{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.CloudTrail.Types.DataResource
-- Copyright   : (c) 2013-2023 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
module Amazonka.CloudTrail.Types.DataResource where

import qualified Amazonka.Core as Core
import qualified Amazonka.Core.Lens.Internal as Lens
import qualified Amazonka.Data as Data
import qualified Amazonka.Prelude as Prelude

-- | The Amazon S3 buckets, Lambda functions, or Amazon DynamoDB tables that
-- you specify in your event selectors for your trail to log data events.
-- Data events provide information about the resource operations performed
-- on or within a resource itself. These are also known as data plane
-- operations. You can specify up to 250 data resources for a trail.
--
-- The total number of allowed data resources is 250. This number can be
-- distributed between 1 and 5 event selectors, but the total cannot exceed
-- 250 across all selectors.
--
-- If you are using advanced event selectors, the maximum total number of
-- values for all conditions, across all advanced event selectors for the
-- trail, is 500.
--
-- The following example demonstrates how logging works when you configure
-- logging of all data events for an S3 bucket named @bucket-1@. In this
-- example, the CloudTrail user specified an empty prefix, and the option
-- to log both @Read@ and @Write@ data events.
--
-- 1.  A user uploads an image file to @bucket-1@.
--
-- 2.  The @PutObject@ API operation is an Amazon S3 object-level API. It
--     is recorded as a data event in CloudTrail. Because the CloudTrail
--     user specified an S3 bucket with an empty prefix, events that occur
--     on any object in that bucket are logged. The trail processes and
--     logs the event.
--
-- 3.  A user uploads an object to an Amazon S3 bucket named
--     @arn:aws:s3:::bucket-2@.
--
-- 4.  The @PutObject@ API operation occurred for an object in an S3 bucket
--     that the CloudTrail user didn\'t specify for the trail. The trail
--     doesn’t log the event.
--
-- The following example demonstrates how logging works when you configure
-- logging of Lambda data events for a Lambda function named
-- /MyLambdaFunction/, but not for all Lambda functions.
--
-- 1.  A user runs a script that includes a call to the /MyLambdaFunction/
--     function and the /MyOtherLambdaFunction/ function.
--
-- 2.  The @Invoke@ API operation on /MyLambdaFunction/ is a Lambda API.
--     It is recorded as a data event in CloudTrail. Because the CloudTrail
--     user specified logging data events for /MyLambdaFunction/, any
--     invocations of that function are logged. The trail processes and
--     logs the event.
--
-- 3.  The @Invoke@ API operation on /MyOtherLambdaFunction/ is a Lambda
--     API. Because the CloudTrail user did not specify logging data events
--     for all Lambda functions, the @Invoke@ operation for
--     /MyOtherLambdaFunction/ does not match the function specified for
--     the trail. The trail doesn’t log the event.
--
-- /See:/ 'newDataResource' smart constructor.
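data DataResource = DataResource'
  { -- | The resource type in which you want to log data events. You can specify
    -- the following /basic/ event selector resource types:
    --
    -- -   @AWS::S3::Object@
    --
    -- -   @AWS::Lambda::Function@
    --
    -- -   @AWS::DynamoDB::Table@
    --
    -- The following resource types are also available through /advanced/ event
    -- selectors. Basic event selector resource types are valid in advanced
    -- event selectors, but advanced event selector resource types are not
    -- valid in basic event selectors. For more information, see
    -- AdvancedFieldSelector$Field.
    --
    -- -   @AWS::S3Outposts::Object@
    --
    -- -   @AWS::ManagedBlockchain::Node@
    --
    -- -   @AWS::S3ObjectLambda::AccessPoint@
    --
    -- -   @AWS::EC2::Snapshot@
    --
    -- -   @AWS::S3::AccessPoint@
    --
    -- -   @AWS::DynamoDB::Stream@
    --
    -- -   @AWS::Glue::Table@
    --
    -- The field is free-form text: this type does not restrict it to the
    -- resource types listed above, so a misspelled type is only rejected
    -- (if at all) by the service.
    type' :: Prelude.Maybe Prelude.Text,
    -- | An array of Amazon Resource Name (ARN) strings or partial ARN strings
    -- for the specified objects.
    --
    -- -   To log data events for all objects in all S3 buckets in your Amazon
    --     Web Services account, specify the prefix as @arn:aws:s3@.
    --
    --     This also enables logging of data event activity performed by any
    --     user or role in your Amazon Web Services account, even if that
    --     activity is performed on a bucket that belongs to another Amazon Web
    --     Services account.
    --
    -- -   To log data events for all objects in an S3 bucket, specify the
    --     bucket and an empty object prefix such as @arn:aws:s3:::bucket-1\/@.
    --     The trail logs data events for all objects in this S3 bucket.
    --
    -- -   To log data events for specific objects, specify the S3 bucket and
    --     object prefix such as @arn:aws:s3:::bucket-1\/example-images@. The
    --     trail logs data events for objects in this S3 bucket that match the
    --     prefix.
    --
    -- -   To log data events for all Lambda functions in your Amazon Web
    --     Services account, specify the prefix as @arn:aws:lambda@.
    --
    --     This also enables logging of @Invoke@ activity performed by any user
    --     or role in your Amazon Web Services account, even if that activity
    --     is performed on a function that belongs to another Amazon Web
    --     Services account.
    --
    -- -   To log data events for a specific Lambda function, specify the
    --     function ARN.
    --
    --     Lambda function ARNs are exact. For example, if you specify a
    --     function ARN
    --     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/, data
    --     events will only be logged for
    --     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/. They
    --     will not be logged for
    --     /arn:aws:lambda:us-west-2:111111111111:function:helloworld2/.
    --
    -- -   To log data events for all DynamoDB tables in your Amazon Web
    --     Services account, specify the prefix as @arn:aws:dynamodb@.
    --
    -- The strings are carried as plain text and are not checked here. S3
    -- entries are described above as prefix matches while Lambda function
    -- ARNs are exact, so when reviewing a trail's coverage read each entry
    -- according to its resource type.
    values :: Prelude.Maybe [Prelude.Text]
  }
  -- The interleaved instance-method signatures that appeared in the rendered
  -- listing were type annotations from the source viewer, not source text;
  -- the deriving clause names only these four classes.
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)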

-- |
-- Create a value of 'DataResource' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'type'', 'dataResource_type' - The resource type in which you want to log data events. You can specify
-- the following /basic/ event selector resource types:
--
-- -   @AWS::S3::Object@
--
-- -   @AWS::Lambda::Function@
--
-- -   @AWS::DynamoDB::Table@
--
-- The following resource types are also available through /advanced/ event
-- selectors. Basic event selector resource types are valid in advanced
-- event selectors, but advanced event selector resource types are not
-- valid in basic event selectors. For more information, see
-- AdvancedFieldSelector$Field.
--
-- -   @AWS::S3Outposts::Object@
--
-- -   @AWS::ManagedBlockchain::Node@
--
-- -   @AWS::S3ObjectLambda::AccessPoint@
--
-- -   @AWS::EC2::Snapshot@
--
-- -   @AWS::S3::AccessPoint@
--
-- -   @AWS::DynamoDB::Stream@
--
-- -   @AWS::Glue::Table@
--
-- 'values', 'dataResource_values' - An array of Amazon Resource Name (ARN) strings or partial ARN strings
-- for the specified objects.
--
-- -   To log data events for all objects in all S3 buckets in your Amazon
--     Web Services account, specify the prefix as @arn:aws:s3@.
--
--     This also enables logging of data event activity performed by any
--     user or role in your Amazon Web Services account, even if that
--     activity is performed on a bucket that belongs to another Amazon Web
--     Services account.
--
-- -   To log data events for all objects in an S3 bucket, specify the
--     bucket and an empty object prefix such as @arn:aws:s3:::bucket-1\/@.
--     The trail logs data events for all objects in this S3 bucket.
--
-- -   To log data events for specific objects, specify the S3 bucket and
--     object prefix such as @arn:aws:s3:::bucket-1\/example-images@. The
--     trail logs data events for objects in this S3 bucket that match the
--     prefix.
--
-- -   To log data events for all Lambda functions in your Amazon Web
--     Services account, specify the prefix as @arn:aws:lambda@.
--
--     This also enables logging of @Invoke@ activity performed by any user
--     or role in your Amazon Web Services account, even if that activity
--     is performed on a function that belongs to another Amazon Web
--     Services account.
--
-- -   To log data events for a specific Lambda function, specify the
--     function ARN.
--
--     Lambda function ARNs are exact. For example, if you specify a
--     function ARN
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/, data
--     events will only be logged for
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/. They
--     will not be logged for
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld2/.
--
-- -   To log data events for all DynamoDB tables in your Amazon Web
--     Services account, specify the prefix as @arn:aws:dynamodb@.
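newDataResource ::
  DataResource
newDataResource =
  DataResource'
    { -- Both fields start out unset, so the value names neither a resource
      -- type nor any ARN until the caller fills them in.
      -- NOTE(review): whether the service accepts an entry with both fields
      -- unset is not shown in this module; confirm before relying on it.
      type' = Prelude.Nothing,
      values = Prelude.Nothing
    }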

-- | The resource type in which you want to log data events. You can specify
-- the following /basic/ event selector resource types:
--
-- -   @AWS::S3::Object@
--
-- -   @AWS::Lambda::Function@
--
-- -   @AWS::DynamoDB::Table@
--
-- The following resource types are also available through /advanced/ event
-- selectors. Basic event selector resource types are valid in advanced
-- event selectors, but advanced event selector resource types are not
-- valid in basic event selectors. For more information, see
-- AdvancedFieldSelector$Field.
--
-- -   @AWS::S3Outposts::Object@
--
-- -   @AWS::ManagedBlockchain::Node@
--
-- -   @AWS::S3ObjectLambda::AccessPoint@
--
-- -   @AWS::EC2::Snapshot@
--
-- -   @AWS::S3::AccessPoint@
--
-- -   @AWS::DynamoDB::Stream@
--
-- -   @AWS::Glue::Table@
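dataResource_type :: Lens.Lens' DataResource (Prelude.Maybe Prelude.Text)
dataResource_type =
  -- Getter reads the 'type'' field; setter replaces it and leaves 'values'
  -- untouched. The trailing annotation pins the record type of the update,
  -- which matters because DuplicateRecordFields is enabled in this module.
  Lens.lens
    (\DataResource' {type'} -> type')
    (\s@DataResource' {} a -> s {type' = a} :: DataResource)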

-- | An array of Amazon Resource Name (ARN) strings or partial ARN strings
-- for the specified objects.
--
-- -   To log data events for all objects in all S3 buckets in your Amazon
--     Web Services account, specify the prefix as @arn:aws:s3@.
--
--     This also enables logging of data event activity performed by any
--     user or role in your Amazon Web Services account, even if that
--     activity is performed on a bucket that belongs to another Amazon Web
--     Services account.
--
-- -   To log data events for all objects in an S3 bucket, specify the
--     bucket and an empty object prefix such as @arn:aws:s3:::bucket-1\/@.
--     The trail logs data events for all objects in this S3 bucket.
--
-- -   To log data events for specific objects, specify the S3 bucket and
--     object prefix such as @arn:aws:s3:::bucket-1\/example-images@. The
--     trail logs data events for objects in this S3 bucket that match the
--     prefix.
--
-- -   To log data events for all Lambda functions in your Amazon Web
--     Services account, specify the prefix as @arn:aws:lambda@.
--
--     This also enables logging of @Invoke@ activity performed by any user
--     or role in your Amazon Web Services account, even if that activity
--     is performed on a function that belongs to another Amazon Web
--     Services account.
--
-- -   To log data events for a specific Lambda function, specify the
--     function ARN.
--
--     Lambda function ARNs are exact. For example, if you specify a
--     function ARN
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/, data
--     events will only be logged for
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/. They
--     will not be logged for
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld2/.
--
-- -   To log data events for all DynamoDB tables in your Amazon Web
--     Services account, specify the prefix as @arn:aws:dynamodb@.
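dataResource_values :: Lens.Lens' DataResource (Prelude.Maybe [Prelude.Text])
dataResource_values =
  -- Getter reads the 'values' field; setter replaces it and leaves 'type''
  -- untouched. The result is composed with a coercion iso mapped under the
  -- Maybe; the field and the lens target are both @[Text]@ here, so this
  -- presumably changes nothing at runtime (generator boilerplate).
  Lens.lens
    (\DataResource' {values} -> values)
    (\s@DataResource' {} a -> s {values = a} :: DataResource)
    Prelude.. Lens.mapping Lens.coerced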

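-- Decodes a 'DataResource' from a JSON object, reading only the @Type@ and
-- @Values@ keys. Both keys are optional: a missing @Type@ yields 'Nothing',
-- and a missing @Values@ falls back to 'mempty', which at @Maybe [Text]@ is
-- also 'Nothing'. A non-object input is rejected by 'Data.withObject'.
--
-- No check is made that @Type@ is a known resource type or that the entries
-- of @Values@ are well-formed ARNs; code that audits a trail's selectors has
-- to validate the decoded strings itself.
instance Data.FromJSON DataResource where
  parseJSON =
    Data.withObject
      "DataResource"
      ( \x ->
          DataResource'
            Prelude.<$> (x Data..:? "Type")
            Prelude.<*> (x Data..:? "Values" Data..!= Prelude.mempty)
      )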

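-- Hashes a 'DataResource' by folding its fields into the salt in
-- declaration order: first 'type'', then 'values'.
instance Prelude.Hashable DataResource where
  hashWithSalt _salt DataResource' {..} =
    _salt
      `Prelude.hashWithSalt` type'
      `Prelude.hashWithSalt` values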

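-- Fully evaluates a 'DataResource': 'type'' is forced first, then 'values'.
instance Prelude.NFData DataResource where
  rnf DataResource' {..} =
    Prelude.rnf type' `Prelude.seq` Prelude.rnf values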

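-- Encodes a 'DataResource' as a JSON object with the keys @Type@ and
-- @Values@. A field that is 'Nothing' is left out of the object rather than
-- written as @null@, so a value with both fields unset encodes as an empty
-- object.
instance Data.ToJSON DataResource where
  toJSON DataResource' {..} =
    Data.object
      ( Prelude.catMaybes
          [ ("Type" Data..=) Prelude.<$> type',
            ("Values" Data..=) Prelude.<$> values
          ]
      )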