{-# LANGUAGE DeriveDataTypeable #-}
{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE TypeFamilies #-}

{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-binds #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Network.AWS.KMS.ImportKeyMaterial
-- Copyright   : (c) 2013-2017 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
--
-- Imports key material into an existing AWS KMS customer master key (CMK)
-- that was created without key material. You cannot perform this operation
-- on a CMK in a different AWS account. For more information about creating
-- CMKs with no key material and then importing key material, see
-- <http://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html Importing Key Material>
-- in the /AWS Key Management Service Developer Guide/.
--
-- Before using this operation, call 'GetParametersForImport'. Its response
-- includes a public key and an import token. Use the public key to encrypt
-- the key material. Then, submit the import token from the same
-- @GetParametersForImport@ response.
--
-- When calling this operation, you must specify the following values:
--
--     * The key ID or key ARN of a CMK with no key material. Its @Origin@
--       must be @EXTERNAL@. To create a CMK with no key material, call
--       'CreateKey' and set the value of its @Origin@ parameter to
--       @EXTERNAL@. To get the @Origin@ of a CMK, call 'DescribeKey'.
--
--     * The encrypted key material. To get the public key to encrypt the
--       key material, call 'GetParametersForImport'.
--
--     * The import token that 'GetParametersForImport' returned. This token
--       and the public key used to encrypt the key material must have come
--       from the same response.
--
--     * Whether the key material expires and if so, when. If you set an
--       expiration date, you can change it only by reimporting the same key
--       material and specifying a new expiration date. If the key material
--       expires, AWS KMS deletes the key material and the CMK becomes
--       unusable. To use the CMK again, you must reimport the same key
--       material.
--
-- When this operation is successful, the CMK's key state changes from
-- @PendingImport@ to @Enabled@, and you can use the CMK. After you
-- successfully import key material into a CMK, you can reimport the same key
-- material into that CMK, but you cannot import different key material.
--
module Network.AWS.KMS.ImportKeyMaterial
    (
    -- * Creating a Request
      importKeyMaterial
    , ImportKeyMaterial
    -- * Request Lenses
    , ikmExpirationModel
    , ikmValidTo
    , ikmKeyId
    , ikmImportToken
    , ikmEncryptedKeyMaterial

    -- * Destructuring the Response
    , importKeyMaterialResponse
    , ImportKeyMaterialResponse
    -- * Response Lenses
    , ikmrsResponseStatus
    ) where

import Network.AWS.KMS.Types
import Network.AWS.KMS.Types.Product
import Network.AWS.Lens
import Network.AWS.Prelude
import Network.AWS.Request
import Network.AWS.Response

-- NOTE(review): the derived 'Show' instance covers every field, including the
-- import token and the encrypted key material, so showing a request value
-- (for example in a log line or an error message) may write both out.
-- How 'Base64' renders under 'Show' is not visible in this module; confirm
-- before logging values of this type.

-- | Request record for the ImportKeyMaterial operation. All fields are
-- strict; the two optional ones control expiry of the imported material.
--
-- /See:/ 'importKeyMaterial' smart constructor.
data ImportKeyMaterial = ImportKeyMaterial'
    { _ikmExpirationModel :: !(Maybe ExpirationModelType)
    , _ikmValidTo :: !(Maybe POSIX)
    , _ikmKeyId :: !Text
    , _ikmImportToken :: !Base64
    , _ikmEncryptedKeyMaterial :: !Base64
    } deriving (Eq, Read, Show, Data, Typeable, Generic)

-- | Creates a value of 'ImportKeyMaterial' with the minimum fields required
-- to make a request.
--
-- The constructor leaves both 'ikmExpirationModel' and 'ikmValidTo' unset.
-- According to the parameter descriptions below, the service then assumes
-- @KEY_MATERIAL_EXPIRES@, which requires @ValidTo@; set 'ikmValidTo', or set
-- 'ikmExpirationModel' to @KEY_MATERIAL_DOES_NOT_EXPIRE@, before sending.
--
-- Use one of the following lenses to modify other fields as desired:
--
-- * 'ikmExpirationModel' - Specifies whether the key material expires. The
--   default is @KEY_MATERIAL_EXPIRES@, in which case you must include the
--   @ValidTo@ parameter. When this parameter is set to
--   @KEY_MATERIAL_DOES_NOT_EXPIRE@, you must omit the @ValidTo@ parameter.
--
-- * 'ikmValidTo' - The time at which the imported key material expires.
--   When the key material expires, AWS KMS deletes the key material and the
--   CMK becomes unusable. You must omit this parameter when the
--   @ExpirationModel@ parameter is set to @KEY_MATERIAL_DOES_NOT_EXPIRE@.
--   Otherwise it is required.
--
-- * 'ikmKeyId' - The identifier of the CMK to import the key material into.
--   The CMK's @Origin@ must be @EXTERNAL@. Specify the key ID or the Amazon
--   Resource Name (ARN) of the CMK. For example:
--   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@;
--   Key ARN: @arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab@.
--   To get the key ID and key ARN for a CMK, use 'ListKeys' or 'DescribeKey'.
--
-- * 'ikmImportToken' - The import token that you received in the response to
--   a previous 'GetParametersForImport' request. It must be from the same
--   response that contained the public key that you used to encrypt the key
--   material.
--   /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The
--   underlying isomorphism will encode to Base64 representation during
--   serialisation, and decode from Base64 representation during
--   deserialisation. This 'Lens' accepts and returns only raw unencoded data.
--
-- * 'ikmEncryptedKeyMaterial' - The encrypted key material to import. It must
--   be encrypted with the public key that you received in the response to a
--   previous 'GetParametersForImport' request, using the wrapping algorithm
--   that you specified in that request.
--   /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The
--   underlying isomorphism will encode to Base64 representation during
--   serialisation, and decode from Base64 representation during
--   deserialisation. This 'Lens' accepts and returns only raw unencoded data.
importKeyMaterial
    :: Text -- ^ 'ikmKeyId'
    -> ByteString -- ^ 'ikmImportToken'
    -> ByteString -- ^ 'ikmEncryptedKeyMaterial'
    -> ImportKeyMaterial
importKeyMaterial keyId importToken encryptedMaterial =
    ImportKeyMaterial'
        { -- Both expiry fields start out unset. The description of
          -- 'ikmExpirationModel' gives KEY_MATERIAL_EXPIRES as the default,
          -- and that model requires ValidTo, so a caller has to set one of
          -- the two lenses before the request is sent.
          _ikmExpirationModel = Nothing
        , _ikmValidTo = Nothing
        , _ikmKeyId = keyId
          -- The raw bytes are wrapped in 'Base64' here; the JSON instance
          -- serialises the wrapped values.
        , _ikmImportToken = _Base64 # importToken
        , _ikmEncryptedKeyMaterial = _Base64 # encryptedMaterial
        }

-- | Whether the imported key material expires. The service default is
-- @KEY_MATERIAL_EXPIRES@, and in that case the @ValidTo@ parameter must be
-- supplied. With @KEY_MATERIAL_DOES_NOT_EXPIRE@ the @ValidTo@ parameter must
-- be left out.
ikmExpirationModel :: Lens' ImportKeyMaterial (Maybe ExpirationModelType)
ikmExpirationModel =
    lens _ikmExpirationModel (\req model -> req {_ikmExpirationModel = model})

-- | When the imported key material expires. Once it expires, AWS KMS deletes
-- the key material and the CMK becomes unusable. Leave this out when
-- @ExpirationModel@ is @KEY_MATERIAL_DOES_NOT_EXPIRE@; otherwise it is
-- required.
ikmValidTo :: Lens' ImportKeyMaterial (Maybe UTCTime)
ikmValidTo =
    lens _ikmValidTo (\req expiry -> req {_ikmValidTo = expiry})
        . mapping _Time

-- | Identifier of the CMK that receives the key material. The CMK's @Origin@
-- must be @EXTERNAL@. Either the key ID or the Amazon Resource Name (ARN) of
-- the CMK is accepted, for example:
--
-- * Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- * Key ARN: @arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- Use 'ListKeys' or 'DescribeKey' to look up the key ID and key ARN of a CMK.
ikmKeyId :: Lens' ImportKeyMaterial Text
ikmKeyId = lens _ikmKeyId (\req ident -> req {_ikmKeyId = ident})

-- | The import token returned by an earlier 'GetParametersForImport' request.
-- It has to come from the same response as the public key that encrypted the
-- key material.
--
-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The
-- underlying isomorphism encodes to Base64 during serialisation and decodes
-- from Base64 during deserialisation, so this 'Lens' accepts and returns only
-- raw unencoded data.
ikmImportToken :: Lens' ImportKeyMaterial ByteString
ikmImportToken =
    lens _ikmImportToken (\req token -> req {_ikmImportToken = token})
        . _Base64

-- | The encrypted key material to import. It has to be encrypted with the
-- public key returned by an earlier 'GetParametersForImport' request, using
-- the wrapping algorithm named in that request.
--
-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The
-- underlying isomorphism encodes to Base64 during serialisation and decodes
-- from Base64 during deserialisation, so this 'Lens' accepts and returns only
-- raw unencoded data.
ikmEncryptedKeyMaterial :: Lens' ImportKeyMaterial ByteString
ikmEncryptedKeyMaterial =
    lens
        _ikmEncryptedKeyMaterial
        (\req material -> req {_ikmEncryptedKeyMaterial = material})
        . _Base64

-- The request is a JSON POST against the kms service; the response has no
-- body, so only the status code is kept.
instance AWSRequest ImportKeyMaterial where
    type Rs ImportKeyMaterial = ImportKeyMaterialResponse
    request = postJSON kms
    response =
        receiveEmpty
            (\status _headers _body ->
                 pure (ImportKeyMaterialResponse' (fromEnum status)))

instance Hashable ImportKeyMaterial

instance NFData ImportKeyMaterial

-- Fixed headers: the operation target and the JSON 1.1 content type.
instance ToHeaders ImportKeyMaterial where
    toHeaders _ =
        mconcat
            [ "X-Amz-Target" =# ("TrentService.ImportKeyMaterial" :: ByteString)
            , "Content-Type" =# ("application/x-amz-json-1.1" :: ByteString)
            ]

-- The two optional expiry fields are emitted only when set; the key id,
-- import token and encrypted key material are always emitted.
instance ToJSON ImportKeyMaterial where
    toJSON ImportKeyMaterial' {..} =
        object . catMaybes $
            [ fmap ("ExpirationModel" .=) _ikmExpirationModel
            , fmap ("ValidTo" .=) _ikmValidTo
            , Just ("KeyId" .= _ikmKeyId)
            , Just ("ImportToken" .= _ikmImportToken)
            , Just ("EncryptedKeyMaterial" .= _ikmEncryptedKeyMaterial)
            ]

instance ToPath ImportKeyMaterial where
    toPath _ = "/"

instance ToQuery ImportKeyMaterial where
    toQuery _ = mempty

-- | /See:/ 'importKeyMaterialResponse' smart constructor.
newtype ImportKeyMaterialResponse = ImportKeyMaterialResponse'
    { _ikmrsResponseStatus :: Int
    } deriving (Eq, Read, Show, Data, Typeable, Generic)

-- | Creates a value of 'ImportKeyMaterialResponse' from its only field.
--
-- Use the following lens to read or modify it:
--
-- * 'ikmrsResponseStatus' - The response status code.
importKeyMaterialResponse
    :: Int -- ^ 'ikmrsResponseStatus'
    -> ImportKeyMaterialResponse
importKeyMaterialResponse statusCode = ImportKeyMaterialResponse' statusCode

-- | The response status code.
ikmrsResponseStatus :: Lens' ImportKeyMaterialResponse Int
ikmrsResponseStatus =
    lens _ikmrsResponseStatus (\rs code -> rs {_ikmrsResponseStatus = code})

instance NFData ImportKeyMaterialResponse