{-# LANGUAGE DeriveDataTypeable #-} {-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE TypeFamilies #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} {-# OPTIONS_GHC -fno-warn-unused-matches #-} -- Derived from AWS service descriptions, licensed under Apache 2.0. -- | -- Module : Network.AWS.KMS.PutKeyPolicy -- Copyright : (c) 2013-2018 Brendan Hay -- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay -- Stability : auto-generated -- Portability : non-portable (GHC extensions) -- -- Attaches a key policy to the specified customer master key (CMK). You cannot perform this operation on a CMK in a different AWS account. -- -- -- For more information about key policies, see in the /AWS Key Management Service Developer Guide/ . -- module Network.AWS.KMS.PutKeyPolicy ( -- * Creating a Request putKeyPolicy , PutKeyPolicy -- * Request Lenses , pkpBypassPolicyLockoutSafetyCheck , pkpKeyId , pkpPolicyName , pkpPolicy -- * Destructuring the Response , putKeyPolicyResponse , PutKeyPolicyResponse ) where import Network.AWS.KMS.Types import Network.AWS.KMS.Types.Product import Network.AWS.Lens import Network.AWS.Prelude import Network.AWS.Request import Network.AWS.Response -- | /See:/ 'putKeyPolicy' smart constructor. data PutKeyPolicy = PutKeyPolicy' { _pkpBypassPolicyLockoutSafetyCheck :: !(Maybe Bool) , _pkpKeyId :: !Text , _pkpPolicyName :: !Text , _pkpPolicy :: !Text } deriving (Eq, Read, Show, Data, Typeable, Generic) -- | Creates a value of 'PutKeyPolicy' with the minimum fields required to make a request. -- -- Use one of the following lenses to modify other fields as desired: -- -- * 'pkpBypassPolicyLockoutSafetyCheck' - A flag to indicate whether to bypass the key policy lockout safety check. /Important:/ Setting this value to true increases the risk that the CMK becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the section in the /AWS Key Management Service Developer Guide/ . Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent @PutKeyPolicy@ request on the CMK. The default value is false. -- -- * 'pkpKeyId' - A unique identifier for the customer master key (CMK). Specify the key ID or the Amazon Resource Name (ARN) of the CMK. For example: * Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@ * Key ARN: @arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab@ To get the key ID and key ARN for a CMK, use 'ListKeys' or 'DescribeKey' . -- -- * 'pkpPolicyName' - The name of the key policy. The only valid value is @default@ . -- -- * 'pkpPolicy' - The key policy to attach to the CMK. The key policy must meet the following criteria: * If you don't set @BypassPolicyLockoutSafetyCheck@ to true, the key policy must allow the principal that is making the @PutKeyPolicy@ request to make a subsequent @PutKeyPolicy@ request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the section of the /AWS Key Management Service Developer Guide/ . * Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see in the /AWS Identity and Access Management User Guide/ . The key policy size limit is 32 kilobytes (32768 bytes). putKeyPolicy :: Text -- ^ 'pkpKeyId' -> Text -- ^ 'pkpPolicyName' -> Text -- ^ 'pkpPolicy' -> PutKeyPolicy putKeyPolicy pKeyId_ pPolicyName_ pPolicy_ = PutKeyPolicy' { _pkpBypassPolicyLockoutSafetyCheck = Nothing , _pkpKeyId = pKeyId_ , _pkpPolicyName = pPolicyName_ , _pkpPolicy = pPolicy_ } -- | A flag to indicate whether to bypass the key policy lockout safety check. /Important:/ Setting this value to true increases the risk that the CMK becomes unmanageable. Do not set this value to true indiscriminately. For more information, refer to the scenario in the section in the /AWS Key Management Service Developer Guide/ . Use this parameter only when you intend to prevent the principal that is making the request from making a subsequent @PutKeyPolicy@ request on the CMK. The default value is false. pkpBypassPolicyLockoutSafetyCheck :: Lens' PutKeyPolicy (Maybe Bool) pkpBypassPolicyLockoutSafetyCheck = lens _pkpBypassPolicyLockoutSafetyCheck (\ s a -> s{_pkpBypassPolicyLockoutSafetyCheck = a}) -- | A unique identifier for the customer master key (CMK). Specify the key ID or the Amazon Resource Name (ARN) of the CMK. For example: * Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@ * Key ARN: @arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab@ To get the key ID and key ARN for a CMK, use 'ListKeys' or 'DescribeKey' . pkpKeyId :: Lens' PutKeyPolicy Text pkpKeyId = lens _pkpKeyId (\ s a -> s{_pkpKeyId = a}) -- | The name of the key policy. The only valid value is @default@ . pkpPolicyName :: Lens' PutKeyPolicy Text pkpPolicyName = lens _pkpPolicyName (\ s a -> s{_pkpPolicyName = a}) -- | The key policy to attach to the CMK. The key policy must meet the following criteria: * If you don't set @BypassPolicyLockoutSafetyCheck@ to true, the key policy must allow the principal that is making the @PutKeyPolicy@ request to make a subsequent @PutKeyPolicy@ request on the CMK. This reduces the risk that the CMK becomes unmanageable. For more information, refer to the scenario in the section of the /AWS Key Management Service Developer Guide/ . * Each statement in the key policy must contain one or more principals. The principals in the key policy must exist and be visible to AWS KMS. When you create a new AWS principal (for example, an IAM user or role), you might need to enforce a delay before including the new principal in a key policy because the new principal might not be immediately visible to AWS KMS. For more information, see in the /AWS Identity and Access Management User Guide/ . The key policy size limit is 32 kilobytes (32768 bytes). pkpPolicy :: Lens' PutKeyPolicy Text pkpPolicy = lens _pkpPolicy (\ s a -> s{_pkpPolicy = a}) instance AWSRequest PutKeyPolicy where type Rs PutKeyPolicy = PutKeyPolicyResponse request = postJSON kms response = receiveNull PutKeyPolicyResponse' instance Hashable PutKeyPolicy where instance NFData PutKeyPolicy where instance ToHeaders PutKeyPolicy where toHeaders = const (mconcat ["X-Amz-Target" =# ("TrentService.PutKeyPolicy" :: ByteString), "Content-Type" =# ("application/x-amz-json-1.1" :: ByteString)]) instance ToJSON PutKeyPolicy where toJSON PutKeyPolicy'{..} = object (catMaybes [("BypassPolicyLockoutSafetyCheck" .=) <$> _pkpBypassPolicyLockoutSafetyCheck, Just ("KeyId" .= _pkpKeyId), Just ("PolicyName" .= _pkpPolicyName), Just ("Policy" .= _pkpPolicy)]) instance ToPath PutKeyPolicy where toPath = const "/" instance ToQuery PutKeyPolicy where toQuery = const mempty -- | /See:/ 'putKeyPolicyResponse' smart constructor. data PutKeyPolicyResponse = PutKeyPolicyResponse' deriving (Eq, Read, Show, Data, Typeable, Generic) -- | Creates a value of 'PutKeyPolicyResponse' with the minimum fields required to make a request. -- putKeyPolicyResponse :: PutKeyPolicyResponse putKeyPolicyResponse = PutKeyPolicyResponse' instance NFData PutKeyPolicyResponse where