From f9284e344902fa404d47962f55f7f8bb73f5ff8d Mon Sep 17 00:00:00 2001 From: aws-sdk-go-automation <43143561+aws-sdk-go-automation@users.noreply.github.com> Date: Fri, 21 Apr 2023 11:27:40 -0700 Subject: [PATCH] Release v1.44.248 (2023-04-21) (#4810) Release v1.44.248 (2023-04-21) === ### Service Client Updates * `service/connect`: Updates service API and documentation * `service/ecs`: Updates service documentation * Documentation update to address various Amazon ECS tickets. * `service/fms`: Updates service API, documentation, and paginators --- CHANGELOG.md | 9 + aws/endpoints/defaults.go | 117 ++ aws/version.go | 2 +- models/apis/connect/2017-08-08/api-2.json | 65 + models/apis/connect/2017-08-08/docs-2.json | 45 +- models/apis/ecs/2014-11-13/docs-2.json | 8 +- models/apis/fms/2018-01-01/api-2.json | 227 +- models/apis/fms/2018-01-01/docs-2.json | 194 +- .../fms/2018-01-01/endpoint-rule-set-1.json | 392 ++-- .../apis/fms/2018-01-01/endpoint-tests-1.json | 1176 +++-------- models/apis/fms/2018-01-01/paginators-1.json | 12 + models/endpoints/endpoints.json | 91 +- service/connect/api.go | 368 +++- service/connect/connectiface/interface.go | 4 + service/ecs/api.go | 15 +- service/fms/api.go | 1848 +++++++++++++++-- service/fms/doc.go | 3 +- service/fms/fmsiface/interface.go | 22 + 18 files changed, 3291 insertions(+), 1307 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 19195fac144..63c5d07d0e6 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,12 @@ +Release v1.44.248 (2023-04-21) +=== + +### Service Client Updates +* `service/connect`: Updates service API and documentation +* `service/ecs`: Updates service documentation + * Documentation update to address various Amazon ECS tickets. +* `service/fms`: Updates service API, documentation, and paginators + Release v1.44.247 (2023-04-20) === diff --git a/aws/endpoints/defaults.go b/aws/endpoints/defaults.go index 2ad1828f751..f59030f7b8d 100644 --- a/aws/endpoints/defaults.go 
+++ b/aws/endpoints/defaults.go @@ -2074,6 +2074,9 @@ var awsPartition = partition{ }, Deprecated: boxedTrue, }, + endpointKey{ + Region: "me-central-1", + }: endpoint{}, endpointKey{ Region: "me-south-1", }: endpoint{}, @@ -3712,6 +3715,12 @@ var awsPartition = partition{ endpointKey{ Region: "ca-central-1", }: endpoint{}, + endpointKey{ + Region: "ca-central-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "autoscaling-fips.ca-central-1.amazonaws.com", + }, endpointKey{ Region: "eu-central-1", }: endpoint{}, @@ -3736,6 +3745,51 @@ var awsPartition = partition{ endpointKey{ Region: "eu-west-3", }: endpoint{}, + endpointKey{ + Region: "fips-ca-central-1", + }: endpoint{ + Hostname: "autoscaling-fips.ca-central-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ca-central-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-east-1", + }: endpoint{ + Hostname: "autoscaling-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-east-2", + }: endpoint{ + Hostname: "autoscaling-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-west-1", + }: endpoint{ + Hostname: "autoscaling-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + Deprecated: boxedTrue, + }, + endpointKey{ + Region: "fips-us-west-2", + }: endpoint{ + Hostname: "autoscaling-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + Deprecated: boxedTrue, + }, endpointKey{ Region: "me-central-1", }: endpoint{}, 
@@ -3748,15 +3802,39 @@ var awsPartition = partition{ endpointKey{ Region: "us-east-1", }: endpoint{}, + endpointKey{ + Region: "us-east-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "autoscaling-fips.us-east-1.amazonaws.com", + }, endpointKey{ Region: "us-east-2", }: endpoint{}, + endpointKey{ + Region: "us-east-2", + Variant: fipsVariant, + }: endpoint{ + Hostname: "autoscaling-fips.us-east-2.amazonaws.com", + }, endpointKey{ Region: "us-west-1", }: endpoint{}, + endpointKey{ + Region: "us-west-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "autoscaling-fips.us-west-1.amazonaws.com", + }, endpointKey{ Region: "us-west-2", }: endpoint{}, + endpointKey{ + Region: "us-west-2", + Variant: fipsVariant, + }: endpoint{ + Hostname: "autoscaling-fips.us-west-2.amazonaws.com", + }, }, }, "autoscaling-plans": service{ @@ -3866,6 +3944,9 @@ var awsPartition = partition{ endpointKey{ Region: "ap-southeast-3", }: endpoint{}, + endpointKey{ + Region: "ap-southeast-4", + }: endpoint{}, endpointKey{ Region: "ca-central-1", }: endpoint{}, @@ -6839,12 +6920,21 @@ var awsPartition = partition{ }, "controltower": service{ Endpoints: serviceEndpoints{ + endpointKey{ + Region: "af-south-1", + }: endpoint{}, + endpointKey{ + Region: "ap-east-1", + }: endpoint{}, endpointKey{ Region: "ap-northeast-1", }: endpoint{}, endpointKey{ Region: "ap-northeast-2", }: endpoint{}, + endpointKey{ + Region: "ap-northeast-3", + }: endpoint{}, endpointKey{ Region: "ap-south-1", }: endpoint{}, @@ -6854,6 +6944,9 @@ var awsPartition = partition{ endpointKey{ Region: "ap-southeast-2", }: endpoint{}, + endpointKey{ + Region: "ap-southeast-3", + }: endpoint{}, endpointKey{ Region: "ca-central-1", }: endpoint{}, @@ -6878,6 +6971,9 @@ var awsPartition = partition{ endpointKey{ Region: "eu-north-1", }: endpoint{}, + endpointKey{ + Region: "eu-south-1", + }: endpoint{}, endpointKey{ Region: "eu-west-1", }: endpoint{}, 
@@ -6887,6 +6983,9 @@ var awsPartition = partition{ endpointKey{ Region: "eu-west-3", }: endpoint{}, + endpointKey{ + Region: "me-south-1", + }: endpoint{}, endpointKey{ Region: "sa-east-1", }: endpoint{}, @@ -6926,6 +7025,24 @@ var awsPartition = partition{ }, Deprecated: boxedTrue, }, + endpointKey{ + Region: "us-west-1", + }: endpoint{}, + endpointKey{ + Region: "us-west-1", + Variant: fipsVariant, + }: endpoint{ + Hostname: "controltower-fips.us-west-1.amazonaws.com", + }, + endpointKey{ + Region: "us-west-1-fips", + }: endpoint{ + Hostname: "controltower-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + Deprecated: boxedTrue, + }, endpointKey{ Region: "us-west-2", }: endpoint{}, diff --git a/aws/version.go b/aws/version.go index 0a12d8f4268..03d3a91a810 100644 --- a/aws/version.go +++ b/aws/version.go @@ -5,4 +5,4 @@ package aws const SDKName = "aws-sdk-go" // SDKVersion is the version of this SDK -const SDKVersion = "1.44.247" +const SDKVersion = "1.44.248" diff --git a/models/apis/connect/2017-08-08/api-2.json b/models/apis/connect/2017-08-08/api-2.json index 50aebf4ef01..c1aeca565b7 100644 --- a/models/apis/connect/2017-08-08/api-2.json +++ b/models/apis/connect/2017-08-08/api-2.json @@ -303,6 +303,23 @@ {"shape":"ThrottlingException"} ] }, + "CreateParticipant":{ + "name":"CreateParticipant", + "http":{ + "method":"POST", + "requestUri":"/contact/create-participant" + }, + "input":{"shape":"CreateParticipantRequest"}, + "output":{"shape":"CreateParticipantResponse"}, + "errors":[ + {"shape":"InvalidRequestException"}, + {"shape":"InvalidParameterException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InternalServiceException"}, + {"shape":"ServiceQuotaExceededException"}, + {"shape":"ThrottlingException"} + ] + }, "CreateQueue":{ "name":"CreateQueue", "http":{ 
@@ -3700,6 +3717,30 @@ "IntegrationAssociationArn":{"shape":"ARN"} } }, + "CreateParticipantRequest":{ + "type":"structure", + "required":[ + "InstanceId", + "ContactId", + "ParticipantDetails" + ], + "members":{ + "InstanceId":{"shape":"InstanceId"}, + "ContactId":{"shape":"ContactId"}, + "ClientToken":{ + "shape":"ClientToken", + "idempotencyToken":true + }, + "ParticipantDetails":{"shape":"ParticipantDetailsToAdd"} + } + }, + "CreateParticipantResponse":{ + "type":"structure", + "members":{ + "ParticipantCredentials":{"shape":"ParticipantTokenCredentials"}, + "ParticipantId":{"shape":"ParticipantId"} + } + }, "CreateQueueRequest":{ "type":"structure", "required":[ @@ -5788,6 +5829,7 @@ } } }, + "ISO8601Datetime":{"type":"string"}, "IdempotencyException":{ "type":"structure", "members":{ @@ -7332,11 +7374,27 @@ "DisplayName":{"shape":"DisplayName"} } }, + "ParticipantDetailsToAdd":{ + "type":"structure", + "members":{ + "ParticipantRole":{"shape":"ParticipantRole"}, + "DisplayName":{"shape":"DisplayName"} + } + }, "ParticipantId":{ "type":"string", "max":256, "min":1 }, + "ParticipantRole":{ + "type":"string", + "enum":[ + "AGENT", + "CUSTOMER", + "SYSTEM", + "CUSTOM_BOT" + ] + }, "ParticipantTimerAction":{ "type":"string", "enum":["Unset"] @@ -7385,6 +7443,13 @@ "max":1000, "min":1 }, + "ParticipantTokenCredentials":{ + "type":"structure", + "members":{ + "ParticipantToken":{"shape":"ParticipantToken"}, + "Expiry":{"shape":"ISO8601Datetime"} + } + }, "Password":{ "type":"string", "pattern":"/^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)[a-zA-Z\\d\\S]{8,64}$/" diff --git a/models/apis/connect/2017-08-08/docs-2.json b/models/apis/connect/2017-08-08/docs-2.json index 235daab4ac7..80315d2c524 100644 --- a/models/apis/connect/2017-08-08/docs-2.json +++ b/models/apis/connect/2017-08-08/docs-2.json @@ -19,6 +19,7 @@ "CreateHoursOfOperation": "

This API is in preview release for Amazon Connect and is subject to change.

Creates hours of operation.

", "CreateInstance": "

This API is in preview release for Amazon Connect and is subject to change.

Initiates an Amazon Connect instance with all the supported channels enabled. It does not attach any storage, such as Amazon Simple Storage Service (Amazon S3) or Amazon Kinesis. It also does not allow for any configurations on features, such as Contact Lens for Amazon Connect.

Amazon Connect enforces a limit on the total number of instances that you can create or delete in 30 days. If you exceed this limit, you will get an error message indicating there has been an excessive number of attempts at creating or deleting instances. You must wait 30 days before you can restart creating and deleting instances in your account.

", "CreateIntegrationAssociation": "

Creates an Amazon Web Services resource association with an Amazon Connect instance.

", + "CreateParticipant": "

Adds a new participant into an on-going chat contact. For more information, see Customize chat flow experiences by integrating custom participants.

", "CreateQueue": "

This API is in preview release for Amazon Connect and is subject to change.

Creates a new queue for the specified Amazon Connect instance.

If the number being used in the input is claimed to a traffic distribution group, and you are calling this API using an instance in the Amazon Web Services Region where the traffic distribution group was created, you can use either a full phone number ARN or UUID value for the OutboundCallerIdNumberId value of the OutboundCallerConfig request body parameter. However, if the number is claimed to a traffic distribution group and you are calling this API using an instance in the alternate Amazon Web Services Region associated with the traffic distribution group, you must provide a full phone number ARN. If a UUID is provided in this scenario, you will receive a ResourceNotFoundException.

", "CreateQuickConnect": "

Creates a quick connect for the specified Amazon Connect instance.

", "CreateRoutingProfile": "

Creates a new routing profile.

", @@ -742,6 +743,7 @@ "ClaimPhoneNumberRequest$ClientToken": "

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. If not provided, the Amazon Web Services SDK populates this field. For more information about idempotency, see Making retries safe with idempotent APIs.

Pattern: ^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$

", "CreateContactFlowModuleRequest$ClientToken": "

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. If not provided, the Amazon Web Services SDK populates this field. For more information about idempotency, see Making retries safe with idempotent APIs.

", "CreateInstanceRequest$ClientToken": "

The idempotency token.

", + "CreateParticipantRequest$ClientToken": "

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. If not provided, the Amazon Web Services SDK populates this field. For more information about idempotency, see Making retries safe with idempotent APIs.

", "CreateRuleRequest$ClientToken": "

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. If not provided, the Amazon Web Services SDK populates this field. For more information about idempotency, see Making retries safe with idempotent APIs.

", "CreateTaskTemplateRequest$ClientToken": "

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. If not provided, the Amazon Web Services SDK populates this field. For more information about idempotency, see Making retries safe with idempotent APIs.

", "CreateTrafficDistributionGroupRequest$ClientToken": "

A unique, case-sensitive identifier that you provide to ensure the idempotency of the request. If not provided, the Amazon Web Services SDK populates this field. For more information about idempotency, see Making retries safe with idempotent APIs.

", @@ -969,6 +971,7 @@ "Contact$InitialContactId": "

If this contact is related to other contacts, this is the ID of the initial contact.

", "Contact$PreviousContactId": "

If this contact is not the first contact, this is the ID of the previous contact.

", "Contact$RelatedContactId": "

The contactId that is related to this contact.

", + "CreateParticipantRequest$ContactId": "

The identifier of the contact in this instance of Amazon Connect. Only contacts in the CHAT channel are supported.

", "DescribeContactRequest$ContactId": "

The identifier of the contact.

", "DismissUserContactRequest$ContactId": "

The identifier of the contact.

", "GetContactAttributesRequest$InitialContactId": "

The identifier of the initial contact.

", @@ -1110,6 +1113,16 @@ "refs": { } }, + "CreateParticipantRequest": { + "base": null, + "refs": { + } + }, + "CreateParticipantResponse": { + "base": null, + "refs": { + } + }, "CreateQueueRequest": { "base": null, "refs": { @@ -1738,7 +1751,8 @@ "DisplayName": { "base": null, "refs": { - "ParticipantDetails$DisplayName": "

Display name of the participant.

" + "ParticipantDetails$DisplayName": "

Display name of the participant.

", + "ParticipantDetailsToAdd$DisplayName": "

The display name of the participant.

" } }, "Distribution": { @@ -2205,6 +2219,12 @@ "HoursOfOperationConfig$EndTime": "

The end time that your contact center closes.

" } }, + "ISO8601Datetime": { + "base": null, + "refs": { + "ParticipantTokenCredentials$Expiry": "

The expiration of the token. It's specified in ISO 8601 format: yyyy-MM-ddThh:mm:ss.SSSZ. For example, 2019-11-08T02:41:28.172Z.

" + } + }, "IdempotencyException": { "base": "

An entity with the same name already exists.

", "refs": { @@ -2265,6 +2285,7 @@ "CreateHoursOfOperationRequest$InstanceId": "

The identifier of the Amazon Connect instance. You can find the instance ID in the Amazon Resource Name (ARN) of the instance.

", "CreateInstanceResponse$Id": "

The identifier for the instance.

", "CreateIntegrationAssociationRequest$InstanceId": "

The identifier of the Amazon Connect instance. You can find the instance ID in the Amazon Resource Name (ARN) of the instance.

", + "CreateParticipantRequest$InstanceId": "

The identifier of the Amazon Connect instance. You can find the instance ID in the Amazon Resource Name (ARN) of the instance.

", "CreateQueueRequest$InstanceId": "

The identifier of the Amazon Connect instance. You can find the instance ID in the Amazon Resource Name (ARN) of the instance.

", "CreateQuickConnectRequest$InstanceId": "

The identifier of the Amazon Connect instance. You can find the instance ID in the Amazon Resource Name (ARN) of the instance.

", "CreateRoutingProfileRequest$InstanceId": "

The identifier of the Amazon Connect instance. You can find the instance ID in the Amazon Resource Name (ARN) of the instance.

", @@ -3347,12 +3368,25 @@ "StartChatContactRequest$ParticipantDetails": "

Information identifying the participant.

" } }, + "ParticipantDetailsToAdd": { + "base": "

The details to add for the participant.

", + "refs": { + "CreateParticipantRequest$ParticipantDetails": "

Information identifying the participant.

The only Valid value for ParticipantRole is CUSTOM_BOT.

DisplayName is Required.

" + } + }, "ParticipantId": { "base": null, "refs": { + "CreateParticipantResponse$ParticipantId": "

The identifier for a chat participant. The participantId for a chat participant is the same throughout the chat lifecycle.

", "StartChatContactResponse$ParticipantId": "

The identifier for a chat participant. The participantId for a chat participant is the same throughout the chat lifecycle.

" } }, + "ParticipantRole": { + "base": null, + "refs": { + "ParticipantDetailsToAdd$ParticipantRole": "

The role of the participant being added.

" + } + }, "ParticipantTimerAction": { "base": null, "refs": { @@ -3392,9 +3426,16 @@ "ParticipantToken": { "base": null, "refs": { + "ParticipantTokenCredentials$ParticipantToken": "

The token used by the chat participant to call CreateParticipantConnection. The participant token is valid for the lifetime of a chat participant.

", "StartChatContactResponse$ParticipantToken": "

The token used by the chat participant to call CreateParticipantConnection. The participant token is valid for the lifetime of a chat participant.

" } }, + "ParticipantTokenCredentials": { + "base": "

The credentials used by the participant.

", + "refs": { + "CreateParticipantResponse$ParticipantCredentials": "

The token used by the chat participant to call CreateParticipantConnection. The participant token is valid for the lifetime of a chat participant.

" + } + }, "Password": { "base": null, "refs": { @@ -4565,7 +4606,7 @@ "refs": { "HierarchyGroupCondition$Value": "

The value in the hierarchy group condition.

", "InstanceStatusReason$Message": "

The message.

", - "MetricFilterV2$MetricFilterKey": "

The key to use for filtering data.

Valid metric filter keys: INITIATION_METHOD, DISCONNECT_REASON

", + "MetricFilterV2$MetricFilterKey": "

The key to use for filtering data.

Valid metric filter keys: INITIATION_METHOD, DISCONNECT_REASON. These are the same values as the InitiationMethod and DisconnectReason in the contact record. For more information, see ContactTraceRecord in the Amazon Connect Administrator's Guide.

", "MetricFilterValueList$member": null, "PropertyValidationExceptionProperty$PropertyPath": "

The full property path.

", "StringCondition$FieldName": "

The name of the field in the string condition.

", diff --git a/models/apis/ecs/2014-11-13/docs-2.json b/models/apis/ecs/2014-11-13/docs-2.json index c52035b35f4..5cf68805d4f 100644 --- a/models/apis/ecs/2014-11-13/docs-2.json +++ b/models/apis/ecs/2014-11-13/docs-2.json @@ -236,8 +236,8 @@ "HealthCheck$retries": "

The number of times to retry a failed health check before the container is considered unhealthy. You may specify between 1 and 10 retries. The default value is 3.

", "HealthCheck$startPeriod": "

The optional grace period to provide containers time to bootstrap before failed health checks count towards the maximum number of retries. You can specify between 0 and 300 seconds. By default, the startPeriod is off.

If a health check succeeds within the startPeriod, then the container is considered healthy and any subsequent failures count toward the maximum number of retries.

", "LinuxParameters$sharedMemorySize": "

The value for the size (in MiB) of the /dev/shm volume. This parameter maps to the --shm-size option to docker run.

If you are using tasks that use the Fargate launch type, the sharedMemorySize parameter is not supported.

", - "LinuxParameters$maxSwap": "

The total amount of swap memory (in MiB) a container can use. This parameter will be translated to the --memory-swap option to docker run where the value would be the sum of the container memory plus the maxSwap value.

If a maxSwap value of 0 is specified, the container will not use swap. Accepted values are 0 or any positive integer. If the maxSwap parameter is omitted, the container will use the swap configuration for the container instance it is running on. A maxSwap value must be set for the swappiness parameter to be used.

If you're using tasks that use the Fargate launch type, the maxSwap parameter isn't supported.

", - "LinuxParameters$swappiness": "

This allows you to tune a container's memory swappiness behavior. A swappiness value of 0 will cause swapping to not happen unless absolutely necessary. A swappiness value of 100 will cause pages to be swapped very aggressively. Accepted values are whole numbers between 0 and 100. If the swappiness parameter is not specified, a default value of 60 is used. If a value is not specified for maxSwap then this parameter is ignored. This parameter maps to the --memory-swappiness option to docker run.

If you're using tasks that use the Fargate launch type, the swappiness parameter isn't supported.

", + "LinuxParameters$maxSwap": "

The total amount of swap memory (in MiB) a container can use. This parameter will be translated to the --memory-swap option to docker run where the value would be the sum of the container memory plus the maxSwap value.

If a maxSwap value of 0 is specified, the container will not use swap. Accepted values are 0 or any positive integer. If the maxSwap parameter is omitted, the container will use the swap configuration for the container instance it is running on. A maxSwap value must be set for the swappiness parameter to be used.

If you're using tasks that use the Fargate launch type, the maxSwap parameter isn't supported.

If you're using tasks on Amazon Linux 2023 the swappiness parameter isn't supported.

", + "LinuxParameters$swappiness": "

This allows you to tune a container's memory swappiness behavior. A swappiness value of 0 will cause swapping to not happen unless absolutely necessary. A swappiness value of 100 will cause pages to be swapped very aggressively. Accepted values are whole numbers between 0 and 100. If the swappiness parameter is not specified, a default value of 60 is used. If a value is not specified for maxSwap then this parameter is ignored. This parameter maps to the --memory-swappiness option to docker run.

If you're using tasks that use the Fargate launch type, the swappiness parameter isn't supported.

If you're using tasks on Amazon Linux 2023 the swappiness parameter isn't supported.

", "ListAttributesRequest$maxResults": "

The maximum number of cluster results that ListAttributes returned in paginated output. When this parameter is used, ListAttributes only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another ListAttributes request with the returned nextToken value. This value can be between 1 and 100. If this parameter isn't used, then ListAttributes returns up to 100 results and a nextToken value if applicable.

", "ListClustersRequest$maxResults": "

The maximum number of cluster results that ListClusters returned in paginated output. When this parameter is used, ListClusters only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another ListClusters request with the returned nextToken value. This value can be between 1 and 100. If this parameter isn't used, then ListClusters returns up to 100 results and a nextToken value if applicable.

", "ListContainerInstancesRequest$maxResults": "

The maximum number of container instance results that ListContainerInstances returned in paginated output. When this parameter is used, ListContainerInstances only returns maxResults results in a single page along with a nextToken response element. The remaining results of the initial request can be seen by sending another ListContainerInstances request with the returned nextToken value. This value can be between 1 and 100. If this parameter isn't used, then ListContainerInstances returns up to 100 results and a nextToken value if applicable.

", @@ -1562,7 +1562,7 @@ } }, "PortMapping": { - "base": "

Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition.

If you use containers in a task with the awsvpc or host network mode, specify the exposed ports using containerPort. The hostPort can be left blank or it must be the same value as the containerPort.

You can't expose the same container port for multiple protocols. If you attempt this, an error is returned.

After a task reaches the RUNNING status, manual and automatic host and container port assignments are visible in the networkBindings section of DescribeTasks API responses.

", + "base": "

Port mappings allow containers to access ports on the host container instance to send or receive traffic. Port mappings are specified as part of the container definition.

If you use containers in a task with the awsvpc or host network mode, specify the exposed ports using containerPort. The hostPort can be left blank or it must be the same value as the containerPort.

Most fields of this parameter (containerPort, hostPort, protocol) maps to PortBindings in the Create a container section of the Docker Remote API and the --publish option to docker run . If the network mode of a task definition is set to host, host ports must either be undefined or match the container port in the port mapping.

You can't expose the same container port for multiple protocols. If you attempt this, an error is returned.

After a task reaches the RUNNING status, manual and automatic host and container port assignments are visible in the networkBindings section of DescribeTasks API responses.

", "refs": { "PortMappingList$member": null } @@ -1935,7 +1935,7 @@ "refs": { "DeleteAccountSettingRequest$name": "

The resource name to disable the account setting for. If serviceLongArnFormat is specified, the ARN for your Amazon ECS services is affected. If taskLongArnFormat is specified, the ARN and resource ID for your Amazon ECS tasks is affected. If containerInstanceLongArnFormat is specified, the ARN and resource ID for your Amazon ECS container instances is affected. If awsvpcTrunking is specified, the ENI limit for your Amazon ECS container instances is affected.

", "ListAccountSettingsRequest$name": "

The name of the account setting you want to list the settings for.

", - "PutAccountSettingDefaultRequest$name": "

The resource name for which to modify the account setting. If serviceLongArnFormat is specified, the ARN for your Amazon ECS services is affected. If taskLongArnFormat is specified, the ARN and resource ID for your Amazon ECS tasks is affected. If containerInstanceLongArnFormat is specified, the ARN and resource ID for your Amazon ECS container instances is affected. If awsvpcTrunking is specified, the ENI limit for your Amazon ECS container instances is affected. If containerInsights is specified, the default setting for Amazon Web Services CloudWatch Container Insights for your clusters is affected. If tagResourceAuthorization is specified, the opt-in option for tagging resources on creation is affected. For information about the opt-in timeline, see Tagging authorization timeline in the Amazon ECS Developer Guide.

When you specify fargateFIPSMode for the name and enabled for the value, Fargate uses FIPS-140 compliant cryptographic algorithms on your tasks. For more information about FIPS-140 compliance with Fargate, see Amazon Web Services Fargate Federal Information Processing Standard (FIPS) 140-2 compliance in the Amazon Elastic Container Service Developer Guide.

", + "PutAccountSettingDefaultRequest$name": "

The resource name for which to modify the account setting. If serviceLongArnFormat is specified, the ARN for your Amazon ECS services is affected. If taskLongArnFormat is specified, the ARN and resource ID for your Amazon ECS tasks is affected. If containerInstanceLongArnFormat is specified, the ARN and resource ID for your Amazon ECS container instances is affected. If awsvpcTrunking is specified, the ENI limit for your Amazon ECS container instances is affected. If containerInsights is specified, the default setting for Amazon Web Services CloudWatch Container Insights for your clusters is affected. If tagResourceAuthorization is specified, the opt-in option for tagging resources on creation is affected. For information about the opt-in timeline, see Tagging authorization timeline in the Amazon ECS Developer Guide.

When you specify fargateFIPSMode for the name and enabled for the value, Fargate uses FIPS-140 compliant cryptographic algorithms on your tasks. For more information about FIPS-140 compliance with Fargate, see Amazon Web Services Fargate Federal Information Processing Standard (FIPS) 140-2 compliance in the Amazon Elastic Container Service Developer Guide.

", "PutAccountSettingRequest$name": "

The Amazon ECS resource name for which to modify the account setting. If serviceLongArnFormat is specified, the ARN for your Amazon ECS services is affected. If taskLongArnFormat is specified, the ARN and resource ID for your Amazon ECS tasks is affected. If containerInstanceLongArnFormat is specified, the ARN and resource ID for your Amazon ECS container instances is affected. If awsvpcTrunking is specified, the elastic network interface (ENI) limit for your Amazon ECS container instances is affected. If containerInsights is specified, the default setting for Amazon Web Services CloudWatch Container Insights for your clusters is affected. If fargateFIPSMode is specified, Fargate FIPS 140 compliance is affected. If tagResourceAuthorization is specified, the opt-in option for tagging resources on creation is affected. For information about the opt-in timeline, see Tagging authorization timeline in the Amazon ECS Developer Guide.

", "Setting$name": "

The Amazon ECS resource name.

" } diff --git a/models/apis/fms/2018-01-01/api-2.json b/models/apis/fms/2018-01-01/api-2.json index 8810717fd32..fdbe01a160e 100644 --- a/models/apis/fms/2018-01-01/api-2.json +++ b/models/apis/fms/2018-01-01/api-2.json @@ -184,6 +184,21 @@ {"shape":"InternalErrorException"} ] }, + "GetAdminScope":{ + "name":"GetAdminScope", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"GetAdminScopeRequest"}, + "output":{"shape":"GetAdminScopeResponse"}, + "errors":[ + {"shape":"InvalidOperationException"}, + {"shape":"InvalidInputException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InternalErrorException"} + ] + }, "GetAppsList":{ "name":"GetAppsList", "http":{ @@ -314,6 +329,34 @@ {"shape":"InternalErrorException"} ] }, + "ListAdminAccountsForOrganization":{ + "name":"ListAdminAccountsForOrganization", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListAdminAccountsForOrganizationRequest"}, + "output":{"shape":"ListAdminAccountsForOrganizationResponse"}, + "errors":[ + {"shape":"InvalidOperationException"}, + {"shape":"ResourceNotFoundException"}, + {"shape":"InternalErrorException"} + ] + }, + "ListAdminsManagingAccount":{ + "name":"ListAdminsManagingAccount", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ListAdminsManagingAccountRequest"}, + "output":{"shape":"ListAdminsManagingAccountResponse"}, + "errors":[ + {"shape":"ResourceNotFoundException"}, + {"shape":"InvalidInputException"}, + {"shape":"InternalErrorException"} + ] + }, "ListAppsLists":{ "name":"ListAppsLists", "http":{ 
@@ -457,6 +500,20 @@ {"shape":"InternalErrorException"} ] }, + "PutAdminAccount":{ + "name":"PutAdminAccount", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"PutAdminAccountRequest"}, + "errors":[ + {"shape":"InvalidOperationException"}, + {"shape":"InvalidInputException"}, + {"shape":"InternalErrorException"}, + {"shape":"LimitExceededException"} + ] + }, "PutAppsList":{ "name":"PutAppsList", "http":{ @@ -577,6 +634,22 @@ "type":"list", "member":{"shape":"AWSAccountId"} }, + "AWSRegion":{ + "type":"string", + "max":32, + "min":6, + "pattern":"^(af|ap|ca|eu|il|me|mx|sa|us|cn|us-gov)-\\w+-\\d+$" + }, + "AWSRegionList":{ + "type":"list", + "member":{"shape":"AWSRegion"}, + "max":64, + "min":0 + }, + "AccountIdList":{ + "type":"list", + "member":{"shape":"AWSAccountId"} + }, "AccountRoleStatus":{ "type":"string", "enum":[ @@ -587,6 +660,14 @@ "DELETED" ] }, + "AccountScope":{ + "type":"structure", + "members":{ + "Accounts":{"shape":"AccountIdList"}, + "AllAccountsEnabled":{"shape":"Boolean"}, + "ExcludeSpecifiedAccounts":{"shape":"Boolean"} + } + }, "ActionTarget":{ "type":"structure", "members":{ @@ -594,6 +675,27 @@ "Description":{"shape":"LengthBoundedString"} } }, + "AdminAccountSummary":{ + "type":"structure", + "members":{ + "AdminAccount":{"shape":"AWSAccountId"}, + "DefaultAdmin":{"shape":"Boolean"}, + "Status":{"shape":"OrganizationStatus"} + } + }, + "AdminAccountSummaryList":{ + "type":"list", + "member":{"shape":"AdminAccountSummary"} + }, + "AdminScope":{ + "type":"structure", + "members":{ + "AccountScope":{"shape":"AccountScope"}, + "OrganizationalUnitScope":{"shape":"OrganizationalUnitScope"}, + "RegionScope":{"shape":"RegionScope"}, + "PolicyTypeScope":{"shape":"PolicyTypeScope"} + } + }, "App":{ "type":"structure", "required":[ 
@@ -789,6 +891,13 @@ "key":{"shape":"CustomerPolicyScopeIdType"}, "value":{"shape":"CustomerPolicyScopeIdList"} }, + "CustomerPolicyStatus":{ + "type":"string", + "enum":[ + "ACTIVE", + "OUT_OF_ADMIN_SCOPE" + ] + }, "DeleteAppsListRequest":{ "type":"structure", "required":["ListId"], @@ -1101,6 +1210,20 @@ "RoleStatus":{"shape":"AccountRoleStatus"} } }, + "GetAdminScopeRequest":{ + "type":"structure", + "required":["AdminAccount"], + "members":{ + "AdminAccount":{"shape":"AWSAccountId"} + } + }, + "GetAdminScopeResponse":{ + "type":"structure", + "members":{ + "AdminScope":{"shape":"AdminScope"}, + "Status":{"shape":"OrganizationStatus"} + } + }, "GetAppsListRequest":{ "type":"structure", "required":["ListId"], @@ -1312,6 +1435,34 @@ }, "exception":true }, + "ListAdminAccountsForOrganizationRequest":{ + "type":"structure", + "members":{ + "NextToken":{"shape":"PaginationToken"}, + "MaxResults":{"shape":"PaginationMaxResults"} + } + }, + "ListAdminAccountsForOrganizationResponse":{ + "type":"structure", + "members":{ + "AdminAccounts":{"shape":"AdminAccountSummaryList"}, + "NextToken":{"shape":"PaginationToken"} + } + }, + "ListAdminsManagingAccountRequest":{ + "type":"structure", + "members":{ + "NextToken":{"shape":"PaginationToken"}, + "MaxResults":{"shape":"PaginationMaxResults"} + } + }, + "ListAdminsManagingAccountResponse":{ + "type":"structure", + "members":{ + "AdminAccounts":{"shape":"AccountIdList"}, + "NextToken":{"shape":"PaginationToken"} + } + }, "ListAppsListsRequest":{ "type":"structure", "required":["MaxResults"], @@ -1479,7 +1630,7 @@ }, "ManagedServiceData":{ "type":"string", - "max":8192, + "max":10000, "min":1, "pattern":"^((?!\\\\[nr]).)+" }, 
@@ -1662,6 +1813,33 @@ "type":"list", "member":{"shape":"RemediationActionWithOrder"} }, + "OrganizationStatus":{ + "type":"string", + "enum":[ + "ONBOARDING", + "ONBOARDING_COMPLETE", + "OFFBOARDING", + "OFFBOARDING_COMPLETE" + ] + }, + "OrganizationalUnitId":{ + "type":"string", + "max":68, + "min":16, + "pattern":"^ou-[0-9a-z]{4,32}-[a-z0-9]{8,32}$" + }, + "OrganizationalUnitIdList":{ + "type":"list", + "member":{"shape":"OrganizationalUnitId"} + }, + "OrganizationalUnitScope":{ + "type":"structure", + "members":{ + "OrganizationalUnits":{"shape":"OrganizationalUnitIdList"}, + "AllOrganizationalUnitsEnabled":{"shape":"Boolean"}, + "ExcludeSpecifiedOrganizationalUnits":{"shape":"Boolean"} + } + }, "PaginationMaxResults":{ "type":"integer", "max":100, @@ -1707,7 +1885,8 @@ "IncludeMap":{"shape":"CustomerPolicyScopeMap"}, "ExcludeMap":{"shape":"CustomerPolicyScopeMap"}, "ResourceSetIds":{"shape":"ResourceSetIds"}, - "PolicyDescription":{"shape":"ResourceDescription"} + "PolicyDescription":{"shape":"ResourceDescription"}, + "PolicyStatus":{"shape":"CustomerPolicyStatus"} } }, "PolicyComplianceDetail":{ @@ -1767,13 +1946,21 @@ "ResourceType":{"shape":"ResourceType"}, "SecurityServiceType":{"shape":"SecurityServiceType"}, "RemediationEnabled":{"shape":"Boolean"}, - "DeleteUnusedFMManagedResources":{"shape":"Boolean"} + "DeleteUnusedFMManagedResources":{"shape":"Boolean"}, + "PolicyStatus":{"shape":"CustomerPolicyStatus"} } }, "PolicySummaryList":{ "type":"list", "member":{"shape":"PolicySummary"} }, + "PolicyTypeScope":{ + "type":"structure", + "members":{ + "PolicyTypes":{"shape":"SecurityServiceTypeList"}, + "AllPolicyTypesEnabled":{"shape":"Boolean"} + } + }, "PolicyUpdateToken":{ "type":"string", "max":1024, 
@@ -1857,6 +2044,14 @@ "type":"list", "member":{"shape":"ProtocolsListDataSummary"} }, + "PutAdminAccountRequest":{ + "type":"structure", + "required":["AdminAccount"], + "members":{ + "AdminAccount":{"shape":"AWSAccountId"}, + "AdminScope":{"shape":"AdminScope"} + } + }, "PutAppsListRequest":{ "type":"structure", "required":["AppsList"], @@ -1933,6 +2128,13 @@ } }, "ReferenceRule":{"type":"string"}, + "RegionScope":{ + "type":"structure", + "members":{ + "Regions":{"shape":"AWSRegionList"}, + "AllRegionsEnabled":{"shape":"Boolean"} + } + }, "RemediationAction":{ "type":"structure", "members":{ @@ -2029,20 +2231,29 @@ "Description":{"shape":"Description"}, "UpdateToken":{"shape":"UpdateToken"}, "ResourceTypeList":{"shape":"ResourceTypeList"}, - "LastUpdateTime":{"shape":"TimeStamp"} + "LastUpdateTime":{"shape":"TimeStamp"}, + "ResourceSetStatus":{"shape":"ResourceSetStatus"} } }, "ResourceSetIds":{ "type":"list", "member":{"shape":"Base62Id"} }, + "ResourceSetStatus":{ + "type":"string", + "enum":[ + "ACTIVE", + "OUT_OF_ADMIN_SCOPE" + ] + }, "ResourceSetSummary":{ "type":"structure", "members":{ "Id":{"shape":"Base62Id"}, "Name":{"shape":"Name"}, "Description":{"shape":"Description"}, - "LastUpdateTime":{"shape":"TimeStamp"} + "LastUpdateTime":{"shape":"TimeStamp"}, + "ResourceSetStatus":{"shape":"ResourceSetStatus"} } }, "ResourceSetSummaryList":{ @@ -2201,6 +2412,12 @@ "IMPORT_NETWORK_FIREWALL" ] }, + "SecurityServiceTypeList":{ + "type":"list", + "member":{"shape":"SecurityServiceType"}, + "max":32, + "min":0 + }, "StatefulEngineOptions":{ "type":"structure", "members":{ diff --git a/models/apis/fms/2018-01-01/docs-2.json b/models/apis/fms/2018-01-01/docs-2.json index 929677525b9..66e428ba17c 100644 --- a/models/apis/fms/2018-01-01/docs-2.json +++ b/models/apis/fms/2018-01-01/docs-2.json @@ -1,8 +1,8 @@ { "version": "2.0", - "service": "

This is the Firewall Manager API Reference. This guide is for developers who need detailed information about the Firewall Manager API actions, data types, and errors. For detailed information about Firewall Manager features, see the Firewall Manager Developer Guide.

Some API actions require explicit resource permissions. For information, see the developer guide topic Firewall Manager required permissions for API actions.

", + "service": "

This is the Firewall Manager API Reference. This guide is for developers who need detailed information about the Firewall Manager API actions, data types, and errors. For detailed information about Firewall Manager features, see the Firewall Manager Developer Guide.

Some API actions require explicit resource permissions. For information, see the developer guide topic Service roles for Firewall Manager.

", "operations": { - "AssociateAdminAccount": "

Sets the Firewall Manager administrator account. The account must be a member of the organization in Organizations whose resources you want to protect. Firewall Manager sets the permissions that allow the account to administer your Firewall Manager policies.

The account that you associate with Firewall Manager is called the Firewall Manager administrator account.

", + "AssociateAdminAccount": "

Sets a Firewall Manager default administrator account. The Firewall Manager default administrator account can manage third-party firewalls and has full administrative scope that allows administration of all policy types, accounts, organizational units, and Regions. This account must be a member account of the organization in Organizations whose resources you want to protect.

For information about working with Firewall Manager administrator accounts, see Managing Firewall Manager administrators in the Firewall Manager Developer Guide.

", "AssociateThirdPartyFirewall": "

Sets the Firewall Manager policy administrator as a tenant administrator of a third-party firewall service. A tenant is an instance of the third-party firewall service that's associated with your Amazon Web Services customer account.

", "BatchAssociateResource": "

Associate resources to a Firewall Manager resource set.

", "BatchDisassociateResource": "

Disassociates resources from a Firewall Manager resource set.

", @@ -11,9 +11,10 @@ "DeletePolicy": "

Permanently deletes an Firewall Manager policy.

", "DeleteProtocolsList": "

Permanently deletes an Firewall Manager protocols list.

", "DeleteResourceSet": "

Deletes the specified ResourceSet.

", - "DisassociateAdminAccount": "

Disassociates the account that has been set as the Firewall Manager administrator account. To set a different account as the administrator account, you must submit an AssociateAdminAccount request.

", + "DisassociateAdminAccount": "

Disassociates an Firewall Manager administrator account. To set a different account as an Firewall Manager administrator, submit a PutAdminAccount request. To set an account as a default administrator account, you must submit an AssociateAdminAccount request.

Disassociation of the default administrator account follows the first in, last out principle. If you are the default administrator, all Firewall Manager administrators within the organization must first disassociate their accounts before you can disassociate your account.

", "DisassociateThirdPartyFirewall": "

Disassociates a Firewall Manager policy administrator from a third-party firewall tenant. When you call DisassociateThirdPartyFirewall, the third-party firewall vendor deletes all of the firewalls that are associated with the account.

", - "GetAdminAccount": "

Returns the Organizations account that is associated with Firewall Manager as the Firewall Manager administrator.

", + "GetAdminAccount": "

Returns the Organizations account that is associated with Firewall Manager as the Firewall Manager default administrator.

", + "GetAdminScope": "

Returns information about the specified account's administrative scope. The admistrative scope defines the resources that an Firewall Manager administrator can manage.

", "GetAppsList": "

Returns information about the specified Firewall Manager applications list.

", "GetComplianceDetail": "

Returns detailed compliance information about the specified member account. Details include resources that are in and out of compliance with the specified policy.

", "GetNotificationChannel": "

Information about the Amazon Simple Notification Service (SNS) topic that is used to record Firewall Manager SNS logs.

", @@ -23,18 +24,21 @@ "GetResourceSet": "

Gets information about a specific resource set.

", "GetThirdPartyFirewallAssociationStatus": "

The onboarding status of a Firewall Manager admin account to third-party firewall vendor tenant.

", "GetViolationDetails": "

Retrieves violations for a resource based on the specified Firewall Manager policy and Amazon Web Services account.

", + "ListAdminAccountsForOrganization": "

Returns a AdminAccounts object that lists the Firewall Manager administrators within the organization that are onboarded to Firewall Manager by AssociateAdminAccount.

This operation can be called only from the organization's management account.

", + "ListAdminsManagingAccount": "

Lists the accounts that are managing the specified Organizations member account. This is useful for any member account so that they can view the accounts who are managing their account. This operation only returns the managing administrators that have the requested account within their AdminScope.

", "ListAppsLists": "

Returns an array of AppsListDataSummary objects.

", "ListComplianceStatus": "

Returns an array of PolicyComplianceStatus objects. Use PolicyComplianceStatus to get a summary of which member accounts are protected by the specified policy.

", "ListDiscoveredResources": "

Returns an array of resources in the organization's accounts that are available to be associated with a resource set.

", - "ListMemberAccounts": "

Returns a MemberAccounts object that lists the member accounts in the administrator's Amazon Web Services organization.

The ListMemberAccounts must be submitted by the account that is set as the Firewall Manager administrator.

", + "ListMemberAccounts": "

Returns a MemberAccounts object that lists the member accounts in the administrator's Amazon Web Services organization.

Either an Firewall Manager administrator or the organization's management account can make this request.

", "ListPolicies": "

Returns an array of PolicySummary objects.

", "ListProtocolsLists": "

Returns an array of ProtocolsListDataSummary objects.

", "ListResourceSetResources": "

Returns an array of resources that are currently associated to a resource set.

", "ListResourceSets": "

Returns an array of ResourceSetSummary objects.

", "ListTagsForResource": "

Retrieves the list of tags for the specified Amazon Web Services resource.

", "ListThirdPartyFirewallFirewallPolicies": "

Retrieves a list of all of the third-party firewall policies that are associated with the third-party firewall administrator's account.

", + "PutAdminAccount": "

Creates or updates an Firewall Manager administrator account. The account must be a member of the organization that was onboarded to Firewall Manager by AssociateAdminAccount. Only the organization's management account can create an Firewall Manager administrator account. When you create an Firewall Manager administrator account, the service checks to see if the account is already a delegated administrator within Organizations. If the account isn't a delegated administrator, Firewall Manager calls Organizations to delegate the account within Organizations. For more information about administrator accounts within Organizations, see Managing the Amazon Web Services Accounts in Your Organization.

", "PutAppsList": "

Creates an Firewall Manager applications list.

", - "PutNotificationChannel": "

Designates the IAM role and Amazon Simple Notification Service (SNS) topic that Firewall Manager uses to record SNS logs.

To perform this action outside of the console, you must configure the SNS topic to allow the Firewall Manager role AWSServiceRoleForFMS to publish SNS logs. For more information, see Firewall Manager required permissions for API actions in the Firewall Manager Developer Guide.

", + "PutNotificationChannel": "

Designates the IAM role and Amazon Simple Notification Service (SNS) topic that Firewall Manager uses to record SNS logs.

To perform this action outside of the console, you must first configure the SNS topic's access policy to allow the SnsRoleName to publish SNS logs. If the SnsRoleName provided is a role other than the AWSServiceRoleForFMS service-linked role, this role must have a trust relationship configured to allow the Firewall Manager service principal fms.amazonaws.com to assume this role. For information about configuring an SNS access policy, see Service roles for Firewall Manager in the Firewall Manager Developer Guide.

", "PutPolicy": "

Creates an Firewall Manager policy.

Firewall Manager provides the following types of policies:

Each policy is specific to one of the types. If you want to enforce more than one policy type across accounts, create multiple policies. You can create multiple policies for each type.

You must be subscribed to Shield Advanced to create a Shield Advanced policy. For more information about subscribing to Shield Advanced, see CreateSubscription.

", "PutProtocolsList": "

Creates an Firewall Manager protocols list.

", "PutResourceSet": "

Creates the resource set.

An Firewall Manager resource set defines the resources to import into an Firewall Manager policy from another Amazon Web Services service.

", @@ -46,9 +50,12 @@ "base": null, "refs": { "AWSAccountIdList$member": null, - "AssociateAdminAccountRequest$AdminAccount": "

The Amazon Web Services account ID to associate with Firewall Manager as the Firewall Manager administrator account. This must be an Organizations member account. For more information about Organizations, see Managing the Amazon Web Services Accounts in Your Organization.

", + "AccountIdList$member": null, + "AdminAccountSummary$AdminAccount": "

The Amazon Web Services account ID of the Firewall Manager administrator's account.

", + "AssociateAdminAccountRequest$AdminAccount": "

The Amazon Web Services account ID to associate with Firewall Manager as the Firewall Manager default administrator account. This account must be a member account of the organization in Organizations whose resources you want to protect. For more information about Organizations, see Managing the Amazon Web Services Accounts in Your Organization.

", "DiscoveredResource$AccountId": "

The Amazon Web Services account ID associated with the discovered resource.

", - "GetAdminAccountResponse$AdminAccount": "

The Amazon Web Services account that is set as the Firewall Manager administrator.

", + "GetAdminAccountResponse$AdminAccount": "

The account that is set as the Firewall Manager default administrator.

", + "GetAdminScopeRequest$AdminAccount": "

The administator account that you want to get the details for.

", "GetComplianceDetailRequest$MemberAccount": "

The Amazon Web Services account that owns the resources that you want to get the details for.

", "GetProtectionStatusRequest$MemberAccountId": "

The Amazon Web Services account that is in scope of the policy that you want to get the details for.

", "GetProtectionStatusResponse$AdminAccountId": "

The ID of the Firewall Manager administrator account for this policy.

", @@ -58,6 +65,7 @@ "PolicyComplianceDetail$MemberAccount": "

The Amazon Web Services account ID.

", "PolicyComplianceStatus$PolicyOwner": "

The Amazon Web Services account that created the Firewall Manager policy.

", "PolicyComplianceStatus$MemberAccount": "

The member account ID.

", + "PutAdminAccountRequest$AdminAccount": "

The Amazon Web Services account ID to add as an Firewall Manager administrator account. The account must be a member of the organization that was onboarded to Firewall Manager by AssociateAdminAccount. For more information about Organizations, see Managing the Amazon Web Services Accounts in Your Organization.

", "Resource$AccountId": "

The Amazon Web Services account ID that the associated resource belongs to.

", "ViolationDetail$MemberAccount": "

The Amazon Web Services account that the violation details were requested for.

" } @@ -68,10 +76,35 @@ "ListDiscoveredResourcesRequest$MemberAccountIds": "

The Amazon Web Services account IDs to discover resources in. Only one account is supported per request. The account must be a member of your organization.

" } }, + "AWSRegion": { + "base": null, + "refs": { + "AWSRegionList$member": null + } + }, + "AWSRegionList": { + "base": null, + "refs": { + "RegionScope$Regions": "

The Amazon Web Services Regions that the specified Firewall Manager administrator can perform actions in.

" + } + }, + "AccountIdList": { + "base": null, + "refs": { + "AccountScope$Accounts": "

The list of accounts within the organization that the specified Firewall Manager administrator either can or cannot apply policies to, based on the value of ExcludeSpecifiedAccounts. If ExcludeSpecifiedAccounts is set to true, then the Firewall Manager administrator can apply policies to all members of the organization except for the accounts in this list. If ExcludeSpecifiedAccounts is set to false, then the Firewall Manager administrator can only apply policies to the accounts in this list.

", + "ListAdminsManagingAccountResponse$AdminAccounts": "

The list of accounts who manage member accounts within their AdminScope.

" + } + }, "AccountRoleStatus": { "base": null, "refs": { - "GetAdminAccountResponse$RoleStatus": "

The status of the Amazon Web Services account that you set as the Firewall Manager administrator.

" + "GetAdminAccountResponse$RoleStatus": "

The status of the account that you set as the Firewall Manager default administrator.

" + } + }, + "AccountScope": { + "base": "

Configures the accounts within the administrator's Organizations organization that the specified Firewall Manager administrator can apply policies to.

", + "refs": { + "AdminScope$AccountScope": "

Defines the accounts that the specified Firewall Manager administrator can apply policies to.

" } }, "ActionTarget": { @@ -93,6 +126,25 @@ "EC2ReplaceRouteTableAssociationAction$RouteTableId": "

Information about the ID of the new route table to associate with the subnet.

" } }, + "AdminAccountSummary": { + "base": "

Contains high level information about the Firewall Manager administrator account.

", + "refs": { + "AdminAccountSummaryList$member": null + } + }, + "AdminAccountSummaryList": { + "base": null, + "refs": { + "ListAdminAccountsForOrganizationResponse$AdminAccounts": "

A list of Firewall Manager administrator accounts within the organization that were onboarded as administrators by AssociateAdminAccount or PutAdminAccount.

" + } + }, + "AdminScope": { + "base": "

Defines the resources that the Firewall Manager administrator can manage. For more information about administrative scope, see Managing Firewall Manager administrators in the Firewall Manager Developer Guide.

", + "refs": { + "GetAdminScopeResponse$AdminScope": "

Contains details about the administrative scope of the requested account.

", + "PutAdminAccountRequest$AdminScope": "

Configures the resources that the specified Firewall Manager administrator can manage. As a best practice, set the administrative scope according to the principles of least privilege. Only grant the administrator the specific resources or permissions that they need to perform the duties of their role.

" + } + }, "App": { "base": "

An individual Firewall Manager application.

", "refs": { @@ -170,8 +222,8 @@ "Base62Id": { "base": null, "refs": { - "DeleteResourceSetRequest$Identifier": "

A unique identifier for the resource set, used in a TODO to refer to the resource set.

", - "GetResourceSetRequest$Identifier": "

A unique identifier for the resource set, used in a TODO to refer to the resource set.

", + "DeleteResourceSetRequest$Identifier": "

A unique identifier for the resource set, used in a request to refer to the resource set.

", + "GetResourceSetRequest$Identifier": "

A unique identifier for the resource set, used in a request to refer to the resource set.

", "ResourceSet$Id": "

A unique identifier for the resource set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

", "ResourceSetIds$member": null, "ResourceSetSummary$Id": "

A unique identifier for the resource set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

" @@ -207,6 +259,9 @@ "Boolean": { "base": null, "refs": { + "AccountScope$AllAccountsEnabled": "

A boolean value that indicates if the administrator can apply policies to all accounts within an organization. If true, the administrator can apply policies to all accounts within the organization. You can either enable management of all accounts through this operation, or you can specify a list of accounts to manage in AccountScope$Accounts. You cannot specify both.

", + "AccountScope$ExcludeSpecifiedAccounts": "

A boolean value that excludes the accounts in AccountScope$Accounts from the administrator's scope. If true, the Firewall Manager administrator can apply policies to all members of the organization except for the accounts listed in AccountScope$Accounts. You can either specify a list of accounts to exclude by AccountScope$Accounts, or you can enable management of all accounts by AccountScope$AllAccountsEnabled. You cannot specify both.

", + "AdminAccountSummary$DefaultAdmin": "

A boolean value that indicates if the administrator is the default administrator. If true, then this is the default administrator account. The default administrator can manage third-party firewalls and has full administrative scope. There is only one default administrator account per organization. For information about Firewall Manager default administrator accounts, see Managing Firewall Manager administrators in the Firewall Manager Developer Guide.

", "DeletePolicyRequest$DeleteAllPolicyResources": "

If True, the request performs cleanup according to the policy type.

For WAF and Shield Advanced policies, the cleanup does the following:

For security group policies, the cleanup does the following for each security group in the policy:

After the cleanup, in-scope resources are no longer protected by web ACLs in this policy. Protection of out-of-scope resources remains unchanged. Scope is determined by tags that you create and accounts that you associate with the policy. When creating the policy, if you specify that only resources in specific accounts or with specific tags are in scope of the policy, those accounts and resources are handled by the policy. All others are out of scope. If you don't specify tags or accounts, all resources are in scope.

", "EvaluationResult$EvaluationLimitExceeded": "

Indicates that over 100 resources are noncompliant with the Firewall Manager policy.

", "GetAppsListRequest$DefaultList": "

Specifies whether the list to retrieve is a default list owned by Firewall Manager.

", @@ -215,13 +270,17 @@ "ListProtocolsListsRequest$DefaultLists": "

Specifies whether the lists to retrieve are default lists owned by Firewall Manager.

", "NetworkFirewallInternetTrafficNotInspectedViolation$IsRouteTableUsedInDifferentAZ": "

Information about whether the route table is used in another Availability Zone.

", "NetworkFirewallInvalidRouteConfigurationViolation$IsRouteTableUsedInDifferentAZ": "

Information about whether the route table is used in another Availability Zone.

", + "OrganizationalUnitScope$AllOrganizationalUnitsEnabled": "

A boolean value that indicates if the administrator can apply policies to all OUs within an organization. If true, the administrator can manage all OUs within the organization. You can either enable management of all OUs through this operation, or you can specify OUs to manage in OrganizationalUnitScope$OrganizationalUnits. You cannot specify both.

", + "OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits": "

A boolean value that excludes the OUs in OrganizationalUnitScope$OrganizationalUnits from the administrator's scope. If true, the Firewall Manager administrator can apply policies to all OUs in the organization except for the OUs listed in OrganizationalUnitScope$OrganizationalUnits. You can either specify a list of OUs to exclude by OrganizationalUnitScope$OrganizationalUnits, or you can enable management of all OUs by OrganizationalUnitScope$AllOrganizationalUnitsEnabled. You cannot specify both.

", "Policy$ExcludeResourceTags": "

If set to True, resources with the tags that are specified in the ResourceTag array are not in scope of the policy. If set to False, and the ResourceTag array is not null, only resources with the specified tags are in scope of the policy.

", "Policy$RemediationEnabled": "

Indicates if the policy should be automatically applied to new resources.

", "Policy$DeleteUnusedFMManagedResources": "

Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.

This option is not available for Shield Advanced or WAF Classic policies.

", "PolicyComplianceDetail$EvaluationLimitExceeded": "

Indicates if over 100 resources are noncompliant with the Firewall Manager policy.

", "PolicySummary$RemediationEnabled": "

Indicates if the policy should be automatically applied to new resources.

", "PolicySummary$DeleteUnusedFMManagedResources": "

Indicates whether Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.

This option is not available for Shield Advanced or WAF Classic policies.

", + "PolicyTypeScope$AllPolicyTypesEnabled": "

Allows the specified Firewall Manager administrator to manage all Firewall Manager policy types, except for third-party policy types. Third-party policy types can only be managed by the Firewall Manager default administrator.

", "PossibleRemediationAction$IsDefaultAction": "

Information about whether an action is taken by default.

", + "RegionScope$AllRegionsEnabled": "

Allows the specified Firewall Manager administrator to manage all Amazon Web Services Regions.

", "SecurityGroupRemediationAction$IsDefaultAction": "

Indicates if the current action is the default action.

" } }, @@ -284,6 +343,13 @@ "Policy$ExcludeMap": "

Specifies the Amazon Web Services account IDs and Organizations organizational units (OUs) to exclude from the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an IncludeMap, Firewall Manager applies the policy to all accounts specified by the IncludeMap, and does not evaluate any ExcludeMap specifications. If you do not specify an IncludeMap, then Firewall Manager applies the policy to all accounts except for those specified by the ExcludeMap.

You can specify account IDs, OUs, or a combination:

" } }, + "CustomerPolicyStatus": { + "base": null, + "refs": { + "Policy$PolicyStatus": "

Indicates whether the policy is in or out of an admin's policy or Region scope.

", + "PolicySummary$PolicyStatus": "

Indicates whether the policy is in or out of an admin's policy or Region scope.

" + } + }, "DeleteAppsListRequest": { "base": null, "refs": { @@ -539,6 +605,16 @@ "refs": { } }, + "GetAdminScopeRequest": { + "base": null, + "refs": { + } + }, + "GetAdminScopeResponse": { + "base": null, + "refs": { + } + }, "GetAppsListRequest": { "base": null, "refs": { @@ -640,10 +716,10 @@ "Identifier": { "base": null, "refs": { - "BatchAssociateResourceRequest$ResourceSetIdentifier": "

A unique identifier for the resource set, used in a TODO to refer to the resource set.

", - "BatchAssociateResourceResponse$ResourceSetIdentifier": "

A unique identifier for the resource set, used in a TODO to refer to the resource set.

", - "BatchDisassociateResourceRequest$ResourceSetIdentifier": "

A unique identifier for the resource set, used in a TODO to refer to the resource set.

", - "BatchDisassociateResourceResponse$ResourceSetIdentifier": "

A unique identifier for the resource set, used in a TODO to refer to the resource set.

", + "BatchAssociateResourceRequest$ResourceSetIdentifier": "

A unique identifier for the resource set, used in a request to refer to the resource set.

", + "BatchAssociateResourceResponse$ResourceSetIdentifier": "

A unique identifier for the resource set, used in a request to refer to the resource set.

", + "BatchDisassociateResourceRequest$ResourceSetIdentifier": "

A unique identifier for the resource set, used in a request to refer to the resource set.

", + "BatchDisassociateResourceResponse$ResourceSetIdentifier": "

A unique identifier for the resource set, used in a request to refer to the resource set.

", "DiscoveredResource$URI": "

The universal resource identifier (URI) of the discovered resource.

", "FailedItem$URI": "

The univeral resource indicator (URI) of the resource that failed.

", "IdentifierList$member": null, @@ -736,6 +812,26 @@ "refs": { } }, + "ListAdminAccountsForOrganizationRequest": { + "base": null, + "refs": { + } + }, + "ListAdminAccountsForOrganizationResponse": { + "base": null, + "refs": { + } + }, + "ListAdminsManagingAccountRequest": { + "base": null, + "refs": { + } + }, + "ListAdminsManagingAccountResponse": { + "base": null, + "refs": { + } + }, "ListAppsListsRequest": { "base": null, "refs": { @@ -853,7 +949,7 @@ "base": null, "refs": { "FMSPolicyUpdateFirewallCreationConfigAction$FirewallCreationConfig": "

A FirewallCreationConfig that you can copy into your current policy's SecurityServiceData in order to remedy scope violations.

", - "SecurityServicePolicyData$ManagedServiceData": "

Details about the service that are specific to the service type, in JSON format.

" + "SecurityServicePolicyData$ManagedServiceData": "

Details about the service that are specific to the service type, in JSON format.

" } }, "MarketplaceSubscriptionOnboardingStatus": { @@ -988,10 +1084,37 @@ "PossibleRemediationAction$OrderedRemediationActions": "

The ordered list of remediation actions.

" } }, + "OrganizationStatus": { + "base": null, + "refs": { + "AdminAccountSummary$Status": "

The current status of the request to onboard a member account as an Firewall Manager administator.

", + "GetAdminScopeResponse$Status": "

The current status of the request to onboard a member account as an Firewall Manager administator.

" + } + }, + "OrganizationalUnitId": { + "base": null, + "refs": { + "OrganizationalUnitIdList$member": null + } + }, + "OrganizationalUnitIdList": { + "base": null, + "refs": { + "OrganizationalUnitScope$OrganizationalUnits": "

The list of OUs within the organization that the specified Firewall Manager administrator either can or cannot apply policies to, based on the value of OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits. If OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits is set to true, then the Firewall Manager administrator can apply policies to all OUs in the organization except for the OUs in this list. If OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits is set to false, then the Firewall Manager administrator can only apply policies to the OUs in this list.

" + } + }, + "OrganizationalUnitScope": { + "base": "

Defines the Organizations organizational units (OUs) that the specified Firewall Manager administrator can apply policies to. For more information about OUs in Organizations, see Managing organizational units (OUs) in the Organizations User Guide.

", + "refs": { + "AdminScope$OrganizationalUnitScope": "

Defines the Organizations organizational units that the specified Firewall Manager administrator can apply policies to. For more information about OUs in Organizations, see Managing organizational units (OUs) in the Organizations User Guide.

" + } + }, "PaginationMaxResults": { "base": null, "refs": { "GetProtectionStatusRequest$MaxResults": "

Specifies the number of objects that you want Firewall Manager to return for this request. If you have more objects than the number that you specify for MaxResults, the response includes a NextToken value that you can use to get another batch of objects.

", + "ListAdminAccountsForOrganizationRequest$MaxResults": "

The maximum number of objects that you want Firewall Manager to return for this request. If more objects are available, in the response, Firewall Manager provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

", + "ListAdminsManagingAccountRequest$MaxResults": "

The maximum number of objects that you want Firewall Manager to return for this request. If more objects are available, in the response, Firewall Manager provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

", "ListAppsListsRequest$MaxResults": "

The maximum number of objects that you want Firewall Manager to return for this request. If more objects are available, in the response, Firewall Manager provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

If you don't specify this, Firewall Manager returns all available objects.

", "ListComplianceStatusRequest$MaxResults": "

Specifies the number of PolicyComplianceStatus objects that you want Firewall Manager to return for this request. If you have more PolicyComplianceStatus objects than the number that you specify for MaxResults, the response includes a NextToken value that you can use to get another batch of PolicyComplianceStatus objects.

", "ListDiscoveredResourcesRequest$MaxResults": "

The maximum number of objects that you want Firewall Manager to return for this request. If more objects are available, in the response, Firewall Manager provides a NextToken value that you can use in a subsequent call to get the next batch of objects.

", @@ -1008,6 +1131,10 @@ "refs": { "GetProtectionStatusRequest$NextToken": "

If you specify a value for MaxResults and you have more objects than the number that you specify for MaxResults, Firewall Manager returns a NextToken value in the response, which you can use to retrieve another group of objects. For the second and subsequent GetProtectionStatus requests, specify the value of NextToken from the previous response to get information about another batch of objects.

", "GetProtectionStatusResponse$NextToken": "

If you have more objects than the number that you specified for MaxResults in the request, the response includes a NextToken value. To list more objects, submit another GetProtectionStatus request, and specify the NextToken value from the response in the NextToken value in the next request.

Amazon Web Services SDKs provide auto-pagination that identify NextToken in a response and make subsequent request calls automatically on your behalf. However, this feature is not supported by GetProtectionStatus. You must submit subsequent requests with NextToken using your own processes.

", + "ListAdminAccountsForOrganizationRequest$NextToken": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

", + "ListAdminAccountsForOrganizationResponse$NextToken": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

", + "ListAdminsManagingAccountRequest$NextToken": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

", + "ListAdminsManagingAccountResponse$NextToken": "

When you request a list of objects with a MaxResults setting, if the number of objects that are still available for retrieval exceeds the maximum you requested, Firewall Manager returns a NextToken value in the response. To retrieve the next batch of objects, use the token returned from the prior request in your next request.

", "ListAppsListsRequest$NextToken": "

If you specify a value for MaxResults in your list request, and you have more objects than the maximum, Firewall Manager returns this token in the response. For all but the first request, you provide the token returned by the prior request in the request parameters, to retrieve the next batch of objects.

", "ListAppsListsResponse$NextToken": "

If you specify a value for MaxResults in your list request, and you have more objects than the maximum, Firewall Manager returns this token in the response. You can use this token in subsequent requests to retrieve the next batch of objects.

", "ListComplianceStatusRequest$NextToken": "

If you specify a value for MaxResults and you have more PolicyComplianceStatus objects than the number that you specify for MaxResults, Firewall Manager returns a NextToken value in the response that allows you to list another group of PolicyComplianceStatus objects. For the second and subsequent ListComplianceStatus requests, specify the value of NextToken from the previous response to get information about another batch of PolicyComplianceStatus objects.

", @@ -1107,6 +1234,12 @@ "ListPoliciesResponse$PolicyList": "

An array of PolicySummary objects.

" } }, + "PolicyTypeScope": { + "base": "

Defines the policy types that the specified Firewall Manager administrator can manage.

", + "refs": { + "AdminScope$PolicyTypeScope": "

Defines the Firewall Manager policy types that the specified Firewall Manager administrator can create and manage.

" + } + }, "PolicyUpdateToken": { "base": null, "refs": { @@ -1197,6 +1330,11 @@ "ListProtocolsListsResponse$ProtocolsLists": "

An array of ProtocolsListDataSummary objects.

" } }, + "PutAdminAccountRequest": { + "base": null, + "refs": { + } + }, "PutAppsListRequest": { "base": null, "refs": { @@ -1248,6 +1386,12 @@ "PartialMatch$Reference": "

The reference rule from the primary security group of the Firewall Manager policy.

" } }, + "RegionScope": { + "base": "

Defines the Amazon Web Services Regions that the specified Firewall Manager administrator can manage.

", + "refs": { + "AdminScope$RegionScope": "

Defines the Amazon Web Services Regions that the specified Firewall Manager administrator can perform actions in.

" + } + }, "RemediationAction": { "base": "

Information about an individual action you can take to remediate a violation.

", "refs": { @@ -1328,7 +1472,7 @@ "FirewallSubnetMissingVPCEndpointViolation$FirewallSubnetId": "

The ID of the firewall that this VPC endpoint is associated with.

", "FirewallSubnetMissingVPCEndpointViolation$VpcId": "

The resource ID of the VPC associated with the deleted VPC subnet.

", "GetViolationDetailsRequest$ResourceId": "

The ID of the resource that has violations.

", - "ListResourceSetResourcesRequest$Identifier": "

A unique identifier for the resource set, used in a TODO to refer to the resource set.

", + "ListResourceSetResourcesRequest$Identifier": "

A unique identifier for the resource set, used in a request to refer to the resource set.

", "NetworkFirewallBlackHoleRouteDetectedViolation$RouteTableId": "

Information about the route table ID.

", "NetworkFirewallBlackHoleRouteDetectedViolation$VpcId": "

Information about the VPC ID.

", "NetworkFirewallInternetTrafficNotInspectedViolation$SubnetId": "

The subnet ID.

", @@ -1427,6 +1571,13 @@ "Policy$ResourceSetIds": "

The unique identifiers of the resource sets used by the policy.

" } }, + "ResourceSetStatus": { + "base": null, + "refs": { + "ResourceSet$ResourceSetStatus": "

Indicates whether the resource set is in or out of an admin's Region scope.

", + "ResourceSetSummary$ResourceSetStatus": "

Indicates whether the resource set is in or out of an admin's Region scope.

" + } + }, "ResourceSetSummary": { "base": "

Summarizes the resource sets used in a policy.

", "refs": { @@ -1559,7 +1710,14 @@ "refs": { "GetProtectionStatusResponse$ServiceType": "

The service type that is protected by the policy. Currently, this is always SHIELD_ADVANCED.

", "PolicySummary$SecurityServiceType": "

The service that the policy is using to protect the resources. This specifies the type of policy that is created, either an WAF policy, a Shield Advanced policy, or a security group policy.

", - "SecurityServicePolicyData$Type": "

The service that the policy is using to protect the resources. This specifies the type of policy that is created, either an WAF policy, a Shield Advanced policy, or a security group policy. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting Amazon Web Services Support.

" + "SecurityServicePolicyData$Type": "

The service that the policy is using to protect the resources. This specifies the type of policy that is created, either an WAF policy, a Shield Advanced policy, or a security group policy. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting Amazon Web Services Support.

", + "SecurityServiceTypeList$member": null + } + }, + "SecurityServiceTypeList": { + "base": null, + "refs": { + "PolicyTypeScope$PolicyTypes": "

The list of policy types that the specified Firewall Manager administrator can manage.

" } }, "StatefulEngineOptions": { diff --git a/models/apis/fms/2018-01-01/endpoint-rule-set-1.json b/models/apis/fms/2018-01-01/endpoint-rule-set-1.json index 3851e455a3e..127a40b5796 100644 --- a/models/apis/fms/2018-01-01/endpoint-rule-set-1.json +++ b/models/apis/fms/2018-01-01/endpoint-rule-set-1.json @@ -3,7 +3,7 @@ "parameters": { "Region": { "builtIn": "AWS::Region", - "required": true, + "required": false, "documentation": "The AWS region used to dispatch the request.", "type": "String" }, @@ -32,13 +32,12 @@ { "conditions": [ { - "fn": "aws.partition", + "fn": "isSet", "argv": [ { - "ref": "Region" + "ref": "Endpoint" } - ], - "assign": "PartitionResult" + ] } ], "type": "tree", @@ -46,14 +45,20 @@ { "conditions": [ { - "fn": "isSet", + "fn": "booleanEquals", "argv": [ { - "ref": "Endpoint" - } + "ref": "UseFIPS" + }, + true ] } ], + "error": "Invalid Configuration: FIPS and custom endpoint are not supported", + "type": "error" + }, + { + "conditions": [], "type": "tree", "rules": [ { 
@@ -62,67 +67,42 @@ "fn": "booleanEquals", "argv": [ { - "ref": "UseFIPS" + "ref": "UseDualStack" }, true ] } ], - "error": "Invalid Configuration: FIPS and custom endpoint are not supported", + "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", "type": "error" }, { "conditions": [], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "error": "Invalid Configuration: Dualstack and custom endpoint are not supported", - "type": "error" + "endpoint": { + "url": { + "ref": "Endpoint" }, - { - "conditions": [], - "endpoint": { - "url": { - "ref": "Endpoint" - }, - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } - ] + "properties": {}, + "headers": {} + }, + "type": "endpoint" } ] - }, + } + ] + }, + { + "conditions": [], + "type": "tree", + "rules": [ { "conditions": [ { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" - }, - true - ] - }, - { - "fn": "booleanEquals", + "fn": "isSet", "argv": [ { - "ref": "UseDualStack" - }, - true + "ref": "Region" + } ] } ], 
@@ -131,90 +111,215 @@ { "conditions": [ { - "fn": "booleanEquals", + "fn": "aws.partition", "argv": [ - true, { - "fn": "getAttr", + "ref": "Region" + } + ], + "assign": "PartitionResult" + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + { + "ref": "UseFIPS" + }, + true + ] + }, + { + "fn": "booleanEquals", "argv": [ { - "ref": "PartitionResult" + "ref": "UseDualStack" + }, + true + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + true, + { + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } + ] }, - "supportsFIPS" + { + "fn": "booleanEquals", + "argv": [ + true, + { + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsDualStack" + ] + } + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [], + "type": "tree", + "rules": [ + { + "conditions": [], + "endpoint": { + "url": "https://fms-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" + } + ] + } ] + }, + { + "conditions": [], + "error": "FIPS and DualStack are enabled, but this partition does not support one or both", + "type": "error" } ] }, { - "fn": "booleanEquals", - "argv": [ - true, + "conditions": [ { - "fn": "getAttr", + "fn": "booleanEquals", "argv": [ { - "ref": "PartitionResult" + "ref": "UseFIPS" }, - "supportsDualStack" + true ] } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + true, + { + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsFIPS" + ] + } + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [], + "type": "tree", + "rules": [ + { + "conditions": [], + "endpoint": { + "url": "https://fms-fips.{Region}.{PartitionResult#dnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" + } + ] + } + ] + }, + { + "conditions": [], + "error": "FIPS 
is enabled but this partition does not support FIPS", + "type": "error" + } ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://fms-fips.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } - ] - }, - { - "conditions": [], - "error": "FIPS and DualStack are enabled, but this partition does not support one or both", - "type": "error" - } - ] - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseFIPS" }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ { - "fn": "booleanEquals", - "argv": [ - true, + "conditions": [ { - "fn": "getAttr", + "fn": "booleanEquals", "argv": [ { - "ref": "PartitionResult" + "ref": "UseDualStack" }, - "supportsFIPS" + true + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [ + { + "fn": "booleanEquals", + "argv": [ + true, + { + "fn": "getAttr", + "argv": [ + { + "ref": "PartitionResult" + }, + "supportsDualStack" + ] + } + ] + } + ], + "type": "tree", + "rules": [ + { + "conditions": [], + "type": "tree", + "rules": [ + { + "conditions": [], + "endpoint": { + "url": "https://fms.{Region}.{PartitionResult#dualStackDnsSuffix}", + "properties": {}, + "headers": {} + }, + "type": "endpoint" + } + ] + } ] + }, + { + "conditions": [], + "error": "DualStack is enabled but this partition does not support DualStack", + "type": "error" } ] - } - ], - "type": "tree", - "rules": [ + }, { "conditions": [], "type": "tree", @@ -222,7 +327,7 @@ { "conditions": [], "endpoint": { - "url": "https://fms-fips.{Region}.{PartitionResult#dnsSuffix}", + "url": "https://fms.{Region}.{PartitionResult#dnsSuffix}", "properties": {}, "headers": {} }, 
@@ -231,74 +336,13 @@ ] } ] - }, - { - "conditions": [], - "error": "FIPS is enabled but this partition does not support FIPS", - "type": "error" - } - ] - }, - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - { - "ref": "UseDualStack" - }, - true - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [ - { - "fn": "booleanEquals", - "argv": [ - true, - { - "fn": "getAttr", - "argv": [ - { - "ref": "PartitionResult" - }, - "supportsDualStack" - ] - } - ] - } - ], - "type": "tree", - "rules": [ - { - "conditions": [], - "endpoint": { - "url": "https://fms.{Region}.{PartitionResult#dualStackDnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" - } - ] - }, - { - "conditions": [], - "error": "DualStack is enabled but this partition does not support DualStack", - "type": "error" } ] }, { "conditions": [], - "endpoint": { - "url": "https://fms.{Region}.{PartitionResult#dnsSuffix}", - "properties": {}, - "headers": {} - }, - "type": "endpoint" + "error": "Invalid Configuration: Missing Region", + "type": "error" } ] } diff --git a/models/apis/fms/2018-01-01/endpoint-tests-1.json b/models/apis/fms/2018-01-01/endpoint-tests-1.json index 7dfd202b781..2307d65e701 100644 --- a/models/apis/fms/2018-01-01/endpoint-tests-1.json +++ b/models/apis/fms/2018-01-01/endpoint-tests-1.json 
@@ -1,460 +1,5 @@ { "testCases": [ - { - "documentation": "For region ap-south-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.ap-south-1.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "ap-south-1" - } - }, - { - "documentation": "For region ap-south-1 with FIPS enabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.ap-south-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "ap-south-1" - } - }, - { - "documentation": "For region ap-south-1 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.ap-south-1.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "ap-south-1" - } - }, - { - "documentation": "For region ap-south-1 with FIPS disabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms.ap-south-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-south-1" - } - }, - { - "documentation": "For region eu-south-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.eu-south-1.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "eu-south-1" - } - }, - { - "documentation": "For region eu-south-1 with FIPS enabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.eu-south-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "eu-south-1" - } - }, - { - "documentation": "For region eu-south-1 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.eu-south-1.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "eu-south-1" - } - }, - { - "documentation": "For region eu-south-1 with FIPS disabled and DualStack disabled", - 
"expect": { - "endpoint": { - "url": "https://fms.eu-south-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-south-1" - } - }, - { - "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.us-gov-east-1.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "us-gov-east-1" - } - }, - { - "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.us-gov-east-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "us-gov-east-1" - } - }, - { - "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.us-gov-east-1.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "us-gov-east-1" - } - }, - { - "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms.us-gov-east-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "us-gov-east-1" - } - }, - { - "documentation": "For region me-central-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.me-central-1.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "me-central-1" - } - }, - { - "documentation": "For region me-central-1 with FIPS enabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.me-central-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "me-central-1" - } - }, - { - "documentation": "For region me-central-1 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.me-central-1.api.aws" 
- } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "me-central-1" - } - }, - { - "documentation": "For region me-central-1 with FIPS disabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms.me-central-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "me-central-1" - } - }, - { - "documentation": "For region ca-central-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.ca-central-1.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "ca-central-1" - } - }, - { - "documentation": "For region ca-central-1 with FIPS enabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.ca-central-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "ca-central-1" - } - }, - { - "documentation": "For region ca-central-1 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.ca-central-1.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "ca-central-1" - } - }, - { - "documentation": "For region ca-central-1 with FIPS disabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms.ca-central-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "ca-central-1" - } - }, - { - "documentation": "For region eu-central-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.eu-central-1.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "eu-central-1" - } - }, - { - "documentation": "For region eu-central-1 with FIPS enabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.eu-central-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": 
"eu-central-1" - } - }, - { - "documentation": "For region eu-central-1 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.eu-central-1.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "eu-central-1" - } - }, - { - "documentation": "For region eu-central-1 with FIPS disabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms.eu-central-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-central-1" - } - }, - { - "documentation": "For region us-west-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.us-west-1.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "us-west-1" - } - }, - { - "documentation": "For region us-west-1 with FIPS enabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.us-west-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "us-west-1" - } - }, - { - "documentation": "For region us-west-1 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.us-west-1.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "us-west-1" - } - }, - { - "documentation": "For region us-west-1 with FIPS disabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms.us-west-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "us-west-1" - } - }, - { - "documentation": "For region us-west-2 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.us-west-2.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "us-west-2" - } - }, - { - "documentation": "For region us-west-2 with FIPS enabled and DualStack disabled", - "expect": { - 
"endpoint": { - "url": "https://fms-fips.us-west-2.amazonaws.com" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "us-west-2" - } - }, - { - "documentation": "For region us-west-2 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.us-west-2.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "us-west-2" - } - }, - { - "documentation": "For region us-west-2 with FIPS disabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms.us-west-2.amazonaws.com" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "us-west-2" - } - }, - { - "documentation": "For region af-south-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.af-south-1.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "af-south-1" - } - }, - { - "documentation": "For region af-south-1 with FIPS enabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.af-south-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "af-south-1" - } - }, - { - "documentation": "For region af-south-1 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.af-south-1.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "af-south-1" - } - }, { "documentation": "For region af-south-1 with FIPS disabled and DualStack disabled", "expect": { 
@@ -463,256 +8,100 @@ } }, "params": { + "Region": "af-south-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "af-south-1" - } - }, - { - "documentation": "For region eu-north-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.eu-north-1.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "eu-north-1" - } - }, - { - "documentation": "For region eu-north-1 with FIPS enabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.eu-north-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "eu-north-1" - } - }, - { - "documentation": "For region eu-north-1 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.eu-north-1.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "eu-north-1" - } - }, - { - "documentation": "For region eu-north-1 with FIPS disabled and DualStack disabled", - "expect": { - "endpoint": { - "url": "https://fms.eu-north-1.amazonaws.com" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-north-1" - } - }, - { - "documentation": "For region eu-west-3 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.eu-west-3.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "eu-west-3" + "UseDualStack": false } }, { - "documentation": "For region eu-west-3 with FIPS enabled and DualStack disabled", + "documentation": "For region af-south-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.eu-west-3.amazonaws.com" + "url": "https://fms-fips.af-south-1.amazonaws.com" } }, "params": { + "Region": "af-south-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "eu-west-3" - } - }, - { - "documentation": "For region eu-west-3 with FIPS disabled and DualStack 
enabled", - "expect": { - "endpoint": { - "url": "https://fms.eu-west-3.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "eu-west-3" + "UseDualStack": false } }, { - "documentation": "For region eu-west-3 with FIPS disabled and DualStack disabled", + "documentation": "For region ap-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.eu-west-3.amazonaws.com" + "url": "https://fms.ap-east-1.amazonaws.com" } }, "params": { + "Region": "ap-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-west-3" - } - }, - { - "documentation": "For region eu-west-2 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.eu-west-2.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "eu-west-2" + "UseDualStack": false } }, { - "documentation": "For region eu-west-2 with FIPS enabled and DualStack disabled", + "documentation": "For region ap-east-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.eu-west-2.amazonaws.com" + "url": "https://fms-fips.ap-east-1.amazonaws.com" } }, "params": { + "Region": "ap-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "eu-west-2" - } - }, - { - "documentation": "For region eu-west-2 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.eu-west-2.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "eu-west-2" + "UseDualStack": false } }, { - "documentation": "For region eu-west-2 with FIPS disabled and DualStack disabled", + "documentation": "For region ap-northeast-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.eu-west-2.amazonaws.com" + "url": "https://fms.ap-northeast-1.amazonaws.com" } }, "params": { + "Region": "ap-northeast-1", "UseFIPS": false, - "UseDualStack": false, - "Region": 
"eu-west-2" - } - }, - { - "documentation": "For region eu-west-1 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.eu-west-1.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "eu-west-1" + "UseDualStack": false } }, { - "documentation": "For region eu-west-1 with FIPS enabled and DualStack disabled", + "documentation": "For region ap-northeast-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.eu-west-1.amazonaws.com" + "url": "https://fms-fips.ap-northeast-1.amazonaws.com" } }, "params": { + "Region": "ap-northeast-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "eu-west-1" - } - }, - { - "documentation": "For region eu-west-1 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.eu-west-1.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "eu-west-1" + "UseDualStack": false } }, { - "documentation": "For region eu-west-1 with FIPS disabled and DualStack disabled", + "documentation": "For region ap-northeast-2 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.eu-west-1.amazonaws.com" + "url": "https://fms.ap-northeast-2.amazonaws.com" } }, "params": { + "Region": "ap-northeast-2", "UseFIPS": false, - "UseDualStack": false, - "Region": "eu-west-1" - } - }, - { - "documentation": "For region ap-northeast-3 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.ap-northeast-3.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "ap-northeast-3" + "UseDualStack": false } }, { - "documentation": "For region ap-northeast-3 with FIPS enabled and DualStack disabled", + "documentation": "For region ap-northeast-2 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.ap-northeast-3.amazonaws.com" 
+ "url": "https://fms-fips.ap-northeast-2.amazonaws.com" } }, "params": { + "Region": "ap-northeast-2", "UseFIPS": true, - "UseDualStack": false, - "Region": "ap-northeast-3" - } - }, - { - "documentation": "For region ap-northeast-3 with FIPS disabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms.ap-northeast-3.api.aws" - } - }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "ap-northeast-3" + "UseDualStack": false } }, { 
@@ -723,689 +112,695 @@ } }, "params": { + "Region": "ap-northeast-3", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-northeast-3" - } - }, - { - "documentation": "For region ap-northeast-2 with FIPS enabled and DualStack enabled", - "expect": { - "endpoint": { - "url": "https://fms-fips.ap-northeast-2.api.aws" - } - }, - "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "ap-northeast-2" + "UseDualStack": false } }, { - "documentation": "For region ap-northeast-2 with FIPS enabled and DualStack disabled", + "documentation": "For region ap-south-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.ap-northeast-2.amazonaws.com" + "url": "https://fms.ap-south-1.amazonaws.com" } }, "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "ap-northeast-2" + "Region": "ap-south-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region ap-northeast-2 with FIPS disabled and DualStack enabled", + "documentation": "For region ap-south-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.ap-northeast-2.api.aws" + "url": "https://fms-fips.ap-south-1.amazonaws.com" } }, - "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "ap-northeast-2" + "params": { + "Region": "ap-south-1", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region ap-northeast-2 with FIPS disabled and DualStack disabled", + "documentation": "For region ap-southeast-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.ap-northeast-2.amazonaws.com" + "url": "https://fms.ap-southeast-1.amazonaws.com" } }, "params": { + "Region": "ap-southeast-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-northeast-2" + "UseDualStack": false } }, { - "documentation": "For region ap-northeast-1 with FIPS enabled and DualStack enabled", + "documentation": "For region ap-southeast-1 
with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.ap-northeast-1.api.aws" + "url": "https://fms-fips.ap-southeast-1.amazonaws.com" } }, "params": { + "Region": "ap-southeast-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "ap-northeast-1" + "UseDualStack": false } }, { - "documentation": "For region ap-northeast-1 with FIPS enabled and DualStack disabled", + "documentation": "For region ap-southeast-2 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.ap-northeast-1.amazonaws.com" + "url": "https://fms.ap-southeast-2.amazonaws.com" } }, "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "ap-northeast-1" + "Region": "ap-southeast-2", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region ap-northeast-1 with FIPS disabled and DualStack enabled", + "documentation": "For region ap-southeast-2 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.ap-northeast-1.api.aws" + "url": "https://fms-fips.ap-southeast-2.amazonaws.com" } }, "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "ap-northeast-1" + "Region": "ap-southeast-2", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region ap-northeast-1 with FIPS disabled and DualStack disabled", + "documentation": "For region ca-central-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.ap-northeast-1.amazonaws.com" + "url": "https://fms.ca-central-1.amazonaws.com" } }, "params": { + "Region": "ca-central-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-northeast-1" + "UseDualStack": false } }, { - "documentation": "For region me-south-1 with FIPS enabled and DualStack enabled", + "documentation": "For region ca-central-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.me-south-1.api.aws" + "url": 
"https://fms-fips.ca-central-1.amazonaws.com" } }, "params": { + "Region": "ca-central-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "me-south-1" + "UseDualStack": false } }, { - "documentation": "For region me-south-1 with FIPS enabled and DualStack disabled", + "documentation": "For region eu-central-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.me-south-1.amazonaws.com" + "url": "https://fms.eu-central-1.amazonaws.com" } }, "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "me-south-1" + "Region": "eu-central-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region me-south-1 with FIPS disabled and DualStack enabled", + "documentation": "For region eu-central-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.me-south-1.api.aws" + "url": "https://fms-fips.eu-central-1.amazonaws.com" } }, "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "me-south-1" + "Region": "eu-central-1", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region me-south-1 with FIPS disabled and DualStack disabled", + "documentation": "For region eu-north-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.me-south-1.amazonaws.com" + "url": "https://fms.eu-north-1.amazonaws.com" } }, "params": { + "Region": "eu-north-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "me-south-1" + "UseDualStack": false } }, { - "documentation": "For region sa-east-1 with FIPS enabled and DualStack enabled", + "documentation": "For region eu-south-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.sa-east-1.api.aws" + "url": "https://fms.eu-south-1.amazonaws.com" } }, "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "sa-east-1" + "Region": "eu-south-1", + "UseFIPS": false, + "UseDualStack": false } }, { 
- "documentation": "For region sa-east-1 with FIPS enabled and DualStack disabled", + "documentation": "For region eu-south-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.sa-east-1.amazonaws.com" + "url": "https://fms-fips.eu-south-1.amazonaws.com" } }, "params": { + "Region": "eu-south-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "sa-east-1" + "UseDualStack": false } }, { - "documentation": "For region sa-east-1 with FIPS disabled and DualStack enabled", + "documentation": "For region eu-west-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.sa-east-1.api.aws" + "url": "https://fms.eu-west-1.amazonaws.com" } }, "params": { + "Region": "eu-west-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "sa-east-1" + "UseDualStack": false } }, { - "documentation": "For region sa-east-1 with FIPS disabled and DualStack disabled", + "documentation": "For region eu-west-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.sa-east-1.amazonaws.com" + "url": "https://fms-fips.eu-west-1.amazonaws.com" } }, "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "sa-east-1" + "Region": "eu-west-1", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region ap-east-1 with FIPS enabled and DualStack enabled", + "documentation": "For region eu-west-2 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.ap-east-1.api.aws" + "url": "https://fms.eu-west-2.amazonaws.com" } }, "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "ap-east-1" + "Region": "eu-west-2", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region ap-east-1 with FIPS enabled and DualStack disabled", + "documentation": "For region eu-west-2 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": 
"https://fms-fips.ap-east-1.amazonaws.com" + "url": "https://fms-fips.eu-west-2.amazonaws.com" } }, "params": { + "Region": "eu-west-2", "UseFIPS": true, - "UseDualStack": false, - "Region": "ap-east-1" + "UseDualStack": false } }, { - "documentation": "For region ap-east-1 with FIPS disabled and DualStack enabled", + "documentation": "For region eu-west-3 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.ap-east-1.api.aws" + "url": "https://fms.eu-west-3.amazonaws.com" } }, "params": { + "Region": "eu-west-3", "UseFIPS": false, - "UseDualStack": true, - "Region": "ap-east-1" + "UseDualStack": false } }, { - "documentation": "For region ap-east-1 with FIPS disabled and DualStack disabled", + "documentation": "For region eu-west-3 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.ap-east-1.amazonaws.com" + "url": "https://fms-fips.eu-west-3.amazonaws.com" } }, "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-east-1" + "Region": "eu-west-3", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region cn-north-1 with FIPS enabled and DualStack enabled", + "documentation": "For region me-south-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.cn-north-1.api.amazonwebservices.com.cn" + "url": "https://fms.me-south-1.amazonaws.com" } }, "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "cn-north-1" + "Region": "me-south-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region cn-north-1 with FIPS enabled and DualStack disabled", + "documentation": "For region me-south-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.cn-north-1.amazonaws.com.cn" + "url": "https://fms-fips.me-south-1.amazonaws.com" } }, "params": { + "Region": "me-south-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "cn-north-1" 
+ "UseDualStack": false } }, { - "documentation": "For region cn-north-1 with FIPS disabled and DualStack enabled", + "documentation": "For region sa-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.cn-north-1.api.amazonwebservices.com.cn" + "url": "https://fms.sa-east-1.amazonaws.com" } }, "params": { + "Region": "sa-east-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "cn-north-1" + "UseDualStack": false } }, { - "documentation": "For region cn-north-1 with FIPS disabled and DualStack disabled", + "documentation": "For region sa-east-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.cn-north-1.amazonaws.com.cn" + "url": "https://fms-fips.sa-east-1.amazonaws.com" } }, "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "cn-north-1" + "Region": "sa-east-1", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region us-gov-west-1 with FIPS enabled and DualStack enabled", + "documentation": "For region us-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.us-gov-west-1.api.aws" + "url": "https://fms.us-east-1.amazonaws.com" } }, "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "us-gov-west-1" + "Region": "us-east-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region us-gov-west-1 with FIPS enabled and DualStack disabled", + "documentation": "For region us-east-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.us-gov-west-1.amazonaws.com" + "url": "https://fms-fips.us-east-1.amazonaws.com" } }, "params": { + "Region": "us-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-gov-west-1" + "UseDualStack": false } }, { - "documentation": "For region us-gov-west-1 with FIPS disabled and DualStack enabled", + "documentation": "For region us-east-2 with FIPS disabled and 
DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.us-gov-west-1.api.aws" + "url": "https://fms.us-east-2.amazonaws.com" } }, "params": { + "Region": "us-east-2", "UseFIPS": false, - "UseDualStack": true, - "Region": "us-gov-west-1" + "UseDualStack": false } }, { - "documentation": "For region us-gov-west-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-east-2 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.us-gov-west-1.amazonaws.com" + "url": "https://fms-fips.us-east-2.amazonaws.com" } }, "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "us-gov-west-1" + "Region": "us-east-2", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region ap-southeast-1 with FIPS enabled and DualStack enabled", + "documentation": "For region us-west-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.ap-southeast-1.api.aws" + "url": "https://fms.us-west-1.amazonaws.com" } }, "params": { - "UseFIPS": true, - "UseDualStack": true, - "Region": "ap-southeast-1" + "Region": "us-west-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region ap-southeast-1 with FIPS enabled and DualStack disabled", + "documentation": "For region us-west-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.ap-southeast-1.amazonaws.com" + "url": "https://fms-fips.us-west-1.amazonaws.com" } }, "params": { + "Region": "us-west-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "ap-southeast-1" + "UseDualStack": false } }, { - "documentation": "For region ap-southeast-1 with FIPS disabled and DualStack enabled", + "documentation": "For region us-west-2 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.ap-southeast-1.api.aws" + "url": "https://fms.us-west-2.amazonaws.com" } }, "params": { + "Region": "us-west-2", 
"UseFIPS": false, - "UseDualStack": true, - "Region": "ap-southeast-1" + "UseDualStack": false } }, { - "documentation": "For region ap-southeast-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-west-2 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.ap-southeast-1.amazonaws.com" + "url": "https://fms-fips.us-west-2.amazonaws.com" } }, "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-southeast-1" + "Region": "us-west-2", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region ap-southeast-2 with FIPS enabled and DualStack enabled", + "documentation": "For region us-east-1 with FIPS enabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://fms-fips.ap-southeast-2.api.aws" + "url": "https://fms-fips.us-east-1.api.aws" } }, "params": { + "Region": "us-east-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "ap-southeast-2" + "UseDualStack": true } }, { - "documentation": "For region ap-southeast-2 with FIPS enabled and DualStack disabled", + "documentation": "For region us-east-1 with FIPS disabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://fms-fips.ap-southeast-2.amazonaws.com" + "url": "https://fms.us-east-1.api.aws" } }, "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "ap-southeast-2" + "Region": "us-east-1", + "UseFIPS": false, + "UseDualStack": true } }, { - "documentation": "For region ap-southeast-2 with FIPS disabled and DualStack enabled", + "documentation": "For region cn-north-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.ap-southeast-2.api.aws" + "url": "https://fms.cn-north-1.amazonaws.com.cn" } }, "params": { + "Region": "cn-north-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "ap-southeast-2" + "UseDualStack": false } }, { - "documentation": "For region ap-southeast-2 with FIPS disabled and DualStack 
disabled", + "documentation": "For region cn-northwest-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.ap-southeast-2.amazonaws.com" + "url": "https://fms.cn-northwest-1.amazonaws.com.cn" } }, "params": { + "Region": "cn-northwest-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-southeast-2" + "UseDualStack": false } }, { - "documentation": "For region ap-southeast-3 with FIPS enabled and DualStack enabled", + "documentation": "For region cn-north-1 with FIPS enabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://fms-fips.ap-southeast-3.api.aws" + "url": "https://fms-fips.cn-north-1.api.amazonwebservices.com.cn" } }, "params": { + "Region": "cn-north-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "ap-southeast-3" + "UseDualStack": true } }, { - "documentation": "For region ap-southeast-3 with FIPS enabled and DualStack disabled", + "documentation": "For region cn-north-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.ap-southeast-3.amazonaws.com" + "url": "https://fms-fips.cn-north-1.amazonaws.com.cn" } }, "params": { + "Region": "cn-north-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "ap-southeast-3" + "UseDualStack": false } }, { - "documentation": "For region ap-southeast-3 with FIPS disabled and DualStack enabled", + "documentation": "For region cn-north-1 with FIPS disabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://fms.ap-southeast-3.api.aws" + "url": "https://fms.cn-north-1.api.amazonwebservices.com.cn" } }, "params": { + "Region": "cn-north-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "ap-southeast-3" + "UseDualStack": true } }, { - "documentation": "For region ap-southeast-3 with FIPS disabled and DualStack disabled", + "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": 
"https://fms.ap-southeast-3.amazonaws.com" + "url": "https://fms.us-gov-east-1.amazonaws.com" } }, "params": { + "Region": "us-gov-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "ap-southeast-3" + "UseDualStack": false } }, { - "documentation": "For region us-east-1 with FIPS enabled and DualStack enabled", + "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.us-east-1.api.aws" + "url": "https://fms-fips.us-gov-east-1.amazonaws.com" } }, "params": { + "Region": "us-gov-east-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "us-east-1" + "UseDualStack": false } }, { - "documentation": "For region us-east-1 with FIPS enabled and DualStack disabled", + "documentation": "For region us-gov-west-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.us-east-1.amazonaws.com" + "url": "https://fms.us-gov-west-1.amazonaws.com" } }, "params": { - "UseFIPS": true, - "UseDualStack": false, - "Region": "us-east-1" + "Region": "us-gov-west-1", + "UseFIPS": false, + "UseDualStack": false } }, { - "documentation": "For region us-east-1 with FIPS disabled and DualStack enabled", + "documentation": "For region us-gov-west-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.us-east-1.api.aws" + "url": "https://fms-fips.us-gov-west-1.amazonaws.com" } }, "params": { - "UseFIPS": false, - "UseDualStack": true, - "Region": "us-east-1" + "Region": "us-gov-west-1", + "UseFIPS": true, + "UseDualStack": false } }, { - "documentation": "For region us-east-1 with FIPS disabled and DualStack disabled", + "documentation": "For region us-gov-east-1 with FIPS enabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://fms.us-east-1.amazonaws.com" + "url": "https://fms-fips.us-gov-east-1.api.aws" } }, "params": { - "UseFIPS": false, - "UseDualStack": false, - "Region": "us-east-1" + 
"Region": "us-gov-east-1", + "UseFIPS": true, + "UseDualStack": true } }, { - "documentation": "For region us-east-2 with FIPS enabled and DualStack enabled", + "documentation": "For region us-gov-east-1 with FIPS disabled and DualStack enabled", "expect": { "endpoint": { - "url": "https://fms-fips.us-east-2.api.aws" + "url": "https://fms.us-gov-east-1.api.aws" } }, "params": { + "Region": "us-gov-east-1", + "UseFIPS": false, + "UseDualStack": true + } + }, + { + "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack enabled", + "expect": { + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" + }, + "params": { + "Region": "us-iso-east-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "us-east-2" + "UseDualStack": true } }, { - "documentation": "For region us-east-2 with FIPS enabled and DualStack disabled", + "documentation": "For region us-iso-east-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.us-east-2.amazonaws.com" + "url": "https://fms-fips.us-iso-east-1.c2s.ic.gov" } }, "params": { + "Region": "us-iso-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "us-east-2" + "UseDualStack": false } }, { - "documentation": "For region us-east-2 with FIPS disabled and DualStack enabled", + "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack enabled", "expect": { - "endpoint": { - "url": "https://fms.us-east-2.api.aws" - } + "error": "DualStack is enabled but this partition does not support DualStack" }, "params": { + "Region": "us-iso-east-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "us-east-2" + "UseDualStack": true } }, { - "documentation": "For region us-east-2 with FIPS disabled and DualStack disabled", + "documentation": "For region us-iso-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.us-east-2.amazonaws.com" + "url": 
"https://fms.us-iso-east-1.c2s.ic.gov" } }, "params": { + "Region": "us-iso-east-1", "UseFIPS": false, - "UseDualStack": false, - "Region": "us-east-2" + "UseDualStack": false } }, { - "documentation": "For region cn-northwest-1 with FIPS enabled and DualStack enabled", + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack enabled", "expect": { - "endpoint": { - "url": "https://fms-fips.cn-northwest-1.api.amazonwebservices.com.cn" - } + "error": "FIPS and DualStack are enabled, but this partition does not support one or both" }, "params": { + "Region": "us-isob-east-1", "UseFIPS": true, - "UseDualStack": true, - "Region": "cn-northwest-1" + "UseDualStack": true } }, { - "documentation": "For region cn-northwest-1 with FIPS enabled and DualStack disabled", + "documentation": "For region us-isob-east-1 with FIPS enabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms-fips.cn-northwest-1.amazonaws.com.cn" + "url": "https://fms-fips.us-isob-east-1.sc2s.sgov.gov" } }, "params": { + "Region": "us-isob-east-1", "UseFIPS": true, - "UseDualStack": false, - "Region": "cn-northwest-1" + "UseDualStack": false + } + }, + { + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack enabled", + "expect": { + "error": "DualStack is enabled but this partition does not support DualStack" + }, + "params": { + "Region": "us-isob-east-1", + "UseFIPS": false, + "UseDualStack": true } }, { - "documentation": "For region cn-northwest-1 with FIPS disabled and DualStack enabled", + "documentation": "For region us-isob-east-1 with FIPS disabled and DualStack disabled", "expect": { "endpoint": { - "url": "https://fms.cn-northwest-1.api.amazonwebservices.com.cn" + "url": "https://fms.us-isob-east-1.sc2s.sgov.gov" } }, "params": { + "Region": "us-isob-east-1", "UseFIPS": false, - "UseDualStack": true, - "Region": "cn-northwest-1" + "UseDualStack": false } }, { - "documentation": "For region cn-northwest-1 with FIPS disabled 
and DualStack disabled", + "documentation": "For custom endpoint with region set and fips disabled and dualstack disabled", "expect": { "endpoint": { - "url": "https://fms.cn-northwest-1.amazonaws.com.cn" + "url": "https://example.com" } }, "params": { + "Region": "us-east-1", "UseFIPS": false, "UseDualStack": false, - "Region": "cn-northwest-1" + "Endpoint": "https://example.com" } }, { - "documentation": "For custom endpoint with fips disabled and dualstack disabled", + "documentation": "For custom endpoint with region not set and fips disabled and dualstack disabled", "expect": { "endpoint": { "url": "https://example.com" @@ -1414,7 +809,6 @@ "params": { "UseFIPS": false, "UseDualStack": false, - "Region": "us-east-1", "Endpoint": "https://example.com" } }, @@ -1424,9 +818,9 @@ "error": "Invalid Configuration: FIPS and custom endpoint are not supported" }, "params": { + "Region": "us-east-1", "UseFIPS": true, "UseDualStack": false, - "Region": "us-east-1", "Endpoint": "https://example.com" } }, @@ -1436,11 +830,17 @@ "error": "Invalid Configuration: Dualstack and custom endpoint are not supported" }, "params": { + "Region": "us-east-1", "UseFIPS": false, "UseDualStack": true, - "Region": "us-east-1", "Endpoint": "https://example.com" } + }, + { + "documentation": "Missing region", + "expect": { + "error": "Invalid Configuration: Missing Region" + } } ], "version": "1.0" diff --git a/models/apis/fms/2018-01-01/paginators-1.json b/models/apis/fms/2018-01-01/paginators-1.json index b6fef983691..d8807f302fc 100644 --- a/models/apis/fms/2018-01-01/paginators-1.json +++ b/models/apis/fms/2018-01-01/paginators-1.json 
@@ -1,5 +1,17 @@ { "pagination": { + "ListAdminAccountsForOrganization": { + "input_token": "NextToken", + "limit_key": "MaxResults", + "output_token": "NextToken", + "result_key": "AdminAccounts" + }, + "ListAdminsManagingAccount": { + "input_token": "NextToken", + "limit_key": "MaxResults", + "output_token": "NextToken", + "result_key": "AdminAccounts" + }, "ListAppsLists": { "input_token": "NextToken", "limit_key": "MaxResults", diff --git a/models/endpoints/endpoints.json b/models/endpoints/endpoints.json index d1d5d7f065d..f23b832f67f 100644 --- a/models/endpoints/endpoints.json +++ b/models/endpoints/endpoints.json @@ -1202,6 +1202,7 @@ "deprecated" : true, "hostname" : "api.tunneling.iot-fips.us-west-2.amazonaws.com" }, + "me-central-1" : { }, "me-south-1" : { }, "sa-east-1" : { }, "us-east-1" : { @@ -2065,7 +2066,12 @@ "ap-southeast-2" : { }, "ap-southeast-3" : { }, "ap-southeast-4" : { }, - "ca-central-1" : { }, + "ca-central-1" : { + "variants" : [ { + "hostname" : "autoscaling-fips.ca-central-1.amazonaws.com", + "tags" : [ "fips" ] + } ] + }, "eu-central-1" : { }, "eu-central-2" : { }, "eu-north-1" : { }, 
@@ -2074,13 +2080,68 @@ "eu-west-1" : { }, "eu-west-2" : { }, "eu-west-3" : { }, + "fips-ca-central-1" : { + "credentialScope" : { + "region" : "ca-central-1" + }, + "deprecated" : true, + "hostname" : "autoscaling-fips.ca-central-1.amazonaws.com" + }, + "fips-us-east-1" : { + "credentialScope" : { + "region" : "us-east-1" + }, + "deprecated" : true, + "hostname" : "autoscaling-fips.us-east-1.amazonaws.com" + }, + "fips-us-east-2" : { + "credentialScope" : { + "region" : "us-east-2" + }, + "deprecated" : true, + "hostname" : "autoscaling-fips.us-east-2.amazonaws.com" + }, + "fips-us-west-1" : { + "credentialScope" : { + "region" : "us-west-1" + }, + "deprecated" : true, + "hostname" : "autoscaling-fips.us-west-1.amazonaws.com" + }, + "fips-us-west-2" : { + "credentialScope" : { + "region" : "us-west-2" + }, + "deprecated" : true, + "hostname" : "autoscaling-fips.us-west-2.amazonaws.com" + }, "me-central-1" : { }, "me-south-1" : { }, "sa-east-1" : { }, - "us-east-1" : { }, - "us-east-2" : { }, - "us-west-1" : { }, - "us-west-2" : { } + "us-east-1" : { + "variants" : [ { + "hostname" : "autoscaling-fips.us-east-1.amazonaws.com", + "tags" : [ "fips" ] + } ] + }, + "us-east-2" : { + "variants" : [ { + "hostname" : "autoscaling-fips.us-east-2.amazonaws.com", + "tags" : [ "fips" ] + } ] + }, + "us-west-1" : { + "variants" : [ { + "hostname" : "autoscaling-fips.us-west-1.amazonaws.com", + "tags" : [ "fips" ] + } ] + }, + "us-west-2" : { + "variants" : [ { + "hostname" : "autoscaling-fips.us-west-2.amazonaws.com", + "tags" : [ "fips" ] + } ] + } } }, "autoscaling-plans" : { @@ -2124,6 +2185,7 @@ "ap-southeast-1" : { }, "ap-southeast-2" : { }, "ap-southeast-3" : { }, + "ap-southeast-4" : { }, "ca-central-1" : { }, "eu-central-1" : { }, "eu-central-2" : { }, 
@@ -3739,11 +3801,15 @@ }, "controltower" : { "endpoints" : { + "af-south-1" : { }, + "ap-east-1" : { }, "ap-northeast-1" : { }, "ap-northeast-2" : { }, + "ap-northeast-3" : { }, "ap-south-1" : { }, "ap-southeast-1" : { }, "ap-southeast-2" : { }, + "ap-southeast-3" : { }, "ca-central-1" : { "variants" : [ { "hostname" : "controltower-fips.ca-central-1.amazonaws.com", @@ -3759,9 +3825,11 @@ }, "eu-central-1" : { }, "eu-north-1" : { }, + "eu-south-1" : { }, "eu-west-1" : { }, "eu-west-2" : { }, "eu-west-3" : { }, + "me-south-1" : { }, "sa-east-1" : { }, "us-east-1" : { "variants" : [ { @@ -3789,6 +3857,19 @@ "deprecated" : true, "hostname" : "controltower-fips.us-east-2.amazonaws.com" }, + "us-west-1" : { + "variants" : [ { + "hostname" : "controltower-fips.us-west-1.amazonaws.com", + "tags" : [ "fips" ] + } ] + }, + "us-west-1-fips" : { + "credentialScope" : { + "region" : "us-west-1" + }, + "deprecated" : true, + "hostname" : "controltower-fips.us-west-1.amazonaws.com" + }, "us-west-2" : { "variants" : [ { "hostname" : "controltower-fips.us-west-2.amazonaws.com", diff --git a/service/connect/api.go b/service/connect/api.go index 48fbb717092..aa13d8b45b7 100644 --- a/service/connect/api.go +++ b/service/connect/api.go 
@@ -1711,6 +1711,101 @@ func (c *Connect) CreateIntegrationAssociationWithContext(ctx aws.Context, input return out, req.Send() } +const opCreateParticipant = "CreateParticipant" + +// CreateParticipantRequest generates a "aws/request.Request" representing the +// client's request for the CreateParticipant operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateParticipant for more information on using the CreateParticipant +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// // Example sending a request using the CreateParticipantRequest method. +// req, resp := client.CreateParticipantRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/connect-2017-08-08/CreateParticipant +func (c *Connect) CreateParticipantRequest(input *CreateParticipantInput) (req *request.Request, output *CreateParticipantOutput) { + op := &request.Operation{ + Name: opCreateParticipant, + HTTPMethod: "POST", + HTTPPath: "/contact/create-participant", + } + + if input == nil { + input = &CreateParticipantInput{} + } + + output = &CreateParticipantOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateParticipant API operation for Amazon Connect Service. +// +// Adds a new participant into an on-going chat contact. For more information, +// see Customize chat flow experiences by integrating custom participants (https://docs.aws.amazon.com/connect/latest/adminguide/chat-customize-flow.html). +// +// Returns awserr.Error for service API and SDK errors. 
Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Connect Service's +// API operation CreateParticipant for usage and error information. +// +// Returned Error Types: +// +// - InvalidRequestException +// The request is not valid. +// +// - InvalidParameterException +// One or more of the specified parameters are not valid. +// +// - ResourceNotFoundException +// The specified resource was not found. +// +// - InternalServiceException +// Request processing failed because of an error or failure with the service. +// +// - ServiceQuotaExceededException +// The service quota has been exceeded. +// +// - ThrottlingException +// The throttling limit has been exceeded. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/connect-2017-08-08/CreateParticipant +func (c *Connect) CreateParticipant(input *CreateParticipantInput) (*CreateParticipantOutput, error) { + req, out := c.CreateParticipantRequest(input) + return out, req.Send() +} + +// CreateParticipantWithContext is the same as CreateParticipant with the addition of +// the ability to pass a context and additional request options. +// +// See CreateParticipant for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *Connect) CreateParticipantWithContext(ctx aws.Context, input *CreateParticipantInput, opts ...request.Option) (*CreateParticipantOutput, error) { + req, out := c.CreateParticipantRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opCreateQueue = "CreateQueue" // CreateQueueRequest generates a "aws/request.Request" representing the 
@@ -22455,6 +22550,152 @@ func (s *CreateIntegrationAssociationOutput) SetIntegrationAssociationId(v strin return s } +type CreateParticipantInput struct { + _ struct{} `type:"structure"` + + // A unique, case-sensitive identifier that you provide to ensure the idempotency + // of the request. If not provided, the Amazon Web Services SDK populates this + // field. For more information about idempotency, see Making retries safe with + // idempotent APIs (https://aws.amazon.com/builders-library/making-retries-safe-with-idempotent-APIs/). + ClientToken *string `type:"string" idempotencyToken:"true"` + + // The identifier of the contact in this instance of Amazon Connect. Only contacts + // in the CHAT channel are supported. + // + // ContactId is a required field + ContactId *string `min:"1" type:"string" required:"true"` + + // The identifier of the Amazon Connect instance. You can find the instance + // ID (https://docs.aws.amazon.com/connect/latest/adminguide/find-instance-arn.html) + // in the Amazon Resource Name (ARN) of the instance. + // + // InstanceId is a required field + InstanceId *string `min:"1" type:"string" required:"true"` + + // Information identifying the participant. + // + // The only Valid value for ParticipantRole is CUSTOM_BOT. + // + // DisplayName is Required. + // + // ParticipantDetails is a required field + ParticipantDetails *ParticipantDetailsToAdd `type:"structure" required:"true"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateParticipantInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. 
The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateParticipantInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateParticipantInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateParticipantInput"} + if s.ContactId == nil { + invalidParams.Add(request.NewErrParamRequired("ContactId")) + } + if s.ContactId != nil && len(*s.ContactId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("ContactId", 1)) + } + if s.InstanceId == nil { + invalidParams.Add(request.NewErrParamRequired("InstanceId")) + } + if s.InstanceId != nil && len(*s.InstanceId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("InstanceId", 1)) + } + if s.ParticipantDetails == nil { + invalidParams.Add(request.NewErrParamRequired("ParticipantDetails")) + } + if s.ParticipantDetails != nil { + if err := s.ParticipantDetails.Validate(); err != nil { + invalidParams.AddNested("ParticipantDetails", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetClientToken sets the ClientToken field's value. +func (s *CreateParticipantInput) SetClientToken(v string) *CreateParticipantInput { + s.ClientToken = &v + return s +} + +// SetContactId sets the ContactId field's value. +func (s *CreateParticipantInput) SetContactId(v string) *CreateParticipantInput { + s.ContactId = &v + return s +} + +// SetInstanceId sets the InstanceId field's value. +func (s *CreateParticipantInput) SetInstanceId(v string) *CreateParticipantInput { + s.InstanceId = &v + return s +} + +// SetParticipantDetails sets the ParticipantDetails field's value. 
+func (s *CreateParticipantInput) SetParticipantDetails(v *ParticipantDetailsToAdd) *CreateParticipantInput { + s.ParticipantDetails = v + return s +} + +type CreateParticipantOutput struct { + _ struct{} `type:"structure"` + + // The token used by the chat participant to call CreateParticipantConnection. + // The participant token is valid for the lifetime of a chat participant. + ParticipantCredentials *ParticipantTokenCredentials `type:"structure"` + + // The identifier for a chat participant. The participantId for a chat participant + // is the same throughout the chat lifecycle. + ParticipantId *string `min:"1" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateParticipantOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s CreateParticipantOutput) GoString() string { + return s.String() +} + +// SetParticipantCredentials sets the ParticipantCredentials field's value. +func (s *CreateParticipantOutput) SetParticipantCredentials(v *ParticipantTokenCredentials) *CreateParticipantOutput { + s.ParticipantCredentials = v + return s +} + +// SetParticipantId sets the ParticipantId field's value. +func (s *CreateParticipantOutput) SetParticipantId(v string) *CreateParticipantOutput { + s.ParticipantId = &v + return s +} + type CreateQueueInput struct { _ struct{} `type:"structure"` 
@@ -37679,7 +37920,10 @@ type MetricFilterV2 struct { // The key to use for filtering data. // - // Valid metric filter keys: INITIATION_METHOD, DISCONNECT_REASON + // Valid metric filter keys: INITIATION_METHOD, DISCONNECT_REASON. These are + // the same values as the InitiationMethod and DisconnectReason in the contact + // record. For more information, see ContactTraceRecord (https://docs.aws.amazon.com/connect/latest/adminguide/ctr-data-model.html#ctr-ContactTraceRecord) + // in the Amazon Connect Administrator's Guide. MetricFilterKey *string `type:"string"` // The values to use for filtering data. 
@@ -38266,6 +38510,60 @@ func (s *ParticipantDetails) SetDisplayName(v string) *ParticipantDetails { return s } +// The details to add for the participant. +type ParticipantDetailsToAdd struct { + _ struct{} `type:"structure"` + + // The display name of the participant. + DisplayName *string `min:"1" type:"string"` + + // The role of the participant being added. + ParticipantRole *string `type:"string" enum:"ParticipantRole"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ParticipantDetailsToAdd) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ParticipantDetailsToAdd) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ParticipantDetailsToAdd) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ParticipantDetailsToAdd"} + if s.DisplayName != nil && len(*s.DisplayName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("DisplayName", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDisplayName sets the DisplayName field's value. +func (s *ParticipantDetailsToAdd) SetDisplayName(v string) *ParticipantDetailsToAdd { + s.DisplayName = &v + return s +} + +// SetParticipantRole sets the ParticipantRole field's value. +func (s *ParticipantDetailsToAdd) SetParticipantRole(v string) *ParticipantDetailsToAdd { + s.ParticipantRole = &v + return s +} + // Configuration information for the timer. 
After the timer configuration is // set, it persists for the duration of the chat. It persists across new contacts // in the chain, for example, transfer contacts. 
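Review bot: `ParticipantDetailsToAdd.Validate` only checks that a non-nil `DisplayName` has length at least 1, while the `ParticipantDetails` field comment on `CreateParticipantInput` (earlier api.go hunk) says DisplayName is required and CUSTOM_BOT is the only valid ParticipantRole. A nil DisplayName, or any of the other values returned by `ParticipantRole_Values()`, therefore passes client-side validation, and rejection is presumably left to the service. If that is intended, document it on the fields, for example `// Required by CreateParticipant; enforced by the service, not by Validate.` on `DisplayName`. Otherwise the member needs `required:"true"`. The file looks generated, so either change presumably belongs in the API model rather than in api.go.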
@@ -38413,6 +38711,50 @@ func (s *ParticipantTimerValue) SetParticipantTimerDurationInMinutes(v int64) *P return s } +// The credentials used by the participant. +type ParticipantTokenCredentials struct { + _ struct{} `type:"structure"` + + // The expiration of the token. It's specified in ISO 8601 format: yyyy-MM-ddThh:mm:ss.SSSZ. + // For example, 2019-11-08T02:41:28.172Z. + Expiry *string `type:"string"` + + // The token used by the chat participant to call CreateParticipantConnection + // (https://docs.aws.amazon.com/connect-participant/latest/APIReference/API_CreateParticipantConnection.html). + // The participant token is valid for the lifetime of a chat participant. + ParticipantToken *string `min:"1" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ParticipantTokenCredentials) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ParticipantTokenCredentials) GoString() string { + return s.String() +} + +// SetExpiry sets the Expiry field's value. +func (s *ParticipantTokenCredentials) SetExpiry(v string) *ParticipantTokenCredentials { + s.Expiry = &v + return s +} + +// SetParticipantToken sets the ParticipantToken field's value. +func (s *ParticipantTokenCredentials) SetParticipantToken(v string) *ParticipantTokenCredentials { + s.ParticipantToken = &v + return s +} + // Enable persistent chats. 
For more information about enabling persistent chat, // and for example use cases and how to configure for them, see Enable persistent // chat (https://docs.aws.amazon.com/connect/latest/adminguide/chat-persistence.html). @@ -52073,6 +52415,30 @@ func NotificationDeliveryType_Values() []string { } } +const ( + // ParticipantRoleAgent is a ParticipantRole enum value + ParticipantRoleAgent = "AGENT" + + // ParticipantRoleCustomer is a ParticipantRole enum value + ParticipantRoleCustomer = "CUSTOMER" + + // ParticipantRoleSystem is a ParticipantRole enum value + ParticipantRoleSystem = "SYSTEM" + + // ParticipantRoleCustomBot is a ParticipantRole enum value + ParticipantRoleCustomBot = "CUSTOM_BOT" +) + +// ParticipantRole_Values returns all elements of the ParticipantRole enum +func ParticipantRole_Values() []string { + return []string{ + ParticipantRoleAgent, + ParticipantRoleCustomer, + ParticipantRoleSystem, + ParticipantRoleCustomBot, + } +} + const ( // ParticipantTimerActionUnset is a ParticipantTimerAction enum value ParticipantTimerActionUnset = "Unset" diff --git a/service/connect/connectiface/interface.go b/service/connect/connectiface/interface.go index 247aa075c54..25d3878c8e2 100644 --- a/service/connect/connectiface/interface.go +++ b/service/connect/connectiface/interface.go 
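Review bot: `ParticipantToken` in `ParticipantTokenCredentials` has no `sensitive:"true"` tag, so `String()` and `GoString()` (both via `awsutil.Prettify`) print the token in full, even though their comments describe redaction of sensitive values. The same value is reached through `CreateParticipantOutput.String()` in the earlier api.go hunk, which nests this struct, and the doc example on `CreateParticipantRequest` prints `resp` with `fmt.Println`. The field comment says the token is valid for the lifetime of a chat participant, so a response written to logs exposes a usable credential for that period. Tagging the member `min:"1" type:"string" sensitive:"true"` would redact it. The file looks generated, so the change presumably belongs in the API model, and until then callers should avoid logging the output struct.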
@@ -128,6 +128,10 @@ type ConnectAPI interface { CreateIntegrationAssociationWithContext(aws.Context, *connect.CreateIntegrationAssociationInput, ...request.Option) (*connect.CreateIntegrationAssociationOutput, error) CreateIntegrationAssociationRequest(*connect.CreateIntegrationAssociationInput) (*request.Request, *connect.CreateIntegrationAssociationOutput) + CreateParticipant(*connect.CreateParticipantInput) (*connect.CreateParticipantOutput, error) + CreateParticipantWithContext(aws.Context, *connect.CreateParticipantInput, ...request.Option) (*connect.CreateParticipantOutput, error) + CreateParticipantRequest(*connect.CreateParticipantInput) (*request.Request, *connect.CreateParticipantOutput) + CreateQueue(*connect.CreateQueueInput) (*connect.CreateQueueOutput, error) CreateQueueWithContext(aws.Context, *connect.CreateQueueInput, ...request.Option) (*connect.CreateQueueOutput, error) CreateQueueRequest(*connect.CreateQueueInput) (*request.Request, *connect.CreateQueueOutput) diff --git a/service/ecs/api.go b/service/ecs/api.go index df30f3cb092..dd6135aa799 100644 --- a/service/ecs/api.go +++ b/service/ecs/api.go @@ -15367,6 +15367,9 @@ type LinuxParameters struct { // // If you're using tasks that use the Fargate launch type, the maxSwap parameter // isn't supported. + // + // If you're using tasks on Amazon Linux 2023 the swappiness parameter isn't + // supported. MaxSwap *int64 `locationName:"maxSwap" type:"integer"` // The value for the size (in MiB) of the /dev/shm volume. This parameter maps @@ -15386,6 +15389,9 @@ type LinuxParameters struct { // // If you're using tasks that use the Fargate launch type, the swappiness parameter // isn't supported. + // + // If you're using tasks on Amazon Linux 2023 the swappiness parameter isn't + // supported. Swappiness *int64 `locationName:"swappiness" type:"integer"` // The container path, mount options, and size (in MiB) of the tmpfs mount. 
@@ -18042,6 +18048,13 @@ func (s *PlatformUnknownException) RequestID() string { // the exposed ports using containerPort. The hostPort can be left blank or // it must be the same value as the containerPort. // +// Most fields of this parameter (containerPort, hostPort, protocol) maps to +// PortBindings in the Create a container (https://docs.docker.com/engine/api/v1.35/#operation/ContainerCreate) +// section of the Docker Remote API (https://docs.docker.com/engine/api/v1.35/) +// and the --publish option to docker run (https://docs.docker.com/engine/reference/commandline/run/). +// If the network mode of a task definition is set to host, host ports must +// either be undefined or match the container port in the port mapping. +// // You can't expose the same container port for multiple protocols. If you attempt // this, an error is returned. // @@ -18407,7 +18420,7 @@ type PutAccountSettingDefaultInput struct { // When you specify fargateFIPSMode for the name and enabled for the value, // Fargate uses FIPS-140 compliant cryptographic algorithms on your tasks. For // more information about FIPS-140 compliance with Fargate, see Amazon Web Services - // Fargate Federal Information Processing Standard (FIPS) 140-2 compliance (https://docs.aws.amazon.com/AWSEC2ContainerServiceDocs/build/server-root/AmazonECS/latest/developerguide/ecs-fips-compliance.html) + // Fargate Federal Information Processing Standard (FIPS) 140-2 compliance (https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-fips-compliance.html) // in the Amazon Elastic Container Service Developer Guide. // // Name is a required field diff --git a/service/fms/api.go b/service/fms/api.go index e9a3948ae66..dc20ad0d8eb 100644 --- a/service/fms/api.go +++ b/service/fms/api.go 
@@ -57,13 +57,15 @@ func (c *FMS) AssociateAdminAccountRequest(input *AssociateAdminAccountInput) (r // AssociateAdminAccount API operation for Firewall Management Service. // -// Sets the Firewall Manager administrator account. The account must be a member +// Sets a Firewall Manager default administrator account. The Firewall Manager +// default administrator account can manage third-party firewalls and has full +// administrative scope that allows administration of all policy types, accounts, +// organizational units, and Regions. This account must be a member account // of the organization in Organizations whose resources you want to protect. -// Firewall Manager sets the permissions that allow the account to administer -// your Firewall Manager policies. // -// The account that you associate with Firewall Manager is called the Firewall -// Manager administrator account. +// For information about working with Firewall Manager administrator accounts, +// see Managing Firewall Manager administrators (https://docs.aws.amazon.com/organizations/latest/userguide/fms-administrators.html) +// in the Firewall Manager Developer Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about 
@@ -929,9 +931,15 @@ func (c *FMS) DisassociateAdminAccountRequest(input *DisassociateAdminAccountInp // DisassociateAdminAccount API operation for Firewall Management Service. // -// Disassociates the account that has been set as the Firewall Manager administrator -// account. To set a different account as the administrator account, you must -// submit an AssociateAdminAccount request. +// Disassociates an Firewall Manager administrator account. To set a different +// account as an Firewall Manager administrator, submit a PutAdminAccount request. +// To set an account as a default administrator account, you must submit an +// AssociateAdminAccount request. +// +// Disassociation of the default administrator account follows the first in, +// last out principle. If you are the default administrator, all Firewall Manager +// administrators within the organization must first disassociate their accounts +// before you can disassociate your account. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -1120,7 +1128,7 @@ func (c *FMS) GetAdminAccountRequest(input *GetAdminAccountInput) (req *request. // GetAdminAccount API operation for Firewall Management Service. // // Returns the Organizations account that is associated with Firewall Manager -// as the Firewall Manager administrator. +// as the Firewall Manager default administrator. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about 
@@ -1168,6 +1176,102 @@ func (c *FMS) GetAdminAccountWithContext(ctx aws.Context, input *GetAdminAccount return out, req.Send() } +const opGetAdminScope = "GetAdminScope" + +// GetAdminScopeRequest generates a "aws/request.Request" representing the +// client's request for the GetAdminScope operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetAdminScope for more information on using the GetAdminScope +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// // Example sending a request using the GetAdminScopeRequest method. +// req, resp := client.GetAdminScopeRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminScope +func (c *FMS) GetAdminScopeRequest(input *GetAdminScopeInput) (req *request.Request, output *GetAdminScopeOutput) { + op := &request.Operation{ + Name: opGetAdminScope, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetAdminScopeInput{} + } + + output = &GetAdminScopeOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetAdminScope API operation for Firewall Management Service. +// +// Returns information about the specified account's administrative scope. The +// admistrative scope defines the resources that an Firewall Manager administrator +// can manage. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. 
+// +// See the AWS API reference guide for Firewall Management Service's +// API operation GetAdminScope for usage and error information. +// +// Returned Error Types: +// +// - InvalidOperationException +// The operation failed because there was nothing to do or the operation wasn't +// possible. For example, you might have submitted an AssociateAdminAccount +// request for an account ID that was already set as the Firewall Manager administrator. +// Or you might have tried to access a Region that's disabled by default, and +// that you need to enable for the Firewall Manager administrator account and +// for Organizations before you can access it. +// +// - InvalidInputException +// The parameters of the request were invalid. +// +// - ResourceNotFoundException +// The specified resource was not found. +// +// - InternalErrorException +// The operation failed because of a system problem, even though the request +// was valid. Retry your request. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminScope +func (c *FMS) GetAdminScope(input *GetAdminScopeInput) (*GetAdminScopeOutput, error) { + req, out := c.GetAdminScopeRequest(input) + return out, req.Send() +} + +// GetAdminScopeWithContext is the same as GetAdminScope with the addition of +// the ability to pass a context and additional request options. +// +// See GetAdminScope for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *FMS) GetAdminScopeWithContext(ctx aws.Context, input *GetAdminScopeInput, opts ...request.Option) (*GetAdminScopeOutput, error) { + req, out := c.GetAdminScopeRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) 
+ return out, req.Send() +} + const opGetAppsList = "GetAppsList" // GetAppsListRequest generates a "aws/request.Request" representing the 
@@ -2013,34 +2117,34 @@ func (c *FMS) GetViolationDetailsWithContext(ctx aws.Context, input *GetViolatio return out, req.Send() } -const opListAppsLists = "ListAppsLists" +const opListAdminAccountsForOrganization = "ListAdminAccountsForOrganization" -// ListAppsListsRequest generates a "aws/request.Request" representing the -// client's request for the ListAppsLists operation. The "output" return +// ListAdminAccountsForOrganizationRequest generates a "aws/request.Request" representing the +// client's request for the ListAdminAccountsForOrganization operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // -// See ListAppsLists for more information on using the ListAppsLists +// See ListAdminAccountsForOrganization for more information on using the ListAdminAccountsForOrganization // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // -// // Example sending a request using the ListAppsListsRequest method. -// req, resp := client.ListAppsListsRequest(params) +// // Example sending a request using the ListAdminAccountsForOrganizationRequest method. 
+// req, resp := client.ListAdminAccountsForOrganizationRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // -// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAppsLists -func (c *FMS) ListAppsListsRequest(input *ListAppsListsInput) (req *request.Request, output *ListAppsListsOutput) { +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminAccountsForOrganization +func (c *FMS) ListAdminAccountsForOrganizationRequest(input *ListAdminAccountsForOrganizationInput) (req *request.Request, output *ListAdminAccountsForOrganizationOutput) { op := &request.Operation{ - Name: opListAppsLists, + Name: opListAdminAccountsForOrganization, HTTPMethod: "POST", HTTPPath: "/", Paginator: &request.Paginator{ 
@@ -2052,30 +2156,30 @@ func (c *FMS) ListAppsListsRequest(input *ListAppsListsInput) (req *request.Requ } if input == nil { - input = &ListAppsListsInput{} + input = &ListAdminAccountsForOrganizationInput{} } - output = &ListAppsListsOutput{} + output = &ListAdminAccountsForOrganizationOutput{} req = c.newRequest(op, input, output) return } -// ListAppsLists API operation for Firewall Management Service. +// ListAdminAccountsForOrganization API operation for Firewall Management Service. // -// Returns an array of AppsListDataSummary objects. +// Returns a AdminAccounts object that lists the Firewall Manager administrators +// within the organization that are onboarded to Firewall Manager by AssociateAdminAccount. +// +// This operation can be called only from the organization's management account. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for Firewall Management Service's -// API operation ListAppsLists for usage and error information. +// API operation ListAdminAccountsForOrganization for usage and error information. // // Returned Error Types: // -// - ResourceNotFoundException -// The specified resource was not found. -// // - InvalidOperationException // The operation failed because there was nothing to do or the operation wasn't // possible. For example, you might have submitted an AssociateAdminAccount 
@@ -2084,74 +2188,71 @@ func (c *FMS) ListAppsListsRequest(input *ListAppsListsInput) (req *request.Requ // that you need to enable for the Firewall Manager administrator account and // for Organizations before you can access it. // -// - LimitExceededException -// The operation exceeds a resource limit, for example, the maximum number of -// policy objects that you can create for an Amazon Web Services account. For -// more information, see Firewall Manager Limits (https://docs.aws.amazon.com/waf/latest/developerguide/fms-limits.html) -// in the WAF Developer Guide. +// - ResourceNotFoundException +// The specified resource was not found. // // - InternalErrorException // The operation failed because of a system problem, even though the request // was valid. Retry your request. // -// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAppsLists -func (c *FMS) ListAppsLists(input *ListAppsListsInput) (*ListAppsListsOutput, error) { - req, out := c.ListAppsListsRequest(input) +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminAccountsForOrganization +func (c *FMS) ListAdminAccountsForOrganization(input *ListAdminAccountsForOrganizationInput) (*ListAdminAccountsForOrganizationOutput, error) { + req, out := c.ListAdminAccountsForOrganizationRequest(input) return out, req.Send() } -// ListAppsListsWithContext is the same as ListAppsLists with the addition of +// ListAdminAccountsForOrganizationWithContext is the same as ListAdminAccountsForOrganization with the addition of // the ability to pass a context and additional request options. // -// See ListAppsLists for details on how to use this API operation. +// See ListAdminAccountsForOrganization for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. 
See https://golang.org/pkg/context/ // for more information on using Contexts. -func (c *FMS) ListAppsListsWithContext(ctx aws.Context, input *ListAppsListsInput, opts ...request.Option) (*ListAppsListsOutput, error) { - req, out := c.ListAppsListsRequest(input) +func (c *FMS) ListAdminAccountsForOrganizationWithContext(ctx aws.Context, input *ListAdminAccountsForOrganizationInput, opts ...request.Option) (*ListAdminAccountsForOrganizationOutput, error) { + req, out := c.ListAdminAccountsForOrganizationRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } -// ListAppsListsPages iterates over the pages of a ListAppsLists operation, +// ListAdminAccountsForOrganizationPages iterates over the pages of a ListAdminAccountsForOrganization operation, // calling the "fn" function with the response data for each page. To stop // iterating, return false from the fn function. // -// See ListAppsLists method for more information on how to use this operation. +// See ListAdminAccountsForOrganization method for more information on how to use this operation. // // Note: This operation can generate multiple requests to a service. // -// // Example iterating over at most 3 pages of a ListAppsLists operation. +// // Example iterating over at most 3 pages of a ListAdminAccountsForOrganization operation. 
// pageNum := 0 -// err := client.ListAppsListsPages(params, -// func(page *fms.ListAppsListsOutput, lastPage bool) bool { +// err := client.ListAdminAccountsForOrganizationPages(params, +// func(page *fms.ListAdminAccountsForOrganizationOutput, lastPage bool) bool { // pageNum++ // fmt.Println(page) // return pageNum <= 3 // }) -func (c *FMS) ListAppsListsPages(input *ListAppsListsInput, fn func(*ListAppsListsOutput, bool) bool) error { - return c.ListAppsListsPagesWithContext(aws.BackgroundContext(), input, fn) +func (c *FMS) ListAdminAccountsForOrganizationPages(input *ListAdminAccountsForOrganizationInput, fn func(*ListAdminAccountsForOrganizationOutput, bool) bool) error { + return c.ListAdminAccountsForOrganizationPagesWithContext(aws.BackgroundContext(), input, fn) } -// ListAppsListsPagesWithContext same as ListAppsListsPages except +// ListAdminAccountsForOrganizationPagesWithContext same as ListAdminAccountsForOrganizationPages except // it takes a Context and allows setting request options on the pages. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. 
-func (c *FMS) ListAppsListsPagesWithContext(ctx aws.Context, input *ListAppsListsInput, fn func(*ListAppsListsOutput, bool) bool, opts ...request.Option) error { +func (c *FMS) ListAdminAccountsForOrganizationPagesWithContext(ctx aws.Context, input *ListAdminAccountsForOrganizationInput, fn func(*ListAdminAccountsForOrganizationOutput, bool) bool, opts ...request.Option) error { p := request.Pagination{ NewRequest: func() (*request.Request, error) { - var inCpy *ListAppsListsInput + var inCpy *ListAdminAccountsForOrganizationInput if input != nil { tmp := *input inCpy = &tmp } - req, _ := c.ListAppsListsRequest(inCpy) + req, _ := c.ListAdminAccountsForOrganizationRequest(inCpy) req.SetContext(ctx) req.ApplyOptions(opts...) return req, nil @@ -2159,7 +2260,7 @@ func (c *FMS) ListAppsListsPagesWithContext(ctx aws.Context, input *ListAppsList } for p.Next() { - if !fn(p.Page().(*ListAppsListsOutput), !p.HasNextPage()) { + if !fn(p.Page().(*ListAdminAccountsForOrganizationOutput), !p.HasNextPage()) { break } } 
@@ -2167,34 +2268,34 @@ func (c *FMS) ListAppsListsPagesWithContext(ctx aws.Context, input *ListAppsList return p.Err() } -const opListComplianceStatus = "ListComplianceStatus" +const opListAdminsManagingAccount = "ListAdminsManagingAccount" -// ListComplianceStatusRequest generates a "aws/request.Request" representing the -// client's request for the ListComplianceStatus operation. The "output" return +// ListAdminsManagingAccountRequest generates a "aws/request.Request" representing the +// client's request for the ListAdminsManagingAccount operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // -// See ListComplianceStatus for more information on using the ListComplianceStatus +// See ListAdminsManagingAccount for more information on using the ListAdminsManagingAccount // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // -// // Example sending a request using the ListComplianceStatusRequest method. -// req, resp := client.ListComplianceStatusRequest(params) +// // Example sending a request using the ListAdminsManagingAccountRequest method. 
+// req, resp := client.ListAdminsManagingAccountRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // -// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListComplianceStatus -func (c *FMS) ListComplianceStatusRequest(input *ListComplianceStatusInput) (req *request.Request, output *ListComplianceStatusOutput) { +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminsManagingAccount +func (c *FMS) ListAdminsManagingAccountRequest(input *ListAdminsManagingAccountInput) (req *request.Request, output *ListAdminsManagingAccountOutput) { op := &request.Operation{ - Name: opListComplianceStatus, + Name: opListAdminsManagingAccount, HTTPMethod: "POST", HTTPPath: "/", Paginator: &request.Paginator{ 
@@ -2206,94 +2307,98 @@ func (c *FMS) ListComplianceStatusRequest(input *ListComplianceStatusInput) (req } if input == nil { - input = &ListComplianceStatusInput{} + input = &ListAdminsManagingAccountInput{} } - output = &ListComplianceStatusOutput{} + output = &ListAdminsManagingAccountOutput{} req = c.newRequest(op, input, output) return } -// ListComplianceStatus API operation for Firewall Management Service. +// ListAdminsManagingAccount API operation for Firewall Management Service. // -// Returns an array of PolicyComplianceStatus objects. Use PolicyComplianceStatus -// to get a summary of which member accounts are protected by the specified -// policy. +// Lists the accounts that are managing the specified Organizations member account. +// This is useful for any member account so that they can view the accounts +// who are managing their account. This operation only returns the managing +// administrators that have the requested account within their AdminScope. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for Firewall Management Service's -// API operation ListComplianceStatus for usage and error information. +// API operation ListAdminsManagingAccount for usage and error information. // // Returned Error Types: // // - ResourceNotFoundException // The specified resource was not found. // +// - InvalidInputException +// The parameters of the request were invalid. +// // - InternalErrorException // The operation failed because of a system problem, even though the request // was valid. Retry your request. 
// -// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListComplianceStatus -func (c *FMS) ListComplianceStatus(input *ListComplianceStatusInput) (*ListComplianceStatusOutput, error) { - req, out := c.ListComplianceStatusRequest(input) +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAdminsManagingAccount +func (c *FMS) ListAdminsManagingAccount(input *ListAdminsManagingAccountInput) (*ListAdminsManagingAccountOutput, error) { + req, out := c.ListAdminsManagingAccountRequest(input) return out, req.Send() } -// ListComplianceStatusWithContext is the same as ListComplianceStatus with the addition of +// ListAdminsManagingAccountWithContext is the same as ListAdminsManagingAccount with the addition of // the ability to pass a context and additional request options. // -// See ListComplianceStatus for details on how to use this API operation. +// See ListAdminsManagingAccount for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. -func (c *FMS) ListComplianceStatusWithContext(ctx aws.Context, input *ListComplianceStatusInput, opts ...request.Option) (*ListComplianceStatusOutput, error) { - req, out := c.ListComplianceStatusRequest(input) +func (c *FMS) ListAdminsManagingAccountWithContext(ctx aws.Context, input *ListAdminsManagingAccountInput, opts ...request.Option) (*ListAdminsManagingAccountOutput, error) { + req, out := c.ListAdminsManagingAccountRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) 
return out, req.Send() } -// ListComplianceStatusPages iterates over the pages of a ListComplianceStatus operation, +// ListAdminsManagingAccountPages iterates over the pages of a ListAdminsManagingAccount operation, // calling the "fn" function with the response data for each page. To stop // iterating, return false from the fn function. // -// See ListComplianceStatus method for more information on how to use this operation. +// See ListAdminsManagingAccount method for more information on how to use this operation. // // Note: This operation can generate multiple requests to a service. // -// // Example iterating over at most 3 pages of a ListComplianceStatus operation. +// // Example iterating over at most 3 pages of a ListAdminsManagingAccount operation. // pageNum := 0 -// err := client.ListComplianceStatusPages(params, -// func(page *fms.ListComplianceStatusOutput, lastPage bool) bool { +// err := client.ListAdminsManagingAccountPages(params, +// func(page *fms.ListAdminsManagingAccountOutput, lastPage bool) bool { // pageNum++ // fmt.Println(page) // return pageNum <= 3 // }) -func (c *FMS) ListComplianceStatusPages(input *ListComplianceStatusInput, fn func(*ListComplianceStatusOutput, bool) bool) error { - return c.ListComplianceStatusPagesWithContext(aws.BackgroundContext(), input, fn) +func (c *FMS) ListAdminsManagingAccountPages(input *ListAdminsManagingAccountInput, fn func(*ListAdminsManagingAccountOutput, bool) bool) error { + return c.ListAdminsManagingAccountPagesWithContext(aws.BackgroundContext(), input, fn) } -// ListComplianceStatusPagesWithContext same as ListComplianceStatusPages except +// ListAdminsManagingAccountPagesWithContext same as ListAdminsManagingAccountPages except // it takes a Context and allows setting request options on the pages. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. 
See https://golang.org/pkg/context/ // for more information on using Contexts. -func (c *FMS) ListComplianceStatusPagesWithContext(ctx aws.Context, input *ListComplianceStatusInput, fn func(*ListComplianceStatusOutput, bool) bool, opts ...request.Option) error { +func (c *FMS) ListAdminsManagingAccountPagesWithContext(ctx aws.Context, input *ListAdminsManagingAccountInput, fn func(*ListAdminsManagingAccountOutput, bool) bool, opts ...request.Option) error { p := request.Pagination{ NewRequest: func() (*request.Request, error) { - var inCpy *ListComplianceStatusInput + var inCpy *ListAdminsManagingAccountInput if input != nil { tmp := *input inCpy = &tmp } - req, _ := c.ListComplianceStatusRequest(inCpy) + req, _ := c.ListAdminsManagingAccountRequest(inCpy) req.SetContext(ctx) req.ApplyOptions(opts...) return req, nil @@ -2301,7 +2406,7 @@ func (c *FMS) ListComplianceStatusPagesWithContext(ctx aws.Context, input *ListC } for p.Next() { - if !fn(p.Page().(*ListComplianceStatusOutput), !p.HasNextPage()) { + if !fn(p.Page().(*ListAdminsManagingAccountOutput), !p.HasNextPage()) { break } } 
@@ -2309,61 +2414,69 @@ func (c *FMS) ListComplianceStatusPagesWithContext(ctx aws.Context, input *ListC return p.Err() } -const opListDiscoveredResources = "ListDiscoveredResources" +const opListAppsLists = "ListAppsLists" -// ListDiscoveredResourcesRequest generates a "aws/request.Request" representing the -// client's request for the ListDiscoveredResources operation. The "output" return +// ListAppsListsRequest generates a "aws/request.Request" representing the +// client's request for the ListAppsLists operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // -// See ListDiscoveredResources for more information on using the ListDiscoveredResources +// See ListAppsLists for more information on using the ListAppsLists // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // -// // Example sending a request using the ListDiscoveredResourcesRequest method. -// req, resp := client.ListDiscoveredResourcesRequest(params) +// // Example sending a request using the ListAppsListsRequest method. 
+// req, resp := client.ListAppsListsRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // -// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListDiscoveredResources -func (c *FMS) ListDiscoveredResourcesRequest(input *ListDiscoveredResourcesInput) (req *request.Request, output *ListDiscoveredResourcesOutput) { +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAppsLists +func (c *FMS) ListAppsListsRequest(input *ListAppsListsInput) (req *request.Request, output *ListAppsListsOutput) { op := &request.Operation{ - Name: opListDiscoveredResources, + Name: opListAppsLists, HTTPMethod: "POST", HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"NextToken"}, + OutputTokens: []string{"NextToken"}, + LimitToken: "MaxResults", + TruncationToken: "", + }, } if input == nil { - input = &ListDiscoveredResourcesInput{} + input = &ListAppsListsInput{} } - output = &ListDiscoveredResourcesOutput{} + output = &ListAppsListsOutput{} req = c.newRequest(op, input, output) return } -// ListDiscoveredResources API operation for Firewall Management Service. +// ListAppsLists API operation for Firewall Management Service. // -// Returns an array of resources in the organization's accounts that are available -// to be associated with a resource set. +// Returns an array of AppsListDataSummary objects. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for Firewall Management Service's -// API operation ListDiscoveredResources for usage and error information. +// API operation ListAppsLists for usage and error information. // // Returned Error Types: // +// - ResourceNotFoundException +// The specified resource was not found. 
+// // - InvalidOperationException // The operation failed because there was nothing to do or the operation wasn't // possible. For example, you might have submitted an AssociateAdminAccount 
@@ -2372,60 +2485,348 @@ func (c *FMS) ListDiscoveredResourcesRequest(input *ListDiscoveredResourcesInput // that you need to enable for the Firewall Manager administrator account and // for Organizations before you can access it. // -// - InvalidInputException -// The parameters of the request were invalid. +// - LimitExceededException +// The operation exceeds a resource limit, for example, the maximum number of +// policy objects that you can create for an Amazon Web Services account. For +// more information, see Firewall Manager Limits (https://docs.aws.amazon.com/waf/latest/developerguide/fms-limits.html) +// in the WAF Developer Guide. // // - InternalErrorException // The operation failed because of a system problem, even though the request // was valid. Retry your request. // -// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListDiscoveredResources -func (c *FMS) ListDiscoveredResources(input *ListDiscoveredResourcesInput) (*ListDiscoveredResourcesOutput, error) { - req, out := c.ListDiscoveredResourcesRequest(input) +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListAppsLists +func (c *FMS) ListAppsLists(input *ListAppsListsInput) (*ListAppsListsOutput, error) { + req, out := c.ListAppsListsRequest(input) return out, req.Send() } -// ListDiscoveredResourcesWithContext is the same as ListDiscoveredResources with the addition of +// ListAppsListsWithContext is the same as ListAppsLists with the addition of // the ability to pass a context and additional request options. // -// See ListDiscoveredResources for details on how to use this API operation. +// See ListAppsLists for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. 
-func (c *FMS) ListDiscoveredResourcesWithContext(ctx aws.Context, input *ListDiscoveredResourcesInput, opts ...request.Option) (*ListDiscoveredResourcesOutput, error) { - req, out := c.ListDiscoveredResourcesRequest(input) +func (c *FMS) ListAppsListsWithContext(ctx aws.Context, input *ListAppsListsInput, opts ...request.Option) (*ListAppsListsOutput, error) { + req, out := c.ListAppsListsRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } -const opListMemberAccounts = "ListMemberAccounts" - -// ListMemberAccountsRequest generates a "aws/request.Request" representing the -// client's request for the ListMemberAccounts operation. The "output" return -// value will be populated with the request's response once the request completes -// successfully. -// -// Use "Send" method on the returned Request to send the API call to the service. -// the "output" return value is not valid until after Send returns without error. -// -// See ListMemberAccounts for more information on using the ListMemberAccounts -// API call, and error handling. +// ListAppsListsPages iterates over the pages of a ListAppsLists operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. // -// This method is useful when you want to inject custom logic or configuration -// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// See ListAppsLists method for more information on how to use this operation. // -// // Example sending a request using the ListMemberAccountsRequest method. -// req, resp := client.ListMemberAccountsRequest(params) +// Note: This operation can generate multiple requests to a service. // -// err := req.Send() -// if err == nil { // resp is now filled -// fmt.Println(resp) -// } +// // Example iterating over at most 3 pages of a ListAppsLists operation. 
+// pageNum := 0 +// err := client.ListAppsListsPages(params, +// func(page *fms.ListAppsListsOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +func (c *FMS) ListAppsListsPages(input *ListAppsListsInput, fn func(*ListAppsListsOutput, bool) bool) error { + return c.ListAppsListsPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListAppsListsPagesWithContext same as ListAppsListsPages except +// it takes a Context and allows setting request options on the pages. // -// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListMemberAccounts +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *FMS) ListAppsListsPagesWithContext(ctx aws.Context, input *ListAppsListsInput, fn func(*ListAppsListsOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListAppsListsInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListAppsListsRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*ListAppsListsOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + +const opListComplianceStatus = "ListComplianceStatus" + +// ListComplianceStatusRequest generates a "aws/request.Request" representing the +// client's request for the ListComplianceStatus operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. 
+// +// See ListComplianceStatus for more information on using the ListComplianceStatus +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// // Example sending a request using the ListComplianceStatusRequest method. +// req, resp := client.ListComplianceStatusRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListComplianceStatus +func (c *FMS) ListComplianceStatusRequest(input *ListComplianceStatusInput) (req *request.Request, output *ListComplianceStatusOutput) { + op := &request.Operation{ + Name: opListComplianceStatus, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"NextToken"}, + OutputTokens: []string{"NextToken"}, + LimitToken: "MaxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &ListComplianceStatusInput{} + } + + output = &ListComplianceStatusOutput{} + req = c.newRequest(op, input, output) + return +} + +// ListComplianceStatus API operation for Firewall Management Service. +// +// Returns an array of PolicyComplianceStatus objects. Use PolicyComplianceStatus +// to get a summary of which member accounts are protected by the specified +// policy. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Firewall Management Service's +// API operation ListComplianceStatus for usage and error information. +// +// Returned Error Types: +// +// - ResourceNotFoundException +// The specified resource was not found. 
+// +// - InternalErrorException +// The operation failed because of a system problem, even though the request +// was valid. Retry your request. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListComplianceStatus +func (c *FMS) ListComplianceStatus(input *ListComplianceStatusInput) (*ListComplianceStatusOutput, error) { + req, out := c.ListComplianceStatusRequest(input) + return out, req.Send() +} + +// ListComplianceStatusWithContext is the same as ListComplianceStatus with the addition of +// the ability to pass a context and additional request options. +// +// See ListComplianceStatus for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *FMS) ListComplianceStatusWithContext(ctx aws.Context, input *ListComplianceStatusInput, opts ...request.Option) (*ListComplianceStatusOutput, error) { + req, out := c.ListComplianceStatusRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// ListComplianceStatusPages iterates over the pages of a ListComplianceStatus operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See ListComplianceStatus method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a ListComplianceStatus operation. 
+// pageNum := 0 +// err := client.ListComplianceStatusPages(params, +// func(page *fms.ListComplianceStatusOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +func (c *FMS) ListComplianceStatusPages(input *ListComplianceStatusInput, fn func(*ListComplianceStatusOutput, bool) bool) error { + return c.ListComplianceStatusPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// ListComplianceStatusPagesWithContext same as ListComplianceStatusPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *FMS) ListComplianceStatusPagesWithContext(ctx aws.Context, input *ListComplianceStatusInput, fn func(*ListComplianceStatusOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *ListComplianceStatusInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.ListComplianceStatusRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*ListComplianceStatusOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + +const opListDiscoveredResources = "ListDiscoveredResources" + +// ListDiscoveredResourcesRequest generates a "aws/request.Request" representing the +// client's request for the ListDiscoveredResources operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. 
+// +// See ListDiscoveredResources for more information on using the ListDiscoveredResources +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// // Example sending a request using the ListDiscoveredResourcesRequest method. +// req, resp := client.ListDiscoveredResourcesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListDiscoveredResources +func (c *FMS) ListDiscoveredResourcesRequest(input *ListDiscoveredResourcesInput) (req *request.Request, output *ListDiscoveredResourcesOutput) { + op := &request.Operation{ + Name: opListDiscoveredResources, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ListDiscoveredResourcesInput{} + } + + output = &ListDiscoveredResourcesOutput{} + req = c.newRequest(op, input, output) + return +} + +// ListDiscoveredResources API operation for Firewall Management Service. +// +// Returns an array of resources in the organization's accounts that are available +// to be associated with a resource set. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Firewall Management Service's +// API operation ListDiscoveredResources for usage and error information. +// +// Returned Error Types: +// +// - InvalidOperationException +// The operation failed because there was nothing to do or the operation wasn't +// possible. For example, you might have submitted an AssociateAdminAccount +// request for an account ID that was already set as the Firewall Manager administrator. 
+// Or you might have tried to access a Region that's disabled by default, and +// that you need to enable for the Firewall Manager administrator account and +// for Organizations before you can access it. +// +// - InvalidInputException +// The parameters of the request were invalid. +// +// - InternalErrorException +// The operation failed because of a system problem, even though the request +// was valid. Retry your request. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListDiscoveredResources +func (c *FMS) ListDiscoveredResources(input *ListDiscoveredResourcesInput) (*ListDiscoveredResourcesOutput, error) { + req, out := c.ListDiscoveredResourcesRequest(input) + return out, req.Send() +} + +// ListDiscoveredResourcesWithContext is the same as ListDiscoveredResources with the addition of +// the ability to pass a context and additional request options. +// +// See ListDiscoveredResources for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *FMS) ListDiscoveredResourcesWithContext(ctx aws.Context, input *ListDiscoveredResourcesInput, opts ...request.Option) (*ListDiscoveredResourcesOutput, error) { + req, out := c.ListDiscoveredResourcesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +const opListMemberAccounts = "ListMemberAccounts" + +// ListMemberAccountsRequest generates a "aws/request.Request" representing the +// client's request for the ListMemberAccounts operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. 
+// the "output" return value is not valid until after Send returns without error. +// +// See ListMemberAccounts for more information on using the ListMemberAccounts +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// // Example sending a request using the ListMemberAccountsRequest method. +// req, resp := client.ListMemberAccountsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListMemberAccounts func (c *FMS) ListMemberAccountsRequest(input *ListMemberAccountsInput) (req *request.Request, output *ListMemberAccountsOutput) { op := &request.Operation{ Name: opListMemberAccounts, @@ -2453,8 +2854,8 @@ func (c *FMS) ListMemberAccountsRequest(input *ListMemberAccountsInput) (req *re // Returns a MemberAccounts object that lists the member accounts in the administrator's // Amazon Web Services organization. // -// The ListMemberAccounts must be submitted by the account that is set as the -// Firewall Manager administrator. +// Either an Firewall Manager administrator or the organization's management +// account can make this request. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about 
@@ -3279,6 +3680,113 @@ func (c *FMS) ListThirdPartyFirewallFirewallPoliciesPagesWithContext(ctx aws.Con return p.Err() } +const opPutAdminAccount = "PutAdminAccount" + +// PutAdminAccountRequest generates a "aws/request.Request" representing the +// client's request for the PutAdminAccount operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See PutAdminAccount for more information on using the PutAdminAccount +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// // Example sending a request using the PutAdminAccountRequest method. +// req, resp := client.PutAdminAccountRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PutAdminAccount +func (c *FMS) PutAdminAccountRequest(input *PutAdminAccountInput) (req *request.Request, output *PutAdminAccountOutput) { + op := &request.Operation{ + Name: opPutAdminAccount, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &PutAdminAccountInput{} + } + + output = &PutAdminAccountOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// PutAdminAccount API operation for Firewall Management Service. +// +// Creates or updates an Firewall Manager administrator account. The account +// must be a member of the organization that was onboarded to Firewall Manager +// by AssociateAdminAccount. 
Only the organization's management account can +// create an Firewall Manager administrator account. When you create an Firewall +// Manager administrator account, the service checks to see if the account is +// already a delegated administrator within Organizations. If the account isn't +// a delegated administrator, Firewall Manager calls Organizations to delegate +// the account within Organizations. For more information about administrator +// accounts within Organizations, see Managing the Amazon Web Services Accounts +// in Your Organization (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html). +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Firewall Management Service's +// API operation PutAdminAccount for usage and error information. +// +// Returned Error Types: +// +// - InvalidOperationException +// The operation failed because there was nothing to do or the operation wasn't +// possible. For example, you might have submitted an AssociateAdminAccount +// request for an account ID that was already set as the Firewall Manager administrator. +// Or you might have tried to access a Region that's disabled by default, and +// that you need to enable for the Firewall Manager administrator account and +// for Organizations before you can access it. +// +// - InvalidInputException +// The parameters of the request were invalid. +// +// - InternalErrorException +// The operation failed because of a system problem, even though the request +// was valid. Retry your request. +// +// - LimitExceededException +// The operation exceeds a resource limit, for example, the maximum number of +// policy objects that you can create for an Amazon Web Services account. 
For +// more information, see Firewall Manager Limits (https://docs.aws.amazon.com/waf/latest/developerguide/fms-limits.html) +// in the WAF Developer Guide. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PutAdminAccount +func (c *FMS) PutAdminAccount(input *PutAdminAccountInput) (*PutAdminAccountOutput, error) { + req, out := c.PutAdminAccountRequest(input) + return out, req.Send() +} + +// PutAdminAccountWithContext is the same as PutAdminAccount with the addition of +// the ability to pass a context and additional request options. +// +// See PutAdminAccount for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *FMS) PutAdminAccountWithContext(ctx aws.Context, input *PutAdminAccountInput, opts ...request.Option) (*PutAdminAccountOutput, error) { + req, out := c.PutAdminAccountRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opPutAppsList = "PutAppsList" // PutAppsListRequest generates a "aws/request.Request" representing the 
@@ -3426,10 +3934,13 @@ func (c *FMS) PutNotificationChannelRequest(input *PutNotificationChannelInput) // Designates the IAM role and Amazon Simple Notification Service (SNS) topic // that Firewall Manager uses to record SNS logs. // -// To perform this action outside of the console, you must configure the SNS -// topic to allow the Firewall Manager role AWSServiceRoleForFMS to publish -// SNS logs. For more information, see Firewall Manager required permissions -// for API actions (https://docs.aws.amazon.com/waf/latest/developerguide/fms-api-permissions-ref.html) +// To perform this action outside of the console, you must first configure the +// SNS topic's access policy to allow the SnsRoleName to publish SNS logs. If +// the SnsRoleName provided is a role other than the AWSServiceRoleForFMS service-linked +// role, this role must have a trust relationship configured to allow the Firewall +// Manager service principal fms.amazonaws.com to assume this role. For information +// about configuring an SNS access policy, see Service roles for Firewall Manager +// (https://docs.aws.amazon.com/waf/latest/developerguide/fms-security_iam_service-with-iam.html#fms-security_iam_service-with-iam-roles-service) // in the Firewall Manager Developer Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 
@@ -4004,6 +4515,72 @@ func (c *FMS) UntagResourceWithContext(ctx aws.Context, input *UntagResourceInpu return out, req.Send() } +// Configures the accounts within the administrator's Organizations organization +// that the specified Firewall Manager administrator can apply policies to. +type AccountScope struct { + _ struct{} `type:"structure"` + + // The list of accounts within the organization that the specified Firewall + // Manager administrator either can or cannot apply policies to, based on the + // value of ExcludeSpecifiedAccounts. If ExcludeSpecifiedAccounts is set to + // true, then the Firewall Manager administrator can apply policies to all members + // of the organization except for the accounts in this list. If ExcludeSpecifiedAccounts + // is set to false, then the Firewall Manager administrator can only apply policies + // to the accounts in this list. + Accounts []*string `type:"list"` + + // A boolean value that indicates if the administrator can apply policies to + // all accounts within an organization. If true, the administrator can apply + // policies to all accounts within the organization. You can either enable management + // of all accounts through this operation, or you can specify a list of accounts + // to manage in AccountScope$Accounts. You cannot specify both. + AllAccountsEnabled *bool `type:"boolean"` + + // A boolean value that excludes the accounts in AccountScope$Accounts from + // the administrator's scope. If true, the Firewall Manager administrator can + // apply policies to all members of the organization except for the accounts + // listed in AccountScope$Accounts. You can either specify a list of accounts + // to exclude by AccountScope$Accounts, or you can enable management of all + // accounts by AccountScope$AllAccountsEnabled. You cannot specify both. + ExcludeSpecifiedAccounts *bool `type:"boolean"` +} + +// String returns the string representation. 
+// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s AccountScope) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s AccountScope) GoString() string { + return s.String() +} + +// SetAccounts sets the Accounts field's value. +func (s *AccountScope) SetAccounts(v []*string) *AccountScope { + s.Accounts = v + return s +} + +// SetAllAccountsEnabled sets the AllAccountsEnabled field's value. +func (s *AccountScope) SetAllAccountsEnabled(v bool) *AccountScope { + s.AllAccountsEnabled = &v + return s +} + +// SetExcludeSpecifiedAccounts sets the ExcludeSpecifiedAccounts field's value. +func (s *AccountScope) SetExcludeSpecifiedAccounts(v bool) *AccountScope { + s.ExcludeSpecifiedAccounts = &v + return s +} + // Describes a remediation action target. type ActionTarget struct { _ struct{} `type:"structure"` 
@@ -4045,6 +4622,144 @@ func (s *ActionTarget) SetResourceId(v string) *ActionTarget { return s } +// Contains high level information about the Firewall Manager administrator +// account. +type AdminAccountSummary struct { + _ struct{} `type:"structure"` + + // The Amazon Web Services account ID of the Firewall Manager administrator's + // account. + AdminAccount *string `min:"1" type:"string"` + + // A boolean value that indicates if the administrator is the default administrator. + // If true, then this is the default administrator account. The default administrator + // can manage third-party firewalls and has full administrative scope. There + // is only one default administrator account per organization. For information + // about Firewall Manager default administrator accounts, see Managing Firewall + // Manager administrators (https://docs.aws.amazon.com/waf/latest/developerguide/fms-administrators.html) + // in the Firewall Manager Developer Guide. + DefaultAdmin *bool `type:"boolean"` + + // The current status of the request to onboard a member account as an Firewall + // Manager administator. + // + // * ONBOARDING - The account is onboarding to Firewall Manager as an administrator. + // + // * ONBOARDING_COMPLETE - Firewall Manager The account is onboarded to Firewall + // Manager as an administrator, and can perform actions on the resources + // defined in their AdminScope. + // + // * OFFBOARDING - The account is being removed as an Firewall Manager administrator. + // + // * OFFBOARDING_COMPLETE - The account has been removed as an Firewall Manager + // administrator. + Status *string `type:"string" enum:"OrganizationStatus"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". 
+func (s AdminAccountSummary) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s AdminAccountSummary) GoString() string { + return s.String() +} + +// SetAdminAccount sets the AdminAccount field's value. +func (s *AdminAccountSummary) SetAdminAccount(v string) *AdminAccountSummary { + s.AdminAccount = &v + return s +} + +// SetDefaultAdmin sets the DefaultAdmin field's value. +func (s *AdminAccountSummary) SetDefaultAdmin(v bool) *AdminAccountSummary { + s.DefaultAdmin = &v + return s +} + +// SetStatus sets the Status field's value. +func (s *AdminAccountSummary) SetStatus(v string) *AdminAccountSummary { + s.Status = &v + return s +} + +// Defines the resources that the Firewall Manager administrator can manage. +// For more information about administrative scope, see Managing Firewall Manager +// administrators (https://docs.aws.amazon.com/waf/latest/developerguide/fms-administrators.html) +// in the Firewall Manager Developer Guide. +type AdminScope struct { + _ struct{} `type:"structure"` + + // Defines the accounts that the specified Firewall Manager administrator can + // apply policies to. + AccountScope *AccountScope `type:"structure"` + + // Defines the Organizations organizational units that the specified Firewall + // Manager administrator can apply policies to. For more information about OUs + // in Organizations, see Managing organizational units (OUs) (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) + // in the Organizations User Guide. + OrganizationalUnitScope *OrganizationalUnitScope `type:"structure"` + + // Defines the Firewall Manager policy types that the specified Firewall Manager + // administrator can create and manage. 
+ PolicyTypeScope *PolicyTypeScope `type:"structure"` + + // Defines the Amazon Web Services Regions that the specified Firewall Manager + // administrator can perform actions in. + RegionScope *RegionScope `type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s AdminScope) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s AdminScope) GoString() string { + return s.String() +} + +// SetAccountScope sets the AccountScope field's value. +func (s *AdminScope) SetAccountScope(v *AccountScope) *AdminScope { + s.AccountScope = v + return s +} + +// SetOrganizationalUnitScope sets the OrganizationalUnitScope field's value. +func (s *AdminScope) SetOrganizationalUnitScope(v *OrganizationalUnitScope) *AdminScope { + s.OrganizationalUnitScope = v + return s +} + +// SetPolicyTypeScope sets the PolicyTypeScope field's value. +func (s *AdminScope) SetPolicyTypeScope(v *PolicyTypeScope) *AdminScope { + s.PolicyTypeScope = v + return s +} + +// SetRegionScope sets the RegionScope field's value. +func (s *AdminScope) SetRegionScope(v *RegionScope) *AdminScope { + s.RegionScope = v + return s +} + // An individual Firewall Manager application. type App struct { _ struct{} `type:"structure"` 
@@ -4317,8 +5032,9 @@ type AssociateAdminAccountInput struct { _ struct{} `type:"structure"` // The Amazon Web Services account ID to associate with Firewall Manager as - // the Firewall Manager administrator account. This must be an Organizations - // member account. For more information about Organizations, see Managing the + // the Firewall Manager default administrator account. This account must be + // a member account of the organization in Organizations whose resources you + // want to protect. For more information about Organizations, see Managing the // Amazon Web Services Accounts in Your Organization (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html). // // AdminAccount is a required field @@ -4633,7 +5349,7 @@ type BatchAssociateResourceInput struct { // Items is a required field Items []*string `type:"list" required:"true"` - // A unique identifier for the resource set, used in a TODO to refer to the + // A unique identifier for the resource set, used in a request to refer to the // resource set. // // ResourceSetIdentifier is a required field @@ -4697,7 +5413,7 @@ type BatchAssociateResourceOutput struct { // FailedItems is a required field FailedItems []*FailedItem `type:"list" required:"true"` - // A unique identifier for the resource set, used in a TODO to refer to the + // A unique identifier for the resource set, used in a request to refer to the // resource set. // // ResourceSetIdentifier is a required field @@ -4743,7 +5459,7 @@ type BatchDisassociateResourceInput struct { // Items is a required field Items []*string `type:"list" required:"true"` - // A unique identifier for the resource set, used in a TODO to refer to the + // A unique identifier for the resource set, used in a request to refer to the // resource set. // // ResourceSetIdentifier is a required field 
@@ -4807,7 +5523,7 @@ type BatchDisassociateResourceOutput struct { // FailedItems is a required field FailedItems []*FailedItem `type:"list" required:"true"` - // A unique identifier for the resource set, used in a TODO to refer to the + // A unique identifier for the resource set, used in a request to refer to the // resource set. // // ResourceSetIdentifier is a required field @@ -5202,7 +5918,7 @@ func (s DeleteProtocolsListOutput) GoString() string { type DeleteResourceSetInput struct { _ struct{} `type:"structure"` - // A unique identifier for the resource set, used in a TODO to refer to the + // A unique identifier for the resource set, used in a request to refer to the // resource set. // // Identifier is a required field 
@@ -6431,14 +7147,81 @@ func (s *FirewallSubnetMissingVPCEndpointViolation) SetSubnetAvailabilityZoneId( return s } -// SetVpcId sets the VpcId field's value. -func (s *FirewallSubnetMissingVPCEndpointViolation) SetVpcId(v string) *FirewallSubnetMissingVPCEndpointViolation { - s.VpcId = &v +// SetVpcId sets the VpcId field's value. +func (s *FirewallSubnetMissingVPCEndpointViolation) SetVpcId(v string) *FirewallSubnetMissingVPCEndpointViolation { + s.VpcId = &v + return s +} + +type GetAdminAccountInput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s GetAdminAccountInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s GetAdminAccountInput) GoString() string { + return s.String() +} + +type GetAdminAccountOutput struct { + _ struct{} `type:"structure"` + + // The account that is set as the Firewall Manager default administrator. + AdminAccount *string `min:"1" type:"string"` + + // The status of the account that you set as the Firewall Manager default administrator. + RoleStatus *string `type:"string" enum:"AccountRoleStatus"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s GetAdminAccountOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. 
+// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s GetAdminAccountOutput) GoString() string { + return s.String() +} + +// SetAdminAccount sets the AdminAccount field's value. +func (s *GetAdminAccountOutput) SetAdminAccount(v string) *GetAdminAccountOutput { + s.AdminAccount = &v + return s +} + +// SetRoleStatus sets the RoleStatus field's value. +func (s *GetAdminAccountOutput) SetRoleStatus(v string) *GetAdminAccountOutput { + s.RoleStatus = &v return s } -type GetAdminAccountInput struct { +type GetAdminScopeInput struct { _ struct{} `type:"structure"` + + // The administator account that you want to get the details for. + // + // AdminAccount is a required field + AdminAccount *string `min:"1" type:"string" required:"true"` } // String returns the string representation. @@ -6446,7 +7229,7 @@ type GetAdminAccountInput struct { // API parameter values that are decorated as "sensitive" in the API will not // be included in the string output. The member name will be present, but the // value will be replaced with "sensitive". -func (s GetAdminAccountInput) String() string { +func (s GetAdminScopeInput) String() string { return awsutil.Prettify(s) } 
@@ -6455,19 +7238,52 @@ func (s GetAdminAccountInput) String() string { // API parameter values that are decorated as "sensitive" in the API will not // be included in the string output. The member name will be present, but the // value will be replaced with "sensitive". -func (s GetAdminAccountInput) GoString() string { +func (s GetAdminScopeInput) GoString() string { return s.String() } -type GetAdminAccountOutput struct { +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetAdminScopeInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetAdminScopeInput"} + if s.AdminAccount == nil { + invalidParams.Add(request.NewErrParamRequired("AdminAccount")) + } + if s.AdminAccount != nil && len(*s.AdminAccount) < 1 { + invalidParams.Add(request.NewErrParamMinLen("AdminAccount", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAdminAccount sets the AdminAccount field's value. +func (s *GetAdminScopeInput) SetAdminAccount(v string) *GetAdminScopeInput { + s.AdminAccount = &v + return s +} + +type GetAdminScopeOutput struct { _ struct{} `type:"structure"` - // The Amazon Web Services account that is set as the Firewall Manager administrator. - AdminAccount *string `min:"1" type:"string"` + // Contains details about the administrative scope of the requested account. + AdminScope *AdminScope `type:"structure"` - // The status of the Amazon Web Services account that you set as the Firewall - // Manager administrator. - RoleStatus *string `type:"string" enum:"AccountRoleStatus"` + // The current status of the request to onboard a member account as an Firewall + // Manager administator. + // + // * ONBOARDING - The account is onboarding to Firewall Manager as an administrator. + // + // * ONBOARDING_COMPLETE - Firewall Manager The account is onboarded to Firewall + // Manager as an administrator, and can perform actions on the resources + // defined in their AdminScope. 
+ // + // * OFFBOARDING - The account is being removed as an Firewall Manager administrator. + // + // * OFFBOARDING_COMPLETE - The account has been removed as an Firewall Manager + // administrator. + Status *string `type:"string" enum:"OrganizationStatus"` } // String returns the string representation. @@ -6475,7 +7291,7 @@ type GetAdminAccountOutput struct { // API parameter values that are decorated as "sensitive" in the API will not // be included in the string output. The member name will be present, but the // value will be replaced with "sensitive". -func (s GetAdminAccountOutput) String() string { +func (s GetAdminScopeOutput) String() string { return awsutil.Prettify(s) } @@ -6484,19 +7300,19 @@ func (s GetAdminAccountOutput) String() string { // API parameter values that are decorated as "sensitive" in the API will not // be included in the string output. The member name will be present, but the // value will be replaced with "sensitive". -func (s GetAdminAccountOutput) GoString() string { +func (s GetAdminScopeOutput) GoString() string { return s.String() } -// SetAdminAccount sets the AdminAccount field's value. -func (s *GetAdminAccountOutput) SetAdminAccount(v string) *GetAdminAccountOutput { - s.AdminAccount = &v +// SetAdminScope sets the AdminScope field's value. +func (s *GetAdminScopeOutput) SetAdminScope(v *AdminScope) *GetAdminScopeOutput { + s.AdminScope = v return s } -// SetRoleStatus sets the RoleStatus field's value. -func (s *GetAdminAccountOutput) SetRoleStatus(v string) *GetAdminAccountOutput { - s.RoleStatus = &v +// SetStatus sets the Status field's value. +func (s *GetAdminScopeOutput) SetStatus(v string) *GetAdminScopeOutput { + s.Status = &v return s } 
@@ -7150,7 +7966,7 @@ func (s *GetProtocolsListOutput) SetProtocolsListArn(v string) *GetProtocolsList type GetResourceSetInput struct { _ struct{} `type:"structure"` - // A unique identifier for the resource set, used in a TODO to refer to the + // A unique identifier for the resource set, used in a request to refer to the // resource set. // // Identifier is a required field 
@@ -7759,7 +8575,248 @@ type LimitExceededException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` - Message_ *string `locationName:"Message" type:"string"` + Message_ *string `locationName:"Message" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s LimitExceededException) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s LimitExceededException) GoString() string { + return s.String() +} + +func newErrorLimitExceededException(v protocol.ResponseMetadata) error { + return &LimitExceededException{ + RespMetadata: v, + } +} + +// Code returns the exception type name. +func (s *LimitExceededException) Code() string { + return "LimitExceededException" +} + +// Message returns the exception's message. +func (s *LimitExceededException) Message() string { + if s.Message_ != nil { + return *s.Message_ + } + return "" +} + +// OrigErr always returns nil, satisfies awserr.Error interface. +func (s *LimitExceededException) OrigErr() error { + return nil +} + +func (s *LimitExceededException) Error() string { + return fmt.Sprintf("%s: %s", s.Code(), s.Message()) +} + +// Status code returns the HTTP status code for the request's response error. +func (s *LimitExceededException) StatusCode() int { + return s.RespMetadata.StatusCode +} + +// RequestID returns the service's response RequestID for request. 
+func (s *LimitExceededException) RequestID() string { + return s.RespMetadata.RequestID +} + +type ListAdminAccountsForOrganizationInput struct { + _ struct{} `type:"structure"` + + // The maximum number of objects that you want Firewall Manager to return for + // this request. If more objects are available, in the response, Firewall Manager + // provides a NextToken value that you can use in a subsequent call to get the + // next batch of objects. + MaxResults *int64 `min:"1" type:"integer"` + + // When you request a list of objects with a MaxResults setting, if the number + // of objects that are still available for retrieval exceeds the maximum you + // requested, Firewall Manager returns a NextToken value in the response. To + // retrieve the next batch of objects, use the token returned from the prior + // request in your next request. + NextToken *string `min:"1" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ListAdminAccountsForOrganizationInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ListAdminAccountsForOrganizationInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. 
+func (s *ListAdminAccountsForOrganizationInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListAdminAccountsForOrganizationInput"} + if s.MaxResults != nil && *s.MaxResults < 1 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 1)) + } + if s.NextToken != nil && len(*s.NextToken) < 1 { + invalidParams.Add(request.NewErrParamMinLen("NextToken", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetMaxResults sets the MaxResults field's value. +func (s *ListAdminAccountsForOrganizationInput) SetMaxResults(v int64) *ListAdminAccountsForOrganizationInput { + s.MaxResults = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *ListAdminAccountsForOrganizationInput) SetNextToken(v string) *ListAdminAccountsForOrganizationInput { + s.NextToken = &v + return s +} + +type ListAdminAccountsForOrganizationOutput struct { + _ struct{} `type:"structure"` + + // A list of Firewall Manager administrator accounts within the organization + // that were onboarded as administrators by AssociateAdminAccount or PutAdminAccount. + AdminAccounts []*AdminAccountSummary `type:"list"` + + // When you request a list of objects with a MaxResults setting, if the number + // of objects that are still available for retrieval exceeds the maximum you + // requested, Firewall Manager returns a NextToken value in the response. To + // retrieve the next batch of objects, use the token returned from the prior + // request in your next request. + NextToken *string `min:"1" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ListAdminAccountsForOrganizationOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. 
+// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ListAdminAccountsForOrganizationOutput) GoString() string { + return s.String() +} + +// SetAdminAccounts sets the AdminAccounts field's value. +func (s *ListAdminAccountsForOrganizationOutput) SetAdminAccounts(v []*AdminAccountSummary) *ListAdminAccountsForOrganizationOutput { + s.AdminAccounts = v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *ListAdminAccountsForOrganizationOutput) SetNextToken(v string) *ListAdminAccountsForOrganizationOutput { + s.NextToken = &v + return s +} + +type ListAdminsManagingAccountInput struct { + _ struct{} `type:"structure"` + + // The maximum number of objects that you want Firewall Manager to return for + // this request. If more objects are available, in the response, Firewall Manager + // provides a NextToken value that you can use in a subsequent call to get the + // next batch of objects. + MaxResults *int64 `min:"1" type:"integer"` + + // When you request a list of objects with a MaxResults setting, if the number + // of objects that are still available for retrieval exceeds the maximum you + // requested, Firewall Manager returns a NextToken value in the response. To + // retrieve the next batch of objects, use the token returned from the prior + // request in your next request. + NextToken *string `min:"1" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ListAdminsManagingAccountInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. 
+// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ListAdminsManagingAccountInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ListAdminsManagingAccountInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ListAdminsManagingAccountInput"} + if s.MaxResults != nil && *s.MaxResults < 1 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 1)) + } + if s.NextToken != nil && len(*s.NextToken) < 1 { + invalidParams.Add(request.NewErrParamMinLen("NextToken", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetMaxResults sets the MaxResults field's value. +func (s *ListAdminsManagingAccountInput) SetMaxResults(v int64) *ListAdminsManagingAccountInput { + s.MaxResults = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *ListAdminsManagingAccountInput) SetNextToken(v string) *ListAdminsManagingAccountInput { + s.NextToken = &v + return s +} + +type ListAdminsManagingAccountOutput struct { + _ struct{} `type:"structure"` + + // The list of accounts who manage member accounts within their AdminScope. + AdminAccounts []*string `type:"list"` + + // When you request a list of objects with a MaxResults setting, if the number + // of objects that are still available for retrieval exceeds the maximum you + // requested, Firewall Manager returns a NextToken value in the response. To + // retrieve the next batch of objects, use the token returned from the prior + // request in your next request. + NextToken *string `min:"1" type:"string"` } // String returns the string representation. 
@@ -7767,7 +8824,7 @@ type LimitExceededException struct { // API parameter values that are decorated as "sensitive" in the API will not // be included in the string output. The member name will be present, but the // value will be replaced with "sensitive". -func (s LimitExceededException) String() string { +func (s ListAdminsManagingAccountOutput) String() string { return awsutil.Prettify(s) } 
@@ -7776,46 +8833,20 @@ func (s LimitExceededException) String() string { // API parameter values that are decorated as "sensitive" in the API will not // be included in the string output. The member name will be present, but the // value will be replaced with "sensitive". -func (s LimitExceededException) GoString() string { +func (s ListAdminsManagingAccountOutput) GoString() string { return s.String() } -func newErrorLimitExceededException(v protocol.ResponseMetadata) error { - return &LimitExceededException{ - RespMetadata: v, - } -} - -// Code returns the exception type name. -func (s *LimitExceededException) Code() string { - return "LimitExceededException" -} - -// Message returns the exception's message. -func (s *LimitExceededException) Message() string { - if s.Message_ != nil { - return *s.Message_ - } - return "" -} - -// OrigErr always returns nil, satisfies awserr.Error interface. -func (s *LimitExceededException) OrigErr() error { - return nil -} - -func (s *LimitExceededException) Error() string { - return fmt.Sprintf("%s: %s", s.Code(), s.Message()) -} - -// Status code returns the HTTP status code for the request's response error. -func (s *LimitExceededException) StatusCode() int { - return s.RespMetadata.StatusCode +// SetAdminAccounts sets the AdminAccounts field's value. +func (s *ListAdminsManagingAccountOutput) SetAdminAccounts(v []*string) *ListAdminsManagingAccountOutput { + s.AdminAccounts = v + return s } -// RequestID returns the service's response RequestID for request. -func (s *LimitExceededException) RequestID() string { - return s.RespMetadata.RequestID +// SetNextToken sets the NextToken field's value. +func (s *ListAdminsManagingAccountOutput) SetNextToken(v string) *ListAdminsManagingAccountOutput { + s.NextToken = &v + return s } type ListAppsListsInput struct { 
@@ -8547,7 +9578,7 @@ func (s *ListProtocolsListsOutput) SetProtocolsLists(v []*ProtocolsListDataSumma type ListResourceSetResourcesInput struct { _ struct{} `type:"structure"` - // A unique identifier for the resource set, used in a TODO to refer to the + // A unique identifier for the resource set, used in a request to refer to the // resource set. // // Identifier is a required field 
@@ -9977,6 +11008,75 @@ func (s *NetworkFirewallUnexpectedGatewayRoutesViolation) SetVpcId(v string) *Ne return s } +// Defines the Organizations organizational units (OUs) that the specified Firewall +// Manager administrator can apply policies to. For more information about OUs +// in Organizations, see Managing organizational units (OUs) (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_ous.html) +// in the Organizations User Guide. +type OrganizationalUnitScope struct { + _ struct{} `type:"structure"` + + // A boolean value that indicates if the administrator can apply policies to + // all OUs within an organization. If true, the administrator can manage all + // OUs within the organization. You can either enable management of all OUs + // through this operation, or you can specify OUs to manage in OrganizationalUnitScope$OrganizationalUnits. + // You cannot specify both. + AllOrganizationalUnitsEnabled *bool `type:"boolean"` + + // A boolean value that excludes the OUs in OrganizationalUnitScope$OrganizationalUnits + // from the administrator's scope. If true, the Firewall Manager administrator + // can apply policies to all OUs in the organization except for the OUs listed + // in OrganizationalUnitScope$OrganizationalUnits. You can either specify a + // list of OUs to exclude by OrganizationalUnitScope$OrganizationalUnits, or + // you can enable management of all OUs by OrganizationalUnitScope$AllOrganizationalUnitsEnabled. + // You cannot specify both. + ExcludeSpecifiedOrganizationalUnits *bool `type:"boolean"` + + // The list of OUs within the organization that the specified Firewall Manager + // administrator either can or cannot apply policies to, based on the value + // of OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits. 
If OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits + // is set to true, then the Firewall Manager administrator can apply policies + // to all OUs in the organization except for the OUs in this list. If OrganizationalUnitScope$ExcludeSpecifiedOrganizationalUnits + // is set to false, then the Firewall Manager administrator can only apply policies + // to the OUs in this list. + OrganizationalUnits []*string `type:"list"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s OrganizationalUnitScope) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s OrganizationalUnitScope) GoString() string { + return s.String() +} + +// SetAllOrganizationalUnitsEnabled sets the AllOrganizationalUnitsEnabled field's value. +func (s *OrganizationalUnitScope) SetAllOrganizationalUnitsEnabled(v bool) *OrganizationalUnitScope { + s.AllOrganizationalUnitsEnabled = &v + return s +} + +// SetExcludeSpecifiedOrganizationalUnits sets the ExcludeSpecifiedOrganizationalUnits field's value. +func (s *OrganizationalUnitScope) SetExcludeSpecifiedOrganizationalUnits(v bool) *OrganizationalUnitScope { + s.ExcludeSpecifiedOrganizationalUnits = &v + return s +} + +// SetOrganizationalUnits sets the OrganizationalUnits field's value. +func (s *OrganizationalUnitScope) SetOrganizationalUnits(v []*string) *OrganizationalUnitScope { + s.OrganizationalUnits = v + return s +} + // The reference rule that partially matches the ViolationTarget rule and violation // reason. type PartialMatch struct { 
@@ -10104,6 +11204,16 @@ type Policy struct { // PolicyName is a required field PolicyName *string `min:"1" type:"string" required:"true"` + // Indicates whether the policy is in or out of an admin's policy or Region + // scope. + // + // * ACTIVE - The administrator can manage and delete the policy. + // + // * OUT_OF_ADMIN_SCOPE - The administrator can view the policy, but they + // can't edit or delete the policy. Existing policy protections stay in place. + // Any new resources that come into scope of the policy won't be protected. + PolicyStatus *string `type:"string" enum:"CustomerPolicyStatus"` + // A unique identifier for each update to the policy. When issuing a PutPolicy // request, the PolicyUpdateToken in the request must match the PolicyUpdateToken // of the current policy version. To get the PolicyUpdateToken of the current @@ -10259,6 +11369,12 @@ func (s *Policy) SetPolicyName(v string) *Policy { return s } +// SetPolicyStatus sets the PolicyStatus field's value. +func (s *Policy) SetPolicyStatus(v string) *Policy { + s.PolicyStatus = &v + return s +} + // SetPolicyUpdateToken sets the PolicyUpdateToken field's value. func (s *Policy) SetPolicyUpdateToken(v string) *Policy { s.PolicyUpdateToken = &v @@ -10551,6 +11667,16 @@ type PolicySummary struct { // The name of the specified policy. PolicyName *string `min:"1" type:"string"` + // Indicates whether the policy is in or out of an admin's policy or Region + // scope. + // + // * ACTIVE - The administrator can manage and delete the policy. + // + // * OUT_OF_ADMIN_SCOPE - The administrator can view the policy, but they + // can't edit or delete the policy. Existing policy protections stay in place. + // Any new resources that come into scope of the policy won't be protected. + PolicyStatus *string `type:"string" enum:"CustomerPolicyStatus"` + // Indicates if the policy should be automatically applied to new resources. RemediationEnabled *bool `type:"boolean"` 
@@ -10613,6 +11739,12 @@ func (s *PolicySummary) SetPolicyName(v string) *PolicySummary { return s } +// SetPolicyStatus sets the PolicyStatus field's value. +func (s *PolicySummary) SetPolicyStatus(v string) *PolicySummary { + s.PolicyStatus = &v + return s +} + // SetRemediationEnabled sets the RemediationEnabled field's value. func (s *PolicySummary) SetRemediationEnabled(v bool) *PolicySummary { s.RemediationEnabled = &v 
@@ -10631,6 +11763,51 @@ func (s *PolicySummary) SetSecurityServiceType(v string) *PolicySummary { return s } +// Defines the policy types that the specified Firewall Manager administrator +// can manage. +type PolicyTypeScope struct { + _ struct{} `type:"structure"` + + // Allows the specified Firewall Manager administrator to manage all Firewall + // Manager policy types, except for third-party policy types. Third-party policy + // types can only be managed by the Firewall Manager default administrator. + AllPolicyTypesEnabled *bool `type:"boolean"` + + // The list of policy types that the specified Firewall Manager administrator + // can manage. + PolicyTypes []*string `type:"list" enum:"SecurityServiceType"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s PolicyTypeScope) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s PolicyTypeScope) GoString() string { + return s.String() +} + +// SetAllPolicyTypesEnabled sets the AllPolicyTypesEnabled field's value. +func (s *PolicyTypeScope) SetAllPolicyTypesEnabled(v bool) *PolicyTypeScope { + s.AllPolicyTypesEnabled = &v + return s +} + +// SetPolicyTypes sets the PolicyTypes field's value. +func (s *PolicyTypeScope) SetPolicyTypes(v []*string) *PolicyTypeScope { + s.PolicyTypes = v + return s +} + // A list of remediation actions. type PossibleRemediationAction struct { _ struct{} `type:"structure"` 
@@ -10901,6 +12078,93 @@ func (s *ProtocolsListDataSummary) SetProtocolsList(v []*string) *ProtocolsListD return s } +type PutAdminAccountInput struct { + _ struct{} `type:"structure"` + + // The Amazon Web Services account ID to add as an Firewall Manager administrator + // account. The account must be a member of the organization that was onboarded + // to Firewall Manager by AssociateAdminAccount. For more information about + // Organizations, see Managing the Amazon Web Services Accounts in Your Organization + // (https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts.html). + // + // AdminAccount is a required field + AdminAccount *string `min:"1" type:"string" required:"true"` + + // Configures the resources that the specified Firewall Manager administrator + // can manage. As a best practice, set the administrative scope according to + // the principles of least privilege. Only grant the administrator the specific + // resources or permissions that they need to perform the duties of their role. + AdminScope *AdminScope `type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s PutAdminAccountInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s PutAdminAccountInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. 
+func (s *PutAdminAccountInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "PutAdminAccountInput"} + if s.AdminAccount == nil { + invalidParams.Add(request.NewErrParamRequired("AdminAccount")) + } + if s.AdminAccount != nil && len(*s.AdminAccount) < 1 { + invalidParams.Add(request.NewErrParamMinLen("AdminAccount", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAdminAccount sets the AdminAccount field's value. +func (s *PutAdminAccountInput) SetAdminAccount(v string) *PutAdminAccountInput { + s.AdminAccount = &v + return s +} + +// SetAdminScope sets the AdminScope field's value. +func (s *PutAdminAccountInput) SetAdminScope(v *AdminScope) *PutAdminAccountInput { + s.AdminScope = v + return s +} + +type PutAdminAccountOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s PutAdminAccountOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s PutAdminAccountOutput) GoString() string { + return s.String() +} + type PutAppsListInput struct { _ struct{} `type:"structure"` 
@@ -11439,6 +12703,50 @@ func (s *PutResourceSetOutput) SetResourceSetArn(v string) *PutResourceSetOutput return s } +// Defines the Amazon Web Services Regions that the specified Firewall Manager +// administrator can manage. +type RegionScope struct { + _ struct{} `type:"structure"` + + // Allows the specified Firewall Manager administrator to manage all Amazon + // Web Services Regions. + AllRegionsEnabled *bool `type:"boolean"` + + // The Amazon Web Services Regions that the specified Firewall Manager administrator + // can perform actions in. + Regions []*string `type:"list"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s RegionScope) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s RegionScope) GoString() string { + return s.String() +} + +// SetAllRegionsEnabled sets the AllRegionsEnabled field's value. +func (s *RegionScope) SetAllRegionsEnabled(v bool) *RegionScope { + s.AllRegionsEnabled = &v + return s +} + +// SetRegions sets the Regions field's value. +func (s *RegionScope) SetRegions(v []*string) *RegionScope { + s.Regions = v + return s +} + // Information about an individual action you can take to remediate a violation. type RemediationAction struct { _ struct{} `type:"structure"` 
@@ -11714,6 +13022,16 @@ type ResourceSet struct { // Name is a required field Name *string `min:"1" type:"string" required:"true"` + // Indicates whether the resource set is in or out of an admin's Region scope. + // + // * ACTIVE - The administrator can manage and delete the resource set. + // + // * OUT_OF_ADMIN_SCOPE - The administrator can view the resource set, but + // they can't edit or delete the resource set. Existing protections stay + // in place. Any new resource that come into scope of the resource set won't + // be protected. + ResourceSetStatus *string `type:"string" enum:"ResourceSetStatus"` + // Determines the resources that can be associated to the resource set. Depending // on your setting for max results and the number of resource sets, a single // call might not return the full list. @@ -11808,6 +13126,12 @@ func (s *ResourceSet) SetName(v string) *ResourceSet { return s } +// SetResourceSetStatus sets the ResourceSetStatus field's value. +func (s *ResourceSet) SetResourceSetStatus(v string) *ResourceSet { + s.ResourceSetStatus = &v + return s +} + // SetResourceTypeList sets the ResourceTypeList field's value. func (s *ResourceSet) SetResourceTypeList(v []*string) *ResourceSet { s.ResourceTypeList = v @@ -11838,6 +13162,16 @@ type ResourceSetSummary struct { // The descriptive name of the resource set. You can't change the name of a // resource set after you create it. Name *string `min:"1" type:"string"` + + // Indicates whether the resource set is in or out of an admin's Region scope. + // + // * ACTIVE - The administrator can manage and delete the resource set. + // + // * OUT_OF_ADMIN_SCOPE - The administrator can view the resource set, but + // they can't edit or delete the resource set. Existing protections stay + // in place. Any new resource that come into scope of the resource set won't + // be protected. + ResourceSetStatus *string `type:"string" enum:"ResourceSetStatus"` } // String returns the string representation. 
@@ -11882,6 +13216,12 @@ func (s *ResourceSetSummary) SetName(v string) *ResourceSetSummary { return s } +// SetResourceSetStatus sets the ResourceSetStatus field's value. +func (s *ResourceSetSummary) SetResourceSetStatus(v string) *ResourceSetSummary { + s.ResourceSetStatus = &v + return s +} + // The resource tags that Firewall Manager uses to determine if a particular // resource should be included or excluded from the Firewall Manager policy. // Tags enable you to categorize your Amazon Web Services resources in different 
@@ -12536,6 +13876,11 @@ type SecurityServicePolicyData struct { // Valid values for preProcessRuleGroups are between 1 and 99. Valid values // for postProcessRuleGroups are between 9901 and 10000. // + // * Example: IMPORT_NETWORK_FIREWALL "{\"type\":\"IMPORT_NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-west-2:000000000000:stateless-rulegroup\/rg1\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:drop\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:pass\"],\"networkFirewallStatelessCustomActions\":[],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-west-2:aws-managed:stateful-rulegroup\/ThreatSignaturesEmergingEventsStrictOrder\",\"priority\":8}],\"networkFirewallStatefulEngineOptions\":{\"ruleOrder\":\"STRICT_ORDER\"},\"networkFirewallStatefulDefaultActions\":[\"aws:drop_strict\"]}}" + // "{\"type\":\"DNS_FIREWALL\",\"preProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-1\",\"priority\":10}],\"postProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-2\",\"priority\":9911}]}" + // Valid values for preProcessRuleGroups are between 1 and 99. Valid values + // for postProcessRuleGroups are between 9901 and 10000. 
+ // // * Example: NETWORK_FIREWALL - Centralized deployment model "{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}" // To use the centralized deployment model, you must set PolicyOption (https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html) // to CENTRALIZED. 
@@ -12617,10 +13962,29 @@ type SecurityServicePolicyData struct { // is false. For other resource types that you can protect with a Shield // Advanced policy, this ManagedServiceData configuration is an empty string. // - // * Example: WAFV2 "{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}" - // In the loggingConfiguration, you can specify one logDestinationConfigs, - // you can optionally provide up to 20 redactedFields, and the RedactedFieldType - // must be one of URI, QUERY_STRING, HEADER, or METHOD. 
+ // * Example: WAFV2 - Account takeover prevention and Bot Control managed + // rule groups, and rule action override "{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":null,\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesATPRuleSet\",\"managedRuleGroupConfigs\":[{\"awsmanagedRulesATPRuleSet\":{\"loginPath\":\"/loginpath\",\"requestInspection\":{\"payloadType\":\"FORM_ENCODED|JSON\",\"usernameField\":{\"identifier\":\"/form/username\"},\"passwordField\":{\"identifier\":\"/form/password\"}}}}]},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[],\"sampledRequestsEnabled\":true},{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":null,\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesBotControlRuleSet\",\"managedRuleGroupConfigs\":[{\"awsmanagedRulesBotControlRuleSet\":{\"inspectionLevel\":\"TARGETED|COMMON\"}}]},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[],\"sampledRequestsEnabled\":true,\"ruleActionOverrides\":[{\"name\":\"Rule1\",\"actionToUse\":{\"allow|block|count|captcha|challenge\":{}}},{\"name\":\"Rule2\",\"actionToUse\":{\"allow|block|count|captcha|challenge\":{}}}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"customRequestHandling\":null,\"customResponse\":null,\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":null,\"sampledRequestsEnabledForDefaultActions\":true}" + // Fraud Control account takeover prevention (ATP) - For information about + // the properties available for AWSManagedRulesATPRuleSet managed rule groups, + // see AWSManagedRulesATPRuleSet (https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesATPRuleSet.html) + // in the WAF API Reference. 
Bot Control - For information about AWSManagedRulesBotControlRuleSet + // managed rule groups, see AWSManagedRulesBotControlRuleSet (https://docs.aws.amazon.com/waf/latest/APIReference/API_AWSManagedRulesBotControlRuleSet.html) + // in the WAF API Reference. Rule action overrides - Firewall Manager supports + // rule action overrides only for managed rule groups. To configure a RuleActionOverrides + // add the Name of the rule to override, and ActionToUse, which is the new + // action to use for the rule. For information about using rule action override, + // see RuleActionOverride (https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleActionOverride.html) + // in the WAF API Reference. + // + // * Example: WAFV2 - CAPTCHA and Challenge configs "{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":null,\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAdminProtectionRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[],\"sampledRequestsEnabled\":true}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"customRequestHandling\":null,\"customResponse\":null,\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":null,\"sampledRequestsEnabledForDefaultActions\":true,\"captchaConfig\":{\"immunityTimeProperty\":{\"immunityTime\":500}},\"challengeConfig\":{\"immunityTimeProperty\":{\"immunityTime\":800}},\"tokenDomains\":[\"google.com\",\"amazon.com\"]}" + // If you update the policy's values for captchaConfig, challengeConfig, + // or tokenDomains, Firewall Manager will overwrite your local web ACLs to + // contain the new value(s). However, if you don't update the policy's captchaConfig, + // challengeConfig, or tokenDomains values, the values in your local web + // ACLs will remain unchanged. 
For information about CAPTCHA and Challenge + // configs, see CaptchaConfig (https://docs.aws.amazon.com/waf/latest/APIReference/API_CaptchaConfig.html) + // and ChallengeConfig (https://docs.aws.amazon.com/waf/latest/APIReference/API_ChallengeConfig.html) + // in the WAF API Reference. // // * Example: WAFV2 - Firewall Manager support for WAF managed rule group // versioning "{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}" 
@@ -12630,6 +13994,22 @@ type SecurityServicePolicyData struct { // or if you omit versionEnabled, then Firewall Manager uses the default // version of the WAF managed rule group. // + // * Example: WAFV2 - Logging configurations "{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null, + // \"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\": + // {\"versionEnabled\":null,\"version\":null,\"vendorName\":\"AWS\", \"managedRuleGroupName\":\"AWSManagedRulesAdminProtectionRuleSet\"} + // ,\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[], \"sampledRequestsEnabled\":true}],\"postProcessRuleGroups\":[], + // \"defaultAction\":{\"type\":\"ALLOW\"},\"customRequestHandling\" :null,\"customResponse\":null,\"overrideCustomerWebACLAssociation\" + // :false,\"loggingConfiguration\":{\"logDestinationConfigs\": [\"arn:aws:s3:::aws-waf-logs-example-bucket\"] + // ,\"redactedFields\":[],\"loggingFilterConfigs\":{\"defaultBehavior\":\"KEEP\", + // \"filters\":[{\"behavior\":\"KEEP\",\"requirement\":\"MEETS_ALL\", \"conditions\":[{\"actionCondition\":\"CAPTCHA\"},{\"actionCondition\": + // \"CHALLENGE\"}, {\"actionCondition\":\"EXCLUDED_AS_COUNT\"}]}]}},\"sampledRequestsEnabledForDefaultActions\":true}" + // Firewall Manager supports Amazon Kinesis Data Firehose and Amazon S3 as + // the logDestinationConfigs in your loggingConfiguration. For information + // about WAF logging configurations, see LoggingConfiguration (https://docs.aws.amazon.com/waf/latest/APIReference/API_LoggingConfiguration.html) + // in the WAF API Reference In the loggingConfiguration, you can specify + // one logDestinationConfigs. Optionally provide as many as 20 redactedFields. + // The RedactedFieldType must be one of URI, QUERY_STRING, HEADER, or METHOD. + // // * Example: WAF Classic "{\"type\": \"WAF\", \"ruleGroups\": [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", // \"overrideAction\" : {\"type\": \"COUNT\"}}], \"defaultAction\": {\"type\": // \"BLOCK\"}}" 
@@ -13524,6 +14904,22 @@ func CustomerPolicyScopeIdType_Values() []string { } } +const ( + // CustomerPolicyStatusActive is a CustomerPolicyStatus enum value + CustomerPolicyStatusActive = "ACTIVE" + + // CustomerPolicyStatusOutOfAdminScope is a CustomerPolicyStatus enum value + CustomerPolicyStatusOutOfAdminScope = "OUT_OF_ADMIN_SCOPE" +) + +// CustomerPolicyStatus_Values returns all elements of the CustomerPolicyStatus enum +func CustomerPolicyStatus_Values() []string { + return []string{ + CustomerPolicyStatusActive, + CustomerPolicyStatusOutOfAdminScope, + } +} + const ( // DependentServiceNameAwsconfig is a DependentServiceName enum value DependentServiceNameAwsconfig = "AWSCONFIG" @@ -13648,6 +15044,30 @@ func NetworkFirewallOverrideAction_Values() []string { } } +const ( + // OrganizationStatusOnboarding is a OrganizationStatus enum value + OrganizationStatusOnboarding = "ONBOARDING" + + // OrganizationStatusOnboardingComplete is a OrganizationStatus enum value + OrganizationStatusOnboardingComplete = "ONBOARDING_COMPLETE" + + // OrganizationStatusOffboarding is a OrganizationStatus enum value + OrganizationStatusOffboarding = "OFFBOARDING" + + // OrganizationStatusOffboardingComplete is a OrganizationStatus enum value + OrganizationStatusOffboardingComplete = "OFFBOARDING_COMPLETE" +) + +// OrganizationStatus_Values returns all elements of the OrganizationStatus enum +func OrganizationStatus_Values() []string { + return []string{ + OrganizationStatusOnboarding, + OrganizationStatusOnboardingComplete, + OrganizationStatusOffboarding, + OrganizationStatusOffboardingComplete, + } +} + const ( // PolicyComplianceStatusTypeCompliant is a PolicyComplianceStatusType enum value PolicyComplianceStatusTypeCompliant = "COMPLIANT" 
@@ -13680,6 +15100,22 @@ func RemediationActionType_Values() []string { } } +const ( + // ResourceSetStatusActive is a ResourceSetStatus enum value + ResourceSetStatusActive = "ACTIVE" + + // ResourceSetStatusOutOfAdminScope is a ResourceSetStatus enum value + ResourceSetStatusOutOfAdminScope = "OUT_OF_ADMIN_SCOPE" +) + +// ResourceSetStatus_Values returns all elements of the ResourceSetStatus enum +func ResourceSetStatus_Values() []string { + return []string{ + ResourceSetStatusActive, + ResourceSetStatusOutOfAdminScope, + } +} + const ( // RuleOrderStrictOrder is a RuleOrder enum value RuleOrderStrictOrder = "STRICT_ORDER" diff --git a/service/fms/doc.go b/service/fms/doc.go index 2e223d339cb..44df8168805 100644 --- a/service/fms/doc.go +++ b/service/fms/doc.go @@ -9,8 +9,7 @@ // see the Firewall Manager Developer Guide (https://docs.aws.amazon.com/waf/latest/developerguide/fms-chapter.html). // // Some API actions require explicit resource permissions. For information, -// see the developer guide topic Firewall Manager required permissions for API -// actions (https://docs.aws.amazon.com/waf/latest/developerguide/fms-api-permissions-ref.html). +// see the developer guide topic Service roles for Firewall Manager (https://docs.aws.amazon.com/waf/latest/developerguide/fms-security_iam_service-with-iam.html#fms-security_iam_service-with-iam-roles-service). // // See https://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01 for more information on this service. // diff --git a/service/fms/fmsiface/interface.go b/service/fms/fmsiface/interface.go index 8a70c6a81b5..59b11d958ae 100644 --- a/service/fms/fmsiface/interface.go +++ b/service/fms/fmsiface/interface.go 
@@ -108,6 +108,10 @@ type FMSAPI interface { GetAdminAccountWithContext(aws.Context, *fms.GetAdminAccountInput, ...request.Option) (*fms.GetAdminAccountOutput, error) GetAdminAccountRequest(*fms.GetAdminAccountInput) (*request.Request, *fms.GetAdminAccountOutput) + GetAdminScope(*fms.GetAdminScopeInput) (*fms.GetAdminScopeOutput, error) + GetAdminScopeWithContext(aws.Context, *fms.GetAdminScopeInput, ...request.Option) (*fms.GetAdminScopeOutput, error) + GetAdminScopeRequest(*fms.GetAdminScopeInput) (*request.Request, *fms.GetAdminScopeOutput) + GetAppsList(*fms.GetAppsListInput) (*fms.GetAppsListOutput, error) GetAppsListWithContext(aws.Context, *fms.GetAppsListInput, ...request.Option) (*fms.GetAppsListOutput, error) GetAppsListRequest(*fms.GetAppsListInput) (*request.Request, *fms.GetAppsListOutput) 
@@ -144,6 +148,20 @@ type FMSAPI interface { GetViolationDetailsWithContext(aws.Context, *fms.GetViolationDetailsInput, ...request.Option) (*fms.GetViolationDetailsOutput, error) GetViolationDetailsRequest(*fms.GetViolationDetailsInput) (*request.Request, *fms.GetViolationDetailsOutput) + ListAdminAccountsForOrganization(*fms.ListAdminAccountsForOrganizationInput) (*fms.ListAdminAccountsForOrganizationOutput, error) + ListAdminAccountsForOrganizationWithContext(aws.Context, *fms.ListAdminAccountsForOrganizationInput, ...request.Option) (*fms.ListAdminAccountsForOrganizationOutput, error) + ListAdminAccountsForOrganizationRequest(*fms.ListAdminAccountsForOrganizationInput) (*request.Request, *fms.ListAdminAccountsForOrganizationOutput) + + ListAdminAccountsForOrganizationPages(*fms.ListAdminAccountsForOrganizationInput, func(*fms.ListAdminAccountsForOrganizationOutput, bool) bool) error + ListAdminAccountsForOrganizationPagesWithContext(aws.Context, *fms.ListAdminAccountsForOrganizationInput, func(*fms.ListAdminAccountsForOrganizationOutput, bool) bool, ...request.Option) error + + ListAdminsManagingAccount(*fms.ListAdminsManagingAccountInput) (*fms.ListAdminsManagingAccountOutput, error) + ListAdminsManagingAccountWithContext(aws.Context, *fms.ListAdminsManagingAccountInput, ...request.Option) (*fms.ListAdminsManagingAccountOutput, error) + ListAdminsManagingAccountRequest(*fms.ListAdminsManagingAccountInput) (*request.Request, *fms.ListAdminsManagingAccountOutput) + + ListAdminsManagingAccountPages(*fms.ListAdminsManagingAccountInput, func(*fms.ListAdminsManagingAccountOutput, bool) bool) error + ListAdminsManagingAccountPagesWithContext(aws.Context, *fms.ListAdminsManagingAccountInput, func(*fms.ListAdminsManagingAccountOutput, bool) bool, ...request.Option) error + ListAppsLists(*fms.ListAppsListsInput) (*fms.ListAppsListsOutput, error) ListAppsListsWithContext(aws.Context, *fms.ListAppsListsInput, ...request.Option) (*fms.ListAppsListsOutput, error) 
ListAppsListsRequest(*fms.ListAppsListsInput) (*request.Request, *fms.ListAppsListsOutput) @@ -202,6 +220,10 @@ type FMSAPI interface { ListThirdPartyFirewallFirewallPoliciesPages(*fms.ListThirdPartyFirewallFirewallPoliciesInput, func(*fms.ListThirdPartyFirewallFirewallPoliciesOutput, bool) bool) error ListThirdPartyFirewallFirewallPoliciesPagesWithContext(aws.Context, *fms.ListThirdPartyFirewallFirewallPoliciesInput, func(*fms.ListThirdPartyFirewallFirewallPoliciesOutput, bool) bool, ...request.Option) error + PutAdminAccount(*fms.PutAdminAccountInput) (*fms.PutAdminAccountOutput, error) + PutAdminAccountWithContext(aws.Context, *fms.PutAdminAccountInput, ...request.Option) (*fms.PutAdminAccountOutput, error) + PutAdminAccountRequest(*fms.PutAdminAccountInput) (*request.Request, *fms.PutAdminAccountOutput) + PutAppsList(*fms.PutAppsListInput) (*fms.PutAppsListOutput, error) PutAppsListWithContext(aws.Context, *fms.PutAppsListInput, ...request.Option) (*fms.PutAppsListOutput, error) PutAppsListRequest(*fms.PutAppsListInput) (*request.Request, *fms.PutAppsListOutput)