{-# LANGUAGE DeriveDataTypeable #-} {-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE TypeFamilies #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} {-# OPTIONS_GHC -fno-warn-unused-matches #-} -- Derived from AWS service descriptions, licensed under Apache 2.0. -- | -- Module : Network.AWS.KMS.CreateGrant -- Copyright : (c) 2013-2015 Brendan Hay -- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay@gmail.com> -- Stability : auto-generated -- Portability : non-portable (GHC extensions) -- -- Adds a grant to a key to specify who can use the key and under what -- conditions. Grants are alternate permission mechanisms to key policies. -- -- For more information about grants, see -- <http://docs.aws.amazon.com/kms/latest/developerguide/grants.html Grants> -- in the /AWS Key Management Service Developer Guide/. -- -- /See:/ <http://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html AWS API Reference> for CreateGrant. module Network.AWS.KMS.CreateGrant ( -- * Creating a Request createGrant , CreateGrant -- * Request Lenses , cgRetiringPrincipal , cgGrantTokens , cgConstraints , cgName , cgOperations , cgKeyId , cgGranteePrincipal -- * Destructuring the Response , createGrantResponse , CreateGrantResponse -- * Response Lenses , cgrsGrantId , cgrsGrantToken , cgrsResponseStatus ) where import Network.AWS.KMS.Types import Network.AWS.KMS.Types.Product import Network.AWS.Prelude import Network.AWS.Request import Network.AWS.Response -- | /See:/ 'createGrant' smart constructor. data CreateGrant = CreateGrant' { _cgRetiringPrincipal :: !(Maybe Text) , _cgGrantTokens :: !(Maybe [Text]) , _cgConstraints :: !(Maybe GrantConstraints) , _cgName :: !(Maybe Text) , _cgOperations :: !(Maybe [GrantOperation]) , _cgKeyId :: !Text , _cgGranteePrincipal :: !Text } deriving (Eq,Read,Show,Data,Typeable,Generic) -- | Creates a value of 'CreateGrant' with the minimum fields required to make a request. -- -- Use one of the following lenses to modify other fields as desired: -- -- * 'cgRetiringPrincipal' -- -- * 'cgGrantTokens' -- -- * 'cgConstraints' -- -- * 'cgName' -- -- * 'cgOperations' -- -- * 'cgKeyId' -- -- * 'cgGranteePrincipal' createGrant :: Text -- ^ 'cgKeyId' -> Text -- ^ 'cgGranteePrincipal' -> CreateGrant createGrant pKeyId_ pGranteePrincipal_ = CreateGrant' { _cgRetiringPrincipal = Nothing , _cgGrantTokens = Nothing , _cgConstraints = Nothing , _cgName = Nothing , _cgOperations = Nothing , _cgKeyId = pKeyId_ , _cgGranteePrincipal = pGranteePrincipal_ } -- | The principal that is given permission to retire the grant by using -- RetireGrant operation. -- -- To specify the principal, use the -- <http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Name (ARN)> -- of an AWS principal. Valid AWS principals include AWS accounts (root), -- IAM users, federated users, and assumed role users. For examples of the -- ARN syntax to use for specifying a principal, see -- <http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam AWS Identity and Access Management (IAM)> -- in the Example ARNs section of the /AWS General Reference/. cgRetiringPrincipal :: Lens' CreateGrant (Maybe Text) cgRetiringPrincipal = lens _cgRetiringPrincipal (\ s a -> s{_cgRetiringPrincipal = a}); -- | A list of grant tokens. -- -- For more information, go to -- <http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token Grant Tokens> -- in the /AWS Key Management Service Developer Guide/. cgGrantTokens :: Lens' CreateGrant [Text] cgGrantTokens = lens _cgGrantTokens (\ s a -> s{_cgGrantTokens = a}) . _Default . _Coerce; -- | The conditions under which the operations permitted by the grant are -- allowed. -- -- You can use this value to allow the operations permitted by the grant -- only when a specified encryption context is present. For more -- information, see -- <http://docs.aws.amazon.com/kms/latest/developerguide/encrypt-context.html Encryption Context> -- in the /AWS Key Management Service Developer Guide/. cgConstraints :: Lens' CreateGrant (Maybe GrantConstraints) cgConstraints = lens _cgConstraints (\ s a -> s{_cgConstraints = a}); -- | A friendly name for identifying the grant. Use this value to prevent -- unintended creation of duplicate grants when retrying this request. -- -- When this value is absent, all 'CreateGrant' requests result in a new -- grant with a unique 'GrantId' even if all the supplied parameters are -- identical. This can result in unintended duplicates when you retry the -- 'CreateGrant' request. -- -- When this value is present, you can retry a 'CreateGrant' request with -- identical parameters; if the grant already exists, the original -- 'GrantId' is returned without creating a new grant. Note that the -- returned grant token is unique with every 'CreateGrant' request, even -- when a duplicate 'GrantId' is returned. All grant tokens obtained in -- this way can be used interchangeably. cgName :: Lens' CreateGrant (Maybe Text) cgName = lens _cgName (\ s a -> s{_cgName = a}); -- | A list of operations that the grant permits. The list can contain any -- combination of one or more of the following values: -- -- - Decrypt -- - Encrypt -- - GenerateDataKey -- - GenerateDataKeyWithoutPlaintext -- - ReEncryptFrom -- - ReEncryptTo -- - CreateGrant -- - RetireGrant cgOperations :: Lens' CreateGrant [GrantOperation] cgOperations = lens _cgOperations (\ s a -> s{_cgOperations = a}) . _Default . _Coerce; -- | The unique identifier for the customer master key (CMK) that the grant -- applies to. -- -- To specify this value, use the globally unique key ID or the Amazon -- Resource Name (ARN) of the key. Examples: -- -- - Globally unique key ID: 12345678-1234-1234-1234-123456789012 -- - Key ARN: -- arn:aws:kms:us-west-2:123456789012:key\/12345678-1234-1234-1234-123456789012 cgKeyId :: Lens' CreateGrant Text cgKeyId = lens _cgKeyId (\ s a -> s{_cgKeyId = a}); -- | The principal that is given permission to perform the operations that -- the grant permits. -- -- To specify the principal, use the -- <http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Name (ARN)> -- of an AWS principal. Valid AWS principals include AWS accounts (root), -- IAM users, federated users, and assumed role users. For examples of the -- ARN syntax to use for specifying a principal, see -- <http://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam AWS Identity and Access Management (IAM)> -- in the Example ARNs section of the /AWS General Reference/. cgGranteePrincipal :: Lens' CreateGrant Text cgGranteePrincipal = lens _cgGranteePrincipal (\ s a -> s{_cgGranteePrincipal = a}); instance AWSRequest CreateGrant where type Rs CreateGrant = CreateGrantResponse request = postJSON kMS response = receiveJSON (\ s h x -> CreateGrantResponse' <$> (x .?> "GrantId") <*> (x .?> "GrantToken") <*> (pure (fromEnum s))) instance ToHeaders CreateGrant where toHeaders = const (mconcat ["X-Amz-Target" =# ("TrentService.CreateGrant" :: ByteString), "Content-Type" =# ("application/x-amz-json-1.1" :: ByteString)]) instance ToJSON CreateGrant where toJSON CreateGrant'{..} = object (catMaybes [("RetiringPrincipal" .=) <$> _cgRetiringPrincipal, ("GrantTokens" .=) <$> _cgGrantTokens, ("Constraints" .=) <$> _cgConstraints, ("Name" .=) <$> _cgName, ("Operations" .=) <$> _cgOperations, Just ("KeyId" .= _cgKeyId), Just ("GranteePrincipal" .= _cgGranteePrincipal)]) instance ToPath CreateGrant where toPath = const "/" instance ToQuery CreateGrant where toQuery = const mempty -- | /See:/ 'createGrantResponse' smart constructor. data CreateGrantResponse = CreateGrantResponse' { _cgrsGrantId :: !(Maybe Text) , _cgrsGrantToken :: !(Maybe Text) , _cgrsResponseStatus :: !Int } deriving (Eq,Read,Show,Data,Typeable,Generic) -- | Creates a value of 'CreateGrantResponse' with the minimum fields required to make a request. -- -- Use one of the following lenses to modify other fields as desired: -- -- * 'cgrsGrantId' -- -- * 'cgrsGrantToken' -- -- * 'cgrsResponseStatus' createGrantResponse :: Int -- ^ 'cgrsResponseStatus' -> CreateGrantResponse createGrantResponse pResponseStatus_ = CreateGrantResponse' { _cgrsGrantId = Nothing , _cgrsGrantToken = Nothing , _cgrsResponseStatus = pResponseStatus_ } -- | The unique identifier for the grant. -- -- You can use the 'GrantId' in a subsequent RetireGrant or RevokeGrant -- operation. cgrsGrantId :: Lens' CreateGrantResponse (Maybe Text) cgrsGrantId = lens _cgrsGrantId (\ s a -> s{_cgrsGrantId = a}); -- | The grant token. -- -- For more information about using grant tokens, see -- <http://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token Grant Tokens> -- in the /AWS Key Management Service Developer Guide/. cgrsGrantToken :: Lens' CreateGrantResponse (Maybe Text) cgrsGrantToken = lens _cgrsGrantToken (\ s a -> s{_cgrsGrantToken = a}); -- | The response status code. cgrsResponseStatus :: Lens' CreateGrantResponse Int cgrsResponseStatus = lens _cgrsResponseStatus (\ s a -> s{_cgrsResponseStatus = a});