{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.Firehose.Types.DeliveryStreamEncryptionConfigurationInput
-- Copyright   : (c) 2013-2023 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
module Amazonka.Firehose.Types.DeliveryStreamEncryptionConfigurationInput where

import qualified Amazonka.Core as Core
import qualified Amazonka.Core.Lens.Internal as Lens
import qualified Amazonka.Data as Data
import Amazonka.Firehose.Types.KeyType
import qualified Amazonka.Prelude as Prelude

-- | Specifies the type and Amazon Resource Name (ARN) of the CMK to use for
-- Server-Side Encryption (SSE).
--
-- /See:/ 'newDeliveryStreamEncryptionConfigurationInput' smart constructor.
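data DeliveryStreamEncryptionConfigurationInput = DeliveryStreamEncryptionConfigurationInput'
  { -- | If you set @KeyType@ to @CUSTOMER_MANAGED_CMK@, you must specify the
    -- Amazon Resource Name (ARN) of the CMK. If you set @KeyType@ to
    -- @AWS_OWNED_CMK@, Kinesis Data Firehose uses a
    -- service-account CMK.
    --
    -- The field is optional at the type level ('Prelude.Maybe'), so the
    -- record itself does not enforce that an ARN accompanies
    -- @CUSTOMER_MANAGED_CMK@; the caller has to set it.
    keyARN :: Prelude.Maybe Prelude.Text,
    -- | Indicates the type of customer master key (CMK) to use for encryption.
    -- The default setting is @AWS_OWNED_CMK@. For more
    -- information about CMKs, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys Customer Master Keys (CMKs)>.
    -- When you invoke CreateDeliveryStream or StartDeliveryStreamEncryption
    -- with @KeyType@ set to CUSTOMER_MANAGED_CMK, Kinesis Data Firehose
    -- invokes the Amazon KMS operation
    -- <https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html CreateGrant>
    -- to create a grant that allows the Kinesis Data Firehose service to use
    -- the customer managed CMK to perform encryption and decryption. Kinesis
    -- Data Firehose manages that grant.
    --
    -- When you invoke StartDeliveryStreamEncryption to change the CMK for a
    -- delivery stream that is encrypted with a customer managed CMK, Kinesis
    -- Data Firehose schedules the grant it had on the old CMK for retirement.
    --
    -- You can use a CMK of type CUSTOMER_MANAGED_CMK to encrypt up to 500
    -- delivery streams. If a CreateDeliveryStream or
    -- StartDeliveryStreamEncryption operation exceeds this limit, Kinesis Data
    -- Firehose throws a @LimitExceededException@.
    --
    -- To encrypt your delivery stream, use symmetric CMKs. Kinesis Data
    -- Firehose doesn\'t support asymmetric CMKs. For information about
    -- symmetric and asymmetric CMKs, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html About Symmetric and Asymmetric CMKs>
    -- in the Amazon Web Services Key Management Service developer guide.
    keyType :: KeyType
  }
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)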

-- |
-- Create a value of 'DeliveryStreamEncryptionConfigurationInput' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'keyARN', 'deliveryStreamEncryptionConfigurationInput_keyARN' - If you set @KeyType@ to @CUSTOMER_MANAGED_CMK@, you must specify the
-- Amazon Resource Name (ARN) of the CMK. If you set @KeyType@ to
-- @AWS_OWNED_CMK@, Kinesis Data Firehose uses a
-- service-account CMK.
--
-- 'keyType', 'deliveryStreamEncryptionConfigurationInput_keyType' - Indicates the type of customer master key (CMK) to use for encryption.
-- The default setting is @AWS_OWNED_CMK@. For more
-- information about CMKs, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys Customer Master Keys (CMKs)>.
-- When you invoke CreateDeliveryStream or StartDeliveryStreamEncryption
-- with @KeyType@ set to CUSTOMER_MANAGED_CMK, Kinesis Data Firehose
-- invokes the Amazon KMS operation
-- <https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html CreateGrant>
-- to create a grant that allows the Kinesis Data Firehose service to use
-- the customer managed CMK to perform encryption and decryption. Kinesis
-- Data Firehose manages that grant.
--
-- When you invoke StartDeliveryStreamEncryption to change the CMK for a
-- delivery stream that is encrypted with a customer managed CMK, Kinesis
-- Data Firehose schedules the grant it had on the old CMK for retirement.
--
-- You can use a CMK of type CUSTOMER_MANAGED_CMK to encrypt up to 500
-- delivery streams. If a CreateDeliveryStream or
-- StartDeliveryStreamEncryption operation exceeds this limit, Kinesis Data
-- Firehose throws a @LimitExceededException@.
--
-- To encrypt your delivery stream, use symmetric CMKs. Kinesis Data
-- Firehose doesn\'t support asymmetric CMKs. For information about
-- symmetric and asymmetric CMKs, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html About Symmetric and Asymmetric CMKs>
-- in the Amazon Web Services Key Management Service developer guide.
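newDeliveryStreamEncryptionConfigurationInput ::
  -- | 'keyType'
  KeyType ->
  DeliveryStreamEncryptionConfigurationInput
newDeliveryStreamEncryptionConfigurationInput pKeyType_ =
  DeliveryStreamEncryptionConfigurationInput'
    { -- No key ARN is set here. Per the field documentation, a caller that
      -- passes CUSTOMER_MANAGED_CMK must supply the ARN afterwards (for
      -- example through 'deliveryStreamEncryptionConfigurationInput_keyARN');
      -- this constructor does not check that pairing.
      keyARN = Prelude.Nothing,
      -- The only required field: taken verbatim from the argument.
      keyType = pKeyType_
    }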

-- | If you set @KeyType@ to @CUSTOMER_MANAGED_CMK@, you must specify the
-- Amazon Resource Name (ARN) of the CMK. If you set @KeyType@ to
-- @AWS_OWNED_CMK@, Kinesis Data Firehose uses a
-- service-account CMK.
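deliveryStreamEncryptionConfigurationInput_keyARN :: Lens.Lens' DeliveryStreamEncryptionConfigurationInput (Prelude.Maybe Prelude.Text)
deliveryStreamEncryptionConfigurationInput_keyARN =
  Lens.lens
    -- Getter: project the optional key ARN out of the record.
    (\DeliveryStreamEncryptionConfigurationInput' {keyARN} -> keyARN)
    -- Setter: replace only 'keyARN'; 'keyType' is left as it was, so the
    -- caller remains responsible for keeping the two fields consistent.
    (\s@DeliveryStreamEncryptionConfigurationInput' {} a -> s {keyARN = a} :: DeliveryStreamEncryptionConfigurationInput)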

-- | Indicates the type of customer master key (CMK) to use for encryption.
-- The default setting is @AWS_OWNED_CMK@. For more
-- information about CMKs, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys Customer Master Keys (CMKs)>.
-- When you invoke CreateDeliveryStream or StartDeliveryStreamEncryption
-- with @KeyType@ set to CUSTOMER_MANAGED_CMK, Kinesis Data Firehose
-- invokes the Amazon KMS operation
-- <https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html CreateGrant>
-- to create a grant that allows the Kinesis Data Firehose service to use
-- the customer managed CMK to perform encryption and decryption. Kinesis
-- Data Firehose manages that grant.
--
-- When you invoke StartDeliveryStreamEncryption to change the CMK for a
-- delivery stream that is encrypted with a customer managed CMK, Kinesis
-- Data Firehose schedules the grant it had on the old CMK for retirement.
--
-- You can use a CMK of type CUSTOMER_MANAGED_CMK to encrypt up to 500
-- delivery streams. If a CreateDeliveryStream or
-- StartDeliveryStreamEncryption operation exceeds this limit, Kinesis Data
-- Firehose throws a @LimitExceededException@.
--
-- To encrypt your delivery stream, use symmetric CMKs. Kinesis Data
-- Firehose doesn\'t support asymmetric CMKs. For information about
-- symmetric and asymmetric CMKs, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html About Symmetric and Asymmetric CMKs>
-- in the Amazon Web Services Key Management Service developer guide.
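deliveryStreamEncryptionConfigurationInput_keyType :: Lens.Lens' DeliveryStreamEncryptionConfigurationInput KeyType
deliveryStreamEncryptionConfigurationInput_keyType =
  Lens.lens
    -- Getter: project the key type out of the record.
    (\DeliveryStreamEncryptionConfigurationInput' {keyType} -> keyType)
    -- Setter: replace only 'keyType'; any previously set 'keyARN' is kept
    -- unchanged.
    (\s@DeliveryStreamEncryptionConfigurationInput' {} a -> s {keyType = a} :: DeliveryStreamEncryptionConfigurationInput)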

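-- Hashes the record by folding both fields into the salt, 'keyARN' first
-- and 'keyType' second.
instance
  Prelude.Hashable
    DeliveryStreamEncryptionConfigurationInput
  where
  hashWithSalt
    _salt
    DeliveryStreamEncryptionConfigurationInput' {..} =
      _salt
        `Prelude.hashWithSalt` keyARN
        `Prelude.hashWithSalt` keyType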

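-- Forces both fields to normal form: 'keyARN' is evaluated before
-- 'keyType'.
instance
  Prelude.NFData
    DeliveryStreamEncryptionConfigurationInput
  where
  rnf DeliveryStreamEncryptionConfigurationInput' {..} =
    Prelude.rnf keyARN
      `Prelude.seq` Prelude.rnf keyType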

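-- Serialises the record as a JSON object with the keys @KeyARN@ and
-- @KeyType@.
instance
  Data.ToJSON
    DeliveryStreamEncryptionConfigurationInput
  where
  toJSON
    DeliveryStreamEncryptionConfigurationInput' {..} =
      Data.object
        ( Prelude.catMaybes
            [ -- Optional: the @KeyARN@ pair is dropped by 'Prelude.catMaybes'
              -- when 'keyARN' is 'Prelude.Nothing', so the key is absent from
              -- the request body rather than sent as null.
              ("KeyARN" Data..=) Prelude.<$> keyARN,
              -- Required: @KeyType@ is always present in the object.
              Prelude.Just ("KeyType" Data..= keyType)
            ]
        )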