From e3ee52ef18b637437e689786b7f705e1ec418867 Mon Sep 17 00:00:00 2001 
From: awssdkgo Date: Thu, 7 Mar 2024 19:43:57 +0000 Subject: [PATCH] Release v1.50.34 (2024-03-07) === ### Service Client Updates * `service/appconfig`: Updates service API and documentation * `service/ec2`: Updates service API and documentation * This release adds an optional parameter to RegisterImage and CopyImage APIs to support tagging AMIs at the time of creation. * `service/grafana`: Updates service API and documentation * `service/lambda`: Updates service documentation * Documentation updates for AWS Lambda * `service/payment-cryptography-data`: Updates service API and documentation * `service/rds`: Updates service API, documentation, waiters, paginators, and examples * Updates Amazon RDS documentation for io2 storage for Multi-AZ DB clusters * `service/snowball`: Updates service documentation * Doc-only update for change to EKS-Anywhere ordering. * `service/wafv2`: Updates service API and documentation * `service/workspaces`: Updates service documentation * Added note for user decoupling --- CHANGELOG.md | 19 + aws/version.go | 2 +- models/apis/appconfig/2019-10-09/api-2.json | 21 +- models/apis/appconfig/2019-10-09/docs-2.json | 34 +- models/apis/ec2/2016-11-15/api-2.json | 12 +- models/apis/ec2/2016-11-15/docs-2.json | 12 +- models/apis/grafana/2020-08-18/api-2.json | 13 + models/apis/grafana/2020-08-18/docs-2.json | 27 +- .../2020-08-18/endpoint-rule-set-1.json | 40 +- models/apis/lambda/2015-03-31/docs-2.json | 92 ++-- .../2022-02-03/api-2.json | 43 +- .../2022-02-03/docs-2.json | 84 ++-- .../2022-02-03/endpoint-rule-set-1.json | 64 +-- models/apis/rds/2014-10-31/docs-2.json | 10 +- models/apis/snowball/2016-06-30/docs-2.json | 2 +- models/apis/wafv2/2019-07-29/api-2.json | 25 +- models/apis/wafv2/2019-07-29/docs-2.json | 45 +- models/apis/workspaces/2015-04-08/docs-2.json | 6 +- service/appconfig/api.go | 46 +- service/appconfig/doc.go | 165 +++++-- service/ec2/api.go | 55 ++- service/lambda/api.go | 92 ++-- service/managedgrafana/api.go | 93 +++- 
service/paymentcryptographydata/api.go | 417 +++++++++++++----- service/rds/api.go | 14 +- service/snowball/api.go | 2 +- service/wafv2/api.go | 265 +++++++---- service/workspaces/api.go | 45 +- 28 files changed, 1219 insertions(+), 526 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 50ec91a4a3..b8f4108d61 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,22 @@
+Release v1.50.34 (2024-03-07)
+===
+
+### Service Client Updates
+* `service/appconfig`: Updates service API and documentation
+* `service/ec2`: Updates service API and documentation
+ * This release adds an optional parameter to RegisterImage and CopyImage APIs to support tagging AMIs at the time of creation.
+* `service/grafana`: Updates service API and documentation
+* `service/lambda`: Updates service documentation
+ * Documentation updates for AWS Lambda
+* `service/payment-cryptography-data`: Updates service API and documentation
+* `service/rds`: Updates service API, documentation, waiters, paginators, and examples
+ * Updates Amazon RDS documentation for io2 storage for Multi-AZ DB clusters
+* `service/snowball`: Updates service documentation
+ * Doc-only update for change to EKS-Anywhere ordering.
+* `service/wafv2`: Updates service API and documentation
+* `service/workspaces`: Updates service documentation
+ * Added note for user decoupling
+
 Release v1.50.33 (2024-03-06)
 ===
 
diff --git a/aws/version.go b/aws/version.go
index 394a580ae1..f2ab1cd743 100644
--- a/aws/version.go
+++ b/aws/version.go
@@ -5,4 +5,4 @@ package aws
 const SDKName = "aws-sdk-go"
 
 // SDKVersion is the version of this SDK
-const SDKVersion = "1.50.33"
+const SDKVersion = "1.50.34"
diff --git a/models/apis/appconfig/2019-10-09/api-2.json b/models/apis/appconfig/2019-10-09/api-2.json
index 762c82e5df..90c8e369f1 100644
--- a/models/apis/appconfig/2019-10-09/api-2.json
+++ b/models/apis/appconfig/2019-10-09/api-2.json
@@ -1235,6 +1235,17 @@ "max":1024, "min":0 }, + "DynamicParameterKey":{ + "type":"string", + "pattern":"^([^#\\n]{1,96})#([^\\/#\\n]{1,64})$" + }, + "DynamicParameterMap":{ + "type":"map", + "key":{"shape":"DynamicParameterKey"}, + "value":{"shape":"StringWithLengthBetween1And2048"}, + "max":10, + "min":1 + }, "Environment":{ "type":"structure", "members":{ @@ -1886,21 +1897,22 @@ "type":"structure", "members":{ "Description":{"shape":"Description"}, - "Required":{"shape":"Boolean"} + "Required":{"shape":"Boolean"}, + "Dynamic":{"shape":"Boolean"} } }, "ParameterMap":{ "type":"map", "key":{"shape":"ExtensionOrParameterName"}, "value":{"shape":"Parameter"}, - "max":5, + "max":10, "min":1 }, "ParameterValueMap":{ "type":"map", "key":{"shape":"ExtensionOrParameterName"}, "value":{"shape":"StringWithLengthBetween1And2048"}, - "max":5, + "max":10, "min":0 }, "PayloadTooLargeException":{ @@ -1985,7 +1997,8 @@ "ConfigurationVersion":{"shape":"Version"}, "Description":{"shape":"Description"}, "Tags":{"shape":"TagMap"}, - "KmsKeyIdentifier":{"shape":"KmsKeyIdentifier"} + "KmsKeyIdentifier":{"shape":"KmsKeyIdentifier"}, + "DynamicExtensionParameters":{"shape":"DynamicParameterMap"} } }, "StopDeploymentRequest":{ diff --git a/models/apis/appconfig/2019-10-09/docs-2.json b/models/apis/appconfig/2019-10-09/docs-2.json index f05e860396..0ce90a66cf 100644 --- a/models/apis/appconfig/2019-10-09/docs-2.json +++ b/models/apis/appconfig/2019-10-09/docs-2.json @@ -1,13 +1,13 @@ { "version": "2.0", - "service": "

Use AppConfig, a capability of Amazon Web Services Systems Manager, to create, manage, and quickly deploy application configurations. AppConfig supports controlled deployments to applications of any size and includes built-in validation checks and monitoring. You can use AppConfig with applications hosted on Amazon EC2 instances, Lambda, containers, mobile applications, or IoT devices.

To prevent errors when deploying application configurations, especially for production systems where a simple typo could cause an unexpected outage, AppConfig includes validators. A validator provides a syntactic or semantic check to ensure that the configuration you want to deploy works as intended. To validate your application configuration data, you provide a schema or an Amazon Web Services Lambda function that runs against the configuration. The configuration deployment or update can only proceed when the configuration data is valid.

During a configuration deployment, AppConfig monitors the application to ensure that the deployment is successful. If the system encounters an error, AppConfig rolls back the change to minimize impact for your application users. You can configure a deployment strategy for each application or environment that includes deployment criteria, including velocity, bake time, and alarms to monitor. Similar to error monitoring, if a deployment triggers an alarm, AppConfig automatically rolls back to the previous version.

AppConfig supports multiple use cases. Here are some examples:

This reference is intended to be used with the AppConfig User Guide.

", + "service": "

AppConfig feature flags and dynamic configurations help software builders quickly and securely adjust application behavior in production environments without full code deployments. AppConfig speeds up software release frequency, improves application resiliency, and helps you address emergent issues more quickly. With feature flags, you can gradually release new capabilities to users and measure the impact of those changes before fully deploying the new capabilities to all users. With operational flags and dynamic configurations, you can update block lists, allow lists, throttling limits, logging verbosity, and perform other operational tuning to quickly respond to issues in production environments.

AppConfig is a capability of Amazon Web Services Systems Manager.

Despite the fact that application configuration content can vary greatly from application to application, AppConfig supports the following use cases, which cover a broad spectrum of customer needs:

How AppConfig works

This section provides a high-level description of how AppConfig works and how you get started.

1. Identify configuration values in code you want to manage in the cloud

Before you start creating AppConfig artifacts, we recommend you identify configuration data in your code that you want to dynamically manage using AppConfig. Good examples include feature flags or toggles, allow and block lists, logging verbosity, service limits, and throttling rules, to name a few.

If your configuration data already exists in the cloud, you can take advantage of AppConfig validation, deployment, and extension features to further streamline configuration data management.

2. Create an application namespace

To create a namespace, you create an AppConfig artifact called an application. An application is simply an organizational construct like a folder.

3. Create environments

For each AppConfig application, you define one or more environments. An environment is a logical grouping of targets, such as applications in a Beta or Production environment, Lambda functions, or containers. You can also define environments for application subcomponents, such as the Web, Mobile, and Back-end.

You can configure Amazon CloudWatch alarms for each environment. The system monitors alarms during a configuration deployment. If an alarm is triggered, the system rolls back the configuration.

4. Create a configuration profile

A configuration profile includes, among other things, a URI that enables AppConfig to locate your configuration data in its stored location and a profile type. AppConfig supports two configuration profile types: feature flags and freeform configurations. Feature flag configuration profiles store their data in the AppConfig hosted configuration store and the URI is simply hosted. For freeform configuration profiles, you can store your data in the AppConfig hosted configuration store or any Amazon Web Services service that integrates with AppConfig, as described in Creating a free form configuration profile in the the AppConfig User Guide.

A configuration profile can also include optional validators to ensure your configuration data is syntactically and semantically correct. AppConfig performs a check using the validators when you start a deployment. If any errors are detected, the deployment rolls back to the previous configuration data.

5. Deploy configuration data

When you create a new deployment, you specify the following:

  • An application ID

  • A configuration profile ID

  • A configuration version

  • An environment ID where you want to deploy the configuration data

  • A deployment strategy ID that defines how fast you want the changes to take effect

When you call the StartDeployment API action, AppConfig performs the following tasks:

  1. Retrieves the configuration data from the underlying data store by using the location URI in the configuration profile.

  2. Verifies the configuration data is syntactically and semantically correct by using the validators you specified when you created your configuration profile.

  3. Caches a copy of the data so it is ready to be retrieved by your application. This cached copy is called the deployed data.

6. Retrieve the configuration

You can configure AppConfig Agent as a local host and have the agent poll AppConfig for configuration updates. The agent calls the StartConfigurationSession and GetLatestConfiguration API actions and caches your configuration data locally. To retrieve the data, your application makes an HTTP call to the localhost server. AppConfig Agent supports several use cases, as described in Simplified retrieval methods in the the AppConfig User Guide.

If AppConfig Agent isn't supported for your use case, you can configure your application to poll AppConfig for configuration updates by directly calling the StartConfigurationSession and GetLatestConfiguration API actions.

This reference is intended to be used with the AppConfig User Guide.

", "operations": { "CreateApplication": "

Creates an application. In AppConfig, an application is simply an organizational construct like a folder. This organizational construct has a relationship with some unit of executable code. For example, you could create an application called MyMobileApp to organize and manage configuration data for a mobile application installed by your users.

", "CreateConfigurationProfile": "

Creates a configuration profile, which is information that enables AppConfig to access the configuration source. Valid configuration sources include the following:

A configuration profile includes the following information:

For more information, see Create a Configuration and a Configuration Profile in the AppConfig User Guide.

", "CreateDeploymentStrategy": "

Creates a deployment strategy that defines important criteria for rolling out your configuration to the designated targets. A deployment strategy includes the overall duration required, a percentage of targets to receive the deployment during each interval, an algorithm that defines how percentage grows, and bake time.

", "CreateEnvironment": "

Creates an environment. For each application, you define one or more environments. An environment is a deployment group of AppConfig targets, such as applications in a Beta or Production environment. You can also define environments for application subcomponents such as the Web, Mobile and Back-end components for your application. You can configure Amazon CloudWatch alarms for each environment. The system monitors alarms during a configuration deployment. If an alarm is triggered, the system rolls back the configuration.

", - "CreateExtension": "

Creates an AppConfig extension. An extension augments your ability to inject logic or behavior at different points during the AppConfig workflow of creating or deploying a configuration.

You can create your own extensions or use the Amazon Web Services authored extensions provided by AppConfig. For an AppConfig extension that uses Lambda, you must create a Lambda function to perform any computation and processing defined in the extension. If you plan to create custom versions of the Amazon Web Services authored notification extensions, you only need to specify an Amazon Resource Name (ARN) in the Uri field for the new extension version.

For more information about extensions, see Working with AppConfig extensions in the AppConfig User Guide.

", - "CreateExtensionAssociation": "

When you create an extension or configure an Amazon Web Services authored extension, you associate the extension with an AppConfig application, environment, or configuration profile. For example, you can choose to run the AppConfig deployment events to Amazon SNS Amazon Web Services authored extension and receive notifications on an Amazon SNS topic anytime a configuration deployment is started for a specific application. Defining which extension to associate with an AppConfig resource is called an extension association. An extension association is a specified relationship between an extension and an AppConfig resource, such as an application or a configuration profile. For more information about extensions and associations, see Working with AppConfig extensions in the AppConfig User Guide.

", + "CreateExtension": "

Creates an AppConfig extension. An extension augments your ability to inject logic or behavior at different points during the AppConfig workflow of creating or deploying a configuration.

You can create your own extensions or use the Amazon Web Services authored extensions provided by AppConfig. For an AppConfig extension that uses Lambda, you must create a Lambda function to perform any computation and processing defined in the extension. If you plan to create custom versions of the Amazon Web Services authored notification extensions, you only need to specify an Amazon Resource Name (ARN) in the Uri field for the new extension version.

For more information about extensions, see Extending workflows in the AppConfig User Guide.

", + "CreateExtensionAssociation": "

When you create an extension or configure an Amazon Web Services authored extension, you associate the extension with an AppConfig application, environment, or configuration profile. For example, you can choose to run the AppConfig deployment events to Amazon SNS Amazon Web Services authored extension and receive notifications on an Amazon SNS topic anytime a configuration deployment is started for a specific application. Defining which extension to associate with an AppConfig resource is called an extension association. An extension association is a specified relationship between an extension and an AppConfig resource, such as an application or a configuration profile. For more information about extensions and associations, see Extending workflows in the AppConfig User Guide.

", "CreateHostedConfigurationVersion": "

Creates a new configuration in the AppConfig hosted configuration store.

", "DeleteApplication": "

Deletes an application. Deleting an application does not delete a configuration from a host.

", "DeleteConfigurationProfile": "

Deletes a configuration profile. Deleting a configuration profile does not delete a configuration from a host.

", @@ -23,15 +23,15 @@ "GetDeploymentStrategy": "

Retrieves information about a deployment strategy. A deployment strategy defines important criteria for rolling out your configuration to the designated targets. A deployment strategy includes the overall duration required, a percentage of targets to receive the deployment during each interval, an algorithm that defines how percentage grows, and bake time.

", "GetEnvironment": "

Retrieves information about an environment. An environment is a deployment group of AppConfig applications, such as applications in a Production environment or in an EU_Region environment. Each configuration deployment targets an environment. You can enable one or more Amazon CloudWatch alarms for an environment. If an alarm is triggered during a deployment, AppConfig roles back the configuration.

", "GetExtension": "

Returns information about an AppConfig extension.

", - "GetExtensionAssociation": "

Returns information about an AppConfig extension association. For more information about extensions and associations, see Working with AppConfig extensions in the AppConfig User Guide.

", + "GetExtensionAssociation": "

Returns information about an AppConfig extension association. For more information about extensions and associations, see Extending workflows in the AppConfig User Guide.

", "GetHostedConfigurationVersion": "

Retrieves information about a specific configuration version.

", "ListApplications": "

Lists all applications in your Amazon Web Services account.

", "ListConfigurationProfiles": "

Lists the configuration profiles for an application.

", "ListDeploymentStrategies": "

Lists deployment strategies.

", "ListDeployments": "

Lists the deployments for an environment in descending deployment number order.

", "ListEnvironments": "

Lists the environments for an application.

", - "ListExtensionAssociations": "

Lists all AppConfig extension associations in the account. For more information about extensions and associations, see Working with AppConfig extensions in the AppConfig User Guide.

", - "ListExtensions": "

Lists all custom and Amazon Web Services authored AppConfig extensions in the account. For more information about extensions, see Working with AppConfig extensions in the AppConfig User Guide.

", + "ListExtensionAssociations": "

Lists all AppConfig extension associations in the account. For more information about extensions and associations, see Extending workflows in the AppConfig User Guide.

", + "ListExtensions": "

Lists all custom and Amazon Web Services authored AppConfig extensions in the account. For more information about extensions, see Extending workflows in the AppConfig User Guide.

", "ListHostedConfigurationVersions": "

Lists configurations stored in the AppConfig hosted configuration store by version.

", "ListTagsForResource": "

Retrieves the list of key-value tags assigned to the resource.

", "StartDeployment": "

Starts a deployment.

", @@ -42,8 +42,8 @@ "UpdateConfigurationProfile": "

Updates a configuration profile.

", "UpdateDeploymentStrategy": "

Updates a deployment strategy.

", "UpdateEnvironment": "

Updates an environment.

", - "UpdateExtension": "

Updates an AppConfig extension. For more information about extensions, see Working with AppConfig extensions in the AppConfig User Guide.

", - "UpdateExtensionAssociation": "

Updates an association. For more information about extensions and associations, see Working with AppConfig extensions in the AppConfig User Guide.

", + "UpdateExtension": "

Updates an AppConfig extension. For more information about extensions, see Extending workflows in the AppConfig User Guide.

", + "UpdateExtensionAssociation": "

Updates an association. For more information about extensions and associations, see Extending workflows in the AppConfig User Guide.

", "ValidateConfiguration": "

Uses the validators in a configuration profile to validate a configuration.

" }, "shapes": { @@ -164,7 +164,8 @@ "Boolean": { "base": null, "refs": { - "Parameter$Required": "

A parameter value must be specified in the extension association.

" + "Parameter$Required": "

A parameter value must be specified in the extension association.

", + "Parameter$Dynamic": "

Indicates whether this parameter's value can be supplied at the extension's action point instead of during extension association. Dynamic parameters can't be marked Required.

" } }, "BytesMeasure": { @@ -386,6 +387,18 @@ "UpdateExtensionRequest$Description": "

Information about the extension.

" } }, + "DynamicParameterKey": { + "base": null, + "refs": { + "DynamicParameterMap$key": null + } + }, + "DynamicParameterMap": { + "base": null, + "refs": { + "StartDeploymentRequest$DynamicExtensionParameters": "

A map of dynamic extension parameter names to values to pass to associated extensions with PRE_START_DEPLOYMENT actions.

" + } + }, "Environment": { "base": null, "refs": { @@ -836,7 +849,7 @@ } }, "Parameter": { - "base": "

A value such as an Amazon Resource Name (ARN) or an Amazon Simple Notification Service topic entered in an extension when invoked. Parameter values are specified in an extension association. For more information about extensions, see Working with AppConfig extensions in the AppConfig User Guide.

", + "base": "

A value such as an Amazon Resource Name (ARN) or an Amazon Simple Notification Service topic entered in an extension when invoked. Parameter values are specified in an extension association. For more information about extensions, see Extending workflows in the AppConfig User Guide.

", "refs": { "ParameterMap$value": null } @@ -950,6 +963,7 @@ "StringWithLengthBetween1And2048": { "base": null, "refs": { + "DynamicParameterMap$value": null, "Monitor$AlarmArn": "

Amazon Resource Name (ARN) of the Amazon CloudWatch alarm.

", "ParameterValueMap$value": null } diff --git a/models/apis/ec2/2016-11-15/api-2.json b/models/apis/ec2/2016-11-15/api-2.json index 19097e2afc..c716931ec9 100755 --- a/models/apis/ec2/2016-11-15/api-2.json +++ b/models/apis/ec2/2016-11-15/api-2.json @@ -10037,7 +10037,11 @@ "shape":"Boolean", "locationName":"dryRun" }, - "CopyImageTags":{"shape":"Boolean"} + "CopyImageTags":{"shape":"Boolean"}, + "TagSpecifications":{ + "shape":"TagSpecificationList", + "locationName":"TagSpecification" + } } }, "CopyImageResult":{ @@ -37029,7 +37033,11 @@ "BootMode":{"shape":"BootModeValues"}, "TpmSupport":{"shape":"TpmSupportValues"}, "UefiData":{"shape":"StringType"}, - "ImdsSupport":{"shape":"ImdsSupportValues"} + "ImdsSupport":{"shape":"ImdsSupportValues"}, + "TagSpecifications":{ + "shape":"TagSpecificationList", + "locationName":"TagSpecification" + } } }, "RegisterImageResult":{ diff --git a/models/apis/ec2/2016-11-15/docs-2.json b/models/apis/ec2/2016-11-15/docs-2.json index c3c4240bbc..34fb759303 100755 --- a/models/apis/ec2/2016-11-15/docs-2.json +++ b/models/apis/ec2/2016-11-15/docs-2.json @@ -228,7 +228,7 @@ "DescribeAggregateIdFormat": "

Describes the longer ID format settings for all resource types in a specific Region. This request is useful for performing a quick audit to determine whether a specific Region is fully opted in for longer IDs (17-character IDs).

This request only returns information about resource types that support longer IDs.

The following resource types support longer IDs: bundle | conversion-task | customer-gateway | dhcp-options | elastic-ip-allocation | elastic-ip-association | export-task | flow-log | image | import-task | instance | internet-gateway | network-acl | network-acl-association | network-interface | network-interface-attachment | prefix-list | reservation | route-table | route-table-association | security-group | snapshot | subnet | subnet-cidr-block-association | volume | vpc | vpc-cidr-block-association | vpc-endpoint | vpc-peering-connection | vpn-connection | vpn-gateway.

", "DescribeAvailabilityZones": "

Describes the Availability Zones, Local Zones, and Wavelength Zones that are available to you. If there is an event impacting a zone, you can use this request to view the state and any provided messages for that zone.

For more information about Availability Zones, Local Zones, and Wavelength Zones, see Regions and zones in the Amazon Elastic Compute Cloud User Guide.

", "DescribeAwsNetworkPerformanceMetricSubscriptions": "

Describes the current Infrastructure Performance metric subscriptions.

", - "DescribeBundleTasks": "

Describes the specified bundle tasks or all of your bundle tasks.

Completed bundle tasks are listed for only a limited time. If your bundle task is no longer in the list, you can still register an AMI from it. Just use RegisterImage with the Amazon S3 bucket name and image manifest name you provided to the bundle task.

", + "DescribeBundleTasks": "

Describes the specified bundle tasks or all of your bundle tasks.

Completed bundle tasks are listed for only a limited time. If your bundle task is no longer in the list, you can still register an AMI from it. Just use RegisterImage with the Amazon S3 bucket name and image manifest name you provided to the bundle task.

The order of the elements in the response, including those within nested structures, might vary. Applications should not assume the elements appear in a particular order.

", "DescribeByoipCidrs": "

Describes the IP address ranges that were specified in calls to ProvisionByoipCidr.

To describe the address pools that were created when you provisioned the address ranges, use DescribePublicIpv4Pools or DescribeIpv6Pools.

", "DescribeCapacityBlockOfferings": "

Describes Capacity Block offerings available for purchase in the Amazon Web Services Region that you're currently using. With Capacity Blocks, you purchase a specific instance type for a period of time.

", "DescribeCapacityReservationFleets": "

Describes one or more Capacity Reservation Fleets.

", @@ -262,8 +262,8 @@ "DescribeIamInstanceProfileAssociations": "

Describes your IAM instance profile associations.

", "DescribeIdFormat": "

Describes the ID format settings for your resources on a per-Region basis, for example, to view which resource types are enabled for longer IDs. This request only returns information about resource types whose ID formats can be modified; it does not return information about other resource types.

The following resource types support longer IDs: bundle | conversion-task | customer-gateway | dhcp-options | elastic-ip-allocation | elastic-ip-association | export-task | flow-log | image | import-task | instance | internet-gateway | network-acl | network-acl-association | network-interface | network-interface-attachment | prefix-list | reservation | route-table | route-table-association | security-group | snapshot | subnet | subnet-cidr-block-association | volume | vpc | vpc-cidr-block-association | vpc-endpoint | vpc-peering-connection | vpn-connection | vpn-gateway.

These settings apply to the IAM user who makes the request; they do not apply to the entire Amazon Web Services account. By default, an IAM user defaults to the same settings as the root user, unless they explicitly override the settings by running the ModifyIdFormat command. Resources created with longer IDs are visible to all IAM users, regardless of these settings and provided that they have permission to use the relevant Describe command for the resource type.

", "DescribeIdentityIdFormat": "

Describes the ID format settings for resources for the specified IAM user, IAM role, or root user. For example, you can view the resource types that are enabled for longer IDs. This request only returns information about resource types whose ID formats can be modified; it does not return information about other resource types. For more information, see Resource IDs in the Amazon Elastic Compute Cloud User Guide.

The following resource types support longer IDs: bundle | conversion-task | customer-gateway | dhcp-options | elastic-ip-allocation | elastic-ip-association | export-task | flow-log | image | import-task | instance | internet-gateway | network-acl | network-acl-association | network-interface | network-interface-attachment | prefix-list | reservation | route-table | route-table-association | security-group | snapshot | subnet | subnet-cidr-block-association | volume | vpc | vpc-cidr-block-association | vpc-endpoint | vpc-peering-connection | vpn-connection | vpn-gateway.

These settings apply to the principal specified in the request. They do not apply to the principal that makes the request.

", - "DescribeImageAttribute": "

Describes the specified attribute of the specified AMI. You can specify only one attribute at a time.

", - "DescribeImages": "

Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.

The images available to you include public images, private images that you own, and private images owned by other Amazon Web Services accounts for which you have explicit launch permissions.

Recently deregistered images appear in the returned results for a short interval and then return empty results. After all instances that reference a deregistered AMI are terminated, specifying the ID of the image will eventually return an error indicating that the AMI ID cannot be found.

", + "DescribeImageAttribute": "

Describes the specified attribute of the specified AMI. You can specify only one attribute at a time.

The order of the elements in the response, including those within nested structures, might vary. Applications should not assume the elements appear in a particular order.

", + "DescribeImages": "

Describes the specified images (AMIs, AKIs, and ARIs) available to you or all of the images available to you.

The images available to you include public images, private images that you own, and private images owned by other Amazon Web Services accounts for which you have explicit launch permissions.

Recently deregistered images appear in the returned results for a short interval and then return empty results. After all instances that reference a deregistered AMI are terminated, specifying the ID of the image will eventually return an error indicating that the AMI ID cannot be found.

The order of the elements in the response, including those within nested structures, might vary. Applications should not assume the elements appear in a particular order.

", "DescribeImportImageTasks": "

Displays details about an import virtual machine or import snapshot tasks that are already created.

", "DescribeImportSnapshotTasks": "

Describes your import snapshot tasks.

", "DescribeInstanceAttribute": "

Describes the specified attribute of the specified instance. You can specify only one attribute at a time. Valid attribute values are: instanceType | kernel | ramdisk | userData | disableApiTermination | instanceInitiatedShutdownBehavior | rootDeviceName | blockDeviceMapping | productCodes | sourceDestCheck | groupSet | ebsOptimized | sriovNetSupport

", @@ -559,7 +559,7 @@ "PurchaseReservedInstancesOffering": "

Purchases a Reserved Instance for use with your account. With Reserved Instances, you pay a lower hourly rate compared to On-Demand instance pricing.

Use DescribeReservedInstancesOfferings to get a list of Reserved Instance offerings that match your specifications. After you've purchased a Reserved Instance, you can check for your new Reserved Instance with DescribeReservedInstances.

To queue a purchase for a future date and time, specify a purchase time. If you do not specify a purchase time, the default is the current time.

For more information, see Reserved Instances and Reserved Instance Marketplace in the Amazon EC2 User Guide.

", "PurchaseScheduledInstances": "

You can no longer purchase Scheduled Instances.

Purchases the Scheduled Instances with the specified schedule.

Scheduled Instances enable you to purchase Amazon EC2 compute capacity by the hour for a one-year term. Before you can purchase a Scheduled Instance, you must call DescribeScheduledInstanceAvailability to check for available schedules and obtain a purchase token. After you purchase a Scheduled Instance, you must call RunScheduledInstances during each scheduled time period.

After you purchase a Scheduled Instance, you can't cancel, modify, or resell your purchase.

", "RebootInstances": "

Requests a reboot of the specified instances. This operation is asynchronous; it only queues a request to reboot the specified instances. The operation succeeds if the instances are valid and belong to you. Requests to reboot terminated instances are ignored.

If an instance does not cleanly shut down within a few minutes, Amazon EC2 performs a hard reboot.

For more information about troubleshooting, see Troubleshoot an unreachable instance in the Amazon EC2 User Guide.

", - "RegisterImage": "

Registers an AMI. When you're creating an AMI, this is the final step you must complete before you can launch an instance from the AMI. For more information about creating AMIs, see Create your own AMI in the Amazon Elastic Compute Cloud User Guide.

For Amazon EBS-backed instances, CreateImage creates and registers the AMI in a single request, so you don't have to register the AMI yourself. We recommend that you always use CreateImage unless you have a specific reason to use RegisterImage.

If needed, you can deregister an AMI at any time. Any modifications you make to an AMI backed by an instance store volume invalidates its registration. If you make changes to an image, deregister the previous image and register the new image.

Register a snapshot of a root device volume

You can use RegisterImage to create an Amazon EBS-backed Linux AMI from a snapshot of a root device volume. You specify the snapshot using a block device mapping. You can't set the encryption state of the volume using the block device mapping. If the snapshot is encrypted, or encryption by default is enabled, the root volume of an instance launched from the AMI is encrypted.

For more information, see Create a Linux AMI from a snapshot and Use encryption with Amazon EBS-backed AMIs in the Amazon Elastic Compute Cloud User Guide.

Amazon Web Services Marketplace product codes

If any snapshots have Amazon Web Services Marketplace product codes, they are copied to the new AMI.

Windows and some Linux distributions, such as Red Hat Enterprise Linux (RHEL) and SUSE Linux Enterprise Server (SLES), use the Amazon EC2 billing product code associated with an AMI to verify the subscription status for package updates. To create a new AMI for operating systems that require a billing product code, instead of registering the AMI, do the following to preserve the billing product code association:

  1. Launch an instance from an existing AMI with that billing product code.

  2. Customize the instance.

  3. Create an AMI from the instance using CreateImage.

If you purchase a Reserved Instance to apply to an On-Demand Instance that was launched from an AMI with a billing product code, make sure that the Reserved Instance has the matching billing product code. If you purchase a Reserved Instance without the matching billing product code, the Reserved Instance will not be applied to the On-Demand Instance. For information about how to obtain the platform details and billing information of an AMI, see Understand AMI billing information in the Amazon EC2 User Guide.

", + "RegisterImage": "

Registers an AMI. When you're creating an instance-store backed AMI, registering the AMI is the final step in the creation process. For more information about creating AMIs, see Create your own AMI in the Amazon Elastic Compute Cloud User Guide.

For Amazon EBS-backed instances, CreateImage creates and registers the AMI in a single request, so you don't have to register the AMI yourself. We recommend that you always use CreateImage unless you have a specific reason to use RegisterImage.

If needed, you can deregister an AMI at any time. Any modifications you make to an AMI backed by an instance store volume invalidates its registration. If you make changes to an image, deregister the previous image and register the new image.

Register a snapshot of a root device volume

You can use RegisterImage to create an Amazon EBS-backed Linux AMI from a snapshot of a root device volume. You specify the snapshot using a block device mapping. You can't set the encryption state of the volume using the block device mapping. If the snapshot is encrypted, or encryption by default is enabled, the root volume of an instance launched from the AMI is encrypted.

For more information, see Create a Linux AMI from a snapshot and Use encryption with Amazon EBS-backed AMIs in the Amazon Elastic Compute Cloud User Guide.

Amazon Web Services Marketplace product codes

If any snapshots have Amazon Web Services Marketplace product codes, they are copied to the new AMI.

Windows and some Linux distributions, such as Red Hat Enterprise Linux (RHEL) and SUSE Linux Enterprise Server (SLES), use the Amazon EC2 billing product code associated with an AMI to verify the subscription status for package updates. To create a new AMI for operating systems that require a billing product code, instead of registering the AMI, do the following to preserve the billing product code association:

  1. Launch an instance from an existing AMI with that billing product code.

  2. Customize the instance.

  3. Create an AMI from the instance using CreateImage.

If you purchase a Reserved Instance to apply to an On-Demand Instance that was launched from an AMI with a billing product code, make sure that the Reserved Instance has the matching billing product code. If you purchase a Reserved Instance without the matching billing product code, the Reserved Instance will not be applied to the On-Demand Instance. For information about how to obtain the platform details and billing information of an AMI, see Understand AMI billing information in the Amazon EC2 User Guide.

", "RegisterInstanceEventNotificationAttributes": "

Registers a set of tag keys to include in scheduled event notifications for your resources.

To remove tags, use DeregisterInstanceEventNotificationAttributes.

", "RegisterTransitGatewayMulticastGroupMembers": "

Registers members (network interfaces) with the transit gateway multicast group. A member is a network interface associated with a supported EC2 instance that receives multicast traffic. For information about supported instances, see Multicast Consideration in Amazon VPC Transit Gateways.

After you add the members, use SearchTransitGatewayMulticastGroups to verify that the members were added to the transit gateway multicast group.

", "RegisterTransitGatewayMulticastGroupSources": "

Registers sources (network interfaces) with the specified transit gateway multicast group.

A multicast source is a network interface attached to a supported instance that sends multicast traffic. For information about supported instances, see Multicast Considerations in Amazon VPC Transit Gateways.

After you add the source, use SearchTransitGatewayMulticastGroups to verify that the source was added to the multicast group.

", @@ -11443,7 +11443,7 @@ "AttachClassicLinkVpcRequest$InstanceId": "

The ID of the EC2-Classic instance.

", "AttachNetworkInterfaceRequest$InstanceId": "

The ID of the instance.

", "AttachVolumeRequest$InstanceId": "

The ID of the instance.

", - "BundleInstanceRequest$InstanceId": "

The ID of the instance to bundle.

Type: String

Default: None

Required: Yes

", + "BundleInstanceRequest$InstanceId": "

The ID of the instance to bundle.

Default: None

", "ConfirmProductInstanceRequest$InstanceId": "

The ID of the instance.

", "CreateImageRequest$InstanceId": "

The ID of the instance.

", "CreateInstanceExportTaskRequest$InstanceId": "

The ID of the instance.

", @@ -21546,6 +21546,7 @@ "AssociateIpamResourceDiscoveryRequest$TagSpecifications": "

Tag specifications.

", "AuthorizeSecurityGroupEgressRequest$TagSpecifications": "

The tags applied to the security group rule.

", "AuthorizeSecurityGroupIngressRequest$TagSpecifications": "

[VPC Only] The tags applied to the security group rule.

", + "CopyImageRequest$TagSpecifications": "

The tags to apply to the new AMI and new snapshots. You can tag the AMI, the snapshots, or both.

If you specify other values for ResourceType, the request fails.

To tag an AMI or snapshot after it has been created, see CreateTags.

", "CopySnapshotRequest$TagSpecifications": "

The tags to apply to the new snapshot.

", "CreateCapacityReservationFleetRequest$TagSpecifications": "

The tags to assign to the Capacity Reservation Fleet. The tags are automatically assigned to the Capacity Reservations in the Fleet.

", "CreateCapacityReservationRequest$TagSpecifications": "

The tags to apply to the Capacity Reservation during launch.

", @@ -21618,6 +21619,7 @@ "ProvisionByoipCidrRequest$PoolTagSpecifications": "

The tags to apply to the address pool.

", "PurchaseCapacityBlockRequest$TagSpecifications": "

The tags to apply to the Capacity Block during launch.

", "PurchaseHostReservationRequest$TagSpecifications": "

The tags to apply to the Dedicated Host Reservation during purchase.

", + "RegisterImageRequest$TagSpecifications": "

The tags to apply to the AMI.

To tag the AMI, the value for ResourceType must be image. If you specify another value for ResourceType, the request fails.

To tag an AMI after it has been registered, see CreateTags.

", "RequestSpotInstancesRequest$TagSpecifications": "

The key-value pair for tagging the Spot Instance request on creation. The value for ResourceType must be spot-instances-request, otherwise the Spot Instance request fails. To tag the Spot Instance request after it has been created, see CreateTags.

", "RunInstancesRequest$TagSpecifications": "

The tags to apply to the resources that are created during instance launch.

You can specify tags for the following resources only:

To tag a resource after it has been created, see CreateTags.

", "SpotFleetRequestConfigData$TagSpecifications": "

The key-value pair for tagging the Spot Fleet request on creation. The value for ResourceType must be spot-fleet-request, otherwise the Spot Fleet request fails. To tag instances at launch, specify the tags in the launch template (valid only if you use LaunchTemplateConfigs) or in the SpotFleetTagSpecification (valid only if you use LaunchSpecifications). For information about tagging after launch, see Tag your resources.

", diff --git a/models/apis/grafana/2020-08-18/api-2.json b/models/apis/grafana/2020-08-18/api-2.json index b4b989c8a5..debf750724 100644 --- a/models/apis/grafana/2020-08-18/api-2.json +++ b/models/apis/grafana/2020-08-18/api-2.json @@ -405,6 +405,11 @@ "workspaceId" ], "members":{ + "grafanaToken":{ + "shape":"GrafanaToken", + "location":"header", + "locationName":"Grafana-Token" + }, "licenseType":{ "shape":"LicenseType", "location":"uri", @@ -723,6 +728,11 @@ "max":2048, "min":1 }, + "GrafanaToken":{ + "type":"string", + "max":36, + "min":1 + }, "GrafanaVersion":{ "type":"string", "max":255, @@ -1437,6 +1447,7 @@ "endpoint":{"shape":"Endpoint"}, "freeTrialConsumed":{"shape":"Boolean"}, "freeTrialExpiration":{"shape":"Timestamp"}, + "grafanaToken":{"shape":"GrafanaToken"}, "grafanaVersion":{"shape":"GrafanaVersion"}, "id":{"shape":"WorkspaceId"}, "licenseExpiration":{"shape":"Timestamp"}, @@ -1502,8 +1513,10 @@ "created":{"shape":"Timestamp"}, "description":{"shape":"Description"}, "endpoint":{"shape":"Endpoint"}, + "grafanaToken":{"shape":"GrafanaToken"}, "grafanaVersion":{"shape":"GrafanaVersion"}, "id":{"shape":"WorkspaceId"}, + "licenseType":{"shape":"LicenseType"}, "modified":{"shape":"Timestamp"}, "name":{"shape":"WorkspaceName"}, "notificationDestinations":{"shape":"NotificationDestinationsList"}, diff --git a/models/apis/grafana/2020-08-18/docs-2.json b/models/apis/grafana/2020-08-18/docs-2.json index 004c1d3e3b..45f5edf6bb 100644 --- a/models/apis/grafana/2020-08-18/docs-2.json +++ b/models/apis/grafana/2020-08-18/docs-2.json @@ -108,8 +108,8 @@ "refs": { "AuthenticationDescription$providers": "
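Review bot: The new `GrafanaToken` shape in the `@@ -723,6 +728,11 @@` hunk is a plain string (`"type":"string"`, `"max":36`, `"min":1`) with no `sensitive` trait, although the same file now sends it in the `Grafana-Token` header and adds a `grafanaToken` member to two structures in the `@@ -1437,6` and `@@ -1502,8` hunks. If this token is meant to be handled like a credential, the shape should read `"GrafanaToken":{"type":"string","max":36,"min":1,"sensitive":true}`. As far as I know, the SDK's generated `String()`/`GoString()` output redacts only fields whose shape carries that trait, so without it the value would appear wherever a described or listed workspace is logged. The visible model does not say whether the token is secret, and this is a vendored service model, so the question belongs with the upstream model owner rather than a hand edit here. The enclosing `shapes` map starts and ends outside these hunks.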

Specifies whether this workspace uses IAM Identity Center, SAML, or both methods to authenticate users to use the Grafana console in the Amazon Managed Grafana workspace.

", "AuthenticationSummary$providers": "

Specifies whether the workspace uses SAML, IAM Identity Center, or both methods for user authentication.

", - "CreateWorkspaceRequest$authenticationProviders": "

Specifies whether this workspace uses SAML 2.0, IAM Identity Center (successor to Single Sign-On), or both to authenticate users for using the Grafana console within a workspace. For more information, see User authentication in Amazon Managed Grafana.

", - "UpdateWorkspaceAuthenticationRequest$authenticationProviders": "

Specifies whether this workspace uses SAML 2.0, IAM Identity Center (successor to Single Sign-On), or both to authenticate users for using the Grafana console within a workspace. For more information, see User authentication in Amazon Managed Grafana.

" + "CreateWorkspaceRequest$authenticationProviders": "

Specifies whether this workspace uses SAML 2.0, IAM Identity Center, or both to authenticate users for using the Grafana console within a workspace. For more information, see User authentication in Amazon Managed Grafana.

", + "UpdateWorkspaceAuthenticationRequest$authenticationProviders": "

Specifies whether this workspace uses SAML 2.0, IAM Identity Center, or both to authenticate users for using the Grafana console within a workspace. For more information, see User authentication in Amazon Managed Grafana.

" } }, "AuthenticationSummary": { @@ -130,7 +130,7 @@ "refs": { "UpdateWorkspaceRequest$removeNetworkAccessConfiguration": "

Whether to remove the network access configuration from the workspace.

Setting this to true and providing a networkAccessControl to set will return an error.

If you remove this configuration by setting this to true, then all IP addresses and VPC endpoints will be allowed. Standard Grafana authentication and authorization will still be required.

", "UpdateWorkspaceRequest$removeVpcConfiguration": "

Whether to remove the VPC configuration from the workspace.

Setting this to true and providing a vpcConfiguration to set will return an error.

", - "WorkspaceDescription$freeTrialConsumed": "

Specifies whether this workspace has already fully used its free trial for Grafana Enterprise.

" + "WorkspaceDescription$freeTrialConsumed": "

Specifies whether this workspace has already fully used its free trial for Grafana Enterprise.

Amazon Managed Grafana workspaces no longer support Grafana Enterprise free trials.

" } }, "ClientToken": { @@ -260,13 +260,21 @@ "WorkspaceSummary$endpoint": "

The URL endpoint to use to access the Grafana console in the workspace.

" } }, + "GrafanaToken": { + "base": null, + "refs": { + "AssociateLicenseRequest$grafanaToken": "

A token from Grafana Labs that ties your Amazon Web Services account with a Grafana Labs account. For more information, see Register with Grafana Labs.

", + "WorkspaceDescription$grafanaToken": "

The token that ties this workspace to a Grafana Labs account. For more information, see Register with Grafana Labs.

", + "WorkspaceSummary$grafanaToken": "

The token that ties this workspace to a Grafana Labs account. For more information, see Register with Grafana Labs.

" + } + }, "GrafanaVersion": { "base": null, "refs": { - "CreateWorkspaceRequest$grafanaVersion": "

Specifies the version of Grafana to support in the new workspace.

To get a list of supported version, use the ListVersions operation.

", + "CreateWorkspaceRequest$grafanaVersion": "

Specifies the version of Grafana to support in the new workspace. If not specified, defaults to the latest version (for example, 9.4).

To get a list of supported versions, use the ListVersions operation.

", "DescribeWorkspaceConfigurationResponse$grafanaVersion": "

The supported Grafana version for the workspace.

", "GrafanaVersionList$member": null, - "UpdateWorkspaceConfigurationRequest$grafanaVersion": "

Specifies the version of Grafana to support in the new workspace.

Can only be used to upgrade (for example, from 8.4 to 9.4), not downgrade (for example, from 9.4 to 8.4).

To know what versions are available to upgrade to for a specific workspace, see the ListVersions operation.

", + "UpdateWorkspaceConfigurationRequest$grafanaVersion": "

Specifies the version of Grafana to support in the workspace. If not specified, keeps the current version of the workspace.

Can only be used to upgrade (for example, from 8.4 to 9.4), not downgrade (for example, from 9.4 to 8.4).

To know what versions are available to upgrade to for a specific workspace, see the ListVersions operation.

", "WorkspaceDescription$grafanaVersion": "

The version of Grafana supported in this workspace.

", "WorkspaceSummary$grafanaVersion": "

The Grafana version that the workspace is running.

" } @@ -312,9 +320,10 @@ "LicenseType": { "base": null, "refs": { - "AssociateLicenseRequest$licenseType": "

The type of license to associate with the workspace.

", + "AssociateLicenseRequest$licenseType": "

The type of license to associate with the workspace.

Amazon Managed Grafana workspaces no longer support Grafana Enterprise free trials.

", "DisassociateLicenseRequest$licenseType": "

The type of license to remove from the workspace.

", - "WorkspaceDescription$licenseType": "

Specifies whether this workspace has a full Grafana Enterprise license or a free trial license.

" + "WorkspaceDescription$licenseType": "

Specifies whether this workspace has a full Grafana Enterprise license.

Amazon Managed Grafana workspaces no longer support Grafana Enterprise free trials.

", + "WorkspaceSummary$licenseType": "

Specifies whether this workspace has a full Grafana Enterprise license.

Amazon Managed Grafana workspaces no longer support Grafana Enterprise free trials.

" } }, "ListPermissionsRequest": { @@ -657,8 +666,8 @@ "base": null, "refs": { "WorkspaceDescription$created": "

The date that the workspace was created.

", - "WorkspaceDescription$freeTrialExpiration": "

If this workspace is currently in the free trial period for Grafana Enterprise, this value specifies when that free trial ends.

", - "WorkspaceDescription$licenseExpiration": "

If this workspace has a full Grafana Enterprise license, this specifies when the license ends and will need to be renewed.

", + "WorkspaceDescription$freeTrialExpiration": "

If this workspace is currently in the free trial period for Grafana Enterprise, this value specifies when that free trial ends.

Amazon Managed Grafana workspaces no longer support Grafana Enterprise free trials.

", + "WorkspaceDescription$licenseExpiration": "

If this workspace has a full Grafana Enterprise license purchased through Amazon Web Services Marketplace, this specifies when the license ends and will need to be renewed. Purchasing the Enterprise plugins option through Amazon Managed Grafana does not have an expiration. It is valid until the license is removed.

", "WorkspaceDescription$modified": "

The most recent date that the workspace was modified.

", "WorkspaceSummary$created": "

The date that the workspace was created.

", "WorkspaceSummary$modified": "

The most recent date that the workspace was modified.

" diff --git a/models/apis/grafana/2020-08-18/endpoint-rule-set-1.json b/models/apis/grafana/2020-08-18/endpoint-rule-set-1.json index 6c513fce87..065bc63813 100644 --- a/models/apis/grafana/2020-08-18/endpoint-rule-set-1.json +++ b/models/apis/grafana/2020-08-18/endpoint-rule-set-1.json @@ -40,7 +40,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -83,7 +82,8 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" }, { "conditions": [ @@ -96,7 +96,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -110,7 +109,6 @@ "assign": "PartitionResult" } ], - "type": "tree", "rules": [ { "conditions": [ @@ -133,7 +131,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -168,7 +165,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [], @@ -179,14 +175,16 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" }, { "conditions": [], "error": "FIPS and DualStack are enabled, but this partition does not support one or both", "type": "error" } - ] + ], + "type": "tree" }, { "conditions": [ @@ -200,14 +198,12 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ - true, { "fn": "getAttr", "argv": [ @@ -216,11 +212,11 @@ }, "supportsFIPS" ] - } + }, + true ] } ], - "type": "tree", "rules": [ { "conditions": [], @@ -231,14 +227,16 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" }, { "conditions": [], "error": "FIPS is enabled but this partition does not support FIPS", "type": "error" } - ] + ], + "type": "tree" }, { "conditions": [ @@ -252,7 +250,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -272,7 +269,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [], @@ -283,14 +279,16 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" }, { "conditions": [], "error": "DualStack is enabled but this partition does not support DualStack", "type": "error" } - ] + ], + "type": "tree" }, { "conditions": [], 
@@ -301,9 +299,11 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" } - ] + ], + "type": "tree" }, { "conditions": [], diff --git a/models/apis/lambda/2015-03-31/docs-2.json b/models/apis/lambda/2015-03-31/docs-2.json index 044d945d82..3db0d9eb57 100644 --- a/models/apis/lambda/2015-03-31/docs-2.json +++ b/models/apis/lambda/2015-03-31/docs-2.json @@ -785,44 +785,44 @@ "FunctionName": { "base": null, "refs": { - "AddPermissionRequest$FunctionName": "

The name of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "CreateAliasRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "CreateEventSourceMappingRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it's limited to 64 characters in length.

", - "CreateFunctionRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "CreateFunctionUrlConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "DeleteAliasRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "DeleteFunctionCodeSigningConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "DeleteFunctionConcurrencyRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "DeleteFunctionEventInvokeConfigRequest$FunctionName": "

The name of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "DeleteFunctionRequest$FunctionName": "

The name of the Lambda function or version.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "DeleteFunctionUrlConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "DeleteProvisionedConcurrencyConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "GetAliasRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "GetFunctionCodeSigningConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "GetFunctionCodeSigningConfigResponse$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "GetFunctionConcurrencyRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "GetFunctionEventInvokeConfigRequest$FunctionName": "

The name of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "GetFunctionUrlConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "GetProvisionedConcurrencyConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "ListAliasesRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "ListEventSourceMappingsRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it's limited to 64 characters in length.

", - "ListFunctionEventInvokeConfigsRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "ListFunctionUrlConfigsRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "ListProvisionedConcurrencyConfigsRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "PublishVersionRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "PutFunctionCodeSigningConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "PutFunctionCodeSigningConfigResponse$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "PutFunctionConcurrencyRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "PutFunctionEventInvokeConfigRequest$FunctionName": "

The name of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "PutProvisionedConcurrencyConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "PutRuntimeManagementConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "RemovePermissionRequest$FunctionName": "

The name of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "UpdateAliasRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "UpdateEventSourceMappingRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it's limited to 64 characters in length.

", - "UpdateFunctionCodeRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "UpdateFunctionConfigurationRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "UpdateFunctionEventInvokeConfigRequest$FunctionName": "

The name of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "UpdateFunctionUrlConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

" + "AddPermissionRequest$FunctionName": "

The name or ARN of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "CreateAliasRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "CreateEventSourceMappingRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it's limited to 64 characters in length.

", + "CreateFunctionRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "CreateFunctionUrlConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "DeleteAliasRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "DeleteFunctionCodeSigningConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "DeleteFunctionConcurrencyRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "DeleteFunctionEventInvokeConfigRequest$FunctionName": "

The name or ARN of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "DeleteFunctionRequest$FunctionName": "

The name or ARN of the Lambda function or version.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "DeleteFunctionUrlConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "DeleteProvisionedConcurrencyConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "GetAliasRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "GetFunctionCodeSigningConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "GetFunctionCodeSigningConfigResponse$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "GetFunctionConcurrencyRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "GetFunctionEventInvokeConfigRequest$FunctionName": "

The name or ARN of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "GetFunctionUrlConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "GetProvisionedConcurrencyConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "ListAliasesRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "ListEventSourceMappingsRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it's limited to 64 characters in length.

", + "ListFunctionEventInvokeConfigsRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "ListFunctionUrlConfigsRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "ListProvisionedConcurrencyConfigsRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "PublishVersionRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "PutFunctionCodeSigningConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "PutFunctionCodeSigningConfigResponse$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "PutFunctionConcurrencyRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "PutFunctionEventInvokeConfigRequest$FunctionName": "

The name or ARN of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "PutProvisionedConcurrencyConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "PutRuntimeManagementConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "RemovePermissionRequest$FunctionName": "

The name or ARN of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "UpdateAliasRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "UpdateEventSourceMappingRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it's limited to 64 characters in length.

", + "UpdateFunctionCodeRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "UpdateFunctionConfigurationRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "UpdateFunctionEventInvokeConfigRequest$FunctionName": "

The name or ARN of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "UpdateFunctionUrlConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

" } }, "FunctionResponseType": { @@ -1631,14 +1631,14 @@ "base": null, "refs": { "FunctionConfiguration$FunctionName": "

The name of the function.

", - "GetFunctionConfigurationRequest$FunctionName": "

The name of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "GetFunctionRequest$FunctionName": "

The name of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "GetPolicyRequest$FunctionName": "

The name of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "GetRuntimeManagementConfigRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "InvocationRequest$FunctionName": "

The name of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "InvokeAsyncRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "InvokeWithResponseStreamRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", - "ListVersionsByFunctionRequest$FunctionName": "

The name of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

" + "GetFunctionConfigurationRequest$FunctionName": "

The name or ARN of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "GetFunctionRequest$FunctionName": "

The name or ARN of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "GetPolicyRequest$FunctionName": "

The name or ARN of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "GetRuntimeManagementConfigRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "InvocationRequest$FunctionName": "

The name or ARN of the Lambda function, version, or alias.

Name formats

You can append a version number or alias to any of the formats. The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "InvokeAsyncRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "InvokeWithResponseStreamRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

", + "ListVersionsByFunctionRequest$FunctionName": "

The name or ARN of the Lambda function.

Name formats

The length constraint applies only to the full ARN. If you specify only the function name, it is limited to 64 characters in length.

" } }, "NamespacedStatementId": { diff --git a/models/apis/payment-cryptography-data/2022-02-03/api-2.json b/models/apis/payment-cryptography-data/2022-02-03/api-2.json index f6460898de..5d3bf2273f 100644 --- a/models/apis/payment-cryptography-data/2022-02-03/api-2.json +++ b/models/apis/payment-cryptography-data/2022-02-03/api-2.json @@ -450,6 +450,37 @@ "ServiceCode":{"shape":"NumberLengthEquals3"} } }, + "EmvEncryptionAttributes":{ + "type":"structure", + "required":[ + "MajorKeyDerivationMode", + "PanSequenceNumber", + "PrimaryAccountNumber", + "SessionDerivationData" + ], + "members":{ + "InitializationVector":{"shape":"HexLength16Or32"}, + "MajorKeyDerivationMode":{"shape":"EmvMajorKeyDerivationMode"}, + "Mode":{"shape":"EmvEncryptionMode"}, + "PanSequenceNumber":{"shape":"HexLengthEquals2"}, + "PrimaryAccountNumber":{"shape":"NumberLengthBetween12And19"}, + "SessionDerivationData":{"shape":"HexLengthEquals16"} + } + }, + "EmvEncryptionMode":{ + "type":"string", + "enum":[ + "ECB", + "CBC" + ] + }, + "EmvMajorKeyDerivationMode":{ + "type":"string", + "enum":[ + "EMV_OPTION_A", + "EMV_OPTION_B" + ] + }, "EncryptDataInput":{ "type":"structure", "required":[ @@ -484,6 +515,7 @@ "members":{ "Asymmetric":{"shape":"AsymmetricEncryptionAttributes"}, "Dukpt":{"shape":"DukptEncryptionAttributes"}, + "Emv":{"shape":"EmvEncryptionAttributes"}, "Symmetric":{"shape":"SymmetricEncryptionAttributes"} }, "union":true @@ -569,10 +601,7 @@ "GenerationAttributes":{"shape":"PinGenerationAttributes"}, "GenerationKeyIdentifier":{"shape":"KeyArnOrKeyAliasType"}, "PinBlockFormat":{"shape":"PinBlockFormatForPinData"}, - "PinDataLength":{ - "shape":"IntegerRangeBetween4And12", - "box":true - }, + "PinDataLength":{"shape":"IntegerRangeBetween4And12"}, "PrimaryAccountNumber":{"shape":"NumberLengthBetween12And19"} } }, @@ -800,6 +829,7 @@ }, "IntegerRangeBetween4And12":{ "type":"integer", + "box":true, "max":12, "min":4 }, 
@@ -1349,10 +1379,7 @@ "EncryptedPinBlock":{"shape":"HexLengthBetween16And32"}, "EncryptionKeyIdentifier":{"shape":"KeyArnOrKeyAliasType"}, "PinBlockFormat":{"shape":"PinBlockFormatForPinData"}, - "PinDataLength":{ - "shape":"IntegerRangeBetween4And12", - "box":true - }, + "PinDataLength":{"shape":"IntegerRangeBetween4And12"}, "PrimaryAccountNumber":{"shape":"NumberLengthBetween12And19"}, "VerificationAttributes":{"shape":"PinVerificationAttributes"}, "VerificationKeyIdentifier":{"shape":"KeyArnOrKeyAliasType"} diff --git a/models/apis/payment-cryptography-data/2022-02-03/docs-2.json b/models/apis/payment-cryptography-data/2022-02-03/docs-2.json index a33c4d25e7..028da47619 100644 --- a/models/apis/payment-cryptography-data/2022-02-03/docs-2.json +++ b/models/apis/payment-cryptography-data/2022-02-03/docs-2.json @@ -2,16 +2,16 @@ "version": "2.0", "service": "

You use the Amazon Web Services Payment Cryptography Data Plane to manage how encryption keys are used for payment-related transaction processing and associated cryptographic operations. You can encrypt, decrypt, generate, verify, and translate payment-related cryptographic operations in Amazon Web Services Payment Cryptography. For more information, see Data operations in the Amazon Web Services Payment Cryptography User Guide.

To manage your encryption keys, you use the Amazon Web Services Payment Cryptography Control Plane. You can create, import, export, share, manage, and delete keys. You can also manage Identity and Access Management (IAM) policies for keys.

", "operations": { - "DecryptData": "

Decrypts ciphertext data to plaintext using symmetric, asymmetric, or DUKPT data encryption key. For more information, see Decrypt data in the Amazon Web Services Payment Cryptography User Guide.

You can use an encryption key generated within Amazon Web Services Payment Cryptography, or you can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Decrypt. In asymmetric decryption, Amazon Web Services Payment Cryptography decrypts the ciphertext using the private component of the asymmetric encryption key pair. For data encryption outside of Amazon Web Services Payment Cryptography, you can export the public component of the asymmetric key pair by calling GetPublicCertificate.

For symmetric and DUKPT decryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For asymmetric decryption, Amazon Web Services Payment Cryptography supports RSA. When you use DUKPT, for TDES algorithm, the ciphertext data length must be a multiple of 16 bytes. For AES algorithm, the ciphertext data length must be a multiple of 32 bytes.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", - "EncryptData": "

Encrypts plaintext data to ciphertext using symmetric, asymmetric, or DUKPT data encryption key. For more information, see Encrypt data in the Amazon Web Services Payment Cryptography User Guide.

You can generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey. You can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Encrypt. In asymmetric encryption, plaintext is encrypted using public component. You can import the public component of an asymmetric key pair created outside Amazon Web Services Payment Cryptography by calling ImportKey).

for symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For asymmetric encryption, Amazon Web Services Payment Cryptography supports RSA. To encrypt using DUKPT, you must already have a DUKPT key in your account with KeyModesOfUse set to DeriveKey, or you can generate a new DUKPT key by calling CreateKey.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", + "DecryptData": "

Decrypts ciphertext data to plaintext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Decrypt data in the Amazon Web Services Payment Cryptography User Guide.

You can use an encryption key generated within Amazon Web Services Payment Cryptography, or you can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Decrypt. In asymmetric decryption, Amazon Web Services Payment Cryptography decrypts the ciphertext using the private component of the asymmetric encryption key pair. For data encryption outside of Amazon Web Services Payment Cryptography, you can export the public component of the asymmetric key pair by calling GetPublicCertificate.

For symmetric and DUKPT decryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For EMV decryption, Amazon Web Services Payment Cryptography supports TDES algorithms. For asymmetric decryption, Amazon Web Services Payment Cryptography supports RSA.

When you use TDES or TDES DUKPT, the ciphertext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the ciphertext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", + "EncryptData": "

Encrypts plaintext data to ciphertext using a symmetric (TDES, AES), asymmetric (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, see Encrypt data in the Amazon Web Services Payment Cryptography User Guide.

You can generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey. You can import your own encryption key by calling ImportKey. For this operation, the key must have KeyModesOfUse set to Encrypt. In asymmetric encryption, plaintext is encrypted using public component. You can import the public component of an asymmetric key pair created outside Amazon Web Services Payment Cryptography by calling ImportKey.

For symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For EMV encryption, Amazon Web Services Payment Cryptography supports TDES algorithms.For asymmetric encryption, Amazon Web Services Payment Cryptography supports RSA.

When you use TDES or TDES DUKPT, the plaintext data length must be a multiple of 8 bytes. For AES or AES DUKPT, the plaintext data length must be a multiple of 16 bytes. For RSA, it sould be equal to the key size unless padding is enabled.

To encrypt using DUKPT, you must already have a BDK (Base Derivation Key) key in your account with KeyModesOfUse set to DeriveKey, or you can generate a new DUKPT key by calling CreateKey. To encrypt using EMV, you must already have an IMK (Issuer Master Key) key in your account with KeyModesOfUse set to DeriveKey.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "GenerateCardValidationData": "

Generates card-related validation data using algorithms such as Card Verification Values (CVV/CVV2), Dynamic Card Verification Values (dCVV/dCVV2), or Card Security Codes (CSC). For more information, see Generate card data in the Amazon Web Services Payment Cryptography User Guide.

This operation generates a CVV or CSC value that is printed on a payment credit or debit card during card production. The CVV or CSC, PAN (Primary Account Number) and expiration date of the card are required to check its validity during transaction processing. To begin this operation, a CVK (Card Verification Key) encryption key is required. You can use CreateKey or ImportKey to establish a CVK within Amazon Web Services Payment Cryptography. The KeyModesOfUse should be set to Generate and Verify for a CVK encryption key.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", - "GenerateMac": "

Generates a Message Authentication Code (MAC) cryptogram within Amazon Web Services Payment Cryptography.

You can use this operation when keys won't be shared but mutual data is present on both ends for validation. In this case, known data values are used to generate a MAC on both ends for comparision without sending or receiving data in ciphertext or plaintext. You can use this operation to generate a DUPKT, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for KeyUsage such as TR31_M7_HMAC_KEY for HMAC generation, and they key must have KeyModesOfUse set to Generate and Verify.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", + "GenerateMac": "

Generates a Message Authentication Code (MAC) cryptogram within Amazon Web Services Payment Cryptography.

You can use this operation to authenticate card-related data by using known data values to generate MAC for data validation between the sending and receiving parties. This operation uses message data, a secret encryption key and MAC algorithm to generate a unique MAC value for transmission. The receiving party of the MAC must use the same message data, secret encryption key and MAC algorithm to reproduce another MAC value for comparision.

You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. The MAC generation encryption key must have valid values for KeyUsage such as TR31_M7_HMAC_KEY for HMAC generation, and they key must have KeyModesOfUse set to Generate and Verify.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "GeneratePinData": "

Generates pin-related data such as PIN, PIN Verification Value (PVV), PIN Block, and PIN Offset during new card issuance or reissuance. For more information, see Generate PIN data in the Amazon Web Services Payment Cryptography User Guide.

PIN data is never transmitted in clear to or from Amazon Web Services Payment Cryptography. This operation generates PIN, PVV, or PIN Offset and then encrypts it using Pin Encryption Key (PEK) to create an EncryptedPinBlock for transmission from Amazon Web Services Payment Cryptography. This operation uses a separate Pin Verification Key (PVK) for VISA PVV generation.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "ReEncryptData": "

Re-encrypt ciphertext using DUKPT, Symmetric and Asymmetric Data Encryption Keys.

You can either generate an encryption key within Amazon Web Services Payment Cryptography by calling CreateKey or import your own encryption key by calling ImportKey. The KeyArn for use with this operation must be in a compatible key state with KeyModesOfUse set to Encrypt. In asymmetric encryption, ciphertext is encrypted using public component (imported by calling ImportKey) of the asymmetric key pair created outside of Amazon Web Services Payment Cryptography.

For symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography supports TDES and AES algorithms. For asymmetric encryption, Amazon Web Services Payment Cryptography supports RSA. To encrypt using DUKPT, a DUKPT key must already exist within your account with KeyModesOfUse set to DeriveKey or a new DUKPT can be generated by calling CreateKey.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", - "TranslatePinData": "

Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see Translate PIN data in the Amazon Web Services Payment Cryptography User Guide.

PIN block translation involves changing the encrytion of PIN block from one encryption key to another encryption key and changing PIN block format from one to another without PIN block data leaving Amazon Web Services Payment Cryptography. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK. Amazon Web Services Payment Cryptography supports TDES and AES key derivation type for DUKPT tranlations. You can use this operation for P2PE (Point to Point Encryption) use cases where the encryption keys should change but the processing system either does not need to, or is not permitted to, decrypt the data.

The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

At this time, Amazon Web Services Payment Cryptography does not support translations to PIN format 4.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", + "TranslatePinData": "

Translates encrypted PIN block from and to ISO 9564 formats 0,1,3,4. For more information, see Translate PIN data in the Amazon Web Services Payment Cryptography User Guide.

PIN block translation involves changing the encrytion of PIN block from one encryption key to another encryption key and changing PIN block format from one to another without PIN block data leaving Amazon Web Services Payment Cryptography. The encryption key transformation can be from PEK (Pin Encryption Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK. Amazon Web Services Payment Cryptography supports TDES and AES key derivation type for DUKPT translations.

The allowed combinations of PIN block format translations are guided by PCI. It is important to note that not all encrypted PIN block formats (example, format 1) require PAN (Primary Account Number) as input. And as such, PIN block format that requires PAN (example, formats 0,3,4) cannot be translated to a format (format 1) that does not require a PAN for generation.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Amazon Web Services Payment Cryptography currently supports ISO PIN block 4 translation for PIN block built using legacy PAN length. That is, PAN is the right most 12 digits excluding the check digits.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "VerifyAuthRequestCryptogram": "

Verifies Authorization Request Cryptogram (ARQC) for a EMV chip payment card authorization. For more information, see Verify auth request cryptogram in the Amazon Web Services Payment Cryptography User Guide.

ARQC generation is done outside of Amazon Web Services Payment Cryptography and is typically generated on a point of sale terminal for an EMV chip card to obtain payment authorization during transaction time. For ARQC verification, you must first import the ARQC generated outside of Amazon Web Services Payment Cryptography by calling ImportKey. This operation uses the imported ARQC and an major encryption key (DUKPT) created by calling CreateKey to either provide a boolean ARQC verification result or provide an APRC (Authorization Response Cryptogram) response using Method 1 or Method 2. The ARPC_METHOD_1 uses AuthResponseCode to generate ARPC and ARPC_METHOD_2 uses CardStatusUpdate to generate ARPC.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "VerifyCardValidationData": "

Verifies card-related validation data using algorithms such as Card Verification Values (CVV/CVV2), Dynamic Card Verification Values (dCVV/dCVV2) and Card Security Codes (CSC). For more information, see Verify card data in the Amazon Web Services Payment Cryptography User Guide.

This operation validates the CVV or CSC codes that is printed on a payment credit or debit card during card payment transaction. The input values are typically provided as part of an inbound transaction to an issuer or supporting platform partner. Amazon Web Services Payment Cryptography uses CVV or CSC, PAN (Primary Account Number) and expiration date of the card to check its validity during transaction processing. In this operation, the CVK (Card Verification Key) encryption key for use with card data verification is same as the one in used for GenerateCardValidationData.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", - "VerifyMac": "

Verifies a Message Authentication Code (MAC).

You can use this operation when keys won't be shared but mutual data is present on both ends for validation. In this case, known data values are used to generate a MAC on both ends for verification without sending or receiving data in ciphertext or plaintext. You can use this operation to verify a DUPKT, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values. Use the same encryption key for MAC verification as you use for GenerateMac.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", + "VerifyMac": "

Verifies a Message Authentication Code (MAC).

You can use this operation to verify MAC for message data authentication such as . In this operation, you must use the same message data, secret encryption key and MAC algorithm that was used to generate MAC. You can use this operation to verify a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes and algorithm to the associated values.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

", "VerifyPinData": "

Verifies pin-related data such as PIN and PIN Offset using algorithms including VISA PVV and IBM3624. For more information, see Verify PIN data in the Amazon Web Services Payment Cryptography User Guide.

This operation verifies PIN data for user payment card. A card holder PIN data is never transmitted in clear to or from Amazon Web Services Payment Cryptography. This operation uses PIN Verification Key (PVK) for PIN or PIN Offset generation and then encrypts it using PIN Encryption Key (PEK) to create an EncryptedPinBlock for transmission from Amazon Web Services Payment Cryptography.

For information about valid keys for this operation, see Understanding key attributes and Key types for specific data operations in the Amazon Web Services Payment Cryptography User Guide.

Cross-account use: This operation can't be used across different Amazon Web Services accounts.

Related operations:

" }, "shapes": { @@ -116,7 +116,7 @@ "DukptDerivationAttributes": { "base": "

Parameters required for encryption or decryption of data using DUKPT.

", "refs": { - "TranslatePinDataInput$IncomingDukptAttributes": "

The attributes and values to use for incoming DUKPT encryption key for PIN block tranlation.

", + "TranslatePinDataInput$IncomingDukptAttributes": "

The attributes and values to use for incoming DUKPT encryption key for PIN block translation.

", "TranslatePinDataInput$OutgoingDukptAttributes": "

The attributes and values to use for outgoing DUKPT encryption key after PIN block translation.

" } }, @@ -139,7 +139,7 @@ "DukptEncryptionMode": { "base": null, "refs": { - "DukptEncryptionAttributes$Mode": "

The block cipher mode of operation. Block ciphers are designed to encrypt a block of data of fixed size, for example, 128 bits. The size of the input block is usually same as the size of the encrypted output block, while the key length can be different. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

The default is CBC.

" + "DukptEncryptionAttributes$Mode": "

The block cipher method to use for encryption.

The default is CBC.

" } }, "DukptKeyVariant": { @@ -164,6 +164,24 @@ "CardVerificationAttributes$DynamicCardVerificationValue": "

Card data parameters that are required to verify CDynamic Card Verification Value (dCVV) for the payment card.

" } }, + "EmvEncryptionAttributes": { + "base": "

Parameters for plaintext encryption using EMV keys.

", + "refs": { + "EncryptionDecryptionAttributes$Emv": "

Parameters for plaintext encryption using EMV keys.

" + } + }, + "EmvEncryptionMode": { + "base": null, + "refs": { + "EmvEncryptionAttributes$Mode": "

The block cipher method to use for encryption.

" + } + }, + "EmvMajorKeyDerivationMode": { + "base": null, + "refs": { + "EmvEncryptionAttributes$MajorKeyDerivationMode": "

The EMV derivation mode to use for ICC master key derivation as per EMV version 4.3 book 2.

" + } + }, "EncryptDataInput": { "base": null, "refs": { @@ -184,7 +202,7 @@ "EncryptionMode": { "base": null, "refs": { - "SymmetricEncryptionAttributes$Mode": "

The block cipher mode of operation. Block ciphers are designed to encrypt a block of data of fixed size (for example, 128 bits). The size of the input block is usually same as the size of the encrypted output block, while the key length can be different. A mode of operation describes how to repeatedly apply a cipher's single-block operation to securely transform amounts of data larger than a block.

" + "SymmetricEncryptionAttributes$Mode": "

The block cipher method to use for encryption.

" } }, "GenerateCardValidationDataInput": { @@ -226,14 +244,14 @@ "HexEvenLengthBetween16And4064": { "base": null, "refs": { - "EncryptDataInput$PlainText": "

The plaintext to be encrypted.

" + "EncryptDataInput$PlainText": "

The plaintext to be encrypted.

For encryption using asymmetric keys, plaintext data length is constrained by encryption key strength that you define in KeyAlgorithm and padding type that you define in AsymmetricEncryptionAttributes. For more information, see Encrypt data in the Amazon Web Services Payment Cryptography User Guide.

" } }, "HexEvenLengthBetween16And4096": { "base": null, "refs": { "DecryptDataInput$CipherText": "

The ciphertext to decrypt.

", - "DecryptDataOutput$PlainText": "

The decrypted plaintext data.

", + "DecryptDataOutput$PlainText": "

The decrypted plaintext data in hexBinary format.

", "EncryptDataOutput$CipherText": "

The encrypted ciphertext.

", "ReEncryptDataInput$CipherText": "

Ciphertext to be encrypted. The minimum allowed length is 16 bytes and maximum allowed length is 4096 bytes.

", "ReEncryptDataOutput$CipherText": "

The encrypted ciphertext.

" @@ -242,8 +260,8 @@ "HexEvenLengthBetween2And4096": { "base": null, "refs": { - "GenerateMacInput$MessageData": "

The data for which a MAC is under generation.

", - "VerifyMacInput$MessageData": "

The data on for which MAC is under verification.

" + "GenerateMacInput$MessageData": "

The data for which a MAC is under generation. This value must be hexBinary.

", + "VerifyMacInput$MessageData": "

The data on for which MAC is under verification. This value must be hexBinary.

" } }, "HexEvenLengthBetween4And128": { @@ -255,8 +273,9 @@ "HexLength16Or32": { "base": null, "refs": { - "DukptEncryptionAttributes$InitializationVector": "

An input to cryptographic primitive used to provide the intial state. Typically the InitializationVector must have a random or psuedo-random value, but sometimes it only needs to be unpredictable or unique. If you don't provide a value, Amazon Web Services Payment Cryptography generates a random value.

", - "SymmetricEncryptionAttributes$InitializationVector": "

An input to cryptographic primitive used to provide the intial state. The InitializationVector is typically required have a random or psuedo-random value, but sometimes it only needs to be unpredictable or unique. If a value is not provided, Amazon Web Services Payment Cryptography generates a random value.

" + "DukptEncryptionAttributes$InitializationVector": "

An input used to provide the intial state. If no value is provided, Amazon Web Services Payment Cryptography defaults it to zero.

", + "EmvEncryptionAttributes$InitializationVector": "

An input used to provide the intial state. If no value is provided, Amazon Web Services Payment Cryptography defaults it to zero.

", + "SymmetricEncryptionAttributes$InitializationVector": "

An input used to provide the intial state. If no value is provided, Amazon Web Services Payment Cryptography defaults it to zero.

" } }, "HexLengthBetween10And24": { @@ -273,7 +292,7 @@ "refs": { "GeneratePinDataOutput$EncryptedPinBlock": "
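Review bot: The new `InitializationVector` text for `DukptEncryptionAttributes`, `EmvEncryptionAttributes` and `SymmetricEncryptionAttributes` says an omitted value defaults to zero, where the removed text said a random value is generated, but it does not tell callers what that means for them. In CBC, which this file names as the DUKPT default mode, a fixed IV under the same key makes equal plaintext prefixes encrypt to equal ciphertext prefixes, so callers who relied on the documented random default would now get linkable ciphertexts. I would add a sentence to each of the three strings, for example `Provide a unique, unpredictable value for each encryption if ciphertexts under the same key must not be comparable.` The word `intial` is also still misspelled in all three. The file looks generated from the service model, so the wording would have to change upstream.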

The PIN block encrypted under PEK from Amazon Web Services Payment Cryptography. The encrypted PIN block is a composite of PAN (Primary Account Number) and PIN (Personal Identification Number), generated in accordance with ISO 9564 standard.

", "Ibm3624PinOffset$EncryptedPinBlock": "

The encrypted PIN block data. According to ISO 9564 standard, a PIN Block is an encoded representation of a payment card Personal Account Number (PAN) and the cardholder Personal Identification Number (PIN).

", - "TranslatePinDataOutput$PinBlock": "

The ougoing encrypted PIN block data after tranlation.

", + "TranslatePinDataOutput$PinBlock": "

The outgoing encrypted PIN block data after translation.

", "VerifyPinDataInput$EncryptedPinBlock": "

The encrypted PIN block data that Amazon Web Services Payment Cryptography verifies.

", "VisaPinVerificationValue$EncryptedPinBlock": "

The encrypted PIN block data to verify.

" } @@ -338,6 +357,7 @@ "HexLengthEquals16": { "base": null, "refs": { + "EmvEncryptionAttributes$SessionDerivationData": "

The derivation value used to derive the ICC session key. It is typically the application transaction counter value padded with zeros or previous ARQC value padded with zeros as per EMV version 4.3 book 2.

", "SessionKeyDerivationValue$ApplicationCryptogram": "

The cryptogram provided by the terminal during transaction processing.

", "VerifyAuthRequestCryptogramInput$AuthRequestCryptogram": "

The auth request cryptogram imported into Amazon Web Services Payment Cryptography for ARQC verification using a major encryption key and transaction data.

" } @@ -348,6 +368,7 @@ "CardHolderVerificationValue$PanSequenceNumber": "

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

", "DynamicCardVerificationCode$PanSequenceNumber": "

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

", "DynamicCardVerificationValue$PanSequenceNumber": "

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

", + "EmvEncryptionAttributes$PanSequenceNumber": "

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

", "MacAlgorithmEmv$PanSequenceNumber": "

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

", "SessionKeyAmex$PanSequenceNumber": "

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

", "SessionKeyEmv2000$PanSequenceNumber": "

A number that identifies and differentiates payment cards with the same Primary Account Number (PAN).

", @@ -472,19 +493,19 @@ "KeyCheckValue": { "base": null, "refs": { - "DecryptDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "EncryptDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "GenerateCardValidationDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "GenerateMacOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "GeneratePinDataOutput$EncryptionKeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "GeneratePinDataOutput$GenerationKeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "ReEncryptDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "TranslatePinDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "VerifyAuthRequestCryptogramOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "VerifyCardValidationDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "VerifyMacOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "VerifyPinDataOutput$EncryptionKeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

", - "VerifyPinDataOutput$VerificationKeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed. Amazon Web Services Payment Cryptography calculates the KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or \"00\" or \"01\" and then truncating the result to the first 3 bytes, or 6 hex digits, of the resulting cryptogram.

" + "DecryptDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "EncryptDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "GenerateCardValidationDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "GenerateMacOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "GeneratePinDataOutput$EncryptionKeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "GeneratePinDataOutput$GenerationKeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "ReEncryptDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "TranslatePinDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "VerifyAuthRequestCryptogramOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "VerifyCardValidationDataOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "VerifyMacOutput$KeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "VerifyPinDataOutput$EncryptionKeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

", + "VerifyPinDataOutput$VerificationKeyCheckValue": "

The key check value (KCV) of the encryption key. The KCV is used to check if all parties holding a given key have the same key or to detect that a key has changed.

Amazon Web Services Payment Cryptography computes the KCV according to the CMAC specification.

" } }, "MacAlgorithm": { @@ -498,7 +519,7 @@ "refs": { "MacAttributes$DukptCmac": "

Parameters that are required for MAC generation or verification using DUKPT CMAC algorithm.

", "MacAttributes$DukptIso9797Algorithm1": "

Parameters that are required for MAC generation or verification using DUKPT ISO 9797 algorithm1.

", - "MacAttributes$DukptIso9797Algorithm3": "

Parameters that are required for MAC generation or verification using DUKPT ISO 9797 algorithm2.

" + "MacAttributes$DukptIso9797Algorithm3": "

Parameters that are required for MAC generation or verification using DUKPT ISO 9797 algorithm3.

" } }, "MacAlgorithmEmv": { @@ -524,6 +545,7 @@ "NumberLengthBetween12And19": { "base": null, "refs": { + "EmvEncryptionAttributes$PrimaryAccountNumber": "

The Primary Account Number (PAN), a unique identifier for a payment credit or debit card and associates the card to a specific account holder.

", "GenerateCardValidationDataInput$PrimaryAccountNumber": "

The Primary Account Number (PAN), a unique identifier for a payment credit or debit card that associates the card with a specific account holder.

", "GeneratePinDataInput$PrimaryAccountNumber": "

The Primary Account Number (PAN), a unique identifier for a payment credit or debit card that associates the card with a specific account holder.

", "MacAlgorithmEmv$PrimaryAccountNumber": "

The Primary Account Number (PAN), a unique identifier for a payment credit or debit card and associates the card to a specific account holder.

", @@ -733,8 +755,8 @@ "TranslationIsoFormats": { "base": "

Parameters that are required for translation between ISO9564 PIN block formats 0,1,3,4.

", "refs": { - "TranslatePinDataInput$IncomingTranslationAttributes": "

The format of the incoming PIN block data for tranlation within Amazon Web Services Payment Cryptography.

", - "TranslatePinDataInput$OutgoingTranslationAttributes": "

The format of the outgoing PIN block data after tranlation by Amazon Web Services Payment Cryptography.

" + "TranslatePinDataInput$IncomingTranslationAttributes": "

The format of the incoming PIN block data for translation within Amazon Web Services Payment Cryptography.

", + "TranslatePinDataInput$OutgoingTranslationAttributes": "

The format of the outgoing PIN block data after translation by Amazon Web Services Payment Cryptography.

" } }, "TranslationPinDataIsoFormat034": { diff --git a/models/apis/payment-cryptography-data/2022-02-03/endpoint-rule-set-1.json b/models/apis/payment-cryptography-data/2022-02-03/endpoint-rule-set-1.json index 0686f59b32..6b5a79cbf7 100644 --- a/models/apis/payment-cryptography-data/2022-02-03/endpoint-rule-set-1.json +++ b/models/apis/payment-cryptography-data/2022-02-03/endpoint-rule-set-1.json @@ -40,7 +40,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -59,7 +58,6 @@ }, { "conditions": [], - "type": "tree", "rules": [ { "conditions": [ @@ -87,13 +85,14 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" } - ] + ], + "type": "tree" }, { "conditions": [], - "type": "tree", "rules": [ { "conditions": [ @@ -106,7 +105,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -120,7 +118,6 @@ "assign": "PartitionResult" } ], - "type": "tree", "rules": [ { "conditions": [ @@ -143,7 +140,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -178,11 +174,9 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [], - "type": "tree", "rules": [ { "conditions": [], @@ -193,16 +187,19 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" } - ] + ], + "type": "tree" }, { "conditions": [], "error": "FIPS and DualStack are enabled, but this partition does not support one or both", "type": "error" } - ] + ], + "type": "tree" }, { "conditions": [ @@ -216,14 +213,12 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ { "fn": "booleanEquals", "argv": [ - true, { "fn": "getAttr", "argv": [ @@ -232,15 +227,14 @@ }, "supportsFIPS" ] - } + }, + true ] } ], - "type": "tree", "rules": [ { "conditions": [], - "type": "tree", "rules": [ { "conditions": [], @@ -251,16 +245,19 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" } - ] + ], + "type": "tree" }, { "conditions": [], "error": "FIPS is enabled but this partition does not support FIPS", "type": "error" } - ] + ], + "type": "tree" }, { "conditions": [ 
@@ -274,7 +271,6 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [ @@ -294,11 +290,9 @@ ] } ], - "type": "tree", "rules": [ { "conditions": [], - "type": "tree", "rules": [ { "conditions": [], @@ -309,20 +303,22 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" } - ] + ], + "type": "tree" }, { "conditions": [], "error": "DualStack is enabled but this partition does not support DualStack", "type": "error" } - ] + ], + "type": "tree" }, { "conditions": [], - "type": "tree", "rules": [ { "conditions": [], @@ -333,18 +329,22 @@ }, "type": "endpoint" } - ] + ], + "type": "tree" } - ] + ], + "type": "tree" } - ] + ], + "type": "tree" }, { "conditions": [], "error": "Invalid Configuration: Missing Region", "type": "error" } - ] + ], + "type": "tree" } ] } \ No newline at end of file diff --git a/models/apis/rds/2014-10-31/docs-2.json b/models/apis/rds/2014-10-31/docs-2.json index 1ad1894bd3..05b36affa9 100644 --- a/models/apis/rds/2014-10-31/docs-2.json +++ b/models/apis/rds/2014-10-31/docs-2.json @@ -4671,13 +4671,13 @@ "CreateDBClusterMessage$Domain": "

The Active Directory directory ID to create the DB cluster in.

For Amazon Aurora DB clusters, Amazon RDS can use Kerberos authentication to authenticate users that connect to the DB cluster.

For more information, see Kerberos authentication in the Amazon Aurora User Guide.

Valid for Cluster Type: Aurora DB clusters only

", "CreateDBClusterMessage$DomainIAMRoleName": "

The name of the IAM role to use when making API calls to the Directory Service.

Valid for Cluster Type: Aurora DB clusters only

", "CreateDBClusterMessage$DBClusterInstanceClass": "

The compute and memory capacity of each DB instance in the Multi-AZ DB cluster, for example db.m6gd.xlarge. Not all DB instance classes are available in all Amazon Web Services Regions, or for all database engines.

For the full list of DB instance classes and availability for your engine, see DB instance class in the Amazon RDS User Guide.

This setting is required to create a Multi-AZ DB cluster.

Valid for Cluster Type: Multi-AZ DB clusters only

", - "CreateDBClusterMessage$StorageType": "

The storage type to associate with the DB cluster.

For information on storage types for Aurora DB clusters, see Storage configurations for Amazon Aurora DB clusters. For information on storage types for Multi-AZ DB clusters, see Settings for creating Multi-AZ DB clusters.

This setting is required to create a Multi-AZ DB cluster.

When specified for a Multi-AZ DB cluster, a value for the Iops parameter is required.

Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters

Valid Values:

Default:

When you create an Aurora DB cluster with the storage type set to aurora-iopt1, the storage type is returned in the response. The storage type isn't returned when you set it to aurora.

", + "CreateDBClusterMessage$StorageType": "

The storage type to associate with the DB cluster.

For information on storage types for Aurora DB clusters, see Storage configurations for Amazon Aurora DB clusters. For information on storage types for Multi-AZ DB clusters, see Settings for creating Multi-AZ DB clusters.

This setting is required to create a Multi-AZ DB cluster.

When specified for a Multi-AZ DB cluster, a value for the Iops parameter is required.

Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters

Valid Values:

Default:

When you create an Aurora DB cluster with the storage type set to aurora-iopt1, the storage type is returned in the response. The storage type isn't returned when you set it to aurora.

", "CreateDBClusterMessage$MonitoringRoleArn": "

The Amazon Resource Name (ARN) for the IAM role that permits RDS to send Enhanced Monitoring metrics to Amazon CloudWatch Logs. An example is arn:aws:iam:123456789012:role/emaccess. For information on creating a monitoring role, see Setting up and enabling Enhanced Monitoring in the Amazon RDS User Guide.

If MonitoringInterval is set to a value other than 0, supply a MonitoringRoleArn value.

Valid for Cluster Type: Multi-AZ DB clusters only

", "CreateDBClusterMessage$PerformanceInsightsKMSKeyId": "

The Amazon Web Services KMS key identifier for encryption of Performance Insights data.

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.

If you don't specify a value for PerformanceInsightsKMSKeyId, then Amazon RDS uses your default KMS key. There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.

Valid for Cluster Type: Multi-AZ DB clusters only

", "CreateDBClusterMessage$NetworkType": "

The network type of the DB cluster.

The network type is determined by the DBSubnetGroup specified for the DB cluster. A DBSubnetGroup can support only the IPv4 protocol or the IPv4 and the IPv6 protocols (DUAL).

For more information, see Working with a DB instance in a VPC in the Amazon Aurora User Guide.

Valid for Cluster Type: Aurora DB clusters only

Valid Values: IPV4 | DUAL

", "CreateDBClusterMessage$DBSystemId": "

Reserved for future use.

", "CreateDBClusterMessage$MasterUserSecretKmsKeyId": "

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager.

This setting is valid only if the master user password is managed by RDS in Amazon Web Services Secrets Manager for the DB cluster.

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

If you don't specify MasterUserSecretKmsKeyId, then the aws/secretsmanager KMS key is used to encrypt the secret. If the secret is in a different Amazon Web Services account, then you can't use the aws/secretsmanager KMS key to encrypt the secret, and you must use a customer managed KMS key.

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.

Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters

", - "CreateDBClusterMessage$CACertificateIdentifier": "

The CA certificate identifier to use for the DB cluster's server certificate.

Valid for Cluster Type: Multi-AZ DB clusters

", + "CreateDBClusterMessage$CACertificateIdentifier": "

The CA certificate identifier to use for the DB cluster's server certificate.

For more information, see Using SSL/TLS to encrypt a connection to a DB instance in the Amazon RDS User Guide.

Valid for Cluster Type: Multi-AZ DB clusters

", "CreateDBClusterParameterGroupMessage$DBClusterParameterGroupName": "

The name of the DB cluster parameter group.

Constraints:

This value is stored as a lowercase string.

", "CreateDBClusterParameterGroupMessage$DBParameterGroupFamily": "

The DB cluster parameter group family name. A DB cluster parameter group can be associated with one and only one DB cluster parameter group family, and can be applied only to a DB cluster running a database engine and engine version compatible with that DB cluster parameter group family.

Aurora MySQL

Example: aurora-mysql5.7, aurora-mysql8.0

Aurora PostgreSQL

Example: aurora-postgresql14

RDS for MySQL

Example: mysql8.0

RDS for PostgreSQL

Example: postgres13

To list all of the available parameter group families for a DB engine, use the following command:

aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine <engine>

For example, to list all of the available parameter group families for the Aurora PostgreSQL DB engine, use the following command:

aws rds describe-db-engine-versions --query \"DBEngineVersions[].DBParameterGroupFamily\" --engine aurora-postgresql

The output contains duplicates.

The following are the valid DB engine values:

", "CreateDBClusterParameterGroupMessage$Description": "

The description for the DB cluster parameter group.

", @@ -5298,13 +5298,13 @@ "ModifyDBClusterMessage$Domain": "

The Active Directory directory ID to move the DB cluster to. Specify none to remove the cluster from its current domain. The domain must be created prior to this operation.

For more information, see Kerberos Authentication in the Amazon Aurora User Guide.

Valid for Cluster Type: Aurora DB clusters only

", "ModifyDBClusterMessage$DomainIAMRoleName": "

The name of the IAM role to use when making API calls to the Directory Service.

Valid for Cluster Type: Aurora DB clusters only

", "ModifyDBClusterMessage$DBClusterInstanceClass": "

The compute and memory capacity of each DB instance in the Multi-AZ DB cluster, for example db.m6gd.xlarge. Not all DB instance classes are available in all Amazon Web Services Regions, or for all database engines.

For the full list of DB instance classes and availability for your engine, see DB Instance Class in the Amazon RDS User Guide.

Valid for Cluster Type: Multi-AZ DB clusters only

", - "ModifyDBClusterMessage$StorageType": "

The storage type to associate with the DB cluster.

For information on storage types for Aurora DB clusters, see Storage configurations for Amazon Aurora DB clusters. For information on storage types for Multi-AZ DB clusters, see Settings for creating Multi-AZ DB clusters.

When specified for a Multi-AZ DB cluster, a value for the Iops parameter is required.

Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters

Valid Values:

Default:

", + "ModifyDBClusterMessage$StorageType": "

The storage type to associate with the DB cluster.

For information on storage types for Aurora DB clusters, see Storage configurations for Amazon Aurora DB clusters. For information on storage types for Multi-AZ DB clusters, see Settings for creating Multi-AZ DB clusters.

When specified for a Multi-AZ DB cluster, a value for the Iops parameter is required.

Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters

Valid Values:

Default:

", "ModifyDBClusterMessage$MonitoringRoleArn": "

The Amazon Resource Name (ARN) for the IAM role that permits RDS to send Enhanced Monitoring metrics to Amazon CloudWatch Logs. An example is arn:aws:iam:123456789012:role/emaccess. For information on creating a monitoring role, see To create an IAM role for Amazon RDS Enhanced Monitoring in the Amazon RDS User Guide.

If MonitoringInterval is set to a value other than 0, supply a MonitoringRoleArn value.

Valid for Cluster Type: Multi-AZ DB clusters only

", "ModifyDBClusterMessage$PerformanceInsightsKMSKeyId": "

The Amazon Web Services KMS key identifier for encryption of Performance Insights data.

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key.

If you don't specify a value for PerformanceInsightsKMSKeyId, then Amazon RDS uses your default KMS key. There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.

Valid for Cluster Type: Multi-AZ DB clusters only

", "ModifyDBClusterMessage$NetworkType": "

The network type of the DB cluster.

The network type is determined by the DBSubnetGroup specified for the DB cluster. A DBSubnetGroup can support only the IPv4 protocol or the IPv4 and the IPv6 protocols (DUAL).

For more information, see Working with a DB instance in a VPC in the Amazon Aurora User Guide.

Valid for Cluster Type: Aurora DB clusters only

Valid Values: IPV4 | DUAL

", "ModifyDBClusterMessage$MasterUserSecretKmsKeyId": "

The Amazon Web Services KMS key identifier to encrypt a secret that is automatically generated and managed in Amazon Web Services Secrets Manager.

This setting is valid only if both of the following conditions are met:

The Amazon Web Services KMS key identifier is the key ARN, key ID, alias ARN, or alias name for the KMS key. To use a KMS key in a different Amazon Web Services account, specify the key ARN or alias ARN.

There is a default KMS key for your Amazon Web Services account. Your Amazon Web Services account has a different default KMS key for each Amazon Web Services Region.

Valid for Cluster Type: Aurora DB clusters and Multi-AZ DB clusters

", "ModifyDBClusterMessage$EngineMode": "

The DB engine mode of the DB cluster, either provisioned or serverless.

The DB engine mode can be modified only from serverless to provisioned.

For more information, see CreateDBCluster.

Valid for Cluster Type: Aurora DB clusters only

", - "ModifyDBClusterMessage$CACertificateIdentifier": "

The CA certificate identifier to use for the DB cluster's server certificate.

Valid for Cluster Type: Multi-AZ DB clusters

", + "ModifyDBClusterMessage$CACertificateIdentifier": "

The CA certificate identifier to use for the DB cluster's server certificate.

For more information, see Using SSL/TLS to encrypt a connection to a DB instance in the Amazon RDS User Guide.

Valid for Cluster Type: Multi-AZ DB clusters

", "ModifyDBClusterParameterGroupMessage$DBClusterParameterGroupName": "

The name of the DB cluster parameter group to modify.

", "ModifyDBClusterSnapshotAttributeMessage$DBClusterSnapshotIdentifier": "

The identifier for the DB cluster snapshot to modify the attributes for.

", "ModifyDBClusterSnapshotAttributeMessage$AttributeName": "

The name of the DB cluster snapshot attribute to modify.

To manage authorization for other Amazon Web Services accounts to copy or restore a manual DB cluster snapshot, set this value to restore.

To view the list of attributes available to modify, use the DescribeDBClusterSnapshotAttributes API operation.

", @@ -5319,7 +5319,7 @@ "ModifyDBInstanceMessage$LicenseModel": "

The license model for the DB instance.

This setting doesn't apply to Amazon Aurora or RDS Custom DB instances.

Valid Values:

", "ModifyDBInstanceMessage$OptionGroupName": "

The option group to associate the DB instance with.

Changing this parameter doesn't result in an outage, with one exception. If the parameter change results in an option group that enables OEM, it can cause a brief period, lasting less than a second, during which new connections are rejected but existing connections aren't interrupted.

The change is applied during the next maintenance window unless the ApplyImmediately parameter is enabled for this request.

Permanent options, such as the TDE option for Oracle Advanced Security TDE, can't be removed from an option group, and that option group can't be removed from a DB instance after it is associated with a DB instance.

This setting doesn't apply to RDS Custom DB instances.

", "ModifyDBInstanceMessage$NewDBInstanceIdentifier": "

The new identifier for the DB instance when renaming a DB instance. When you change the DB instance identifier, an instance reboot occurs immediately if you enable ApplyImmediately, or will occur during the next maintenance window if you disable ApplyImmediately. This value is stored as a lowercase string.

This setting doesn't apply to RDS Custom DB instances.

Constraints:

Example: mydbinstance

", - "ModifyDBInstanceMessage$StorageType": "

The storage type to associate with the DB instance.

If you specify io1), io2, or gp3 you must also include a value for the Iops parameter.

If you choose to migrate your DB instance from using standard storage to using Provisioned IOPS, or from using Provisioned IOPS to using standard storage, the process can take time. The duration of the migration depends on several factors such as database load, storage size, storage type (standard or Provisioned IOPS), amount of IOPS provisioned (if any), and the number of prior scale storage operations. Typical migration times are under 24 hours, but the process can take up to several days in some cases. During the migration, the DB instance is available for use, but might experience performance degradation. While the migration takes place, nightly backups for the instance are suspended. No other Amazon RDS operations can take place for the instance, including modifying the instance, rebooting the instance, deleting the instance, creating a read replica for the instance, and creating a DB snapshot of the instance.

Valid Values: gp2 | gp3 | io1 | io2 | standard

Default: io1, if the Iops parameter is specified. Otherwise, gp2.

", + "ModifyDBInstanceMessage$StorageType": "

The storage type to associate with the DB instance.

If you specify io1, io2, or gp3 you must also include a value for the Iops parameter.

If you choose to migrate your DB instance from using standard storage to using Provisioned IOPS, or from using Provisioned IOPS to using standard storage, the process can take time. The duration of the migration depends on several factors such as database load, storage size, storage type (standard or Provisioned IOPS), amount of IOPS provisioned (if any), and the number of prior scale storage operations. Typical migration times are under 24 hours, but the process can take up to several days in some cases. During the migration, the DB instance is available for use, but might experience performance degradation. While the migration takes place, nightly backups for the instance are suspended. No other Amazon RDS operations can take place for the instance, including modifying the instance, rebooting the instance, deleting the instance, creating a read replica for the instance, and creating a DB snapshot of the instance.

Valid Values: gp2 | gp3 | io1 | io2 | standard

Default: io1, if the Iops parameter is specified. Otherwise, gp2.

", "ModifyDBInstanceMessage$TdeCredentialArn": "

The ARN from the key store with which to associate the instance for TDE encryption.

This setting doesn't apply to RDS Custom DB instances.

", "ModifyDBInstanceMessage$TdeCredentialPassword": "

The password for the given ARN from the key store in order to access the device.

This setting doesn't apply to RDS Custom DB instances.

", "ModifyDBInstanceMessage$CACertificateIdentifier": "

The CA certificate identifier to use for the DB instance's server certificate.

This setting doesn't apply to RDS Custom DB instances.

For more information, see Using SSL/TLS to encrypt a connection to a DB instance in the Amazon RDS User Guide and Using SSL/TLS to encrypt a connection to a DB cluster in the Amazon Aurora User Guide.

", diff --git a/models/apis/snowball/2016-06-30/docs-2.json b/models/apis/snowball/2016-06-30/docs-2.json index 52de45c951..4e9abea635 100755 --- a/models/apis/snowball/2016-06-30/docs-2.json +++ b/models/apis/snowball/2016-06-30/docs-2.json @@ -951,7 +951,7 @@ "DescribeAddressesResult$NextToken": "

HTTP requests are stateless. If you use the automatically generated NextToken value in your next DescribeAddresses call, your list of returned addresses will start from this point in the array.

", "DescribeReturnShippingLabelResult$ReturnShippingLabelURI": "

The pre-signed Amazon S3 URI used to download the return shipping label.

", "EKSOnDeviceServiceConfiguration$KubernetesVersion": "

The Kubernetes version for EKS Anywhere on the Snow Family device.

", - "EKSOnDeviceServiceConfiguration$EKSAnywhereVersion": "

The version of EKS Anywhere on the Snow Family device.

", + "EKSOnDeviceServiceConfiguration$EKSAnywhereVersion": "

The optional version of EKS Anywhere on the Snow Family device.

", "Ec2AmiResource$SnowballAmiId": "

The ID of the AMI on the Snow device.

", "Ec2RequestFailedException$Message": null, "GetJobManifestResult$ManifestURI": "

The Amazon S3 presigned URL for the manifest file associated with the specified JobId value.

", diff --git a/models/apis/wafv2/2019-07-29/api-2.json b/models/apis/wafv2/2019-07-29/api-2.json index 82db69a946..13b5b972c5 100755 --- a/models/apis/wafv2/2019-07-29/api-2.json +++ b/models/apis/wafv2/2019-07-29/api-2.json @@ -297,7 +297,8 @@ "output":{"shape":"DescribeAllManagedProductsResponse"}, "errors":[ {"shape":"WAFInvalidOperationException"}, - {"shape":"WAFInternalErrorException"} + {"shape":"WAFInternalErrorException"}, + {"shape":"WAFInvalidParameterException"} ] }, "DescribeManagedProductsByVendor":{ @@ -371,6 +372,7 @@ "output":{"shape":"GetDecryptedAPIKeyResponse"}, "errors":[ {"shape":"WAFInternalErrorException"}, + {"shape":"WAFNonexistentItemException"}, {"shape":"WAFInvalidParameterException"}, {"shape":"WAFInvalidOperationException"}, {"shape":"WAFInvalidResourceException"} @@ -956,7 +958,7 @@ "required":["InspectionLevel"], "members":{ "InspectionLevel":{"shape":"InspectionLevel"}, - "EnableMachineLearning":{"shape":"Boolean"} + "EnableMachineLearning":{"shape":"EnableMachineLearning"} } }, "Action":{"type":"string"}, @@ -1030,7 +1032,13 @@ }, "AssociatedResourceType":{ "type":"string", - "enum":["CLOUDFRONT"] + "enum":[ + "CLOUDFRONT", + "API_GATEWAY", + "COGNITO_USER_POOL", + "APP_RUNNER_SERVICE", + "VERIFIED_ACCESS_INSTANCE" + ] }, "AssociationConfig":{ "type":"structure", @@ -1858,6 +1866,7 @@ "Identifier":{"shape":"FieldIdentifier"} } }, + "EnableMachineLearning":{"type":"boolean"}, "EntityDescription":{ "type":"string", "max":256, @@ -3240,8 +3249,7 @@ "RateBasedStatementCustomKeys":{ "type":"list", "member":{"shape":"RateBasedStatementCustomKey"}, - "max":5, - "min":1 + "max":5 }, "RateBasedStatementManagedKeysIPSet":{ "type":"structure", @@ -3646,8 +3654,7 @@ "RuleActionOverrides":{ "type":"list", "member":{"shape":"RuleActionOverride"}, - "max":100, - "min":1 + "max":100 }, "RuleGroup":{ "type":"structure", 
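Review bot: The `@@ -3240,8 +3249,7 @@` hunk drops `"min":1` from `RateBasedStatementCustomKeys`, and `@@ -3646,8 +3654,7 @@` does the same for `RuleActionOverrides`, yet the release notes describe the wafv2 change only as "Updates service API and documentation". With no lower bound left in the model, any parameter check generated from it would presumably stop flagging an empty list before the request is sent. A rate-based statement or override set built from an empty slice is then left to the service to accept or reject, and that behaviour is not visible in this patch. I would name the relaxation in the changelog entry, for example `* Removes the minimum length of 1 on RateBasedStatementCustomKeys and RuleActionOverrides`, so that callers who relied on the earlier check can add their own length test before submitting WAF rules.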
@@ -3807,6 +3814,7 @@ ] }, "SolveTimestamp":{"type":"long"}, + "SourceType":{"type":"string"}, "SqliMatchStatement":{ "type":"structure", "required":[ @@ -4257,7 +4265,8 @@ "WAFLimitsExceededException":{ "type":"structure", "members":{ - "Message":{"shape":"ErrorMessage"} + "Message":{"shape":"ErrorMessage"}, + "SourceType":{"shape":"SourceType"} }, "exception":true }, diff --git a/models/apis/wafv2/2019-07-29/docs-2.json b/models/apis/wafv2/2019-07-29/docs-2.json index 172d07db60..a2b7abfdd9 100755 --- a/models/apis/wafv2/2019-07-29/docs-2.json +++ b/models/apis/wafv2/2019-07-29/docs-2.json @@ -184,11 +184,11 @@ } }, "AssociationConfig": { - "base": "

Specifies custom configurations for the associations between the web ACL and protected resources.

Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

", + "base": "

Specifies custom configurations for the associations between the web ACL and protected resources.

Use this to customize the maximum size of the request body that your protected resources forward to WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 bytes).

", "refs": { - "CreateWebACLRequest$AssociationConfig": "

Specifies custom configurations for the associations between the web ACL and protected resources.

Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

", - "UpdateWebACLRequest$AssociationConfig": "

Specifies custom configurations for the associations between the web ACL and protected resources.

Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

", - "WebACL$AssociationConfig": "

Specifies custom configurations for the associations between the web ACL and protected resources.

Use this to customize the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

" + "CreateWebACLRequest$AssociationConfig": "

Specifies custom configurations for the associations between the web ACL and protected resources.

Use this to customize the maximum size of the request body that your protected resources forward to WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 bytes).

", + "UpdateWebACLRequest$AssociationConfig": "

Specifies custom configurations for the associations between the web ACL and protected resources.

Use this to customize the maximum size of the request body that your protected resources forward to WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 bytes).

", + "WebACL$AssociationConfig": "

Specifies custom configurations for the associations between the web ACL and protected resources.

Use this to customize the maximum size of the request body that your protected resources forward to WAF for inspection. You can customize this setting for CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. The default setting is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 bytes).

" } }, "BlockAction": { @@ -201,7 +201,7 @@ "Body": { "base": "

Inspect the body of the web request. The body immediately follows the request headers.

This is used to indicate the web request component to inspect, in the FieldToMatch specification.

", "refs": { - "FieldToMatch$Body": "

Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.

A limited amount of the request body is forwarded to WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's AssociationConfig, for additional processing fees.

For information about how to handle oversized request bodies, see the Body object configuration.

" + "FieldToMatch$Body": "

Inspect the request body as plain text. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.

WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.

For information about how to handle oversized request bodies, see the Body object configuration.

" } }, "BodyParsingFallbackBehavior": { @@ -215,7 +215,6 @@ "refs": { "AWSManagedRulesACFPRuleSet$EnableRegexInPath": "

Allow the use of regular expressions in the registration page path and the account creation path.

", "AWSManagedRulesATPRuleSet$EnableRegexInPath": "

Allow the use of regular expressions in the login page path.

", - "AWSManagedRulesBotControlRuleSet$EnableMachineLearning": "

Applies only to the targeted inspection level.

Determines whether to use machine learning (ML) to analyze your web traffic for bot-related activity. Machine learning is required for the Bot Control rules TGT_ML_CoordinatedActivityLow and TGT_ML_CoordinatedActivityMedium, which inspect for anomalous behavior that might indicate distributed, coordinated bot activity.

For more information about this choice, see the listing for these rules in the table at Bot Control rules listing in the WAF Developer Guide.

Default: TRUE

", "LoggingConfiguration$ManagedByFirewallManager": "

Indicates whether the logging configuration was created by Firewall Manager, as part of an WAF policy configuration. If true, only Firewall Manager can modify or delete the configuration.

", "ManagedProductDescriptor$IsVersioningSupported": "

Indicates whether the rule group is versioned.

", "ManagedProductDescriptor$IsAdvancedManagedRuleSet": "

Indicates whether the rule group provides an advanced set of protections, such as the the Amazon Web Services Managed Rules rule groups that are used for WAF intelligent threat mitigation.

", @@ -614,6 +613,12 @@ "RequestInspectionACFP$EmailField": "

The name of the field in the request payload that contains your customer's email.

How you specify this depends on the request inspection payload type.

" } }, + "EnableMachineLearning": { + "base": null, + "refs": { + "AWSManagedRulesBotControlRuleSet$EnableMachineLearning": "

Applies only to the targeted inspection level.

Determines whether to use machine learning (ML) to analyze your web traffic for bot-related activity. Machine learning is required for the Bot Control rules TGT_ML_CoordinatedActivityLow and TGT_ML_CoordinatedActivityMedium, which inspect for anomalous behavior that might indicate distributed, coordinated bot activity.

For more information about this choice, see the listing for these rules in the table at Bot Control rules listing in the WAF Developer Guide.

Default: TRUE

" + } + }, "EntityDescription": { "base": null, "refs": { @@ -809,7 +814,7 @@ } }, "FieldToMatch": { - "base": "

The part of the web request that you want WAF to inspect. Include the single FieldToMatch type that you want to inspect, with additional specifications as needed, according to the type. You specify a single request component in FieldToMatch for each rule statement that requires it. To inspect more than one component of the web request, create a separate rule statement for each component.

Example JSON for a QueryString field to match:

\"FieldToMatch\": { \"QueryString\": {} }

Example JSON for a Method field to match specification:

\"FieldToMatch\": { \"Method\": { \"Name\": \"DELETE\" } }

", + "base": "

Specifies a web request component to be used in a rule match statement or in a logging configuration.

", "refs": { "ByteMatchStatement$FieldToMatch": "

The part of the web request that you want WAF to inspect.

", "RedactedFields$member": null, @@ -1181,7 +1186,7 @@ "JsonBody": { "base": "

Inspect the body of the web request as JSON. The body immediately follows the request headers.

This is used to indicate the web request component to inspect, in the FieldToMatch specification.

Use the specifications in this object to indicate which parts of the JSON body to inspect using the rule's inspection criteria. WAF inspects only the parts of the JSON that result from the matches that you indicate.

Example JSON: \"JsonBody\": { \"MatchPattern\": { \"All\": {} }, \"MatchScope\": \"ALL\" }

", "refs": { - "FieldToMatch$JsonBody": "

Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.

A limited amount of the request body is forwarded to WAF for inspection by the underlying host service. For regional resources, the limit is 8 KB (8,192 bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). For CloudFront distributions, you can increase the limit in the web ACL's AssociationConfig, for additional processing fees.

For information about how to handle oversized request bodies, see the JsonBody object configuration.

" + "FieldToMatch$JsonBody": "

Inspect the request body as JSON. The request body immediately follows the request headers. This is the part of a request that contains any additional data that you want to send to your web server as the HTTP request body, such as data from a form.

WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.

For information about how to handle oversized request bodies, see the JsonBody object configuration.

" } }, "JsonMatchPattern": { @@ -1639,11 +1644,11 @@ "OversizeHandling": { "base": null, "refs": { - "Body$OversizeHandling": "

What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to WAF for inspection.

The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL AssociationConfig, for additional processing fees.

The options for oversize handling are the following:

You can combine the MATCH or NO_MATCH settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.

Default: CONTINUE

", + "Body$OversizeHandling": "

What WAF should do if the body is larger than WAF can inspect.

WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.

The options for oversize handling are the following:

You can combine the MATCH or NO_MATCH settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.

Default: CONTINUE

", "Cookies$OversizeHandling": "

What WAF should do if the cookies of the request are more numerous or larger than WAF can inspect. WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to WAF.

The options for oversize handling are the following:

", "HeaderOrder$OversizeHandling": "

What WAF should do if the headers of the request are more numerous or larger than WAF can inspect. WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to WAF.

The options for oversize handling are the following:

", "Headers$OversizeHandling": "

What WAF should do if the headers of the request are more numerous or larger than WAF can inspect. WAF does not support inspecting the entire contents of request headers when they exceed 8 KB (8192 bytes) or 200 total headers. The underlying host service forwards a maximum of 200 headers and at most 8 KB of header contents to WAF.

The options for oversize handling are the following:

", - "JsonBody$OversizeHandling": "

What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. If the body is larger than the limit, the underlying host service only forwards the contents that are below the limit to WAF for inspection.

The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB (16,384 bytes) for CloudFront distributions. For CloudFront distributions, you can increase the limit in the web ACL AssociationConfig, for additional processing fees.

The options for oversize handling are the following:

You can combine the MATCH or NO_MATCH settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.

Default: CONTINUE

" + "JsonBody$OversizeHandling": "

What WAF should do if the body is larger than WAF can inspect.

WAF does not support inspecting the entire contents of the web request body if the body exceeds the limit for the resource type. When a web request body is larger than the limit, the underlying host service only forwards the contents that are within the limit to WAF for inspection.

The options for oversize handling are the following:

You can combine the MATCH or NO_MATCH settings for oversize handling with your rule and web ACL action settings, so that you block any request whose body is over the limit.

Default: CONTINUE

" } }, "PaginationLimit": { @@ -1796,9 +1801,9 @@ } }, "RateBasedStatement": { - "base": "

A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.

You can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.

Each unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.

For example, assume the rule evaluates web requests with the following IP address and HTTP method values:

The rule would create different aggregation instances according to your aggregation criteria, for example:

For any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which WAF counts and rate-limits individually.

You can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.

You cannot nest a RateBasedStatement inside another statement, for example inside a NotStatement or OrStatement. You can define a RateBasedStatement inside a web ACL and inside a rule group.

For additional information about the options, see Rate limiting web requests using rate-based rules in the WAF Developer Guide.

If you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that WAF is currently rate limiting for a rule through the API call GetRateBasedStatementManagedKeys. This option is not available for other aggregation configurations.

WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by WAF. If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by WAF.

", + "base": "

A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.

If you change any of these settings in a rule that's currently in use, the change resets the rule's rate limiting counts. This can pause the rule's rate limiting activities for up to a minute.

You can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.

Each unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.

For example, assume the rule evaluates web requests with the following IP address and HTTP method values:

The rule would create different aggregation instances according to your aggregation criteria, for example:

For any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which WAF counts and rate-limits individually.

You can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.

You cannot nest a RateBasedStatement inside another statement, for example inside a NotStatement or OrStatement. You can define a RateBasedStatement inside a web ACL and inside a rule group.

For additional information about the options, see Rate limiting web requests using rate-based rules in the WAF Developer Guide.

If you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that WAF is currently rate limiting for a rule through the API call GetRateBasedStatementManagedKeys. This option is not available for other aggregation configurations.

WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by WAF. If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by WAF.

", "refs": { - "Statement$RateBasedStatement": "

A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.

You can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.

Each unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.

For example, assume the rule evaluates web requests with the following IP address and HTTP method values:

The rule would create different aggregation instances according to your aggregation criteria, for example:

For any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which WAF counts and rate-limits individually.

You can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.

You cannot nest a RateBasedStatement inside another statement, for example inside a NotStatement or OrStatement. You can define a RateBasedStatement inside a web ACL and inside a rule group.

For additional information about the options, see Rate limiting web requests using rate-based rules in the WAF Developer Guide.

If you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that WAF is currently rate limiting for a rule through the API call GetRateBasedStatementManagedKeys. This option is not available for other aggregation configurations.

WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by WAF. If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by WAF.

" + "Statement$RateBasedStatement": "

A rate-based rule counts incoming requests and rate limits requests when they are coming at too fast a rate. The rule categorizes requests according to your aggregation criteria, collects them into aggregation instances, and counts and rate limits the requests for each instance.

If you change any of these settings in a rule that's currently in use, the change resets the rule's rate limiting counts. This can pause the rule's rate limiting activities for up to a minute.

You can specify individual aggregation keys, like IP address or HTTP method. You can also specify aggregation key combinations, like IP address and HTTP method, or HTTP method, query argument, and cookie.

Each unique set of values for the aggregation keys that you specify is a separate aggregation instance, with the value from each key contributing to the aggregation instance definition.

For example, assume the rule evaluates web requests with the following IP address and HTTP method values:

The rule would create different aggregation instances according to your aggregation criteria, for example:

For any n-tuple of aggregation keys, each unique combination of values for the keys defines a separate aggregation instance, which WAF counts and rate-limits individually.

You can optionally nest another statement inside the rate-based statement, to narrow the scope of the rule so that it only counts and rate limits requests that match the nested statement. You can use this nested scope-down statement in conjunction with your aggregation key specifications or you can just count and rate limit all requests that match the scope-down statement, without additional aggregation. When you choose to just manage all requests that match a scope-down statement, the aggregation instance is singular for the rule.

You cannot nest a RateBasedStatement inside another statement, for example inside a NotStatement or OrStatement. You can define a RateBasedStatement inside a web ACL and inside a rule group.

For additional information about the options, see Rate limiting web requests using rate-based rules in the WAF Developer Guide.

If you only aggregate on the individual IP address or forwarded IP address, you can retrieve the list of IP addresses that WAF is currently rate limiting for a rule through the API call GetRateBasedStatementManagedKeys. This option is not available for other aggregation configurations.

WAF tracks and manages web requests separately for each instance of a rate-based rule that you use. For example, if you provide the same rate-based rule settings in two web ACLs, each of the two rule statements represents a separate instance of the rate-based rule and gets its own tracking and management by WAF. If you define a rate-based rule inside a rule group, and then use that rule group in multiple places, each use creates a separate instance of the rate-based rule that gets its own tracking and management by WAF.

" } }, "RateBasedStatementAggregateKeyType": { @@ -1971,11 +1976,11 @@ "RequestBody": { "base": null, "refs": { - "AssociationConfig$RequestBody": "

Customizes the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default size is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

" + "AssociationConfig$RequestBody": "

Customizes the maximum size of the request body that your protected CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward to WAF for inspection. The default size is 16 KB (16,384 bytes). You can change the setting for any of the available resource types.

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

Example JSON: { \"API_GATEWAY\": \"KB_48\", \"APP_RUNNER_SERVICE\": \"KB_32\" }

For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 bytes).

" } }, "RequestBodyAssociatedResourceTypeConfig": { - "base": "

Customizes the maximum size of the request body that your protected CloudFront distributions forward to WAF for inspection. The default size is 16 KB (16,384 bytes).

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

This is used in the AssociationConfig of the web ACL.

", + "base": "

Customizes the maximum size of the request body that your protected CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward to WAF for inspection. The default size is 16 KB (16,384 bytes). You can change the setting for any of the available resource types.

You are charged additional fees when your protected resources forward body sizes that are larger than the default. For more information, see WAF Pricing.

Example JSON: { \"API_GATEWAY\": \"KB_48\", \"APP_RUNNER_SERVICE\": \"KB_32\" }

For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 bytes).

This is used in the AssociationConfig of the web ACL.

", "refs": { "RequestBody$value": null } @@ -2338,15 +2343,15 @@ } }, "SizeConstraintStatement": { - "base": "

A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.

If you configure WAF to inspect the request body, WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL AssociationConfig, for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.

If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.

", + "base": "

A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.

If you configure WAF to inspect the request body, WAF inspects only the number of bytes in the body up to the limit for the web ACL and protected resource type. If you know that the request body for your web requests should never exceed the inspection limit, you can use a size constraint statement to block requests that have a larger request body size. For more information about the inspection limits, see Body and JsonBody settings for the FieldToMatch data type.

If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.

", "refs": { - "Statement$SizeConstraintStatement": "

A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.

If you configure WAF to inspect the request body, WAF inspects only the number of bytes of the body up to the limit for the web ACL. By default, for regional web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase the limit in the web ACL AssociationConfig, for additional fees. If you know that the request body for your web requests should never exceed the inspection limit, you could use a size constraint statement to block requests that have a larger request body size.

If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.

" + "Statement$SizeConstraintStatement": "

A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). For example, you can use a size constraint statement to look for query strings that are longer than 100 bytes.

If you configure WAF to inspect the request body, WAF inspects only the number of bytes in the body up to the limit for the web ACL and protected resource type. If you know that the request body for your web requests should never exceed the inspection limit, you can use a size constraint statement to block requests that have a larger request body size. For more information about the inspection limits, see Body and JsonBody settings for the FieldToMatch data type.

If you choose URI for the value of Part of the request to filter on, the slash (/) in the URI counts as one character. For example, the URI /logo.jpg is nine characters long.

" } }, "SizeInspectionLimit": { "base": null, "refs": { - "RequestBodyAssociatedResourceTypeConfig$DefaultSizeInspectionLimit": "

Specifies the maximum size of the web request body component that an associated CloudFront distribution should send to WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.

Default: 16 KB (16,384 bytes)

" + "RequestBodyAssociatedResourceTypeConfig$DefaultSizeInspectionLimit": "

Specifies the maximum size of the web request body component that an associated CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resource should send to WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body.

Default: 16 KB (16,384 bytes)

" } }, "SolveTimestamp": { @@ -2356,6 +2361,12 @@ "ChallengeResponse$SolveTimestamp": "

The time that the challenge was last solved for the supplied token.

" } }, + "SourceType": { + "base": null, + "refs": { + "WAFLimitsExceededException$SourceType": "

Source type for the exception.

" + } + }, "SqliMatchStatement": { "base": "

A rule statement that inspects for malicious SQL code. Attackers insert malicious SQL code into web requests to do things like modify your database or extract data from it.

", "refs": { diff --git a/models/apis/workspaces/2015-04-08/docs-2.json b/models/apis/workspaces/2015-04-08/docs-2.json index aa38f44e29..15c5394f4e 100644 --- a/models/apis/workspaces/2015-04-08/docs-2.json +++ b/models/apis/workspaces/2015-04-08/docs-2.json @@ -15,7 +15,7 @@ "CreateUpdatedWorkspaceImage": "

Creates a new updated WorkSpace image based on the specified source image. The new updated WorkSpace image has the latest drivers and other updates required by the Amazon WorkSpaces components.

To determine which WorkSpace images need to be updated with the latest Amazon WorkSpaces requirements, use DescribeWorkspaceImages.

", "CreateWorkspaceBundle": "

Creates the specified WorkSpace bundle. For more information about creating WorkSpace bundles, see Create a Custom WorkSpaces Image and Bundle.

", "CreateWorkspaceImage": "

Creates a new WorkSpace image from an existing WorkSpace.

", - "CreateWorkspaces": "

Creates one or more WorkSpaces.

This operation is asynchronous and returns before the WorkSpaces are created.

", + "CreateWorkspaces": "

Creates one or more WorkSpaces.

This operation is asynchronous and returns before the WorkSpaces are created.

", "DeleteClientBranding": "

Deletes customized client branding. Client branding allows you to customize your WorkSpace's client login portal. You can tailor your login portal company logo, the support email address, support link, link to reset password, and a custom message for users trying to sign in.

After you delete your customized client branding, your login portal reverts to the default client branding.

", "DeleteConnectClientAddIn": "

Deletes a client-add-in for Amazon Connect that is configured within a directory.

", "DeleteConnectionAlias": "

Deletes the specified connection alias. For more information, see Cross-Region Redirection for Amazon WorkSpaces.

If you will no longer be using a fully qualified domain name (FQDN) as the registration code for your WorkSpaces users, you must take certain precautions to prevent potential security issues. For more information, see Security Considerations if You Stop Using Cross-Region Redirection.

To delete a connection alias that has been shared, the shared account must first disassociate the connection alias from any directories it has been associated with. Then you must unshare the connection alias from the account it has been shared with. You can delete a connection alias only after it is no longer shared with any accounts or associated with any directories.

", @@ -62,7 +62,7 @@ "ModifyWorkspaceCreationProperties": "

Modify the default properties used to create WorkSpaces.

", "ModifyWorkspaceProperties": "

Modifies the specified WorkSpace properties. For important information about how to modify the size of the root and user volumes, see Modify a WorkSpace.

The MANUAL running mode value is only supported by Amazon WorkSpaces Core. Contact your account team to be allow-listed to use this value. For more information, see Amazon WorkSpaces Core.

", "ModifyWorkspaceState": "

Sets the state of the specified WorkSpace.

To maintain a WorkSpace without being interrupted, set the WorkSpace state to ADMIN_MAINTENANCE. WorkSpaces in this state do not respond to requests to reboot, stop, start, rebuild, or restore. An AutoStop WorkSpace in this state is not stopped. Users cannot log into a WorkSpace in the ADMIN_MAINTENANCE state.

", - "RebootWorkspaces": "

Reboots the specified WorkSpaces.

You cannot reboot a WorkSpace unless its state is AVAILABLE or UNHEALTHY.

This operation is asynchronous and returns before the WorkSpaces have rebooted.

", + "RebootWorkspaces": "

Reboots the specified WorkSpaces.

You cannot reboot a WorkSpace unless its state is AVAILABLE, UNHEALTHY, or REBOOTING. Reboot a WorkSpace in the REBOOTING state only if your WorkSpace has been stuck in the REBOOTING state for over 20 minutes.

This operation is asynchronous and returns before the WorkSpaces have rebooted.

", "RebuildWorkspaces": "

Rebuilds the specified WorkSpace.

You cannot rebuild a WorkSpace unless its state is AVAILABLE, ERROR, UNHEALTHY, STOPPED, or REBOOTING.

Rebuilding a WorkSpace is a potentially destructive action that can result in the loss of data. For more information, see Rebuild a WorkSpace.

This operation is asynchronous and returns before the WorkSpaces have been completely rebuilt.

", "RegisterWorkspaceDirectory": "

Registers the specified directory. This operation is asynchronous and returns before the WorkSpace directory is registered. If this is the first time you are registering a directory, you will need to create the workspaces_DefaultRole role before you can register a directory. For more information, see Creating the workspaces_DefaultRole Role.

", "RestoreWorkspace": "

Restores the specified WorkSpace to its last known healthy state.

You cannot restore a WorkSpace unless its state is AVAILABLE, ERROR, UNHEALTHY, or STOPPED.

Restoring a WorkSpace is a potentially destructive action that can result in the loss of data. For more information, see Restore a WorkSpace.

This operation is asynchronous and returns before the WorkSpace is completely restored.

", @@ -2648,7 +2648,7 @@ "refs": { "PendingCreateStandbyWorkspacesRequest$State": "

The operational state of the standby WorkSpace.

", "RelatedWorkspaceProperties$State": "

Indicates the state of the WorkSpace.

", - "Workspace$State": "

The operational state of the WorkSpace.

After a WorkSpace is terminated, the TERMINATED state is returned only briefly before the WorkSpace directory metadata is cleaned up, so this state is rarely returned. To confirm that a WorkSpace is terminated, check for the WorkSpace ID by using DescribeWorkSpaces. If the WorkSpace ID isn't returned, then the WorkSpace has been successfully terminated.

" + "Workspace$State": "

The operational state of the WorkSpace.

After a WorkSpace is terminated, the TERMINATED state is returned only briefly before the WorkSpace directory metadata is cleaned up, so this state is rarely returned. To confirm that a WorkSpace is terminated, check for the WorkSpace ID by using DescribeWorkSpaces. If the WorkSpace ID isn't returned, then the WorkSpace has been successfully terminated.

" } }, "WorkspacesDefaultRoleNotFoundException": { diff --git a/service/appconfig/api.go b/service/appconfig/api.go index f7862a84fd..cd2f31138c 100644 --- a/service/appconfig/api.go +++ b/service/appconfig/api.go @@ -528,8 +528,7 @@ func (c *AppConfig) CreateExtensionRequest(input *CreateExtensionInput) (req *re // - For a custom Amazon SQS notification extension, enter the ARN of an // Amazon SQS message queue in the Uri field. // -// For more information about extensions, see Working with AppConfig extensions -// (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) +// For more information about extensions, see Extending workflows (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) // in the AppConfig User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -643,8 +642,7 @@ func (c *AppConfig) CreateExtensionAssociationRequest(input *CreateExtensionAsso // with an AppConfig resource is called an extension association. An extension // association is a specified relationship between an extension and an AppConfig // resource, such as an application or a configuration profile. For more information -// about extensions and associations, see Working with AppConfig extensions -// (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) +// about extensions and associations, see Extending workflows (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) // in the AppConfig User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 
@@ -2112,8 +2110,7 @@ func (c *AppConfig) GetExtensionAssociationRequest(input *GetExtensionAssociatio // GetExtensionAssociation API operation for Amazon AppConfig. // // Returns information about an AppConfig extension association. For more information -// about extensions and associations, see Working with AppConfig extensions -// (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) +// about extensions and associations, see Extending workflows (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) // in the AppConfig User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -3003,8 +3000,7 @@ func (c *AppConfig) ListExtensionAssociationsRequest(input *ListExtensionAssocia // ListExtensionAssociations API operation for Amazon AppConfig. // // Lists all AppConfig extension associations in the account. For more information -// about extensions and associations, see Working with AppConfig extensions -// (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) +// about extensions and associations, see Extending workflows (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) // in the AppConfig User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 
@@ -3146,8 +3142,8 @@ func (c *AppConfig) ListExtensionsRequest(input *ListExtensionsInput) (req *requ // ListExtensions API operation for Amazon AppConfig. // // Lists all custom and Amazon Web Services authored AppConfig extensions in -// the account. For more information about extensions, see Working with AppConfig -// extensions (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) +// the account. For more information about extensions, see Extending workflows +// (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) // in the AppConfig User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -4210,7 +4206,7 @@ func (c *AppConfig) UpdateExtensionRequest(input *UpdateExtensionInput) (req *re // UpdateExtension API operation for Amazon AppConfig. // // Updates an AppConfig extension. For more information about extensions, see -// Working with AppConfig extensions (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) +// Extending workflows (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) // in the AppConfig User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -4302,7 +4298,7 @@ func (c *AppConfig) UpdateExtensionAssociationRequest(input *UpdateExtensionAsso // UpdateExtensionAssociation API operation for Amazon AppConfig. // // Updates an association. For more information about extensions and associations, -// see Working with AppConfig extensions (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) +// see Extending workflows (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) // in the AppConfig User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 
@@ -10422,7 +10418,7 @@ func (s *Monitor) SetAlarmRoleArn(v string) *Monitor { // A value such as an Amazon Resource Name (ARN) or an Amazon Simple Notification // Service topic entered in an extension when invoked. Parameter values are // specified in an extension association. For more information about extensions, -// see Working with AppConfig extensions (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) +// see Extending workflows (https://docs.aws.amazon.com/appconfig/latest/userguide/working-with-appconfig-extensions.html) // in the AppConfig User Guide. type Parameter struct { _ struct{} `type:"structure"` @@ -10430,6 +10426,11 @@ type Parameter struct { // Information about the parameter. Description *string `type:"string"` + // Indicates whether this parameter's value can be supplied at the extension's + // action point instead of during extension association. Dynamic parameters + // can't be marked Required. + Dynamic *bool `type:"boolean"` + // A parameter value must be specified in the extension association. Required *bool `type:"boolean"` } @@ -10458,6 +10459,12 @@ func (s *Parameter) SetDescription(v string) *Parameter { return s } +// SetDynamic sets the Dynamic field's value. +func (s *Parameter) SetDynamic(v bool) *Parameter { + s.Dynamic = &v + return s +} + // SetRequired sets the Required field's value. func (s *Parameter) SetRequired(v bool) *Parameter { s.Required = &v @@ -10706,6 +10713,10 @@ type StartDeploymentInput struct { // A description of the deployment. Description *string `type:"string"` + // A map of dynamic extension parameter names to values to pass to associated + // extensions with PRE_START_DEPLOYMENT actions. + DynamicExtensionParameters map[string]*string `min:"1" type:"map"` + // The environment ID. // // EnvironmentId is a required field 
@@ -10760,6 +10771,9 @@ func (s *StartDeploymentInput) Validate() error { if s.DeploymentStrategyId == nil { invalidParams.Add(request.NewErrParamRequired("DeploymentStrategyId")) } + if s.DynamicExtensionParameters != nil && len(s.DynamicExtensionParameters) < 1 { + invalidParams.Add(request.NewErrParamMinLen("DynamicExtensionParameters", 1)) + } if s.EnvironmentId == nil { invalidParams.Add(request.NewErrParamRequired("EnvironmentId")) } @@ -10806,6 +10820,12 @@ func (s *StartDeploymentInput) SetDescription(v string) *StartDeploymentInput { return s } +// SetDynamicExtensionParameters sets the DynamicExtensionParameters field's value. +func (s *StartDeploymentInput) SetDynamicExtensionParameters(v map[string]*string) *StartDeploymentInput { + s.DynamicExtensionParameters = v + return s +} + // SetEnvironmentId sets the EnvironmentId field's value. func (s *StartDeploymentInput) SetEnvironmentId(v string) *StartDeploymentInput { s.EnvironmentId = &v diff --git a/service/appconfig/doc.go b/service/appconfig/doc.go index 0f2755e7bc..ba492599ce 100644 --- a/service/appconfig/doc.go +++ b/service/appconfig/doc.go 
@@ -3,43 +3,134 @@ // Package appconfig provides the client and types for making API // requests to Amazon AppConfig. // -// Use AppConfig, a capability of Amazon Web Services Systems Manager, to create, -// manage, and quickly deploy application configurations. AppConfig supports -// controlled deployments to applications of any size and includes built-in -// validation checks and monitoring. You can use AppConfig with applications -// hosted on Amazon EC2 instances, Lambda, containers, mobile applications, -// or IoT devices. -// -// To prevent errors when deploying application configurations, especially for -// production systems where a simple typo could cause an unexpected outage, -// AppConfig includes validators. A validator provides a syntactic or semantic -// check to ensure that the configuration you want to deploy works as intended. -// To validate your application configuration data, you provide a schema or -// an Amazon Web Services Lambda function that runs against the configuration. -// The configuration deployment or update can only proceed when the configuration -// data is valid. -// -// During a configuration deployment, AppConfig monitors the application to -// ensure that the deployment is successful. If the system encounters an error, -// AppConfig rolls back the change to minimize impact for your application users. -// You can configure a deployment strategy for each application or environment -// that includes deployment criteria, including velocity, bake time, and alarms -// to monitor. Similar to error monitoring, if a deployment triggers an alarm, -// AppConfig automatically rolls back to the previous version. -// -// AppConfig supports multiple use cases. Here are some examples: -// -// - Feature flags: Use AppConfig to turn on new features that require a -// timely deployment, such as a product launch or announcement. 
-// -// - Application tuning: Use AppConfig to carefully introduce changes to -// your application that can only be tested with production traffic. -// -// - Allow list: Use AppConfig to allow premium subscribers to access paid -// content. -// -// - Operational issues: Use AppConfig to reduce stress on your application -// when a dependency or other external factor impacts the system. +// AppConfig feature flags and dynamic configurations help software builders +// quickly and securely adjust application behavior in production environments +// without full code deployments. AppConfig speeds up software release frequency, +// improves application resiliency, and helps you address emergent issues more +// quickly. With feature flags, you can gradually release new capabilities to +// users and measure the impact of those changes before fully deploying the +// new capabilities to all users. With operational flags and dynamic configurations, +// you can update block lists, allow lists, throttling limits, logging verbosity, +// and perform other operational tuning to quickly respond to issues in production +// environments. +// +// AppConfig is a capability of Amazon Web Services Systems Manager. +// +// Despite the fact that application configuration content can vary greatly +// from application to application, AppConfig supports the following use cases, +// which cover a broad spectrum of customer needs: +// +// - Feature flags and toggles - Safely release new capabilities to your +// customers in a controlled environment. Instantly roll back changes if +// you experience a problem. +// +// - Application tuning - Carefully introduce application changes while testing +// the impact of those changes with users in production environments. +// +// - Allow list or block list - Control access to premium features or instantly +// block specific users without deploying new code. 
+// +// - Centralized configuration storage - Keep your configuration data organized +// and consistent across all of your workloads. You can use AppConfig to +// deploy configuration data stored in the AppConfig hosted configuration +// store, Secrets Manager, Systems Manager, Parameter Store, or Amazon S3. +// +// # How AppConfig works +// +// This section provides a high-level description of how AppConfig works and +// how you get started. +// +// 1. Identify configuration values in code you want to manage in the cloud +// +// Before you start creating AppConfig artifacts, we recommend you identify +// configuration data in your code that you want to dynamically manage using +// AppConfig. Good examples include feature flags or toggles, allow and block +// lists, logging verbosity, service limits, and throttling rules, to name a +// few. +// +// If your configuration data already exists in the cloud, you can take advantage +// of AppConfig validation, deployment, and extension features to further streamline +// configuration data management. +// +// 2. Create an application namespace +// +// To create a namespace, you create an AppConfig artifact called an application. +// An application is simply an organizational construct like a folder. +// +// 3. Create environments +// +// For each AppConfig application, you define one or more environments. An environment +// is a logical grouping of targets, such as applications in a Beta or Production +// environment, Lambda functions, or containers. You can also define environments +// for application subcomponents, such as the Web, Mobile, and Back-end. +// +// You can configure Amazon CloudWatch alarms for each environment. The system +// monitors alarms during a configuration deployment. If an alarm is triggered, +// the system rolls back the configuration. +// +// 4. 
Create a configuration profile +// +// A configuration profile includes, among other things, a URI that enables +// AppConfig to locate your configuration data in its stored location and a +// profile type. AppConfig supports two configuration profile types: feature +// flags and freeform configurations. Feature flag configuration profiles store +// their data in the AppConfig hosted configuration store and the URI is simply +// hosted. For freeform configuration profiles, you can store your data in the +// AppConfig hosted configuration store or any Amazon Web Services service that +// integrates with AppConfig, as described in Creating a free form configuration +// profile (http://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-free-form-configurations-creating.html) +// in the the AppConfig User Guide. +// +// A configuration profile can also include optional validators to ensure your +// configuration data is syntactically and semantically correct. AppConfig performs +// a check using the validators when you start a deployment. If any errors are +// detected, the deployment rolls back to the previous configuration data. +// +// 5. Deploy configuration data +// +// When you create a new deployment, you specify the following: +// +// - An application ID +// +// - A configuration profile ID +// +// - A configuration version +// +// - An environment ID where you want to deploy the configuration data +// +// - A deployment strategy ID that defines how fast you want the changes +// to take effect +// +// When you call the StartDeployment (https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_StartDeployment.html) +// API action, AppConfig performs the following tasks: +// +// Retrieves the configuration data from the underlying data store by using +// the location URI in the configuration profile. 
+// +// Verifies the configuration data is syntactically and semantically correct +// by using the validators you specified when you created your configuration +// profile. +// +// Caches a copy of the data so it is ready to be retrieved by your application. +// This cached copy is called the deployed data. +// +// 6. Retrieve the configuration +// +// You can configure AppConfig Agent as a local host and have the agent poll +// AppConfig for configuration updates. The agent calls the StartConfigurationSession +// (https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_appconfigdata_StartConfigurationSession.html) +// and GetLatestConfiguration (https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_appconfigdata_GetLatestConfiguration.html) +// API actions and caches your configuration data locally. To retrieve the data, +// your application makes an HTTP call to the localhost server. AppConfig Agent +// supports several use cases, as described in Simplified retrieval methods +// (http://docs.aws.amazon.com/appconfig/latest/userguide/appconfig-retrieving-simplified-methods.html) +// in the the AppConfig User Guide. +// +// If AppConfig Agent isn't supported for your use case, you can configure your +// application to poll AppConfig for configuration updates by directly calling +// the StartConfigurationSession (https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_appconfigdata_StartConfigurationSession.html) +// and GetLatestConfiguration (https://docs.aws.amazon.com/appconfig/2019-10-09/APIReference/API_appconfigdata_GetLatestConfiguration.html) +// API actions. // // This reference is intended to be used with the AppConfig User Guide (http://docs.aws.amazon.com/appconfig/latest/userguide/what-is-appconfig.html). // diff --git a/service/ec2/api.go b/service/ec2/api.go index 952021a38b..f9eee24a1c 100644 --- a/service/ec2/api.go +++ b/service/ec2/api.go 
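Review bot: Two links added to the package comment use `http://docs.aws.amazon.com/...` (the "Creating a free form configuration profile" and "Simplified retrieval methods" references), while the StartDeployment, StartConfigurationSession and GetLatestConfiguration links added alongside them use `https://`. They should be `https://` as well, so that readers following the reference are not sent over cleartext first. Both of those sentences also read "in the the AppConfig User Guide". The three tasks listed after "AppConfig performs the following tasks" carry no list markers, so they render as loose paragraphs rather than steps. If this comment is generated from the service model, the corrections belong in the model documentation rather than in doc.go.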
@@ -18134,6 +18134,10 @@ func (c *EC2) DescribeBundleTasksRequest(input *DescribeBundleTasksInput) (req * // use RegisterImage with the Amazon S3 bucket name and image manifest name // you provided to the bundle task. // +// The order of the elements in the response, including those within nested +// structures, might vary. Applications should not assume the elements appear +// in a particular order. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -22088,6 +22092,10 @@ func (c *EC2) DescribeImageAttributeRequest(input *DescribeImageAttributeInput) // Describes the specified attribute of the specified AMI. You can specify only // one attribute at a time. // +// The order of the elements in the response, including those within nested +// structures, might vary. Applications should not assume the elements appear +// in a particular order. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -22177,6 +22185,10 @@ func (c *EC2) DescribeImagesRequest(input *DescribeImagesInput) (req *request.Re // AMI are terminated, specifying the ID of the image will eventually return // an error indicating that the AMI ID cannot be found. // +// The order of the elements in the response, including those within nested +// structures, might vary. Applications should not assume the elements appear +// in a particular order. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. 
@@ -51552,9 +51564,9 @@ func (c *EC2) RegisterImageRequest(input *RegisterImageInput) (req *request.Requ // RegisterImage API operation for Amazon Elastic Compute Cloud. // -// Registers an AMI. When you're creating an AMI, this is the final step you -// must complete before you can launch an instance from the AMI. For more information -// about creating AMIs, see Create your own AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami.html) +// Registers an AMI. When you're creating an instance-store backed AMI, registering +// the AMI is the final step in the creation process. For more information about +// creating AMIs, see Create your own AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami.html) // in the Amazon Elastic Compute Cloud User Guide. // // For Amazon EBS-backed instances, CreateImage creates and registers the AMI @@ -64072,12 +64084,8 @@ type BundleInstanceInput struct { // The ID of the instance to bundle. // - // Type: String - // // Default: None // - // Required: Yes - // // InstanceId is a required field InstanceId *string `type:"string" required:"true"` @@ -69287,6 +69295,19 @@ type CopyImageInput struct { // // SourceRegion is a required field SourceRegion *string `type:"string" required:"true"` + + // The tags to apply to the new AMI and new snapshots. You can tag the AMI, + // the snapshots, or both. + // + // * To tag the new AMI, the value for ResourceType must be image. + // + // * To tag the new snapshots, the value for ResourceType must be snapshot. + // The same tag is applied to all the new snapshots. + // + // If you specify other values for ResourceType, the request fails. + // + // To tag an AMI or snapshot after it has been created, see CreateTags (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html). + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` } // String returns the string representation. 
@@ -69386,6 +69407,12 @@ func (s *CopyImageInput) SetSourceRegion(v string) *CopyImageInput { return s } +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *CopyImageInput) SetTagSpecifications(v []*TagSpecification) *CopyImageInput { + s.TagSpecifications = v + return s +} + // Contains the output of CopyImage. type CopyImageOutput struct { _ struct{} `type:"structure"` @@ -163294,6 +163321,14 @@ type RegisterImageInput struct { // PV AMI can make instances launched from the AMI unreachable. SriovNetSupport *string `locationName:"sriovNetSupport" type:"string"` + // The tags to apply to the AMI. + // + // To tag the AMI, the value for ResourceType must be image. If you specify + // another value for ResourceType, the request fails. + // + // To tag an AMI after it has been registered, see CreateTags (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html). + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` + // Set to v2.0 to enable Trusted Platform Module (TPM) support. For more information, // see NitroTPM (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitrotpm.html) // in the Amazon EC2 User Guide. @@ -163428,6 +163463,12 @@ func (s *RegisterImageInput) SetSriovNetSupport(v string) *RegisterImageInput { return s } +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *RegisterImageInput) SetTagSpecifications(v []*TagSpecification) *RegisterImageInput { + s.TagSpecifications = v + return s +} + // SetTpmSupport sets the TpmSupport field's value. func (s *RegisterImageInput) SetTpmSupport(v string) *RegisterImageInput { s.TpmSupport = &v diff --git a/service/lambda/api.go b/service/lambda/api.go index fd541f2028..c29cb6b1d5 100644 --- a/service/lambda/api.go +++ b/service/lambda/api.go 
@@ -7764,7 +7764,7 @@ type AddPermissionInput struct { // For Alexa Smart Home functions, a token that the invoker must supply. EventSourceToken *string `type:"string"` - // The name of the Lambda function, version, or alias. + // The name or ARN of the Lambda function, version, or alias. // // Name formats // @@ -8612,7 +8612,7 @@ type CreateAliasInput struct { // A description of the alias. Description *string `type:"string"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -8890,7 +8890,7 @@ type CreateEventSourceMappingInput struct { // (https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html). FilterCriteria *FilterCriteria `type:"structure"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -9241,7 +9241,7 @@ type CreateFunctionInput struct { // Connection settings for an Amazon EFS file system. FileSystemConfigs []*FileSystemConfig `type:"list"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -9569,7 +9569,7 @@ type CreateFunctionUrlConfigInput struct { // settings for your function URL. Cors *Cors `type:"structure"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -9805,7 +9805,7 @@ func (s *DeadLetterConfig) SetTargetArn(v string) *DeadLetterConfig { type DeleteAliasInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -10024,7 +10024,7 @@ func (s *DeleteEventSourceMappingInput) SetUUID(v string) *DeleteEventSourceMapp type DeleteFunctionCodeSigningConfigInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // 
@@ -10106,7 +10106,7 @@ func (s DeleteFunctionCodeSigningConfigOutput) GoString() string { type DeleteFunctionConcurrencyInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -10188,7 +10188,7 @@ func (s DeleteFunctionConcurrencyOutput) GoString() string { type DeleteFunctionEventInvokeConfigInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function, version, or alias. + // The name or ARN of the Lambda function, version, or alias. // // Name formats // @@ -10283,7 +10283,7 @@ func (s DeleteFunctionEventInvokeConfigOutput) GoString() string { type DeleteFunctionInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function or version. + // The name or ARN of the Lambda function or version. // // Name formats // @@ -10378,7 +10378,7 @@ func (s DeleteFunctionOutput) GoString() string { type DeleteFunctionUrlConfigInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -10557,7 +10557,7 @@ func (s DeleteLayerVersionOutput) GoString() string { type DeleteProvisionedConcurrencyConfigInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -12711,7 +12711,7 @@ func (s *GetAccountSettingsOutput) SetAccountUsage(v *AccountUsage) *GetAccountS type GetAliasInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // 
@@ -12919,7 +12919,7 @@ func (s *GetEventSourceMappingInput) SetUUID(v string) *GetEventSourceMappingInp type GetFunctionCodeSigningConfigInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -12984,7 +12984,7 @@ type GetFunctionCodeSigningConfigOutput struct { // CodeSigningConfigArn is a required field CodeSigningConfigArn *string `type:"string" required:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -13034,7 +13034,7 @@ func (s *GetFunctionCodeSigningConfigOutput) SetFunctionName(v string) *GetFunct type GetFunctionConcurrencyInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -13125,7 +13125,7 @@ func (s *GetFunctionConcurrencyOutput) SetReservedConcurrentExecutions(v int64) type GetFunctionConfigurationInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function, version, or alias. + // The name or ARN of the Lambda function, version, or alias. // // Name formats // @@ -13199,7 +13199,7 @@ func (s *GetFunctionConfigurationInput) SetQualifier(v string) *GetFunctionConfi type GetFunctionEventInvokeConfigInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function, version, or alias. + // The name or ARN of the Lambda function, version, or alias. // // Name formats // @@ -13349,7 +13349,7 @@ func (s *GetFunctionEventInvokeConfigOutput) SetMaximumRetryAttempts(v int64) *G type GetFunctionInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function, version, or alias. + // The name or ARN of the Lambda function, version, or alias. // // Name formats // 
@@ -13481,7 +13481,7 @@ func (s *GetFunctionOutput) SetTags(v map[string]*string) *GetFunctionOutput { type GetFunctionUrlConfigInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -14092,7 +14092,7 @@ func (s *GetLayerVersionPolicyOutput) SetRevisionId(v string) *GetLayerVersionPo type GetPolicyInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function, version, or alias. + // The name or ARN of the Lambda function, version, or alias. // // Name formats // @@ -14205,7 +14205,7 @@ func (s *GetPolicyOutput) SetRevisionId(v string) *GetPolicyOutput { type GetProvisionedConcurrencyConfigInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -14362,7 +14362,7 @@ func (s *GetProvisionedConcurrencyConfigOutput) SetStatusReason(v string) *GetPr type GetRuntimeManagementConfigInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -15094,7 +15094,7 @@ func (s *InvalidZipFileException) RequestID() string { type InvokeAsyncInput struct { _ struct{} `deprecated:"true" type:"structure" payload:"InvokeArgs"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -15208,7 +15208,7 @@ type InvokeInput struct { // to your function for synchronous invocations only. ClientContext *string `location:"header" locationName:"X-Amz-Client-Context" type:"string"` - // The name of the Lambda function, version, or alias. + // The name or ARN of the Lambda function, version, or alias. // // Name formats // 
@@ -15553,7 +15553,7 @@ type InvokeWithResponseStreamInput struct { // to the function in the context object. ClientContext *string `location:"header" locationName:"X-Amz-Client-Context" type:"string"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -16510,7 +16510,7 @@ func (s *LayersListItem) SetLayerName(v string) *LayersListItem { type ListAliasesInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -16755,7 +16755,7 @@ type ListEventSourceMappingsInput struct { // * Amazon DocumentDB – The ARN of the DocumentDB change stream. EventSourceArn *string `location:"querystring" locationName:"EventSourceArn" type:"string"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -16882,7 +16882,7 @@ func (s *ListEventSourceMappingsOutput) SetNextMarker(v string) *ListEventSource type ListFunctionEventInvokeConfigsInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -17004,7 +17004,7 @@ func (s *ListFunctionEventInvokeConfigsOutput) SetNextMarker(v string) *ListFunc type ListFunctionUrlConfigsInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -17604,7 +17604,7 @@ func (s *ListLayersOutput) SetNextMarker(v string) *ListLayersOutput { type ListProvisionedConcurrencyConfigsInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // 
@@ -17807,7 +17807,7 @@ func (s *ListTagsOutput) SetTags(v map[string]*string) *ListTagsOutput { type ListVersionsByFunctionInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -18614,7 +18614,7 @@ type PublishVersionInput struct { // configuration. Description *string `type:"string"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -18702,7 +18702,7 @@ type PutFunctionCodeSigningConfigInput struct { // CodeSigningConfigArn is a required field CodeSigningConfigArn *string `type:"string" required:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -18776,7 +18776,7 @@ type PutFunctionCodeSigningConfigOutput struct { // CodeSigningConfigArn is a required field CodeSigningConfigArn *string `type:"string" required:"true"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -18826,7 +18826,7 @@ func (s *PutFunctionCodeSigningConfigOutput) SetFunctionName(v string) *PutFunct type PutFunctionConcurrencyInput struct { _ struct{} `type:"structure"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -18945,7 +18945,7 @@ type PutFunctionEventInvokeConfigInput struct { // * Event Bus - The ARN of an Amazon EventBridge event bus. DestinationConfig *DestinationConfig `type:"structure"` - // The name of the Lambda function, version, or alias. + // The name or ARN of the Lambda function, version, or alias. // // Name formats // @@ -19122,7 +19122,7 @@ func (s *PutFunctionEventInvokeConfigOutput) SetMaximumRetryAttempts(v int64) *P type PutProvisionedConcurrencyConfigInput struct { _ struct{} `type:"structure"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // 
@@ -19296,7 +19296,7 @@ func (s *PutProvisionedConcurrencyConfigOutput) SetStatusReason(v string) *PutPr type PutRuntimeManagementConfigInput struct { _ struct{} `type:"structure"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -19652,7 +19652,7 @@ func (s RemoveLayerVersionPermissionOutput) GoString() string { type RemovePermissionInput struct { _ struct{} `type:"structure" nopayload:"true"` - // The name of the Lambda function, version, or alias. + // The name or ARN of the Lambda function, version, or alias. // // Name formats // @@ -21226,7 +21226,7 @@ type UpdateAliasInput struct { // A description of the alias. Description *string `type:"string"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -21500,7 +21500,7 @@ type UpdateEventSourceMappingInput struct { // (https://docs.aws.amazon.com/lambda/latest/dg/invocation-eventfiltering.html). FilterCriteria *FilterCriteria `type:"structure"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -21747,7 +21747,7 @@ type UpdateFunctionCodeInput struct { // modifying the function code. DryRun *bool `type:"boolean"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -21928,7 +21928,7 @@ type UpdateFunctionConfigurationInput struct { // Connection settings for an Amazon EFS file system. FileSystemConfigs []*FileSystemConfig `type:"list"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // @@ -22205,7 +22205,7 @@ type UpdateFunctionEventInvokeConfigInput struct { // * Event Bus - The ARN of an Amazon EventBridge event bus. DestinationConfig *DestinationConfig `type:"structure"` - // The name of the Lambda function, version, or alias. + // The name or ARN of the Lambda function, version, or alias. // // Name formats // 
@@ -22392,7 +22392,7 @@ type UpdateFunctionUrlConfigInput struct { // settings for your function URL. Cors *Cors `type:"structure"` - // The name of the Lambda function. + // The name or ARN of the Lambda function. // // Name formats // diff --git a/service/managedgrafana/api.go b/service/managedgrafana/api.go index 0b43e8a4b5..d1c89488a5 100644 --- a/service/managedgrafana/api.go +++ b/service/managedgrafana/api.go @@ -2151,8 +2151,16 @@ func (s *AssertionAttributes) SetRole(v string) *AssertionAttributes { type AssociateLicenseInput struct { _ struct{} `type:"structure" nopayload:"true"` + // A token from Grafana Labs that ties your Amazon Web Services account with + // a Grafana Labs account. For more information, see Register with Grafana Labs + // (https://docs.aws.amazon.com/grafana/latest/userguide/upgrade-to-Grafana-Enterprise.html#AMG-workspace-register-enterprise). + GrafanaToken *string `location:"header" locationName:"Grafana-Token" min:"1" type:"string"` + // The type of license to associate with the workspace. // + // Amazon Managed Grafana workspaces no longer support Grafana Enterprise free + // trials. + // // LicenseType is a required field LicenseType *string `location:"uri" locationName:"licenseType" type:"string" required:"true" enum:"LicenseType"` @@ -2183,6 +2191,9 @@ func (s AssociateLicenseInput) GoString() string { // Validate inspects the fields of the type to determine if they are valid. func (s *AssociateLicenseInput) Validate() error { invalidParams := request.ErrInvalidParams{Context: "AssociateLicenseInput"} + if s.GrafanaToken != nil && len(*s.GrafanaToken) < 1 { + invalidParams.Add(request.NewErrParamMinLen("GrafanaToken", 1)) + } if s.LicenseType == nil { invalidParams.Add(request.NewErrParamRequired("LicenseType")) } 
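Review bot: The new `GrafanaToken` field on `AssociateLicenseInput` has no `sensitive:"true"` tag, so its value would appear in full wherever the input is rendered through `String()`/`GoString()`. This assumes the type uses the same `awsutil.Prettify` rendering as the other shapes in this patch. The field comment describes a token that ties the AWS account to a Grafana Labs account, which reads like a credential. If it is one, the tag should read `location:"header" locationName:"Grafana-Token" min:"1" type:"string" sensitive:"true"`. The same untagged field is added to `WorkspaceDescription` and `WorkspaceSummary` in later hunks of this file; as api.go appears to be generated, the change probably belongs in the grafana API model, and the struct itself continues outside the hunk.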
@@ -2202,6 +2213,12 @@ func (s *AssociateLicenseInput) Validate() error { return nil } +// SetGrafanaToken sets the GrafanaToken field's value. +func (s *AssociateLicenseInput) SetGrafanaToken(v string) *AssociateLicenseInput { + s.GrafanaToken = &v + return s +} + // SetLicenseType sets the LicenseType field's value. func (s *AssociateLicenseInput) SetLicenseType(v string) *AssociateLicenseInput { s.LicenseType = &v @@ -2632,10 +2649,9 @@ type CreateWorkspaceInput struct { // AccountAccessType is a required field AccountAccessType *string `locationName:"accountAccessType" type:"string" required:"true" enum:"AccountAccessType"` - // Specifies whether this workspace uses SAML 2.0, IAM Identity Center (successor - // to Single Sign-On), or both to authenticate users for using the Grafana console - // within a workspace. For more information, see User authentication in Amazon - // Managed Grafana (https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html). + // Specifies whether this workspace uses SAML 2.0, IAM Identity Center, or both + // to authenticate users for using the Grafana console within a workspace. For + // more information, see User authentication in Amazon Managed Grafana (https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html). // // AuthenticationProviders is a required field AuthenticationProviders []*string `locationName:"authenticationProviders" type:"list" required:"true" enum:"AuthenticationProviderTypes"` 
@@ -2649,9 +2665,10 @@ type CreateWorkspaceInput struct { // Grafana workspace (https://docs.aws.amazon.com/grafana/latest/userguide/AMG-configure-workspace.html). Configuration *string `locationName:"configuration" min:"2" type:"string"` - // Specifies the version of Grafana to support in the new workspace. + // Specifies the version of Grafana to support in the new workspace. If not + // specified, defaults to the latest version (for example, 9.4). // - // To get a list of supported version, use the ListVersions operation. + // To get a list of supported versions, use the ListVersions operation. GrafanaVersion *string `locationName:"grafanaVersion" min:"1" type:"string"` // Configuration for network access to your workspace. @@ -5063,10 +5080,9 @@ func (s *UpdatePermissionsOutput) SetErrors(v []*UpdateError) *UpdatePermissions type UpdateWorkspaceAuthenticationInput struct { _ struct{} `type:"structure"` - // Specifies whether this workspace uses SAML 2.0, IAM Identity Center (successor - // to Single Sign-On), or both to authenticate users for using the Grafana console - // within a workspace. For more information, see User authentication in Amazon - // Managed Grafana (https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html). + // Specifies whether this workspace uses SAML 2.0, IAM Identity Center, or both + // to authenticate users for using the Grafana console within a workspace. For + // more information, see User authentication in Amazon Managed Grafana (https://docs.aws.amazon.com/grafana/latest/userguide/authentication-in-AMG.html). // // AuthenticationProviders is a required field AuthenticationProviders []*string `locationName:"authenticationProviders" type:"list" required:"true" enum:"AuthenticationProviderTypes"` 
@@ -5186,13 +5202,15 @@ type UpdateWorkspaceConfigurationInput struct { // Configuration is a required field Configuration *string `locationName:"configuration" min:"2" type:"string" required:"true"` - // Specifies the version of Grafana to support in the new workspace. + // Specifies the version of Grafana to support in the workspace. If not specified, + // keeps the current version of the workspace. // // Can only be used to upgrade (for example, from 8.4 to 9.4), not downgrade // (for example, from 9.4 to 8.4). // // To know what versions are available to upgrade to for a specific workspace, - // see the ListVersions operation. + // see the ListVersions (https://docs.aws.amazon.com/grafana/latest/APIReference/API_ListVersions.html) + // operation. GrafanaVersion *string `locationName:"grafanaVersion" min:"1" type:"string"` // The ID of the workspace to update. @@ -5890,12 +5908,22 @@ type WorkspaceDescription struct { // Specifies whether this workspace has already fully used its free trial for // Grafana Enterprise. + // + // Amazon Managed Grafana workspaces no longer support Grafana Enterprise free + // trials. FreeTrialConsumed *bool `locationName:"freeTrialConsumed" type:"boolean"` // If this workspace is currently in the free trial period for Grafana Enterprise, // this value specifies when that free trial ends. + // + // Amazon Managed Grafana workspaces no longer support Grafana Enterprise free + // trials. FreeTrialExpiration *time.Time `locationName:"freeTrialExpiration" type:"timestamp"` + // The token that ties this workspace to a Grafana Labs account. For more information, + // see Register with Grafana Labs (https://docs.aws.amazon.com/grafana/latest/userguide/upgrade-to-Grafana-Enterprise.html#AMG-workspace-register-enterprise). + GrafanaToken *string `locationName:"grafanaToken" min:"1" type:"string"` + // The version of Grafana supported in this workspace. // // GrafanaVersion is a required field 
@@ -5906,12 +5934,17 @@ type WorkspaceDescription struct { // Id is a required field Id *string `locationName:"id" type:"string" required:"true"` - // If this workspace has a full Grafana Enterprise license, this specifies when - // the license ends and will need to be renewed. + // If this workspace has a full Grafana Enterprise license purchased through + // Amazon Web Services Marketplace, this specifies when the license ends and + // will need to be renewed. Purchasing the Enterprise plugins option through + // Amazon Managed Grafana does not have an expiration. It is valid until the + // license is removed. LicenseExpiration *time.Time `locationName:"licenseExpiration" type:"timestamp"` - // Specifies whether this workspace has a full Grafana Enterprise license or - // a free trial license. + // Specifies whether this workspace has a full Grafana Enterprise license. + // + // Amazon Managed Grafana workspaces no longer support Grafana Enterprise free + // trials. LicenseType *string `locationName:"licenseType" type:"string" enum:"LicenseType"` // The most recent date that the workspace was modified. @@ -6061,6 +6094,12 @@ func (s *WorkspaceDescription) SetFreeTrialExpiration(v time.Time) *WorkspaceDes return s } +// SetGrafanaToken sets the GrafanaToken field's value. +func (s *WorkspaceDescription) SetGrafanaToken(v string) *WorkspaceDescription { + s.GrafanaToken = &v + return s +} + // SetGrafanaVersion sets the GrafanaVersion field's value. func (s *WorkspaceDescription) SetGrafanaVersion(v string) *WorkspaceDescription { s.GrafanaVersion = &v 
@@ -6184,6 +6223,10 @@ type WorkspaceSummary struct { // Endpoint is a required field Endpoint *string `locationName:"endpoint" min:"1" type:"string" required:"true"` + // The token that ties this workspace to a Grafana Labs account. For more information, + // see Register with Grafana Labs (https://docs.aws.amazon.com/grafana/latest/userguide/upgrade-to-Grafana-Enterprise.html#AMG-workspace-register-enterprise). + GrafanaToken *string `locationName:"grafanaToken" min:"1" type:"string"` + // The Grafana version that the workspace is running. // // GrafanaVersion is a required field @@ -6194,6 +6237,12 @@ type WorkspaceSummary struct { // Id is a required field Id *string `locationName:"id" type:"string" required:"true"` + // Specifies whether this workspace has a full Grafana Enterprise license. + // + // Amazon Managed Grafana workspaces no longer support Grafana Enterprise free + // trials. + LicenseType *string `locationName:"licenseType" type:"string" enum:"LicenseType"` + // The most recent date that the workspace was modified. // // Modified is a required field @@ -6262,6 +6311,12 @@ func (s *WorkspaceSummary) SetEndpoint(v string) *WorkspaceSummary { return s } +// SetGrafanaToken sets the GrafanaToken field's value. +func (s *WorkspaceSummary) SetGrafanaToken(v string) *WorkspaceSummary { + s.GrafanaToken = &v + return s +} + // SetGrafanaVersion sets the GrafanaVersion field's value. func (s *WorkspaceSummary) SetGrafanaVersion(v string) *WorkspaceSummary { s.GrafanaVersion = &v @@ -6274,6 +6329,12 @@ func (s *WorkspaceSummary) SetId(v string) *WorkspaceSummary { return s } +// SetLicenseType sets the LicenseType field's value. +func (s *WorkspaceSummary) SetLicenseType(v string) *WorkspaceSummary { + s.LicenseType = &v + return s +} + // SetModified sets the Modified field's value. func (s *WorkspaceSummary) SetModified(v time.Time) *WorkspaceSummary { s.Modified = &v 
diff --git a/service/paymentcryptographydata/api.go b/service/paymentcryptographydata/api.go index 454b9dbf61..0733ad40b6 100644 --- a/service/paymentcryptographydata/api.go +++ b/service/paymentcryptographydata/api.go @@ -54,8 +54,9 @@ func (c *PaymentCryptographyData) DecryptDataRequest(input *DecryptDataInput) (r // DecryptData API operation for Payment Cryptography Data Plane. // -// Decrypts ciphertext data to plaintext using symmetric, asymmetric, or DUKPT -// data encryption key. For more information, see Decrypt data (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/decrypt-data.html) +// Decrypts ciphertext data to plaintext using a symmetric (TDES, AES), asymmetric +// (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, +// see Decrypt data (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/decrypt-data.html) // in the Amazon Web Services Payment Cryptography User Guide. // // You can use an encryption key generated within Amazon Web Services Payment 
@@ -69,10 +70,14 @@ func (c *PaymentCryptographyData) DecryptDataRequest(input *DecryptDataInput) (r // (https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_GetPublicKeyCertificate.html). // // For symmetric and DUKPT decryption, Amazon Web Services Payment Cryptography -// supports TDES and AES algorithms. For asymmetric decryption, Amazon Web Services -// Payment Cryptography supports RSA. When you use DUKPT, for TDES algorithm, -// the ciphertext data length must be a multiple of 16 bytes. For AES algorithm, -// the ciphertext data length must be a multiple of 32 bytes. +// supports TDES and AES algorithms. For EMV decryption, Amazon Web Services +// Payment Cryptography supports TDES algorithms. For asymmetric decryption, +// Amazon Web Services Payment Cryptography supports RSA. +// +// When you use TDES or TDES DUKPT, the ciphertext data length must be a multiple +// of 8 bytes. For AES or AES DUKPT, the ciphertext data length must be a multiple +// of 16 bytes. For RSA, it sould be equal to the key size unless padding is +// enabled. // // For information about valid keys for this operation, see Understanding key // attributes (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html) 
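Review bot: The added length paragraph in the DecryptData comment has a typo, `sould` for `should`, in `For RSA, it sould be equal to the key size unless padding is enabled.` The EncryptData hunk repeats the sentence with the same typo and also runs two sentences together in `TDES algorithms.For asymmetric encryption`. The RSA sentence would be clearer if it named what "it" is, for example `For RSA, the ciphertext length should equal the key size unless padding is enabled.` These comments look generated from the service docs model, so the correction likely belongs there.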
@@ -180,8 +185,9 @@ func (c *PaymentCryptographyData) EncryptDataRequest(input *EncryptDataInput) (r // EncryptData API operation for Payment Cryptography Data Plane. // -// Encrypts plaintext data to ciphertext using symmetric, asymmetric, or DUKPT -// data encryption key. For more information, see Encrypt data (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/encrypt-data.html) +// Encrypts plaintext data to ciphertext using a symmetric (TDES, AES), asymmetric +// (RSA), or derived (DUKPT or EMV) encryption key scheme. For more information, +// see Encrypt data (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/encrypt-data.html) // in the Amazon Web Services Payment Cryptography User Guide. // // You can generate an encryption key within Amazon Web Services Payment Cryptography 
@@ -190,13 +196,23 @@ func (c *PaymentCryptographyData) EncryptDataRequest(input *EncryptDataInput) (r // For this operation, the key must have KeyModesOfUse set to Encrypt. In asymmetric // encryption, plaintext is encrypted using public component. You can import // the public component of an asymmetric key pair created outside Amazon Web -// Services Payment Cryptography by calling ImportKey (https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html)). +// Services Payment Cryptography by calling ImportKey (https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_ImportKey.html). // -// for symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography -// supports TDES and AES algorithms. For asymmetric encryption, Amazon Web Services -// Payment Cryptography supports RSA. To encrypt using DUKPT, you must already -// have a DUKPT key in your account with KeyModesOfUse set to DeriveKey, or -// you can generate a new DUKPT key by calling CreateKey (https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html). +// For symmetric and DUKPT encryption, Amazon Web Services Payment Cryptography +// supports TDES and AES algorithms. For EMV encryption, Amazon Web Services +// Payment Cryptography supports TDES algorithms.For asymmetric encryption, +// Amazon Web Services Payment Cryptography supports RSA. +// +// When you use TDES or TDES DUKPT, the plaintext data length must be a multiple +// of 8 bytes. For AES or AES DUKPT, the plaintext data length must be a multiple +// of 16 bytes. For RSA, it sould be equal to the key size unless padding is +// enabled. +// +// To encrypt using DUKPT, you must already have a BDK (Base Derivation Key) +// key in your account with KeyModesOfUse set to DeriveKey, or you can generate +// a new DUKPT key by calling CreateKey (https://docs.aws.amazon.com/payment-cryptography/latest/APIReference/API_CreateKey.html). 
+// To encrypt using EMV, you must already have an IMK (Issuer Master Key) key +// in your account with KeyModesOfUse set to DeriveKey. // // For information about valid keys for this operation, see Understanding key // attributes (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html) 
@@ -427,14 +443,18 @@ func (c *PaymentCryptographyData) GenerateMacRequest(input *GenerateMacInput) (r // Generates a Message Authentication Code (MAC) cryptogram within Amazon Web // Services Payment Cryptography. // -// You can use this operation when keys won't be shared but mutual data is present -// on both ends for validation. In this case, known data values are used to -// generate a MAC on both ends for comparision without sending or receiving -// data in ciphertext or plaintext. You can use this operation to generate a -// DUPKT, HMAC or EMV MAC by setting generation attributes and algorithm to -// the associated values. The MAC generation encryption key must have valid -// values for KeyUsage such as TR31_M7_HMAC_KEY for HMAC generation, and they -// key must have KeyModesOfUse set to Generate and Verify. +// You can use this operation to authenticate card-related data by using known +// data values to generate MAC for data validation between the sending and receiving +// parties. This operation uses message data, a secret encryption key and MAC +// algorithm to generate a unique MAC value for transmission. The receiving +// party of the MAC must use the same message data, secret encryption key and +// MAC algorithm to reproduce another MAC value for comparision. +// +// You can use this operation to generate a DUPKT, CMAC, HMAC or EMV MAC by +// setting generation attributes and algorithm to the associated values. The +// MAC generation encryption key must have valid values for KeyUsage such as +// TR31_M7_HMAC_KEY for HMAC generation, and they key must have KeyModesOfUse +// set to Generate and Verify. // // For information about valid keys for this operation, see Understanding key // attributes (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html) 
@@ -791,10 +811,7 @@ func (c *PaymentCryptographyData) TranslatePinDataRequest(input *TranslatePinDat // Cryptography. The encryption key transformation can be from PEK (Pin Encryption // Key) to BDK (Base Derivation Key) for DUKPT or from BDK for DUKPT to PEK. // Amazon Web Services Payment Cryptography supports TDES and AES key derivation -// type for DUKPT tranlations. You can use this operation for P2PE (Point to -// Point Encryption) use cases where the encryption keys should change but the -// processing system either does not need to, or is not permitted to, decrypt -// the data. +// type for DUKPT translations. // // The allowed combinations of PIN block format translations are guided by PCI. // It is important to note that not all encrypted PIN block formats (example, @@ -807,8 +824,9 @@ func (c *PaymentCryptographyData) TranslatePinDataRequest(input *TranslatePinDat // and Key types for specific data operations (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/crypto-ops-validkeys-ops.html) // in the Amazon Web Services Payment Cryptography User Guide. // -// At this time, Amazon Web Services Payment Cryptography does not support translations -// to PIN format 4. +// Amazon Web Services Payment Cryptography currently supports ISO PIN block +// 4 translation for PIN block built using legacy PAN length. That is, PAN is +// the right most 12 digits excluding the check digits. // // Cross-account use: This operation can't be used across different Amazon Web // Services accounts. 
@@ -1157,12 +1175,11 @@ func (c *PaymentCryptographyData) VerifyMacRequest(input *VerifyMacInput) (req * // // Verifies a Message Authentication Code (MAC). // -// You can use this operation when keys won't be shared but mutual data is present -// on both ends for validation. In this case, known data values are used to -// generate a MAC on both ends for verification without sending or receiving -// data in ciphertext or plaintext. You can use this operation to verify a DUPKT, -// HMAC or EMV MAC by setting generation attributes and algorithm to the associated -// values. Use the same encryption key for MAC verification as you use for GenerateMac. +// You can use this operation to verify MAC for message data authentication +// such as . In this operation, you must use the same message data, secret encryption +// key and MAC algorithm that was used to generate MAC. You can use this operation +// to verify a DUPKT, CMAC, HMAC or EMV MAC by setting generation attributes +// and algorithm to the associated values. // // For information about valid keys for this operation, see Understanding key // attributes (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/keys-validattributes.html) 
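Review bot: The rewritten VerifyMac description has a sentence that breaks off at `such as .`, so the example it meant to give is missing. Either name the example or end the sentence there, e.g. `// You can use this operation to verify MAC for message data authentication.` `DUPKT` is presumably a misspelling of DUKPT; it also appears in the GenerateMac hunk, alongside `comparision`. The comment appears to be generated from the service docs model, so the fix likely belongs in that source.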
@@ -2345,15 +2362,15 @@ type DecryptDataOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // KeyCheckValue is a required field KeyCheckValue *string `min:"4" type:"string" required:"true"` - // The decrypted plaintext data. + // The decrypted plaintext data in hexBinary format. // // PlainText is a sensitive parameter and its value will be // replaced with "sensitive" in string returned by DecryptDataOutput's @@ -2642,10 +2659,8 @@ type DukptEncryptionAttributes struct { // data encryption, or both. DukptKeyVariant *string `type:"string" enum:"DukptKeyVariant"` - // An input to cryptographic primitive used to provide the intial state. Typically - // the InitializationVector must have a random or psuedo-random value, but sometimes - // it only needs to be unpredictable or unique. If you don't provide a value, - // Amazon Web Services Payment Cryptography generates a random value. + // An input used to provide the intial state. If no value is provided, Amazon + // Web Services Payment Cryptography defaults it to zero. // // InitializationVector is a sensitive parameter and its value will be // replaced with "sensitive" in string returned by DukptEncryptionAttributes's 
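Review bot: The rewritten `InitializationVector` comment on `DukptEncryptionAttributes` now says the IV defaults to zero and drops the earlier guidance that an IV is normally random or unpredictable, while the `Mode` comment in the next hunk still gives CBC as the default. With CBC, a fixed IV under the same key makes messages that share leading blocks produce identical leading ciphertext blocks, so a reader needs to know when the default is acceptable. I would add a line such as `// With CBC and the default zero IV, supply your own IV unless the derived key is unique per message.`, worded as a caveat because the key-derivation behaviour is not visible in this diff. The same wording, including the typo `intial`, is repeated on `EmvEncryptionAttributes.InitializationVector` in the `@@ -2946,6 +2956,139 @@` hunk. The struct continues outside this hunk.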
@@ -2659,12 +2674,7 @@ type DukptEncryptionAttributes struct { // KeySerialNumber is a required field KeySerialNumber *string `min:"10" type:"string" required:"true"` - // The block cipher mode of operation. Block ciphers are designed to encrypt - // a block of data of fixed size, for example, 128 bits. The size of the input - // block is usually same as the size of the encrypted output block, while the - // key length can be different. A mode of operation describes how to repeatedly - // apply a cipher's single-block operation to securely transform amounts of - // data larger than a block. + // The block cipher method to use for encryption. // // The default is CBC. Mode *string `type:"string" enum:"DukptEncryptionMode"` 
@@ -2946,6 +2956,139 @@ func (s *DynamicCardVerificationValue) SetServiceCode(v string) *DynamicCardVeri return s } +// Parameters for plaintext encryption using EMV keys. +type EmvEncryptionAttributes struct { + _ struct{} `type:"structure"` + + // An input used to provide the intial state. If no value is provided, Amazon + // Web Services Payment Cryptography defaults it to zero. + // + // InitializationVector is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by EmvEncryptionAttributes's + // String and GoString methods. + InitializationVector *string `min:"16" type:"string" sensitive:"true"` + + // The EMV derivation mode to use for ICC master key derivation as per EMV version + // 4.3 book 2. + // + // MajorKeyDerivationMode is a required field + MajorKeyDerivationMode *string `type:"string" required:"true" enum:"EmvMajorKeyDerivationMode"` + + // The block cipher method to use for encryption. + Mode *string `type:"string" enum:"EmvEncryptionMode"` + + // A number that identifies and differentiates payment cards with the same Primary + // Account Number (PAN). + // + // PanSequenceNumber is a required field + PanSequenceNumber *string `min:"2" type:"string" required:"true"` + + // The Primary Account Number (PAN), a unique identifier for a payment credit + // or debit card and associates the card to a specific account holder. + // + // PrimaryAccountNumber is a sensitive parameter and its value will be + // replaced with "sensitive" in string returned by EmvEncryptionAttributes's + // String and GoString methods. + // + // PrimaryAccountNumber is a required field + PrimaryAccountNumber *string `min:"12" type:"string" required:"true" sensitive:"true"` + + // The derivation value used to derive the ICC session key. It is typically + // the application transaction counter value padded with zeros or previous ARQC + // value padded with zeros as per EMV version 4.3 book 2. 
+ // + // SessionDerivationData is a required field + SessionDerivationData *string `min:"16" type:"string" required:"true"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s EmvEncryptionAttributes) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s EmvEncryptionAttributes) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EmvEncryptionAttributes) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EmvEncryptionAttributes"} + if s.InitializationVector != nil && len(*s.InitializationVector) < 16 { + invalidParams.Add(request.NewErrParamMinLen("InitializationVector", 16)) + } + if s.MajorKeyDerivationMode == nil { + invalidParams.Add(request.NewErrParamRequired("MajorKeyDerivationMode")) + } + if s.PanSequenceNumber == nil { + invalidParams.Add(request.NewErrParamRequired("PanSequenceNumber")) + } + if s.PanSequenceNumber != nil && len(*s.PanSequenceNumber) < 2 { + invalidParams.Add(request.NewErrParamMinLen("PanSequenceNumber", 2)) + } + if s.PrimaryAccountNumber == nil { + invalidParams.Add(request.NewErrParamRequired("PrimaryAccountNumber")) + } + if s.PrimaryAccountNumber != nil && len(*s.PrimaryAccountNumber) < 12 { + invalidParams.Add(request.NewErrParamMinLen("PrimaryAccountNumber", 12)) + } + if s.SessionDerivationData == nil { + invalidParams.Add(request.NewErrParamRequired("SessionDerivationData")) + } + if s.SessionDerivationData != nil && len(*s.SessionDerivationData) < 16 { + 
invalidParams.Add(request.NewErrParamMinLen("SessionDerivationData", 16)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetInitializationVector sets the InitializationVector field's value. +func (s *EmvEncryptionAttributes) SetInitializationVector(v string) *EmvEncryptionAttributes { + s.InitializationVector = &v + return s +} + +// SetMajorKeyDerivationMode sets the MajorKeyDerivationMode field's value. +func (s *EmvEncryptionAttributes) SetMajorKeyDerivationMode(v string) *EmvEncryptionAttributes { + s.MajorKeyDerivationMode = &v + return s +} + +// SetMode sets the Mode field's value. +func (s *EmvEncryptionAttributes) SetMode(v string) *EmvEncryptionAttributes { + s.Mode = &v + return s +} + +// SetPanSequenceNumber sets the PanSequenceNumber field's value. +func (s *EmvEncryptionAttributes) SetPanSequenceNumber(v string) *EmvEncryptionAttributes { + s.PanSequenceNumber = &v + return s +} + +// SetPrimaryAccountNumber sets the PrimaryAccountNumber field's value. +func (s *EmvEncryptionAttributes) SetPrimaryAccountNumber(v string) *EmvEncryptionAttributes { + s.PrimaryAccountNumber = &v + return s +} + +// SetSessionDerivationData sets the SessionDerivationData field's value. +func (s *EmvEncryptionAttributes) SetSessionDerivationData(v string) *EmvEncryptionAttributes { + s.SessionDerivationData = &v + return s +} + type EncryptDataInput struct { _ struct{} `type:"structure"` 
@@ -2962,6 +3105,12 @@ type EncryptDataInput struct { // The plaintext to be encrypted. // + // For encryption using asymmetric keys, plaintext data length is constrained + // by encryption key strength that you define in KeyAlgorithm and padding type + // that you define in AsymmetricEncryptionAttributes. For more information, + // see Encrypt data (https://docs.aws.amazon.com/payment-cryptography/latest/userguide/encrypt-data.html) + // in the Amazon Web Services Payment Cryptography User Guide. + // // PlainText is a sensitive parameter and its value will be // replaced with "sensitive" in string returned by EncryptDataInput's // String and GoString methods. @@ -3056,10 +3205,10 @@ type EncryptDataOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. KeyCheckValue *string `min:"4" type:"string"` } @@ -3109,6 +3258,9 @@ type EncryptionDecryptionAttributes struct { // Parameters that are required to encrypt plaintext data using DUKPT. Dukpt *DukptEncryptionAttributes `type:"structure"` + // Parameters for plaintext encryption using EMV keys. + Emv *EmvEncryptionAttributes `type:"structure"` + // Parameters that are required to perform encryption and decryption using symmetric // keys. Symmetric *SymmetricEncryptionAttributes `type:"structure"` 
@@ -3140,6 +3292,11 @@ func (s *EncryptionDecryptionAttributes) Validate() error { invalidParams.AddNested("Dukpt", err.(request.ErrInvalidParams)) } } + if s.Emv != nil { + if err := s.Emv.Validate(); err != nil { + invalidParams.AddNested("Emv", err.(request.ErrInvalidParams)) + } + } if s.Symmetric != nil { if err := s.Symmetric.Validate(); err != nil { invalidParams.AddNested("Symmetric", err.(request.ErrInvalidParams)) @@ -3164,6 +3321,12 @@ func (s *EncryptionDecryptionAttributes) SetDukpt(v *DukptEncryptionAttributes) return s } +// SetEmv sets the Emv field's value. +func (s *EncryptionDecryptionAttributes) SetEmv(v *EmvEncryptionAttributes) *EncryptionDecryptionAttributes { + s.Emv = v + return s +} + // SetSymmetric sets the Symmetric field's value. func (s *EncryptionDecryptionAttributes) SetSymmetric(v *SymmetricEncryptionAttributes) *EncryptionDecryptionAttributes { s.Symmetric = v @@ -3285,10 +3448,10 @@ type GenerateCardValidationDataOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // KeyCheckValue is a required field KeyCheckValue *string `min:"4" type:"string" required:"true"` 
@@ -3353,7 +3516,7 @@ type GenerateMacInput struct { // The length of a MAC under generation. MacLength *int64 `min:"4" type:"integer"` - // The data for which a MAC is under generation. + // The data for which a MAC is under generation. This value must be hexBinary. // // MessageData is a sensitive parameter and its value will be // replaced with "sensitive" in string returned by GenerateMacInput's @@ -3449,10 +3612,10 @@ type GenerateMacOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // KeyCheckValue is a required field KeyCheckValue *string `min:"4" type:"string" required:"true"` @@ -3661,10 +3824,10 @@ type GeneratePinDataOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // EncryptionKeyCheckValue is a required field EncryptionKeyCheckValue *string `min:"4" type:"string" required:"true"` 
@@ -3677,10 +3840,10 @@ type GeneratePinDataOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // GenerationKeyCheckValue is a required field GenerationKeyCheckValue *string `min:"4" type:"string" required:"true"` @@ -4513,7 +4676,7 @@ type MacAttributes struct { DukptIso9797Algorithm1 *MacAlgorithmDukpt `type:"structure"` // Parameters that are required for MAC generation or verification using DUKPT - // ISO 9797 algorithm2. + // ISO 9797 algorithm3. DukptIso9797Algorithm3 *MacAlgorithmDukpt `type:"structure"` // Parameters that are required for MAC generation or verification using EMV @@ -4970,10 +5133,10 @@ type ReEncryptDataOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // KeyCheckValue is a required field KeyCheckValue *string `min:"4" type:"string" required:"true"` 
@@ -5752,23 +5915,15 @@ func (s *SessionKeyVisa) SetPrimaryAccountNumber(v string) *SessionKeyVisa { type SymmetricEncryptionAttributes struct { _ struct{} `type:"structure"` - // An input to cryptographic primitive used to provide the intial state. The - // InitializationVector is typically required have a random or psuedo-random - // value, but sometimes it only needs to be unpredictable or unique. If a value - // is not provided, Amazon Web Services Payment Cryptography generates a random - // value. + // An input used to provide the intial state. If no value is provided, Amazon + // Web Services Payment Cryptography defaults it to zero. // // InitializationVector is a sensitive parameter and its value will be // replaced with "sensitive" in string returned by SymmetricEncryptionAttributes's // String and GoString methods. InitializationVector *string `min:"16" type:"string" sensitive:"true"` - // The block cipher mode of operation. Block ciphers are designed to encrypt - // a block of data of fixed size (for example, 128 bits). The size of the input - // block is usually same as the size of the encrypted output block, while the - // key length can be different. A mode of operation describes how to repeatedly - // apply a cipher's single-block operation to securely transform amounts of - // data larger than a block. + // The block cipher method to use for encryption. // // Mode is a required field Mode *string `type:"string" required:"true" enum:"EncryptionMode"` @@ -5907,7 +6062,7 @@ type TranslatePinDataInput struct { EncryptedPinBlock *string `min:"16" type:"string" required:"true" sensitive:"true"` // The attributes and values to use for incoming DUKPT encryption key for PIN - // block tranlation. + // block translation. IncomingDukptAttributes *DukptDerivationAttributes `type:"structure"` // The keyARN of the encryption key under which incoming PIN block data is encrypted. 
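Review bot: The rewritten `InitializationVector` comment in `SymmetricEncryptionAttributes` now documents an all-zero default and drops the earlier guidance that the value should normally be random, unpredictable or unique, so a caller who omits the field gets no hint of what that costs. With a fixed IV, a chaining mode such as CBC becomes deterministic under a given key: identical plaintexts, and identical leading blocks, encrypt to identical ciphertext. I would keep the default statement and add a line such as `// Supply a fresh, unpredictable value per message for chaining modes; the zero default makes encryption under one key deterministic.` The same added line also carries the typo "intial". This file looks generated from the service model, so the wording would presumably need to change in the model documentation rather than here.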
@@ -5916,7 +6071,7 @@ type TranslatePinDataInput struct { // IncomingKeyIdentifier is a required field IncomingKeyIdentifier *string `min:"7" type:"string" required:"true"` - // The format of the incoming PIN block data for tranlation within Amazon Web + // The format of the incoming PIN block data for translation within Amazon Web // Services Payment Cryptography. // // IncomingTranslationAttributes is a required field @@ -5932,7 +6087,7 @@ type TranslatePinDataInput struct { // OutgoingKeyIdentifier is a required field OutgoingKeyIdentifier *string `min:"7" type:"string" required:"true"` - // The format of the outgoing PIN block data after tranlation by Amazon Web + // The format of the outgoing PIN block data after translation by Amazon Web // Services Payment Cryptography. // // OutgoingTranslationAttributes is a required field @@ -6064,15 +6219,15 @@ type TranslatePinDataOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // KeyCheckValue is a required field KeyCheckValue *string `min:"4" type:"string" required:"true"` - // The ougoing encrypted PIN block data after tranlation. + // The outgoing encrypted PIN block data after translation. // // PinBlock is a required field PinBlock *string `min:"16" type:"string" required:"true"` 
@@ -6616,10 +6771,10 @@ type VerifyAuthRequestCryptogramOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // KeyCheckValue is a required field KeyCheckValue *string `min:"4" type:"string" required:"true"` @@ -6782,10 +6937,10 @@ type VerifyCardValidationDataOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // KeyCheckValue is a required field KeyCheckValue *string `min:"4" type:"string" required:"true"` @@ -6842,7 +6997,7 @@ type VerifyMacInput struct { // The length of the MAC. MacLength *int64 `min:"4" type:"integer"` - // The data on for which MAC is under verification. + // The data on for which MAC is under verification. This value must be hexBinary. // // MessageData is a sensitive parameter and its value will be // replaced with "sensitive" in string returned by VerifyMacInput's 
@@ -6956,10 +7111,10 @@ type VerifyMacOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // KeyCheckValue is a required field KeyCheckValue *string `min:"4" type:"string" required:"true"` @@ -7180,10 +7335,10 @@ type VerifyPinDataOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // EncryptionKeyCheckValue is a required field EncryptionKeyCheckValue *string `min:"4" type:"string" required:"true"` 
@@ -7196,10 +7351,10 @@ type VerifyPinDataOutput struct { // The key check value (KCV) of the encryption key. The KCV is used to check // if all parties holding a given key have the same key or to detect that a - // key has changed. Amazon Web Services Payment Cryptography calculates the - // KCV by using standard algorithms, typically by encrypting 8 or 16 bytes or - // "00" or "01" and then truncating the result to the first 3 bytes, or 6 hex - // digits, of the resulting cryptogram. + // key has changed. + // + // Amazon Web Services Payment Cryptography computes the KCV according to the + // CMAC specification. // // VerificationKeyCheckValue is a required field VerificationKeyCheckValue *string `min:"4" type:"string" required:"true"` @@ -7491,6 +7646,38 @@ func DukptKeyVariant_Values() []string { } } +const ( + // EmvEncryptionModeEcb is a EmvEncryptionMode enum value + EmvEncryptionModeEcb = "ECB" + + // EmvEncryptionModeCbc is a EmvEncryptionMode enum value + EmvEncryptionModeCbc = "CBC" +) + +// EmvEncryptionMode_Values returns all elements of the EmvEncryptionMode enum +func EmvEncryptionMode_Values() []string { + return []string{ + EmvEncryptionModeEcb, + EmvEncryptionModeCbc, + } +} + +const ( + // EmvMajorKeyDerivationModeEmvOptionA is a EmvMajorKeyDerivationMode enum value + EmvMajorKeyDerivationModeEmvOptionA = "EMV_OPTION_A" + + // EmvMajorKeyDerivationModeEmvOptionB is a EmvMajorKeyDerivationMode enum value + EmvMajorKeyDerivationModeEmvOptionB = "EMV_OPTION_B" +) + +// EmvMajorKeyDerivationMode_Values returns all elements of the EmvMajorKeyDerivationMode enum +func EmvMajorKeyDerivationMode_Values() []string { + return []string{ + EmvMajorKeyDerivationModeEmvOptionA, + EmvMajorKeyDerivationModeEmvOptionB, + } +} + const ( // EncryptionModeEcb is a EncryptionMode enum value EncryptionModeEcb = "ECB" diff --git a/service/rds/api.go b/service/rds/api.go index fa1ab87b12..2c2045b304 100644 --- a/service/rds/api.go +++ b/service/rds/api.go 
@@ -21921,6 +21921,10 @@ type CreateDBClusterInput struct { // The CA certificate identifier to use for the DB cluster's server certificate. // + // For more information, see Using SSL/TLS to encrypt a connection to a DB instance + // (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) + // in the Amazon RDS User Guide. + // // Valid for Cluster Type: Multi-AZ DB clusters CACertificateIdentifier *string `type:"string"` @@ -22561,7 +22565,7 @@ type CreateDBClusterInput struct { // // * Aurora DB clusters - aurora | aurora-iopt1 // - // * Multi-AZ DB clusters - io1 + // * Multi-AZ DB clusters - io1 | io2 | gp3 // // Default: // @@ -46746,6 +46750,10 @@ type ModifyDBClusterInput struct { // The CA certificate identifier to use for the DB cluster's server certificate. // + // For more information, see Using SSL/TLS to encrypt a connection to a DB instance + // (https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html) + // in the Amazon RDS User Guide. + // // Valid for Cluster Type: Multi-AZ DB clusters CACertificateIdentifier *string `type:"string"` @@ -47226,7 +47234,7 @@ type ModifyDBClusterInput struct { // // * Aurora DB clusters - aurora | aurora-iopt1 // - // * Multi-AZ DB clusters - io1 + // * Multi-AZ DB clusters - io1 | io2 | gp3 // // Default: // @@ -48650,7 +48658,7 @@ type ModifyDBInstanceInput struct { // The storage type to associate with the DB instance. // - // If you specify io1), io2, or gp3 you must also include a value for the Iops + // If you specify io1, io2, or gp3 you must also include a value for the Iops // parameter. // // If you choose to migrate your DB instance from using standard storage to diff --git a/service/snowball/api.go b/service/snowball/api.go index 08d82b80d6..9b0872559b 100644 --- a/service/snowball/api.go +++ b/service/snowball/api.go 
@@ -5188,7 +5188,7 @@ func (s *DeviceConfiguration) SetSnowconeDeviceConfiguration(v *SnowconeDeviceCo type EKSOnDeviceServiceConfiguration struct { _ struct{} `type:"structure"` - // The version of EKS Anywhere on the Snow Family device. + // The optional version of EKS Anywhere on the Snow Family device. EKSAnywhereVersion *string `min:"1" type:"string"` // The Kubernetes version for EKS Anywhere on the Snow Family device. diff --git a/service/wafv2/api.go b/service/wafv2/api.go index 1ffe109326..0d89fa526b 100644 --- a/service/wafv2/api.go +++ b/service/wafv2/api.go @@ -1979,6 +1979,21 @@ func (c *WAFV2) DescribeAllManagedProductsRequest(input *DescribeAllManagedProdu // Your request is valid, but WAF couldn’t perform the operation because of // a system problem. Retry your request. // +// - WAFInvalidParameterException +// The operation failed because WAF didn't recognize a parameter in the request. +// For example: +// +// - You specified a parameter name or value that isn't valid. +// +// - Your nested statement isn't valid. You might have tried to nest a statement +// that can’t be nested. +// +// - You tried to update a WebACL with a DefaultAction that isn't among the +// types available at DefaultAction. +// +// - Your request references an ARN that is malformed, or corresponds to +// a resource with which a web ACL can't be associated. +// // See also, https://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DescribeAllManagedProducts func (c *WAFV2) DescribeAllManagedProducts(input *DescribeAllManagedProductsInput) (*DescribeAllManagedProductsOutput, error) { req, out := c.DescribeAllManagedProductsRequest(input) 
@@ -2511,6 +2526,12 @@ func (c *WAFV2) GetDecryptedAPIKeyRequest(input *GetDecryptedAPIKeyInput) (req * // Your request is valid, but WAF couldn’t perform the operation because of // a system problem. Retry your request. // +// - WAFNonexistentItemException +// WAF couldn’t perform the operation because your resource doesn't exist. +// If you've just created a resource that you're using in this operation, you +// might just need to wait a few minutes. It can take from a few seconds to +// a number of minutes for changes to propagate. +// // - WAFInvalidParameterException // The operation failed because WAF didn't recognize a parameter in the request. // For example: 
@@ -7276,22 +7297,32 @@ func (s AssociateWebACLOutput) GoString() string { // and protected resources. // // Use this to customize the maximum size of the request body that your protected -// CloudFront distributions forward to WAF for inspection. The default is 16 -// KB (16,384 bytes). +// resources forward to WAF for inspection. You can customize this setting for +// CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. +// The default setting is 16 KB (16,384 bytes). // // You are charged additional fees when your protected resources forward body // sizes that are larger than the default. For more information, see WAF Pricing // (http://aws.amazon.com/waf/pricing/). +// +// For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 +// bytes). type AssociationConfig struct { _ struct{} `type:"structure"` - // Customizes the maximum size of the request body that your protected CloudFront - // distributions forward to WAF for inspection. The default size is 16 KB (16,384 - // bytes). + // Customizes the maximum size of the request body that your protected CloudFront, + // API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward + // to WAF for inspection. The default size is 16 KB (16,384 bytes). You can + // change the setting for any of the available resource types. // // You are charged additional fees when your protected resources forward body // sizes that are larger than the default. For more information, see WAF Pricing // (http://aws.amazon.com/waf/pricing/). + // + // Example JSON: { "API_GATEWAY": "KB_48", "APP_RUNNER_SERVICE": "KB_32" } + // + // For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 + // bytes). RequestBody map[string]*RequestBodyAssociatedResourceTypeConfig `type:"map"` } 
@@ -7402,16 +7433,20 @@ func (s *BlockAction) SetCustomResponse(v *CustomResponse) *BlockAction { type Body struct { _ struct{} `type:"structure"` - // What WAF should do if the body is larger than WAF can inspect. WAF does not - // support inspecting the entire contents of the web request body if the body - // exceeds the limit for the resource type. If the body is larger than the limit, - // the underlying host service only forwards the contents that are below the - // limit to WAF for inspection. + // What WAF should do if the body is larger than WAF can inspect. + // + // WAF does not support inspecting the entire contents of the web request body + // if the body exceeds the limit for the resource type. When a web request body + // is larger than the limit, the underlying host service only forwards the contents + // that are within the limit to WAF for inspection. // - // The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB - // (16,384 bytes) for CloudFront distributions. For CloudFront distributions, - // you can increase the limit in the web ACL AssociationConfig, for additional - // processing fees. + // * For Application Load Balancer and AppSync, the limit is fixed at 8 KB + // (8,192 bytes). + // + // * For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified + // Access, the default limit is 16 KB (16,384 bytes), and you can increase + // the limit for each resource type in the web ACL AssociationConfig, for + // additional processing fees. // // The options for oversize handling are the following: // 
@@ -9165,12 +9200,16 @@ type CreateWebACLInput struct { // and protected resources. // // Use this to customize the maximum size of the request body that your protected - // CloudFront distributions forward to WAF for inspection. The default is 16 - // KB (16,384 bytes). + // resources forward to WAF for inspection. You can customize this setting for + // CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. + // The default setting is 16 KB (16,384 bytes). // // You are charged additional fees when your protected resources forward body // sizes that are larger than the default. For more information, see WAF Pricing // (http://aws.amazon.com/waf/pricing/). + // + // For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 + // bytes). AssociationConfig *AssociationConfig `type:"structure"` // Specifies how WAF should handle CAPTCHA evaluations for rules that don't 
@@ -11389,20 +11428,27 @@ func (s *ExcludedRule) SetName(v string) *ExcludedRule { return s } -// The part of the web request that you want WAF to inspect. Include the single -// FieldToMatch type that you want to inspect, with additional specifications -// as needed, according to the type. You specify a single request component -// in FieldToMatch for each rule statement that requires it. To inspect more -// than one component of the web request, create a separate rule statement for -// each component. -// -// Example JSON for a QueryString field to match: -// -// "FieldToMatch": { "QueryString": {} } -// -// Example JSON for a Method field to match specification: -// -// "FieldToMatch": { "Method": { "Name": "DELETE" } } +// Specifies a web request component to be used in a rule match statement or +// in a logging configuration. +// +// - In a rule statement, this is the part of the web request that you want +// WAF to inspect. Include the single FieldToMatch type that you want to +// inspect, with additional specifications as needed, according to the type. +// You specify a single request component in FieldToMatch for each rule statement +// that requires it. To inspect more than one component of the web request, +// create a separate rule statement for each component. Example JSON for +// a QueryString field to match: "FieldToMatch": { "QueryString": {} } Example +// JSON for a Method field to match specification: "FieldToMatch": { "Method": +// { "Name": "DELETE" } } +// +// - In a logging configuration, this is used in the RedactedFields property +// to specify a field to redact from the logging records. For this use case, +// note the following: Even though all FieldToMatch settings are available, +// the only valid settings for field redaction are UriPath, QueryString, +// SingleHeader, and Method. 
In this documentation, the descriptions of the +// individual fields talk about specifying the web request component to inspect, +// but for field redaction, you are specifying the component type to redact +// from the logs. type FieldToMatch struct { _ struct{} `type:"structure"` @@ -11414,11 +11460,18 @@ type FieldToMatch struct { // data that you want to send to your web server as the HTTP request body, such // as data from a form. // - // A limited amount of the request body is forwarded to WAF for inspection by - // the underlying host service. For regional resources, the limit is 8 KB (8,192 - // bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). - // For CloudFront distributions, you can increase the limit in the web ACL's - // AssociationConfig, for additional processing fees. + // WAF does not support inspecting the entire contents of the web request body + // if the body exceeds the limit for the resource type. When a web request body + // is larger than the limit, the underlying host service only forwards the contents + // that are within the limit to WAF for inspection. + // + // * For Application Load Balancer and AppSync, the limit is fixed at 8 KB + // (8,192 bytes). + // + // * For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified + // Access, the default limit is 16 KB (16,384 bytes), and you can increase + // the limit for each resource type in the web ACL AssociationConfig, for + // additional processing fees. // // For information about how to handle oversized request bodies, see the Body // object configuration. 
@@ -11476,11 +11529,18 @@ type FieldToMatch struct { // data that you want to send to your web server as the HTTP request body, such // as data from a form. // - // A limited amount of the request body is forwarded to WAF for inspection by - // the underlying host service. For regional resources, the limit is 8 KB (8,192 - // bytes) and for CloudFront distributions, the limit is 16 KB (16,384 bytes). - // For CloudFront distributions, you can increase the limit in the web ACL's - // AssociationConfig, for additional processing fees. + // WAF does not support inspecting the entire contents of the web request body + // if the body exceeds the limit for the resource type. When a web request body + // is larger than the limit, the underlying host service only forwards the contents + // that are within the limit to WAF for inspection. + // + // * For Application Load Balancer and AppSync, the limit is fixed at 8 KB + // (8,192 bytes). + // + // * For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified + // Access, the default limit is 16 KB (16,384 bytes), and you can increase + // the limit for each resource type in the web ACL AssociationConfig, for + // additional processing fees. // // For information about how to handle oversized request bodies, see the JsonBody // object configuration. 
@@ -14705,16 +14765,20 @@ type JsonBody struct { // MatchScope is a required field MatchScope *string `type:"string" required:"true" enum:"JsonMatchScope"` - // What WAF should do if the body is larger than WAF can inspect. WAF does not - // support inspecting the entire contents of the web request body if the body - // exceeds the limit for the resource type. If the body is larger than the limit, - // the underlying host service only forwards the contents that are below the - // limit to WAF for inspection. + // What WAF should do if the body is larger than WAF can inspect. // - // The default limit is 8 KB (8,192 bytes) for regional resources and 16 KB - // (16,384 bytes) for CloudFront distributions. For CloudFront distributions, - // you can increase the limit in the web ACL AssociationConfig, for additional - // processing fees. + // WAF does not support inspecting the entire contents of the web request body + // if the body exceeds the limit for the resource type. When a web request body + // is larger than the limit, the underlying host service only forwards the contents + // that are within the limit to WAF for inspection. + // + // * For Application Load Balancer and AppSync, the limit is fixed at 8 KB + // (8,192 bytes). + // + // * For CloudFront, API Gateway, Amazon Cognito, App Runner, and Verified + // Access, the default limit is 16 KB (16,384 bytes), and you can increase + // the limit for each resource type in the web ACL AssociationConfig, for + // additional processing fees. // // The options for oversize handling are the following: // 
@@ -17271,7 +17335,7 @@ type ManagedRuleGroupStatement struct { // how the rule group would handle your web traffic. You can also permanently // override some or all actions, to modify how the rule group manages your web // traffic. - RuleActionOverrides []*RuleActionOverride `min:"1" type:"list"` + RuleActionOverrides []*RuleActionOverride `type:"list"` // An optional nested statement that narrows the scope of the web requests that // are evaluated by the managed rule group. Requests are only evaluated by the @@ -17320,9 +17384,6 @@ func (s *ManagedRuleGroupStatement) Validate() error { if s.Name != nil && len(*s.Name) < 1 { invalidParams.Add(request.NewErrParamMinLen("Name", 1)) } - if s.RuleActionOverrides != nil && len(s.RuleActionOverrides) < 1 { - invalidParams.Add(request.NewErrParamMinLen("RuleActionOverrides", 1)) - } if s.VendorName == nil { invalidParams.Add(request.NewErrParamRequired("VendorName")) } @@ -18783,6 +18844,10 @@ func (s QueryString) GoString() string { // to your aggregation criteria, collects them into aggregation instances, and // counts and rate limits the requests for each instance. // +// If you change any of these settings in a rule that's currently in use, the +// change resets the rule's rate limiting counts. This can pause the rule's +// rate limiting activities for up to a minute. +// // You can specify individual aggregation keys, like IP address or HTTP method. // You can also specify aggregation key combinations, like IP address and HTTP // method, or HTTP method, query argument, and cookie. 
@@ -18891,7 +18956,7 @@ type RateBasedStatement struct { AggregateKeyType *string `type:"string" required:"true" enum:"RateBasedStatementAggregateKeyType"` // Specifies the aggregate keys to use in a rate-base rule. - CustomKeys []*RateBasedStatementCustomKey `min:"1" type:"list"` + CustomKeys []*RateBasedStatementCustomKey `type:"list"` // The amount of time, in seconds, that WAF should include in its request counts, // looking back from the current time. For example, for a setting of 120, when @@ -18964,9 +19029,6 @@ func (s *RateBasedStatement) Validate() error { if s.AggregateKeyType == nil { invalidParams.Add(request.NewErrParamRequired("AggregateKeyType")) } - if s.CustomKeys != nil && len(s.CustomKeys) < 1 { - invalidParams.Add(request.NewErrParamMinLen("CustomKeys", 1)) - } if s.Limit == nil { invalidParams.Add(request.NewErrParamRequired("Limit")) } 
@@ -20294,21 +20356,28 @@ func (s *ReleaseSummary) SetTimestamp(v time.Time) *ReleaseSummary { return s } -// Customizes the maximum size of the request body that your protected CloudFront -// distributions forward to WAF for inspection. The default size is 16 KB (16,384 -// bytes). +// Customizes the maximum size of the request body that your protected CloudFront, +// API Gateway, Amazon Cognito, App Runner, and Verified Access resources forward +// to WAF for inspection. The default size is 16 KB (16,384 bytes). You can +// change the setting for any of the available resource types. // // You are charged additional fees when your protected resources forward body // sizes that are larger than the default. For more information, see WAF Pricing // (http://aws.amazon.com/waf/pricing/). // +// Example JSON: { "API_GATEWAY": "KB_48", "APP_RUNNER_SERVICE": "KB_32" } +// +// For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 +// bytes). +// // This is used in the AssociationConfig of the web ACL. type RequestBodyAssociatedResourceTypeConfig struct { _ struct{} `type:"structure"` // Specifies the maximum size of the web request body component that an associated - // CloudFront distribution should send to WAF for inspection. This applies to - // statements in the web ACL that inspect the body or JSON body. + // CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resource + // should send to WAF for inspection. This applies to statements in the web + // ACL that inspect the body or JSON body. // // Default: 16 KB (16,384 bytes) // @@ -21805,7 +21874,7 @@ type RuleGroupReferenceStatement struct { // how the rule group would handle your web traffic. You can also permanently // override some or all actions, to modify how the rule group manages your web // traffic. - RuleActionOverrides []*RuleActionOverride `min:"1" type:"list"` + RuleActionOverrides []*RuleActionOverride `type:"list"` } // String returns the string representation. 
@@ -21835,9 +21904,6 @@ func (s *RuleGroupReferenceStatement) Validate() error { if s.ARN != nil && len(*s.ARN) < 20 { invalidParams.Add(request.NewErrParamMinLen("ARN", 20)) } - if s.RuleActionOverrides != nil && len(s.RuleActionOverrides) < 1 { - invalidParams.Add(request.NewErrParamMinLen("RuleActionOverrides", 1)) - } if s.ExcludedRules != nil { for i, v := range s.ExcludedRules { if v == nil { @@ -22275,13 +22341,12 @@ func (s *SingleQueryArgument) SetName(v string) *SingleQueryArgument { // query strings that are longer than 100 bytes. // // If you configure WAF to inspect the request body, WAF inspects only the number -// of bytes of the body up to the limit for the web ACL. By default, for regional -// web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this -// limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase -// the limit in the web ACL AssociationConfig, for additional fees. If you know -// that the request body for your web requests should never exceed the inspection -// limit, you could use a size constraint statement to block requests that have -// a larger request body size. +// of bytes in the body up to the limit for the web ACL and protected resource +// type. If you know that the request body for your web requests should never +// exceed the inspection limit, you can use a size constraint statement to block +// requests that have a larger request body size. For more information about +// the inspection limits, see Body and JsonBody settings for the FieldToMatch +// data type. // // If you choose URI for the value of Part of the request to filter on, the // slash (/) in the URI counts as one character. For example, the URI /logo.jpg 
@@ -22609,6 +22674,10 @@ type Statement struct { // to your aggregation criteria, collects them into aggregation instances, and // counts and rate limits the requests for each instance. // + // If you change any of these settings in a rule that's currently in use, the + // change resets the rule's rate limiting counts. This can pause the rule's + // rate limiting activities for up to a minute. + // // You can specify individual aggregation keys, like IP address or HTTP method. // You can also specify aggregation key combinations, like IP address and HTTP // method, or HTTP method, query argument, and cookie. @@ -22717,13 +22786,12 @@ type Statement struct { // query strings that are longer than 100 bytes. // // If you configure WAF to inspect the request body, WAF inspects only the number - // of bytes of the body up to the limit for the web ACL. By default, for regional - // web ACLs, this limit is 8 KB (8,192 bytes) and for CloudFront web ACLs, this - // limit is 16 KB (16,384 bytes). For CloudFront web ACLs, you can increase - // the limit in the web ACL AssociationConfig, for additional fees. If you know - // that the request body for your web requests should never exceed the inspection - // limit, you could use a size constraint statement to block requests that have - // a larger request body size. + // of bytes in the body up to the limit for the web ACL and protected resource + // type. If you know that the request body for your web requests should never + // exceed the inspection limit, you can use a size constraint statement to block + // requests that have a larger request body size. For more information about + // the inspection limits, see Body and JsonBody settings for the FieldToMatch + // data type. // // If you choose URI for the value of Part of the request to filter on, the // slash (/) in the URI counts as one character. For example, the URI /logo.jpg 
@@ -24247,12 +24315,16 @@ type UpdateWebACLInput struct { // and protected resources. // // Use this to customize the maximum size of the request body that your protected - // CloudFront distributions forward to WAF for inspection. The default is 16 - // KB (16,384 bytes). + // resources forward to WAF for inspection. You can customize this setting for + // CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. + // The default setting is 16 KB (16,384 bytes). // // You are charged additional fees when your protected resources forward body // sizes that are larger than the default. For more information, see WAF Pricing // (http://aws.amazon.com/waf/pricing/). + // + // For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 + // bytes). AssociationConfig *AssociationConfig `type:"structure"` // Specifies how WAF should handle CAPTCHA evaluations for rules that don't @@ -25463,6 +25535,9 @@ type WAFLimitsExceededException struct { RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` Message_ *string `locationName:"Message" type:"string"` + + // Source type for the exception. + SourceType *string `type:"string"` } // String returns the string representation. @@ -25508,7 +25583,7 @@ func (s *WAFLimitsExceededException) OrigErr() error { } func (s *WAFLimitsExceededException) Error() string { - return fmt.Sprintf("%s: %s", s.Code(), s.Message()) + return fmt.Sprintf("%s: %s\n%s", s.Code(), s.Message(), s.String()) } // Status code returns the HTTP status code for the request's response error. 
@@ -26144,12 +26219,16 @@ type WebACL struct { // and protected resources. // // Use this to customize the maximum size of the request body that your protected - // CloudFront distributions forward to WAF for inspection. The default is 16 - // KB (16,384 bytes). + // resources forward to WAF for inspection. You can customize this setting for + // CloudFront, API Gateway, Amazon Cognito, App Runner, or Verified Access resources. + // The default setting is 16 KB (16,384 bytes). // // You are charged additional fees when your protected resources forward body // sizes that are larger than the default. For more information, see WAF Pricing // (http://aws.amazon.com/waf/pricing/). + // + // For Application Load Balancer and AppSync, the limit is fixed at 8 KB (8,192 + // bytes). AssociationConfig *AssociationConfig `type:"structure"` // The web ACL capacity units (WCUs) currently being used by this web ACL. 
@@ -26592,12 +26671,28 @@ func ActionValue_Values() []string { const ( // AssociatedResourceTypeCloudfront is a AssociatedResourceType enum value AssociatedResourceTypeCloudfront = "CLOUDFRONT" + + // AssociatedResourceTypeApiGateway is a AssociatedResourceType enum value + AssociatedResourceTypeApiGateway = "API_GATEWAY" + + // AssociatedResourceTypeCognitoUserPool is a AssociatedResourceType enum value + AssociatedResourceTypeCognitoUserPool = "COGNITO_USER_POOL" + + // AssociatedResourceTypeAppRunnerService is a AssociatedResourceType enum value + AssociatedResourceTypeAppRunnerService = "APP_RUNNER_SERVICE" + + // AssociatedResourceTypeVerifiedAccessInstance is a AssociatedResourceType enum value + AssociatedResourceTypeVerifiedAccessInstance = "VERIFIED_ACCESS_INSTANCE" ) // AssociatedResourceType_Values returns all elements of the AssociatedResourceType enum func AssociatedResourceType_Values() []string { return []string{ AssociatedResourceTypeCloudfront, + AssociatedResourceTypeApiGateway, + AssociatedResourceTypeCognitoUserPool, + AssociatedResourceTypeAppRunnerService, + AssociatedResourceTypeVerifiedAccessInstance, } } diff --git a/service/workspaces/api.go b/service/workspaces/api.go index 459abc8c38..b7659f5e8a 100644 --- a/service/workspaces/api.go +++ b/service/workspaces/api.go @@ -1347,6 +1347,8 @@ func (c *WorkSpaces) CreateWorkspacesRequest(input *CreateWorkspacesInput) (req // - You don't need to specify the PCOIP protocol for Linux bundles because // WSP is the default protocol for those bundles. // +// - User-decoupled WorkSpaces are only supported by Amazon WorkSpaces Core. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. 
@@ -5824,7 +5826,9 @@ func (c *WorkSpaces) RebootWorkspacesRequest(input *RebootWorkspacesInput) (req // // Reboots the specified WorkSpaces. // -// You cannot reboot a WorkSpace unless its state is AVAILABLE or UNHEALTHY. +// You cannot reboot a WorkSpace unless its state is AVAILABLE, UNHEALTHY, or +// REBOOTING. Reboot a WorkSpace in the REBOOTING state only if your WorkSpace +// has been stuck in the REBOOTING state for over 20 minutes. // // This operation is asynchronous and returns before the WorkSpaces have rebooted. // 
@@ -18469,6 +18473,45 @@ type Workspace struct { // The operational state of the WorkSpace. // + // * PENDING – The WorkSpace is in a waiting state (for example, the WorkSpace + // is being created). + // + // * AVAILABLE – The WorkSpace is running and has passed the health checks. + // + // * IMPAIRED – Refer to UNHEALTHY state. + // + // * UNHEALTHY – The WorkSpace is not responding to health checks. + // + // * REBOOTING – The WorkSpace is being rebooted (restarted). + // + // * STARTING – The WorkSpace is starting up and health checks are being + // run. + // + // * REBUILDING – The WorkSpace is being rebuilt. + // + // * RESTORING – The WorkSpace is being restored. + // + // * MAINTENANCE – The WorkSpace is undergoing scheduled maintenance by + // Amazon Web Services. + // + // * ADMIN_MAINTENANCE – The WorkSpace is undergoing maintenance by the + // WorkSpaces administrator. + // + // * TERMINATING – The WorkSpace is being deleted. + // + // * TERMINATED – The WorkSpace has been deleted. + // + // * SUSPENDED – The WorkSpace has been suspended for image creation. + // + // * UPDATING – The WorkSpace is undergoing an update. + // + // * STOPPING – The WorkSpace is being stopped. + // + // * STOPPED – The WorkSpace has been stopped. + // + // * ERROR – The WorkSpace is an error state (for example, an error occurred + // during startup). + // // After a WorkSpace is terminated, the TERMINATED state is returned only briefly // before the WorkSpace directory metadata is cleaned up, so this state is rarely // returned. To confirm that a WorkSpace is terminated, check for the WorkSpace