{-# LANGUAGE FlexibleContexts  #-}
{-# LANGUAGE LambdaCase        #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RankNTypes        #-}

-- |
-- Module      : Credentials
-- Copyright   : (c) 2015-2016 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>
-- Stability   : provisional
-- Portability : non-portable (GHC extensions)
--
-- This module provides a common interface for operating on your shared
-- credentials.
module Credentials
    (
    -- * Usage
    -- $usage

    -- * Operations
      insert
    , select
    , delete
    , truncate
    , revisions
    , setup
    , teardown

    -- * KMS
    , KeyId             (..)
    , defaultKeyId

    -- * DynamoDB
    , DynamoTable       (..)
    , defaultTable

    -- * Errors
    , CredentialError   (..)
    , AsCredentialError (..)

    -- * Types
    , Name              (..)
    , Revision          (..)
    , Context           (..)
    , Setup             (..)
    ) where

import Credentials.DynamoDB
import Credentials.Types

-- $usage
-- To use the library, make sure you have met the following prerequisites:
--
-- * You have a master key in KMS. You can create this under Identity and Access
--   Management > Encryption Keys, in the AWS developer console.
--
-- * Your AWS access credentials are available where
--   <https://hackage.haskell.org/package/amazonka amazonka> can find them. This
--   will be automatic if you are running on an EC2 host, otherwise
--   the <https://blogs.aws.amazon.com/security/post/Tx3D6U6WSFGOK2H/A-New-and-Standardized-Way-to-Manage-Credentials-in-the-AWS-SDKs ~\/.aws\/credentials> file, as @AWS_ACCESS_KEY_ID@ and
--   @AWS_SECRET_ACCESS_KEY@ environment variables need to be configured.
--
-- Since all of the credentials operations are constrained by a 'MonadAWS' context,
-- running them is identical to that of [amazonka](https://hackage.haskell.org/package/amazonka),
-- which you will also need to add to your @build-depends@ section of your project's cabal file.
--
-- > {-# LANGUAGE OverloadedStrings #-}
-- >
-- > import Credentials
-- > import Control.Lens
-- > import Data.ByteString (ByteString)
-- > import Network.AWS
-- > import System.IO
-- >
-- > example :: IO (ByteString, Revision)
-- > example = do
-- >     -- A new 'Logger' to replace the default noop logger is created,
-- >     -- which will print AWS debug information and errors to stdout.
-- >     lgr <- newLogger Debug stdout
-- >
-- >     -- A new amazonka 'Env' is created, which auto-discovers the
-- >     -- underlying host credentials.
-- >     env <- newEnv Frankfurt Discover
-- >
-- >     let table = "dynamo-table-name"
-- >         key   = "kms-key-alias"
-- >         name  = "credential-name"
-- >
-- >     -- We now run the 'AWS' computation with the overriden logger,
-- >     -- performing the sequence of credentials operations.
-- >     runResourceT . runAWS (env & envLogger .~ lgr) $ do
-- >         -- Firstly, we create the DynamoDB table.
-- >         -- This is an idempotent operation but since it makes remote API calls,
-- >         -- it's recommended you only run this once via the CLI.
-- >         Credentials.setup table
-- >
-- >         -- Then we insert a credential\'s value, for a given name.
-- >         -- Encryption is handled transparently and the resulting revision
-- >         -- is returned.
-- >         _ <- Credentials.insert key mempty name "a-super-secret-value" table
-- >
-- >         -- Selecting the credential by name, and specifying 'Nothing' for the
-- >         -- revision results in the latest credential revision being returned.
-- >         Credentials.select mempty name Nothing table