{-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE DuplicateRecordFields #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE StrictData #-} {-# LANGUAGE TypeFamilies #-} {-# LANGUAGE NoImplicitPrelude #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-} {-# OPTIONS_GHC -fno-warn-unused-matches #-} -- Derived from AWS service descriptions, licensed under Apache 2.0. -- | -- Module : Amazonka.SecretsManager.ValidateResourcePolicy -- Copyright : (c) 2013-2023 Brendan Hay -- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay -- Stability : auto-generated -- Portability : non-portable (GHC extensions) -- -- Validates that a resource policy does not grant a wide range of -- principals access to your secret. A resource-based policy is optional -- for secrets. -- -- The API performs three checks when validating the policy: -- -- - Sends a call to -- , -- an automated reasoning engine, to ensure your resource policy does -- not allow broad access to your secret, for example policies that use -- a wildcard for the principal. -- -- - Checks for correct syntax in a policy. -- -- - Verifies the policy does not lock out a caller. -- -- Secrets Manager generates a CloudTrail log entry when you call this -- action. Do not include sensitive information in request parameters -- because it might be logged. For more information, see -- . -- -- __Required permissions:__ @secretsmanager:ValidateResourcePolicy@. For -- more information, see -- -- and -- . module Amazonka.SecretsManager.ValidateResourcePolicy ( -- * Creating a Request ValidateResourcePolicy (..), newValidateResourcePolicy, -- * Request Lenses validateResourcePolicy_secretId, validateResourcePolicy_resourcePolicy, -- * Destructuring the Response ValidateResourcePolicyResponse (..), newValidateResourcePolicyResponse, -- * Response Lenses validateResourcePolicyResponse_policyValidationPassed, validateResourcePolicyResponse_validationErrors, validateResourcePolicyResponse_httpStatus, ) where import qualified Amazonka.Core as Core import qualified Amazonka.Core.Lens.Internal as Lens import qualified Amazonka.Data as Data import qualified Amazonka.Prelude as Prelude import qualified Amazonka.Request as Request import qualified Amazonka.Response as Response import Amazonka.SecretsManager.Types -- | /See:/ 'newValidateResourcePolicy' smart constructor. data ValidateResourcePolicy = ValidateResourcePolicy' { -- | This field is reserved for internal use. secretId :: Prelude.Maybe Prelude.Text, -- | A JSON-formatted string that contains an Amazon Web Services -- resource-based policy. The policy in the string identifies who can -- access or manage this secret and its versions. For example policies, see -- . resourcePolicy :: Prelude.Text } deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic) -- | -- Create a value of 'ValidateResourcePolicy' with all optional fields omitted. -- -- Use or to modify other optional fields. -- -- The following record fields are available, with the corresponding lenses provided -- for backwards compatibility: -- -- 'secretId', 'validateResourcePolicy_secretId' - This field is reserved for internal use. -- -- 'resourcePolicy', 'validateResourcePolicy_resourcePolicy' - A JSON-formatted string that contains an Amazon Web Services -- resource-based policy. The policy in the string identifies who can -- access or manage this secret and its versions. For example policies, see -- . newValidateResourcePolicy :: -- | 'resourcePolicy' Prelude.Text -> ValidateResourcePolicy newValidateResourcePolicy pResourcePolicy_ = ValidateResourcePolicy' { secretId = Prelude.Nothing, resourcePolicy = pResourcePolicy_ } -- | This field is reserved for internal use. validateResourcePolicy_secretId :: Lens.Lens' ValidateResourcePolicy (Prelude.Maybe Prelude.Text) validateResourcePolicy_secretId = Lens.lens (\ValidateResourcePolicy' {secretId} -> secretId) (\s@ValidateResourcePolicy' {} a -> s {secretId = a} :: ValidateResourcePolicy) -- | A JSON-formatted string that contains an Amazon Web Services -- resource-based policy. The policy in the string identifies who can -- access or manage this secret and its versions. For example policies, see -- . validateResourcePolicy_resourcePolicy :: Lens.Lens' ValidateResourcePolicy Prelude.Text validateResourcePolicy_resourcePolicy = Lens.lens (\ValidateResourcePolicy' {resourcePolicy} -> resourcePolicy) (\s@ValidateResourcePolicy' {} a -> s {resourcePolicy = a} :: ValidateResourcePolicy) instance Core.AWSRequest ValidateResourcePolicy where type AWSResponse ValidateResourcePolicy = ValidateResourcePolicyResponse request overrides = Request.postJSON (overrides defaultService) response = Response.receiveJSON ( \s h x -> ValidateResourcePolicyResponse' Prelude.<$> (x Data..?> "PolicyValidationPassed") Prelude.<*> ( x Data..?> "ValidationErrors" Core..!@ Prelude.mempty ) Prelude.<*> (Prelude.pure (Prelude.fromEnum s)) ) instance Prelude.Hashable ValidateResourcePolicy where hashWithSalt _salt ValidateResourcePolicy' {..} = _salt `Prelude.hashWithSalt` secretId `Prelude.hashWithSalt` resourcePolicy instance Prelude.NFData ValidateResourcePolicy where rnf ValidateResourcePolicy' {..} = Prelude.rnf secretId `Prelude.seq` Prelude.rnf resourcePolicy instance Data.ToHeaders ValidateResourcePolicy where toHeaders = Prelude.const ( Prelude.mconcat [ "X-Amz-Target" Data.=# ( "secretsmanager.ValidateResourcePolicy" :: Prelude.ByteString ), "Content-Type" Data.=# ( "application/x-amz-json-1.1" :: Prelude.ByteString ) ] ) instance Data.ToJSON ValidateResourcePolicy where toJSON ValidateResourcePolicy' {..} = Data.object ( Prelude.catMaybes [ ("SecretId" Data..=) Prelude.<$> secretId, Prelude.Just ("ResourcePolicy" Data..= resourcePolicy) ] ) instance Data.ToPath ValidateResourcePolicy where toPath = Prelude.const "/" instance Data.ToQuery ValidateResourcePolicy where toQuery = Prelude.const Prelude.mempty -- | /See:/ 'newValidateResourcePolicyResponse' smart constructor. data ValidateResourcePolicyResponse = ValidateResourcePolicyResponse' { -- | True if your policy passes validation, otherwise false. policyValidationPassed :: Prelude.Maybe Prelude.Bool, -- | Validation errors if your policy didn\'t pass validation. validationErrors :: Prelude.Maybe [ValidationErrorsEntry], -- | The response's http status code. httpStatus :: Prelude.Int } deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic) -- | -- Create a value of 'ValidateResourcePolicyResponse' with all optional fields omitted. -- -- Use or to modify other optional fields. -- -- The following record fields are available, with the corresponding lenses provided -- for backwards compatibility: -- -- 'policyValidationPassed', 'validateResourcePolicyResponse_policyValidationPassed' - True if your policy passes validation, otherwise false. -- -- 'validationErrors', 'validateResourcePolicyResponse_validationErrors' - Validation errors if your policy didn\'t pass validation. -- -- 'httpStatus', 'validateResourcePolicyResponse_httpStatus' - The response's http status code. newValidateResourcePolicyResponse :: -- | 'httpStatus' Prelude.Int -> ValidateResourcePolicyResponse newValidateResourcePolicyResponse pHttpStatus_ = ValidateResourcePolicyResponse' { policyValidationPassed = Prelude.Nothing, validationErrors = Prelude.Nothing, httpStatus = pHttpStatus_ } -- | True if your policy passes validation, otherwise false. validateResourcePolicyResponse_policyValidationPassed :: Lens.Lens' ValidateResourcePolicyResponse (Prelude.Maybe Prelude.Bool) validateResourcePolicyResponse_policyValidationPassed = Lens.lens (\ValidateResourcePolicyResponse' {policyValidationPassed} -> policyValidationPassed) (\s@ValidateResourcePolicyResponse' {} a -> s {policyValidationPassed = a} :: ValidateResourcePolicyResponse) -- | Validation errors if your policy didn\'t pass validation. validateResourcePolicyResponse_validationErrors :: Lens.Lens' ValidateResourcePolicyResponse (Prelude.Maybe [ValidationErrorsEntry]) validateResourcePolicyResponse_validationErrors = Lens.lens (\ValidateResourcePolicyResponse' {validationErrors} -> validationErrors) (\s@ValidateResourcePolicyResponse' {} a -> s {validationErrors = a} :: ValidateResourcePolicyResponse) Prelude.. Lens.mapping Lens.coerced -- | The response's http status code. validateResourcePolicyResponse_httpStatus :: Lens.Lens' ValidateResourcePolicyResponse Prelude.Int validateResourcePolicyResponse_httpStatus = Lens.lens (\ValidateResourcePolicyResponse' {httpStatus} -> httpStatus) (\s@ValidateResourcePolicyResponse' {} a -> s {httpStatus = a} :: ValidateResourcePolicyResponse) instance Prelude.NFData ValidateResourcePolicyResponse where rnf ValidateResourcePolicyResponse' {..} = Prelude.rnf policyValidationPassed `Prelude.seq` Prelude.rnf validationErrors `Prelude.seq` Prelude.rnf httpStatus