{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE TypeFamilies #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-binds #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.CertificateManagerPCA.CreatePermission
-- Copyright   : (c) 2013-2023 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
--
-- Grants one or more permissions on a private CA to the Certificate
-- Manager (ACM) service principal (@acm.amazonaws.com@). These permissions
-- allow ACM to issue and renew ACM certificates that reside in the same
-- Amazon Web Services account as the CA.
--
-- You can list current permissions with the
-- <https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListPermissions.html ListPermissions>
-- action and revoke them with the
-- <https://docs.aws.amazon.com/privateca/latest/APIReference/API_DeletePermission.html DeletePermission>
-- action.
--
-- __About Permissions__
--
-- -   If the private CA and the certificates it issues reside in the same
--     account, you can use @CreatePermission@ to grant permissions for ACM
--     to carry out automatic certificate renewals.
--
-- -   For automatic certificate renewal to succeed, the ACM service
--     principal needs permissions to create, retrieve, and list
--     certificates.
--
-- -   If the private CA and the ACM certificates reside in different
--     accounts, then permissions cannot be used to enable automatic
--     renewals. Instead, the ACM certificate owner must set up a
--     resource-based policy to enable cross-account issuance and renewals.
--     For more information, see
--     <https://docs.aws.amazon.com/privateca/latest/userguide/pca-rbp.html Using a Resource Based Policy with Amazon Web Services Private CA>.
module Amazonka.CertificateManagerPCA.CreatePermission
  ( -- * Creating a Request
    CreatePermission (..),
    newCreatePermission,

    -- * Request Lenses
    createPermission_sourceAccount,
    createPermission_certificateAuthorityArn,
    createPermission_principal,
    createPermission_actions,

    -- * Destructuring the Response
    CreatePermissionResponse (..),
    newCreatePermissionResponse,
  )
where

import Amazonka.CertificateManagerPCA.Types
import qualified Amazonka.Core as Core
import qualified Amazonka.Core.Lens.Internal as Lens
import qualified Amazonka.Data as Data
import qualified Amazonka.Prelude as Prelude
import qualified Amazonka.Request as Request
import qualified Amazonka.Response as Response

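-- | Request payload for the @CreatePermission@ action.
--
-- /See:/ 'newCreatePermission' smart constructor.
--
-- NOTE(review): the fields are plain text plus a non-empty list of
-- 'ActionType'. Nothing in this type checks the ARN form or restricts
-- 'principal' to @acm.amazonaws.com@; any such check has to happen in the
-- caller or on the service side. The derived @Show@ instance renders every
-- field, including the account ID and the CA ARN.
data CreatePermission = CreatePermission'
  { -- | The ID of the calling account.
    sourceAccount :: Prelude.Maybe Prelude.Text,
    -- | The Amazon Resource Name (ARN) of the CA that grants the permissions.
    -- You can find the ARN by calling the
    -- <https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html ListCertificateAuthorities>
    -- action. This must have the following form:
    --
    -- @arn:aws:acm-pca:@/@region@/@:@/@account@/@:certificate-authority\/@/@12345678-1234-1234-1234-123456789012@/@ @.
    certificateAuthorityArn :: Prelude.Text,
    -- | The Amazon Web Services service or identity that receives the
    -- permission. At this time, the only valid principal is
    -- @acm.amazonaws.com@.
    principal :: Prelude.Text,
    -- | The actions that the specified Amazon Web Services service principal can
    -- use. These include @IssueCertificate@, @GetCertificate@, and
    -- @ListPermissions@.
    actions :: Prelude.NonEmpty ActionType
  }
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)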

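-- |
-- Create a value of 'CreatePermission' with all optional fields omitted.
--
-- 'sourceAccount' starts as @Nothing@; the three arguments are stored as
-- given, with no validation of the ARN form or of the principal.
--
-- Pass only the actions the principal actually needs. Existing grants can be
-- reviewed with @ListPermissions@ and withdrawn with @DeletePermission@.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'sourceAccount', 'createPermission_sourceAccount' - The ID of the calling account.
--
-- 'certificateAuthorityArn', 'createPermission_certificateAuthorityArn' - The Amazon Resource Name (ARN) of the CA that grants the permissions.
-- You can find the ARN by calling the
-- <https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html ListCertificateAuthorities>
-- action. This must have the following form:
--
-- @arn:aws:acm-pca:@/@region@/@:@/@account@/@:certificate-authority\/@/@12345678-1234-1234-1234-123456789012@/@ @.
--
-- 'principal', 'createPermission_principal' - The Amazon Web Services service or identity that receives the
-- permission. At this time, the only valid principal is
-- @acm.amazonaws.com@.
--
-- 'actions', 'createPermission_actions' - The actions that the specified Amazon Web Services service principal can
-- use. These include @IssueCertificate@, @GetCertificate@, and
-- @ListPermissions@.
newCreatePermission ::
  -- | 'certificateAuthorityArn'
  Prelude.Text ->
  -- | 'principal'
  Prelude.Text ->
  -- | 'actions'
  Prelude.NonEmpty ActionType ->
  CreatePermission
newCreatePermission
  pCertificateAuthorityArn_
  pPrincipal_
  pActions_ =
    CreatePermission'
      { sourceAccount = Prelude.Nothing,
        certificateAuthorityArn = pCertificateAuthorityArn_,
        principal = pPrincipal_,
        -- Reviewing through the 'Lens.coerced' iso only changes the
        -- representation type; the list of actions is kept as passed.
        actions = Lens.coerced Lens.# pActions_
      }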

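-- | The ID of the calling account.
--
-- Lens onto 'sourceAccount'; reads and writes the optional value unchanged.
createPermission_sourceAccount :: Lens.Lens' CreatePermission (Prelude.Maybe Prelude.Text)
createPermission_sourceAccount =
  Lens.lens
    (\CreatePermission' {sourceAccount} -> sourceAccount)
    -- The result annotation pins the record type for the field update,
    -- which matters with DuplicateRecordFields enabled.
    (\s@CreatePermission' {} a -> s {sourceAccount = a} :: CreatePermission)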

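-- | The Amazon Resource Name (ARN) of the CA that grants the permissions.
-- You can find the ARN by calling the
-- <https://docs.aws.amazon.com/privateca/latest/APIReference/API_ListCertificateAuthorities.html ListCertificateAuthorities>
-- action. This must have the following form:
--
-- @arn:aws:acm-pca:@/@region@/@:@/@account@/@:certificate-authority\/@/@12345678-1234-1234-1234-123456789012@/@ @.
--
-- Lens onto 'certificateAuthorityArn'. The setter stores whatever text it is
-- given; the ARN form described above is not checked here.
createPermission_certificateAuthorityArn :: Lens.Lens' CreatePermission Prelude.Text
createPermission_certificateAuthorityArn =
  Lens.lens
    (\CreatePermission' {certificateAuthorityArn} -> certificateAuthorityArn)
    -- The result annotation pins the record type for the field update,
    -- which matters with DuplicateRecordFields enabled.
    (\s@CreatePermission' {} a -> s {certificateAuthorityArn = a} :: CreatePermission)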

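-- | The Amazon Web Services service or identity that receives the
-- permission. At this time, the only valid principal is
-- @acm.amazonaws.com@.
--
-- Lens onto 'principal'. The setter accepts any text; it does not enforce
-- the single valid value named above.
createPermission_principal :: Lens.Lens' CreatePermission Prelude.Text
createPermission_principal =
  Lens.lens
    (\CreatePermission' {principal} -> principal)
    -- The result annotation pins the record type for the field update,
    -- which matters with DuplicateRecordFields enabled.
    (\s@CreatePermission' {} a -> s {principal = a} :: CreatePermission)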

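-- | The actions that the specified Amazon Web Services service principal can
-- use. These include @IssueCertificate@, @GetCertificate@, and
-- @ListPermissions@.
--
-- Lens onto 'actions', composed with 'Lens.coerced'. Setting through this
-- lens replaces the whole list of granted actions in the request value.
createPermission_actions :: Lens.Lens' CreatePermission (Prelude.NonEmpty ActionType)
createPermission_actions =
  Lens.lens
    (\CreatePermission' {actions} -> actions)
    -- The result annotation pins the record type for the field update,
    -- which matters with DuplicateRecordFields enabled.
    (\s@CreatePermission' {} a -> s {actions = a} :: CreatePermission)
    Prelude.. Lens.coerced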

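-- Wires 'CreatePermission' into the request/response machinery: the request
-- is sent as a JSON POST and the reply is mapped to the field-less
-- 'CreatePermissionResponse'.
instance Core.AWSRequest CreatePermission where
  type
    AWSResponse CreatePermission =
      CreatePermissionResponse

  -- Caller-supplied overrides are applied to the default service
  -- configuration before the request is built.
  request overrides =
    Request.postJSON (overrides defaultService)

  -- The response value is the constant 'CreatePermissionResponse''; it has
  -- no fields, so it carries no detail about the grant that was created.
  -- NOTE(review): presumably the response body is discarded by
  -- 'Response.receiveNull' - confirm against Amazonka.Response.
  response =
    Response.receiveNull CreatePermissionResponse'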

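-- Hashes a request by threading the salt through every field, in
-- declaration order.
instance Prelude.Hashable CreatePermission where
  hashWithSalt _salt CreatePermission' {..} =
    _salt
      `Prelude.hashWithSalt` sourceAccount
      `Prelude.hashWithSalt` certificateAuthorityArn
      `Prelude.hashWithSalt` principal
      `Prelude.hashWithSalt` actions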

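-- Fully evaluates a request by applying 'Prelude.rnf' to each field in turn.
instance Prelude.NFData CreatePermission where
  rnf CreatePermission' {..} =
    Prelude.rnf sourceAccount
      `Prelude.seq` Prelude.rnf certificateAuthorityArn
      `Prelude.seq` Prelude.rnf principal
      `Prelude.seq` Prelude.rnf actions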

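-- Every request carries the same two headers regardless of its field
-- values ('Prelude.const' ignores the request): @X-Amz-Target@ names this
-- operation and @Content-Type@ declares the JSON 1.1 body format.
instance Data.ToHeaders CreatePermission where
  toHeaders =
    Prelude.const
      ( Prelude.mconcat
          [ "X-Amz-Target"
              Data.=# ( "ACMPrivateCA.CreatePermission" ::
                          Prelude.ByteString
                      ),
            "Content-Type"
              Data.=# ( "application/x-amz-json-1.1" ::
                          Prelude.ByteString
                      )
          ]
      )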

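-- Serialises the request body. @SourceAccount@ is emitted only when it is
-- set; @CertificateAuthorityArn@, @Principal@ and @Actions@ are always
-- present. Field values are written as stored, without validation.
instance Data.ToJSON CreatePermission where
  toJSON CreatePermission' {..} =
    Data.object
      ( Prelude.catMaybes
          [ ("SourceAccount" Data..=) Prelude.<$> sourceAccount,
            Prelude.Just
              ( "CertificateAuthorityArn"
                  Data..= certificateAuthorityArn
              ),
            Prelude.Just ("Principal" Data..= principal),
            Prelude.Just ("Actions" Data..= actions)
          ]
      )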

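-- The request path is always @/@, whatever the request contains.
instance Data.ToPath CreatePermission where
  toPath = Prelude.const "/"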

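-- The query string is always empty; no request field is placed in the URL.
instance Data.ToQuery CreatePermission where
  toQuery = Prelude.const Prelude.mempty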

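-- | Response to @CreatePermission@. The record has no fields, so a value of
-- this type carries no information about the grant itself.
--
-- /See:/ 'newCreatePermissionResponse' smart constructor.
data CreatePermissionResponse = CreatePermissionResponse'
  {
  }
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)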

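-- |
-- Create a value of 'CreatePermissionResponse' with all optional fields omitted.
--
-- The response type has no fields, so this is simply its only constructor.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
newCreatePermissionResponse ::
  CreatePermissionResponse
newCreatePermissionResponse =
  CreatePermissionResponse'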

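-- The response has no fields, so there is nothing to force.
instance Prelude.NFData CreatePermissionResponse where
  rnf _ = ()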