{-# LANGUAGE DeriveDataTypeable #-} {-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE TypeFamilies #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} {-# OPTIONS_GHC -fno-warn-unused-matches #-} -- Derived from AWS service descriptions, licensed under Apache 2.0. -- | -- Module : Network.AWS.IAM.SimulateCustomPolicy -- Copyright : (c) 2013-2015 Brendan Hay -- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay -- Stability : auto-generated -- Portability : non-portable (GHC extensions) -- -- Simulate how a set of IAM policies and optionally a resource-based -- policy works with a list of API actions and AWS resources to determine -- the policies\' effective permissions. The policies are provided as -- strings. -- -- The simulation does not perform the API actions; it only checks the -- authorization to determine if the simulated policies allow or deny the -- actions. -- -- If you want to simulate existing policies attached to an IAM user, -- group, or role, use SimulatePrincipalPolicy instead. -- -- Context keys are variables maintained by AWS and its services that -- provide details about the context of an API query request. You can use -- the 'Condition' element of an IAM policy to evaluate context keys. To -- get the list of context keys that the policies require for correct -- simulation, use GetContextKeysForCustomPolicy. -- -- If the output is long, you can use 'MaxItems' and 'Marker' parameters to -- paginate the results. -- -- /See:/ for SimulateCustomPolicy. module Network.AWS.IAM.SimulateCustomPolicy ( -- * Creating a Request simulateCustomPolicy , SimulateCustomPolicy -- * Request Lenses , scpResourcePolicy , scpCallerARN , scpResourceARNs , scpMarker , scpMaxItems , scpContextEntries , scpResourceOwner , scpPolicyInputList , scpActionNames -- * Destructuring the Response , simulatePolicyResponse , SimulatePolicyResponse -- * Response Lenses , spEvaluationResults , spMarker , spIsTruncated ) where import Network.AWS.IAM.Types import Network.AWS.IAM.Types.Product import Network.AWS.Prelude import Network.AWS.Request import Network.AWS.Response -- | /See:/ 'simulateCustomPolicy' smart constructor. data SimulateCustomPolicy = SimulateCustomPolicy' { _scpResourcePolicy :: !(Maybe Text) , _scpCallerARN :: !(Maybe Text) , _scpResourceARNs :: !(Maybe [Text]) , _scpMarker :: !(Maybe Text) , _scpMaxItems :: !(Maybe Nat) , _scpContextEntries :: !(Maybe [ContextEntry]) , _scpResourceOwner :: !(Maybe Text) , _scpPolicyInputList :: ![Text] , _scpActionNames :: ![Text] } deriving (Eq,Read,Show,Data,Typeable,Generic) -- | Creates a value of 'SimulateCustomPolicy' with the minimum fields required to make a request. -- -- Use one of the following lenses to modify other fields as desired: -- -- * 'scpResourcePolicy' -- -- * 'scpCallerARN' -- -- * 'scpResourceARNs' -- -- * 'scpMarker' -- -- * 'scpMaxItems' -- -- * 'scpContextEntries' -- -- * 'scpResourceOwner' -- -- * 'scpPolicyInputList' -- -- * 'scpActionNames' simulateCustomPolicy :: SimulateCustomPolicy simulateCustomPolicy = SimulateCustomPolicy' { _scpResourcePolicy = Nothing , _scpCallerARN = Nothing , _scpResourceARNs = Nothing , _scpMarker = Nothing , _scpMaxItems = Nothing , _scpContextEntries = Nothing , _scpResourceOwner = Nothing , _scpPolicyInputList = mempty , _scpActionNames = mempty } -- | A resource-based policy to include in the simulation provided as a -- string. Each resource in the simulation is treated as if it had this -- policy attached. You can include only one resource-based policy in a -- simulation. scpResourcePolicy :: Lens' SimulateCustomPolicy (Maybe Text) scpResourcePolicy = lens _scpResourcePolicy (\ s a -> s{_scpResourcePolicy = a}); -- | The ARN of the user that you want to use as the simulated caller of the -- APIs. 'CallerArn' is required if you include a 'ResourcePolicy' so that -- the policy\'s 'Principal' element has a value to use in evaluating the -- policy. -- -- You can specify only the ARN of an IAM user. You cannot specify the ARN -- of an assumed role, federated user, or a service principal. scpCallerARN :: Lens' SimulateCustomPolicy (Maybe Text) scpCallerARN = lens _scpCallerARN (\ s a -> s{_scpCallerARN = a}); -- | A list of ARNs of AWS resources to include in the simulation. If this -- parameter is not provided then the value defaults to '*' (all -- resources). Each API in the 'ActionNames' parameter is evaluated for -- each resource in this list. The simulation determines the access result -- (allowed or denied) of each combination and reports it in the response. -- -- The simulation does not automatically retrieve policies for the -- specified resources. If you want to include a resource policy in the -- simulation, then you must include the policy as a string in the -- 'ResourcePolicy' parameter. -- -- If you include a 'ResourcePolicy', then it must be applicable to all of -- the resources included in the simulation or you receive an invalid input -- error. scpResourceARNs :: Lens' SimulateCustomPolicy [Text] scpResourceARNs = lens _scpResourceARNs (\ s a -> s{_scpResourceARNs = a}) . _Default . _Coerce; -- | Use this parameter only when paginating results and only after you -- receive a response indicating that the results are truncated. Set it to -- the value of the 'Marker' element in the response that you received to -- indicate where the next call should start. scpMarker :: Lens' SimulateCustomPolicy (Maybe Text) scpMarker = lens _scpMarker (\ s a -> s{_scpMarker = a}); -- | Use this only when paginating results to indicate the maximum number of -- items you want in the response. If additional items exist beyond the -- maximum you specify, the 'IsTruncated' response element is 'true'. -- -- This parameter is optional. If you do not include it, it defaults to -- 100. Note that IAM might return fewer results, even when there are more -- results available. In that case, the 'IsTruncated' response element -- returns 'true' and 'Marker' contains a value to include in the -- subsequent call that tells the service where to continue from. scpMaxItems :: Lens' SimulateCustomPolicy (Maybe Natural) scpMaxItems = lens _scpMaxItems (\ s a -> s{_scpMaxItems = a}) . mapping _Nat; -- | A list of context keys and corresponding values for the simulation to -- use. Whenever a context key is evaluated by a 'Condition' element in one -- of the simulated IAM permission policies, the corresponding value is -- supplied. scpContextEntries :: Lens' SimulateCustomPolicy [ContextEntry] scpContextEntries = lens _scpContextEntries (\ s a -> s{_scpContextEntries = a}) . _Default . _Coerce; -- | An AWS account ID that specifies the owner of any simulated resource -- that does not identify its owner in the resource ARN, such as an S3 -- bucket or object. If 'ResourceOwner' is specified, it is also used as -- the account owner of any 'ResourcePolicy' included in the simulation. If -- the 'ResourceOwner' parameter is not specified, then the owner of the -- resources and the resource policy defaults to the account of the -- identity provided in 'CallerArn'. This parameter is required only if you -- specify a resource-based policy and account that owns the resource is -- different from the account that owns the simulated calling user -- 'CallerArn'. scpResourceOwner :: Lens' SimulateCustomPolicy (Maybe Text) scpResourceOwner = lens _scpResourceOwner (\ s a -> s{_scpResourceOwner = a}); -- | A list of policy documents to include in the simulation. Each document -- is specified as a string containing the complete, valid JSON text of an -- IAM policy. Do not include any resource-based policies in this -- parameter. Any resource-based policy must be submitted with the -- 'ResourcePolicy' parameter. The policies cannot be \"scope-down\" -- policies, such as you could include in a call to -- -- or one of the -- -- APIs to restrict what a user can do while using the temporary -- credentials. scpPolicyInputList :: Lens' SimulateCustomPolicy [Text] scpPolicyInputList = lens _scpPolicyInputList (\ s a -> s{_scpPolicyInputList = a}) . _Coerce; -- | A list of names of API actions to evaluate in the simulation. Each -- action is evaluated against each resource. Each action must include the -- service identifier, such as 'iam:CreateUser'. scpActionNames :: Lens' SimulateCustomPolicy [Text] scpActionNames = lens _scpActionNames (\ s a -> s{_scpActionNames = a}) . _Coerce; instance AWSRequest SimulateCustomPolicy where type Rs SimulateCustomPolicy = SimulatePolicyResponse request = postQuery iAM response = receiveXMLWrapper "SimulateCustomPolicyResult" (\ s h x -> parseXML x) instance ToHeaders SimulateCustomPolicy where toHeaders = const mempty instance ToPath SimulateCustomPolicy where toPath = const "/" instance ToQuery SimulateCustomPolicy where toQuery SimulateCustomPolicy'{..} = mconcat ["Action" =: ("SimulateCustomPolicy" :: ByteString), "Version" =: ("2010-05-08" :: ByteString), "ResourcePolicy" =: _scpResourcePolicy, "CallerArn" =: _scpCallerARN, "ResourceArns" =: toQuery (toQueryList "member" <$> _scpResourceARNs), "Marker" =: _scpMarker, "MaxItems" =: _scpMaxItems, "ContextEntries" =: toQuery (toQueryList "member" <$> _scpContextEntries), "ResourceOwner" =: _scpResourceOwner, "PolicyInputList" =: toQueryList "member" _scpPolicyInputList, "ActionNames" =: toQueryList "member" _scpActionNames]