Completes the lifecycle action for the specified token or instance with the specified\n result.
\nThis step is a part of the procedure for adding a lifecycle hook to an Auto Scaling\n group:
\n(Optional) Create a Lambda function and a rule that allows Amazon EventBridge to\n invoke your Lambda function when Amazon EC2 Auto Scaling launches or terminates\n instances.
\n(Optional) Create a notification target and an IAM role. The target can be\n either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish\n lifecycle notifications to the target.
\nCreate the lifecycle hook. Specify whether the hook is used when the instances\n launch or terminate.
\nIf you need more time, record the lifecycle action heartbeat to keep the\n instance in a pending state.
\n\n If you finish before the timeout period ends, send a\n callback by using the CompleteLifecycleAction API\n call.\n
\nFor more information, see Amazon EC2 Auto Scaling lifecycle\n hooks in the Amazon EC2 Auto Scaling User Guide.
" + "smithy.api#documentation": "Completes the lifecycle action for the specified token or instance with the specified\n result.
\nThis step is a part of the procedure for adding a lifecycle hook to an Auto Scaling\n group:
\n(Optional) Create a launch template or launch configuration with a user data\n script that runs while an instance is in a wait state due to a lifecycle\n hook.
\n(Optional) Create a Lambda function and a rule that allows Amazon EventBridge to invoke\n your Lambda function when an instance is put into a wait state due to a\n lifecycle hook.
\n(Optional) Create a notification target and an IAM role. The target can be\n either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish\n lifecycle notifications to the target.
\nCreate the lifecycle hook. Specify whether the hook is used when the instances\n launch or terminate.
\nIf you need more time, record the lifecycle action heartbeat to keep the\n instance in a wait state.
\n\n If you finish before the timeout period ends, send a\n callback by using the CompleteLifecycleAction API\n call.\n
\nFor more information, see Amazon EC2 Auto Scaling lifecycle\n hooks in the Amazon EC2 Auto Scaling User Guide.
" } }, "com.amazonaws.autoscaling#CompleteLifecycleActionAnswer": { @@ -1583,7 +1583,7 @@ } ], "traits": { - "smithy.api#documentation": "\n We strongly recommend using a launch template when calling this operation to ensure full functionality for Amazon EC2 Auto Scaling and Amazon EC2.\n
\nCreates an Auto Scaling group with\n the specified name and attributes.
\nIf you exceed your maximum limit of Auto Scaling groups, the call fails. To query this limit,\n call the DescribeAccountLimits API. For information about updating\n this limit, see Amazon EC2 Auto Scaling service\n quotas in the Amazon EC2 Auto Scaling User Guide.
\nFor introductory exercises for creating an Auto Scaling group, see Getting started with\n Amazon EC2 Auto Scaling and Tutorial: Set up a\n scaled and load-balanced application in the\n Amazon EC2 Auto Scaling User Guide. For more information, see Auto Scaling\n groups in the Amazon EC2 Auto Scaling User Guide.
\nEvery Auto Scaling group has three size parameters (DesiredCapacity,\n MaxSize, and MinSize). Usually, you set these sizes based\n on a specific number of instances. However, if you configure a mixed instances policy\n that defines weights for the instance types, you must specify these sizes with the same\n units that you use for weighting instances.
\n We strongly recommend using a launch template when calling this operation to ensure full functionality for Amazon EC2 Auto Scaling and Amazon EC2.\n
\nCreates an Auto Scaling group with the specified name and attributes.
\nIf you exceed your maximum limit of Auto Scaling groups, the call fails. To query this limit,\n call the DescribeAccountLimits API. For information about updating\n this limit, see Amazon EC2 Auto Scaling service\n quotas in the Amazon EC2 Auto Scaling User Guide.
\nFor introductory exercises for creating an Auto Scaling group, see Getting started with\n Amazon EC2 Auto Scaling and Tutorial: Set up a\n scaled and load-balanced application in the\n Amazon EC2 Auto Scaling User Guide. For more information, see Auto Scaling\n groups in the Amazon EC2 Auto Scaling User Guide.
\nEvery Auto Scaling group has three size parameters (DesiredCapacity,\n MaxSize, and MinSize). Usually, you set these sizes based\n on a specific number of instances. However, if you configure a mixed instances policy\n that defines weights for the instance types, you must specify these sizes with the same\n units that you use for weighting instances.
An embedded object that specifies a mixed instances policy.
\n \n \n \nFor more information, see Auto Scaling groups with multiple\n instance types and purchase options in the Amazon EC2 Auto Scaling User\n Guide.
" + "smithy.api#documentation": "An embedded object that specifies a mixed instances policy.
\n \n \n \nFor more information, see Auto Scaling\n groups with multiple instance types and purchase options in the\n Amazon EC2 Auto Scaling User Guide.
" } }, "InstanceId": { @@ -1673,7 +1673,7 @@ "HealthCheckGracePeriod": { "target": "com.amazonaws.autoscaling#HealthCheckGracePeriod", "traits": { - "smithy.api#documentation": "The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status\n of an EC2 instance that has come into service and marking it unhealthy due to a failed\n health check. The default value is 0. For more information, see Health\n check grace period in the Amazon EC2 Auto Scaling User Guide.
Conditional: Required if you are adding an ELB health check.
The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status\n of an EC2 instance that has come into service and marking it unhealthy due to a failed\n health check. The default value is 0. For more information, see Health\n check grace period in the Amazon EC2 Auto Scaling User Guide.
Required if you are adding an ELB health check.
Gets information about a warm pool and its instances.
\nFor more information, see Warm pools for\n Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.
" + "smithy.api#documentation": "Gets information about a warm pool and its instances.
\nFor more information, see Warm pools for\n Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.
" } }, "com.amazonaws.autoscaling#DescribeWarmPoolAnswer": { @@ -4284,13 +4284,13 @@ "SpotMaxPricePercentageOverLowestPrice": { "target": "com.amazonaws.autoscaling#NullablePositiveInteger", "traits": { - "smithy.api#documentation": "The price protection threshold for Spot Instances. This is the maximum you’ll pay for\n a Spot Instance, expressed as a percentage higher than the cheapest M, C, or R instance\n type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your\n attributes, we will exclude instance types whose price is higher than your threshold.\n The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off\n price protection, specify a high value, such as 999999.
Default: 100\n
The price protection threshold for Spot Instances. This is the maximum you’ll pay for\n a Spot Instance, expressed as a percentage higher than the cheapest M, C, or R instance\n type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your\n attributes, we will exclude instance types whose price is higher than your threshold.\n The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off\n price protection, specify a high value, such as 999999.
If you set DesiredCapacityType to vcpu or\n memory-mib, the price protection threshold is applied based on the per\n vCPU or per memory price instead of the per instance price.
Default: 100\n
The price protection threshold for On-Demand Instances. This is the maximum you’ll pay\n for an On-Demand Instance, expressed as a percentage higher than the cheapest M, C, or R\n instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with\n your attributes, we will exclude instance types whose price is higher than your\n threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage.\n To turn off price protection, specify a high value, such as 999999.
Default: 20\n
The price protection threshold for On-Demand Instances. This is the maximum you’ll pay\n for an On-Demand Instance, expressed as a percentage higher than the cheapest M, C, or R\n instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with\n your attributes, we will exclude instance types whose price is higher than your\n threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage.\n To turn off price protection, specify a high value, such as 999999.
If you set DesiredCapacityType to vcpu or\n memory-mib, the price protection threshold is applied based on the per\n vCPU or per memory price instead of the per instance price.
Default: 20\n
When you specify multiple parameters, you get instance types that satisfy all of the\n specified parameters. If you specify multiple values for a parameter, you get instance\n types that satisfy any of the specified values.
\n \n \nRepresents requirements for the types of instances that can be launched. You\n must specify VCpuCount and MemoryMiB, but all other parameters\n are optional. For more information, see Creating\n an Auto Scaling group using attribute-based instance type selection in the\n Amazon EC2 Auto Scaling User Guide.
Specifies whether instances in the Auto Scaling group can be returned to the warm pool on\n scale in.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Describes an instance reuse policy for a warm pool.
\nFor more information, see Warm pools for\n Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide.
" + } + }, "com.amazonaws.autoscaling#Instances": { "type": "list", "member": { @@ -4704,13 +4718,13 @@ "WeightedCapacity": { "target": "com.amazonaws.autoscaling#XmlStringMaxLen32", "traits": { - "smithy.api#documentation": "The number of capacity units provided by the instance type specified in\n InstanceType in terms of virtual CPUs, memory, storage, throughput, or\n other relative performance characteristic. When a Spot or On-Demand Instance is\n launched, the capacity units count toward the desired capacity. Amazon EC2 Auto Scaling launches\n instances until the desired capacity is totally fulfilled, even if this results in an\n overage. For example, if there are two units remaining to fulfill capacity, and Amazon EC2 Auto Scaling\n can only launch an instance with a WeightedCapacity of five units, the\n instance is launched, and the desired capacity is exceeded by three units. For more\n information, see Instance weighting for\n Amazon EC2 Auto Scaling in the Amazon EC2 Auto Scaling User Guide. Value must be in the\n range of 1–999.
The number of capacity units provided by the instance type specified in\n InstanceType in terms of virtual CPUs, memory, storage, throughput, or\n other relative performance characteristic. When a Spot or On-Demand Instance is\n launched, the capacity units count toward the desired capacity. Amazon EC2 Auto Scaling launches\n instances until the desired capacity is totally fulfilled, even if this results in an\n overage. For example, if there are two units remaining to fulfill capacity, and Amazon EC2 Auto Scaling\n can only launch an instance with a WeightedCapacity of five units, the\n instance is launched, and the desired capacity is exceeded by three units. For more\n information, see Configuring instance weighting for Amazon EC2 Auto Scaling in the\n Amazon EC2 Auto Scaling User Guide. Value must be in the range of 1–999.
Provides the launch template to be used when launching the instance type specified in\n InstanceType. For example, some instance types might require a launch\n template with a different AMI. If not provided, Amazon EC2 Auto Scaling uses the launch template that's\n defined for your mixed instances policy. For more information, see Specifying a\n different launch template for an instance type in the\n Amazon EC2 Auto Scaling User Guide.
Provides a launch template for the specified instance type or instance requirements.\n For example, some instance types might require a launch template with a different AMI.\n If not provided, Amazon EC2 Auto Scaling uses the launch template that's defined for your mixed\n instances policy. For more information, see Specifying a different launch template for an instance type in the\n Amazon EC2 Auto Scaling User Guide.
" } }, "InstanceRequirements": { @@ -4792,7 +4806,7 @@ "RoleARN": { "target": "com.amazonaws.autoscaling#XmlStringMaxLen255", "traits": { - "smithy.api#documentation": "The ARN of the IAM role that allows the Auto Scaling group to publish to the specified\n notification target.
" + "smithy.api#documentation": "The ARN of the IAM role that allows the Auto Scaling group to publish to the specified\n notification target (an Amazon SNS topic or an Amazon SQS queue).
" } }, "NotificationMetadata": { @@ -4821,7 +4835,7 @@ } }, "traits": { - "smithy.api#documentation": "Describes a lifecycle hook, which enables an Auto Scaling group to be aware of events in the\n Auto Scaling instance lifecycle, and then perform a custom action when the corresponding\n lifecycle event occurs.
" + "smithy.api#documentation": "Describes a lifecycle hook. A lifecycle hook lets you create solutions that are aware\n of events in the Auto Scaling instance lifecycle, and then perform a custom action on instances\n when the corresponding lifecycle event\n occurs.
" } }, "com.amazonaws.autoscaling#LifecycleHookNames": { @@ -4880,7 +4894,7 @@ "RoleARN": { "target": "com.amazonaws.autoscaling#XmlStringMaxLen255", "traits": { - "smithy.api#documentation": "The ARN of the IAM role that allows the Auto Scaling group to publish to the specified\n notification target, for example, an Amazon SNS topic or an Amazon SQS queue.
" + "smithy.api#documentation": "The ARN of the IAM role that allows the Auto Scaling group to publish to the specified\n notification target.
\nValid only if the notification target is an Amazon SNS topic or an Amazon SQS queue. Required\n for new lifecycle hooks, but optional when updating existing hooks.
" } } }, @@ -4991,6 +5005,10 @@ { "value": "Warmed:Running", "name": "WARMED_RUNNING" + }, + { + "value": "Warmed:Hibernated", + "name": "WARMED_HIBERNATED" } ] } @@ -5758,7 +5776,7 @@ "PredefinedMetricType": { "target": "com.amazonaws.autoscaling#MetricType", "traits": { - "smithy.api#documentation": "The metric type. The following predefined metrics are available:
\n\n ASGAverageCPUUtilization - Average CPU utilization of the Auto Scaling\n group.
\n ASGAverageNetworkIn - Average number of bytes received on all\n network interfaces by the Auto Scaling group.
\n ASGAverageNetworkOut - Average number of bytes sent out on all\n network interfaces by the Auto Scaling group.
\n ALBRequestCountPerTarget - Number of requests completed per\n target in an Application Load Balancer target group.
The metric type. The following predefined metrics are available:
\n\n ASGAverageCPUUtilization - Average CPU utilization of the Auto Scaling\n group.
\n ASGAverageNetworkIn - Average number of bytes received (per\n instance per minute) for the Auto Scaling group.
\n ASGAverageNetworkOut - Average number of bytes sent out (per\n instance per minute) for the Auto Scaling group.
\n ALBRequestCountPerTarget - Average Application Load Balancer request count (per\n target per minute) for your Auto Scaling group.
Creates or updates a lifecycle hook for the specified Auto Scaling group.
\nA lifecycle hook enables an Auto Scaling group to be aware of events in the Auto Scaling instance\n lifecycle, and then perform a custom action when the corresponding lifecycle event\n occurs.
\nThis step is a part of the procedure for adding a lifecycle hook to an Auto Scaling\n group:
\n(Optional) Create a Lambda function and a rule that allows Amazon EventBridge to\n invoke your Lambda function when Amazon EC2 Auto Scaling launches or terminates\n instances.
\n(Optional) Create a notification target and an IAM role. The target can be\n either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish\n lifecycle notifications to the target.
\n\n Create the lifecycle hook. Specify whether the hook is\n used when the instances launch or terminate.\n
\nIf you need more time, record the lifecycle action heartbeat to keep the\n instance in a pending state using the RecordLifecycleActionHeartbeat API call.
\nIf you finish before the timeout period ends, send a callback by using the\n CompleteLifecycleAction API call.
\nFor more information, see Amazon EC2 Auto Scaling lifecycle\n hooks in the Amazon EC2 Auto Scaling User Guide.
\nIf you exceed your maximum limit of lifecycle hooks, which by default is 50 per Auto Scaling\n group, the call fails.
\nYou can view the lifecycle hooks for an Auto Scaling group using the DescribeLifecycleHooks API call. If you are no longer using a lifecycle\n hook, you can delete it by calling the DeleteLifecycleHook API.
" + "smithy.api#documentation": "Creates or updates a lifecycle hook for the specified Auto Scaling group.
\nLifecycle hooks let you create solutions that are aware of events in the Auto Scaling instance\n lifecycle, and then perform a custom action on instances when the corresponding\n lifecycle event occurs.
\nThis step is a part of the procedure for adding a lifecycle hook to an Auto Scaling\n group:
\n(Optional) Create a launch template or launch configuration with a user data\n script that runs while an instance is in a wait state due to a lifecycle\n hook.
\n(Optional) Create a Lambda function and a rule that allows Amazon EventBridge to invoke\n your Lambda function when an instance is put into a wait state due to a\n lifecycle hook.
\n(Optional) Create a notification target and an IAM role. The target can be\n either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish\n lifecycle notifications to the target.
\n\n Create the lifecycle hook. Specify whether the hook is\n used when the instances launch or terminate.\n
\nIf you need more time, record the lifecycle action heartbeat to keep the\n instance in a wait state using the RecordLifecycleActionHeartbeat API call.
\nIf you finish before the timeout period ends, send a callback by using the\n CompleteLifecycleAction API call.
\nFor more information, see Amazon EC2 Auto Scaling lifecycle\n hooks in the Amazon EC2 Auto Scaling User Guide.
\nIf you exceed your maximum limit of lifecycle hooks, which by default is 50 per Auto Scaling\n group, the call fails.
\nYou can view the lifecycle hooks for an Auto Scaling group using the DescribeLifecycleHooks API call. If you are no longer using a lifecycle\n hook, you can delete it by calling the DeleteLifecycleHook API.
" } }, "com.amazonaws.autoscaling#PutLifecycleHookAnswer": { @@ -6164,7 +6182,7 @@ "RoleARN": { "target": "com.amazonaws.autoscaling#XmlStringMaxLen255", "traits": { - "smithy.api#documentation": "The ARN of the IAM role that allows the Auto Scaling group to publish to the specified\n notification target, for example, an Amazon SNS topic or an Amazon SQS queue.
\nRequired for new lifecycle hooks, but optional when updating existing hooks.
" + "smithy.api#documentation": "The ARN of the IAM role that allows the Auto Scaling group to publish to the specified\n notification target.
\nValid only if the notification target is an Amazon SNS topic or an Amazon SQS queue. Required\n for new lifecycle hooks, but optional when updating existing hooks.
" } }, "NotificationTargetARN": { @@ -6491,6 +6509,12 @@ "traits": { "smithy.api#documentation": "Sets the instance state to transition to after the lifecycle actions are complete.\n Default is Stopped.
Indicates whether instances in the Auto Scaling group can be returned to the warm pool on\n scale in. The default is to terminate instances in the Auto Scaling group when the group scales\n in.
" + } } } }, @@ -6508,7 +6532,7 @@ } ], "traits": { - "smithy.api#documentation": "Records a heartbeat for the lifecycle action associated with the specified token or\n instance. This extends the timeout by the length of time defined using the PutLifecycleHook API call.
\nThis step is a part of the procedure for adding a lifecycle hook to an Auto Scaling\n group:
\n(Optional) Create a Lambda function and a rule that allows Amazon EventBridge to\n invoke your Lambda function when Amazon EC2 Auto Scaling launches or terminates\n instances.
\n(Optional) Create a notification target and an IAM role. The target can be\n either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish\n lifecycle notifications to the target.
\nCreate the lifecycle hook. Specify whether the hook is used when the instances\n launch or terminate.
\n\n If you need more time, record the lifecycle action\n heartbeat to keep the instance in a pending state.\n
\nIf you finish before the timeout period ends, send a callback by using the\n CompleteLifecycleAction API call.
\nFor more information, see Amazon EC2 Auto Scaling lifecycle\n hooks in the Amazon EC2 Auto Scaling User Guide.
" + "smithy.api#documentation": "Records a heartbeat for the lifecycle action associated with the specified token or\n instance. This extends the timeout by the length of time defined using the PutLifecycleHook API call.
\nThis step is a part of the procedure for adding a lifecycle hook to an Auto Scaling\n group:
\n(Optional) Create a launch template or launch configuration with a user data\n script that runs while an instance is in a wait state due to a lifecycle\n hook.
\n(Optional) Create a Lambda function and a rule that allows Amazon EventBridge to invoke\n your Lambda function when an instance is put into a wait state due to a\n lifecycle hook.
\n(Optional) Create a notification target and an IAM role. The target can be\n either an Amazon SQS queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish\n lifecycle notifications to the target.
\nCreate the lifecycle hook. Specify whether the hook is used when the instances\n launch or terminate.
\n\n If you need more time, record the lifecycle action\n heartbeat to keep the instance in a wait state.\n
\nIf you finish before the timeout period ends, send a callback by using the\n CompleteLifecycleAction API call.
\nFor more information, see Amazon EC2 Auto Scaling lifecycle\n hooks in the Amazon EC2 Auto Scaling User Guide.
" } }, "com.amazonaws.autoscaling#RecordLifecycleActionHeartbeatAnswer": { @@ -6677,6 +6701,12 @@ "smithy.api#box": {} } }, + "com.amazonaws.autoscaling#ReuseOnScaleIn": { + "type": "boolean", + "traits": { + "smithy.api#box": {} + } + }, "com.amazonaws.autoscaling#ScalingActivityInProgressFault": { "type": "structure", "members": { @@ -6939,13 +6969,13 @@ "StartTime": { "target": "com.amazonaws.autoscaling#TimestampType", "traits": { - "smithy.api#documentation": "The date and time in UTC for this action to start. For example,\n \"2019-06-01T00:00:00Z\".\n
The date and time in UTC for this action to start. For example,\n \"2019-06-01T00:00:00Z\".
The date and time in UTC for the recurring schedule to end. For example,\n \"2019-06-01T00:00:00Z\".\n
The date and time in UTC for the recurring schedule to end. For example,\n \"2019-06-01T00:00:00Z\".
The target value for the metric.
", + "smithy.api#documentation": "The target value for the metric.
\nSome metrics are based on a count instead of a percentage, such as the request\n count for an Application Load Balancer or the number of messages in an SQS queue. If the scaling policy\n specifies one of these metrics, specify the target utilization as the optimal\n average request or message count per instance during any one-minute interval.\n
\n\n We strongly recommend that all Auto Scaling groups use launch templates to ensure full functionality for Amazon EC2 Auto Scaling and Amazon EC2.\n
\nUpdates the configuration for\n the specified Auto Scaling group.
\nTo update an Auto Scaling group, specify the name of the group and the parameter that you want\n to change. Any parameters that you don't specify are not changed by this update request.\n The new settings take effect on any scaling activities after this call returns.\n
\nIf you associate a new launch configuration or template with an Auto Scaling group, all new\n instances will get the updated configuration. Existing instances continue to run with\n the configuration that they were originally launched with. When you update a group to\n specify a mixed instances policy instead of a launch configuration or template, existing\n instances may be replaced to match the new purchasing options that you specified in the\n policy. For example, if the group currently has 100% On-Demand capacity and the policy\n specifies 50% Spot capacity, this means that half of your instances will be gradually\n terminated and relaunched as Spot Instances. When replacing instances, Amazon EC2 Auto Scaling launches\n new instances before terminating the old ones, so that updating your group does not\n compromise the performance or availability of your application.
\nNote the following about changing DesiredCapacity, MaxSize,\n or MinSize:
If a scale-in activity occurs as a result of a new\n DesiredCapacity value that is lower than the current size of\n the group, the Auto Scaling group uses its termination policy to determine which\n instances to terminate.
If you specify a new value for MinSize without specifying a value\n for DesiredCapacity, and the new MinSize is larger\n than the current size of the group, this sets the group's\n DesiredCapacity to the new MinSize value.
If you specify a new value for MaxSize without specifying a value\n for DesiredCapacity, and the new MaxSize is smaller\n than the current size of the group, this sets the group's\n DesiredCapacity to the new MaxSize value.
To see which parameters have been set, call the DescribeAutoScalingGroups API. To view the scaling policies for an Auto Scaling\n group, call the DescribePolicies API. If the group has scaling\n policies, you can update them by calling the PutScalingPolicy\n API.
" + "smithy.api#documentation": "\n We strongly recommend that all Auto Scaling groups use launch templates to ensure full functionality for Amazon EC2 Auto Scaling and Amazon EC2.\n
\nUpdates the configuration for the specified Auto Scaling group.
\nTo update an Auto Scaling group, specify the name of the group and the parameter that you want\n to change. Any parameters that you don't specify are not changed by this update request.\n The new settings take effect on any scaling activities after this call returns.\n
\nIf you associate a new launch configuration or template with an Auto Scaling group, all new\n instances will get the updated configuration. Existing instances continue to run with\n the configuration that they were originally launched with. When you update a group to\n specify a mixed instances policy instead of a launch configuration or template, existing\n instances may be replaced to match the new purchasing options that you specified in the\n policy. For example, if the group currently has 100% On-Demand capacity and the policy\n specifies 50% Spot capacity, this means that half of your instances will be gradually\n terminated and relaunched as Spot Instances. When replacing instances, Amazon EC2 Auto Scaling launches\n new instances before terminating the old ones, so that updating your group does not\n compromise the performance or availability of your application.
\nNote the following about changing DesiredCapacity, MaxSize,\n or MinSize:
If a scale-in activity occurs as a result of a new\n DesiredCapacity value that is lower than the current size of\n the group, the Auto Scaling group uses its termination policy to determine which\n instances to terminate.
If you specify a new value for MinSize without specifying a value\n for DesiredCapacity, and the new MinSize is larger\n than the current size of the group, this sets the group's\n DesiredCapacity to the new MinSize value.
If you specify a new value for MaxSize without specifying a value\n for DesiredCapacity, and the new MaxSize is smaller\n than the current size of the group, this sets the group's\n DesiredCapacity to the new MaxSize value.
To see which parameters have been set, call the DescribeAutoScalingGroups API. To view the scaling policies for an Auto Scaling\n group, call the DescribePolicies API. If the group has scaling\n policies, you can update them by calling the PutScalingPolicy\n API.
" } }, "com.amazonaws.autoscaling#UpdateAutoScalingGroupType": { @@ -7657,7 +7687,7 @@ "MixedInstancesPolicy": { "target": "com.amazonaws.autoscaling#MixedInstancesPolicy", "traits": { - "smithy.api#documentation": "An embedded object that specifies a mixed instances policy. For more information, see\n Auto Scaling groups with multiple\n instance types and purchase options in the Amazon EC2 Auto Scaling User\n Guide.
" + "smithy.api#documentation": "An embedded object that specifies a mixed instances policy. For more information, see\n Auto Scaling\n groups with multiple instance types and purchase options in the\n Amazon EC2 Auto Scaling User Guide.
" } }, "MinSize": { @@ -7699,7 +7729,7 @@ "HealthCheckGracePeriod": { "target": "com.amazonaws.autoscaling#HealthCheckGracePeriod", "traits": { - "smithy.api#documentation": "The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status\n of an EC2 instance that has come into service and marking it unhealthy due to a failed\n health check. The default value is 0. For more information, see Health\n check grace period in the Amazon EC2 Auto Scaling User Guide.
Conditional: Required if you are adding an ELB health check.
The amount of time, in seconds, that Amazon EC2 Auto Scaling waits before checking the health status\n of an EC2 instance that has come into service and marking it unhealthy due to a failed\n health check. The default value is 0. For more information, see Health\n check grace period in the Amazon EC2 Auto Scaling User Guide.
Required if you are adding an ELB health check.
The status of a warm pool that is marked for deletion.
" } + }, + "InstanceReusePolicy": { + "target": "com.amazonaws.autoscaling#InstanceReusePolicy", + "traits": { + "smithy.api#documentation": "The instance reuse policy.
" + } } }, "traits": { @@ -7843,6 +7879,10 @@ { "value": "Running", "name": "Running" + }, + { + "value": "Hibernated", + "name": "Hibernated" } ] } diff --git a/codegen/sdk-codegen/aws-models/databrew.2017-07-25.json b/codegen/sdk-codegen/aws-models/databrew.2017-07-25.json index fd4bc1a6bcd..2f5af9401df 100644 --- a/codegen/sdk-codegen/aws-models/databrew.2017-07-25.json +++ b/codegen/sdk-codegen/aws-models/databrew.2017-07-25.json @@ -4304,6 +4304,16 @@ } } }, + "com.amazonaws.databrew#MaxOutputFiles": { + "type": "integer", + "traits": { + "smithy.api#box": {}, + "smithy.api#range": { + "min": 1, + "max": 999 + } + } + }, "com.amazonaws.databrew#MaxResults100": { "type": "integer", "traits": { @@ -4429,6 +4439,12 @@ "traits": { "smithy.api#documentation": "Represents options that define how DataBrew formats job output files.
" } + }, + "MaxOutputFiles": { + "target": "com.amazonaws.databrew#MaxOutputFiles", + "traits": { + "smithy.api#documentation": "Maximum number of files to be generated by the job and written to the output folder. For output partitioned \n by column(s), the MaxOutputFiles value is the maximum number of files per partition.
" + } } }, "traits": { diff --git a/codegen/sdk-codegen/aws-models/fms.2018-01-01.json b/codegen/sdk-codegen/aws-models/fms.2018-01-01.json index 1ae607a8ffe..b78abbbb2ce 100644 --- a/codegen/sdk-codegen/aws-models/fms.2018-01-01.json +++ b/codegen/sdk-codegen/aws-models/fms.2018-01-01.json @@ -53,7 +53,7 @@ "name": "fms" }, "aws.protocols#awsJson1_1": {}, - "smithy.api#documentation": "This is the Firewall Manager API Reference. This guide is for\n developers who need detailed information about the Firewall Manager API actions, data\n types, and errors. For detailed information about Firewall Manager features, see the\n Firewall Manager Developer Guide.
\nSome API actions require explicit resource permissions. For information, see the developer guide topic \n Firewall Manager required permissions for API actions.\n
", + "smithy.api#documentation": "This is the Firewall Manager API Reference. This guide is for\n developers who need detailed information about the Firewall Manager API actions, data types, and\n errors. For detailed information about Firewall Manager features, see the Firewall Manager\n Developer Guide.
\nSome API actions require explicit resource permissions. For information, see the\n developer guide topic Firewall Manager required permissions\n for API actions.
", "smithy.api#title": "Firewall Management Service" }, "version": "2018-01-01", @@ -198,7 +198,7 @@ "Protocol": { "target": "com.amazonaws.fms#Protocol", "traits": { - "smithy.api#documentation": "The IP protocol name or number. The name can be one of tcp, udp, or icmp. For information on possible numbers, see Protocol Numbers.
The IP protocol name or number. The name can be one of tcp,\n udp, or icmp. For information on possible numbers, see Protocol\n Numbers.
A unique identifier for each update to the list. When you update \n the list, the update token must match the token of the current version of the application list. \n You can retrieve the update token by getting the list.
" + "smithy.api#documentation": "A unique identifier for each update to the list. When you update the list, the update\n token must match the token of the current version of the application list. You can retrieve\n the update token by getting the list.
" } }, "CreateTime": { @@ -264,7 +264,7 @@ "PreviousAppsList": { "target": "com.amazonaws.fms#PreviousAppsList", "traits": { - "smithy.api#documentation": "A map of previous version numbers to their corresponding App object arrays.
A map of previous version numbers to their corresponding App object\n arrays.
Sets the Firewall Manager administrator account. The account must be\n a member of the organization in Organizations whose resources you want to protect. \n Firewall Manager sets the permissions that allow the account to administer your Firewall Manager policies.
\nThe account that you associate with Firewall Manager is called the Firewall Manager administrator account.
" + "smithy.api#documentation": "Sets the Firewall Manager administrator account. The account must be a member of the\n organization in Organizations whose resources you want to protect. Firewall Manager sets the\n permissions that allow the account to administer your Firewall Manager policies.
\nThe account that you associate with Firewall Manager is called the Firewall Manager administrator\n account.
" } }, "com.amazonaws.fms#AssociateAdminAccountRequest": { @@ -342,7 +342,7 @@ "AdminAccount": { "target": "com.amazonaws.fms#AWSAccountId", "traits": { - "smithy.api#documentation": "The Amazon Web Services account ID to associate with Firewall Manager as the Firewall Manager\n administrator account. This must be an Organizations member account.\n For more information about Organizations, see \n Managing the Amazon Web Services Accounts in Your Organization.
", + "smithy.api#documentation": "The Amazon Web Services account ID to associate with Firewall Manager as the Firewall Manager administrator account.\n This must be an Organizations member account. For more information about Organizations, see Managing the Amazon Web Services Accounts in Your Organization.
", "smithy.api#required": {} } } @@ -380,7 +380,7 @@ "ViolatingSecurityGroups": { "target": "com.amazonaws.fms#ResourceIdList", "traits": { - "smithy.api#documentation": "List of security groups that violate the rules specified in the primary security group of the Firewall Manager policy.
" + "smithy.api#documentation": "List of security groups that violate the rules specified in the primary security group\n of the Firewall Manager policy.
" } } }, @@ -412,7 +412,7 @@ "PartialMatches": { "target": "com.amazonaws.fms#PartialMatches", "traits": { - "smithy.api#documentation": "List of rules specified in the security group of the Firewall Manager policy that partially match the ViolationTarget rule.
List of rules specified in the security group of the Firewall Manager policy that partially\n match the ViolationTarget rule.
Violation detail for the rule violation in a security group when compared to the primary security group of the Firewall Manager policy.
" + "smithy.api#documentation": "Violation detail for the rule violation in a security group when compared to the primary\n security group of the Firewall Manager policy.
" } }, "com.amazonaws.fms#BasicInteger": { @@ -466,7 +466,13 @@ "ResourceType": { "target": "com.amazonaws.fms#ResourceType", "traits": { - "smithy.api#documentation": "The resource type. This is in the format shown in the Amazon Web Services Resource Types Reference. For example:\n AWS::ElasticLoadBalancingV2::LoadBalancer, \n AWS::CloudFront::Distribution, or\n AWS::NetworkFirewall::FirewallPolicy.
The resource type. This is in the format shown in the Amazon Web Services\n Resource Types Reference. For example:\n AWS::ElasticLoadBalancingV2::LoadBalancer,\n AWS::CloudFront::Distribution, or\n AWS::NetworkFirewall::FirewallPolicy.
Metadata about the resource that doesn't comply with the policy scope.
" } } }, @@ -474,6 +480,15 @@ "smithy.api#documentation": "Details of the resource that is not protected by the policy.
" } }, + "com.amazonaws.fms#ComplianceViolatorMetadata": { + "type": "map", + "key": { + "target": "com.amazonaws.fms#LengthBoundedString" + }, + "value": { + "target": "com.amazonaws.fms#LengthBoundedString" + } + }, "com.amazonaws.fms#ComplianceViolators": { "type": "list", "member": { @@ -546,7 +561,7 @@ "ListId": { "target": "com.amazonaws.fms#ListId", "traits": { - "smithy.api#documentation": "The ID of the applications list that you want to delete. You can retrieve this ID from \n PutAppsList, ListAppsLists, and GetAppsList.
The ID of the applications list that you want to delete. You can retrieve this ID from\n PutAppsList, ListAppsLists, and\n GetAppsList.
Deletes an Firewall Manager association with the IAM role and the Amazon Simple\n Notification Service (SNS) topic that is used to record Firewall Manager SNS logs.
" + "smithy.api#documentation": "Deletes an Firewall Manager association with the IAM role and the Amazon Simple Notification\n Service (SNS) topic that is used to record Firewall Manager SNS logs.
" } }, "com.amazonaws.fms#DeleteNotificationChannelRequest": { @@ -608,14 +623,14 @@ "PolicyId": { "target": "com.amazonaws.fms#PolicyId", "traits": { - "smithy.api#documentation": "The ID of the policy that you want to delete. You can retrieve this ID from \n PutPolicy and ListPolicies.
The ID of the policy that you want to delete. You can retrieve this ID from\n PutPolicy and ListPolicies.
If True, the request performs cleanup according to the policy type.
For WAF and Shield Advanced policies, the cleanup does the following:
\nDeletes rule groups created by Firewall Manager
\nRemoves web ACLs from in-scope resources
\nDeletes web ACLs that contain no rules or rule groups
\nFor security group policies, the cleanup does the following for each security group in\n the policy:
\nDisassociates the security group from in-scope resources
\nDeletes the security group if it was created through Firewall Manager and if it's\n no longer associated with any resources through another policy
\nAfter the cleanup, in-scope resources are no longer protected by web ACLs in this policy.\n Protection of out-of-scope resources remains unchanged. Scope is determined by tags that you\n create and accounts that you associate with the policy. When creating the policy, if you\n specify that only resources in specific accounts or with specific tags are in scope of the\n policy, those accounts and resources are handled by the policy. All others are out of scope.\n If you don't specify tags or accounts, all resources are in scope.
" + "smithy.api#documentation": "If True, the request performs cleanup according to the policy type.
For WAF and Shield Advanced policies, the cleanup does the following:
\nDeletes rule groups created by Firewall Manager
\nRemoves web ACLs from in-scope resources
\nDeletes web ACLs that contain no rules or rule groups
\nFor security group policies, the cleanup does the following for each security group\n in the policy:
\nDisassociates the security group from in-scope resources
\nDeletes the security group if it was created through Firewall Manager and if it's no\n longer associated with any resources through another policy
\nAfter the cleanup, in-scope resources are no longer protected by web ACLs in this\n policy. Protection of out-of-scope resources remains unchanged. Scope is determined by tags\n that you create and accounts that you associate with the policy. When creating the policy,\n if you specify that only resources in specific accounts or with specific tags are in scope\n of the policy, those accounts and resources are handled by the policy. All others are out\n of scope. If you don't specify tags or accounts, all resources are in scope.
" } } } @@ -646,7 +661,7 @@ "ListId": { "target": "com.amazonaws.fms#ListId", "traits": { - "smithy.api#documentation": "The ID of the protocols list that you want to delete. You can retrieve this ID from \n PutProtocolsList, ListProtocolsLists, and GetProtocolsLost.
The ID of the protocols list that you want to delete. You can retrieve this ID from\n PutProtocolsList, ListProtocolsLists, and\n GetProtocolsLost.
Disassociates the account that has been set as the Firewall Manager administrator\n account. To set a different account as the administrator account, you must submit an\n AssociateAdminAccount request.
Disassociates the account that has been set as the Firewall Manager administrator account. To\n set a different account as the administrator account, you must submit an\n AssociateAdminAccount request.
A DNS Firewall rule group that Firewall Manager \n tried to associate with a VPC is already associated with the VPC and can't be associated again.
" + "smithy.api#documentation": "A DNS Firewall rule group that Firewall Manager tried to associate with a VPC is already associated\n with the VPC and can't be associated again.
" } }, "com.amazonaws.fms#DnsRuleGroupLimitExceededViolation": { @@ -766,12 +781,12 @@ "NumberOfRuleGroupsAlreadyAssociated": { "target": "com.amazonaws.fms#BasicInteger", "traits": { - "smithy.api#documentation": "The number of rule groups currently associated with the VPC.
" + "smithy.api#documentation": "The number of rule groups currently associated with the VPC.
" } } }, "traits": { - "smithy.api#documentation": "The VPC that Firewall Manager was applying a DNS Fireall policy to reached the limit for associated DNS Firewall rule groups. Firewall Manager tried to associate another rule group with the VPC and failed due to the limit.
" + "smithy.api#documentation": "The VPC that Firewall Manager was applying a DNS Fireall policy to reached the limit for associated\n DNS Firewall rule groups. Firewall Manager tried to associate another rule group with the VPC and\n failed due to the limit.
" } }, "com.amazonaws.fms#DnsRuleGroupPriorities": { @@ -801,7 +816,7 @@ "ViolationTargetDescription": { "target": "com.amazonaws.fms#LengthBoundedString", "traits": { - "smithy.api#documentation": "A description of the violation that specifies the VPC and the rule group that's already associated with it.
" + "smithy.api#documentation": "A description of the violation that specifies the VPC and the rule group that's already\n associated with it.
" } }, "ConflictingPriority": { @@ -813,18 +828,18 @@ "ConflictingPolicyId": { "target": "com.amazonaws.fms#PolicyId", "traits": { - "smithy.api#documentation": "The ID of the Firewall Manager DNS Firewall policy that was already applied to the VPC. \n This policy contains the rule group that's already associated with the VPC.
" + "smithy.api#documentation": "The ID of the Firewall Manager DNS Firewall policy that was already applied to the VPC. This policy\n contains the rule group that's already associated with the VPC.
" } }, "UnavailablePriorities": { "target": "com.amazonaws.fms#DnsRuleGroupPriorities", "traits": { - "smithy.api#documentation": "The priorities of rule groups that are already associated with the VPC. To retry your operation, \n choose priority settings that aren't in this list for the rule groups in your new DNS Firewall policy.
" + "smithy.api#documentation": "The priorities of rule groups that are already associated with the VPC. To retry your\n operation, choose priority settings that aren't in this list for the rule groups in your\n new DNS Firewall policy.
" } } }, "traits": { - "smithy.api#documentation": "A rule group that Firewall Manager \n tried to associate with a VPC has the same priority as a rule group that's already associated.
" + "smithy.api#documentation": "A rule group that Firewall Manager tried to associate with a VPC has the same priority as a rule\n group that's already associated.
" } }, "com.amazonaws.fms#EC2AssociateRouteTableAction": { @@ -833,7 +848,7 @@ "Description": { "target": "com.amazonaws.fms#LengthBoundedString", "traits": { - "smithy.api#documentation": "A description of the EC2 route table that is associated with the remediation action.
" + "smithy.api#documentation": "A description of the EC2 route table that is associated with the remediation\n action.
" } }, "RouteTableId": { @@ -846,18 +861,18 @@ "SubnetId": { "target": "com.amazonaws.fms#ActionTarget", "traits": { - "smithy.api#documentation": "The ID of the subnet for the EC2 route table that is associated with the remediation action.
" + "smithy.api#documentation": "The ID of the subnet for the EC2 route table that is associated with the remediation\n action.
" } }, "GatewayId": { "target": "com.amazonaws.fms#ActionTarget", "traits": { - "smithy.api#documentation": "The ID of the gateway to be used with the EC2 route table that is associated with the remediation action.
" + "smithy.api#documentation": "The ID of the gateway to be used with the EC2 route table that is associated with the\n remediation action.
" } } }, "traits": { - "smithy.api#documentation": "The action of associating an EC2 resource, such as a subnet or internet gateway, with a route table.
" + "smithy.api#documentation": "The action of associating an EC2 resource, such as a subnet or internet gateway, with a\n route table.
" } }, "com.amazonaws.fms#EC2CopyRouteTableAction": { @@ -866,20 +881,20 @@ "Description": { "target": "com.amazonaws.fms#LengthBoundedString", "traits": { - "smithy.api#documentation": "A description of the copied EC2 route table that is associated with the remediation action.
" + "smithy.api#documentation": "A description of the copied EC2 route table that is associated with the remediation\n action.
" } }, "VpcId": { "target": "com.amazonaws.fms#ActionTarget", "traits": { - "smithy.api#documentation": "The VPC ID of the copied EC2 route table that is associated with the remediation action.
", + "smithy.api#documentation": "The VPC ID of the copied EC2 route table that is associated with the remediation\n action.
", "smithy.api#required": {} } }, "RouteTableId": { "target": "com.amazonaws.fms#ActionTarget", "traits": { - "smithy.api#documentation": "The ID of the copied EC2 route table that is associated with the remediation action.
", + "smithy.api#documentation": "The ID of the copied EC2 route table that is associated with the remediation\n action.
", "smithy.api#required": {} } } @@ -918,13 +933,13 @@ "VpcEndpointId": { "target": "com.amazonaws.fms#ActionTarget", "traits": { - "smithy.api#documentation": "Information about the ID of a VPC endpoint. Supported for Gateway Load Balancer endpoints only.
" + "smithy.api#documentation": "Information about the ID of a VPC endpoint. Supported for Gateway Load Balancer\n endpoints only.
" } }, "GatewayId": { "target": "com.amazonaws.fms#ActionTarget", "traits": { - "smithy.api#documentation": "Information about the ID of an internet gateway or virtual private gateway attached to your VPC.
" + "smithy.api#documentation": "Information about the ID of an internet gateway or virtual private gateway attached to\n your VPC.
" } }, "RouteTableId": { @@ -972,7 +987,7 @@ "DestinationCidrBlock": { "target": "com.amazonaws.fms#CIDR", "traits": { - "smithy.api#documentation": "Information about the IPv4 CIDR range for the route. The value you specify must match the CIDR for the route exactly.
" + "smithy.api#documentation": "Information about the IPv4 CIDR range for the route. The value you specify must match\n the CIDR for the route exactly.
" } }, "DestinationPrefixListId": { @@ -984,7 +999,7 @@ "DestinationIpv6CidrBlock": { "target": "com.amazonaws.fms#CIDR", "traits": { - "smithy.api#documentation": "Information about the IPv6 CIDR range for the route. The value you specify must match the CIDR for the route exactly.
" + "smithy.api#documentation": "Information about the IPv6 CIDR range for the route. The value you specify must match\n the CIDR for the route exactly.
" } }, "RouteTableId": { @@ -1011,7 +1026,7 @@ "DestinationCidrBlock": { "target": "com.amazonaws.fms#CIDR", "traits": { - "smithy.api#documentation": "Information about the IPv4 CIDR address block used for the destination match. The value that you provide must match the CIDR of an existing route in the table.
" + "smithy.api#documentation": "Information about the IPv4 CIDR address block used for the destination match. The value\n that you provide must match the CIDR of an existing route in the table.
" } }, "DestinationPrefixListId": { @@ -1023,7 +1038,7 @@ "DestinationIpv6CidrBlock": { "target": "com.amazonaws.fms#CIDR", "traits": { - "smithy.api#documentation": "Information about the IPv6 CIDR address block used for the destination match. The value that you provide must match the CIDR of an existing route in the table.
" + "smithy.api#documentation": "Information about the IPv6 CIDR address block used for the destination match. The value\n that you provide must match the CIDR of an existing route in the table.
" } }, "GatewayId": { @@ -1087,18 +1102,18 @@ "ViolatorCount": { "target": "com.amazonaws.fms#ResourceCount", "traits": { - "smithy.api#documentation": "The number of resources that are noncompliant with the specified policy. For WAF and\n Shield Advanced policies, a resource is considered noncompliant if it is not associated with\n the policy. For security group policies, a resource is considered noncompliant if it doesn't\n comply with the rules of the policy and remediation is disabled or not possible.
" + "smithy.api#documentation": "The number of resources that are noncompliant with the specified policy. For WAF\n and Shield Advanced policies, a resource is considered noncompliant if it is not associated\n with the policy. For security group policies, a resource is considered noncompliant if it\n doesn't comply with the rules of the policy and remediation is disabled or not\n possible.
" } }, "EvaluationLimitExceeded": { "target": "com.amazonaws.fms#Boolean", "traits": { - "smithy.api#documentation": "Indicates that over 100 resources are noncompliant with the Firewall Manager\n policy.
" + "smithy.api#documentation": "Indicates that over 100 resources are noncompliant with the Firewall Manager policy.
" } } }, "traits": { - "smithy.api#documentation": "Describes the compliance status for the account. An account is considered noncompliant if\n it includes resources that are not protected by the specified policy or that don't comply with\n the policy.
" + "smithy.api#documentation": "Describes the compliance status for the account. An account is considered noncompliant\n if it includes resources that are not protected by the specified policy or that don't\n comply with the policy.
" } }, "com.amazonaws.fms#EvaluationResults": { @@ -1157,6 +1172,75 @@ "target": "com.amazonaws.fms#ExpectedRoute" } }, + "com.amazonaws.fms#FMSPolicyUpdateFirewallCreationConfigAction": { + "type": "structure", + "members": { + "Description": { + "target": "com.amazonaws.fms#LengthBoundedString", + "traits": { + "smithy.api#documentation": "Describes the remedial action.
" + } + }, + "FirewallCreationConfig": { + "target": "com.amazonaws.fms#ManagedServiceData", + "traits": { + "smithy.api#documentation": "A FirewallCreationConfig that you can copy into your current policy's\n SecurityServiceData in order to remedy scope violations.
Contains information about the actions that you can take to remediate scope violations\n caused by your policy's FirewallCreationConfig.\n FirewallCreationConfig is an optional configuration that you can use to\n choose which Availability Zones Firewall Manager creates Network Firewall endpoints in.
The ID of the firewall subnet that violates the policy scope.
" + } + }, + "VpcId": { + "target": "com.amazonaws.fms#ResourceId", + "traits": { + "smithy.api#documentation": "The VPC ID of the firewall subnet that violates the policy scope.
" + } + }, + "SubnetAvailabilityZone": { + "target": "com.amazonaws.fms#LengthBoundedString", + "traits": { + "smithy.api#documentation": "The Availability Zone of the firewall subnet that violates the policy scope.
" + } + }, + "SubnetAvailabilityZoneId": { + "target": "com.amazonaws.fms#LengthBoundedString", + "traits": { + "smithy.api#documentation": "The Availability Zone ID of the firewall subnet that violates the policy scope.
" + } + }, + "VpcEndpointId": { + "target": "com.amazonaws.fms#ResourceId", + "traits": { + "smithy.api#documentation": "The VPC endpoint ID of the firewall subnet that violates the policy scope.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Contains details about the firewall subnet that violates the policy scope.
" + } + }, "com.amazonaws.fms#GetAdminAccount": { "type": "operation", "input": { @@ -1177,7 +1261,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns the Organizations account that is associated with Firewall Manager\n as the Firewall Manager administrator.
" + "smithy.api#documentation": "Returns the Organizations account that is associated with Firewall Manager as the Firewall Manager\n administrator.
" } }, "com.amazonaws.fms#GetAdminAccountRequest": { @@ -1196,7 +1280,7 @@ "RoleStatus": { "target": "com.amazonaws.fms#AccountRoleStatus", "traits": { - "smithy.api#documentation": "The status of the Amazon Web Services account that you set as the Firewall Manager\n administrator.
" + "smithy.api#documentation": "The status of the Amazon Web Services account that you set as the Firewall Manager administrator.
" } } } @@ -1282,7 +1366,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns detailed compliance information about the specified member account. Details\n include resources that are in and out of compliance with the specified policy.
\nResources are\n considered noncompliant for WAF and Shield Advanced policies if the specified policy has\n not been applied to them.
\nResources are considered noncompliant for security group policies if\n they are in scope of the policy, they violate one or more of the policy rules, and remediation\n is disabled or not possible.
\nResources are considered noncompliant for Network Firewall policies\n if a firewall is missing in the VPC, if the firewall endpoint isn't set up in an expected Availability Zone and subnet, \n if a subnet created by the Firewall Manager doesn't have the expected route table, \n and for modifications to a firewall policy that violate the Firewall Manager policy's rules.
\nResources are considered noncompliant for DNS Firewall policies\n if a DNS Firewall rule group is missing from the rule group associations for the VPC.
\nReturns detailed compliance information about the specified member account. Details\n include resources that are in and out of compliance with the specified policy.
\nResources are considered noncompliant for WAF and Shield Advanced policies\n if the specified policy has not been applied to them.
\nResources are considered noncompliant for security group policies if they are in\n scope of the policy, they violate one or more of the policy rules, and remediation is\n disabled or not possible.
\nResources are considered noncompliant for Network Firewall policies if a firewall is\n missing in the VPC, if the firewall endpoint isn't set up in an expected Availability\n Zone and subnet, if a subnet created by the Firewall Manager doesn't have the expected route\n table, and for modifications to a firewall policy that violate the Firewall Manager policy's\n rules.
\nResources are considered noncompliant for DNS Firewall policies if a DNS Firewall\n rule group is missing from the rule group associations for the VPC.
\nThe ID of the policy that you want to get the details for. PolicyId is\n returned by PutPolicy and by ListPolicies.
The ID of the policy that you want to get the details for. PolicyId is\n returned by PutPolicy and by ListPolicies.
Information about the resources and the policy that you specified in the\n GetComplianceDetail request.
Information about the resources and the policy that you specified in the\n GetComplianceDetail request.
Information\n about the Amazon Simple Notification Service (SNS) topic that is used to\n record Firewall Manager SNS logs.
" + "smithy.api#documentation": "Information\n about the Amazon Simple Notification Service (SNS) topic that is used to\n record Firewall Manager SNS logs.
" } }, "com.amazonaws.fms#GetNotificationChannelRequest": { @@ -1434,7 +1518,7 @@ } ], "traits": { - "smithy.api#documentation": "If you created a Shield Advanced policy, returns policy-level attack summary information\n in the event of a potential DDoS attack. Other policy types are currently unsupported.
" + "smithy.api#documentation": "If you created a Shield Advanced policy, returns policy-level attack summary information\n in the event of a potential DDoS attack. Other policy types are currently\n unsupported.
" } }, "com.amazonaws.fms#GetProtectionStatusRequest": { @@ -1456,25 +1540,25 @@ "StartTime": { "target": "com.amazonaws.fms#TimeStamp", "traits": { - "smithy.api#documentation": "The start of the time period to query for the attacks. This is a timestamp type. The\n request syntax listing indicates a number type because the default used by Firewall Manager is Unix time in seconds. However, any valid timestamp format is\n allowed.
The start of the time period to query for the attacks. This is a timestamp\n type. The request syntax listing indicates a number type because the default\n used by Firewall Manager is Unix time in seconds. However, any valid timestamp format\n is allowed.
The end of the time period to query for the attacks. This is a timestamp type. The\n request syntax listing indicates a number type because the default used by Firewall Manager is Unix time in seconds. However, any valid timestamp format is\n allowed.
The end of the time period to query for the attacks. This is a timestamp\n type. The request syntax listing indicates a number type because the default\n used by Firewall Manager is Unix time in seconds. However, any valid timestamp format\n is allowed.
If you specify a value for MaxResults and you have more objects than the number that you specify \n for MaxResults, Firewall Manager returns a NextToken value in the response, which you can use to retrieve another group of \n objects. For the second and subsequent GetProtectionStatus requests, specify the value of NextToken \n from the previous response to get information about another batch of objects.
If you specify a value for MaxResults and you have more objects than the\n number that you specify for MaxResults, Firewall Manager returns a\n NextToken value in the response, which you can use to retrieve another\n group of objects. For the second and subsequent GetProtectionStatus requests,\n specify the value of NextToken from the previous response to get information\n about another batch of objects.
Specifies the number of objects that you want Firewall Manager to return for this request. If you have more \n objects than the number that you specify for MaxResults, the response includes a \n NextToken value that you can use to get another batch of objects.
Specifies the number of objects that you want Firewall Manager to return for this request. If\n you have more objects than the number that you specify for MaxResults, the\n response includes a NextToken value that you can use to get another batch of\n objects.
If you have more objects than the number that you specified for MaxResults in the request, \n the response includes a NextToken value. To list more objects, submit another \n GetProtectionStatus request, and specify the NextToken value from the response in the \n NextToken value in the next request.
Amazon Web Services SDKs provide auto-pagination that identify NextToken in a response and\n make subsequent request calls automatically on your behalf. However, this feature is not\n supported by GetProtectionStatus. You must submit subsequent requests with\n NextToken using your own processes.
If you have more objects than the number that you specified for MaxResults\n in the request, the response includes a NextToken value. To list more objects,\n submit another GetProtectionStatus request, and specify the\n NextToken value from the response in the NextToken value in\n the next request.
Amazon Web Services SDKs provide auto-pagination that identify NextToken in a response\n and make subsequent request calls automatically on your behalf. However, this feature is\n not supported by GetProtectionStatus. You must submit subsequent requests with\n NextToken using your own processes.
Retrieves violations for a resource based on the specified Firewall Manager policy and Amazon Web Services account.
" + "smithy.api#documentation": "Retrieves violations for a resource based on the specified Firewall Manager policy and Amazon Web Services\n account.
" } }, "com.amazonaws.fms#GetViolationDetailsRequest": { @@ -1595,7 +1679,7 @@ "PolicyId": { "target": "com.amazonaws.fms#PolicyId", "traits": { - "smithy.api#documentation": "The ID of the Firewall Manager policy that you want the details for. This currently only supports security group content audit policies.
", + "smithy.api#documentation": "The ID of the Firewall Manager policy that you want the details for. This currently only\n supports security group content audit policies.
", "smithy.api#required": {} } }, @@ -1616,7 +1700,7 @@ "ResourceType": { "target": "com.amazonaws.fms#ResourceType", "traits": { - "smithy.api#documentation": "The resource type. This is in the format shown in the Amazon Web Services Resource Types Reference.\n Supported resource types are:\n AWS::EC2::Instance,\n AWS::EC2::NetworkInterface, \n AWS::EC2::SecurityGroup,\n AWS::NetworkFirewall::FirewallPolicy, and\n AWS::EC2::Subnet.\n
The resource type. This is in the format shown in the Amazon Web Services\n Resource Types Reference. Supported resource types are:\n AWS::EC2::Instance, AWS::EC2::NetworkInterface,\n AWS::EC2::SecurityGroup, AWS::NetworkFirewall::FirewallPolicy,\n and AWS::EC2::Subnet.
The operation failed because of a system problem, even though the request was valid. Retry\n your request.
", + "smithy.api#documentation": "The operation failed because of a system problem, even though the request was valid.\n Retry your request.
", "smithy.api#error": "client" } }, @@ -1675,7 +1759,7 @@ } }, "traits": { - "smithy.api#documentation": "The operation failed because there was nothing to do or the operation wasn't possible. For example, you might have\n submitted an AssociateAdminAccount request for an account ID that \n was already set as the Firewall Manager administrator. Or you might have tried to access a Region\n that's disabled by default, and that you need to enable for the Firewall Manager \n administrator account and for Organizations before you can access it.
The operation failed because there was nothing to do or the operation wasn't possible.\n For example, you might have submitted an AssociateAdminAccount request for an\n account ID that was already set as the Firewall Manager administrator. Or you might have tried to\n access a Region that's disabled by default, and that you need to enable for the Firewall Manager\n administrator account and for Organizations before you can access it.
The operation exceeds a resource limit, for example, the maximum number of\n policy objects that you can create for an Amazon Web Services account. For more information,\n see Firewall\n Manager Limits in the WAF Developer Guide.
The operation exceeds a resource limit, for example, the maximum number of\n policy objects that you can create for an Amazon Web Services account. For more\n information, see Firewall Manager Limits in the\n WAF Developer Guide.
If you specify a value for MaxResults in your list request, and you have more objects than the maximum, \n Firewall Manager returns this token in the response. For all but the first request, you provide the token returned by the prior request \n in the request parameters, to retrieve the next batch of objects.
If you specify a value for MaxResults in your list request, and you have\n more objects than the maximum, Firewall Manager returns this token in the response. For all but\n the first request, you provide the token returned by the prior request in the request\n parameters, to retrieve the next batch of objects.
The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.
If you don't specify this, Firewall Manager returns all available objects.
", + "smithy.api#documentation": "The maximum number of objects that you want Firewall Manager to return for this request. If\n more objects are available, in the response, Firewall Manager provides a NextToken\n value that you can use in a subsequent call to get the next batch of objects.
If you don't specify this, Firewall Manager returns all available objects.
", "smithy.api#required": {} } } @@ -1795,7 +1879,7 @@ "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "If you specify a value for MaxResults in your list request, and you have more objects than the maximum, \n Firewall Manager returns this token in the response. You can use this token in subsequent requests to retrieve the next batch of objects.
If you specify a value for MaxResults in your list request, and you have\n more objects than the maximum, Firewall Manager returns this token in the response. You can use\n this token in subsequent requests to retrieve the next batch of objects.
Returns an array of PolicyComplianceStatus objects. Use\n PolicyComplianceStatus to get a summary of which member accounts are protected\n by the specified policy.
Returns an array of PolicyComplianceStatus objects. Use\n PolicyComplianceStatus to get a summary of which member accounts are\n protected by the specified policy.
If you specify a value for MaxResults and you have more\n PolicyComplianceStatus objects than the number that you specify for\n MaxResults, Firewall Manager returns a NextToken value in the\n response that allows you to list another group of PolicyComplianceStatus objects.\n For the second and subsequent ListComplianceStatus requests, specify the value of\n NextToken from the previous response to get information about another batch of\n PolicyComplianceStatus objects.
If you specify a value for MaxResults and you have more\n PolicyComplianceStatus objects than the number that you specify for\n MaxResults, Firewall Manager returns a NextToken value in the\n response that allows you to list another group of PolicyComplianceStatus\n objects. For the second and subsequent ListComplianceStatus requests, specify\n the value of NextToken from the previous response to get information about\n another batch of PolicyComplianceStatus objects.
Specifies the number of PolicyComplianceStatus objects that you want \n Firewall Manager to return for this request. If you have more\n PolicyComplianceStatus objects than the number that you specify for\n MaxResults, the response includes a NextToken value that you can\n use to get another batch of PolicyComplianceStatus objects.
Specifies the number of PolicyComplianceStatus objects that you want Firewall Manager\n to return for this request. If you have more PolicyComplianceStatus objects\n than the number that you specify for MaxResults, the response includes a\n NextToken value that you can use to get another batch of\n PolicyComplianceStatus objects.
If you have more PolicyComplianceStatus objects than the number that you\n specified for MaxResults in the request, the response includes a\n NextToken value. To list more PolicyComplianceStatus objects,\n submit another ListComplianceStatus request, and specify the\n NextToken value from the response in the NextToken value in the\n next request.
If you have more PolicyComplianceStatus objects than the number that you\n specified for MaxResults in the request, the response includes a\n NextToken value. To list more PolicyComplianceStatus objects,\n submit another ListComplianceStatus request, and specify the\n NextToken value from the response in the NextToken value in\n the next request.
Returns a MemberAccounts object that lists the member accounts in the\n administrator's Amazon Web Services organization.
The ListMemberAccounts must be submitted by the account that is set as the\n Firewall Manager administrator.
Returns a MemberAccounts object that lists the member accounts in the\n administrator's Amazon Web Services organization.
The ListMemberAccounts must be submitted by the account that is set as the\n Firewall Manager administrator.
If you specify a value for MaxResults and you have more account IDs than the\n number that you specify for MaxResults, Firewall Manager returns a\n NextToken value in the response that allows you to list another group of IDs.\n For the second and subsequent ListMemberAccountsRequest requests, specify the\n value of NextToken from the previous response to get information about another\n batch of member account IDs.
If you specify a value for MaxResults and you have more account IDs than\n the number that you specify for MaxResults, Firewall Manager returns a\n NextToken value in the response that allows you to list another group of\n IDs. For the second and subsequent ListMemberAccountsRequest requests, specify\n the value of NextToken from the previous response to get information about\n another batch of member account IDs.
Specifies the number of member account IDs that you want Firewall Manager to return\n for this request. If you have more IDs than the number that you specify for\n MaxResults, the response includes a NextToken value that you can\n use to get another batch of member account IDs.
Specifies the number of member account IDs that you want Firewall Manager to return for this\n request. If you have more IDs than the number that you specify for MaxResults,\n the response includes a NextToken value that you can use to get another batch\n of member account IDs.
If you have more member account IDs than the number that you specified for\n MaxResults in the request, the response includes a NextToken\n value. To list more IDs, submit another ListMemberAccounts request, and specify\n the NextToken value from the response in the NextToken value in the\n next request.
If you have more member account IDs than the number that you specified for\n MaxResults in the request, the response includes a NextToken\n value. To list more IDs, submit another ListMemberAccounts request, and\n specify the NextToken value from the response in the NextToken\n value in the next request.
If you specify a value for MaxResults and you have more\n PolicySummary objects than the number that you specify for\n MaxResults, Firewall Manager returns a NextToken value in the\n response that allows you to list another group of PolicySummary objects. For the\n second and subsequent ListPolicies requests, specify the value of\n NextToken from the previous response to get information about another batch of\n PolicySummary objects.
If you specify a value for MaxResults and you have more\n PolicySummary objects than the number that you specify for\n MaxResults, Firewall Manager returns a NextToken value in the\n response that allows you to list another group of PolicySummary objects. For\n the second and subsequent ListPolicies requests, specify the value of\n NextToken from the previous response to get information about another batch\n of PolicySummary objects.
Specifies the number of PolicySummary objects that you want Firewall Manager to return for this request. If you have more PolicySummary objects than\n the number that you specify for MaxResults, the response includes a\n NextToken value that you can use to get another batch of\n PolicySummary objects.
Specifies the number of PolicySummary objects that you want Firewall Manager to\n return for this request. If you have more PolicySummary objects than the\n number that you specify for MaxResults, the response includes a\n NextToken value that you can use to get another batch of\n PolicySummary objects.
If you have more PolicySummary objects than the number that you specified for\n MaxResults in the request, the response includes a NextToken\n value. To list more PolicySummary objects, submit another\n ListPolicies request, and specify the NextToken value from the\n response in the NextToken value in the next request.
If you have more PolicySummary objects than the number that you specified\n for MaxResults in the request, the response includes a NextToken\n value. To list more PolicySummary objects, submit another\n ListPolicies request, and specify the NextToken value from the\n response in the NextToken value in the next request.
If you specify a value for MaxResults in your list request, and you have more objects than the maximum, \n Firewall Manager returns this token in the response. For all but the first request, you provide the token returned by the prior request \n in the request parameters, to retrieve the next batch of objects.
If you specify a value for MaxResults in your list request, and you have\n more objects than the maximum, Firewall Manager returns this token in the response. For all but\n the first request, you provide the token returned by the prior request in the request\n parameters, to retrieve the next batch of objects.
The maximum number of objects that you want Firewall Manager to return for this request. If more\n objects are available, in the response, Firewall Manager provides a\n NextToken value that you can use in a subsequent call to get the next batch of objects.
If you don't specify this, Firewall Manager returns all available objects.
", + "smithy.api#documentation": "The maximum number of objects that you want Firewall Manager to return for this request. If\n more objects are available, in the response, Firewall Manager provides a NextToken\n value that you can use in a subsequent call to get the next batch of objects.
If you don't specify this, Firewall Manager returns all available objects.
", "smithy.api#required": {} } } @@ -2068,7 +2152,7 @@ "NextToken": { "target": "com.amazonaws.fms#PaginationToken", "traits": { - "smithy.api#documentation": "If you specify a value for MaxResults in your list request, and you have more objects than the maximum, \n Firewall Manager returns this token in the response. You can use this token in subsequent requests to retrieve the next batch of objects.
If you specify a value for MaxResults in your list request, and you have\n more objects than the maximum, Firewall Manager returns this token in the response. You can use\n this token in subsequent requests to retrieve the next batch of objects.
Retrieves the list of tags for the specified Amazon Web Services resource.
" + "smithy.api#documentation": "Retrieves the list of tags for the specified Amazon Web Services resource.
" } }, "com.amazonaws.fms#ListTagsForResourceRequest": { @@ -2105,7 +2189,7 @@ "ResourceArn": { "target": "com.amazonaws.fms#ResourceArn", "traits": { - "smithy.api#documentation": "The Amazon Resource Name (ARN) of the resource to return tags for. The Firewall Manager resources that support tagging are policies, applications lists, and protocols lists.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the resource to return tags for. The Firewall Manager\n resources that support tagging are policies, applications lists, and protocols lists.\n
", "smithy.api#required": {} } } @@ -2129,7 +2213,7 @@ "min": 1, "max": 8192 }, - "smithy.api#pattern": ".*" + "smithy.api#pattern": "^((?!\\\\[nr]).)+$" } }, "com.amazonaws.fms#MemberAccounts": { @@ -2183,7 +2267,7 @@ } }, "traits": { - "smithy.api#documentation": "Violation detail for an internet gateway route with an inactive state in the customer subnet route table or Network Firewall subnet route table.
" + "smithy.api#documentation": "Violation detail for an internet gateway route with an inactive state in the customer\n subnet route table or Network Firewall subnet route table.
" } }, "com.amazonaws.fms#NetworkFirewallInternetTrafficNotInspectedViolation": { @@ -2281,7 +2365,7 @@ } }, "traits": { - "smithy.api#documentation": "Violation detail for the subnet for which internet traffic that hasn't been inspected.
" + "smithy.api#documentation": "Violation detail for the subnet for which internet traffic that hasn't been\n inspected.
" } }, "com.amazonaws.fms#NetworkFirewallInvalidRouteConfigurationViolation": { @@ -2385,7 +2469,7 @@ } }, "traits": { - "smithy.api#documentation": "Violation detail for the improperly configured subnet route. It's possible there is a missing route table route,\n or a configuration that causes traffic to cross an Availability Zone boundary.
" + "smithy.api#documentation": "Violation detail for the improperly configured subnet route. It's possible there is a\n missing route table route, or a configuration that causes traffic to cross an Availability\n Zone boundary.
" } }, "com.amazonaws.fms#NetworkFirewallMissingExpectedRTViolation": { @@ -2412,7 +2496,7 @@ "CurrentRouteTable": { "target": "com.amazonaws.fms#ResourceId", "traits": { - "smithy.api#documentation": "The resource ID of the current route table that's associated with the subnet, if one is available.
" + "smithy.api#documentation": "The resource ID of the current route table that's associated with the subnet, if one is\n available.
" } }, "ExpectedRouteTable": { @@ -2423,7 +2507,7 @@ } }, "traits": { - "smithy.api#documentation": "Violation detail for Network Firewall for a subnet that's not associated to the expected\n Firewall Manager managed route table.
" + "smithy.api#documentation": "Violation detail for Network Firewall for a subnet that's not associated to the expected Firewall Manager\n managed route table.
" } }, "com.amazonaws.fms#NetworkFirewallMissingExpectedRoutesViolation": { @@ -2481,7 +2565,7 @@ } }, "traits": { - "smithy.api#documentation": "Violation detail for Network Firewall for a subnet that doesn't have a \n Firewall Manager managed firewall in its VPC.
" + "smithy.api#documentation": "Violation detail for Network Firewall for a subnet that doesn't have a Firewall Manager managed firewall\n in its VPC.
" } }, "com.amazonaws.fms#NetworkFirewallMissingSubnetViolation": { @@ -2513,7 +2597,21 @@ } }, "traits": { - "smithy.api#documentation": "Violation detail for Network Firewall for an Availability Zone that's \n missing the expected Firewall Manager managed subnet.
" + "smithy.api#documentation": "Violation detail for Network Firewall for an Availability Zone that's missing the expected\n Firewall Manager managed subnet.
" + } + }, + "com.amazonaws.fms#NetworkFirewallPolicy": { + "type": "structure", + "members": { + "FirewallDeploymentModel": { + "target": "com.amazonaws.fms#FirewallDeploymentModel", + "traits": { + "smithy.api#documentation": "Defines the deployment model to use for the firewall policy. To use a distributed model,\n set PolicyOption to NULL.
Configures the firewall policy deployment model of Network Firewall. For information about\n Network Firewall deployment models, see Network Firewall example\n architectures with routing in the Network Firewall Developer\n Guide.
" } }, "com.amazonaws.fms#NetworkFirewallPolicyDescription": { @@ -2528,19 +2626,19 @@ "StatelessDefaultActions": { "target": "com.amazonaws.fms#NetworkFirewallActionList", "traits": { - "smithy.api#documentation": "The actions to take on packets that don't match any of the stateless rule groups.
" + "smithy.api#documentation": "The actions to take on packets that don't match any of the stateless rule groups.\n
" } }, "StatelessFragmentDefaultActions": { "target": "com.amazonaws.fms#NetworkFirewallActionList", "traits": { - "smithy.api#documentation": "The actions to take on packet fragments that don't match any of the stateless rule groups.
" + "smithy.api#documentation": "The actions to take on packet fragments that don't match any of the stateless rule\n groups.
" } }, "StatelessCustomActions": { "target": "com.amazonaws.fms#NetworkFirewallActionList", "traits": { - "smithy.api#documentation": "Names of custom actions that are available for use in the stateless default actions settings.
" + "smithy.api#documentation": "Names of custom actions that are available for use in the stateless default actions\n settings.
" } }, "StatefulRuleGroups": { @@ -2572,12 +2670,12 @@ "ExpectedPolicyDescription": { "target": "com.amazonaws.fms#NetworkFirewallPolicyDescription", "traits": { - "smithy.api#documentation": "The policy that should be in use in the individual account in order to be compliant.
" + "smithy.api#documentation": "The policy that should be in use in the individual account in order to be compliant.\n
" } } }, "traits": { - "smithy.api#documentation": "Violation detail for Network Firewall for a firewall policy that has a different\n NetworkFirewallPolicyDescription than is required by the Firewall Manager policy.
" + "smithy.api#documentation": "Violation detail for Network Firewall for a firewall policy that has a different NetworkFirewallPolicyDescription than is required by the Firewall Manager policy.\n
" } }, "com.amazonaws.fms#NetworkFirewallResourceName": { @@ -2646,7 +2744,7 @@ "RouteTableId": { "target": "com.amazonaws.fms#ResourceId", "traits": { - "smithy.api#documentation": "Information about the route table.
" + "smithy.api#documentation": "Information about the route table.
" } }, "VpcId": { @@ -2703,7 +2801,7 @@ } }, "traits": { - "smithy.api#documentation": "The reference rule that partially matches the ViolationTarget rule and violation reason.
The reference rule that partially matches the ViolationTarget rule and\n violation reason.
A unique identifier for each update to the policy. When issuing a PutPolicy\n request, the PolicyUpdateToken in the request must match the\n PolicyUpdateToken of the current policy version. To get the\n PolicyUpdateToken of the current policy version, use a GetPolicy\n request.
A unique identifier for each update to the policy. When issuing a PutPolicy\n request, the PolicyUpdateToken in the request must match the\n PolicyUpdateToken of the current policy version. To get the\n PolicyUpdateToken of the current policy version, use a\n GetPolicy request.
The type of resource protected by or in scope of the policy. This is in the format shown\n in the Amazon Web Services Resource Types Reference.\n To apply this policy to multiple resource types, specify a resource type of ResourceTypeList and then specify the resource types in a ResourceTypeList.
For WAF and Shield Advanced, resource types include\n AWS::ElasticLoadBalancingV2::LoadBalancer, AWS::ElasticLoadBalancing::LoadBalancer, AWS::EC2::EIP, and\n AWS::CloudFront::Distribution. For a security group common policy, valid values\n are AWS::EC2::NetworkInterface and AWS::EC2::Instance. For a\n security group content audit policy, valid values are AWS::EC2::SecurityGroup,\n AWS::EC2::NetworkInterface, and AWS::EC2::Instance. For a security\n group usage audit policy, the value is AWS::EC2::SecurityGroup. For an Network Firewall policy or DNS Firewall policy,\n the value is AWS::EC2::VPC.
The type of resource protected by or in scope of the policy. This is in the format shown\n in the Amazon Web Services\n Resource Types Reference. To apply this policy to multiple resource types,\n specify a resource type of ResourceTypeList and then specify the resource\n types in a ResourceTypeList.
For WAF and Shield Advanced, resource types include\n AWS::ElasticLoadBalancingV2::LoadBalancer,\n AWS::ElasticLoadBalancing::LoadBalancer, AWS::EC2::EIP, and\n AWS::CloudFront::Distribution. For a security group common policy, valid\n values are AWS::EC2::NetworkInterface and AWS::EC2::Instance. For\n a security group content audit policy, valid values are\n AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, and\n AWS::EC2::Instance. For a security group usage audit policy, the value is\n AWS::EC2::SecurityGroup. For an Network Firewall policy or DNS Firewall policy,\n the value is AWS::EC2::VPC.
An array of ResourceType objects. Use this only to specify multiple resource types. To specify a single resource type, use ResourceType.
An array of ResourceType objects. Use this only to specify multiple\n resource types. To specify a single resource type, use ResourceType.
If set to True, resources with the tags that are specified in the\n ResourceTag array are not in scope of the policy. If set to False,\n and the ResourceTag array is not null, only resources with the specified tags are\n in scope of the policy.
If set to True, resources with the tags that are specified in the\n ResourceTag array are not in scope of the policy. If set to\n False, and the ResourceTag array is not null, only resources\n with the specified tags are in scope of the policy.
This option isn't available for the centralized deployment model when creating policies\n to configure Network Firewall.
", "smithy.api#required": {} } }, @@ -2777,19 +2875,19 @@ "DeleteUnusedFMManagedResources": { "target": "com.amazonaws.fms#Boolean", "traits": { - "smithy.api#documentation": "Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources \n that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL \n from a protected customer resource when the customer resource leaves policy scope.
\nBy default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.
\nThis option is not available for Shield Advanced or WAF Classic policies.
" + "smithy.api#documentation": "Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources\n that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL\n from a protected customer resource when the customer resource leaves policy scope.
\nBy default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.
\nThis option is not available for Shield Advanced or WAF Classic policies.
" } }, "IncludeMap": { "target": "com.amazonaws.fms#CustomerPolicyScopeMap", "traits": { - "smithy.api#documentation": "Specifies the Amazon Web Services account IDs and Organizations organizational units (OUs) to include in the policy. \n Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
\nYou can specify inclusions or exclusions, but not both. If you specify an IncludeMap, Firewall Manager \n applies the policy to all accounts specified by the IncludeMap, and \n does not evaluate any ExcludeMap specifications. If you do not specify an IncludeMap, then Firewall Manager \n applies the policy to all accounts except for those specified by the ExcludeMap.
You can specify account IDs, OUs, or a combination:
\nSpecify account IDs by setting the key to ACCOUNT. For example, the following is a valid map: \n {“ACCOUNT” : [“accountID1”, “accountID2”]}.
Specify OUs by setting the key to ORG_UNIT. For example, the following is a valid map: \n {“ORG_UNIT” : [“ouid111”, “ouid112”]}.
Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map:\n {“ACCOUNT” : [“accountID1”, “accountID2”], “ORG_UNIT” : [“ouid111”, “ouid112”]}.
Specifies the Amazon Web Services account IDs and Organizations organizational units (OUs) to include in\n the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in\n any of its child OUs, including any child OUs and accounts that are added at a later\n time.
\nYou can specify inclusions or exclusions, but not both. If you specify an\n IncludeMap, Firewall Manager applies the policy to all accounts specified by the\n IncludeMap, and does not evaluate any ExcludeMap\n specifications. If you do not specify an IncludeMap, then Firewall Manager applies the\n policy to all accounts except for those specified by the ExcludeMap.
You can specify account IDs, OUs, or a combination:
\nSpecify account IDs by setting the key to ACCOUNT. For example, the\n following is a valid map: {“ACCOUNT” : [“accountID1”,\n “accountID2”]}.
Specify OUs by setting the key to ORG_UNIT. For example, the\n following is a valid map: {“ORG_UNIT” : [“ouid111”, “ouid112”]}.
Specify accounts and OUs together in a single map, separated with a comma. For\n example, the following is a valid map: {“ACCOUNT” : [“accountID1”,\n “accountID2”], “ORG_UNIT” : [“ouid111”, “ouid112”]}.
This option isn't available for the centralized deployment model when creating policies\n to configure Network Firewall.
" } }, "ExcludeMap": { "target": "com.amazonaws.fms#CustomerPolicyScopeMap", "traits": { - "smithy.api#documentation": "Specifies the Amazon Web Services account IDs and Organizations organizational units (OUs) to exclude from the policy. \n Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
\nYou can specify inclusions or exclusions, but not both. If you specify an IncludeMap, Firewall Manager \n applies the policy to all accounts specified by the IncludeMap, and \n does not evaluate any ExcludeMap specifications. If you do not specify an IncludeMap, then Firewall Manager \n applies the policy to all accounts except for those specified by the ExcludeMap.
You can specify account IDs, OUs, or a combination:
\nSpecify account IDs by setting the key to ACCOUNT. For example, the following is a valid map: \n {“ACCOUNT” : [“accountID1”, “accountID2”]}.
Specify OUs by setting the key to ORG_UNIT. For example, the following is a valid map: \n {“ORG_UNIT” : [“ouid111”, “ouid112”]}.
Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map:\n {“ACCOUNT” : [“accountID1”, “accountID2”], “ORG_UNIT” : [“ouid111”, “ouid112”]}.
Specifies the Amazon Web Services account IDs and Organizations organizational units (OUs) to exclude from\n the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in\n any of its child OUs, including any child OUs and accounts that are added at a later\n time.
\nYou can specify inclusions or exclusions, but not both. If you specify an\n IncludeMap, Firewall Manager applies the policy to all accounts specified by the\n IncludeMap, and does not evaluate any ExcludeMap\n specifications. If you do not specify an IncludeMap, then Firewall Manager applies the\n policy to all accounts except for those specified by the ExcludeMap.
You can specify account IDs, OUs, or a combination:
\nSpecify account IDs by setting the key to ACCOUNT. For example, the\n following is a valid map: {“ACCOUNT” : [“accountID1”,\n “accountID2”]}.
Specify OUs by setting the key to ORG_UNIT. For example, the\n following is a valid map: {“ORG_UNIT” : [“ouid111”, “ouid112”]}.
Specify accounts and OUs together in a single map, separated with a comma. For\n example, the following is a valid map: {“ACCOUNT” : [“accountID1”,\n “accountID2”], “ORG_UNIT” : [“ouid111”, “ouid112”]}.
This option isn't available for the centralized deployment model when creating policies\n to configure Network Firewall.
" } } }, @@ -2821,30 +2919,30 @@ "Violators": { "target": "com.amazonaws.fms#ComplianceViolators", "traits": { - "smithy.api#documentation": "An array of resources that aren't protected by the WAF or Shield Advanced policy or\n that aren't in compliance with the security group policy.
" + "smithy.api#documentation": "An array of resources that aren't protected by the WAF or Shield Advanced policy\n or that aren't in compliance with the security group policy.
" } }, "EvaluationLimitExceeded": { "target": "com.amazonaws.fms#Boolean", "traits": { - "smithy.api#documentation": "Indicates if over 100 resources are noncompliant with the Firewall Manager\n policy.
" + "smithy.api#documentation": "Indicates if over 100 resources are noncompliant with the Firewall Manager policy.
" } }, "ExpiredAt": { "target": "com.amazonaws.fms#TimeStamp", "traits": { - "smithy.api#documentation": "A timestamp that indicates when the returned information should be considered out of\n date.
" + "smithy.api#documentation": "A timestamp that indicates when the returned information should be considered out of\n date.
" } }, "IssueInfoMap": { "target": "com.amazonaws.fms#IssueInfoMap", "traits": { - "smithy.api#documentation": "Details about problems with dependent services, such as WAF or Config,\n and the error message received that indicates the problem with the service.
" + "smithy.api#documentation": "Details about problems with dependent services, such as WAF or Config, and the\n error message received that indicates the problem with the service.
" } } }, "traits": { - "smithy.api#documentation": "Describes\n the noncompliant resources in a member account for a specific Firewall Manager policy. A maximum of 100 entries are displayed. If more than 100 resources are\n noncompliant, EvaluationLimitExceeded is set to True.
Describes\n the noncompliant resources in a member account for a specific Firewall Manager\n policy. A maximum of 100 entries are displayed. If more than 100 resources are\n noncompliant, EvaluationLimitExceeded is set to True.
Details about problems with dependent services, such as WAF or Config,\n and the error message received that indicates the problem with the service.
" + "smithy.api#documentation": "Details about problems with dependent services, such as WAF or Config, and the\n error message received that indicates the problem with the service.
" } } }, "traits": { - "smithy.api#documentation": "Indicates whether the account is compliant with the specified policy. An account is\n considered noncompliant if it includes resources that are not protected by the policy, for \n WAF and Shield Advanced policies, or that are noncompliant with the policy, for security group\n policies.
" + "smithy.api#documentation": "Indicates whether the account is compliant with the specified policy. An account is\n considered noncompliant if it includes resources that are not protected by the policy, for\n WAF and Shield Advanced policies, or that are noncompliant with the policy, for\n security group policies.
" } }, "com.amazonaws.fms#PolicyComplianceStatusList": { @@ -2928,6 +3026,20 @@ "smithy.api#pattern": "^[a-z0-9A-Z-]{36}$" } }, + "com.amazonaws.fms#PolicyOption": { + "type": "structure", + "members": { + "NetworkFirewallPolicy": { + "target": "com.amazonaws.fms#NetworkFirewallPolicy", + "traits": { + "smithy.api#documentation": "Defines the deployment model to use for the firewall policy.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Contains the Network Firewall firewall policy options to configure a centralized deployment\n model.
" + } + }, "com.amazonaws.fms#PolicySummary": { "type": "structure", "members": { @@ -2952,13 +3064,13 @@ "ResourceType": { "target": "com.amazonaws.fms#ResourceType", "traits": { - "smithy.api#documentation": "The type of resource protected by or in scope of the policy. This is in the format shown\n in the Amazon Web Services Resource Types Reference. \n For WAF and Shield Advanced, examples include\n AWS::ElasticLoadBalancingV2::LoadBalancer and\n AWS::CloudFront::Distribution. For a security group common policy, valid values\n are AWS::EC2::NetworkInterface and AWS::EC2::Instance. For a\n security group content audit policy, valid values are AWS::EC2::SecurityGroup,\n AWS::EC2::NetworkInterface, and AWS::EC2::Instance. For a security\n group usage audit policy, the value is AWS::EC2::SecurityGroup. For an Network Firewall policy or DNS Firewall policy,\n the value is AWS::EC2::VPC.
The type of resource protected by or in scope of the policy. This is in the format shown\n in the Amazon Web Services\n Resource Types Reference. For WAF and Shield Advanced, examples include\n AWS::ElasticLoadBalancingV2::LoadBalancer and\n AWS::CloudFront::Distribution. For a security group common policy, valid\n values are AWS::EC2::NetworkInterface and AWS::EC2::Instance. For\n a security group content audit policy, valid values are\n AWS::EC2::SecurityGroup, AWS::EC2::NetworkInterface, and\n AWS::EC2::Instance. For a security group usage audit policy, the value is\n AWS::EC2::SecurityGroup. For an Network Firewall policy or DNS Firewall policy,\n the value is AWS::EC2::VPC.
The service that the policy is using to protect the resources. This specifies the type of\n policy that is created, either an WAF policy, a Shield Advanced policy, or a security\n group policy.
" + "smithy.api#documentation": "The service that the policy is using to protect the resources. This specifies the type\n of policy that is created, either an WAF policy, a Shield Advanced policy, or a\n security group policy.
" } }, "RemediationEnabled": { @@ -2970,7 +3082,7 @@ "DeleteUnusedFMManagedResources": { "target": "com.amazonaws.fms#Boolean", "traits": { - "smithy.api#documentation": "Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources \n that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL \n from a protected customer resource when the customer resource leaves policy scope.
\nBy default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.
\nThis option is not available for Shield Advanced or WAF Classic policies.
" + "smithy.api#documentation": "Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources\n that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL\n from a protected customer resource when the customer resource leaves policy scope.
\nBy default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.
\nThis option is not available for Shield Advanced or WAF Classic policies.
" } } }, @@ -3044,7 +3156,7 @@ } }, "traits": { - "smithy.api#documentation": "A list of possible remediation action lists. Each individual possible remediation action is a list of individual remediation actions.
" + "smithy.api#documentation": "A list of possible remediation action lists. Each individual possible remediation action\n is a list of individual remediation actions.
" } }, "com.amazonaws.fms#PreviousAppsList": { @@ -3113,7 +3225,7 @@ "ListUpdateToken": { "target": "com.amazonaws.fms#UpdateToken", "traits": { - "smithy.api#documentation": "A unique identifier for each update to the list. When you update \n the list, the update token must match the token of the current version of the application list. \n You can retrieve the update token by getting the list.
" + "smithy.api#documentation": "A unique identifier for each update to the list. When you update the list, the update\n token must match the token of the current version of the application list. You can retrieve\n the update token by getting the list.
" } }, "CreateTime": { @@ -3265,7 +3377,7 @@ } ], "traits": { - "smithy.api#documentation": "Designates the IAM role and Amazon Simple Notification Service (SNS) topic that \n Firewall Manager uses to record SNS logs.
\nTo perform this action outside of the console, you must configure the SNS topic to allow the Firewall Manager \n role AWSServiceRoleForFMS to publish SNS logs. For more information, see \n Firewall Manager required permissions for API actions in the Firewall Manager Developer Guide.
Designates the IAM role and Amazon Simple Notification Service (SNS) topic that Firewall Manager\n uses to record SNS logs.
\nTo perform this action outside of the console, you must configure the SNS topic to allow\n the Firewall Manager role AWSServiceRoleForFMS to publish SNS logs. For more information,\n see Firewall Manager required permissions\n for API actions in the Firewall Manager Developer Guide.
The Amazon Resource Name (ARN) of the SNS topic that collects notifications from \n Firewall Manager.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the SNS topic that collects notifications from\n Firewall Manager.
", "smithy.api#required": {} } }, "SnsRoleName": { "target": "com.amazonaws.fms#ResourceArn", "traits": { - "smithy.api#documentation": "The Amazon Resource Name (ARN) of the IAM role that allows Amazon SNS to record \n Firewall Manager activity.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the IAM role that allows Amazon SNS to record\n Firewall Manager activity.
", "smithy.api#required": {} } } @@ -3316,7 +3428,7 @@ } ], "traits": { - "smithy.api#documentation": "Creates an Firewall Manager policy.
\nFirewall Manager provides the following types of policies:
\nAn WAF policy (type WAFV2), which defines rule groups to run first in the \n corresponding WAF web ACL and rule groups to run last in the web ACL.
\nAn WAF Classic policy (type WAF), which defines a rule group.
\nA Shield Advanced policy, which applies Shield Advanced protection to specified\n accounts and resources.
\nA security group policy, which manages VPC security groups across your Amazon Web Services\n organization.
\nAn Network Firewall policy, which provides firewall rules to filter network traffic in specified \n Amazon VPCs.
\nA DNS Firewall policy, which provides Route 53 Resolver DNS Firewall rules to filter DNS queries for \n specified VPCs.
\nEach policy is specific to one of the types. If you want to enforce more than one\n policy type across accounts, create multiple policies. You can create multiple\n policies for each type.
\nYou must be subscribed to Shield Advanced to create a Shield Advanced policy. For more\n information about subscribing to Shield Advanced, see \n CreateSubscription.
" + "smithy.api#documentation": "Creates an Firewall Manager policy.
\nFirewall Manager provides the following types of policies:
\nAn WAF policy (type WAFV2), which defines rule groups to run first in the\n corresponding WAF web ACL and rule groups to run last in the web ACL.
\nAn WAF Classic policy (type WAF), which defines a rule group.
\nA Shield Advanced policy, which applies Shield Advanced protection to specified\n accounts and resources.
\nA security group policy, which manages VPC security groups across your Amazon Web Services\n organization.
\nAn Network Firewall policy, which provides firewall rules to filter network traffic in\n specified Amazon VPCs.
\nA DNS Firewall policy, which provides Route 53 Resolver DNS Firewall rules to filter DNS\n queries for specified VPCs.
\nEach policy is specific to one of the types. If you want to enforce more than one policy\n type across accounts, create multiple policies. You can create multiple policies for each\n type.
\nYou must be subscribed to Shield Advanced to create a Shield Advanced policy. For more\n information about subscribing to Shield Advanced, see CreateSubscription.
" } }, "com.amazonaws.fms#PutPolicyRequest": { @@ -3457,7 +3569,7 @@ "EC2ReplaceRouteTableAssociationAction": { "target": "com.amazonaws.fms#EC2ReplaceRouteTableAssociationAction", "traits": { - "smithy.api#documentation": "Information about the ReplaceRouteTableAssociation action in the Amazon EC2 API.
" + "smithy.api#documentation": "Information about the ReplaceRouteTableAssociation action in the Amazon EC2\n API.
" } }, "EC2AssociateRouteTableAction": { @@ -3471,6 +3583,12 @@ "traits": { "smithy.api#documentation": "Information about the CreateRouteTable action in the Amazon EC2 API.
" } + }, + "FMSPolicyUpdateFirewallCreationConfigAction": { + "target": "com.amazonaws.fms#FMSPolicyUpdateFirewallCreationConfigAction", + "traits": { + "smithy.api#documentation": "The remedial action to take when updating a firewall configuration.
" + } } }, "traits": { @@ -3596,7 +3714,7 @@ } }, "traits": { - "smithy.api#documentation": "The resource tags that Firewall Manager uses to determine if a particular resource\n should be included or excluded from the Firewall Manager policy. Tags enable you to\n categorize your Amazon Web Services resources in different ways, for example, by purpose, owner, or\n environment. Each tag consists of a key and an optional value. Firewall Manager combines the\n tags with \"AND\" so that, if you add more than one tag to a policy scope, a resource must have\n all the specified tags to be included or excluded. For more information, see \n Working with Tag Editor.
" + "smithy.api#documentation": "The resource tags that Firewall Manager uses to determine if a particular resource should be\n included or excluded from the Firewall Manager policy. Tags enable you to categorize your Amazon Web Services\n resources in different ways, for example, by purpose, owner, or environment. Each tag\n consists of a key and an optional value. Firewall Manager combines the tags with \"AND\" so that, if you\n add more than one tag to a policy scope, a resource must have all the specified tags to be\n included or excluded. For more information, see Working with Tag\n Editor.
" } }, "com.amazonaws.fms#ResourceTagKey": { @@ -3671,25 +3789,25 @@ "NetworkFirewallMissingFirewallViolation": { "target": "com.amazonaws.fms#NetworkFirewallMissingFirewallViolation", "traits": { - "smithy.api#documentation": "Violation detail for an Network Firewall policy that indicates that a subnet has no Firewall Manager \n managed firewall in its VPC.
" + "smithy.api#documentation": "Violation detail for an Network Firewall policy that indicates that a subnet has no Firewall Manager managed\n firewall in its VPC.
" } }, "NetworkFirewallMissingSubnetViolation": { "target": "com.amazonaws.fms#NetworkFirewallMissingSubnetViolation", "traits": { - "smithy.api#documentation": "Violation detail for an Network Firewall policy that indicates that an Availability Zone is \n missing the expected Firewall Manager managed subnet.
" + "smithy.api#documentation": "Violation detail for an Network Firewall policy that indicates that an Availability Zone is\n missing the expected Firewall Manager managed subnet.
" } }, "NetworkFirewallMissingExpectedRTViolation": { "target": "com.amazonaws.fms#NetworkFirewallMissingExpectedRTViolation", "traits": { - "smithy.api#documentation": "Violation detail for an Network Firewall policy that indicates that a subnet \n is not associated with the expected Firewall Manager managed route table.
" + "smithy.api#documentation": "Violation detail for an Network Firewall policy that indicates that a subnet is not associated\n with the expected Firewall Manager managed route table.
" } }, "NetworkFirewallPolicyModifiedViolation": { "target": "com.amazonaws.fms#NetworkFirewallPolicyModifiedViolation", "traits": { - "smithy.api#documentation": "Violation detail for an Network Firewall policy that indicates that a firewall policy \n in an individual account has been modified in a way that makes it noncompliant. \n For example, the individual account owner might have deleted a rule group, \n changed the priority of a stateless rule group, or changed a policy default action.
" + "smithy.api#documentation": "Violation detail for an Network Firewall policy that indicates that a firewall policy in an\n individual account has been modified in a way that makes it noncompliant. For example, the\n individual account owner might have deleted a rule group, changed the priority of a\n stateless rule group, or changed a policy default action.
" } }, "NetworkFirewallInternetTrafficNotInspectedViolation": { @@ -3728,25 +3846,37 @@ "DnsRuleGroupPriorityConflictViolation": { "target": "com.amazonaws.fms#DnsRuleGroupPriorityConflictViolation", "traits": { - "smithy.api#documentation": "Violation detail for a DNS Firewall policy that indicates that a rule group that Firewall Manager \n tried to associate with a VPC has the same priority as a rule group that's already associated.
" + "smithy.api#documentation": "Violation detail for a DNS Firewall policy that indicates that a rule group that Firewall Manager\n tried to associate with a VPC has the same priority as a rule group that's already\n associated.
" } }, "DnsDuplicateRuleGroupViolation": { "target": "com.amazonaws.fms#DnsDuplicateRuleGroupViolation", "traits": { - "smithy.api#documentation": "Violation detail for a DNS Firewall policy that indicates that a rule group that Firewall Manager \n tried to associate with a VPC is already associated with the VPC and can't be associated again.
" + "smithy.api#documentation": "Violation detail for a DNS Firewall policy that indicates that a rule group that Firewall Manager\n tried to associate with a VPC is already associated with the VPC and can't be associated\n again.
" } }, "DnsRuleGroupLimitExceededViolation": { "target": "com.amazonaws.fms#DnsRuleGroupLimitExceededViolation", "traits": { - "smithy.api#documentation": "Violation detail for a DNS Firewall policy that indicates that the VPC reached the limit for associated DNS Firewall rule groups. Firewall Manager tried to associate another rule group with the VPC and failed.
" + "smithy.api#documentation": "Violation detail for a DNS Firewall policy that indicates that the VPC reached the limit\n for associated DNS Firewall rule groups. Firewall Manager tried to associate another rule group with\n the VPC and failed.
" } }, "PossibleRemediationActions": { "target": "com.amazonaws.fms#PossibleRemediationActions", "traits": { - "smithy.api#documentation": "A list of possible remediation action lists. Each individual possible remediation action is a list of individual remediation actions.
" + "smithy.api#documentation": "A list of possible remediation action lists. Each individual possible remediation action\n is a list of individual remediation actions.
" + } + }, + "FirewallSubnetIsOutOfScopeViolation": { + "target": "com.amazonaws.fms#FirewallSubnetIsOutOfScopeViolation", + "traits": { + "smithy.api#documentation": "Contains details about the firewall subnet that violates the policy scope.
" + } + }, + "RouteHasOutOfScopeEndpointViolation": { + "target": "com.amazonaws.fms#RouteHasOutOfScopeEndpointViolation", + "traits": { + "smithy.api#documentation": "Contains details about the route endpoint that violates the policy scope.
" } } }, @@ -3792,6 +3922,86 @@ "smithy.api#documentation": "Describes a route in a route table.
" } }, + "com.amazonaws.fms#RouteHasOutOfScopeEndpointViolation": { + "type": "structure", + "members": { + "SubnetId": { + "target": "com.amazonaws.fms#ResourceId", + "traits": { + "smithy.api#documentation": "The ID of the subnet associated with the route that violates the policy scope.
" + } + }, + "VpcId": { + "target": "com.amazonaws.fms#ResourceId", + "traits": { + "smithy.api#documentation": "The VPC ID of the route that violates the policy scope.
" + } + }, + "RouteTableId": { + "target": "com.amazonaws.fms#ResourceId", + "traits": { + "smithy.api#documentation": "The ID of the route table.
" + } + }, + "ViolatingRoutes": { + "target": "com.amazonaws.fms#Routes", + "traits": { + "smithy.api#documentation": "The list of routes that violate the route table.
" + } + }, + "SubnetAvailabilityZone": { + "target": "com.amazonaws.fms#LengthBoundedString", + "traits": { + "smithy.api#documentation": "The subnet's Availability Zone.
" + } + }, + "SubnetAvailabilityZoneId": { + "target": "com.amazonaws.fms#LengthBoundedString", + "traits": { + "smithy.api#documentation": "The ID of the subnet's Availability Zone.
" + } + }, + "CurrentFirewallSubnetRouteTable": { + "target": "com.amazonaws.fms#ResourceId", + "traits": { + "smithy.api#documentation": "The route table associated with the current firewall subnet.
" + } + }, + "FirewallSubnetId": { + "target": "com.amazonaws.fms#ResourceId", + "traits": { + "smithy.api#documentation": "The ID of the firewall subnet.
" + } + }, + "FirewallSubnetRoutes": { + "target": "com.amazonaws.fms#Routes", + "traits": { + "smithy.api#documentation": "The list of firewall subnet routes.
" + } + }, + "InternetGatewayId": { + "target": "com.amazonaws.fms#ResourceId", + "traits": { + "smithy.api#documentation": "The ID of the Internet Gateway.
" + } + }, + "CurrentInternetGatewayRouteTable": { + "target": "com.amazonaws.fms#ResourceId", + "traits": { + "smithy.api#documentation": "The current route table associated with the Internet Gateway.
" + } + }, + "InternetGatewayRoutes": { + "target": "com.amazonaws.fms#Routes", + "traits": { + "smithy.api#documentation": "The routes in the route table associated with the Internet Gateway.
" + } + } + }, + "traits": { + "smithy.api#documentation": "Contains details about the route endpoint that violates the policy scope.
" + } + }, "com.amazonaws.fms#Routes": { "type": "list", "member": { @@ -3816,7 +4026,7 @@ "RemediationResult": { "target": "com.amazonaws.fms#SecurityGroupRuleDescription", "traits": { - "smithy.api#documentation": "The final state of the rule specified in the ViolationTarget after it is remediated.
The final state of the rule specified in the ViolationTarget after it is\n remediated.
The IP protocol name (tcp, udp, icmp, icmpv6) or number.
The IP protocol name (tcp, udp, icmp,\n icmpv6) or number.
The start of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types.
The start of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type\n number. A value of -1 indicates all ICMP/ICMPv6 types.
The end of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes.
The end of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value\n of -1 indicates all ICMP/ICMPv6 codes.
The service that the policy is using to protect the resources. This specifies the type of\n policy that is created, either an WAF policy, a Shield Advanced policy, or a security\n group policy. For security group policies, Firewall Manager supports one security group for\n each common policy and for each content audit policy. This is an adjustable limit that you can\n increase by contacting Amazon Web Services Support.
", + "smithy.api#documentation": "The service that the policy is using to protect the resources. This specifies the type\n of policy that is created, either an WAF policy, a Shield Advanced policy, or a\n security group policy. For security group policies, Firewall Manager supports one security group for\n each common policy and for each content audit policy. This is an adjustable limit that you\n can increase by contacting Amazon Web Services Support.
", "smithy.api#required": {} } }, "ManagedServiceData": { "target": "com.amazonaws.fms#ManagedServiceData", "traits": { - "smithy.api#documentation": "Details about the service that are specific to the service type, in JSON format.
\nExample: DNS_FIREWALL\n
\n \"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"\n
Valid values for preProcessRuleGroups are between 1 and 99. Valid values for postProcessRuleGroups are between 9901 and 10000.
Example: NETWORK_FIREWALL\n
\n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-1:1234567891011:stateless-rulegroup/rulegroup2\\\",\\\"priority\\\":10}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:pass\\\",\\\"custom1\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"custom2\\\",\\\"aws:pass\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"custom1\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"dimension1\\\"}]}}},{\\\"actionName\\\":\\\"custom2\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"dimension2\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-west-1:1234567891011:stateful-rulegroup/rulegroup1\\\"}],\\\"networkFirewallOrchestrationConfig\\\":{\\\"singleFirewallEndpointPerVPC\\\":true,\\\"allowedIPV4CidrList\\\":[\\\"10.24.34.0/28\\\"]} }\"\n
Specification for SHIELD_ADVANCED for Amazon CloudFront distributions
\n \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\", \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"}, \\\"overrideCustomerWebaclClassic\\\":true|false}\"\n
For example: \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\": {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\", \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"\n
The default value for automaticResponseStatus is IGNORED. The value for automaticResponseAction is only required when automaticResponseStatus is set to ENABLED. The default value for overrideCustomerWebaclClassic is false.
For other resource types that you can protect with a Shield Advanced policy, this ManagedServiceData configuration is an empty string.
Example: WAFV2\n
\n \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"\n
In the loggingConfiguration, you can specify one logDestinationConfigs, you can optionally provide up to 20 redactedFields, and the RedactedFieldType must be one of URI, QUERY_STRING, HEADER, or METHOD.
Example: WAF Classic\n
\n \"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\": [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\": \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"\n
Example: SECURITY_GROUPS_COMMON\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"\n
Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns\n
\n\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false, \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\" sg-000e55995d61a06bd\\\"}]}\"\n
Example: SECURITY_GROUPS_CONTENT_AUDIT\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"\n
The security group action for content audit can be ALLOW or\n DENY. For ALLOW, all in-scope security group rules must be\n within the allowed range of the policy's security group rules. For DENY, all\n in-scope security group rules must not contain a value or a range that matches a rule\n value or range in the policy security group.
Example: SECURITY_GROUPS_USAGE_AUDIT\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"\n
Details about the service that are specific to the service type, in JSON format.
\nExample: DNS_FIREWALL\n
\n \"{\\\"type\\\":\\\"DNS_FIREWALL\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-1\\\",\\\"priority\\\":10}],\\\"postProcessRuleGroups\\\":[{\\\"ruleGroupId\\\":\\\"rslvr-frg-2\\\",\\\"priority\\\":9911}]}\"\n
Valid values for preProcessRuleGroups are between 1 and 99. Valid\n values for postProcessRuleGroups are between 9901 and 10000.
Example: NETWORK_FIREWALL - Centralized deployment\n model.
\n \"{\\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"awsNetworkFirewallConfig\\\":{\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\\\"networkFirewallStatelessDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessFragmentDefaultActions\\\":[\\\"aws:forward_to_sfe\\\",\\\"customActionName\\\"],\\\"networkFirewallStatelessCustomActions\\\":[{\\\"actionName\\\":\\\"customActionName\\\",\\\"actionDefinition\\\":{\\\"publishMetricAction\\\":{\\\"dimensions\\\":[{\\\"value\\\":\\\"metricdimensionvalue\\\"}]}}}],\\\"networkFirewallStatefulRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"}],\\\"networkFirewallLoggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"ALERT\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}},{\\\"logDestinationType\\\":\\\"S3\\\",\\\"logType\\\":\\\"FLOW\\\",\\\"logDestination\\\":{\\\"bucketName\\\":\\\"s3-bucket-name\\\"}}],\\\"overrideExistingConfig\\\":true}},\\\"firewallDeploymentModel\\\":{\\\"centralizedFirewallDeploymentModel\\\":{\\\"centralizedFirewallOrchestrationConfig\\\":{\\\"inspectionVpcIds\\\":[{\\\"resourceId\\\":\\\"vpc-1234\\\",\\\"accountId\\\":\\\"123456789011\\\"}],\\\"firewallCreationConfig\\\":{\\\"endpointLocation\\\":{\\\"availabilityZoneConfigList\\\":[{\\\"availabilityZoneId\\\":null,\\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\\\"allowedIPV4CidrList\\\":[\\\"10.0.0.0/28\\\"]}]}},\\\"allowedIPV4CidrList\\\":[]}}}}\"\n
To use the centralized deployment model, you must set PolicyOption to\n CENTRALIZED.
Example: NETWORK_FIREWALL - Distributed deployment model with\n automatic Availability Zone configuration. With automatic Availbility Zone\n configuration, Firewall Manager chooses which Availability Zones to create the endpoints in.
\n \"{ \\\"type\\\": \\\"NETWORK_FIREWALL\\\",\n \\\"networkFirewallStatelessRuleGroupReferences\\\": [ { \\\"resourceARN\\\":\n \\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\n \\\"priority\\\": 1 } ], \\\"networkFirewallStatelessDefaultActions\\\": [\n \\\"aws:forward_to_sfe\\\", \\\"customActionName\\\" ],\n \\\"networkFirewallStatelessFragmentDefaultActions\\\": [ \\\"aws:forward_to_sfe\\\",\n \\\"customActionName\\\" ], \\\"networkFirewallStatelessCustomActions\\\": [ {\n \\\"actionName\\\": \\\"customActionName\\\", \\\"actionDefinition\\\": {\n \\\"publishMetricAction\\\": { \\\"dimensions\\\": [ { \\\"value\\\": \\\"metricdimensionvalue\\\"\n } ] } } } ], \\\"networkFirewallStatefulRuleGroupReferences\\\": [ { \\\"resourceARN\\\":\n \\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\" } ],\n \\\"networkFirewallOrchestrationConfig\\\": { \\\"singleFirewallEndpointPerVPC\\\": false,\n \\\"allowedIPV4CidrList\\\": [ \\\"10.0.0.0/28\\\", \\\"192.168.0.0/28\\\" ],\n \\\"routeManagementAction\\\": \\\"OFF\\\" }, \\\"networkFirewallLoggingConfiguration\\\": {\n \\\"logDestinationConfigs\\\": [ { \\\"logDestinationType\\\": \\\"S3\\\", \\\"logType\\\":\n \\\"ALERT\\\", \\\"logDestination\\\": { \\\"bucketName\\\": \\\"s3-bucket-name\\\" } }, {\n \\\"logDestinationType\\\": \\\"S3\\\", \\\"logType\\\": \\\"FLOW\\\", \\\"logDestination\\\": {\n \\\"bucketName\\\": \\\"s3-bucket-name\\\" } } ], \\\"overrideExistingConfig\\\": true }\n }\"\n
To use the distributed deployment model, you must set PolicyOption to\n NULL.
Example: NETWORK_FIREWALL - Distributed deployment model with\n automatic Availability Zone configuration, and route management.
\n \"{ \\\"type\\\": \\\"NETWORK_FIREWALL\\\",\n \\\"networkFirewallStatelessRuleGroupReferences\\\": [ { \\\"resourceARN\\\":\n \\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\n \\\"priority\\\": 1 } ], \\\"networkFirewallStatelessDefaultActions\\\": [\n \\\"aws:forward_to_sfe\\\", \\\"customActionName\\\" ],\n \\\"networkFirewallStatelessFragmentDefaultActions\\\": [ \\\"aws:forward_to_sfe\\\",\n \\\"customActionName\\\" ], \\\"networkFirewallStatelessCustomActions\\\": [ {\n \\\"actionName\\\": \\\"customActionName\\\", \\\"actionDefinition\\\": {\n \\\"publishMetricAction\\\": { \\\"dimensions\\\": [ { \\\"value\\\": \\\"metricdimensionvalue\\\"\n } ] } } } ], \\\"networkFirewallStatefulRuleGroupReferences\\\": [ { \\\"resourceARN\\\":\n \\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\" } ],\n \\\"networkFirewallOrchestrationConfig\\\": { \\\"singleFirewallEndpointPerVPC\\\": false,\n \\\"allowedIPV4CidrList\\\": [ \\\"10.0.0.0/28\\\", \\\"192.168.0.0/28\\\" ],\n \\\"routeManagementAction\\\": \\\"MONITOR\\\", \\\"routeManagementTargetTypes\\\": [\n \\\"InternetGateway\\\" ] }, \\\"networkFirewallLoggingConfiguration\\\": {\n \\\"logDestinationConfigs\\\": [ { \\\"logDestinationType\\\": \\\"S3\\\", \\\"logType\\\":\n \\\"ALERT\\\", \\\"logDestination\\\": { \\\"bucketName\\\": \\\"s3-bucket-name\\\" } }, {\n \\\"logDestinationType\\\": \\\"S3\\\", \\\"logType\\\": \\\"FLOW\\\", \\\"logDestination\\\": {\n \\\"bucketName\\\": \\\"s3-bucket-name\\\" } } ], \\\"overrideExistingConfig\\\": true }\n }\"\n
Example: NETWORK_FIREWALL - Distributed deployment model with\n custom Availability Zone configuration. With custom Availability Zone configuration,\n you define which specific Availability Zones to create endpoints in by configuring\n firewallCreationConfig.
\n \"{\n \\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\n \\\"networkFirewallStatelessDefaultActions\\\":[ \\\"aws:forward_to_sfe\\\",\n \\\"customActionName\\\" ], \\\"networkFirewallStatelessFragmentDefaultActions\\\":[\n \\\"aws:forward_to_sfe\\\", \\\"fragmentcustomactionname\\\" ],\n \\\"networkFirewallStatelessCustomActions\\\":[ { \\\"actionName\\\":\\\"customActionName\\\",\n \\\"actionDefinition\\\":{ \\\"publishMetricAction\\\":{ \\\"dimensions\\\":[ {\n \\\"value\\\":\\\"metricdimensionvalue\\\" } ] } } }, {\n \\\"actionName\\\":\\\"fragmentcustomactionname\\\", \\\"actionDefinition\\\":{\n \\\"publishMetricAction\\\":{ \\\"dimensions\\\":[ {\n \\\"value\\\":\\\"fragmentmetricdimensionvalue\\\" } ] } } } ],\n \\\"networkFirewallStatefulRuleGroupReferences\\\":[ {\n \\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"\n } ], \\\"networkFirewallOrchestrationConfig\\\":{ \\\"firewallCreationConfig\\\":{\n \\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\n \\\"availabilityZoneId\\\":null, \\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\n \\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\" ] }, { ¯\\\"availabilityZoneId\\\":null,\n \\\"availabilityZoneName\\\":\\\"us-east-1b\\\", \\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"\n ] } ] } }, \\\"singleFirewallEndpointPerVPC\\\":false, \\\"allowedIPV4CidrList\\\":null,\n \\\"routeManagementAction\\\":\\\"OFF\\\", \\\"networkFirewallLoggingConfiguration\\\":{\n \\\"logDestinationConfigs\\\":[ { \\\"logDestinationType\\\":\\\"S3\\\",\n \\\"logType\\\":\\\"ALERT\\\", \\\"logDestination\\\":{ \\\"bucketName\\\":\\\"s3-bucket-name\\\" } },\n { \\\"logDestinationType\\\":\\\"S3\\\", \\\"logType\\\":\\\"FLOW\\\", \\\"logDestination\\\":{\n \\\"bucketName\\\":\\\"s3-bucket-name\\\" } } ], \\\"overrideExistingConfig\\\":boolean }\n }\"\n
Example: NETWORK_FIREWALL - Distributed deployment model with\n custom Availability Zone configuration, and route management.
\n \"{\n \\\"type\\\":\\\"NETWORK_FIREWALL\\\",\\\"networkFirewallStatelessRuleGroupReferences\\\":[{\\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\\\",\\\"priority\\\":1}],\n \\\"networkFirewallStatelessDefaultActions\\\":[ \\\"aws:forward_to_sfe\\\",\n \\\"customActionName\\\" ], \\\"networkFirewallStatelessFragmentDefaultActions\\\":[\n \\\"aws:forward_to_sfe\\\", \\\"fragmentcustomactionname\\\" ],\n \\\"networkFirewallStatelessCustomActions\\\":[ { \\\"actionName\\\":\\\"customActionName\\\",\n \\\"actionDefinition\\\":{ \\\"publishMetricAction\\\":{ \\\"dimensions\\\":[ {\n \\\"value\\\":\\\"metricdimensionvalue\\\" } ] } } }, {\n \\\"actionName\\\":\\\"fragmentcustomactionname\\\", \\\"actionDefinition\\\":{\n \\\"publishMetricAction\\\":{ \\\"dimensions\\\":[ {\n \\\"value\\\":\\\"fragmentmetricdimensionvalue\\\" } ] } } } ],\n \\\"networkFirewallStatefulRuleGroupReferences\\\":[ {\n \\\"resourceARN\\\":\\\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\\\"\n } ], \\\"networkFirewallOrchestrationConfig\\\":{ \\\"firewallCreationConfig\\\":{\n \\\"endpointLocation\\\":{ \\\"availabilityZoneConfigList\\\":[ {\n \\\"availabilityZoneId\\\":null, \\\"availabilityZoneName\\\":\\\"us-east-1a\\\",\n \\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\" ] }, { ¯\\\"availabilityZoneId\\\":null,\n \\\"availabilityZoneName\\\":\\\"us-east-1b\\\", \\\"allowedIPV4CidrList\\\":[ \\\"10.0.0.0/28\\\"\n ] } ] } }, \\\"singleFirewallEndpointPerVPC\\\":false, \\\"allowedIPV4CidrList\\\":null,\n \\\"routeManagementAction\\\":\\\"MONITOR\\\", \\\"routeManagementTargetTypes\\\":[\n \\\"InternetGateway\\\" ], \\\"routeManagementConfig\\\":{\n \\\"allowCrossAZTrafficIfNoEndpoint\\\":true } },\n \\\"networkFirewallLoggingConfiguration\\\":{ \\\"logDestinationConfigs\\\":[ {\n \\\"logDestinationType\\\":\\\"S3\\\", \\\"logType\\\":\\\"ALERT\\\", \\\"logDestination\\\":{\n \\\"bucketName\\\":\\\"s3-bucket-name\\\" } }, { \\\"logDestinationType\\\":\\\"S3\\\",\n \\\"logType\\\":\\\"FLOW\\\", \\\"logDestination\\\":{ \\\"bucketName\\\":\\\"s3-bucket-name\\\" } }\n ], \\\"overrideExistingConfig\\\":boolean } }\"\n
Specification for SHIELD_ADVANCED for Amazon CloudFront distributions
\n \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\":\n {\\\"automaticResponseStatus\\\":\\\"ENABLED|IGNORED|DISABLED\\\",\n \\\"automaticResponseAction\\\":\\\"BLOCK|COUNT\\\"},\n \\\"overrideCustomerWebaclClassic\\\":true|false}\"\n
For example:\n \"{\\\"type\\\":\\\"SHIELD_ADVANCED\\\",\\\"automaticResponseConfiguration\\\":\n {\\\"automaticResponseStatus\\\":\\\"ENABLED\\\",\n \\\"automaticResponseAction\\\":\\\"COUNT\\\"}}\"\n
The default value for automaticResponseStatus is\n IGNORED. The value for automaticResponseAction is only\n required when automaticResponseStatus is set to ENABLED.\n The default value for overrideCustomerWebaclClassic is\n false.
For other resource types that you can protect with a Shield Advanced policy, this\n ManagedServiceData configuration is an empty string.
Example: WAFV2\n
\n \"{\\\"type\\\":\\\"WAFV2\\\",\\\"preProcessRuleGroups\\\":[{\\\"ruleGroupArn\\\":null,\\\"overrideAction\\\":{\\\"type\\\":\\\"NONE\\\"},\\\"managedRuleGroupIdentifier\\\":{\\\"version\\\":null,\\\"vendorName\\\":\\\"AWS\\\",\\\"managedRuleGroupName\\\":\\\"AWSManagedRulesAmazonIpReputationList\\\"},\\\"ruleGroupType\\\":\\\"ManagedRuleGroup\\\",\\\"excludeRules\\\":[{\\\"name\\\":\\\"NoUserAgent_HEADER\\\"}]}],\\\"postProcessRuleGroups\\\":[],\\\"defaultAction\\\":{\\\"type\\\":\\\"ALLOW\\\"},\\\"overrideCustomerWebACLAssociation\\\":false,\\\"loggingConfiguration\\\":{\\\"logDestinationConfigs\\\":[\\\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\\\"],\\\"redactedFields\\\":[{\\\"redactedFieldType\\\":\\\"SingleHeader\\\",\\\"redactedFieldValue\\\":\\\"Cookies\\\"},{\\\"redactedFieldType\\\":\\\"Method\\\"}]}}\"\n
In the loggingConfiguration, you can specify one\n logDestinationConfigs, you can optionally provide up to 20\n redactedFields, and the RedactedFieldType must be one of\n URI, QUERY_STRING, HEADER, or\n METHOD.
Example: WAF Classic\n
\n \"{\\\"type\\\": \\\"WAF\\\", \\\"ruleGroups\\\":\n [{\\\"id\\\":\\\"12345678-1bcd-9012-efga-0987654321ab\\\", \\\"overrideAction\\\" : {\\\"type\\\":\n \\\"COUNT\\\"}}], \\\"defaultAction\\\": {\\\"type\\\": \\\"BLOCK\\\"}}\"\n
Example: SECURITY_GROUPS_COMMON\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\n \\\"applyToAllEC2InstanceENIs\\\":false,\\\"securityGroups\\\":[{\\\"id\\\":\\\"\n sg-000e55995d61a06bd\\\"}]}\"\n
Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as\n well as to those in VPCs that the account owns
\n\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_COMMON\\\",\\\"revertManualSecurityGroupChanges\\\":false,\\\"exclusiveResourceSecurityGroupManagement\\\":false,\n \\\"applyToAllEC2InstanceENIs\\\":false,\\\"includeSharedVPC\\\":true,\\\"securityGroups\\\":[{\\\"id\\\":\\\"\n sg-000e55995d61a06bd\\\"}]}\"\n
Example: SECURITY_GROUPS_CONTENT_AUDIT\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_CONTENT_AUDIT\\\",\\\"securityGroups\\\":[{\\\"id\\\":\\\"sg-000e55995d61a06bd\\\"}],\\\"securityGroupAction\\\":{\\\"type\\\":\\\"ALLOW\\\"}}\"\n
The security group action for content audit can be ALLOW or\n DENY. For ALLOW, all in-scope security group rules must\n be within the allowed range of the policy's security group rules. For\n DENY, all in-scope security group rules must not contain a value or a\n range that matches a rule value or range in the policy security group.
Example: SECURITY_GROUPS_USAGE_AUDIT\n
\n \"{\\\"type\\\":\\\"SECURITY_GROUPS_USAGE_AUDIT\\\",\\\"deleteUnusedSecurityGroups\\\":true,\\\"coalesceRedundantSecurityGroups\\\":true}\"\n
Contains the Network Firewall firewall policy options to configure a centralized deployment\n model.
" } } }, @@ -3984,7 +4200,7 @@ "Priority": { "target": "com.amazonaws.fms#StatelessRuleGroupPriority", "traits": { - "smithy.api#documentation": "The priority of the rule group. Network Firewall evaluates the stateless rule groups in a firewall policy starting from the lowest priority setting.
" + "smithy.api#documentation": "The priority of the rule group. Network Firewall evaluates the stateless rule groups in a\n firewall policy starting from the lowest priority setting.
" } } }, @@ -4013,20 +4229,20 @@ "Key": { "target": "com.amazonaws.fms#TagKey", "traits": { - "smithy.api#documentation": "Part of the key:value pair that defines a tag. You can use a tag key to describe a category of information, such as \"customer.\" Tag keys are case-sensitive.
", + "smithy.api#documentation": "Part of the key:value pair that defines a tag. You can use a tag key to describe a\n category of information, such as \"customer.\" Tag keys are case-sensitive.
", "smithy.api#required": {} } }, "Value": { "target": "com.amazonaws.fms#TagValue", "traits": { - "smithy.api#documentation": "Part of the key:value pair that defines a tag. You can use a tag value to describe a specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are case-sensitive.
", + "smithy.api#documentation": "Part of the key:value pair that defines a tag. You can use a tag value to describe a\n specific value within a category, such as \"companyA\" or \"companyB.\" Tag values are\n case-sensitive.
", "smithy.api#required": {} } } }, "traits": { - "smithy.api#documentation": "A collection of key:value pairs associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each Amazon Web Services resource.
" + "smithy.api#documentation": "A collection of key:value pairs associated with an Amazon Web Services resource. The key:value pair\n can be anything you define. Typically, the tag key represents a category (such as\n \"environment\") and the tag value represents a specific value within that category (such as\n \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each Amazon Web Services resource.\n
" } }, "com.amazonaws.fms#TagKey": { @@ -4098,7 +4314,7 @@ "ResourceArn": { "target": "com.amazonaws.fms#ResourceArn", "traits": { - "smithy.api#documentation": "The Amazon Resource Name (ARN) of the resource to return tags for. The Firewall Manager resources that support tagging are policies, applications lists, and protocols lists.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the resource to return tags for. The Firewall Manager\n resources that support tagging are policies, applications lists, and protocols lists.\n
", "smithy.api#required": {} } }, @@ -4223,7 +4439,7 @@ "ResourceArn": { "target": "com.amazonaws.fms#ResourceArn", "traits": { - "smithy.api#documentation": "The Amazon Resource Name (ARN) of the resource to return tags for. The Firewall Manager resources that support tagging are policies, applications lists, and protocols lists.
", + "smithy.api#documentation": "The Amazon Resource Name (ARN) of the resource to return tags for. The Firewall Manager\n resources that support tagging are policies, applications lists, and protocols lists.\n
", "smithy.api#required": {} } }, @@ -4291,7 +4507,7 @@ "ResourceTags": { "target": "com.amazonaws.fms#TagList", "traits": { - "smithy.api#documentation": "The ResourceTag objects associated with the resource.
The ResourceTag objects associated with the resource.
This option isn't available for the centralized deployment model when creating policies\n to configure Network Firewall.
" } }, "ResourceDescription": { @@ -4302,7 +4518,7 @@ } }, "traits": { - "smithy.api#documentation": "Violations for a resource based on the specified Firewall Manager policy and Amazon Web Services account.
" + "smithy.api#documentation": "Violations for a resource based on the specified Firewall Manager policy and Amazon Web Services\n account.
" } }, "com.amazonaws.fms#ViolationReason": { @@ -4408,6 +4624,14 @@ { "value": "RESOURCE_MISSING_DNS_FIREWALL", "name": "ResourceMissingDnsFirewall" + }, + { + "value": "FIREWALL_SUBNET_IS_OUT_OF_SCOPE", + "name": "FirewallSubnetIsOutOfScope" + }, + { + "value": "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT", + "name": "RouteHasOutOfScopeEndpoint" } ] } diff --git a/codegen/sdk-codegen/aws-models/lightsail.2016-11-28.json b/codegen/sdk-codegen/aws-models/lightsail.2016-11-28.json index efa8af27d19..7b61e4d6b80 100644 --- a/codegen/sdk-codegen/aws-models/lightsail.2016-11-28.json +++ b/codegen/sdk-codegen/aws-models/lightsail.2016-11-28.json @@ -96,12 +96,12 @@ "lastUsed": { "target": "com.amazonaws.lightsail#AccessKeyLastUsed", "traits": { - "smithy.api#documentation": "An object that describes the last time the access key was used.
\n\nThis object does not include data in the response of a CreateBucketAccessKey action. If the access key has not been used, the\n region and serviceName values are N/A, and the\n lastUsedDate value is null.
An object that describes the last time the access key was used.
\n\nThis object does not include data in the response of a CreateBucketAccessKey action. If the access key has not been used, the\n region and serviceName values are N/A, and the\n lastUsedDate value is null.
Describes an access key for an Amazon Lightsail bucket.
\n\nAccess keys grant full programmatic access to the specified bucket and its objects. You\n can have a maximum of two access keys per bucket. Use the CreateBucketAccessKey action to create an access key for a specific bucket. For\n more information about access keys, see Creating access keys for a bucket in Amazon Lightsail in the\n Amazon Lightsail Developer Guide.
\n\nThe secretAccessKey value is returned only in response to the\n CreateBucketAccessKey action. You can get a secret access key only when you\n first create an access key; you cannot get the secret access key later. If you lose the\n secret access key, you must create a new access key.
Describes an access key for an Amazon Lightsail bucket.
\n\nAccess keys grant full programmatic access to the specified bucket and its objects. You\n can have a maximum of two access keys per bucket. Use the CreateBucketAccessKey action to create an access key for a specific bucket. For\n more information about access keys, see Creating access keys for a bucket in Amazon Lightsail in the\n Amazon Lightsail Developer Guide.
\n\nThe secretAccessKey value is returned only in response to the\n CreateBucketAccessKey action. You can get a secret access key only when you\n first create an access key; you cannot get the secret access key later. If you lose the\n secret access key, you must create a new access key.
Describes the last time an access key was used.
\n\nThis object does not include data in the response of a CreateBucketAccessKey action.
\nDescribes the last time an access key was used.
\n\nThis object does not include data in the response of a CreateBucketAccessKey action.
\nThe ID of the bundle currently applied to the bucket.
\n\nA bucket bundle specifies the monthly cost, storage space, and data transfer quota for a\n bucket.
\n\nUse the UpdateBucketBundle action to change the bundle of a\n bucket.
" + "smithy.api#documentation": "The ID of the bundle currently applied to the bucket.
\n\nA bucket bundle specifies the monthly cost, storage space, and data transfer quota for a\n bucket.
\n\nUse the UpdateBucketBundle action to change the\n bundle of a bucket.
" } }, "createdAt": { @@ -1175,7 +1175,7 @@ "ableToUpdateBundle": { "target": "com.amazonaws.lightsail#boolean", "traits": { - "smithy.api#documentation": "Indicates whether the bundle that is currently applied to a bucket can be changed to\n another bundle.
\n\nYou can update a bucket's bundle only one time within a monthly AWS billing\n cycle.
\n\nUse the UpdateBucketBundle action to change a bucket's bundle.
" + "smithy.api#documentation": "Indicates whether the bundle that is currently applied to a bucket can be changed to\n another bundle.
\n\nYou can update a bucket's bundle only one time within a monthly AWS billing\n cycle.
\n\nUse the UpdateBucketBundle action to change a\n bucket's bundle.
" } }, "readonlyAccessAccounts": { @@ -1187,7 +1187,7 @@ "resourcesReceivingAccess": { "target": "com.amazonaws.lightsail#AccessReceiverList", "traits": { - "smithy.api#documentation": "An array of objects that describe Lightsail instances that have access to the\n bucket.
\n\nUse the SetResourceAccessForBucket action to update the instances that\n have access to a bucket.
" + "smithy.api#documentation": "An array of objects that describe Lightsail instances that have access to the\n bucket.
\n\nUse the SetResourceAccessForBucket\n action to update the instances that have access to a bucket.
" } }, "state": { @@ -1462,7 +1462,7 @@ } }, "traits": { - "smithy.api#documentation": "Describes the per-path cache behavior of an Amazon Lightsail content delivery network (CDN)\n distribution.
\nA per-path cache behavior is used to override, or add an exception to, the default cache\n behavior of a distribution. For example, if the cacheBehavior is set to\n cache, then a per-path cache behavior can be used to specify a directory, file,\n or file type that your distribution will cache. Alternately, if the distribution's\n cacheBehavior is dont-cache, then a per-path cache behavior can be\n used to specify a directory, file, or file type that your distribution will not cache.
if the cacheBehavior's behavior is set to 'cache', then
" + "smithy.api#documentation": "Describes the per-path cache behavior of an Amazon Lightsail content delivery network (CDN)\n distribution.
\nA per-path cache behavior is used to override, or add an exception to, the default cache\n behavior of a distribution. For example, if the cacheBehavior is set to\n cache, then a per-path cache behavior can be used to specify a directory, file,\n or file type that your distribution will cache. Alternately, if the distribution's\n cacheBehavior is dont-cache, then a per-path cache behavior can be\n used to specify a directory, file, or file type that your distribution will not cache.
The name of the image used for the container.
\n \nContainer images sourced from your Lightsail container service, that are registered and\n stored on your service, start with a colon (:). For example, if your container\n service name is container-service-1, the container image label is\n mystaticsite, and you want to use the third (3) version of the\n registered container image, then you should specify\n :container-service-1.mystaticsite.3. To use the latest version of a container\n image, specify latest instead of a version number (for example,\n :container-service-1.mystaticsite.latest). Lightsail will automatically use\n the highest numbered version of the registered container image.
Container images sourced from a public registry like Docker Hub don't start with a colon.\n For example, nginx:latest or nginx.
The name of the image used for the container.
\n\nContainer images sourced from your Lightsail container service, that are registered and\n stored on your service, start with a colon (:). For example, if your container\n service name is container-service-1, the container image label is\n mystaticsite, and you want to use the third (3) version of the\n registered container image, then you should specify\n :container-service-1.mystaticsite.3. To use the latest version of a container\n image, specify latest instead of a version number (for example,\n :container-service-1.mystaticsite.latest). Lightsail will automatically use\n the highest numbered version of the registered container image.
Container images sourced from a public registry like Docker Hub don't start with a colon.\n For example, nginx:latest or nginx.
Creates a new access key for the specified Amazon Lightsail bucket. Access keys consist of\n an access key ID and corresponding secret access key.
\n\nAccess keys grant full programmatic access to the specified bucket and its objects. You\n can have a maximum of two access keys per bucket. Use the GetBucketAccessKeys action to get a list of current access keys for a specific bucket. For more information\n about access keys, see Creating access keys for a bucket in Amazon Lightsail in the\n Amazon Lightsail Developer Guide.
\n\nThe secretAccessKey value is returned only in response to the\n CreateBucketAccessKey action. You can get a secret access key only when you\n first create an access key; you cannot get the secret access key later. If you lose the\n secret access key, you must create a new access key.
Creates a new access key for the specified Amazon Lightsail bucket. Access keys consist of\n an access key ID and corresponding secret access key.
\n\nAccess keys grant full programmatic access to the specified bucket and its objects. You\n can have a maximum of two access keys per bucket. Use the GetBucketAccessKeys action to get a list of current access keys for a specific bucket. For more\n information about access keys, see Creating access keys for a bucket in Amazon Lightsail in the\n Amazon Lightsail Developer Guide.
\n\nThe secretAccessKey value is returned only in response to the\n CreateBucketAccessKey action. You can get a secret access key only when you\n first create an access key; you cannot get the secret access key later. If you lose the\n secret access key, you must create a new access key.
The ID of the bundle to use for the bucket.
\n\nA bucket bundle specifies the monthly cost, storage space, and data transfer quota for a\n bucket.
\n\nUse the GetBucketBundles action to get a list of bundle IDs that you can\n specify.
\n\nUse the UpdateBucketBundle action to change the bundle after the bucket\n is created.
", + "smithy.api#documentation": "The ID of the bundle to use for the bucket.
\n\nA bucket bundle specifies the monthly cost, storage space, and data transfer quota for a\n bucket.
\n\nUse the GetBucketBundles action to get a list of\n bundle IDs that you can specify.
\n\nUse the UpdateBucketBundle action to change the\n bundle after the bucket is created.
", "smithy.api#required": {} } }, "tags": { "target": "com.amazonaws.lightsail#TagList", "traits": { - "smithy.api#documentation": "The tag keys and optional values to add to the bucket during creation.
\n\nUse the TagResource action to tag the bucket after it's created.
" + "smithy.api#documentation": "The tag keys and optional values to add to the bucket during creation.
\n\nUse the TagResource action to tag the bucket after it's\n created.
" } }, "enableObjectVersioning": { @@ -3774,7 +3774,7 @@ "origin": { "target": "com.amazonaws.lightsail#InputOrigin", "traits": { - "smithy.api#documentation": "An object that describes the origin resource for the distribution, such as a Lightsail\n instance or load balancer.
\nThe distribution pulls, caches, and serves content from the origin.
", + "smithy.api#documentation": "An object that describes the origin resource for the distribution, such as a Lightsail\n instance, bucket, or load balancer.
\nThe distribution pulls, caches, and serves content from the origin.
", "smithy.api#required": {} } }, @@ -4340,7 +4340,7 @@ } ], "traits": { - "smithy.api#documentation": "Creates an SSH key pair.
\nThe create key pair operation supports tag-based access control via request\n tags. For more information, see the Amazon Lightsail Developer Guide.
Creates a custom SSH key pair that you can use with an Amazon Lightsail\n instance.
\nUse the DownloadDefaultKeyPair action to create a Lightsail default key\n pair in an Amazon Web Services Region where a default key pair does not currently\n exist.
\nThe create key pair operation supports tag-based access control via request\n tags. For more information, see the Amazon Lightsail Developer Guide.
The ID of the access key to delete.
\n\nUse the GetBucketAccessKeys action to get a list of access key IDs that\n you can specify.
", + "smithy.api#documentation": "The ID of the access key to delete.
\n\nUse the GetBucketAccessKeys action to get a\n list of access key IDs that you can specify.
", "smithy.api#required": {} } } @@ -5135,14 +5135,14 @@ "bucketName": { "target": "com.amazonaws.lightsail#BucketName", "traits": { - "smithy.api#documentation": "The name of the bucket to delete.
\n\nUse the GetBuckets action to get a list of bucket names that you can\n specify.
", + "smithy.api#documentation": "The name of the bucket to delete.
\n\nUse the GetBuckets action to get a list of bucket names\n that you can specify.
", "smithy.api#required": {} } }, "forceDelete": { "target": "com.amazonaws.lightsail#boolean", "traits": { - "smithy.api#documentation": "A Boolean value that indicates whether to force delete the bucket.
\n\nYou must force delete the bucket if it has one of the following conditions:
\nThe bucket is the origin of a distribution.
\nThe bucket has instances that were granted access to it using the SetResourceAccessForBucket action.
\nThe bucket has objects.
\nThe bucket has access keys.
\nForce deleting a bucket might impact other resources that rely on the bucket, such as\n instances, distributions, or software that use the issued access keys.
\nA Boolean value that indicates whether to force delete the bucket.
\n\nYou must force delete the bucket if it has one of the following conditions:
\nThe bucket is the origin of a distribution.
\nThe bucket has instances that were granted access to it using the SetResourceAccessForBucket action.
\nThe bucket has objects.
\nThe bucket has access keys.
\nForce deleting a bucket might impact other resources that rely on the bucket, such as\n instances, distributions, or software that use the issued access keys.
\nDeletes a specific SSH key pair.
\n \n\nThe delete key pair operation supports tag-based access control via resource\n tags applied to the resource identified by key pair name. For more information,\n see the Amazon Lightsail Developer Guide.
Deletes the specified key pair by removing the public key from Amazon Lightsail.
\nYou can delete key pairs that were created using the ImportKeyPair and\n CreateKeyPair actions, as well as the Lightsail default key pair. A new default\n key pair will not be created unless you launch an instance without specifying a custom key\n pair, or you call the DownloadDefaultKeyPair API.
\n\nThe delete key pair operation supports tag-based access control via resource\n tags applied to the resource identified by key pair name. For more information,\n see the Amazon Lightsail Developer Guide.
The name of the key pair to delete.
", "smithy.api#required": {} } + }, + "expectedFingerprint": { + "target": "com.amazonaws.lightsail#string", + "traits": { + "smithy.api#documentation": "The RSA fingerprint of the Lightsail default key pair to delete.
\nThe expectedFingerprint parameter is required only when specifying to\n delete a Lightsail default key pair.
Downloads the default SSH key pair from the user's account.
", + "smithy.api#documentation": "Downloads the regional Amazon Lightsail default key pair.
\nThis action also creates a Lightsail default key pair if a default key pair\n does not currently exist in the Amazon Web Services Region.
", "smithy.api#http": { "method": "POST", "uri": "/ls/api/2016-11-28/DownloadDefaultKeyPair", @@ -7239,6 +7245,12 @@ "traits": { "smithy.api#documentation": "A base64-encoded RSA private key.
" } + }, + "createdAt": { + "target": "com.amazonaws.lightsail#IsoDate", + "traits": { + "smithy.api#documentation": "The timestamp when the default key pair was created.
" + } } } }, @@ -7881,7 +7893,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns the existing access key IDs for the specified Amazon Lightsail bucket.
\n\nThis action does not return the secret access key value of an access key. You can get a\n secret access key only when you create it from the response of the CreateBucketAccessKey action. If you lose the secret access key, you must\n create a new access key.
\nReturns the existing access key IDs for the specified Amazon Lightsail bucket.
\n\nThis action does not return the secret access key value of an access key. You can get a\n secret access key only when you create it from the response of the CreateBucketAccessKey action. If you lose the secret access key, you must create\n a new access key.
\nReturns the bundles that you can apply to a Amazon Lightsail bucket.
\n\nThe bucket bundle specifies the monthly cost, storage quota, and data transfer quota for a\n bucket.
\n\nUse the UpdateBucketBundle action to update the bundle for a\n bucket.
", + "smithy.api#documentation": "Returns the bundles that you can apply to a Amazon Lightsail bucket.
\n\nThe bucket bundle specifies the monthly cost, storage quota, and data transfer quota for a\n bucket.
\n\nUse the UpdateBucketBundle action to update the\n bundle for a bucket.
", "smithy.api#http": { "method": "POST", "uri": "/ls/api/2016-11-28/GetBucketBundles", @@ -8122,7 +8134,7 @@ "includeConnectedResources": { "target": "com.amazonaws.lightsail#boolean", "traits": { - "smithy.api#documentation": "A Boolean value that indicates whether to include Lightsail instances that were given\n access to the bucket using the SetResourceAccessForBucket action.
" + "smithy.api#documentation": "A Boolean value that indicates whether to include Lightsail instances that were given\n access to the bucket using the SetResourceAccessForBucket\n action.
" } } } @@ -9592,7 +9604,7 @@ } ], "traits": { - "smithy.api#documentation": "Returns all export snapshot records created as a result of the export\n snapshot operation.
An export snapshot record can be used to create a new Amazon EC2 instance and its related\n resources with the CreateCloudFormationStack action.
", + "smithy.api#documentation": "Returns all export snapshot records created as a result of the export\n snapshot operation.
An export snapshot record can be used to create a new Amazon EC2 instance and its related\n resources with the CreateCloudFormationStack\n action.
", "smithy.api#http": { "method": "POST", "uri": "/ls/api/2016-11-28/GetExportSnapshotRecords", @@ -10307,6 +10319,12 @@ "traits": { "smithy.api#documentation": "The token to advance to the next page of results from your request.
\nTo get a page token, perform an initial GetKeyPairs request. If your results\n are paginated, the response will return a next page token that you can specify as the page\n token in a subsequent request.
A Boolean value that indicates whether to include the default key pair in the response of\n your request.
" + } } } }, @@ -12212,7 +12230,7 @@ } }, "traits": { - "smithy.api#documentation": "Describes the origin resource of an Amazon Lightsail content delivery network (CDN)\n distribution.
\nAn origin can be a Lightsail instance or load balancer. A distribution pulls content\n from an origin, caches it, and serves it to viewers via a worldwide network of edge\n servers.
" + "smithy.api#documentation": "Describes the origin resource of an Amazon Lightsail content delivery network (CDN)\n distribution.
\nAn origin can be a Lightsail instance, bucket, or load balancer. A distribution pulls\n content from an origin, caches it, and serves it to viewers via a worldwide network of edge\n servers.
" } }, "com.amazonaws.lightsail#Instance": { @@ -13270,7 +13288,7 @@ "origin": { "target": "com.amazonaws.lightsail#Origin", "traits": { - "smithy.api#documentation": "An object that describes the origin resource of the distribution, such as a Lightsail\n instance or load balancer.
\nThe distribution pulls, caches, and serves content from the origin.
" + "smithy.api#documentation": "An object that describes the origin resource of the distribution, such as a Lightsail\n instance, bucket, or load balancer.
\nThe distribution pulls, caches, and serves content from the origin.
" } }, "originPublicDNS": { @@ -15476,7 +15494,7 @@ } }, "traits": { - "smithy.api#documentation": "Describes the origin resource of an Amazon Lightsail content delivery network (CDN)\n distribution.
\nAn origin can be a Lightsail instance or load balancer. A distribution pulls content\n from an origin, caches it, and serves it to viewers via a worldwide network of edge\n servers.
" + "smithy.api#documentation": "Describes the origin resource of an Amazon Lightsail content delivery network (CDN)\n distribution.
\nAn origin can be a Lightsail instance, bucket, or load balancer. A distribution pulls\n content from an origin, caches it, and serves it to viewers via a worldwide network of edge\n servers.
" } }, "com.amazonaws.lightsail#OriginProtocolPolicyEnum": { @@ -18325,7 +18343,7 @@ } ], "traits": { - "smithy.api#documentation": "Updates the bundle, or storage plan, of an existing Amazon Lightsail bucket.
\n\nA bucket bundle specifies the monthly cost, storage space, and data transfer quota for a\n bucket. You can update a bucket's bundle only one time within a monthly AWS billing cycle. To\n determine if you can update a bucket's bundle, use the GetBuckets action.\n The ableToUpdateBundle parameter in the response will indicate whether you can\n currently update a bucket's bundle.
Update a bucket's bundle if it's consistently going over its storage space or data\n transfer quota, or if a bucket's usage is consistently in the lower range of its storage space\n or data transfer quota. Due to the unpredictable usage fluctuations that a bucket might\n experience, we strongly recommend that you update a bucket's bundle only as a long-term\n strategy, instead of as a short-term, monthly cost-cutting measure. Choose a bucket bundle\n that will provide the bucket with ample storage space and data transfer for a long time to\n come.
", + "smithy.api#documentation": "Updates the bundle, or storage plan, of an existing Amazon Lightsail bucket.
\n\nA bucket bundle specifies the monthly cost, storage space, and data transfer quota for a\n bucket. You can update a bucket's bundle only one time within a monthly AWS billing cycle. To\n determine if you can update a bucket's bundle, use the GetBuckets action. The\n ableToUpdateBundle parameter in the response will indicate whether you can\n currently update a bucket's bundle.
Update a bucket's bundle if it's consistently going over its storage space or data\n transfer quota, or if a bucket's usage is consistently in the lower range of its storage space\n or data transfer quota. Due to the unpredictable usage fluctuations that a bucket might\n experience, we strongly recommend that you update a bucket's bundle only as a long-term\n strategy, instead of as a short-term, monthly cost-cutting measure. Choose a bucket bundle\n that will provide the bucket with ample storage space and data transfer for a long time to\n come.
", "smithy.api#http": { "method": "POST", "uri": "/ls/api/2016-11-28/UpdateBucketBundle", @@ -18346,7 +18364,7 @@ "bundleId": { "target": "com.amazonaws.lightsail#NonEmptyString", "traits": { - "smithy.api#documentation": "The ID of the new bundle to apply to the bucket.
\n\nUse the GetBucketBundles action to get a list of bundle IDs that you can\n specify.
", + "smithy.api#documentation": "The ID of the new bundle to apply to the bucket.
\n\nUse the GetBucketBundles action to get a list of\n bundle IDs that you can specify.
", "smithy.api#required": {} } } @@ -18610,7 +18628,7 @@ "origin": { "target": "com.amazonaws.lightsail#InputOrigin", "traits": { - "smithy.api#documentation": "An object that describes the origin resource for the distribution, such as a Lightsail\n instance or load balancer.
\nThe distribution pulls, caches, and serves content from the origin.
" + "smithy.api#documentation": "An object that describes the origin resource for the distribution, such as a Lightsail\n instance, bucket, or load balancer.
\nThe distribution pulls, caches, and serves content from the origin.
" } }, "defaultCacheBehavior": { diff --git a/codegen/sdk-codegen/aws-models/route53.2013-04-01.json b/codegen/sdk-codegen/aws-models/route53.2013-04-01.json index b2ec5b08291..946527ccaf4 100644 --- a/codegen/sdk-codegen/aws-models/route53.2013-04-01.json +++ b/codegen/sdk-codegen/aws-models/route53.2013-04-01.json @@ -467,7 +467,7 @@ } ], "traits": { - "smithy.api#documentation": "Associates an Amazon VPC with a private hosted zone.
\n\t\tTo perform the association, the VPC and the private hosted zone must already exist. \n\t\t\tYou can't convert a public hosted zone into a private hosted zone.
\nIf you want to associate a VPC that was created by using one Amazon Web Services account with a private hosted zone that was created \n\t\t\tby using a different account, the Amazon Web Services account that created the private hosted zone must first submit a \n\t\t\tCreateVPCAssociationAuthorization request. Then the account that created the VPC must submit an \n\t\t\tAssociateVPCWithHostedZone request.
Associates an Amazon VPC with a private hosted zone.
\n\t\tTo perform the association, the VPC and the private hosted zone must already exist. \n\t\t\tYou can't convert a public hosted zone into a private hosted zone.
\nIf you want to associate a VPC that was created by using one Amazon Web Services account with a private hosted zone that was created \n\t\t\tby using a different account, the Amazon Web Services account that created the private hosted zone must first submit a \n\t\t\tCreateVPCAssociationAuthorization request. Then the account that created the VPC must submit an \n\t\t\tAssociateVPCWithHostedZone request.
When granting access, the hosted zone and the Amazon VPC must belong to the same partition. A\n\t\t\tpartition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one\n\t\t\tpartition.
\n\t\t\tThe following are the supported partitions:
\n\t\t\t\n aws - Amazon Web Services Regions
\n aws-cn - China Regions
\n aws-us-gov - Amazon Web Services GovCloud (US) Region
For more information, see Access Management\n\t\t\t\tin the Amazon Web Services General Reference.
\nCreates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified \n\t\t\tdomain name or subdomain name. For example, you can use ChangeResourceRecordSets to create a resource record set that \n\t\t\troutes traffic for test.example.com to a web server that has an IP address of 192.0.2.44.
\n Deleting Resource Record Sets\n
\n\t\tTo delete a resource record set, you must specify all the same values that you specified when you created it.
\n\n\t\t\n Change Batches and Transactional Changes\n
\n\t\tThe request body must include a document with a ChangeResourceRecordSetsRequest element. \n\t\t\tThe request body contains a list of change items, known as a change batch. Change batches are considered transactional changes.\n\t\t\tRoute 53 validates the changes in the request and then either makes all or none of the changes in the change batch request. \n\t\t\tThis ensures that DNS routing isn't adversely affected by partial changes to the resource record sets in a hosted zone.
For example, suppose a change batch request contains two changes: it deletes the CNAME resource record set for www.example.com and \n\t\t\tcreates an alias resource record set for www.example.com. If validation for both records succeeds, Route 53 deletes the first resource record set and \n\t\t\tcreates the second resource record set in a single operation. If validation for either the DELETE or the CREATE action fails, \n\t\t\tthen the request is canceled, and the original CNAME record continues to exist.
If you try to delete the same resource record set more than once in a single change batch, Route 53 returns an InvalidChangeBatch error.
\n Traffic Flow\n
\n\t\tTo create resource record sets for complex routing configurations, use either the traffic flow visual editor in the \n\t\t\tRoute 53 console or the API actions for traffic policies and traffic policy instances. Save the configuration as a traffic policy, \n\t\t\tthen associate the traffic policy with one or more domain names (such as example.com) or subdomain names (such as www.example.com), \n\t\t\tin the same hosted zone or in multiple hosted zones. You can roll back the updates if the new configuration isn't performing \n\t\t\tas expected. For more information, see Using Traffic Flow to Route DNS Traffic \n\t\t\tin the Amazon Route 53 Developer Guide.
\n\t\t\n\t\t\n Create, Delete, and Upsert\n
\n\t\tUse ChangeResourceRecordsSetsRequest to perform the following actions:
\n CREATE: Creates a resource record set that has the specified values.
\n DELETE: Deletes an existing resource record set that has the specified values.
\n UPSERT: If a resource record set does not already exist, Amazon Web Services creates it. \n\t\t\t\t\t\tIf a resource set does exist, Route 53 updates it with the values in the request.
\n Syntaxes for Creating, Updating, and Deleting Resource Record Sets\n
\n\t\tThe syntax for a request depends on the type of resource record set that you want to create, delete, or update, such as \n\t\t\tweighted, alias, or failover. The XML elements in your request must appear in the order listed in the syntax.
\n\n\t\t\n\t\tFor an example for each type of resource record set, see \"Examples.\"
\n\t\t\n\t\t\n\t\tDon't refer to the syntax in the \"Parameter Syntax\" section, which includes all of the elements for every kind of \n\t\t\tresource record set that you can create, delete, or update by using ChangeResourceRecordSets.
\n Change Propagation to Route 53 DNS Servers\n
\n\t\tWhen you submit a ChangeResourceRecordSets request, Route 53 propagates your changes to all of the \n\t\t\tRoute 53 authoritative DNS servers. While your changes are propagating, GetChange returns a status of \n\t\t\tPENDING. When propagation is complete, GetChange returns a status of INSYNC. \n\t\t\tChanges generally propagate to all Route 53 name servers within 60 seconds. For more information, see \n\t\t\tGetChange.
\n Limits on ChangeResourceRecordSets Requests\n
\n\t\tFor information about the limits on a ChangeResourceRecordSets request, see \n\t\t\tLimits in the \n\t\t\tAmazon Route 53 Developer Guide.
Creates, changes, or deletes a resource record set, which contains authoritative DNS information for a specified \n\t\t\tdomain name or subdomain name. For example, you can use ChangeResourceRecordSets to create a resource record set that \n\t\t\troutes traffic for test.example.com to a web server that has an IP address of 192.0.2.44.
\n Deleting Resource Record Sets\n
\n\t\tTo delete a resource record set, you must specify all the same values that you specified when you created it.
\n\n\t\t\n Change Batches and Transactional Changes\n
\n\t\tThe request body must include a document with a ChangeResourceRecordSetsRequest element. \n\t\t\tThe request body contains a list of change items, known as a change batch. Change batches are considered transactional changes.\n\t\t\tRoute 53 validates the changes in the request and then either makes all or none of the changes in the change batch request. \n\t\t\tThis ensures that DNS routing isn't adversely affected by partial changes to the resource record sets in a hosted zone.
For example, suppose a change batch request contains two changes: it deletes the CNAME resource record set for www.example.com and \n\t\t\tcreates an alias resource record set for www.example.com. If validation for both records succeeds, Route 53 deletes the first resource record set and \n\t\t\tcreates the second resource record set in a single operation. If validation for either the DELETE or the CREATE action fails, \n\t\t\tthen the request is canceled, and the original CNAME record continues to exist.
If you try to delete the same resource record set more than once in a single change batch, Route 53 returns an InvalidChangeBatch error.
\n Traffic Flow\n
\n\t\tTo create resource record sets for complex routing configurations, use either the traffic flow visual editor in the \n\t\t\tRoute 53 console or the API actions for traffic policies and traffic policy instances. Save the configuration as a traffic policy, \n\t\t\tthen associate the traffic policy with one or more domain names (such as example.com) or subdomain names (such as www.example.com), \n\t\t\tin the same hosted zone or in multiple hosted zones. You can roll back the updates if the new configuration isn't performing \n\t\t\tas expected. For more information, see Using Traffic Flow to Route DNS Traffic \n\t\t\tin the Amazon Route 53 Developer Guide.
\n\t\t\n\t\t\n Create, Delete, and Upsert\n
\n\t\tUse ChangeResourceRecordsSetsRequest to perform the following actions:
\n CREATE: Creates a resource record set that has the specified values.
\n DELETE: Deletes an existing resource record set that has the specified values.
\n UPSERT: If a resource set exists Route 53 updates it with the values in the\n\t\t\t\t\trequest.
\n Syntaxes for Creating, Updating, and Deleting Resource Record Sets\n
\n\t\tThe syntax for a request depends on the type of resource record set that you want to create, delete, or update, such as \n\t\t\tweighted, alias, or failover. The XML elements in your request must appear in the order listed in the syntax.
\n\n\t\t\n\t\tFor an example for each type of resource record set, see \"Examples.\"
\n\t\t\n\t\t\n\t\tDon't refer to the syntax in the \"Parameter Syntax\" section, which includes all of the elements for every kind of \n\t\t\tresource record set that you can create, delete, or update by using ChangeResourceRecordSets.
\n Change Propagation to Route 53 DNS Servers\n
\n\t\tWhen you submit a ChangeResourceRecordSets request, Route 53 propagates your changes to all of the \n\t\t\tRoute 53 authoritative DNS servers. While your changes are propagating, GetChange returns a status of \n\t\t\tPENDING. When propagation is complete, GetChange returns a status of INSYNC. \n\t\t\tChanges generally propagate to all Route 53 name servers within 60 seconds. For more information, see \n\t\t\tGetChange.
\n Limits on ChangeResourceRecordSets Requests\n
\n\t\tFor information about the limits on a ChangeResourceRecordSets request, see \n\t\t\tLimits in the \n\t\t\tAmazon Route 53 Developer Guide.
Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic \n\t\t\ton the internet for a domain, such as example.com, and its subdomains (apex.example.com, acme.example.com). You create records in a \n\t\t\tprivate hosted zone to define how you want to route traffic for a domain and its subdomains within one or more \n\t\t\tAmazon Virtual Private Clouds (Amazon VPCs).
\n\t\tYou can't convert a public hosted zone to a private hosted zone or vice versa. Instead, you must create a new hosted zone \n\t\t\t\twith the same name and create new resource record sets.
\n\t\tFor more information about charges for hosted zones, see Amazon Route 53 Pricing.
\n\t\tNote the following:
\n\t\tYou can't create a hosted zone for a top-level domain (TLD) such as .com.
\n\t\t\tFor public hosted zones, Route 53 automatically creates a default SOA record and four NS records for the zone. \n\t\t\t\t\tFor more information about SOA and NS records, see \n\t\t\t\t\tNS and SOA Records that Route 53 Creates for a Hosted Zone in the \n\t\t\t\t\tAmazon Route 53 Developer Guide.
\n\t\t\t\tIf you want to use the same name servers for multiple public hosted zones, you can optionally associate a reusable delegation set \n\t\t\t\t\twith the hosted zone. See the DelegationSetId element.
If your domain is registered with a registrar other than Route 53, you must update the name servers with your registrar to make \n\t\t\t\t\tRoute 53 the DNS service for the domain. For more information, see \n\t\t\t\t\tMigrating DNS Service for an Existing Domain to Amazon Route 53 in the \n\t\t\t\t\tAmazon Route 53 Developer Guide.
\n\t\t\tWhen you submit a CreateHostedZone request, the initial status of the hosted zone is PENDING. \n\t\t\tFor public hosted zones, this means that the NS and SOA records are not yet available on all Route 53 DNS servers. When the \n\t\t\tNS and SOA records are available, the status of the zone changes to INSYNC.
The CreateHostedZone request requires the caller to have an ec2:DescribeVpcs permission.
Creates a new public or private hosted zone. You create records in a public hosted zone to define how you want to route traffic \n\t\t\ton the internet for a domain, such as example.com, and its subdomains (apex.example.com, acme.example.com). You create records in a \n\t\t\tprivate hosted zone to define how you want to route traffic for a domain and its subdomains within one or more \n\t\t\tAmazon Virtual Private Clouds (Amazon VPCs).
\n\t\tYou can't convert a public hosted zone to a private hosted zone or vice versa. Instead, you must create a new hosted zone \n\t\t\t\twith the same name and create new resource record sets.
\n\t\tFor more information about charges for hosted zones, see Amazon Route 53 Pricing.
\n\t\tNote the following:
\n\t\tYou can't create a hosted zone for a top-level domain (TLD) such as .com.
\n\t\t\tFor public hosted zones, Route 53 automatically creates a default SOA record and four NS records for the zone. \n\t\t\t\t\tFor more information about SOA and NS records, see \n\t\t\t\t\tNS and SOA Records that Route 53 Creates for a Hosted Zone in the \n\t\t\t\t\tAmazon Route 53 Developer Guide.
\n\t\t\t\tIf you want to use the same name servers for multiple public hosted zones, you can optionally associate a reusable delegation set \n\t\t\t\t\twith the hosted zone. See the DelegationSetId element.
If your domain is registered with a registrar other than Route 53, you must update the name servers with your registrar to make \n\t\t\t\t\tRoute 53 the DNS service for the domain. For more information, see \n\t\t\t\t\tMigrating DNS Service for an Existing Domain to Amazon Route 53 in the \n\t\t\t\t\tAmazon Route 53 Developer Guide.
\n\t\t\tWhen you submit a CreateHostedZone request, the initial status of the hosted zone is PENDING. \n\t\t\tFor public hosted zones, this means that the NS and SOA records are not yet available on all Route 53 DNS servers. When the \n\t\t\tNS and SOA records are available, the status of the zone changes to INSYNC.
The CreateHostedZone request requires the caller to have an ec2:DescribeVpcs permission.
When creating private hosted zones, the Amazon VPC must belong to the same partition\n\t\t\t\twhere the hosted zone is created. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.
\n\t\t\tThe following are the supported partitions:
\n\t\t\t\n aws - Amazon Web Services Regions
\n aws-cn - China Regions
\n aws-us-gov - Amazon Web Services GovCloud (US) Region
For more information, see Access Management\n\t\t\t\tin the Amazon Web Services General Reference.
\nCreates a configuration for DNS query logging. After you create a query logging configuration, Amazon Route 53 begins to publish \n\t\t\tlog data to an Amazon CloudWatch Logs log group.
\n\t\tDNS query logs contain information about the queries that Route 53 receives for a specified public hosted zone, such as the following:
\n\t\tRoute 53 edge location that responded to the DNS query
\nDomain or subdomain that was requested
\nDNS record type, such as A or AAAA
\nDNS response code, such as NoError or ServFail\n
Before you create a query logging configuration, perform the following operations.
\n\t\t\t\t\tIf you create a query logging configuration using the Route 53 console, Route 53 performs these operations automatically.
\nCreate a CloudWatch Logs log group, and make note of the ARN, which you specify when you create a \n\t\t\t\t\t\t\tquery logging configuration. Note the following:
\n\t\t\t\t\t\t\tYou must create the log group in the us-east-1 region.
\nYou must use the same Amazon Web Services account to create the log group and the hosted zone that you want to \n\t\t\t\t\t\t\t\t\tconfigure query logging for.
\nWhen you create log groups for query logging, we recommend that you use a consistent prefix, for example:
\n\t\t\t\t\t\t\t\t\t\n /aws/route53/hosted zone name\n \n
In the next step, you'll create a resource policy, which controls access to one or more log groups and the associated \n\t\t\t\t\t\t\t\t\t\tAmazon Web Services resources, such as Route 53 hosted zones. There's a limit on the number of resource policies that you can create, so \n\t\t\t\t\t\t\t\t\t\twe recommend that you use a consistent prefix so you can use the same resource policy for all the log groups that you create \n\t\t\t\t\t\t\t\t\t\tfor query logging.
\n\t\t\t\t\t\t\t\tCreate a CloudWatch Logs resource policy, and give it the permissions that Route 53 needs to create log streams and to \n\t\t\t\t\t\t\tsend query logs to log streams. For the value of Resource, specify the ARN for the log group that you created \n\t\t\t\t\t\t\tin the previous step. To use the same resource policy for all the CloudWatch Logs log groups that you created for query logging configurations, \n\t\t\t\t\t\t\treplace the hosted zone name with *, for example:
\n arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/*\n
You can't use the CloudWatch console to create or edit a resource policy. You must use the CloudWatch API, one of the Amazon Web Services SDKs, \n\t\t\t\t\t\t\t\tor the CLI.
\nWhen Route 53 finishes creating the configuration for DNS query logging, it does the following:
\n\t\t\t\t\tCreates a log stream for an edge location the first time that the edge location responds to DNS queries for the \n\t\t\t\t\t\t\tspecified hosted zone. That log stream is used to log all queries that Route 53 responds to for that edge location.
\nBegins to send query logs to the applicable log stream.
\nThe name of each log stream is in the following format:
\n\t\t\t\t\t\n \n hosted zone ID/edge location code\n \n
The edge location code is a three-letter code and an arbitrarily assigned number, for example, DFW3. The three-letter code \n\t\t\t\t\t\ttypically corresponds with the International Air Transport Association airport code for an airport near the edge location. \n\t\t\t\t\t\t(These abbreviations might change in the future.) For a list of edge locations, see \"The Route 53 Global Network\" on the \n\t\t\t\t\t\tRoute 53 Product Details page.
\n\t\t\t\tQuery logs contain only the queries that DNS resolvers forward to Route 53. If a DNS resolver has already cached \n\t\t\t\t\tthe response to a query (such as the IP address for a load balancer for example.com), the resolver will continue to return \n\t\t\t\t\tthe cached response. It doesn't forward another query to Route 53 until the TTL for the corresponding resource record set expires. \n\t\t\t\t\tDepending on how many DNS queries are submitted for a resource record set, and depending on the TTL for that resource record set, \n\t\t\t\t\tquery logs might contain information about only one query out of every several thousand queries that are submitted to DNS. \n\t\t\t\t\tFor more information about how DNS works, see \n\t\t\t\t\tRouting Internet Traffic to Your Website or Web Application\n\t\t\t\t\tin the Amazon Route 53 Developer Guide.
\n\t\t\t\tFor a list of the values in each query log and the format of each value, see \n\t\t\t\t\tLogging DNS Queries in the \n\t\t\t\t\tAmazon Route 53 Developer Guide.
\n\t\t\t\tFor information about charges for query logs, see \n\t\t\t\t\tAmazon CloudWatch Pricing.
\nIf you want Route 53 to stop sending query logs to CloudWatch Logs, delete the query logging configuration. For more information, see \n\t\t\t\t\tDeleteQueryLoggingConfig.
\n\t\t\t\tCreates a configuration for DNS query logging. After you create a query logging configuration, Amazon Route 53 begins to publish \n\t\t\tlog data to an Amazon CloudWatch Logs log group.
\n\t\tDNS query logs contain information about the queries that Route 53 receives for a specified public hosted zone, such as the following:
\n\t\tRoute 53 edge location that responded to the DNS query
\nDomain or subdomain that was requested
\nDNS record type, such as A or AAAA
\nDNS response code, such as NoError or ServFail\n
Before you create a query logging configuration, perform the following operations.
\n\t\t\t\t\tIf you create a query logging configuration using the Route 53 console, Route 53 performs these operations automatically.
\nCreate a CloudWatch Logs log group, and make note of the ARN, which you specify when you create a \n\t\t\t\t\t\t\tquery logging configuration. Note the following:
\n\t\t\t\t\t\t\tYou must create the log group in the us-east-1 region.
\nYou must use the same Amazon Web Services account to create the log group and the hosted zone that you want to \n\t\t\t\t\t\t\t\t\tconfigure query logging for.
\nWhen you create log groups for query logging, we recommend that you use a consistent prefix, for example:
\n\t\t\t\t\t\t\t\t\t\n /aws/route53/hosted zone name\n \n
In the next step, you'll create a resource policy, which controls access to one or more log groups and the associated \n\t\t\t\t\t\t\t\t\t\tAmazon Web Services resources, such as Route 53 hosted zones. There's a limit on the number of resource policies that you can create, so \n\t\t\t\t\t\t\t\t\t\twe recommend that you use a consistent prefix so you can use the same resource policy for all the log groups that you create \n\t\t\t\t\t\t\t\t\t\tfor query logging.
\n\t\t\t\t\t\t\t\tCreate a CloudWatch Logs resource policy, and give it the permissions that Route 53 needs to create log streams and to \n\t\t\t\t\t\t\tsend query logs to log streams. For the value of Resource, specify the ARN for the log group that you created \n\t\t\t\t\t\t\tin the previous step. To use the same resource policy for all the CloudWatch Logs log groups that you created for query logging configurations, \n\t\t\t\t\t\t\treplace the hosted zone name with *, for example:
\n arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/*\n
To avoid the confused deputy problem, a security issue where an entity without a\n\t\t\t\t\t\t\t\tpermission for an action can coerce a more-privileged entity to\n\t\t\t\t\t\t\t\tperform it, you can optionally limit the permissions that a service\n\t\t\t\t\t\t\t\thas to a resource in a resource-based policy by supplying the\n\t\t\t\t\t\t\t\tfollowing values:
\n\t\t\t\t\t\t\tFor aws:SourceArn, supply the hosted zone ARN used in creating the query logging\n\t\t\t\t\t\t\t\t\t\tconfiguration. For example, aws:SourceArn:\n\t\t\t\t\t\t\t\t\t\t\tarn:aws:route53:::hostedzone/hosted zone\n\t\t\t\t\t\t\t\t\t\tID.
For aws:SourceAccount, supply the account ID for the account that creates the\n\t\t\t\t\t\t\t\t\t\tquery logging configuration. For example,\n\t\t\t\t\t\t\t\t\t\t\taws:SourceAccount:111111111111.
For more information, see The confused\n\t\t\t\t\t\t\t\t\tdeputy problem in the Amazon Web Services\n\t\t\t\t\t\t\t\t\tIAM User Guide.
\n\t\t\t\t\t\t\tYou can't use the CloudWatch console to create or edit a resource policy. You must use the CloudWatch API, one of the Amazon Web Services SDKs, \n\t\t\t\t\t\t\t\tor the CLI.
\nWhen Route 53 finishes creating the configuration for DNS query logging, it does the following:
\n\t\t\t\t\tCreates a log stream for an edge location the first time that the edge location responds to DNS queries for the \n\t\t\t\t\t\t\tspecified hosted zone. That log stream is used to log all queries that Route 53 responds to for that edge location.
\nBegins to send query logs to the applicable log stream.
\nThe name of each log stream is in the following format:
\n\t\t\t\t\t\n \n hosted zone ID/edge location code\n \n
The edge location code is a three-letter code and an arbitrarily assigned number, for example, DFW3. The three-letter code \n\t\t\t\t\t\ttypically corresponds with the International Air Transport Association airport code for an airport near the edge location. \n\t\t\t\t\t\t(These abbreviations might change in the future.) For a list of edge locations, see \"The Route 53 Global Network\" on the \n\t\t\t\t\t\tRoute 53 Product Details page.
\n\t\t\t\tQuery logs contain only the queries that DNS resolvers forward to Route 53. If a DNS resolver has already cached \n\t\t\t\t\tthe response to a query (such as the IP address for a load balancer for example.com), the resolver will continue to return \n\t\t\t\t\tthe cached response. It doesn't forward another query to Route 53 until the TTL for the corresponding resource record set expires. \n\t\t\t\t\tDepending on how many DNS queries are submitted for a resource record set, and depending on the TTL for that resource record set, \n\t\t\t\t\tquery logs might contain information about only one query out of every several thousand queries that are submitted to DNS. \n\t\t\t\t\tFor more information about how DNS works, see \n\t\t\t\t\tRouting Internet Traffic to Your Website or Web Application\n\t\t\t\t\tin the Amazon Route 53 Developer Guide.
\n\t\t\t\tFor a list of the values in each query log and the format of each value, see \n\t\t\t\t\tLogging DNS Queries in the \n\t\t\t\t\tAmazon Route 53 Developer Guide.
\n\t\t\t\tFor information about charges for query logs, see \n\t\t\t\t\tAmazon CloudWatch Pricing.
\nIf you want Route 53 to stop sending query logs to CloudWatch Logs, delete the query logging configuration. For more information, see \n\t\t\t\t\tDeleteQueryLoggingConfig.
\n\t\t\t\tDisassociates an Amazon Virtual Private Cloud (Amazon VPC) from an Amazon Route 53 private hosted zone. Note the following:
\n\t\tYou can't disassociate the last Amazon VPC from a private hosted zone.
\nYou can't convert a private hosted zone into a public hosted zone.
\nYou can submit a DisassociateVPCFromHostedZone request using either the account \n\t\t\t\tthat created the hosted zone or the account that created the Amazon VPC.
Some services, such as Cloud Map and Amazon Elastic File System (Amazon EFS) automatically create hosted zones and associate \n\t\t\t\tVPCs with the hosted zones. A service can create a hosted zone using your account or using its own account. \n\t\t\t\tYou can disassociate a VPC from a hosted zone only if the service created the hosted zone using your account.
\n\t\t\t\tWhen you run DisassociateVPCFromHostedZone, \n\t\t\t\t\tif the hosted zone has a value for OwningAccount, you can use DisassociateVPCFromHostedZone. \n\t\t\t\t\tIf the hosted zone has a value for OwningService, you can't use DisassociateVPCFromHostedZone.
Disassociates an Amazon Virtual Private Cloud (Amazon VPC) from an Amazon Route 53 private hosted zone. Note the following:
\n\t\tYou can't disassociate the last Amazon VPC from a private hosted zone.
\nYou can't convert a private hosted zone into a public hosted zone.
\nYou can submit a DisassociateVPCFromHostedZone request using either the account \n\t\t\t\tthat created the hosted zone or the account that created the Amazon VPC.
Some services, such as Cloud Map and Amazon Elastic File System (Amazon EFS) automatically create hosted zones and associate \n\t\t\t\tVPCs with the hosted zones. A service can create a hosted zone using your account or using its own account. \n\t\t\t\tYou can disassociate a VPC from a hosted zone only if the service created the hosted zone using your account.
\n\t\t\t\tWhen you run DisassociateVPCFromHostedZone, \n\t\t\t\t\tif the hosted zone has a value for OwningAccount, you can use DisassociateVPCFromHostedZone. \n\t\t\t\t\tIf the hosted zone has a value for OwningService, you can't use DisassociateVPCFromHostedZone.
When revoking access, the hosted zone and the Amazon VPC must belong to the same\n\t\t\t\tpartition. A partition is a group of Amazon Web Services Regions. Each Amazon Web Services account is scoped to one partition.
\n\t\t\tThe following are the supported partitions:
\n\t\t\t\n aws - Amazon Web Services Regions
\n aws-cn - China Regions
\n aws-us-gov - Amazon Web Services GovCloud (US) Region
For more information, see Access Management\n\t\t\t\tin the Amazon Web Services General Reference.
\nLists all the private hosted zones that a specified VPC is associated with, regardless of which Amazon Web Services account or Amazon Web Services service owns the \n\t\t\thosted zones. The HostedZoneOwner structure in the response contains one of the following values:
An OwningAccount element, which contains the account number of either the current Amazon Web Services account or \n\t\t\t\tanother Amazon Web Services account. Some services, such as Cloud Map, create hosted zones using the current account.
An OwningService element, which identifies the Amazon Web Services service that created and owns the hosted zone. \n\t\t\t\tFor example, if a hosted zone was created by Amazon Elastic File System (Amazon EFS), the value of Owner is \n\t\t\t\tefs.amazonaws.com.
Lists all the private hosted zones that a specified VPC is associated with, regardless of which Amazon Web Services account or Amazon Web Services service owns the \n\t\t\thosted zones. The HostedZoneOwner structure in the response contains one of the following values:
An OwningAccount element, which contains the account number of either the current Amazon Web Services account or \n\t\t\t\tanother Amazon Web Services account. Some services, such as Cloud Map, create hosted zones using the current account.
An OwningService element, which identifies the Amazon Web Services service that created and owns the hosted zone. \n\t\t\t\tFor example, if a hosted zone was created by Amazon Elastic File System (Amazon EFS), the value of Owner is \n\t\t\t\tefs.amazonaws.com.
When listing private hosted zones, the hosted zone and the Amazon VPC must belong to\n\t\t\t\tthe same partition where the hosted zones were created. A partition is a group of\n\t\t\t\t\tAmazon Web Services Regions. Each Amazon Web Services account is scoped to one\n\t\t\t\tpartition.
\n\t\t\tThe following are the supported partitions:
\n\t\t\t\n aws - Amazon Web Services Regions
\n aws-cn - China Regions
\n aws-us-gov - Amazon Web Services GovCloud (US) Region
For more information, see Access Management\n\t\t\t\tin the Amazon Web Services General Reference.
\nSpecifies whether Amazon S3 should use an S3 Bucket Key for object encryption with\n server-side encryption using Amazon Web Services KMS (SSE-KMS). Setting this header to true\n causes Amazon S3 to use an S3 Bucket Key for object encryption with SSE-KMS.
Specifying this header with an object action doesn’t affect\n bucket-level settings for S3 Bucket Key.
" } + }, + "ChecksumAlgorithm": { + "target": "com.amazonaws.s3control#S3ChecksumAlgorithm", + "traits": { + "smithy.api#documentation": "Indicates the algorithm you want Amazon S3 to use to create the checksum. For more information\n see \n Checking object integrity in the Amazon S3 User Guide.
" + } } }, "traits": { diff --git a/codegen/sdk-codegen/aws-models/transfer.2018-11-05.json b/codegen/sdk-codegen/aws-models/transfer.2018-11-05.json index 39b524615ac..7fa54319b31 100644 --- a/codegen/sdk-codegen/aws-models/transfer.2018-11-05.json +++ b/codegen/sdk-codegen/aws-models/transfer.2018-11-05.json @@ -2187,6 +2187,7 @@ "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", + "items": "Accesses", "pageSize": "MaxResults" } } @@ -2270,6 +2271,7 @@ "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", + "items": "Executions", "pageSize": "MaxResults" } } @@ -2350,6 +2352,7 @@ "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", + "items": "SecurityPolicyNames", "pageSize": "MaxResults" } } @@ -2416,6 +2419,7 @@ "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", + "items": "Servers", "pageSize": "MaxResults" } } @@ -2482,6 +2486,7 @@ "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", + "items": "Tags", "pageSize": "MaxResults" } } @@ -2563,6 +2568,7 @@ "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", + "items": "Users", "pageSize": "MaxResults" } } @@ -2643,6 +2649,7 @@ "smithy.api#paginated": { "inputToken": "NextToken", "outputToken": "NextToken", + "items": "Workflows", "pageSize": "MaxResults" } } diff --git a/service/autoscaling/api_op_CompleteLifecycleAction.go b/service/autoscaling/api_op_CompleteLifecycleAction.go index 798d6ff100f..332bfe18633 100644 --- a/service/autoscaling/api_op_CompleteLifecycleAction.go +++ b/service/autoscaling/api_op_CompleteLifecycleAction.go @@ -14,9 +14,13 @@ import ( // specified result. This step is a part of the procedure for adding a lifecycle // hook to an Auto Scaling group: // +// * (Optional) Create a launch template or launch +// configuration with a user data script that runs while an instance is in a wait +// state due to a lifecycle hook. +// // * (Optional) Create a Lambda function and a rule -// that allows Amazon EventBridge to invoke your Lambda function when Amazon EC2 -// Auto Scaling launches or terminates instances. +// that allows Amazon EventBridge to invoke your Lambda function when an instance +// is put into a wait state due to a lifecycle hook. // // * (Optional) Create a // notification target and an IAM role. The target can be either an Amazon SQS @@ -27,14 +31,14 @@ import ( // whether the hook is used when the instances launch or terminate. // // * If you need -// more time, record the lifecycle action heartbeat to keep the instance in a -// pending state. +// more time, record the lifecycle action heartbeat to keep the instance in a wait +// state. // -// * If you finish before the timeout period ends, send a callback -// by using the CompleteLifecycleAction API call. +// * If you finish before the timeout period ends, send a callback by using +// the CompleteLifecycleAction API call. // -// For more information, see Amazon -// EC2 Auto Scaling lifecycle hooks +// For more information, see Amazon EC2 Auto +// Scaling lifecycle hooks // (https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html) in // the Amazon EC2 Auto Scaling User Guide. func (c *Client) CompleteLifecycleAction(ctx context.Context, params *CompleteLifecycleActionInput, optFns ...func(*Options)) (*CompleteLifecycleActionOutput, error) { diff --git a/service/autoscaling/api_op_CreateAutoScalingGroup.go b/service/autoscaling/api_op_CreateAutoScalingGroup.go index 4c86d3e861e..ada69ec5f64 100644 --- a/service/autoscaling/api_op_CreateAutoScalingGroup.go +++ b/service/autoscaling/api_op_CreateAutoScalingGroup.go @@ -119,8 +119,8 @@ type CreateAutoScalingGroupInput struct { // marking it unhealthy due to a failed health check. The default value is 0. For // more information, see Health check grace period // (https://docs.aws.amazon.com/autoscaling/ec2/userguide/healthcheck.html#health-check-grace-period) - // in the Amazon EC2 Auto Scaling User Guide. Conditional: Required if you are - // adding an ELB health check. + // in the Amazon EC2 Auto Scaling User Guide. Required if you are adding an ELB + // health check. HealthCheckGracePeriod *int32 // The service to use for the health checks. The valid values are EC2 (default) and diff --git a/service/autoscaling/api_op_PutLifecycleHook.go b/service/autoscaling/api_op_PutLifecycleHook.go index 296825e166a..06aafad859a 100644 --- a/service/autoscaling/api_op_PutLifecycleHook.go +++ b/service/autoscaling/api_op_PutLifecycleHook.go @@ -10,15 +10,19 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Creates or updates a lifecycle hook for the specified Auto Scaling group. A -// lifecycle hook enables an Auto Scaling group to be aware of events in the Auto -// Scaling instance lifecycle, and then perform a custom action when the -// corresponding lifecycle event occurs. This step is a part of the procedure for -// adding a lifecycle hook to an Auto Scaling group: +// Creates or updates a lifecycle hook for the specified Auto Scaling group. +// Lifecycle hooks let you create solutions that are aware of events in the Auto +// Scaling instance lifecycle, and then perform a custom action on instances when +// the corresponding lifecycle event occurs. This step is a part of the procedure +// for adding a lifecycle hook to an Auto Scaling group: // -// * (Optional) Create a Lambda -// function and a rule that allows Amazon EventBridge to invoke your Lambda -// function when Amazon EC2 Auto Scaling launches or terminates instances. +// * (Optional) Create a +// launch template or launch configuration with a user data script that runs while +// an instance is in a wait state due to a lifecycle hook. +// +// * (Optional) Create a +// Lambda function and a rule that allows Amazon EventBridge to invoke your Lambda +// function when an instance is put into a wait state due to a lifecycle hook. // // * // (Optional) Create a notification target and an IAM role. The target can be @@ -30,14 +34,14 @@ import ( // terminate. // // * If you need more time, record the lifecycle action heartbeat to -// keep the instance in a pending state using the RecordLifecycleActionHeartbeat -// API call. +// keep the instance in a wait state using the RecordLifecycleActionHeartbeat API +// call. // -// * If you finish before the timeout period ends, send a callback by -// using the CompleteLifecycleAction API call. +// * If you finish before the timeout period ends, send a callback by using +// the CompleteLifecycleAction API call. // -// For more information, see Amazon -// EC2 Auto Scaling lifecycle hooks +// For more information, see Amazon EC2 Auto +// Scaling lifecycle hooks // (https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html) in // the Amazon EC2 Auto Scaling User Guide. If you exceed your maximum limit of // lifecycle hooks, which by default is 50 per Auto Scaling group, the call fails. @@ -112,9 +116,9 @@ type PutLifecycleHookInput struct { NotificationTargetARN *string // The ARN of the IAM role that allows the Auto Scaling group to publish to the - // specified notification target, for example, an Amazon SNS topic or an Amazon SQS - // queue. Required for new lifecycle hooks, but optional when updating existing - // hooks. + // specified notification target. Valid only if the notification target is an + // Amazon SNS topic or an Amazon SQS queue. Required for new lifecycle hooks, but + // optional when updating existing hooks. RoleARN *string noSmithyDocumentSerde diff --git a/service/autoscaling/api_op_PutWarmPool.go b/service/autoscaling/api_op_PutWarmPool.go index c62d26e6c51..c6d515bad4b 100644 --- a/service/autoscaling/api_op_PutWarmPool.go +++ b/service/autoscaling/api_op_PutWarmPool.go @@ -45,6 +45,11 @@ type PutWarmPoolInput struct { // This member is required. AutoScalingGroupName *string + // Indicates whether instances in the Auto Scaling group can be returned to the + // warm pool on scale in. The default is to terminate instances in the Auto Scaling + // group when the group scales in. + InstanceReusePolicy *types.InstanceReusePolicy + // Specifies the maximum number of instances that are allowed to be in the warm // pool or in any state except Terminated for the Auto Scaling group. This is an // optional property. Specify it only if you do not want the warm pool size to be diff --git a/service/autoscaling/api_op_RecordLifecycleActionHeartbeat.go b/service/autoscaling/api_op_RecordLifecycleActionHeartbeat.go index 44d47dbf03b..69090b40e5d 100644 --- a/service/autoscaling/api_op_RecordLifecycleActionHeartbeat.go +++ b/service/autoscaling/api_op_RecordLifecycleActionHeartbeat.go @@ -15,12 +15,16 @@ import ( // PutLifecycleHook API call. This step is a part of the procedure for adding a // lifecycle hook to an Auto Scaling group: // +// * (Optional) Create a launch template +// or launch configuration with a user data script that runs while an instance is +// in a wait state due to a lifecycle hook. +// // * (Optional) Create a Lambda function -// and a rule that allows Amazon EventBridge to invoke your Lambda function when -// Amazon EC2 Auto Scaling launches or terminates instances. +// and a rule that allows Amazon EventBridge to invoke your Lambda function when an +// instance is put into a wait state due to a lifecycle hook. // -// * (Optional) Create a -// notification target and an IAM role. The target can be either an Amazon SQS +// * (Optional) Create +// a notification target and an IAM role. The target can be either an Amazon SQS // queue or an Amazon SNS topic. The role allows Amazon EC2 Auto Scaling to publish // lifecycle notifications to the target. // @@ -28,14 +32,14 @@ import ( // whether the hook is used when the instances launch or terminate. // // * If you need -// more time, record the lifecycle action heartbeat to keep the instance in a -// pending state. +// more time, record the lifecycle action heartbeat to keep the instance in a wait +// state. // -// * If you finish before the timeout period ends, send a callback -// by using the CompleteLifecycleAction API call. +// * If you finish before the timeout period ends, send a callback by using +// the CompleteLifecycleAction API call. // -// For more information, see Amazon -// EC2 Auto Scaling lifecycle hooks +// For more information, see Amazon EC2 Auto +// Scaling lifecycle hooks // (https://docs.aws.amazon.com/autoscaling/ec2/userguide/lifecycle-hooks.html) in // the Amazon EC2 Auto Scaling User Guide. func (c *Client) RecordLifecycleActionHeartbeat(ctx context.Context, params *RecordLifecycleActionHeartbeatInput, optFns ...func(*Options)) (*RecordLifecycleActionHeartbeatOutput, error) { diff --git a/service/autoscaling/api_op_UpdateAutoScalingGroup.go b/service/autoscaling/api_op_UpdateAutoScalingGroup.go index c880f1f8d74..3c100806f8c 100644 --- a/service/autoscaling/api_op_UpdateAutoScalingGroup.go +++ b/service/autoscaling/api_op_UpdateAutoScalingGroup.go @@ -113,8 +113,8 @@ type UpdateAutoScalingGroupInput struct { // marking it unhealthy due to a failed health check. The default value is 0. For // more information, see Health check grace period // (https://docs.aws.amazon.com/autoscaling/ec2/userguide/healthcheck.html#health-check-grace-period) - // in the Amazon EC2 Auto Scaling User Guide. Conditional: Required if you are - // adding an ELB health check. + // in the Amazon EC2 Auto Scaling User Guide. Required if you are adding an ELB + // health check. HealthCheckGracePeriod *int32 // The service to use for the health checks. The valid values are EC2 and ELB. If diff --git a/service/autoscaling/deserializers.go b/service/autoscaling/deserializers.go index adfd6447b91..2dca85318fe 100644 --- a/service/autoscaling/deserializers.go +++ b/service/autoscaling/deserializers.go @@ -10557,6 +10557,58 @@ func awsAwsquery_deserializeDocumentInstanceRequirements(v **types.InstanceRequi return nil } +func awsAwsquery_deserializeDocumentInstanceReusePolicy(v **types.InstanceReusePolicy, decoder smithyxml.NodeDecoder) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + var sv *types.InstanceReusePolicy + if *v == nil { + sv = &types.InstanceReusePolicy{} + } else { + sv = *v + } + + for { + t, done, err := decoder.Token() + if err != nil { + return err + } + if done { + break + } + originalDecoder := decoder + decoder = smithyxml.WrapNodeDecoder(originalDecoder.Decoder, t) + switch { + case strings.EqualFold("ReuseOnScaleIn", t.Name.Local): + val, err := decoder.Value() + if err != nil { + return err + } + if val == nil { + break + } + { + xtv, err := strconv.ParseBool(string(val)) + if err != nil { + return fmt.Errorf("expected ReuseOnScaleIn to be of type *bool, got %T instead", val) + } + sv.ReuseOnScaleIn = ptr.Bool(xtv) + } + + default: + // Do nothing and ignore the unexpected tag element + err = decoder.Decoder.Skip() + if err != nil { + return err + } + + } + decoder = originalDecoder + } + *v = sv + return nil +} + func awsAwsquery_deserializeDocumentInstances(v *[]types.Instance, decoder smithyxml.NodeDecoder) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) @@ -16039,6 +16091,12 @@ func awsAwsquery_deserializeDocumentWarmPoolConfiguration(v **types.WarmPoolConf originalDecoder := decoder decoder = smithyxml.WrapNodeDecoder(originalDecoder.Decoder, t) switch { + case strings.EqualFold("InstanceReusePolicy", t.Name.Local): + nodeDecoder := smithyxml.WrapNodeDecoder(decoder.Decoder, t) + if err := awsAwsquery_deserializeDocumentInstanceReusePolicy(&sv.InstanceReusePolicy, nodeDecoder); err != nil { + return err + } + case strings.EqualFold("MaxGroupPreparedCapacity", t.Name.Local): val, err := decoder.Value() if err != nil { diff --git a/service/autoscaling/serializers.go b/service/autoscaling/serializers.go index 5a65e131513..d7a0f3108ba 100644 --- a/service/autoscaling/serializers.go +++ b/service/autoscaling/serializers.go @@ -4476,6 +4476,18 @@ func awsAwsquery_serializeDocumentInstanceRequirements(v *types.InstanceRequirem return nil } +func awsAwsquery_serializeDocumentInstanceReusePolicy(v *types.InstanceReusePolicy, value query.Value) error { + object := value.Object() + _ = object + + if v.ReuseOnScaleIn != nil { + objectKey := object.Key("ReuseOnScaleIn") + objectKey.Boolean(*v.ReuseOnScaleIn) + } + + return nil +} + func awsAwsquery_serializeDocumentInstancesDistribution(v *types.InstancesDistribution, value query.Value) error { object := value.Object() _ = object @@ -6935,6 +6947,13 @@ func awsAwsquery_serializeOpDocumentPutWarmPoolInput(v *PutWarmPoolInput, value objectKey.String(*v.AutoScalingGroupName) } + if v.InstanceReusePolicy != nil { + objectKey := object.Key("InstanceReusePolicy") + if err := awsAwsquery_serializeDocumentInstanceReusePolicy(v.InstanceReusePolicy, objectKey); err != nil { + return err + } + } + if v.MaxGroupPreparedCapacity != nil { objectKey := object.Key("MaxGroupPreparedCapacity") objectKey.Integer(*v.MaxGroupPreparedCapacity) diff --git a/service/autoscaling/types/enums.go b/service/autoscaling/types/enums.go index a2ce6018f8c..dc363306fb6 100644 --- a/service/autoscaling/types/enums.go +++ b/service/autoscaling/types/enums.go @@ -240,6 +240,7 @@ const ( LifecycleStateWarmedTerminated LifecycleState = "Warmed:Terminated" LifecycleStateWarmedStopped LifecycleState = "Warmed:Stopped" LifecycleStateWarmedRunning LifecycleState = "Warmed:Running" + LifecycleStateWarmedHibernated LifecycleState = "Warmed:Hibernated" ) // Values returns all known values for LifecycleState. Note that this can be @@ -269,6 +270,7 @@ func (LifecycleState) Values() []LifecycleState { "Warmed:Terminated", "Warmed:Stopped", "Warmed:Running", + "Warmed:Hibernated", } } @@ -517,8 +519,9 @@ type WarmPoolState string // Enum values for WarmPoolState const ( - WarmPoolStateStopped WarmPoolState = "Stopped" - WarmPoolStateRunning WarmPoolState = "Running" + WarmPoolStateStopped WarmPoolState = "Stopped" + WarmPoolStateRunning WarmPoolState = "Running" + WarmPoolStateHibernated WarmPoolState = "Hibernated" ) // Values returns all known values for WarmPoolState. Note that this can be @@ -528,6 +531,7 @@ func (WarmPoolState) Values() []WarmPoolState { return []WarmPoolState{ "Stopped", "Running", + "Hibernated", } } diff --git a/service/autoscaling/types/types.go b/service/autoscaling/types/types.go index 9eea486b360..0652557da6d 100644 --- a/service/autoscaling/types/types.go +++ b/service/autoscaling/types/types.go @@ -1033,7 +1033,10 @@ type InstanceRequirements struct { // EC2 Auto Scaling selects instance types with your attributes, we will exclude // instance types whose price is higher than your threshold. The parameter accepts // an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn - // off price protection, specify a high value, such as 999999. Default: 20 + // off price protection, specify a high value, such as 999999. If you set + // DesiredCapacityType to vcpu or memory-mib, the price protection threshold is + // applied based on the per vCPU or per memory price instead of the per instance + // price. Default: 20 OnDemandMaxPricePercentageOverLowestPrice *int32 // Indicates whether instance types must provide On-Demand Instance hibernation @@ -1046,7 +1049,10 @@ type InstanceRequirements struct { // Scaling selects instance types with your attributes, we will exclude instance // types whose price is higher than your threshold. The parameter accepts an // integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off - // price protection, specify a high value, such as 999999. Default: 100 + // price protection, specify a high value, such as 999999. If you set + // DesiredCapacityType to vcpu or memory-mib, the price protection threshold is + // applied based on the per vCPU or per memory price instead of the per instance + // price. Default: 100 SpotMaxPricePercentageOverLowestPrice *int32 // The minimum and maximum total local storage size for an instance type, in GB. @@ -1056,6 +1062,19 @@ type InstanceRequirements struct { noSmithyDocumentSerde } +// Describes an instance reuse policy for a warm pool. For more information, see +// Warm pools for Amazon EC2 Auto Scaling +// (https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-warm-pools.html) +// in the Amazon EC2 Auto Scaling User Guide. +type InstanceReusePolicy struct { + + // Specifies whether instances in the Auto Scaling group can be returned to the + // warm pool on scale in. + ReuseOnScaleIn *bool + + noSmithyDocumentSerde +} + // Describes an instances distribution for an Auto Scaling group. type InstancesDistribution struct { @@ -1286,12 +1305,11 @@ type LaunchTemplateOverrides struct { // Amazon Elastic Compute Cloud User Guide. InstanceType *string - // Provides the launch template to be used when launching the instance type - // specified in InstanceType. For example, some instance types might require a - // launch template with a different AMI. If not provided, Amazon EC2 Auto Scaling - // uses the launch template that's defined for your mixed instances policy. For - // more information, see Specifying a different launch template for an instance - // type + // Provides a launch template for the specified instance type or instance + // requirements. For example, some instance types might require a launch template + // with a different AMI. If not provided, Amazon EC2 Auto Scaling uses the launch + // template that's defined for your mixed instances policy. For more information, + // see Specifying a different launch template for an instance type // (https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups-launch-template-overrides.html) // in the Amazon EC2 Auto Scaling User Guide. LaunchTemplateSpecification *LaunchTemplateSpecification @@ -1304,9 +1322,9 @@ type LaunchTemplateOverrides struct { // if this results in an overage. For example, if there are two units remaining to // fulfill capacity, and Amazon EC2 Auto Scaling can only launch an instance with a // WeightedCapacity of five units, the instance is launched, and the desired - // capacity is exceeded by three units. For more information, see Instance - // weighting for Amazon EC2 Auto Scaling - // (https://docs.aws.amazon.com/ec2-auto-scaling-mixed-instances-groups-instance-weighting.html) + // capacity is exceeded by three units. For more information, see Configuring + // instance weighting for Amazon EC2 Auto Scaling + // (https://docs.aws.amazon.com/autoscaling/ec2/userguide/ec2-auto-scaling-mixed-instances-groups-instance-weighting.html) // in the Amazon EC2 Auto Scaling User Guide. Value must be in the range of 1–999. WeightedCapacity *string @@ -1355,9 +1373,9 @@ type LaunchTemplateSpecification struct { noSmithyDocumentSerde } -// Describes a lifecycle hook, which enables an Auto Scaling group to be aware of -// events in the Auto Scaling instance lifecycle, and then perform a custom action -// when the corresponding lifecycle event occurs. +// Describes a lifecycle hook. A lifecycle hook lets you create solutions that are +// aware of events in the Auto Scaling instance lifecycle, and then perform a +// custom action on instances when the corresponding lifecycle event occurs. type LifecycleHook struct { // The name of the Auto Scaling group for the lifecycle hook. @@ -1400,7 +1418,7 @@ type LifecycleHook struct { NotificationTargetARN *string // The ARN of the IAM role that allows the Auto Scaling group to publish to the - // specified notification target. + // specified notification target (an Amazon SNS topic or an Amazon SQS queue). RoleARN *string noSmithyDocumentSerde @@ -1449,8 +1467,9 @@ type LifecycleHookSpecification struct { NotificationTargetARN *string // The ARN of the IAM role that allows the Auto Scaling group to publish to the - // specified notification target, for example, an Amazon SNS topic or an Amazon SQS - // queue. + // specified notification target. Valid only if the notification target is an + // Amazon SNS topic or an Amazon SQS queue. Required for new lifecycle hooks, but + // optional when updating existing hooks. RoleARN *string noSmithyDocumentSerde @@ -1827,15 +1846,15 @@ type PredefinedMetricSpecification struct { // ASGAverageCPUUtilization - Average CPU utilization of the Auto Scaling group. // // * - // ASGAverageNetworkIn - Average number of bytes received on all network interfaces - // by the Auto Scaling group. + // ASGAverageNetworkIn - Average number of bytes received (per instance per minute) + // for the Auto Scaling group. // // * ASGAverageNetworkOut - Average number of bytes - // sent out on all network interfaces by the Auto Scaling group. + // sent out (per instance per minute) for the Auto Scaling group. // // * - // ALBRequestCountPerTarget - Number of requests completed per target in an - // Application Load Balancer target group. + // ALBRequestCountPerTarget - Average Application Load Balancer request count (per + // target per minute) for your Auto Scaling group. // // This member is required. PredefinedMetricType MetricType @@ -2521,7 +2540,11 @@ type TagDescription struct { // Auto Scaling. type TargetTrackingConfiguration struct { - // The target value for the metric. + // The target value for the metric. Some metrics are based on a count instead of a + // percentage, such as the request count for an Application Load Balancer or the + // number of messages in an SQS queue. If the scaling policy specifies one of these + // metrics, specify the target utilization as the optimal average request or + // message count per instance during any one-minute interval. // // This member is required. TargetValue *float64 @@ -2574,6 +2597,9 @@ type VCpuCountRequest struct { // Describes a warm pool configuration. type WarmPoolConfiguration struct { + // The instance reuse policy. + InstanceReusePolicy *InstanceReusePolicy + // The maximum number of instances that are allowed to be in the warm pool or in // any state except Terminated for the Auto Scaling group. MaxGroupPreparedCapacity *int32 diff --git a/service/databrew/deserializers.go b/service/databrew/deserializers.go index c671c12372d..5459759c653 100644 --- a/service/databrew/deserializers.go +++ b/service/databrew/deserializers.go @@ -10216,6 +10216,19 @@ func awsRestjson1_deserializeDocumentOutput(v **types.Output, value interface{}) return err } + case "MaxOutputFiles": + if value != nil { + jtv, ok := value.(json.Number) + if !ok { + return fmt.Errorf("expected MaxOutputFiles to be json.Number, got %T instead", value) + } + i64, err := jtv.Int64() + if err != nil { + return err + } + sv.MaxOutputFiles = ptr.Int32(int32(i64)) + } + case "Overwrite": if value != nil { jtv, ok := value.(bool) diff --git a/service/databrew/serializers.go b/service/databrew/serializers.go index 0abb150e18c..36f394744df 100644 --- a/service/databrew/serializers.go +++ b/service/databrew/serializers.go @@ -4085,6 +4085,11 @@ func awsRestjson1_serializeDocumentOutput(v *types.Output, value smithyjson.Valu } } + if v.MaxOutputFiles != nil { + ok := object.Key("MaxOutputFiles") + ok.Integer(*v.MaxOutputFiles) + } + if v.Overwrite { ok := object.Key("Overwrite") ok.Boolean(v.Overwrite) diff --git a/service/databrew/types/types.go b/service/databrew/types/types.go index 24fc72acb79..97fd1eebb28 100644 --- a/service/databrew/types/types.go +++ b/service/databrew/types/types.go @@ -720,6 +720,11 @@ type Output struct { // Represents options that define how DataBrew formats job output files. FormatOptions *OutputFormatOptions + // Maximum number of files to be generated by the job and written to the output + // folder. For output partitioned by column(s), the MaxOutputFiles value is the + // maximum number of files per partition. + MaxOutputFiles *int32 + // A value that, if true, means that any data in the location specified for output // is overwritten with new output. Overwrite bool diff --git a/service/fms/deserializers.go b/service/fms/deserializers.go index 5b01712646c..589b45b0f23 100644 --- a/service/fms/deserializers.go +++ b/service/fms/deserializers.go @@ -3716,6 +3716,11 @@ func awsAwsjson11_deserializeDocumentComplianceViolator(v **types.ComplianceViol for key, value := range shape { switch key { + case "Metadata": + if err := awsAwsjson11_deserializeDocumentComplianceViolatorMetadata(&sv.Metadata, value); err != nil { + return err + } + case "ResourceId": if value != nil { jtv, ok := value.(string) @@ -3752,6 +3757,42 @@ func awsAwsjson11_deserializeDocumentComplianceViolator(v **types.ComplianceViol return nil } +func awsAwsjson11_deserializeDocumentComplianceViolatorMetadata(v *map[string]string, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var mv map[string]string + if *v == nil { + mv = map[string]string{} + } else { + mv = *v + } + + for key, value := range shape { + var parsedVal string + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected LengthBoundedString to be of type string, got %T instead", value) + } + parsedVal = jtv + } + mv[key] = parsedVal + + } + *v = mv + return nil +} + func awsAwsjson11_deserializeDocumentComplianceViolators(v *[]types.ComplianceViolator, value interface{}) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) @@ -4721,6 +4762,131 @@ func awsAwsjson11_deserializeDocumentExpectedRoutes(v *[]types.ExpectedRoute, va return nil } +func awsAwsjson11_deserializeDocumentFirewallSubnetIsOutOfScopeViolation(v **types.FirewallSubnetIsOutOfScopeViolation, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var sv *types.FirewallSubnetIsOutOfScopeViolation + if *v == nil { + sv = &types.FirewallSubnetIsOutOfScopeViolation{} + } else { + sv = *v + } + + for key, value := range shape { + switch key { + case "FirewallSubnetId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ResourceId to be of type string, got %T instead", value) + } + sv.FirewallSubnetId = ptr.String(jtv) + } + + case "SubnetAvailabilityZone": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected LengthBoundedString to be of type string, got %T instead", value) + } + sv.SubnetAvailabilityZone = ptr.String(jtv) + } + + case "SubnetAvailabilityZoneId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected LengthBoundedString to be of type string, got %T instead", value) + } + sv.SubnetAvailabilityZoneId = ptr.String(jtv) + } + + case "VpcEndpointId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ResourceId to be of type string, got %T instead", value) + } + sv.VpcEndpointId = ptr.String(jtv) + } + + case "VpcId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ResourceId to be of type string, got %T instead", value) + } + sv.VpcId = ptr.String(jtv) + } + + default: + _, _ = key, value + + } + } + *v = sv + return nil +} + +func awsAwsjson11_deserializeDocumentFMSPolicyUpdateFirewallCreationConfigAction(v **types.FMSPolicyUpdateFirewallCreationConfigAction, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var sv *types.FMSPolicyUpdateFirewallCreationConfigAction + if *v == nil { + sv = &types.FMSPolicyUpdateFirewallCreationConfigAction{} + } else { + sv = *v + } + + for key, value := range shape { + switch key { + case "Description": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected LengthBoundedString to be of type string, got %T instead", value) + } + sv.Description = ptr.String(jtv) + } + + case "FirewallCreationConfig": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ManagedServiceData to be of type string, got %T instead", value) + } + sv.FirewallCreationConfig = ptr.String(jtv) + } + + default: + _, _ = key, value + + } + } + *v = sv + return nil +} + func awsAwsjson11_deserializeDocumentInternalErrorException(v **types.InternalErrorException, value interface{}) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) @@ -5689,6 +5855,46 @@ func awsAwsjson11_deserializeDocumentNetworkFirewallMissingSubnetViolation(v **t return nil } +func awsAwsjson11_deserializeDocumentNetworkFirewallPolicy(v **types.NetworkFirewallPolicy, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var sv *types.NetworkFirewallPolicy + if *v == nil { + sv = &types.NetworkFirewallPolicy{} + } else { + sv = *v + } + + for key, value := range shape { + switch key { + case "FirewallDeploymentModel": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected FirewallDeploymentModel to be of type string, got %T instead", value) + } + sv.FirewallDeploymentModel = types.FirewallDeploymentModel(jtv) + } + + default: + _, _ = key, value + + } + } + *v = sv + return nil +} + func awsAwsjson11_deserializeDocumentNetworkFirewallPolicyDescription(v **types.NetworkFirewallPolicyDescription, value interface{}) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) @@ -6382,6 +6588,42 @@ func awsAwsjson11_deserializeDocumentPolicyComplianceStatusList(v *[]types.Polic return nil } +func awsAwsjson11_deserializeDocumentPolicyOption(v **types.PolicyOption, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var sv *types.PolicyOption + if *v == nil { + sv = &types.PolicyOption{} + } else { + sv = *v + } + + for key, value := range shape { + switch key { + case "NetworkFirewallPolicy": + if err := awsAwsjson11_deserializeDocumentNetworkFirewallPolicy(&sv.NetworkFirewallPolicy, value); err != nil { + return err + } + + default: + _, _ = key, value + + } + } + *v = sv + return nil +} + func awsAwsjson11_deserializeDocumentPolicySummary(v **types.PolicySummary, value interface{}) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) @@ -7010,6 +7252,11 @@ func awsAwsjson11_deserializeDocumentRemediationAction(v **types.RemediationActi return err } + case "FMSPolicyUpdateFirewallCreationConfigAction": + if err := awsAwsjson11_deserializeDocumentFMSPolicyUpdateFirewallCreationConfigAction(&sv.FMSPolicyUpdateFirewallCreationConfigAction, value); err != nil { + return err + } + default: _, _ = key, value @@ -7315,6 +7562,11 @@ func awsAwsjson11_deserializeDocumentResourceViolation(v **types.ResourceViolati return err } + case "FirewallSubnetIsOutOfScopeViolation": + if err := awsAwsjson11_deserializeDocumentFirewallSubnetIsOutOfScopeViolation(&sv.FirewallSubnetIsOutOfScopeViolation, value); err != nil { + return err + } + case "NetworkFirewallBlackHoleRouteDetectedViolation": if err := awsAwsjson11_deserializeDocumentNetworkFirewallBlackHoleRouteDetectedViolation(&sv.NetworkFirewallBlackHoleRouteDetectedViolation, value); err != nil { return err @@ -7370,6 +7622,11 @@ func awsAwsjson11_deserializeDocumentResourceViolation(v **types.ResourceViolati return err } + case "RouteHasOutOfScopeEndpointViolation": + if err := awsAwsjson11_deserializeDocumentRouteHasOutOfScopeEndpointViolation(&sv.RouteHasOutOfScopeEndpointViolation, value); err != nil { + return err + } + default: _, _ = key, value @@ -7480,6 +7737,133 @@ func awsAwsjson11_deserializeDocumentRoute(v **types.Route, value interface{}) e return nil } +func awsAwsjson11_deserializeDocumentRouteHasOutOfScopeEndpointViolation(v **types.RouteHasOutOfScopeEndpointViolation, value interface{}) error { + if v == nil { + return fmt.Errorf("unexpected nil of type %T", v) + } + if value == nil { + return nil + } + + shape, ok := value.(map[string]interface{}) + if !ok { + return fmt.Errorf("unexpected JSON type %v", value) + } + + var sv *types.RouteHasOutOfScopeEndpointViolation + if *v == nil { + sv = &types.RouteHasOutOfScopeEndpointViolation{} + } else { + sv = *v + } + + for key, value := range shape { + switch key { + case "CurrentFirewallSubnetRouteTable": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ResourceId to be of type string, got %T instead", value) + } + sv.CurrentFirewallSubnetRouteTable = ptr.String(jtv) + } + + case "CurrentInternetGatewayRouteTable": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ResourceId to be of type string, got %T instead", value) + } + sv.CurrentInternetGatewayRouteTable = ptr.String(jtv) + } + + case "FirewallSubnetId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ResourceId to be of type string, got %T instead", value) + } + sv.FirewallSubnetId = ptr.String(jtv) + } + + case "FirewallSubnetRoutes": + if err := awsAwsjson11_deserializeDocumentRoutes(&sv.FirewallSubnetRoutes, value); err != nil { + return err + } + + case "InternetGatewayId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ResourceId to be of type string, got %T instead", value) + } + sv.InternetGatewayId = ptr.String(jtv) + } + + case "InternetGatewayRoutes": + if err := awsAwsjson11_deserializeDocumentRoutes(&sv.InternetGatewayRoutes, value); err != nil { + return err + } + + case "RouteTableId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ResourceId to be of type string, got %T instead", value) + } + sv.RouteTableId = ptr.String(jtv) + } + + case "SubnetAvailabilityZone": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected LengthBoundedString to be of type string, got %T instead", value) + } + sv.SubnetAvailabilityZone = ptr.String(jtv) + } + + case "SubnetAvailabilityZoneId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected LengthBoundedString to be of type string, got %T instead", value) + } + sv.SubnetAvailabilityZoneId = ptr.String(jtv) + } + + case "SubnetId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ResourceId to be of type string, got %T instead", value) + } + sv.SubnetId = ptr.String(jtv) + } + + case "ViolatingRoutes": + if err := awsAwsjson11_deserializeDocumentRoutes(&sv.ViolatingRoutes, value); err != nil { + return err + } + + case "VpcId": + if value != nil { + jtv, ok := value.(string) + if !ok { + return fmt.Errorf("expected ResourceId to be of type string, got %T instead", value) + } + sv.VpcId = ptr.String(jtv) + } + + default: + _, _ = key, value + + } + } + *v = sv + return nil +} + func awsAwsjson11_deserializeDocumentRoutes(v *[]types.Route, value interface{}) error { if v == nil { return fmt.Errorf("unexpected nil of type %T", v) @@ -7735,6 +8119,11 @@ func awsAwsjson11_deserializeDocumentSecurityServicePolicyData(v **types.Securit sv.ManagedServiceData = ptr.String(jtv) } + case "PolicyOption": + if err := awsAwsjson11_deserializeDocumentPolicyOption(&sv.PolicyOption, value); err != nil { + return err + } + case "Type": if value != nil { jtv, ok := value.(string) diff --git a/service/fms/serializers.go b/service/fms/serializers.go index 77354698b63..7d407c3383b 100644 --- a/service/fms/serializers.go +++ b/service/fms/serializers.go @@ -1553,6 +1553,18 @@ func awsAwsjson11_serializeDocumentCustomerPolicyScopeMap(v map[string][]string, return nil } +func awsAwsjson11_serializeDocumentNetworkFirewallPolicy(v *types.NetworkFirewallPolicy, value smithyjson.Value) error { + object := value.Object() + defer object.Close() + + if len(v.FirewallDeploymentModel) > 0 { + ok := object.Key("FirewallDeploymentModel") + ok.String(string(v.FirewallDeploymentModel)) + } + + return nil +} + func awsAwsjson11_serializeDocumentPolicy(v *types.Policy, value smithyjson.Value) error { object := value.Object() defer object.Close() @@ -1630,6 +1642,20 @@ func awsAwsjson11_serializeDocumentPolicy(v *types.Policy, value smithyjson.Valu return nil } +func awsAwsjson11_serializeDocumentPolicyOption(v *types.PolicyOption, value smithyjson.Value) error { + object := value.Object() + defer object.Close() + + if v.NetworkFirewallPolicy != nil { + ok := object.Key("NetworkFirewallPolicy") + if err := awsAwsjson11_serializeDocumentNetworkFirewallPolicy(v.NetworkFirewallPolicy, ok); err != nil { + return err + } + } + + return nil +} + func awsAwsjson11_serializeDocumentPreviousAppsList(v map[string][]types.App, value smithyjson.Value) error { object := value.Object() defer object.Close() @@ -1769,6 +1795,13 @@ func awsAwsjson11_serializeDocumentSecurityServicePolicyData(v *types.SecuritySe ok.String(*v.ManagedServiceData) } + if v.PolicyOption != nil { + ok := object.Key("PolicyOption") + if err := awsAwsjson11_serializeDocumentPolicyOption(v.PolicyOption, ok); err != nil { + return err + } + } + if len(v.Type) > 0 { ok := object.Key("Type") ok.String(string(v.Type)) diff --git a/service/fms/types/enums.go b/service/fms/types/enums.go index 6da4cdc761f..5b6d2081462 100644 --- a/service/fms/types/enums.go +++ b/service/fms/types/enums.go @@ -86,6 +86,22 @@ func (DestinationType) Values() []DestinationType { } } +type FirewallDeploymentModel string + +// Enum values for FirewallDeploymentModel +const ( + FirewallDeploymentModelCentralized FirewallDeploymentModel = "CENTRALIZED" +) + +// Values returns all known values for FirewallDeploymentModel. Note that this can +// be expanded in the future, and so it is only as up to date as the client. The +// ordering of this slice is not guaranteed to be stable across updates. +func (FirewallDeploymentModel) Values() []FirewallDeploymentModel { + return []FirewallDeploymentModel{ + "CENTRALIZED", + } +} + type PolicyComplianceStatusType string // Enum values for PolicyComplianceStatusType @@ -215,6 +231,8 @@ const ( ViolationReasonBlackHoleRouteDetected ViolationReason = "BLACK_HOLE_ROUTE_DETECTED" ViolationReasonBlackHoleRouteDetectedInFirewallSubnet ViolationReason = "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET" ViolationReasonResourceMissingDnsFirewall ViolationReason = "RESOURCE_MISSING_DNS_FIREWALL" + ViolationReasonFirewallSubnetIsOutOfScope ViolationReason = "FIREWALL_SUBNET_IS_OUT_OF_SCOPE" + ViolationReasonRouteHasOutOfScopeEndpoint ViolationReason = "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT" ) // Values returns all known values for ViolationReason. Note that this can be @@ -247,5 +265,7 @@ func (ViolationReason) Values() []ViolationReason { "BLACK_HOLE_ROUTE_DETECTED", "BLACK_HOLE_ROUTE_DETECTED_IN_FIREWALL_SUBNET", "RESOURCE_MISSING_DNS_FIREWALL", + "FIREWALL_SUBNET_IS_OUT_OF_SCOPE", + "ROUTE_HAS_OUT_OF_SCOPE_ENDPOINT", } } diff --git a/service/fms/types/types.go b/service/fms/types/types.go index 5a536d326e2..7f4e3d16b6f 100644 --- a/service/fms/types/types.go +++ b/service/fms/types/types.go @@ -141,6 +141,9 @@ type AwsVPCSecurityGroupViolation struct { // Details of the resource that is not protected by the policy. type ComplianceViolator struct { + // Metadata about the resource that doesn't comply with the policy scope. + Metadata map[string]string + // The resource ID. ResourceId *string @@ -426,6 +429,45 @@ type ExpectedRoute struct { noSmithyDocumentSerde } +// Contains details about the firewall subnet that violates the policy scope. +type FirewallSubnetIsOutOfScopeViolation struct { + + // The ID of the firewall subnet that violates the policy scope. + FirewallSubnetId *string + + // The Availability Zone of the firewall subnet that violates the policy scope. + SubnetAvailabilityZone *string + + // The Availability Zone ID of the firewall subnet that violates the policy scope. + SubnetAvailabilityZoneId *string + + // The VPC endpoint ID of the firewall subnet that violates the policy scope. + VpcEndpointId *string + + // The VPC ID of the firewall subnet that violates the policy scope. + VpcId *string + + noSmithyDocumentSerde +} + +// Contains information about the actions that you can take to remediate scope +// violations caused by your policy's FirewallCreationConfig. +// FirewallCreationConfig is an optional configuration that you can use to choose +// which Availability Zones Firewall Manager creates Network Firewall endpoints in. +type FMSPolicyUpdateFirewallCreationConfigAction struct { + + // Describes the remedial action. + Description *string + + // A FirewallCreationConfig that you can copy into your current policy's + // SecurityServiceData + // (https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_SecurityServicePolicyData.html) + // in order to remedy scope violations. + FirewallCreationConfig *string + + noSmithyDocumentSerde +} + // Violation detail for an internet gateway route with an inactive state in the // customer subnet route table or Network Firewall subnet route table. type NetworkFirewallBlackHoleRouteDetectedViolation struct { @@ -629,6 +671,22 @@ type NetworkFirewallMissingSubnetViolation struct { noSmithyDocumentSerde } +// Configures the firewall policy deployment model of Network Firewall. For +// information about Network Firewall deployment models, see Network Firewall +// example architectures with routing +// (https://docs.aws.amazon.com/network-firewall/latest/developerguide/architectures.html) +// in the Network Firewall Developer Guide. +type NetworkFirewallPolicy struct { + + // Defines the deployment model to use for the firewall policy. To use a + // distributed model, set PolicyOption + // (https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html) + // to NULL. + FirewallDeploymentModel FirewallDeploymentModel + + noSmithyDocumentSerde +} + // The definition of the Network Firewall firewall policy. type NetworkFirewallPolicyDescription struct { @@ -731,6 +789,8 @@ type Policy struct { // If set to True, resources with the tags that are specified in the ResourceTag // array are not in scope of the policy. If set to False, and the ResourceTag array // is not null, only resources with the specified tags are in scope of the policy. + // This option isn't available for the centralized deployment model when creating + // policies to configure Network Firewall. // // This member is required. ExcludeResourceTags bool @@ -800,6 +860,9 @@ type Policy struct { // together in a single map, separated with a comma. For example, the following is // a valid map: {“ACCOUNT” : [“accountID1”, “accountID2”], “ORG_UNIT” : [“ouid111”, // “ouid112”]}. + // + // This option isn't available for the centralized deployment model + // when creating policies to configure Network Firewall. ExcludeMap map[string][]string // Specifies the Amazon Web Services account IDs and Organizations organizational @@ -824,6 +887,9 @@ type Policy struct { // together in a single map, separated with a comma. For example, the following is // a valid map: {“ACCOUNT” : [“accountID1”, “accountID2”], “ORG_UNIT” : [“ouid111”, // “ouid112”]}. + // + // This option isn't available for the centralized deployment model + // when creating policies to configure Network Firewall. IncludeMap map[string][]string // The ID of the Firewall Manager policy. @@ -909,6 +975,16 @@ type PolicyComplianceStatus struct { noSmithyDocumentSerde } +// Contains the Network Firewall firewall policy options to configure a centralized +// deployment model. +type PolicyOption struct { + + // Defines the deployment model to use for the firewall policy. + NetworkFirewallPolicy *NetworkFirewallPolicy + + noSmithyDocumentSerde +} + // Details of the Firewall Manager policy. type PolicySummary struct { @@ -1062,6 +1138,9 @@ type RemediationAction struct { // Information about the ReplaceRouteTableAssociation action in the Amazon EC2 API. EC2ReplaceRouteTableAssociationAction *EC2ReplaceRouteTableAssociationAction + // The remedial action to take when updating a firewall configuration. + FMSPolicyUpdateFirewallCreationConfigAction *FMSPolicyUpdateFirewallCreationConfigAction + noSmithyDocumentSerde } @@ -1126,6 +1205,9 @@ type ResourceViolation struct { // group that's already associated. DnsRuleGroupPriorityConflictViolation *DnsRuleGroupPriorityConflictViolation + // Contains details about the firewall subnet that violates the policy scope. + FirewallSubnetIsOutOfScopeViolation *FirewallSubnetIsOutOfScopeViolation + // Violation detail for an internet gateway route with an inactive state in the // customer subnet route table or Network Firewall subnet route table. NetworkFirewallBlackHoleRouteDetectedViolation *NetworkFirewallBlackHoleRouteDetectedViolation @@ -1169,6 +1251,9 @@ type ResourceViolation struct { // remediation action is a list of individual remediation actions. PossibleRemediationActions *PossibleRemediationActions + // Contains details about the route endpoint that violates the policy scope. + RouteHasOutOfScopeEndpointViolation *RouteHasOutOfScopeEndpointViolation + noSmithyDocumentSerde } @@ -1190,6 +1275,48 @@ type Route struct { noSmithyDocumentSerde } +// Contains details about the route endpoint that violates the policy scope. +type RouteHasOutOfScopeEndpointViolation struct { + + // The route table associated with the current firewall subnet. + CurrentFirewallSubnetRouteTable *string + + // The current route table associated with the Internet Gateway. + CurrentInternetGatewayRouteTable *string + + // The ID of the firewall subnet. + FirewallSubnetId *string + + // The list of firewall subnet routes. + FirewallSubnetRoutes []Route + + // The ID of the Internet Gateway. + InternetGatewayId *string + + // The routes in the route table associated with the Internet Gateway. + InternetGatewayRoutes []Route + + // The ID of the route table. + RouteTableId *string + + // The subnet's Availability Zone. + SubnetAvailabilityZone *string + + // The ID of the subnet's Availability Zone. + SubnetAvailabilityZoneId *string + + // The ID of the subnet associated with the route that violates the policy scope. + SubnetId *string + + // The list of routes that violate the route table. + ViolatingRoutes []Route + + // The VPC ID of the route that violates the policy scope. + VpcId *string + + noSmithyDocumentSerde +} + // Remediation option for the rule specified in the ViolationTarget. type SecurityGroupRemediationAction struct { @@ -1256,11 +1383,124 @@ type SecurityServicePolicyData struct { // Valid values for preProcessRuleGroups are between 1 and 99. Valid values for // postProcessRuleGroups are between 9901 and 10000. // - // * Example: - // NETWORK_FIREWALL"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-west-1:1234567891011:stateless-rulegroup/rulegroup2\",\"priority\":10}],\"networkFirewallStatelessDefaultActions\":[\"aws:pass\",\"custom1\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"custom2\",\"aws:pass\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"custom1\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"dimension1\"}]}}},{\"actionName\":\"custom2\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"dimension2\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-west-1:1234567891011:stateful-rulegroup/rulegroup1\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":true,\"allowedIPV4CidrList\":[\"10.24.34.0/28\"]} + // * Example: NETWORK_FIREWALL - + // Centralized deployment model. + // "{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}" + // To use the centralized deployment model, you must set PolicyOption + // (https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html) + // to CENTRALIZED. + // + // * Example: NETWORK_FIREWALL - Distributed deployment model with + // automatic Availability Zone configuration. With automatic Availbility Zone + // configuration, Firewall Manager chooses which Availability Zones to create the + // endpoints in. "{ \"type\": \"NETWORK_FIREWALL\", + // \"networkFirewallStatelessRuleGroupReferences\": [ { \"resourceARN\": + // \"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\", + // \"priority\": 1 } ], \"networkFirewallStatelessDefaultActions\": [ + // \"aws:forward_to_sfe\", \"customActionName\" ], + // \"networkFirewallStatelessFragmentDefaultActions\": [ \"aws:forward_to_sfe\", + // \"customActionName\" ], \"networkFirewallStatelessCustomActions\": [ { + // \"actionName\": \"customActionName\", \"actionDefinition\": { + // \"publishMetricAction\": { \"dimensions\": [ { \"value\": + // \"metricdimensionvalue\" } ] } } } ], + // \"networkFirewallStatefulRuleGroupReferences\": [ { \"resourceARN\": + // \"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\" } ], + // \"networkFirewallOrchestrationConfig\": { \"singleFirewallEndpointPerVPC\": + // false, \"allowedIPV4CidrList\": [ \"10.0.0.0/28\", \"192.168.0.0/28\" ], + // \"routeManagementAction\": \"OFF\" }, \"networkFirewallLoggingConfiguration\": { + // \"logDestinationConfigs\": [ { \"logDestinationType\": \"S3\", \"logType\": + // \"ALERT\", \"logDestination\": { \"bucketName\": \"s3-bucket-name\" } }, { + // \"logDestinationType\": \"S3\", \"logType\": \"FLOW\", \"logDestination\": { + // \"bucketName\": \"s3-bucket-name\" } } ], \"overrideExistingConfig\": true } }" + // To use the distributed deployment model, you must set PolicyOption + // (https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html) + // to NULL. + // + // * Example: NETWORK_FIREWALL - Distributed deployment model with + // automatic Availability Zone configuration, and route management. "{ \"type\": + // \"NETWORK_FIREWALL\", \"networkFirewallStatelessRuleGroupReferences\": [ { + // \"resourceARN\": + // \"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\", + // \"priority\": 1 } ], \"networkFirewallStatelessDefaultActions\": [ + // \"aws:forward_to_sfe\", \"customActionName\" ], + // \"networkFirewallStatelessFragmentDefaultActions\": [ \"aws:forward_to_sfe\", + // \"customActionName\" ], \"networkFirewallStatelessCustomActions\": [ { + // \"actionName\": \"customActionName\", \"actionDefinition\": { + // \"publishMetricAction\": { \"dimensions\": [ { \"value\": + // \"metricdimensionvalue\" } ] } } } ], + // \"networkFirewallStatefulRuleGroupReferences\": [ { \"resourceARN\": + // \"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\" } ], + // \"networkFirewallOrchestrationConfig\": { \"singleFirewallEndpointPerVPC\": + // false, \"allowedIPV4CidrList\": [ \"10.0.0.0/28\", \"192.168.0.0/28\" ], + // \"routeManagementAction\": \"MONITOR\", \"routeManagementTargetTypes\": [ + // \"InternetGateway\" ] }, \"networkFirewallLoggingConfiguration\": { + // \"logDestinationConfigs\": [ { \"logDestinationType\": \"S3\", \"logType\": + // \"ALERT\", \"logDestination\": { \"bucketName\": \"s3-bucket-name\" } }, { + // \"logDestinationType\": \"S3\", \"logType\": \"FLOW\", \"logDestination\": { + // \"bucketName\": \"s3-bucket-name\" } } ], \"overrideExistingConfig\": true } // }" // - // * Specification for SHIELD_ADVANCED for Amazon CloudFront distributions + // * Example: NETWORK_FIREWALL - Distributed deployment model with custom + // Availability Zone configuration. With custom Availability Zone configuration, + // you define which specific Availability Zones to create endpoints in by + // configuring firewallCreationConfig. "{ + // \"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}], + // \"networkFirewallStatelessDefaultActions\":[ \"aws:forward_to_sfe\", + // \"customActionName\" ], \"networkFirewallStatelessFragmentDefaultActions\":[ + // \"aws:forward_to_sfe\", \"fragmentcustomactionname\" ], + // \"networkFirewallStatelessCustomActions\":[ { + // \"actionName\":\"customActionName\", \"actionDefinition\":{ + // \"publishMetricAction\":{ \"dimensions\":[ { \"value\":\"metricdimensionvalue\" + // } ] } } }, { \"actionName\":\"fragmentcustomactionname\", \"actionDefinition\":{ + // \"publishMetricAction\":{ \"dimensions\":[ { + // \"value\":\"fragmentmetricdimensionvalue\" } ] } } } ], + // \"networkFirewallStatefulRuleGroupReferences\":[ { + // \"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\" + // } ], \"networkFirewallOrchestrationConfig\":{ \"firewallCreationConfig\":{ + // \"endpointLocation\":{ \"availabilityZoneConfigList\":[ { + // \"availabilityZoneId\":null, \"availabilityZoneName\":\"us-east-1a\", + // \"allowedIPV4CidrList\":[ \"10.0.0.0/28\" ] }, { ¯\"availabilityZoneId\":null, + // \"availabilityZoneName\":\"us-east-1b\", \"allowedIPV4CidrList\":[ + // \"10.0.0.0/28\" ] } ] } }, \"singleFirewallEndpointPerVPC\":false, + // \"allowedIPV4CidrList\":null, \"routeManagementAction\":\"OFF\", + // \"networkFirewallLoggingConfiguration\":{ \"logDestinationConfigs\":[ { + // \"logDestinationType\":\"S3\", \"logType\":\"ALERT\", \"logDestination\":{ + // \"bucketName\":\"s3-bucket-name\" } }, { \"logDestinationType\":\"S3\", + // \"logType\":\"FLOW\", \"logDestination\":{ \"bucketName\":\"s3-bucket-name\" } } + // ], \"overrideExistingConfig\":boolean } }" + // + // * Example: NETWORK_FIREWALL - + // Distributed deployment model with custom Availability Zone configuration, and + // route management. "{ + // \"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}], + // \"networkFirewallStatelessDefaultActions\":[ \"aws:forward_to_sfe\", + // \"customActionName\" ], \"networkFirewallStatelessFragmentDefaultActions\":[ + // \"aws:forward_to_sfe\", \"fragmentcustomactionname\" ], + // \"networkFirewallStatelessCustomActions\":[ { + // \"actionName\":\"customActionName\", \"actionDefinition\":{ + // \"publishMetricAction\":{ \"dimensions\":[ { \"value\":\"metricdimensionvalue\" + // } ] } } }, { \"actionName\":\"fragmentcustomactionname\", \"actionDefinition\":{ + // \"publishMetricAction\":{ \"dimensions\":[ { + // \"value\":\"fragmentmetricdimensionvalue\" } ] } } } ], + // \"networkFirewallStatefulRuleGroupReferences\":[ { + // \"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\" + // } ], \"networkFirewallOrchestrationConfig\":{ \"firewallCreationConfig\":{ + // \"endpointLocation\":{ \"availabilityZoneConfigList\":[ { + // \"availabilityZoneId\":null, \"availabilityZoneName\":\"us-east-1a\", + // \"allowedIPV4CidrList\":[ \"10.0.0.0/28\" ] }, { ¯\"availabilityZoneId\":null, + // \"availabilityZoneName\":\"us-east-1b\", \"allowedIPV4CidrList\":[ + // \"10.0.0.0/28\" ] } ] } }, \"singleFirewallEndpointPerVPC\":false, + // \"allowedIPV4CidrList\":null, \"routeManagementAction\":\"MONITOR\", + // \"routeManagementTargetTypes\":[ \"InternetGateway\" ], + // \"routeManagementConfig\":{ \"allowCrossAZTrafficIfNoEndpoint\":true } }, + // \"networkFirewallLoggingConfiguration\":{ \"logDestinationConfigs\":[ { + // \"logDestinationType\":\"S3\", \"logType\":\"ALERT\", \"logDestination\":{ + // \"bucketName\":\"s3-bucket-name\" } }, { \"logDestinationType\":\"S3\", + // \"logType\":\"FLOW\", \"logDestination\":{ \"bucketName\":\"s3-bucket-name\" } } + // ], \"overrideExistingConfig\":boolean } }" + // + // * Specification for SHIELD_ADVANCED + // for Amazon CloudFront distributions // "{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": // {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\", // \"automaticResponseAction\":\"BLOCK|COUNT\"}, @@ -1308,6 +1548,10 @@ type SecurityServicePolicyData struct { // SECURITY_GROUPS_USAGE_AUDIT"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true}" ManagedServiceData *string + // Contains the Network Firewall firewall policy options to configure a centralized + // deployment model. + PolicyOption *PolicyOption + noSmithyDocumentSerde } @@ -1397,7 +1641,9 @@ type ViolationDetail struct { // Brief description for the requested resource. ResourceDescription *string - // The ResourceTag objects associated with the resource. + // The ResourceTag objects associated with the resource. This option isn't + // available for the centralized deployment model when creating policies to + // configure Network Firewall. ResourceTags []Tag noSmithyDocumentSerde diff --git a/service/lightsail/api_op_CreateBucket.go b/service/lightsail/api_op_CreateBucket.go index 5d378395ad8..a2abdb1ddb0 100644 --- a/service/lightsail/api_op_CreateBucket.go +++ b/service/lightsail/api_op_CreateBucket.go @@ -44,8 +44,12 @@ type CreateBucketInput struct { // The ID of the bundle to use for the bucket. A bucket bundle specifies the // monthly cost, storage space, and data transfer quota for a bucket. Use the - // GetBucketBundles action to get a list of bundle IDs that you can specify. Use - // the UpdateBucketBundle action to change the bundle after the bucket is created. + // GetBucketBundles + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetBucketBundles.html) + // action to get a list of bundle IDs that you can specify. Use the + // UpdateBucketBundle + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_UpdateBucketBundle.html) + // action to change the bundle after the bucket is created. // // This member is required. BundleId *string @@ -58,7 +62,9 @@ type CreateBucketInput struct { EnableObjectVersioning *bool // The tag keys and optional values to add to the bucket during creation. Use the - // TagResource action to tag the bucket after it's created. + // TagResource + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_TagResource.html) + // action to tag the bucket after it's created. Tags []types.Tag noSmithyDocumentSerde diff --git a/service/lightsail/api_op_CreateBucketAccessKey.go b/service/lightsail/api_op_CreateBucketAccessKey.go index 84ac025e899..e2e02daa23e 100644 --- a/service/lightsail/api_op_CreateBucketAccessKey.go +++ b/service/lightsail/api_op_CreateBucketAccessKey.go @@ -14,9 +14,11 @@ import ( // Creates a new access key for the specified Amazon Lightsail bucket. Access keys // consist of an access key ID and corresponding secret access key. Access keys // grant full programmatic access to the specified bucket and its objects. You can -// have a maximum of two access keys per bucket. Use the GetBucketAccessKeys action -// to get a list of current access keys for a specific bucket. For more information -// about access keys, see Creating access keys for a bucket in Amazon Lightsail +// have a maximum of two access keys per bucket. Use the GetBucketAccessKeys +// (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetBucketAccessKeys.html) +// action to get a list of current access keys for a specific bucket. For more +// information about access keys, see Creating access keys for a bucket in Amazon +// Lightsail // (https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-creating-bucket-access-keys) // in the Amazon Lightsail Developer Guide. The secretAccessKey value is returned // only in response to the CreateBucketAccessKey action. You can get a secret diff --git a/service/lightsail/api_op_CreateDistribution.go b/service/lightsail/api_op_CreateDistribution.go index a41cc449bb9..53059ce2560 100644 --- a/service/lightsail/api_op_CreateDistribution.go +++ b/service/lightsail/api_op_CreateDistribution.go @@ -53,8 +53,8 @@ type CreateDistributionInput struct { DistributionName *string // An object that describes the origin resource for the distribution, such as a - // Lightsail instance or load balancer. The distribution pulls, caches, and serves - // content from the origin. + // Lightsail instance, bucket, or load balancer. The distribution pulls, caches, + // and serves content from the origin. // // This member is required. Origin *types.InputOrigin diff --git a/service/lightsail/api_op_CreateKeyPair.go b/service/lightsail/api_op_CreateKeyPair.go index 26bcc1488d8..e22817a743c 100644 --- a/service/lightsail/api_op_CreateKeyPair.go +++ b/service/lightsail/api_op_CreateKeyPair.go @@ -11,9 +11,13 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Creates an SSH key pair. The create key pair operation supports tag-based access -// control via request tags. For more information, see the Amazon Lightsail -// Developer Guide +// Creates a custom SSH key pair that you can use with an Amazon Lightsail +// instance. Use the DownloadDefaultKeyPair +// (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_DownloadDefaultKeyPair.html) +// action to create a Lightsail default key pair in an Amazon Web Services Region +// where a default key pair does not currently exist. The create key pair operation +// supports tag-based access control via request tags. For more information, see +// the Amazon Lightsail Developer Guide // (https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-controlling-access-using-tags). func (c *Client) CreateKeyPair(ctx context.Context, params *CreateKeyPairInput, optFns ...func(*Options)) (*CreateKeyPairOutput, error) { if params == nil { diff --git a/service/lightsail/api_op_DeleteBucket.go b/service/lightsail/api_op_DeleteBucket.go index bfa65948e4d..9ec30502d99 100644 --- a/service/lightsail/api_op_DeleteBucket.go +++ b/service/lightsail/api_op_DeleteBucket.go @@ -31,8 +31,9 @@ func (c *Client) DeleteBucket(ctx context.Context, params *DeleteBucketInput, op type DeleteBucketInput struct { - // The name of the bucket to delete. Use the GetBuckets action to get a list of - // bucket names that you can specify. + // The name of the bucket to delete. Use the GetBuckets + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetBuckets.html) + // action to get a list of bucket names that you can specify. // // This member is required. BucketName *string @@ -44,16 +45,17 @@ type DeleteBucketInput struct { // is the origin of a distribution. // // * The bucket has instances that were granted - // access to it using the SetResourceAccessForBucket action. + // access to it using the SetResourceAccessForBucket + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_SetResourceAccessForBucket.html) + // action. // - // * The bucket has - // objects. + // * The bucket has objects. // // * The bucket has access keys. // - // Force deleting a bucket might impact - // other resources that rely on the bucket, such as instances, distributions, or - // software that use the issued access keys. + // Force + // deleting a bucket might impact other resources that rely on the bucket, such as + // instances, distributions, or software that use the issued access keys. ForceDelete *bool noSmithyDocumentSerde diff --git a/service/lightsail/api_op_DeleteBucketAccessKey.go b/service/lightsail/api_op_DeleteBucketAccessKey.go index 39fa411f408..988041a48b0 100644 --- a/service/lightsail/api_op_DeleteBucketAccessKey.go +++ b/service/lightsail/api_op_DeleteBucketAccessKey.go @@ -34,8 +34,9 @@ func (c *Client) DeleteBucketAccessKey(ctx context.Context, params *DeleteBucket type DeleteBucketAccessKeyInput struct { - // The ID of the access key to delete. Use the GetBucketAccessKeys action to get a - // list of access key IDs that you can specify. + // The ID of the access key to delete. Use the GetBucketAccessKeys + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetBucketAccessKeys.html) + // action to get a list of access key IDs that you can specify. // // This member is required. AccessKeyId *string diff --git a/service/lightsail/api_op_DeleteKeyPair.go b/service/lightsail/api_op_DeleteKeyPair.go index 221f86ba11d..a7f12abbd97 100644 --- a/service/lightsail/api_op_DeleteKeyPair.go +++ b/service/lightsail/api_op_DeleteKeyPair.go @@ -11,9 +11,18 @@ import ( smithyhttp "github.com/aws/smithy-go/transport/http" ) -// Deletes a specific SSH key pair. The delete key pair operation supports -// tag-based access control via resource tags applied to the resource identified by -// key pair name. For more information, see the Amazon Lightsail Developer Guide +// Deletes the specified key pair by removing the public key from Amazon Lightsail. +// You can delete key pairs that were created using the ImportKeyPair +// (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_ImportKeyPair.html) +// and CreateKeyPair +// (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CreateKeyPair.html) +// actions, as well as the Lightsail default key pair. A new default key pair will +// not be created unless you launch an instance without specifying a custom key +// pair, or you call the DownloadDefaultKeyPair +// (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_DownloadDefaultKeyPair.html) +// API. The delete key pair operation supports tag-based access control via +// resource tags applied to the resource identified by key pair name. For more +// information, see the Amazon Lightsail Developer Guide // (https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-controlling-access-using-tags). func (c *Client) DeleteKeyPair(ctx context.Context, params *DeleteKeyPairInput, optFns ...func(*Options)) (*DeleteKeyPairOutput, error) { if params == nil { @@ -37,6 +46,11 @@ type DeleteKeyPairInput struct { // This member is required. KeyPairName *string + // The RSA fingerprint of the Lightsail default key pair to delete. The + // expectedFingerprint parameter is required only when specifying to delete a + // Lightsail default key pair. + ExpectedFingerprint *string + noSmithyDocumentSerde } diff --git a/service/lightsail/api_op_DownloadDefaultKeyPair.go b/service/lightsail/api_op_DownloadDefaultKeyPair.go index f00ad3e30ec..f9228594dc2 100644 --- a/service/lightsail/api_op_DownloadDefaultKeyPair.go +++ b/service/lightsail/api_op_DownloadDefaultKeyPair.go @@ -8,9 +8,12 @@ import ( "github.com/aws/aws-sdk-go-v2/aws/signer/v4" "github.com/aws/smithy-go/middleware" smithyhttp "github.com/aws/smithy-go/transport/http" + "time" ) -// Downloads the default SSH key pair from the user's account. +// Downloads the regional Amazon Lightsail default key pair. This action also +// creates a Lightsail default key pair if a default key pair does not currently +// exist in the Amazon Web Services Region. func (c *Client) DownloadDefaultKeyPair(ctx context.Context, params *DownloadDefaultKeyPairInput, optFns ...func(*Options)) (*DownloadDefaultKeyPairOutput, error) { if params == nil { params = &DownloadDefaultKeyPairInput{} @@ -32,6 +35,9 @@ type DownloadDefaultKeyPairInput struct { type DownloadDefaultKeyPairOutput struct { + // The timestamp when the default key pair was created. + CreatedAt *time.Time + // A base64-encoded RSA private key. PrivateKeyBase64 *string diff --git a/service/lightsail/api_op_GetBucketAccessKeys.go b/service/lightsail/api_op_GetBucketAccessKeys.go index 3fb34df0e54..b1c60ece8f6 100644 --- a/service/lightsail/api_op_GetBucketAccessKeys.go +++ b/service/lightsail/api_op_GetBucketAccessKeys.go @@ -14,8 +14,9 @@ import ( // Returns the existing access key IDs for the specified Amazon Lightsail bucket. // This action does not return the secret access key value of an access key. You // can get a secret access key only when you create it from the response of the -// CreateBucketAccessKey action. If you lose the secret access key, you must create -// a new access key. +// CreateBucketAccessKey +// (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CreateBucketAccessKey.html) +// action. If you lose the secret access key, you must create a new access key. func (c *Client) GetBucketAccessKeys(ctx context.Context, params *GetBucketAccessKeysInput, optFns ...func(*Options)) (*GetBucketAccessKeysOutput, error) { if params == nil { params = &GetBucketAccessKeysInput{} diff --git a/service/lightsail/api_op_GetBucketBundles.go b/service/lightsail/api_op_GetBucketBundles.go index 1ca8d61cb00..e30cddd8a6a 100644 --- a/service/lightsail/api_op_GetBucketBundles.go +++ b/service/lightsail/api_op_GetBucketBundles.go @@ -13,7 +13,9 @@ import ( // Returns the bundles that you can apply to a Amazon Lightsail bucket. The bucket // bundle specifies the monthly cost, storage quota, and data transfer quota for a -// bucket. Use the UpdateBucketBundle action to update the bundle for a bucket. +// bucket. Use the UpdateBucketBundle +// (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_UpdateBucketBundle.html) +// action to update the bundle for a bucket. func (c *Client) GetBucketBundles(ctx context.Context, params *GetBucketBundlesInput, optFns ...func(*Options)) (*GetBucketBundlesOutput, error) { if params == nil { params = &GetBucketBundlesInput{} diff --git a/service/lightsail/api_op_GetBuckets.go b/service/lightsail/api_op_GetBuckets.go index e53e68d5cf0..5eb023baa95 100644 --- a/service/lightsail/api_op_GetBuckets.go +++ b/service/lightsail/api_op_GetBuckets.go @@ -38,7 +38,9 @@ type GetBucketsInput struct { BucketName *string // A Boolean value that indicates whether to include Lightsail instances that were - // given access to the bucket using the SetResourceAccessForBucket action. + // given access to the bucket using the SetResourceAccessForBucket + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_SetResourceAccessForBucket.html) + // action. IncludeConnectedResources *bool // The token to advance to the next page of results from your request. To get a diff --git a/service/lightsail/api_op_GetExportSnapshotRecords.go b/service/lightsail/api_op_GetExportSnapshotRecords.go index 80aa7e0ac07..c010171c796 100644 --- a/service/lightsail/api_op_GetExportSnapshotRecords.go +++ b/service/lightsail/api_op_GetExportSnapshotRecords.go @@ -13,7 +13,9 @@ import ( // Returns all export snapshot records created as a result of the export snapshot // operation. An export snapshot record can be used to create a new Amazon EC2 -// instance and its related resources with the CreateCloudFormationStack action. +// instance and its related resources with the CreateCloudFormationStack +// (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CreateCloudFormationStack.html) +// action. func (c *Client) GetExportSnapshotRecords(ctx context.Context, params *GetExportSnapshotRecordsInput, optFns ...func(*Options)) (*GetExportSnapshotRecordsOutput, error) { if params == nil { params = &GetExportSnapshotRecordsInput{} diff --git a/service/lightsail/api_op_GetKeyPairs.go b/service/lightsail/api_op_GetKeyPairs.go index 5917f801633..beb5452bcc5 100644 --- a/service/lightsail/api_op_GetKeyPairs.go +++ b/service/lightsail/api_op_GetKeyPairs.go @@ -29,6 +29,10 @@ func (c *Client) GetKeyPairs(ctx context.Context, params *GetKeyPairsInput, optF type GetKeyPairsInput struct { + // A Boolean value that indicates whether to include the default key pair in the + // response of your request. + IncludeDefaultKeyPair *bool + // The token to advance to the next page of results from your request. To get a // page token, perform an initial GetKeyPairs request. If your results are // paginated, the response will return a next page token that you can specify as diff --git a/service/lightsail/api_op_UpdateBucketBundle.go b/service/lightsail/api_op_UpdateBucketBundle.go index 5ee23810834..1505ceb3396 100644 --- a/service/lightsail/api_op_UpdateBucketBundle.go +++ b/service/lightsail/api_op_UpdateBucketBundle.go @@ -15,15 +15,17 @@ import ( // bucket bundle specifies the monthly cost, storage space, and data transfer quota // for a bucket. You can update a bucket's bundle only one time within a monthly // AWS billing cycle. To determine if you can update a bucket's bundle, use the -// GetBuckets action. The ableToUpdateBundle parameter in the response will -// indicate whether you can currently update a bucket's bundle. Update a bucket's -// bundle if it's consistently going over its storage space or data transfer quota, -// or if a bucket's usage is consistently in the lower range of its storage space -// or data transfer quota. Due to the unpredictable usage fluctuations that a -// bucket might experience, we strongly recommend that you update a bucket's bundle -// only as a long-term strategy, instead of as a short-term, monthly cost-cutting -// measure. Choose a bucket bundle that will provide the bucket with ample storage -// space and data transfer for a long time to come. +// GetBuckets +// (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetBuckets.html) +// action. The ableToUpdateBundle parameter in the response will indicate whether +// you can currently update a bucket's bundle. Update a bucket's bundle if it's +// consistently going over its storage space or data transfer quota, or if a +// bucket's usage is consistently in the lower range of its storage space or data +// transfer quota. Due to the unpredictable usage fluctuations that a bucket might +// experience, we strongly recommend that you update a bucket's bundle only as a +// long-term strategy, instead of as a short-term, monthly cost-cutting measure. +// Choose a bucket bundle that will provide the bucket with ample storage space and +// data transfer for a long time to come. func (c *Client) UpdateBucketBundle(ctx context.Context, params *UpdateBucketBundleInput, optFns ...func(*Options)) (*UpdateBucketBundleOutput, error) { if params == nil { params = &UpdateBucketBundleInput{} @@ -46,8 +48,9 @@ type UpdateBucketBundleInput struct { // This member is required. BucketName *string - // The ID of the new bundle to apply to the bucket. Use the GetBucketBundles action - // to get a list of bundle IDs that you can specify. + // The ID of the new bundle to apply to the bucket. Use the GetBucketBundles + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_GetBucketBundles.html) + // action to get a list of bundle IDs that you can specify. // // This member is required. BundleId *string diff --git a/service/lightsail/api_op_UpdateDistribution.go b/service/lightsail/api_op_UpdateDistribution.go index 311d8c5486b..b67388cfa39 100644 --- a/service/lightsail/api_op_UpdateDistribution.go +++ b/service/lightsail/api_op_UpdateDistribution.go @@ -53,8 +53,8 @@ type UpdateDistributionInput struct { IsEnabled *bool // An object that describes the origin resource for the distribution, such as a - // Lightsail instance or load balancer. The distribution pulls, caches, and serves - // content from the origin. + // Lightsail instance, bucket, or load balancer. The distribution pulls, caches, + // and serves content from the origin. Origin *types.InputOrigin noSmithyDocumentSerde diff --git a/service/lightsail/deserializers.go b/service/lightsail/deserializers.go index e0fb2477253..74c4bf42db1 100644 --- a/service/lightsail/deserializers.go +++ b/service/lightsail/deserializers.go @@ -33364,6 +33364,22 @@ func awsAwsjson11_deserializeOpDocumentDownloadDefaultKeyPairOutput(v **Download for key, value := range shape { switch key { + case "createdAt": + if value != nil { + switch jtv := value.(type) { + case json.Number: + f64, err := jtv.Float64() + if err != nil { + return err + } + sv.CreatedAt = ptr.Time(smithytime.ParseEpochSeconds(f64)) + + default: + return fmt.Errorf("expected IsoDate to be a JSON Number, got %T instead", value) + + } + } + case "privateKeyBase64": if value != nil { jtv, ok := value.(string) diff --git a/service/lightsail/serializers.go b/service/lightsail/serializers.go index 7e3a4c986e3..b34cad0dd13 100644 --- a/service/lightsail/serializers.go +++ b/service/lightsail/serializers.go @@ -10465,6 +10465,11 @@ func awsAwsjson11_serializeOpDocumentDeleteKeyPairInput(v *DeleteKeyPairInput, v object := value.Object() defer object.Close() + if v.ExpectedFingerprint != nil { + ok := object.Key("expectedFingerprint") + ok.String(*v.ExpectedFingerprint) + } + if v.KeyPairName != nil { ok := object.Key("keyPairName") ok.String(*v.KeyPairName) @@ -11322,6 +11327,11 @@ func awsAwsjson11_serializeOpDocumentGetKeyPairsInput(v *GetKeyPairsInput, value object := value.Object() defer object.Close() + if v.IncludeDefaultKeyPair != nil { + ok := object.Key("includeDefaultKeyPair") + ok.Boolean(*v.IncludeDefaultKeyPair) + } + if v.PageToken != nil { ok := object.Key("pageToken") ok.String(*v.PageToken) diff --git a/service/lightsail/types/types.go b/service/lightsail/types/types.go index 28e42122140..e19f06ab852 100644 --- a/service/lightsail/types/types.go +++ b/service/lightsail/types/types.go @@ -9,9 +9,10 @@ import ( // Describes an access key for an Amazon Lightsail bucket. Access keys grant full // programmatic access to the specified bucket and its objects. You can have a -// maximum of two access keys per bucket. Use the CreateBucketAccessKey action to -// create an access key for a specific bucket. For more information about access -// keys, see Creating access keys for a bucket in Amazon Lightsail +// maximum of two access keys per bucket. Use the CreateBucketAccessKey +// (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CreateBucketAccessKey.html) +// action to create an access key for a specific bucket. For more information about +// access keys, see Creating access keys for a bucket in Amazon Lightsail // (https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-creating-bucket-access-keys) // in the Amazon Lightsail Developer Guide. The secretAccessKey value is returned // only in response to the CreateBucketAccessKey action. You can get a secret @@ -27,9 +28,10 @@ type AccessKey struct { CreatedAt *time.Time // An object that describes the last time the access key was used. This object does - // not include data in the response of a CreateBucketAccessKey action. If the - // access key has not been used, the region and serviceName values are N/A, and the - // lastUsedDate value is null. + // not include data in the response of a CreateBucketAccessKey + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CreateBucketAccessKey.html) + // action. If the access key has not been used, the region and serviceName values + // are N/A, and the lastUsedDate value is null. LastUsed *AccessKeyLastUsed // The secret access key used to sign requests. You should store the secret access @@ -45,7 +47,9 @@ type AccessKey struct { } // Describes the last time an access key was used. This object does not include -// data in the response of a CreateBucketAccessKey action. +// data in the response of a CreateBucketAccessKey +// (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_CreateBucketAccessKey.html) +// action. type AccessKeyLastUsed struct { // The date and time when the access key was most recently used. This value is null @@ -404,8 +408,9 @@ type Bucket struct { // Indicates whether the bundle that is currently applied to a bucket can be // changed to another bundle. You can update a bucket's bundle only one time within - // a monthly AWS billing cycle. Use the UpdateBucketBundle action to change a - // bucket's bundle. + // a monthly AWS billing cycle. Use the UpdateBucketBundle + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_UpdateBucketBundle.html) + // action to change a bucket's bundle. AbleToUpdateBundle *bool // An object that describes the access log configuration for the bucket. @@ -419,7 +424,9 @@ type Bucket struct { // The ID of the bundle currently applied to the bucket. A bucket bundle specifies // the monthly cost, storage space, and data transfer quota for a bucket. Use the - // UpdateBucketBundle action to change the bundle of a bucket. + // UpdateBucketBundle + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_UpdateBucketBundle.html) + // action to change the bundle of a bucket. BundleId *string // The timestamp when the distribution was created. @@ -452,8 +459,9 @@ type Bucket struct { ResourceType *string // An array of objects that describe Lightsail instances that have access to the - // bucket. Use the SetResourceAccessForBucket action to update the instances that - // have access to a bucket. + // bucket. Use the SetResourceAccessForBucket + // (https://docs.aws.amazon.com/lightsail/2016-11-28/api-reference/API_SetResourceAccessForBucket.html) + // action to update the instances that have access to a bucket. ResourcesReceivingAccess []ResourceReceivingAccess // An object that describes the state of the bucket. @@ -629,8 +637,7 @@ type CacheBehavior struct { // to specify a directory, file, or file type that your distribution will cache. // Alternately, if the distribution's cacheBehavior is dont-cache, then a per-path // cache behavior can be used to specify a directory, file, or file type that your -// distribution will not cache. if the cacheBehavior's behavior is set to 'cache', -// then +// distribution will not cache. type CacheBehaviorPerPath struct { // The cache behavior for the specified path. You can specify one of the following @@ -1836,9 +1843,9 @@ type HostKeyAttributes struct { } // Describes the origin resource of an Amazon Lightsail content delivery network -// (CDN) distribution. An origin can be a Lightsail instance or load balancer. A -// distribution pulls content from an origin, caches it, and serves it to viewers -// via a worldwide network of edge servers. +// (CDN) distribution. An origin can be a Lightsail instance, bucket, or load +// balancer. A distribution pulls content from an origin, caches it, and serves it +// to viewers via a worldwide network of edge servers. type InputOrigin struct { // The name of the origin resource. @@ -2530,8 +2537,8 @@ type LightsailDistribution struct { Name *string // An object that describes the origin resource of the distribution, such as a - // Lightsail instance or load balancer. The distribution pulls, caches, and serves - // content from the origin. + // Lightsail instance, bucket, or load balancer. The distribution pulls, caches, + // and serves content from the origin. Origin *Origin // The public DNS of the origin. @@ -2999,9 +3006,9 @@ type Operation struct { } // Describes the origin resource of an Amazon Lightsail content delivery network -// (CDN) distribution. An origin can be a Lightsail instance or load balancer. A -// distribution pulls content from an origin, caches it, and serves it to viewers -// via a worldwide network of edge servers. +// (CDN) distribution. An origin can be a Lightsail instance, bucket, or load +// balancer. A distribution pulls content from an origin, caches it, and serves it +// to viewers via a worldwide network of edge servers. type Origin struct { // The name of the origin resource. diff --git a/service/route53/api_op_AssociateVPCWithHostedZone.go b/service/route53/api_op_AssociateVPCWithHostedZone.go index 0886ab60205..a8dc3691ad2 100644 --- a/service/route53/api_op_AssociateVPCWithHostedZone.go +++ b/service/route53/api_op_AssociateVPCWithHostedZone.go @@ -18,7 +18,22 @@ import ( // zone that was created by using a different account, the Amazon Web Services // account that created the private hosted zone must first submit a // CreateVPCAssociationAuthorization request. Then the account that created the VPC -// must submit an AssociateVPCWithHostedZone request. +// must submit an AssociateVPCWithHostedZone request. When granting access, the +// hosted zone and the Amazon VPC must belong to the same partition. A partition is +// a group of Amazon Web Services Regions. Each Amazon Web Services account is +// scoped to one partition. The following are the supported partitions: +// +// * aws - +// Amazon Web Services Regions +// +// * aws-cn - China Regions +// +// * aws-us-gov - Amazon Web +// Services GovCloud (US) Region +// +// For more information, see Access Management +// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in +// the Amazon Web Services General Reference. func (c *Client) AssociateVPCWithHostedZone(ctx context.Context, params *AssociateVPCWithHostedZoneInput, optFns ...func(*Options)) (*AssociateVPCWithHostedZoneOutput, error) { if params == nil { params = &AssociateVPCWithHostedZoneInput{} diff --git a/service/route53/api_op_ChangeResourceRecordSets.go b/service/route53/api_op_ChangeResourceRecordSets.go index 03785e93501..8259985a02b 100644 --- a/service/route53/api_op_ChangeResourceRecordSets.go +++ b/service/route53/api_op_ChangeResourceRecordSets.go @@ -51,8 +51,7 @@ import ( // an existing resource record set that has the specified values. // // * UPSERT: If a -// resource record set does not already exist, Amazon Web Services creates it. If a -// resource set does exist, Route 53 updates it with the values in the +// resource set exists Route 53 updates it with the values in the // request. // // Syntaxes for Creating, Updating, and Deleting Resource Record Sets The diff --git a/service/route53/api_op_CreateHostedZone.go b/service/route53/api_op_CreateHostedZone.go index a97a3f95239..8d009aff69a 100644 --- a/service/route53/api_op_CreateHostedZone.go +++ b/service/route53/api_op_CreateHostedZone.go @@ -47,7 +47,23 @@ import ( // zones, this means that the NS and SOA records are not yet available on all Route // 53 DNS servers. When the NS and SOA records are available, the status of the // zone changes to INSYNC. The CreateHostedZone request requires the caller to have -// an ec2:DescribeVpcs permission. +// an ec2:DescribeVpcs permission. When creating private hosted zones, the Amazon +// VPC must belong to the same partition where the hosted zone is created. A +// partition is a group of Amazon Web Services Regions. Each Amazon Web Services +// account is scoped to one partition. The following are the supported +// partitions: +// +// * aws - Amazon Web Services Regions +// +// * aws-cn - China Regions +// +// * +// aws-us-gov - Amazon Web Services GovCloud (US) Region +// +// For more information, see +// Access Management +// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in +// the Amazon Web Services General Reference. func (c *Client) CreateHostedZone(ctx context.Context, params *CreateHostedZoneInput, optFns ...func(*Options)) (*CreateHostedZoneOutput, error) { if params == nil { params = &CreateHostedZoneInput{} diff --git a/service/route53/api_op_CreateQueryLoggingConfig.go b/service/route53/api_op_CreateQueryLoggingConfig.go index 0ccedc4b81e..8b70d4aa0a0 100644 --- a/service/route53/api_op_CreateQueryLoggingConfig.go +++ b/service/route53/api_op_CreateQueryLoggingConfig.go @@ -58,39 +58,56 @@ import ( // previous step. To use the same resource policy for all the CloudWatch Logs log // groups that you created for query logging configurations, replace the hosted // zone name with , for example: -// arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/ You can't use the -// CloudWatch console to create or edit a resource policy. You must use the -// CloudWatch API, one of the Amazon Web Services SDKs, or the CLI. -// -// Log Streams -// and Edge Locations When Route 53 finishes creating the configuration for DNS -// query logging, it does the following: -// -// * Creates a log stream for an edge -// location the first time that the edge location responds to DNS queries for the -// specified hosted zone. That log stream is used to log all queries that Route 53 -// responds to for that edge location. -// -// * Begins to send query logs to the -// applicable log stream. -// -// The name of each log stream is in the following format: -// hosted zone ID/edge location code The edge location code is a three-letter code -// and an arbitrarily assigned number, for example, DFW3. The three-letter code -// typically corresponds with the International Air Transport Association airport -// code for an airport near the edge location. (These abbreviations might change in -// the future.) For a list of edge locations, see "The Route 53 Global Network" on -// the Route 53 Product Details (http://aws.amazon.com/route53/details/) page. -// Queries That Are Logged Query logs contain only the queries that DNS resolvers -// forward to Route 53. If a DNS resolver has already cached the response to a -// query (such as the IP address for a load balancer for example.com), the resolver -// will continue to return the cached response. It doesn't forward another query to -// Route 53 until the TTL for the corresponding resource record set expires. -// Depending on how many DNS queries are submitted for a resource record set, and -// depending on the TTL for that resource record set, query logs might contain -// information about only one query out of every several thousand queries that are -// submitted to DNS. For more information about how DNS works, see Routing Internet -// Traffic to Your Website or Web Application +// arn:aws:logs:us-east-1:123412341234:log-group:/aws/route53/ To avoid the +// confused deputy problem, a security issue where an entity without a permission +// for an action can coerce a more-privileged entity to perform it, you can +// optionally limit the permissions that a service has to a resource in a +// resource-based policy by supplying the following values: +// +// * For aws:SourceArn, +// supply the hosted zone ARN used in creating the query logging configuration. For +// example, aws:SourceArn: arn:aws:route53:::hostedzone/hosted zone ID. +// +// * For +// aws:SourceAccount, supply the account ID for the account that creates the query +// logging configuration. For example, aws:SourceAccount:111111111111. +// +// For more +// information, see The confused deputy problem +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html) in the +// Amazon Web Services IAM User Guide. You can't use the CloudWatch console to +// create or edit a resource policy. You must use the CloudWatch API, one of the +// Amazon Web Services SDKs, or the CLI. +// +// Log Streams and Edge Locations When Route +// 53 finishes creating the configuration for DNS query logging, it does the +// following: +// +// * Creates a log stream for an edge location the first time that the +// edge location responds to DNS queries for the specified hosted zone. That log +// stream is used to log all queries that Route 53 responds to for that edge +// location. +// +// * Begins to send query logs to the applicable log stream. +// +// The name +// of each log stream is in the following format: hosted zone ID/edge location +// code The edge location code is a three-letter code and an arbitrarily assigned +// number, for example, DFW3. The three-letter code typically corresponds with the +// International Air Transport Association airport code for an airport near the +// edge location. (These abbreviations might change in the future.) For a list of +// edge locations, see "The Route 53 Global Network" on the Route 53 Product +// Details (http://aws.amazon.com/route53/details/) page. Queries That Are Logged +// Query logs contain only the queries that DNS resolvers forward to Route 53. If a +// DNS resolver has already cached the response to a query (such as the IP address +// for a load balancer for example.com), the resolver will continue to return the +// cached response. It doesn't forward another query to Route 53 until the TTL for +// the corresponding resource record set expires. Depending on how many DNS queries +// are submitted for a resource record set, and depending on the TTL for that +// resource record set, query logs might contain information about only one query +// out of every several thousand queries that are submitted to DNS. For more +// information about how DNS works, see Routing Internet Traffic to Your Website or +// Web Application // (https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/welcome-dns-service.html) // in the Amazon Route 53 Developer Guide. Log File Format For a list of the values // in each query log and the format of each value, see Logging DNS Queries diff --git a/service/route53/api_op_DisassociateVPCFromHostedZone.go b/service/route53/api_op_DisassociateVPCFromHostedZone.go index 465584cfcc8..bbe7fdad48a 100644 --- a/service/route53/api_op_DisassociateVPCFromHostedZone.go +++ b/service/route53/api_op_DisassociateVPCFromHostedZone.go @@ -34,6 +34,23 @@ import ( // if the hosted zone has a value for OwningAccount, you can use // DisassociateVPCFromHostedZone. If the hosted zone has a value for OwningService, // you can't use DisassociateVPCFromHostedZone. +// +// When revoking access, the hosted +// zone and the Amazon VPC must belong to the same partition. A partition is a +// group of Amazon Web Services Regions. Each Amazon Web Services account is scoped +// to one partition. The following are the supported partitions: +// +// * aws - Amazon +// Web Services Regions +// +// * aws-cn - China Regions +// +// * aws-us-gov - Amazon Web +// Services GovCloud (US) Region +// +// For more information, see Access Management +// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in +// the Amazon Web Services General Reference. func (c *Client) DisassociateVPCFromHostedZone(ctx context.Context, params *DisassociateVPCFromHostedZoneInput, optFns ...func(*Options)) (*DisassociateVPCFromHostedZoneOutput, error) { if params == nil { params = &DisassociateVPCFromHostedZoneInput{} diff --git a/service/route53/api_op_ListHostedZonesByVPC.go b/service/route53/api_op_ListHostedZonesByVPC.go index 681d28d81e0..fefdc3c7195 100644 --- a/service/route53/api_op_ListHostedZonesByVPC.go +++ b/service/route53/api_op_ListHostedZonesByVPC.go @@ -25,6 +25,24 @@ import ( // the Amazon Web Services service that created and owns the hosted zone. For // example, if a hosted zone was created by Amazon Elastic File System (Amazon // EFS), the value of Owner is efs.amazonaws.com. +// +// When listing private hosted +// zones, the hosted zone and the Amazon VPC must belong to the same partition +// where the hosted zones were created. A partition is a group of Amazon Web +// Services Regions. Each Amazon Web Services account is scoped to one partition. +// The following are the supported partitions: +// +// * aws - Amazon Web Services +// Regions +// +// * aws-cn - China Regions +// +// * aws-us-gov - Amazon Web Services GovCloud +// (US) Region +// +// For more information, see Access Management +// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in +// the Amazon Web Services General Reference. func (c *Client) ListHostedZonesByVPC(ctx context.Context, params *ListHostedZonesByVPCInput, optFns ...func(*Options)) (*ListHostedZonesByVPCOutput, error) { if params == nil { params = &ListHostedZonesByVPCInput{} diff --git a/service/s3control/deserializers.go b/service/s3control/deserializers.go index ec288dd4c3d..fa41c7fc768 100644 --- a/service/s3control/deserializers.go +++ b/service/s3control/deserializers.go @@ -13348,6 +13348,19 @@ func awsRestxml_deserializeDocumentS3CopyObjectOperation(v **types.S3CopyObjectO sv.CannedAccessControlList = types.S3CannedAccessControlList(xtv) } + case strings.EqualFold("ChecksumAlgorithm", t.Name.Local): + val, err := decoder.Value() + if err != nil { + return err + } + if val == nil { + break + } + { + xtv := string(val) + sv.ChecksumAlgorithm = types.S3ChecksumAlgorithm(xtv) + } + case strings.EqualFold("MetadataDirective", t.Name.Local): val, err := decoder.Value() if err != nil { diff --git a/service/s3control/serializers.go b/service/s3control/serializers.go index bcb0be78fbc..acf0de53c2c 100644 --- a/service/s3control/serializers.go +++ b/service/s3control/serializers.go @@ -5891,6 +5891,17 @@ func awsRestxml_serializeDocumentS3CopyObjectOperation(v *types.S3CopyObjectOper el := value.MemberElement(root) el.String(string(v.CannedAccessControlList)) } + if len(v.ChecksumAlgorithm) > 0 { + rootAttr := []smithyxml.Attr{} + root := smithyxml.StartElement{ + Name: smithyxml.Name{ + Local: "ChecksumAlgorithm", + }, + Attr: rootAttr, + } + el := value.MemberElement(root) + el.String(string(v.ChecksumAlgorithm)) + } if len(v.MetadataDirective) > 0 { rootAttr := []smithyxml.Attr{} root := smithyxml.StartElement{ diff --git a/service/s3control/types/enums.go b/service/s3control/types/enums.go index e0f0888aff2..625050262ea 100644 --- a/service/s3control/types/enums.go +++ b/service/s3control/types/enums.go @@ -441,6 +441,28 @@ func (S3CannedAccessControlList) Values() []S3CannedAccessControlList { } } +type S3ChecksumAlgorithm string + +// Enum values for S3ChecksumAlgorithm +const ( + S3ChecksumAlgorithmCrc32 S3ChecksumAlgorithm = "CRC32" + S3ChecksumAlgorithmCrc32c S3ChecksumAlgorithm = "CRC32C" + S3ChecksumAlgorithmSha1 S3ChecksumAlgorithm = "SHA1" + S3ChecksumAlgorithmSha256 S3ChecksumAlgorithm = "SHA256" +) + +// Values returns all known values for S3ChecksumAlgorithm. Note that this can be +// expanded in the future, and so it is only as up to date as the client. The +// ordering of this slice is not guaranteed to be stable across updates. +func (S3ChecksumAlgorithm) Values() []S3ChecksumAlgorithm { + return []S3ChecksumAlgorithm{ + "CRC32", + "CRC32C", + "SHA1", + "SHA256", + } +} + type S3GlacierJobTier string // Enum values for S3GlacierJobTier diff --git a/service/s3control/types/types.go b/service/s3control/types/types.go index 759d56fcdef..85ebb7f0cf0 100644 --- a/service/s3control/types/types.go +++ b/service/s3control/types/types.go @@ -1200,6 +1200,12 @@ type S3CopyObjectOperation struct { // CannedAccessControlList S3CannedAccessControlList + // Indicates the algorithm you want Amazon S3 to use to create the checksum. For + // more information see Checking object integrity + // (https://docs.aws.amazon.com/AmazonS3/latest/userguide/CheckingObjectIntegrity.xml) + // in the Amazon S3 User Guide. + ChecksumAlgorithm S3ChecksumAlgorithm + // MetadataDirective S3MetadataDirective