Copyright | (c) 2013-2023 Brendan Hay |
---|---|
License | Mozilla Public License, v. 2.0. |
Maintainer | Brendan Hay |
Stability | auto-generated |
Portability | non-portable (GHC extensions) |
Safe Haskell | Safe-Inferred |
Language | Haskell2010 |
Derived from API version 2018-05-10 of the AWS service descriptions, licensed under Apache 2.0.
These interfaces allow you to apply the AWS library of pre-defined controls to your organizational units, programmatically. In this context, controls are the same as AWS Control Tower guardrails.
To call these APIs, you'll need to know:
- the ControlARN for the control (that is, the guardrail) you are targeting, and
- the ARN associated with the target organizational unit (OU).
To get the ControlARN for your AWS Control Tower guardrail:
The ControlARN contains the control name which is specified in each guardrail. For a list of control names for Strongly recommended and Elective guardrails, see Resource identifiers for APIs and guardrails in the Automating tasks section of the AWS Control Tower User Guide. Remember that Mandatory guardrails cannot be added or removed.
ARN format: arn:aws:controltower:{REGION}::control/{CONTROL_NAME}
Example:
arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED
To get the ARN for an OU:
In the AWS Organizations console, you can find the ARN for the OU on the Organizational unit details page associated with that OU.
OU ARN format:
arn:${Partition}:organizations::${MasterAccountId}:ou/o-${OrganizationId}/ou-${OrganizationalUnitId}
Details and examples
- List of resource identifiers for APIs and guardrails
- Guardrail API examples (CLI)
- Enable controls with AWS CloudFormation
- Creating AWS Control Tower resources with AWS CloudFormation
To view the open source resource repository on GitHub, see aws-cloudformation/aws-cloudformation-resource-providers-controltower
Recording API Requests
AWS Control Tower supports AWS CloudTrail, a service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine which requests the AWS Control Tower service received, who made the request and when, and so on. For more about AWS Control Tower and its support for CloudTrail, see Logging AWS Control Tower Actions with AWS CloudTrail in the AWS Control Tower User Guide. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.
Synopsis
- defaultService :: Service
- _AccessDeniedException :: AsError a => Fold a ServiceError
- _ConflictException :: AsError a => Fold a ServiceError
- _InternalServerException :: AsError a => Fold a ServiceError
- _ResourceNotFoundException :: AsError a => Fold a ServiceError
- _ServiceQuotaExceededException :: AsError a => Fold a ServiceError
- _ThrottlingException :: AsError a => Fold a ServiceError
- _ValidationException :: AsError a => Fold a ServiceError
- data DisableControl = DisableControl' Text Text
- newDisableControl :: Text -> Text -> DisableControl
- data DisableControlResponse = DisableControlResponse' Int Text
- newDisableControlResponse :: Int -> Text -> DisableControlResponse
- data EnableControl = EnableControl' Text Text
- newEnableControl :: Text -> Text -> EnableControl
- data EnableControlResponse = EnableControlResponse' Int Text
- newEnableControlResponse :: Int -> Text -> EnableControlResponse
- data GetControlOperation = GetControlOperation' Text
- newGetControlOperation :: Text -> GetControlOperation
- data GetControlOperationResponse = GetControlOperationResponse' Int ControlOperation
- newGetControlOperationResponse :: Int -> ControlOperation -> GetControlOperationResponse
- data ListEnabledControls = ListEnabledControls' (Maybe Natural) (Maybe Text) Text
- newListEnabledControls :: Text -> ListEnabledControls
- data ListEnabledControlsResponse = ListEnabledControlsResponse' (Maybe Text) Int [EnabledControlSummary]
- newListEnabledControlsResponse :: Int -> ListEnabledControlsResponse
- newtype ControlOperationStatus where
- newtype ControlOperationType where
- data ControlOperation = ControlOperation' (Maybe ISO8601) (Maybe ControlOperationType) (Maybe ISO8601) (Maybe ControlOperationStatus) (Maybe Text)
- newControlOperation :: ControlOperation
- data EnabledControlSummary = EnabledControlSummary' (Maybe Text)
- newEnabledControlSummary :: EnabledControlSummary
Service Configuration
defaultService :: Service Source #
API version 2018-05-10 of the Amazon Control Tower SDK configuration.
Errors
Error matchers are designed for use with the functions provided by Control.Exception.Lens. This allows catching (and rethrowing) service-specific errors returned by ControlTower.
AccessDeniedException
_AccessDeniedException :: AsError a => Fold a ServiceError Source #
User does not have sufficient access to perform this action.
ConflictException
_ConflictException :: AsError a => Fold a ServiceError Source #
Updating or deleting a resource can cause an inconsistent state.
InternalServerException
_InternalServerException :: AsError a => Fold a ServiceError Source #
Unexpected error during processing of request.
ResourceNotFoundException
_ResourceNotFoundException :: AsError a => Fold a ServiceError Source #
Request references a resource which does not exist.
ServiceQuotaExceededException
_ServiceQuotaExceededException :: AsError a => Fold a ServiceError Source #
Request would cause a service quota to be exceeded. The limit is 10 concurrent operations.
ThrottlingException
_ThrottlingException :: AsError a => Fold a ServiceError Source #
Request was denied due to request throttling.
ValidationException
_ValidationException :: AsError a => Fold a ServiceError Source #
The input fails to satisfy the constraints specified by an AWS service.
Waiters
Waiters poll by repeatedly sending a request until some remote success condition configured by the Wait specification is fulfilled. The Wait specification determines how many attempts should be made, in addition to delay and retry strategies.
Operations
Some AWS operations return results that are incomplete and require subsequent requests in order to obtain the entire result set. The process of sending subsequent requests to continue where a previous request left off is called pagination. For example, the ListObjects operation of Amazon S3 returns up to 1000 objects at a time, and you must send subsequent requests with the appropriate Marker in order to retrieve the next page of results.
Operations that have an AWSPager instance can transparently perform subsequent requests, correctly setting Markers and other request facets to iterate through the entire result set of a truncated API operation. Operations which support this have an additional note in the documentation.
Many operations have the ability to filter results on the server side. See the individual operation parameters for details.
DisableControl
data DisableControl Source #
See: newDisableControl
smart constructor.
Instances
Create a value of DisableControl
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:controlIdentifier:DisableControl', disableControl_controlIdentifier - The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.
$sel:targetIdentifier:DisableControl', disableControl_targetIdentifier - The ARN of the organizational unit.
data DisableControlResponse Source #
See: newDisableControlResponse
smart constructor.
Instances
newDisableControlResponse :: Int -> Text -> DisableControlResponse Source #
Create a value of DisableControlResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:DisableControlResponse', disableControlResponse_httpStatus - The response's HTTP status code.
$sel:operationIdentifier:DisableControlResponse', disableControlResponse_operationIdentifier - The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.
EnableControl
data EnableControl Source #
See: newEnableControl
smart constructor.
Instances
Create a value of EnableControl
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:controlIdentifier:EnableControl', enableControl_controlIdentifier - The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.
$sel:targetIdentifier:EnableControl', enableControl_targetIdentifier - The ARN of the organizational unit.
data EnableControlResponse Source #
See: newEnableControlResponse
smart constructor.
Instances
newEnableControlResponse :: Int -> Text -> EnableControlResponse Source #
Create a value of EnableControlResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:EnableControlResponse', enableControlResponse_httpStatus - The response's HTTP status code.
$sel:operationIdentifier:EnableControlResponse', enableControlResponse_operationIdentifier - The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.
GetControlOperation
data GetControlOperation Source #
See: newGetControlOperation
smart constructor.
Instances
newGetControlOperation Source #
Create a value of GetControlOperation
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:operationIdentifier:GetControlOperation', getControlOperation_operationIdentifier - The ID of the asynchronous operation, which is used to track status. The operation is available for 90 days.
data GetControlOperationResponse Source #
See: newGetControlOperationResponse
smart constructor.
Instances
newGetControlOperationResponse Source #
Create a value of GetControlOperationResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:httpStatus:GetControlOperationResponse', getControlOperationResponse_httpStatus - The response's HTTP status code.
$sel:controlOperation:GetControlOperationResponse', getControlOperationResponse_controlOperation
ListEnabledControls (Paginated)
data ListEnabledControls Source #
See: newListEnabledControls
smart constructor.
Instances
newListEnabledControls Source #
Create a value of ListEnabledControls
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:maxResults:ListEnabledControls', listEnabledControls_maxResults - How many results to return per API call.
$sel:nextToken:ListEnabledControls', listEnabledControls_nextToken - The token to continue the list from a previous API call with the same parameters.
$sel:targetIdentifier:ListEnabledControls', listEnabledControls_targetIdentifier - The ARN of the organizational unit.
data ListEnabledControlsResponse Source #
See: newListEnabledControlsResponse
smart constructor.
Instances
newListEnabledControlsResponse Source #
Create a value of ListEnabledControlsResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:nextToken:ListEnabledControlsResponse', listEnabledControlsResponse_nextToken - Retrieves the next page of results. If the string is empty, the current response is the end of the results.
$sel:httpStatus:ListEnabledControlsResponse', listEnabledControlsResponse_httpStatus - The response's HTTP status code.
$sel:enabledControls:ListEnabledControlsResponse', listEnabledControlsResponse_enabledControls - Lists the controls enabled by AWS Control Tower on the specified organizational unit and the accounts it contains.
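An added example (not amazonka's own code) that ties the operations above together from an operator's side: enable a guardrail on an OU, poll GetControlOperation until the operation leaves IN_PROGRESS, then walk ListEnabledControls through paginate to confirm the control now appears. It assumes the lens and conduit packages, placeholder ARNs, and that the status newtype exposes a fromControlOperationStatus accessor.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example (not part of amazonka): enable a guardrail on an OU, poll the
-- asynchronous operation, then page through the OU's enabled controls.

import Amazonka (Env, discover, newEnv, paginate, send)
import Amazonka.ControlTower
import Conduit (mapM_C, runConduit, (.|))
import Control.Concurrent (threadDelay)
import Control.Lens ((&), (?~), (^.))
import Control.Monad.IO.Class (liftIO)
import Control.Monad.Trans.Resource (MonadResource, runResourceT)
import Data.Maybe (fromMaybe)
import Data.Text (Text)
import qualified Data.Text.IO as T

-- Placeholder ARNs (assumption): substitute your control ARN and OU ARN.
controlArn, ouArn :: Text
controlArn = "arn:aws:controltower:us-west-2::control/AWS-GR_AUTOSCALING_LAUNCH_CONFIG_PUBLIC_IP_DISABLED"
ouArn = "arn:aws:organizations::111122223333:ou/o-EXAMPLEID/ou-EXAMPLEID"

-- Poll GetControlOperation every 10 s until the operation leaves IN_PROGRESS.
-- The operation ID stays queryable for 90 days, so re-polling is safe.
waitForOperation :: MonadResource m => Env -> Text -> m Text
waitForOperation env opId = do
  resp <- send env (newGetControlOperation opId)
  let op = resp ^. getControlOperationResponse_controlOperation
  case op ^. controlOperation_status of
    Just ControlOperationStatus_IN_PROGRESS ->
      liftIO (threadDelay 10000000) >> waitForOperation env opId
    Just ControlOperationStatus_FAILED ->
      pure ("FAILED: " <> fromMaybe "(no message)" (op ^. controlOperation_statusMessage))
    Just other -> pure (fromControlOperationStatus other) -- SUCCEEDED (accessor assumed)
    Nothing -> pure "UNKNOWN"

main :: IO ()
main = do
  env <- newEnv discover -- credentials and region via the standard discovery chain
  runResourceT $ do
    enabled <- send env (newEnableControl controlArn ouArn)
    let opId = enabled ^. enableControlResponse_operationIdentifier
    outcome <- waitForOperation env opId
    liftIO $ T.putStrLn ("operation " <> opId <> ": " <> outcome)
    -- ListEnabledControls has an AWSPager instance, so paginate follows
    -- nextToken across every page; maxResults only bounds the page size.
    runConduit $
      paginate env (newListEnabledControls ouArn & listEnabledControls_maxResults ?~ 20)
        .| mapM_C (\page -> liftIO (mapM_ printControl (page ^. listEnabledControlsResponse_enabledControls)))
  where
    printControl c = T.putStrLn (fromMaybe "(no ARN)" (c ^. enabledControlSummary_controlIdentifier))
```

Because the limit is 10 concurrent operations, a script that enables many controls should serialize on waitForOperation (or catch _ServiceQuotaExceededException) rather than fire all EnableControl calls at once.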
Types
ControlOperationStatus
newtype ControlOperationStatus Source #
pattern ControlOperationStatus_FAILED :: ControlOperationStatus
pattern ControlOperationStatus_IN_PROGRESS :: ControlOperationStatus
pattern ControlOperationStatus_SUCCEEDED :: ControlOperationStatus
Instances
ControlOperationType
newtype ControlOperationType Source #
pattern ControlOperationType_DISABLE_CONTROL :: ControlOperationType
pattern ControlOperationType_ENABLE_CONTROL :: ControlOperationType
Instances
ControlOperation
data ControlOperation Source #
An operation performed by the control.
See: newControlOperation
smart constructor.
ControlOperation' (Maybe ISO8601) (Maybe ControlOperationType) (Maybe ISO8601) (Maybe ControlOperationStatus) (Maybe Text)
Instances
newControlOperation :: ControlOperation Source #
Create a value of ControlOperation
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:endTime:ControlOperation', controlOperation_endTime - The time that the operation finished.
$sel:operationType:ControlOperation', controlOperation_operationType - One of ENABLE_CONTROL or DISABLE_CONTROL.
$sel:startTime:ControlOperation', controlOperation_startTime - The time that the operation began.
$sel:status:ControlOperation', controlOperation_status - One of IN_PROGRESS, SUCCEEDED, or FAILED.
$sel:statusMessage:ControlOperation', controlOperation_statusMessage - If the operation result is FAILED, this string contains a message explaining why the operation failed.
EnabledControlSummary
data EnabledControlSummary Source #
A summary of enabled controls.
See: newEnabledControlSummary
smart constructor.
Instances
newEnabledControlSummary :: EnabledControlSummary Source #
Create a value of EnabledControlSummary
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:controlIdentifier:EnabledControlSummary', enabledControlSummary_controlIdentifier - The ARN of the control. Only Strongly recommended and Elective controls are permitted, with the exception of the Region deny guardrail.