diff --git a/LICENSE b/LICENSE
new file mode 100644
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,367 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
diff --git a/README.md b/README.md
new file mode 100644
--- /dev/null
+++ b/README.md
@@ -0,0 +1,44 @@
+# Amazon IoT Secure Tunneling SDK
+
+* [Version](#version)
+* [Description](#description)
+* [Contribute](#contribute)
+* [Licence](#licence)
+
+
+## Version
+ 
+`2.0` - Derived from API version @2018-10-05@ of the AWS service descriptions, licensed under Apache 2.0.
+
+## Description
+
+Documentation is available via [Hackage](http://hackage.haskell.org/package/amazonka-iotsecuretunneling)
+and the [AWS API Reference](https://aws.amazon.com/documentation/).
+
+The types from this library are intended to be used with [amazonka](http://hackage.haskell.org/package/amazonka),
+which provides mechanisms for specifying AuthN/AuthZ information, sending requests,
+and receiving responses.
+
+Lenses are used for constructing and manipulating types,
+due to the depth of nesting of AWS types and transparency regarding
+de/serialisation into more palatable Haskell values.
+The provided lenses should be compatible with any of the major lens libraries
+[lens](http://hackage.haskell.org/package/lens) or [lens-family-core](http://hackage.haskell.org/package/lens-family-core).
+
+See [Amazonka.IoTSecureTunneling](http://hackage.haskell.org/package/amazonka-iotsecuretunneling/docs/Amazonka-IoTSecureTunneling.html)
+or [the AWS documentation](https://aws.amazon.com/documentation/) to get started.
+
+
+## Contribute
+
+For any problems, comments, or feedback please create an issue [here on GitHub](https://github.com/brendanhay/amazonka/issues).
+
+> _Note:_ this library is an auto-generated Haskell package. Please see `amazonka-gen` for more information.
+
+
+## Licence
+
+`amazonka-iotsecuretunneling` is released under the [Mozilla Public License Version 2.0](http://www.mozilla.org/MPL/).
+
+Parts of the code are derived from AWS service descriptions, licensed under Apache 2.0.
+Source files subject to this contain an additional licensing clause in their header.
diff --git a/amazonka-iotsecuretunneling.cabal b/amazonka-iotsecuretunneling.cabal
new file mode 100644
--- /dev/null
+++ b/amazonka-iotsecuretunneling.cabal
@@ -0,0 +1,100 @@
+cabal-version:      2.2
+name:               amazonka-iotsecuretunneling
+version:            2.0
+synopsis:           Amazon IoT Secure Tunneling SDK.
+homepage:           https://github.com/brendanhay/amazonka
+bug-reports:        https://github.com/brendanhay/amazonka/issues
+license:            MPL-2.0
+license-file:       LICENSE
+author:             Brendan Hay
+maintainer:
+  Brendan Hay <brendan.g.hay+amazonka@gmail.com>, Jack Kelly <jack@jackkelly.name>
+
+copyright:          Copyright (c) 2013-2023 Brendan Hay
+category:           AWS
+build-type:         Simple
+extra-source-files:
+  fixture/*.proto
+  fixture/*.yaml
+  README.md
+  src/.gitkeep
+
+description:
+  Derived from API version @2018-10-05@ of the AWS service descriptions, licensed under Apache 2.0.
+  .
+  The types from this library are intended to be used with <http://hackage.haskell.org/package/amazonka amazonka>,
+  which provides mechanisms for specifying AuthN/AuthZ information, sending requests, and receiving responses.
+  .
+  It is recommended to use generic lenses or optics from packages such as <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify optional fields and deconstruct responses.
+  .
+  Generated lenses can be found in "Amazonka.IoTSecureTunneling.Lens" and are
+  suitable for use with a lens package such as <http://hackage.haskell.org/package/lens lens> or <http://hackage.haskell.org/package/lens-family-core lens-family-core>.
+  .
+  See "Amazonka.IoTSecureTunneling" and the <https://aws.amazon.com/documentation/ AWS documentation> to get started.
+
+source-repository head
+  type:     git
+  location: git://github.com/brendanhay/amazonka.git
+  subdir:   amazonka-iotsecuretunneling
+
+library
+  default-language: Haskell2010
+  hs-source-dirs:   src gen
+  ghc-options:
+    -Wall -fwarn-incomplete-uni-patterns
+    -fwarn-incomplete-record-updates -funbox-strict-fields
+
+  exposed-modules:
+    Amazonka.IoTSecureTunneling
+    Amazonka.IoTSecureTunneling.CloseTunnel
+    Amazonka.IoTSecureTunneling.DescribeTunnel
+    Amazonka.IoTSecureTunneling.Lens
+    Amazonka.IoTSecureTunneling.ListTagsForResource
+    Amazonka.IoTSecureTunneling.ListTunnels
+    Amazonka.IoTSecureTunneling.OpenTunnel
+    Amazonka.IoTSecureTunneling.RotateTunnelAccessToken
+    Amazonka.IoTSecureTunneling.TagResource
+    Amazonka.IoTSecureTunneling.Types
+    Amazonka.IoTSecureTunneling.Types.ClientMode
+    Amazonka.IoTSecureTunneling.Types.ConnectionState
+    Amazonka.IoTSecureTunneling.Types.ConnectionStatus
+    Amazonka.IoTSecureTunneling.Types.DestinationConfig
+    Amazonka.IoTSecureTunneling.Types.Tag
+    Amazonka.IoTSecureTunneling.Types.TimeoutConfig
+    Amazonka.IoTSecureTunneling.Types.Tunnel
+    Amazonka.IoTSecureTunneling.Types.TunnelStatus
+    Amazonka.IoTSecureTunneling.Types.TunnelSummary
+    Amazonka.IoTSecureTunneling.UntagResource
+    Amazonka.IoTSecureTunneling.Waiters
+
+  build-depends:
+    , amazonka-core  >=2.0  && <2.1
+    , base           >=4.12 && <5
+
+test-suite amazonka-iotsecuretunneling-test
+  type:             exitcode-stdio-1.0
+  default-language: Haskell2010
+  hs-source-dirs:   test
+  main-is:          Main.hs
+  ghc-options:      -Wall -threaded
+
+  -- This section is encoded by the template and any modules added by
+  -- hand outside these namespaces will not correctly be added to the
+  -- distribution package.
+  other-modules:
+    Test.Amazonka.Gen.IoTSecureTunneling
+    Test.Amazonka.IoTSecureTunneling
+    Test.Amazonka.IoTSecureTunneling.Internal
+
+  build-depends:
+    , amazonka-core                >=2.0 && <2.1
+    , amazonka-iotsecuretunneling
+    , amazonka-test                >=2.0 && <2.1
+    , base
+    , bytestring
+    , case-insensitive
+    , tasty
+    , tasty-hunit
+    , text
+    , time
+    , unordered-containers
diff --git a/fixture/CloseTunnel.yaml b/fixture/CloseTunnel.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/CloseTunnel.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/api.tunneling.iot/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  api.tunneling.iot.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/CloseTunnelResponse.proto b/fixture/CloseTunnelResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/CloseTunnelResponse.proto
diff --git a/fixture/DescribeTunnel.yaml b/fixture/DescribeTunnel.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeTunnel.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/api.tunneling.iot/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  api.tunneling.iot.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DescribeTunnelResponse.proto b/fixture/DescribeTunnelResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeTunnelResponse.proto
diff --git a/fixture/ListTagsForResource.yaml b/fixture/ListTagsForResource.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/ListTagsForResource.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/api.tunneling.iot/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  api.tunneling.iot.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/ListTagsForResourceResponse.proto b/fixture/ListTagsForResourceResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/ListTagsForResourceResponse.proto
diff --git a/fixture/ListTunnels.yaml b/fixture/ListTunnels.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/ListTunnels.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/api.tunneling.iot/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  api.tunneling.iot.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/ListTunnelsResponse.proto b/fixture/ListTunnelsResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/ListTunnelsResponse.proto
diff --git a/fixture/OpenTunnel.yaml b/fixture/OpenTunnel.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/OpenTunnel.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/api.tunneling.iot/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  api.tunneling.iot.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/OpenTunnelResponse.proto b/fixture/OpenTunnelResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/OpenTunnelResponse.proto
diff --git a/fixture/RotateTunnelAccessToken.yaml b/fixture/RotateTunnelAccessToken.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/RotateTunnelAccessToken.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/api.tunneling.iot/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  api.tunneling.iot.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/RotateTunnelAccessTokenResponse.proto b/fixture/RotateTunnelAccessTokenResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/RotateTunnelAccessTokenResponse.proto
diff --git a/fixture/TagResource.yaml b/fixture/TagResource.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/TagResource.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/api.tunneling.iot/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  api.tunneling.iot.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/TagResourceResponse.proto b/fixture/TagResourceResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/TagResourceResponse.proto
diff --git a/fixture/UntagResource.yaml b/fixture/UntagResource.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UntagResource.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/api.tunneling.iot/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  api.tunneling.iot.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UntagResourceResponse.proto b/fixture/UntagResourceResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UntagResourceResponse.proto
diff --git a/gen/Amazonka/IoTSecureTunneling.hs b/gen/Amazonka/IoTSecureTunneling.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling.hs
@@ -0,0 +1,162 @@
+{-# OPTIONS_GHC -fno-warn-duplicate-exports #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Derived from API version @2018-10-05@ of the AWS service descriptions, licensed under Apache 2.0.
+--
+-- IoT Secure Tunneling
+--
+-- IoT Secure Tunneling creates remote connections to devices deployed in
+-- the field.
+--
+-- For more information about how IoT Secure Tunneling works, see
+-- <https://docs.aws.amazon.com/iot/latest/developerguide/secure-tunneling.html IoT Secure Tunneling>.
+module Amazonka.IoTSecureTunneling
+  ( -- * Service Configuration
+    defaultService,
+
+    -- * Errors
+    -- $errors
+
+    -- ** LimitExceededException
+    _LimitExceededException,
+
+    -- ** ResourceNotFoundException
+    _ResourceNotFoundException,
+
+    -- * Waiters
+    -- $waiters
+
+    -- * Operations
+    -- $operations
+
+    -- ** CloseTunnel
+    CloseTunnel (CloseTunnel'),
+    newCloseTunnel,
+    CloseTunnelResponse (CloseTunnelResponse'),
+    newCloseTunnelResponse,
+
+    -- ** DescribeTunnel
+    DescribeTunnel (DescribeTunnel'),
+    newDescribeTunnel,
+    DescribeTunnelResponse (DescribeTunnelResponse'),
+    newDescribeTunnelResponse,
+
+    -- ** ListTagsForResource
+    ListTagsForResource (ListTagsForResource'),
+    newListTagsForResource,
+    ListTagsForResourceResponse (ListTagsForResourceResponse'),
+    newListTagsForResourceResponse,
+
+    -- ** ListTunnels
+    ListTunnels (ListTunnels'),
+    newListTunnels,
+    ListTunnelsResponse (ListTunnelsResponse'),
+    newListTunnelsResponse,
+
+    -- ** OpenTunnel
+    OpenTunnel (OpenTunnel'),
+    newOpenTunnel,
+    OpenTunnelResponse (OpenTunnelResponse'),
+    newOpenTunnelResponse,
+
+    -- ** RotateTunnelAccessToken
+    RotateTunnelAccessToken (RotateTunnelAccessToken'),
+    newRotateTunnelAccessToken,
+    RotateTunnelAccessTokenResponse (RotateTunnelAccessTokenResponse'),
+    newRotateTunnelAccessTokenResponse,
+
+    -- ** TagResource
+    TagResource (TagResource'),
+    newTagResource,
+    TagResourceResponse (TagResourceResponse'),
+    newTagResourceResponse,
+
+    -- ** UntagResource
+    UntagResource (UntagResource'),
+    newUntagResource,
+    UntagResourceResponse (UntagResourceResponse'),
+    newUntagResourceResponse,
+
+    -- * Types
+
+    -- ** ClientMode
+    ClientMode (..),
+
+    -- ** ConnectionStatus
+    ConnectionStatus (..),
+
+    -- ** TunnelStatus
+    TunnelStatus (..),
+
+    -- ** ConnectionState
+    ConnectionState (ConnectionState'),
+    newConnectionState,
+
+    -- ** DestinationConfig
+    DestinationConfig (DestinationConfig'),
+    newDestinationConfig,
+
+    -- ** Tag
+    Tag (Tag'),
+    newTag,
+
+    -- ** TimeoutConfig
+    TimeoutConfig (TimeoutConfig'),
+    newTimeoutConfig,
+
+    -- ** Tunnel
+    Tunnel (Tunnel'),
+    newTunnel,
+
+    -- ** TunnelSummary
+    TunnelSummary (TunnelSummary'),
+    newTunnelSummary,
+  )
+where
+
+import Amazonka.IoTSecureTunneling.CloseTunnel
+import Amazonka.IoTSecureTunneling.DescribeTunnel
+import Amazonka.IoTSecureTunneling.Lens
+import Amazonka.IoTSecureTunneling.ListTagsForResource
+import Amazonka.IoTSecureTunneling.ListTunnels
+import Amazonka.IoTSecureTunneling.OpenTunnel
+import Amazonka.IoTSecureTunneling.RotateTunnelAccessToken
+import Amazonka.IoTSecureTunneling.TagResource
+import Amazonka.IoTSecureTunneling.Types
+import Amazonka.IoTSecureTunneling.UntagResource
+import Amazonka.IoTSecureTunneling.Waiters
+
+-- $errors
+-- Error matchers are designed for use with the functions provided by
+-- <http://hackage.haskell.org/package/lens/docs/Control-Exception-Lens.html Control.Exception.Lens>.
+-- This allows catching (and rethrowing) service specific errors returned
+-- by 'IoTSecureTunneling'.
+
+-- $operations
+-- Some AWS operations return results that are incomplete and require subsequent
+-- requests in order to obtain the entire result set. The process of sending
+-- subsequent requests to continue where a previous request left off is called
+-- pagination. For example, the 'ListObjects' operation of Amazon S3 returns up to
+-- 1000 objects at a time, and you must send subsequent requests with the
+-- appropriate Marker in order to retrieve the next page of results.
+--
+-- Operations that have an 'AWSPager' instance can transparently perform subsequent
+-- requests, correctly setting Markers and other request facets to iterate through
+-- the entire result set of a truncated API operation. Operations which support
+-- this have an additional note in the documentation.
+--
+-- Many operations have the ability to filter results on the server side. See the
+-- individual operation parameters for details.
+
+-- $waiters
+-- Waiters poll by repeatedly sending a request until some remote success condition
+-- configured by the 'Wait' specification is fulfilled. The 'Wait' specification
+-- determines how many attempts should be made, in addition to delay and retry strategies.
diff --git a/gen/Amazonka/IoTSecureTunneling/CloseTunnel.hs b/gen/Amazonka/IoTSecureTunneling/CloseTunnel.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/CloseTunnel.hs
@@ -0,0 +1,177 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.CloseTunnel
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Closes a tunnel identified by the unique tunnel id. When a @CloseTunnel@
+-- request is received, we close the WebSocket connections between the
+-- client and proxy server so no data can be transmitted.
+--
+-- Requires permission to access the
+-- <https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions CloseTunnel>
+-- action.
+module Amazonka.IoTSecureTunneling.CloseTunnel
+  ( -- * Creating a Request
+    CloseTunnel (..),
+    newCloseTunnel,
+
+    -- * Request Lenses
+    closeTunnel_delete,
+    closeTunnel_tunnelId,
+
+    -- * Destructuring the Response
+    CloseTunnelResponse (..),
+    newCloseTunnelResponse,
+
+    -- * Response Lenses
+    closeTunnelResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newCloseTunnel' smart constructor.
+data CloseTunnel = CloseTunnel'
+  { -- | When set to true, IoT Secure Tunneling deletes the tunnel data
+    -- immediately.
+    delete' :: Prelude.Maybe Prelude.Bool,
+    -- | The ID of the tunnel to close.
+    tunnelId :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'CloseTunnel' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'delete'', 'closeTunnel_delete' - When set to true, IoT Secure Tunneling deletes the tunnel data
+-- immediately.
+--
+-- 'tunnelId', 'closeTunnel_tunnelId' - The ID of the tunnel to close.
+newCloseTunnel ::
+  -- | 'tunnelId'
+  Prelude.Text ->
+  CloseTunnel
+newCloseTunnel pTunnelId_ =
+  CloseTunnel'
+    { delete' = Prelude.Nothing,
+      tunnelId = pTunnelId_
+    }
+
+-- | When set to true, IoT Secure Tunneling deletes the tunnel data
+-- immediately.
+closeTunnel_delete :: Lens.Lens' CloseTunnel (Prelude.Maybe Prelude.Bool)
+closeTunnel_delete = Lens.lens (\CloseTunnel' {delete'} -> delete') (\s@CloseTunnel' {} a -> s {delete' = a} :: CloseTunnel)
+
+-- | The ID of the tunnel to close.
+closeTunnel_tunnelId :: Lens.Lens' CloseTunnel Prelude.Text
+closeTunnel_tunnelId = Lens.lens (\CloseTunnel' {tunnelId} -> tunnelId) (\s@CloseTunnel' {} a -> s {tunnelId = a} :: CloseTunnel)
+
+instance Core.AWSRequest CloseTunnel where
+  type AWSResponse CloseTunnel = CloseTunnelResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveEmpty
+      ( \s h x ->
+          CloseTunnelResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable CloseTunnel where
+  hashWithSalt _salt CloseTunnel' {..} =
+    _salt
+      `Prelude.hashWithSalt` delete'
+      `Prelude.hashWithSalt` tunnelId
+
+instance Prelude.NFData CloseTunnel where
+  rnf CloseTunnel' {..} =
+    Prelude.rnf delete'
+      `Prelude.seq` Prelude.rnf tunnelId
+
+instance Data.ToHeaders CloseTunnel where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "IoTSecuredTunneling.CloseTunnel" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.1" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON CloseTunnel where
+  toJSON CloseTunnel' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("delete" Data..=) Prelude.<$> delete',
+            Prelude.Just ("tunnelId" Data..= tunnelId)
+          ]
+      )
+
+instance Data.ToPath CloseTunnel where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery CloseTunnel where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newCloseTunnelResponse' smart constructor.
+data CloseTunnelResponse = CloseTunnelResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'CloseTunnelResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'closeTunnelResponse_httpStatus' - The response's http status code.
+newCloseTunnelResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  CloseTunnelResponse
+newCloseTunnelResponse pHttpStatus_ =
+  CloseTunnelResponse' {httpStatus = pHttpStatus_}
+
+-- | The response's http status code.
+closeTunnelResponse_httpStatus :: Lens.Lens' CloseTunnelResponse Prelude.Int
+closeTunnelResponse_httpStatus = Lens.lens (\CloseTunnelResponse' {httpStatus} -> httpStatus) (\s@CloseTunnelResponse' {} a -> s {httpStatus = a} :: CloseTunnelResponse)
+
+instance Prelude.NFData CloseTunnelResponse where
+  rnf CloseTunnelResponse' {..} = Prelude.rnf httpStatus
diff --git a/gen/Amazonka/IoTSecureTunneling/DescribeTunnel.hs b/gen/Amazonka/IoTSecureTunneling/DescribeTunnel.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/DescribeTunnel.hs
@@ -0,0 +1,171 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.DescribeTunnel
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Gets information about a tunnel identified by the unique tunnel id.
+--
+-- Requires permission to access the
+-- <https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions DescribeTunnel>
+-- action.
+module Amazonka.IoTSecureTunneling.DescribeTunnel
+  ( -- * Creating a Request
+    DescribeTunnel (..),
+    newDescribeTunnel,
+
+    -- * Request Lenses
+    describeTunnel_tunnelId,
+
+    -- * Destructuring the Response
+    DescribeTunnelResponse (..),
+    newDescribeTunnelResponse,
+
+    -- * Response Lenses
+    describeTunnelResponse_tunnel,
+    describeTunnelResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newDescribeTunnel' smart constructor.
+data DescribeTunnel = DescribeTunnel'
+  { -- | The tunnel to describe.
+    tunnelId :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeTunnel' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'tunnelId', 'describeTunnel_tunnelId' - The tunnel to describe.
+newDescribeTunnel ::
+  -- | 'tunnelId'
+  Prelude.Text ->
+  DescribeTunnel
+newDescribeTunnel pTunnelId_ =
+  DescribeTunnel' {tunnelId = pTunnelId_}
+
+-- | The tunnel to describe.
+describeTunnel_tunnelId :: Lens.Lens' DescribeTunnel Prelude.Text
+describeTunnel_tunnelId = Lens.lens (\DescribeTunnel' {tunnelId} -> tunnelId) (\s@DescribeTunnel' {} a -> s {tunnelId = a} :: DescribeTunnel)
+
+instance Core.AWSRequest DescribeTunnel where
+  type
+    AWSResponse DescribeTunnel =
+      DescribeTunnelResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          DescribeTunnelResponse'
+            Prelude.<$> (x Data..?> "tunnel")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable DescribeTunnel where
+  hashWithSalt _salt DescribeTunnel' {..} =
+    _salt `Prelude.hashWithSalt` tunnelId
+
+instance Prelude.NFData DescribeTunnel where
+  rnf DescribeTunnel' {..} = Prelude.rnf tunnelId
+
+instance Data.ToHeaders DescribeTunnel where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "IoTSecuredTunneling.DescribeTunnel" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.1" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON DescribeTunnel where
+  toJSON DescribeTunnel' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [Prelude.Just ("tunnelId" Data..= tunnelId)]
+      )
+
+instance Data.ToPath DescribeTunnel where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery DescribeTunnel where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newDescribeTunnelResponse' smart constructor.
+data DescribeTunnelResponse = DescribeTunnelResponse'
+  { -- | The tunnel being described.
+    tunnel :: Prelude.Maybe Tunnel,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DescribeTunnelResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'tunnel', 'describeTunnelResponse_tunnel' - The tunnel being described.
+--
+-- 'httpStatus', 'describeTunnelResponse_httpStatus' - The response's http status code.
+newDescribeTunnelResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  DescribeTunnelResponse
+newDescribeTunnelResponse pHttpStatus_ =
+  DescribeTunnelResponse'
+    { tunnel = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The tunnel being described.
+describeTunnelResponse_tunnel :: Lens.Lens' DescribeTunnelResponse (Prelude.Maybe Tunnel)
+describeTunnelResponse_tunnel = Lens.lens (\DescribeTunnelResponse' {tunnel} -> tunnel) (\s@DescribeTunnelResponse' {} a -> s {tunnel = a} :: DescribeTunnelResponse)
+
+-- | The response's http status code.
+describeTunnelResponse_httpStatus :: Lens.Lens' DescribeTunnelResponse Prelude.Int
+describeTunnelResponse_httpStatus = Lens.lens (\DescribeTunnelResponse' {httpStatus} -> httpStatus) (\s@DescribeTunnelResponse' {} a -> s {httpStatus = a} :: DescribeTunnelResponse)
+
+instance Prelude.NFData DescribeTunnelResponse where
+  rnf DescribeTunnelResponse' {..} =
+    Prelude.rnf tunnel
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/IoTSecureTunneling/Lens.hs b/gen/Amazonka/IoTSecureTunneling/Lens.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Lens.hs
@@ -0,0 +1,123 @@
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-duplicate-exports #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Lens
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Lens
+  ( -- * Operations
+
+    -- ** CloseTunnel
+    closeTunnel_delete,
+    closeTunnel_tunnelId,
+    closeTunnelResponse_httpStatus,
+
+    -- ** DescribeTunnel
+    describeTunnel_tunnelId,
+    describeTunnelResponse_tunnel,
+    describeTunnelResponse_httpStatus,
+
+    -- ** ListTagsForResource
+    listTagsForResource_resourceArn,
+    listTagsForResourceResponse_tags,
+    listTagsForResourceResponse_httpStatus,
+
+    -- ** ListTunnels
+    listTunnels_maxResults,
+    listTunnels_nextToken,
+    listTunnels_thingName,
+    listTunnelsResponse_nextToken,
+    listTunnelsResponse_tunnelSummaries,
+    listTunnelsResponse_httpStatus,
+
+    -- ** OpenTunnel
+    openTunnel_description,
+    openTunnel_destinationConfig,
+    openTunnel_tags,
+    openTunnel_timeoutConfig,
+    openTunnelResponse_destinationAccessToken,
+    openTunnelResponse_sourceAccessToken,
+    openTunnelResponse_tunnelArn,
+    openTunnelResponse_tunnelId,
+    openTunnelResponse_httpStatus,
+
+    -- ** RotateTunnelAccessToken
+    rotateTunnelAccessToken_destinationConfig,
+    rotateTunnelAccessToken_tunnelId,
+    rotateTunnelAccessToken_clientMode,
+    rotateTunnelAccessTokenResponse_destinationAccessToken,
+    rotateTunnelAccessTokenResponse_sourceAccessToken,
+    rotateTunnelAccessTokenResponse_tunnelArn,
+    rotateTunnelAccessTokenResponse_httpStatus,
+
+    -- ** TagResource
+    tagResource_resourceArn,
+    tagResource_tags,
+    tagResourceResponse_httpStatus,
+
+    -- ** UntagResource
+    untagResource_resourceArn,
+    untagResource_tagKeys,
+    untagResourceResponse_httpStatus,
+
+    -- * Types
+
+    -- ** ConnectionState
+    connectionState_lastUpdatedAt,
+    connectionState_status,
+
+    -- ** DestinationConfig
+    destinationConfig_thingName,
+    destinationConfig_services,
+
+    -- ** Tag
+    tag_key,
+    tag_value,
+
+    -- ** TimeoutConfig
+    timeoutConfig_maxLifetimeTimeoutMinutes,
+
+    -- ** Tunnel
+    tunnel_createdAt,
+    tunnel_description,
+    tunnel_destinationConfig,
+    tunnel_destinationConnectionState,
+    tunnel_lastUpdatedAt,
+    tunnel_sourceConnectionState,
+    tunnel_status,
+    tunnel_tags,
+    tunnel_timeoutConfig,
+    tunnel_tunnelArn,
+    tunnel_tunnelId,
+
+    -- ** TunnelSummary
+    tunnelSummary_createdAt,
+    tunnelSummary_description,
+    tunnelSummary_lastUpdatedAt,
+    tunnelSummary_status,
+    tunnelSummary_tunnelArn,
+    tunnelSummary_tunnelId,
+  )
+where
+
+import Amazonka.IoTSecureTunneling.CloseTunnel
+import Amazonka.IoTSecureTunneling.DescribeTunnel
+import Amazonka.IoTSecureTunneling.ListTagsForResource
+import Amazonka.IoTSecureTunneling.ListTunnels
+import Amazonka.IoTSecureTunneling.OpenTunnel
+import Amazonka.IoTSecureTunneling.RotateTunnelAccessToken
+import Amazonka.IoTSecureTunneling.TagResource
+import Amazonka.IoTSecureTunneling.Types.ConnectionState
+import Amazonka.IoTSecureTunneling.Types.DestinationConfig
+import Amazonka.IoTSecureTunneling.Types.Tag
+import Amazonka.IoTSecureTunneling.Types.TimeoutConfig
+import Amazonka.IoTSecureTunneling.Types.Tunnel
+import Amazonka.IoTSecureTunneling.Types.TunnelSummary
+import Amazonka.IoTSecureTunneling.UntagResource
diff --git a/gen/Amazonka/IoTSecureTunneling/ListTagsForResource.hs b/gen/Amazonka/IoTSecureTunneling/ListTagsForResource.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/ListTagsForResource.hs
@@ -0,0 +1,169 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.ListTagsForResource
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Lists the tags for the specified resource.
+module Amazonka.IoTSecureTunneling.ListTagsForResource
+  ( -- * Creating a Request
+    ListTagsForResource (..),
+    newListTagsForResource,
+
+    -- * Request Lenses
+    listTagsForResource_resourceArn,
+
+    -- * Destructuring the Response
+    ListTagsForResourceResponse (..),
+    newListTagsForResourceResponse,
+
+    -- * Response Lenses
+    listTagsForResourceResponse_tags,
+    listTagsForResourceResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newListTagsForResource' smart constructor.
+data ListTagsForResource = ListTagsForResource'
+  { -- | The resource ARN.
+    resourceArn :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListTagsForResource' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'resourceArn', 'listTagsForResource_resourceArn' - The resource ARN.
+newListTagsForResource ::
+  -- | 'resourceArn'
+  Prelude.Text ->
+  ListTagsForResource
+newListTagsForResource pResourceArn_ =
+  ListTagsForResource' {resourceArn = pResourceArn_}
+
+-- | The resource ARN.
+listTagsForResource_resourceArn :: Lens.Lens' ListTagsForResource Prelude.Text
+listTagsForResource_resourceArn = Lens.lens (\ListTagsForResource' {resourceArn} -> resourceArn) (\s@ListTagsForResource' {} a -> s {resourceArn = a} :: ListTagsForResource)
+
+instance Core.AWSRequest ListTagsForResource where
+  type
+    AWSResponse ListTagsForResource =
+      ListTagsForResourceResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          ListTagsForResourceResponse'
+            Prelude.<$> (x Data..?> "tags")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable ListTagsForResource where
+  hashWithSalt _salt ListTagsForResource' {..} =
+    _salt `Prelude.hashWithSalt` resourceArn
+
+instance Prelude.NFData ListTagsForResource where
+  rnf ListTagsForResource' {..} =
+    Prelude.rnf resourceArn
+
+instance Data.ToHeaders ListTagsForResource where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "IoTSecuredTunneling.ListTagsForResource" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.1" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON ListTagsForResource where
+  toJSON ListTagsForResource' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [Prelude.Just ("resourceArn" Data..= resourceArn)]
+      )
+
+instance Data.ToPath ListTagsForResource where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery ListTagsForResource where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newListTagsForResourceResponse' smart constructor.
+data ListTagsForResourceResponse = ListTagsForResourceResponse'
+  { -- | The tags for the specified resource.
+    tags :: Prelude.Maybe (Prelude.NonEmpty Tag),
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListTagsForResourceResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'tags', 'listTagsForResourceResponse_tags' - The tags for the specified resource.
+--
+-- 'httpStatus', 'listTagsForResourceResponse_httpStatus' - The response's http status code.
+newListTagsForResourceResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  ListTagsForResourceResponse
+newListTagsForResourceResponse pHttpStatus_ =
+  ListTagsForResourceResponse'
+    { tags =
+        Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The tags for the specified resource.
+listTagsForResourceResponse_tags :: Lens.Lens' ListTagsForResourceResponse (Prelude.Maybe (Prelude.NonEmpty Tag))
+listTagsForResourceResponse_tags = Lens.lens (\ListTagsForResourceResponse' {tags} -> tags) (\s@ListTagsForResourceResponse' {} a -> s {tags = a} :: ListTagsForResourceResponse) Prelude.. Lens.mapping Lens.coerced
+
+-- | The response's http status code.
+listTagsForResourceResponse_httpStatus :: Lens.Lens' ListTagsForResourceResponse Prelude.Int
+listTagsForResourceResponse_httpStatus = Lens.lens (\ListTagsForResourceResponse' {httpStatus} -> httpStatus) (\s@ListTagsForResourceResponse' {} a -> s {httpStatus = a} :: ListTagsForResourceResponse)
+
+instance Prelude.NFData ListTagsForResourceResponse where
+  rnf ListTagsForResourceResponse' {..} =
+    Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/IoTSecureTunneling/ListTunnels.hs b/gen/Amazonka/IoTSecureTunneling/ListTunnels.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/ListTunnels.hs
@@ -0,0 +1,221 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.ListTunnels
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- List all tunnels for an Amazon Web Services account. Tunnels are listed
+-- by creation time in descending order, newer tunnels will be listed
+-- before older tunnels.
+--
+-- Requires permission to access the
+-- <https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions ListTunnels>
+-- action.
+module Amazonka.IoTSecureTunneling.ListTunnels
+  ( -- * Creating a Request
+    ListTunnels (..),
+    newListTunnels,
+
+    -- * Request Lenses
+    listTunnels_maxResults,
+    listTunnels_nextToken,
+    listTunnels_thingName,
+
+    -- * Destructuring the Response
+    ListTunnelsResponse (..),
+    newListTunnelsResponse,
+
+    -- * Response Lenses
+    listTunnelsResponse_nextToken,
+    listTunnelsResponse_tunnelSummaries,
+    listTunnelsResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newListTunnels' smart constructor.
+data ListTunnels = ListTunnels'
+  { -- | The maximum number of results to return at once.
+    maxResults :: Prelude.Maybe Prelude.Natural,
+    -- | To retrieve the next set of results, the nextToken value from a previous
+    -- response; otherwise null to receive the first set of results.
+    nextToken :: Prelude.Maybe Prelude.Text,
+    -- | The name of the IoT thing associated with the destination device.
+    thingName :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListTunnels' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'maxResults', 'listTunnels_maxResults' - The maximum number of results to return at once.
+--
+-- 'nextToken', 'listTunnels_nextToken' - To retrieve the next set of results, the nextToken value from a previous
+-- response; otherwise null to receive the first set of results.
+--
+-- 'thingName', 'listTunnels_thingName' - The name of the IoT thing associated with the destination device.
+newListTunnels ::
+  ListTunnels
+newListTunnels =
+  ListTunnels'
+    { maxResults = Prelude.Nothing,
+      nextToken = Prelude.Nothing,
+      thingName = Prelude.Nothing
+    }
+
+-- | The maximum number of results to return at once.
+listTunnels_maxResults :: Lens.Lens' ListTunnels (Prelude.Maybe Prelude.Natural)
+listTunnels_maxResults = Lens.lens (\ListTunnels' {maxResults} -> maxResults) (\s@ListTunnels' {} a -> s {maxResults = a} :: ListTunnels)
+
+-- | To retrieve the next set of results, the nextToken value from a previous
+-- response; otherwise null to receive the first set of results.
+listTunnels_nextToken :: Lens.Lens' ListTunnels (Prelude.Maybe Prelude.Text)
+listTunnels_nextToken = Lens.lens (\ListTunnels' {nextToken} -> nextToken) (\s@ListTunnels' {} a -> s {nextToken = a} :: ListTunnels)
+
+-- | The name of the IoT thing associated with the destination device.
+listTunnels_thingName :: Lens.Lens' ListTunnels (Prelude.Maybe Prelude.Text)
+listTunnels_thingName = Lens.lens (\ListTunnels' {thingName} -> thingName) (\s@ListTunnels' {} a -> s {thingName = a} :: ListTunnels)
+
+instance Core.AWSRequest ListTunnels where
+  type AWSResponse ListTunnels = ListTunnelsResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          ListTunnelsResponse'
+            Prelude.<$> (x Data..?> "nextToken")
+            Prelude.<*> ( x
+                            Data..?> "tunnelSummaries"
+                            Core..!@ Prelude.mempty
+                        )
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable ListTunnels where
+  hashWithSalt _salt ListTunnels' {..} =
+    _salt
+      `Prelude.hashWithSalt` maxResults
+      `Prelude.hashWithSalt` nextToken
+      `Prelude.hashWithSalt` thingName
+
+instance Prelude.NFData ListTunnels where
+  rnf ListTunnels' {..} =
+    Prelude.rnf maxResults
+      `Prelude.seq` Prelude.rnf nextToken
+      `Prelude.seq` Prelude.rnf thingName
+
+instance Data.ToHeaders ListTunnels where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "IoTSecuredTunneling.ListTunnels" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.1" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON ListTunnels where
+  toJSON ListTunnels' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("maxResults" Data..=) Prelude.<$> maxResults,
+            ("nextToken" Data..=) Prelude.<$> nextToken,
+            ("thingName" Data..=) Prelude.<$> thingName
+          ]
+      )
+
+instance Data.ToPath ListTunnels where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery ListTunnels where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newListTunnelsResponse' smart constructor.
+data ListTunnelsResponse = ListTunnelsResponse'
+  { -- | The token to use to get the next set of results, or null if there are no
+    -- additional results.
+    nextToken :: Prelude.Maybe Prelude.Text,
+    -- | A short description of the tunnels in an Amazon Web Services account.
+    tunnelSummaries :: Prelude.Maybe [TunnelSummary],
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ListTunnelsResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'nextToken', 'listTunnelsResponse_nextToken' - The token to use to get the next set of results, or null if there are no
+-- additional results.
+--
+-- 'tunnelSummaries', 'listTunnelsResponse_tunnelSummaries' - A short description of the tunnels in an Amazon Web Services account.
+--
+-- 'httpStatus', 'listTunnelsResponse_httpStatus' - The response's http status code.
+newListTunnelsResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  ListTunnelsResponse
+newListTunnelsResponse pHttpStatus_ =
+  ListTunnelsResponse'
+    { nextToken = Prelude.Nothing,
+      tunnelSummaries = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The token to use to get the next set of results, or null if there are no
+-- additional results.
+listTunnelsResponse_nextToken :: Lens.Lens' ListTunnelsResponse (Prelude.Maybe Prelude.Text)
+listTunnelsResponse_nextToken = Lens.lens (\ListTunnelsResponse' {nextToken} -> nextToken) (\s@ListTunnelsResponse' {} a -> s {nextToken = a} :: ListTunnelsResponse)
+
+-- | A short description of the tunnels in an Amazon Web Services account.
+listTunnelsResponse_tunnelSummaries :: Lens.Lens' ListTunnelsResponse (Prelude.Maybe [TunnelSummary])
+listTunnelsResponse_tunnelSummaries = Lens.lens (\ListTunnelsResponse' {tunnelSummaries} -> tunnelSummaries) (\s@ListTunnelsResponse' {} a -> s {tunnelSummaries = a} :: ListTunnelsResponse) Prelude.. Lens.mapping Lens.coerced
+
+-- | The response's http status code.
+listTunnelsResponse_httpStatus :: Lens.Lens' ListTunnelsResponse Prelude.Int
+listTunnelsResponse_httpStatus = Lens.lens (\ListTunnelsResponse' {httpStatus} -> httpStatus) (\s@ListTunnelsResponse' {} a -> s {httpStatus = a} :: ListTunnelsResponse)
+
+instance Prelude.NFData ListTunnelsResponse where
+  rnf ListTunnelsResponse' {..} =
+    Prelude.rnf nextToken
+      `Prelude.seq` Prelude.rnf tunnelSummaries
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/IoTSecureTunneling/OpenTunnel.hs b/gen/Amazonka/IoTSecureTunneling/OpenTunnel.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/OpenTunnel.hs
@@ -0,0 +1,256 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.OpenTunnel
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Creates a new tunnel, and returns two client access tokens for clients
+-- to use to connect to the IoT Secure Tunneling proxy server.
+--
+-- Requires permission to access the
+-- <https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions OpenTunnel>
+-- action.
+module Amazonka.IoTSecureTunneling.OpenTunnel
+  ( -- * Creating a Request
+    OpenTunnel (..),
+    newOpenTunnel,
+
+    -- * Request Lenses
+    openTunnel_description,
+    openTunnel_destinationConfig,
+    openTunnel_tags,
+    openTunnel_timeoutConfig,
+
+    -- * Destructuring the Response
+    OpenTunnelResponse (..),
+    newOpenTunnelResponse,
+
+    -- * Response Lenses
+    openTunnelResponse_destinationAccessToken,
+    openTunnelResponse_sourceAccessToken,
+    openTunnelResponse_tunnelArn,
+    openTunnelResponse_tunnelId,
+    openTunnelResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newOpenTunnel' smart constructor.
+data OpenTunnel = OpenTunnel'
+  { -- | A short text description of the tunnel.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | The destination configuration for the OpenTunnel request.
+    destinationConfig :: Prelude.Maybe DestinationConfig,
+    -- | A collection of tag metadata.
+    tags :: Prelude.Maybe (Prelude.NonEmpty Tag),
+    -- | Timeout configuration for a tunnel.
+    timeoutConfig :: Prelude.Maybe TimeoutConfig
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'OpenTunnel' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'description', 'openTunnel_description' - A short text description of the tunnel.
+--
+-- 'destinationConfig', 'openTunnel_destinationConfig' - The destination configuration for the OpenTunnel request.
+--
+-- 'tags', 'openTunnel_tags' - A collection of tag metadata.
+--
+-- 'timeoutConfig', 'openTunnel_timeoutConfig' - Timeout configuration for a tunnel.
+newOpenTunnel ::
+  OpenTunnel
+newOpenTunnel =
+  OpenTunnel'
+    { description = Prelude.Nothing,
+      destinationConfig = Prelude.Nothing,
+      tags = Prelude.Nothing,
+      timeoutConfig = Prelude.Nothing
+    }
+
+-- | A short text description of the tunnel.
+openTunnel_description :: Lens.Lens' OpenTunnel (Prelude.Maybe Prelude.Text)
+openTunnel_description = Lens.lens (\OpenTunnel' {description} -> description) (\s@OpenTunnel' {} a -> s {description = a} :: OpenTunnel)
+
+-- | The destination configuration for the OpenTunnel request.
+openTunnel_destinationConfig :: Lens.Lens' OpenTunnel (Prelude.Maybe DestinationConfig)
+openTunnel_destinationConfig = Lens.lens (\OpenTunnel' {destinationConfig} -> destinationConfig) (\s@OpenTunnel' {} a -> s {destinationConfig = a} :: OpenTunnel)
+
+-- | A collection of tag metadata.
+openTunnel_tags :: Lens.Lens' OpenTunnel (Prelude.Maybe (Prelude.NonEmpty Tag))
+openTunnel_tags = Lens.lens (\OpenTunnel' {tags} -> tags) (\s@OpenTunnel' {} a -> s {tags = a} :: OpenTunnel) Prelude.. Lens.mapping Lens.coerced
+
+-- | Timeout configuration for a tunnel.
+openTunnel_timeoutConfig :: Lens.Lens' OpenTunnel (Prelude.Maybe TimeoutConfig)
+openTunnel_timeoutConfig = Lens.lens (\OpenTunnel' {timeoutConfig} -> timeoutConfig) (\s@OpenTunnel' {} a -> s {timeoutConfig = a} :: OpenTunnel)
+
+instance Core.AWSRequest OpenTunnel where
+  type AWSResponse OpenTunnel = OpenTunnelResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          OpenTunnelResponse'
+            Prelude.<$> (x Data..?> "destinationAccessToken")
+            Prelude.<*> (x Data..?> "sourceAccessToken")
+            Prelude.<*> (x Data..?> "tunnelArn")
+            Prelude.<*> (x Data..?> "tunnelId")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable OpenTunnel where
+  hashWithSalt _salt OpenTunnel' {..} =
+    _salt
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` destinationConfig
+      `Prelude.hashWithSalt` tags
+      `Prelude.hashWithSalt` timeoutConfig
+
+instance Prelude.NFData OpenTunnel where
+  rnf OpenTunnel' {..} =
+    Prelude.rnf description
+      `Prelude.seq` Prelude.rnf destinationConfig
+      `Prelude.seq` Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf timeoutConfig
+
+instance Data.ToHeaders OpenTunnel where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "IoTSecuredTunneling.OpenTunnel" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.1" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON OpenTunnel where
+  toJSON OpenTunnel' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("description" Data..=) Prelude.<$> description,
+            ("destinationConfig" Data..=)
+              Prelude.<$> destinationConfig,
+            ("tags" Data..=) Prelude.<$> tags,
+            ("timeoutConfig" Data..=) Prelude.<$> timeoutConfig
+          ]
+      )
+
+instance Data.ToPath OpenTunnel where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery OpenTunnel where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newOpenTunnelResponse' smart constructor.
+data OpenTunnelResponse = OpenTunnelResponse'
+  { -- | The access token the destination local proxy uses to connect to IoT
+    -- Secure Tunneling.
+    destinationAccessToken :: Prelude.Maybe (Data.Sensitive Prelude.Text),
+    -- | The access token the source local proxy uses to connect to IoT Secure
+    -- Tunneling.
+    sourceAccessToken :: Prelude.Maybe (Data.Sensitive Prelude.Text),
+    -- | The Amazon Resource Name for the tunnel.
+    tunnelArn :: Prelude.Maybe Prelude.Text,
+    -- | A unique alpha-numeric tunnel ID.
+    tunnelId :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'OpenTunnelResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'destinationAccessToken', 'openTunnelResponse_destinationAccessToken' - The access token the destination local proxy uses to connect to IoT
+-- Secure Tunneling.
+--
+-- 'sourceAccessToken', 'openTunnelResponse_sourceAccessToken' - The access token the source local proxy uses to connect to IoT Secure
+-- Tunneling.
+--
+-- 'tunnelArn', 'openTunnelResponse_tunnelArn' - The Amazon Resource Name for the tunnel.
+--
+-- 'tunnelId', 'openTunnelResponse_tunnelId' - A unique alpha-numeric tunnel ID.
+--
+-- 'httpStatus', 'openTunnelResponse_httpStatus' - The response's http status code.
+newOpenTunnelResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  OpenTunnelResponse
+newOpenTunnelResponse pHttpStatus_ =
+  OpenTunnelResponse'
+    { destinationAccessToken =
+        Prelude.Nothing,
+      sourceAccessToken = Prelude.Nothing,
+      tunnelArn = Prelude.Nothing,
+      tunnelId = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The access token the destination local proxy uses to connect to IoT
+-- Secure Tunneling.
+openTunnelResponse_destinationAccessToken :: Lens.Lens' OpenTunnelResponse (Prelude.Maybe Prelude.Text)
+openTunnelResponse_destinationAccessToken = Lens.lens (\OpenTunnelResponse' {destinationAccessToken} -> destinationAccessToken) (\s@OpenTunnelResponse' {} a -> s {destinationAccessToken = a} :: OpenTunnelResponse) Prelude.. Lens.mapping Data._Sensitive
+
+-- | The access token the source local proxy uses to connect to IoT Secure
+-- Tunneling.
+openTunnelResponse_sourceAccessToken :: Lens.Lens' OpenTunnelResponse (Prelude.Maybe Prelude.Text)
+openTunnelResponse_sourceAccessToken = Lens.lens (\OpenTunnelResponse' {sourceAccessToken} -> sourceAccessToken) (\s@OpenTunnelResponse' {} a -> s {sourceAccessToken = a} :: OpenTunnelResponse) Prelude.. Lens.mapping Data._Sensitive
+
+-- | The Amazon Resource Name for the tunnel.
+openTunnelResponse_tunnelArn :: Lens.Lens' OpenTunnelResponse (Prelude.Maybe Prelude.Text)
+openTunnelResponse_tunnelArn = Lens.lens (\OpenTunnelResponse' {tunnelArn} -> tunnelArn) (\s@OpenTunnelResponse' {} a -> s {tunnelArn = a} :: OpenTunnelResponse)
+
+-- | A unique alpha-numeric tunnel ID.
+openTunnelResponse_tunnelId :: Lens.Lens' OpenTunnelResponse (Prelude.Maybe Prelude.Text)
+openTunnelResponse_tunnelId = Lens.lens (\OpenTunnelResponse' {tunnelId} -> tunnelId) (\s@OpenTunnelResponse' {} a -> s {tunnelId = a} :: OpenTunnelResponse)
+
+-- | The response's http status code.
+openTunnelResponse_httpStatus :: Lens.Lens' OpenTunnelResponse Prelude.Int
+openTunnelResponse_httpStatus = Lens.lens (\OpenTunnelResponse' {httpStatus} -> httpStatus) (\s@OpenTunnelResponse' {} a -> s {httpStatus = a} :: OpenTunnelResponse)
+
+instance Prelude.NFData OpenTunnelResponse where
+  rnf OpenTunnelResponse' {..} =
+    Prelude.rnf destinationAccessToken
+      `Prelude.seq` Prelude.rnf sourceAccessToken
+      `Prelude.seq` Prelude.rnf tunnelArn
+      `Prelude.seq` Prelude.rnf tunnelId
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/IoTSecureTunneling/RotateTunnelAccessToken.hs b/gen/Amazonka/IoTSecureTunneling/RotateTunnelAccessToken.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/RotateTunnelAccessToken.hs
@@ -0,0 +1,249 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.RotateTunnelAccessToken
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Revokes the current client access token (CAT) and returns new CAT for
+-- clients to use when reconnecting to secure tunneling to access the same
+-- tunnel.
+--
+-- Requires permission to access the
+-- <https://docs.aws.amazon.com/service-authorization/latest/reference/list_awsiot.html#awsiot-actions-as-permissions RotateTunnelAccessToken>
+-- action.
+--
+-- Rotating the CAT doesn\'t extend the tunnel duration. For example, say
+-- the tunnel duration is 12 hours and the tunnel has already been open for
+-- 4 hours. When you rotate the access tokens, the new tokens that are
+-- generated can only be used for the remaining 8 hours.
+module Amazonka.IoTSecureTunneling.RotateTunnelAccessToken
+  ( -- * Creating a Request
+    RotateTunnelAccessToken (..),
+    newRotateTunnelAccessToken,
+
+    -- * Request Lenses
+    rotateTunnelAccessToken_destinationConfig,
+    rotateTunnelAccessToken_tunnelId,
+    rotateTunnelAccessToken_clientMode,
+
+    -- * Destructuring the Response
+    RotateTunnelAccessTokenResponse (..),
+    newRotateTunnelAccessTokenResponse,
+
+    -- * Response Lenses
+    rotateTunnelAccessTokenResponse_destinationAccessToken,
+    rotateTunnelAccessTokenResponse_sourceAccessToken,
+    rotateTunnelAccessTokenResponse_tunnelArn,
+    rotateTunnelAccessTokenResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newRotateTunnelAccessToken' smart constructor.
+data RotateTunnelAccessToken = RotateTunnelAccessToken'
+  { destinationConfig :: Prelude.Maybe DestinationConfig,
+    -- | The tunnel for which you want to rotate the access tokens.
+    tunnelId :: Prelude.Text,
+    -- | The mode of the client that will use the client token, which can be
+    -- either the source or destination, or both source and destination.
+    clientMode :: ClientMode
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'RotateTunnelAccessToken' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'destinationConfig', 'rotateTunnelAccessToken_destinationConfig' - Undocumented member.
+--
+-- 'tunnelId', 'rotateTunnelAccessToken_tunnelId' - The tunnel for which you want to rotate the access tokens.
+--
+-- 'clientMode', 'rotateTunnelAccessToken_clientMode' - The mode of the client that will use the client token, which can be
+-- either the source or destination, or both source and destination.
+newRotateTunnelAccessToken ::
+  -- | 'tunnelId'
+  Prelude.Text ->
+  -- | 'clientMode'
+  ClientMode ->
+  RotateTunnelAccessToken
+newRotateTunnelAccessToken pTunnelId_ pClientMode_ =
+  RotateTunnelAccessToken'
+    { destinationConfig =
+        Prelude.Nothing,
+      tunnelId = pTunnelId_,
+      clientMode = pClientMode_
+    }
+
+-- | Undocumented member.
+rotateTunnelAccessToken_destinationConfig :: Lens.Lens' RotateTunnelAccessToken (Prelude.Maybe DestinationConfig)
+rotateTunnelAccessToken_destinationConfig = Lens.lens (\RotateTunnelAccessToken' {destinationConfig} -> destinationConfig) (\s@RotateTunnelAccessToken' {} a -> s {destinationConfig = a} :: RotateTunnelAccessToken)
+
+-- | The tunnel for which you want to rotate the access tokens.
+rotateTunnelAccessToken_tunnelId :: Lens.Lens' RotateTunnelAccessToken Prelude.Text
+rotateTunnelAccessToken_tunnelId = Lens.lens (\RotateTunnelAccessToken' {tunnelId} -> tunnelId) (\s@RotateTunnelAccessToken' {} a -> s {tunnelId = a} :: RotateTunnelAccessToken)
+
+-- | The mode of the client that will use the client token, which can be
+-- either the source or destination, or both source and destination.
+rotateTunnelAccessToken_clientMode :: Lens.Lens' RotateTunnelAccessToken ClientMode
+rotateTunnelAccessToken_clientMode = Lens.lens (\RotateTunnelAccessToken' {clientMode} -> clientMode) (\s@RotateTunnelAccessToken' {} a -> s {clientMode = a} :: RotateTunnelAccessToken)
+
+instance Core.AWSRequest RotateTunnelAccessToken where
+  type
+    AWSResponse RotateTunnelAccessToken =
+      RotateTunnelAccessTokenResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveJSON
+      ( \s h x ->
+          RotateTunnelAccessTokenResponse'
+            Prelude.<$> (x Data..?> "destinationAccessToken")
+            Prelude.<*> (x Data..?> "sourceAccessToken")
+            Prelude.<*> (x Data..?> "tunnelArn")
+            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable RotateTunnelAccessToken where
+  hashWithSalt _salt RotateTunnelAccessToken' {..} =
+    _salt
+      `Prelude.hashWithSalt` destinationConfig
+      `Prelude.hashWithSalt` tunnelId
+      `Prelude.hashWithSalt` clientMode
+
+instance Prelude.NFData RotateTunnelAccessToken where
+  rnf RotateTunnelAccessToken' {..} =
+    Prelude.rnf destinationConfig
+      `Prelude.seq` Prelude.rnf tunnelId
+      `Prelude.seq` Prelude.rnf clientMode
+
+instance Data.ToHeaders RotateTunnelAccessToken where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "IoTSecuredTunneling.RotateTunnelAccessToken" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.1" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON RotateTunnelAccessToken where
+  toJSON RotateTunnelAccessToken' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("destinationConfig" Data..=)
+              Prelude.<$> destinationConfig,
+            Prelude.Just ("tunnelId" Data..= tunnelId),
+            Prelude.Just ("clientMode" Data..= clientMode)
+          ]
+      )
+
+instance Data.ToPath RotateTunnelAccessToken where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery RotateTunnelAccessToken where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newRotateTunnelAccessTokenResponse' smart constructor.
+data RotateTunnelAccessTokenResponse = RotateTunnelAccessTokenResponse'
+  { -- | The client access token that the destination local proxy uses to connect
+    -- to IoT Secure Tunneling.
+    destinationAccessToken :: Prelude.Maybe (Data.Sensitive Prelude.Text),
+    -- | The client access token that the source local proxy uses to connect to
+    -- IoT Secure Tunneling.
+    sourceAccessToken :: Prelude.Maybe (Data.Sensitive Prelude.Text),
+    -- | The Amazon Resource Name for the tunnel.
+    tunnelArn :: Prelude.Maybe Prelude.Text,
+    -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'RotateTunnelAccessTokenResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'destinationAccessToken', 'rotateTunnelAccessTokenResponse_destinationAccessToken' - The client access token that the destination local proxy uses to connect
+-- to IoT Secure Tunneling.
+--
+-- 'sourceAccessToken', 'rotateTunnelAccessTokenResponse_sourceAccessToken' - The client access token that the source local proxy uses to connect to
+-- IoT Secure Tunneling.
+--
+-- 'tunnelArn', 'rotateTunnelAccessTokenResponse_tunnelArn' - The Amazon Resource Name for the tunnel.
+--
+-- 'httpStatus', 'rotateTunnelAccessTokenResponse_httpStatus' - The response's http status code.
+newRotateTunnelAccessTokenResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  RotateTunnelAccessTokenResponse
+newRotateTunnelAccessTokenResponse pHttpStatus_ =
+  RotateTunnelAccessTokenResponse'
+    { destinationAccessToken =
+        Prelude.Nothing,
+      sourceAccessToken = Prelude.Nothing,
+      tunnelArn = Prelude.Nothing,
+      httpStatus = pHttpStatus_
+    }
+
+-- | The client access token that the destination local proxy uses to connect
+-- to IoT Secure Tunneling.
+rotateTunnelAccessTokenResponse_destinationAccessToken :: Lens.Lens' RotateTunnelAccessTokenResponse (Prelude.Maybe Prelude.Text)
+rotateTunnelAccessTokenResponse_destinationAccessToken = Lens.lens (\RotateTunnelAccessTokenResponse' {destinationAccessToken} -> destinationAccessToken) (\s@RotateTunnelAccessTokenResponse' {} a -> s {destinationAccessToken = a} :: RotateTunnelAccessTokenResponse) Prelude.. Lens.mapping Data._Sensitive
+
+-- | The client access token that the source local proxy uses to connect to
+-- IoT Secure Tunneling.
+rotateTunnelAccessTokenResponse_sourceAccessToken :: Lens.Lens' RotateTunnelAccessTokenResponse (Prelude.Maybe Prelude.Text)
+rotateTunnelAccessTokenResponse_sourceAccessToken = Lens.lens (\RotateTunnelAccessTokenResponse' {sourceAccessToken} -> sourceAccessToken) (\s@RotateTunnelAccessTokenResponse' {} a -> s {sourceAccessToken = a} :: RotateTunnelAccessTokenResponse) Prelude.. Lens.mapping Data._Sensitive
+
+-- | The Amazon Resource Name for the tunnel.
+rotateTunnelAccessTokenResponse_tunnelArn :: Lens.Lens' RotateTunnelAccessTokenResponse (Prelude.Maybe Prelude.Text)
+rotateTunnelAccessTokenResponse_tunnelArn = Lens.lens (\RotateTunnelAccessTokenResponse' {tunnelArn} -> tunnelArn) (\s@RotateTunnelAccessTokenResponse' {} a -> s {tunnelArn = a} :: RotateTunnelAccessTokenResponse)
+
+-- | The response's http status code.
+rotateTunnelAccessTokenResponse_httpStatus :: Lens.Lens' RotateTunnelAccessTokenResponse Prelude.Int
+rotateTunnelAccessTokenResponse_httpStatus = Lens.lens (\RotateTunnelAccessTokenResponse' {httpStatus} -> httpStatus) (\s@RotateTunnelAccessTokenResponse' {} a -> s {httpStatus = a} :: RotateTunnelAccessTokenResponse)
+
+instance
+  Prelude.NFData
+    RotateTunnelAccessTokenResponse
+  where
+  rnf RotateTunnelAccessTokenResponse' {..} =
+    Prelude.rnf destinationAccessToken
+      `Prelude.seq` Prelude.rnf sourceAccessToken
+      `Prelude.seq` Prelude.rnf tunnelArn
+      `Prelude.seq` Prelude.rnf httpStatus
diff --git a/gen/Amazonka/IoTSecureTunneling/TagResource.hs b/gen/Amazonka/IoTSecureTunneling/TagResource.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/TagResource.hs
@@ -0,0 +1,170 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.TagResource
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- A resource tag.
+module Amazonka.IoTSecureTunneling.TagResource
+  ( -- * Creating a Request
+    TagResource (..),
+    newTagResource,
+
+    -- * Request Lenses
+    tagResource_resourceArn,
+    tagResource_tags,
+
+    -- * Destructuring the Response
+    TagResourceResponse (..),
+    newTagResourceResponse,
+
+    -- * Response Lenses
+    tagResourceResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newTagResource' smart constructor.
+data TagResource = TagResource'
+  { -- | The ARN of the resource.
+    resourceArn :: Prelude.Text,
+    -- | The tags for the resource.
+    tags :: Prelude.NonEmpty Tag
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'TagResource' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'resourceArn', 'tagResource_resourceArn' - The ARN of the resource.
+--
+-- 'tags', 'tagResource_tags' - The tags for the resource.
+newTagResource ::
+  -- | 'resourceArn'
+  Prelude.Text ->
+  -- | 'tags'
+  Prelude.NonEmpty Tag ->
+  TagResource
+newTagResource pResourceArn_ pTags_ =
+  TagResource'
+    { resourceArn = pResourceArn_,
+      tags = Lens.coerced Lens.# pTags_
+    }
+
+-- | The ARN of the resource.
+tagResource_resourceArn :: Lens.Lens' TagResource Prelude.Text
+tagResource_resourceArn = Lens.lens (\TagResource' {resourceArn} -> resourceArn) (\s@TagResource' {} a -> s {resourceArn = a} :: TagResource)
+
+-- | The tags for the resource.
+tagResource_tags :: Lens.Lens' TagResource (Prelude.NonEmpty Tag)
+tagResource_tags = Lens.lens (\TagResource' {tags} -> tags) (\s@TagResource' {} a -> s {tags = a} :: TagResource) Prelude.. Lens.coerced
+
+instance Core.AWSRequest TagResource where
+  type AWSResponse TagResource = TagResourceResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveEmpty
+      ( \s h x ->
+          TagResourceResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable TagResource where
+  hashWithSalt _salt TagResource' {..} =
+    _salt
+      `Prelude.hashWithSalt` resourceArn
+      `Prelude.hashWithSalt` tags
+
+instance Prelude.NFData TagResource where
+  rnf TagResource' {..} =
+    Prelude.rnf resourceArn
+      `Prelude.seq` Prelude.rnf tags
+
+instance Data.ToHeaders TagResource where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "IoTSecuredTunneling.TagResource" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.1" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON TagResource where
+  toJSON TagResource' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("resourceArn" Data..= resourceArn),
+            Prelude.Just ("tags" Data..= tags)
+          ]
+      )
+
+instance Data.ToPath TagResource where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery TagResource where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newTagResourceResponse' smart constructor.
+data TagResourceResponse = TagResourceResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'TagResourceResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'tagResourceResponse_httpStatus' - The response's http status code.
+newTagResourceResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  TagResourceResponse
+newTagResourceResponse pHttpStatus_ =
+  TagResourceResponse' {httpStatus = pHttpStatus_}
+
+-- | The response's http status code.
+tagResourceResponse_httpStatus :: Lens.Lens' TagResourceResponse Prelude.Int
+tagResourceResponse_httpStatus = Lens.lens (\TagResourceResponse' {httpStatus} -> httpStatus) (\s@TagResourceResponse' {} a -> s {httpStatus = a} :: TagResourceResponse)
+
+instance Prelude.NFData TagResourceResponse where
+  rnf TagResourceResponse' {..} = Prelude.rnf httpStatus
diff --git a/gen/Amazonka/IoTSecureTunneling/Types.hs b/gen/Amazonka/IoTSecureTunneling/Types.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Types.hs
@@ -0,0 +1,180 @@
+{-# LANGUAGE DisambiguateRecordFields #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Types
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Types
+  ( -- * Service Configuration
+    defaultService,
+
+    -- * Errors
+    _LimitExceededException,
+    _ResourceNotFoundException,
+
+    -- * ClientMode
+    ClientMode (..),
+
+    -- * ConnectionStatus
+    ConnectionStatus (..),
+
+    -- * TunnelStatus
+    TunnelStatus (..),
+
+    -- * ConnectionState
+    ConnectionState (..),
+    newConnectionState,
+    connectionState_lastUpdatedAt,
+    connectionState_status,
+
+    -- * DestinationConfig
+    DestinationConfig (..),
+    newDestinationConfig,
+    destinationConfig_thingName,
+    destinationConfig_services,
+
+    -- * Tag
+    Tag (..),
+    newTag,
+    tag_key,
+    tag_value,
+
+    -- * TimeoutConfig
+    TimeoutConfig (..),
+    newTimeoutConfig,
+    timeoutConfig_maxLifetimeTimeoutMinutes,
+
+    -- * Tunnel
+    Tunnel (..),
+    newTunnel,
+    tunnel_createdAt,
+    tunnel_description,
+    tunnel_destinationConfig,
+    tunnel_destinationConnectionState,
+    tunnel_lastUpdatedAt,
+    tunnel_sourceConnectionState,
+    tunnel_status,
+    tunnel_tags,
+    tunnel_timeoutConfig,
+    tunnel_tunnelArn,
+    tunnel_tunnelId,
+
+    -- * TunnelSummary
+    TunnelSummary (..),
+    newTunnelSummary,
+    tunnelSummary_createdAt,
+    tunnelSummary_description,
+    tunnelSummary_lastUpdatedAt,
+    tunnelSummary_status,
+    tunnelSummary_tunnelArn,
+    tunnelSummary_tunnelId,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import Amazonka.IoTSecureTunneling.Types.ClientMode
+import Amazonka.IoTSecureTunneling.Types.ConnectionState
+import Amazonka.IoTSecureTunneling.Types.ConnectionStatus
+import Amazonka.IoTSecureTunneling.Types.DestinationConfig
+import Amazonka.IoTSecureTunneling.Types.Tag
+import Amazonka.IoTSecureTunneling.Types.TimeoutConfig
+import Amazonka.IoTSecureTunneling.Types.Tunnel
+import Amazonka.IoTSecureTunneling.Types.TunnelStatus
+import Amazonka.IoTSecureTunneling.Types.TunnelSummary
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Sign.V4 as Sign
+
+-- | API version @2018-10-05@ of the Amazon IoT Secure Tunneling SDK configuration.
+defaultService :: Core.Service
+defaultService =
+  Core.Service
+    { Core.abbrev = "IoTSecureTunneling",
+      Core.signer = Sign.v4,
+      Core.endpointPrefix = "api.tunneling.iot",
+      Core.signingName = "IoTSecuredTunneling",
+      Core.version = "2018-10-05",
+      Core.s3AddressingStyle = Core.S3AddressingStyleAuto,
+      Core.endpoint = Core.defaultEndpoint defaultService,
+      Core.timeout = Prelude.Just 70,
+      Core.check = Core.statusSuccess,
+      Core.error =
+        Core.parseJSONError "IoTSecureTunneling",
+      Core.retry = retry
+    }
+  where
+    retry =
+      Core.Exponential
+        { Core.base = 5.0e-2,
+          Core.growth = 2,
+          Core.attempts = 5,
+          Core.check = check
+        }
+    check e
+      | Lens.has (Core.hasStatus 502) e =
+          Prelude.Just "bad_gateway"
+      | Lens.has (Core.hasStatus 504) e =
+          Prelude.Just "gateway_timeout"
+      | Lens.has (Core.hasStatus 500) e =
+          Prelude.Just "general_server_error"
+      | Lens.has (Core.hasStatus 509) e =
+          Prelude.Just "limit_exceeded"
+      | Lens.has
+          ( Core.hasCode "RequestThrottledException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "request_throttled_exception"
+      | Lens.has (Core.hasStatus 503) e =
+          Prelude.Just "service_unavailable"
+      | Lens.has
+          ( Core.hasCode "ThrottledException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throttled_exception"
+      | Lens.has
+          ( Core.hasCode "Throttling"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throttling"
+      | Lens.has
+          ( Core.hasCode "ThrottlingException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throttling_exception"
+      | Lens.has
+          ( Core.hasCode
+              "ProvisionedThroughputExceededException"
+              Prelude.. Core.hasStatus 400
+          )
+          e =
+          Prelude.Just "throughput_exceeded"
+      | Lens.has (Core.hasStatus 429) e =
+          Prelude.Just "too_many_requests"
+      | Prelude.otherwise = Prelude.Nothing
+
+-- | Thrown when a tunnel limit is exceeded.
+_LimitExceededException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_LimitExceededException =
+  Core._MatchServiceError
+    defaultService
+    "LimitExceededException"
+
+-- | Thrown when an operation is attempted on a resource that does not exist.
+_ResourceNotFoundException :: (Core.AsError a) => Lens.Fold a Core.ServiceError
+_ResourceNotFoundException =
+  Core._MatchServiceError
+    defaultService
+    "ResourceNotFoundException"
diff --git a/gen/Amazonka/IoTSecureTunneling/Types/ClientMode.hs b/gen/Amazonka/IoTSecureTunneling/Types/ClientMode.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Types/ClientMode.hs
@@ -0,0 +1,76 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Types.ClientMode
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Types.ClientMode
+  ( ClientMode
+      ( ..,
+        ClientMode_ALL,
+        ClientMode_DESTINATION,
+        ClientMode_SOURCE
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype ClientMode = ClientMode'
+  { fromClientMode ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern ClientMode_ALL :: ClientMode
+pattern ClientMode_ALL = ClientMode' "ALL"
+
+pattern ClientMode_DESTINATION :: ClientMode
+pattern ClientMode_DESTINATION = ClientMode' "DESTINATION"
+
+pattern ClientMode_SOURCE :: ClientMode
+pattern ClientMode_SOURCE = ClientMode' "SOURCE"
+
+{-# COMPLETE
+  ClientMode_ALL,
+  ClientMode_DESTINATION,
+  ClientMode_SOURCE,
+  ClientMode'
+  #-}
diff --git a/gen/Amazonka/IoTSecureTunneling/Types/ConnectionState.hs b/gen/Amazonka/IoTSecureTunneling/Types/ConnectionState.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Types/ConnectionState.hs
@@ -0,0 +1,88 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Types.ConnectionState
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Types.ConnectionState where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Types.ConnectionStatus
+import qualified Amazonka.Prelude as Prelude
+
+-- | The state of a connection.
+--
+-- /See:/ 'newConnectionState' smart constructor.
+data ConnectionState = ConnectionState'
+  { -- | The last time the connection status was updated.
+    lastUpdatedAt :: Prelude.Maybe Data.POSIX,
+    -- | The connection status of the tunnel. Valid values are @CONNECTED@ and
+    -- @DISCONNECTED@.
+    status :: Prelude.Maybe ConnectionStatus
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'ConnectionState' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'lastUpdatedAt', 'connectionState_lastUpdatedAt' - The last time the connection status was updated.
+--
+-- 'status', 'connectionState_status' - The connection status of the tunnel. Valid values are @CONNECTED@ and
+-- @DISCONNECTED@.
+newConnectionState ::
+  ConnectionState
+newConnectionState =
+  ConnectionState'
+    { lastUpdatedAt = Prelude.Nothing,
+      status = Prelude.Nothing
+    }
+
+-- | The last time the connection status was updated.
+connectionState_lastUpdatedAt :: Lens.Lens' ConnectionState (Prelude.Maybe Prelude.UTCTime)
+connectionState_lastUpdatedAt = Lens.lens (\ConnectionState' {lastUpdatedAt} -> lastUpdatedAt) (\s@ConnectionState' {} a -> s {lastUpdatedAt = a} :: ConnectionState) Prelude.. Lens.mapping Data._Time
+
+-- | The connection status of the tunnel. Valid values are @CONNECTED@ and
+-- @DISCONNECTED@.
+connectionState_status :: Lens.Lens' ConnectionState (Prelude.Maybe ConnectionStatus)
+connectionState_status = Lens.lens (\ConnectionState' {status} -> status) (\s@ConnectionState' {} a -> s {status = a} :: ConnectionState)
+
+instance Data.FromJSON ConnectionState where
+  parseJSON =
+    Data.withObject
+      "ConnectionState"
+      ( \x ->
+          ConnectionState'
+            Prelude.<$> (x Data..:? "lastUpdatedAt")
+            Prelude.<*> (x Data..:? "status")
+      )
+
+instance Prelude.Hashable ConnectionState where
+  hashWithSalt _salt ConnectionState' {..} =
+    _salt
+      `Prelude.hashWithSalt` lastUpdatedAt
+      `Prelude.hashWithSalt` status
+
+instance Prelude.NFData ConnectionState where
+  rnf ConnectionState' {..} =
+    Prelude.rnf lastUpdatedAt
+      `Prelude.seq` Prelude.rnf status
diff --git a/gen/Amazonka/IoTSecureTunneling/Types/ConnectionStatus.hs b/gen/Amazonka/IoTSecureTunneling/Types/ConnectionStatus.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Types/ConnectionStatus.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Types.ConnectionStatus
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Types.ConnectionStatus
+  ( ConnectionStatus
+      ( ..,
+        ConnectionStatus_CONNECTED,
+        ConnectionStatus_DISCONNECTED
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype ConnectionStatus = ConnectionStatus'
+  { fromConnectionStatus ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern ConnectionStatus_CONNECTED :: ConnectionStatus
+pattern ConnectionStatus_CONNECTED = ConnectionStatus' "CONNECTED"
+
+pattern ConnectionStatus_DISCONNECTED :: ConnectionStatus
+pattern ConnectionStatus_DISCONNECTED = ConnectionStatus' "DISCONNECTED"
+
+{-# COMPLETE
+  ConnectionStatus_CONNECTED,
+  ConnectionStatus_DISCONNECTED,
+  ConnectionStatus'
+  #-}
diff --git a/gen/Amazonka/IoTSecureTunneling/Types/DestinationConfig.hs b/gen/Amazonka/IoTSecureTunneling/Types/DestinationConfig.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Types/DestinationConfig.hs
@@ -0,0 +1,107 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Types.DestinationConfig
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Types.DestinationConfig where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | The destination configuration.
+--
+-- /See:/ 'newDestinationConfig' smart constructor.
+data DestinationConfig = DestinationConfig'
+  { -- | The name of the IoT thing to which you want to connect.
+    thingName :: Prelude.Maybe Prelude.Text,
+    -- | A list of service names that identify the target application. The IoT
+    -- client running on the destination device reads this value and uses it to
+    -- look up a port or an IP address and a port. The IoT client instantiates
+    -- the local proxy, which uses this information to connect to the
+    -- destination application.
+    services :: Prelude.NonEmpty Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'DestinationConfig' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'thingName', 'destinationConfig_thingName' - The name of the IoT thing to which you want to connect.
+--
+-- 'services', 'destinationConfig_services' - A list of service names that identify the target application. The IoT
+-- client running on the destination device reads this value and uses it to
+-- look up a port or an IP address and a port. The IoT client instantiates
+-- the local proxy, which uses this information to connect to the
+-- destination application.
+newDestinationConfig ::
+  -- | 'services'
+  Prelude.NonEmpty Prelude.Text ->
+  DestinationConfig
+newDestinationConfig pServices_ =
+  DestinationConfig'
+    { thingName = Prelude.Nothing,
+      services = Lens.coerced Lens.# pServices_
+    }
+
+-- | The name of the IoT thing to which you want to connect.
+destinationConfig_thingName :: Lens.Lens' DestinationConfig (Prelude.Maybe Prelude.Text)
+destinationConfig_thingName = Lens.lens (\DestinationConfig' {thingName} -> thingName) (\s@DestinationConfig' {} a -> s {thingName = a} :: DestinationConfig)
+
+-- | A list of service names that identify the target application. The IoT
+-- client running on the destination device reads this value and uses it to
+-- look up a port or an IP address and a port. The IoT client instantiates
+-- the local proxy, which uses this information to connect to the
+-- destination application.
+destinationConfig_services :: Lens.Lens' DestinationConfig (Prelude.NonEmpty Prelude.Text)
+destinationConfig_services = Lens.lens (\DestinationConfig' {services} -> services) (\s@DestinationConfig' {} a -> s {services = a} :: DestinationConfig) Prelude.. Lens.coerced
+
+instance Data.FromJSON DestinationConfig where
+  parseJSON =
+    Data.withObject
+      "DestinationConfig"
+      ( \x ->
+          DestinationConfig'
+            Prelude.<$> (x Data..:? "thingName")
+            Prelude.<*> (x Data..: "services")
+      )
+
+instance Prelude.Hashable DestinationConfig where
+  hashWithSalt _salt DestinationConfig' {..} =
+    _salt
+      `Prelude.hashWithSalt` thingName
+      `Prelude.hashWithSalt` services
+
+instance Prelude.NFData DestinationConfig where
+  rnf DestinationConfig' {..} =
+    Prelude.rnf thingName
+      `Prelude.seq` Prelude.rnf services
+
+instance Data.ToJSON DestinationConfig where
+  toJSON DestinationConfig' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("thingName" Data..=) Prelude.<$> thingName,
+            Prelude.Just ("services" Data..= services)
+          ]
+      )
diff --git a/gen/Amazonka/IoTSecureTunneling/Types/Tag.hs b/gen/Amazonka/IoTSecureTunneling/Types/Tag.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Types/Tag.hs
@@ -0,0 +1,94 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Types.Tag
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Types.Tag where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | An arbitary key\/value pair used to add searchable metadata to secure
+-- tunnel resources.
+--
+-- /See:/ 'newTag' smart constructor.
+data Tag = Tag'
+  { -- | The key of the tag.
+    key :: Prelude.Text,
+    -- | The value of the tag.
+    value :: Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'Tag' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'key', 'tag_key' - The key of the tag.
+--
+-- 'value', 'tag_value' - The value of the tag.
+newTag ::
+  -- | 'key'
+  Prelude.Text ->
+  -- | 'value'
+  Prelude.Text ->
+  Tag
+newTag pKey_ pValue_ =
+  Tag' {key = pKey_, value = pValue_}
+
+-- | The key of the tag.
+tag_key :: Lens.Lens' Tag Prelude.Text
+tag_key = Lens.lens (\Tag' {key} -> key) (\s@Tag' {} a -> s {key = a} :: Tag)
+
+-- | The value of the tag.
+tag_value :: Lens.Lens' Tag Prelude.Text
+tag_value = Lens.lens (\Tag' {value} -> value) (\s@Tag' {} a -> s {value = a} :: Tag)
+
+instance Data.FromJSON Tag where
+  parseJSON =
+    Data.withObject
+      "Tag"
+      ( \x ->
+          Tag'
+            Prelude.<$> (x Data..: "key")
+            Prelude.<*> (x Data..: "value")
+      )
+
+instance Prelude.Hashable Tag where
+  hashWithSalt _salt Tag' {..} =
+    _salt
+      `Prelude.hashWithSalt` key
+      `Prelude.hashWithSalt` value
+
+instance Prelude.NFData Tag where
+  rnf Tag' {..} =
+    Prelude.rnf key `Prelude.seq` Prelude.rnf value
+
+instance Data.ToJSON Tag where
+  toJSON Tag' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("key" Data..= key),
+            Prelude.Just ("value" Data..= value)
+          ]
+      )
diff --git a/gen/Amazonka/IoTSecureTunneling/Types/TimeoutConfig.hs b/gen/Amazonka/IoTSecureTunneling/Types/TimeoutConfig.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Types/TimeoutConfig.hs
@@ -0,0 +1,88 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Types.TimeoutConfig
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Types.TimeoutConfig where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+-- | Tunnel timeout configuration.
+--
+-- /See:/ 'newTimeoutConfig' smart constructor.
+data TimeoutConfig = TimeoutConfig'
+  { -- | The maximum amount of time (in minutes) a tunnel can remain open. If not
+    -- specified, maxLifetimeTimeoutMinutes defaults to 720 minutes. Valid
+    -- values are from 1 minute to 12 hours (720 minutes)
+    maxLifetimeTimeoutMinutes :: Prelude.Maybe Prelude.Natural
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'TimeoutConfig' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'maxLifetimeTimeoutMinutes', 'timeoutConfig_maxLifetimeTimeoutMinutes' - The maximum amount of time (in minutes) a tunnel can remain open. If not
+-- specified, maxLifetimeTimeoutMinutes defaults to 720 minutes. Valid
+-- values are from 1 minute to 12 hours (720 minutes)
+newTimeoutConfig ::
+  TimeoutConfig
+newTimeoutConfig =
+  TimeoutConfig'
+    { maxLifetimeTimeoutMinutes =
+        Prelude.Nothing
+    }
+
+-- | The maximum amount of time (in minutes) a tunnel can remain open. If not
+-- specified, maxLifetimeTimeoutMinutes defaults to 720 minutes. Valid
+-- values are from 1 minute to 12 hours (720 minutes)
+timeoutConfig_maxLifetimeTimeoutMinutes :: Lens.Lens' TimeoutConfig (Prelude.Maybe Prelude.Natural)
+timeoutConfig_maxLifetimeTimeoutMinutes = Lens.lens (\TimeoutConfig' {maxLifetimeTimeoutMinutes} -> maxLifetimeTimeoutMinutes) (\s@TimeoutConfig' {} a -> s {maxLifetimeTimeoutMinutes = a} :: TimeoutConfig)
+
+instance Data.FromJSON TimeoutConfig where
+  parseJSON =
+    Data.withObject
+      "TimeoutConfig"
+      ( \x ->
+          TimeoutConfig'
+            Prelude.<$> (x Data..:? "maxLifetimeTimeoutMinutes")
+      )
+
+instance Prelude.Hashable TimeoutConfig where
+  hashWithSalt _salt TimeoutConfig' {..} =
+    _salt
+      `Prelude.hashWithSalt` maxLifetimeTimeoutMinutes
+
+instance Prelude.NFData TimeoutConfig where
+  rnf TimeoutConfig' {..} =
+    Prelude.rnf maxLifetimeTimeoutMinutes
+
+instance Data.ToJSON TimeoutConfig where
+  toJSON TimeoutConfig' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ ("maxLifetimeTimeoutMinutes" Data..=)
+              Prelude.<$> maxLifetimeTimeoutMinutes
+          ]
+      )
diff --git a/gen/Amazonka/IoTSecureTunneling/Types/Tunnel.hs b/gen/Amazonka/IoTSecureTunneling/Types/Tunnel.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Types/Tunnel.hs
@@ -0,0 +1,203 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Types.Tunnel
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Types.Tunnel where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Types.ConnectionState
+import Amazonka.IoTSecureTunneling.Types.DestinationConfig
+import Amazonka.IoTSecureTunneling.Types.Tag
+import Amazonka.IoTSecureTunneling.Types.TimeoutConfig
+import Amazonka.IoTSecureTunneling.Types.TunnelStatus
+import qualified Amazonka.Prelude as Prelude
+
+-- | A connection between a source computer and a destination device.
+--
+-- /See:/ 'newTunnel' smart constructor.
+data Tunnel = Tunnel'
+  { -- | The time when the tunnel was created.
+    createdAt :: Prelude.Maybe Data.POSIX,
+    -- | A description of the tunnel.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | The destination configuration that specifies the thing name of the
+    -- destination device and a service name that the local proxy uses to
+    -- connect to the destination application.
+    destinationConfig :: Prelude.Maybe DestinationConfig,
+    -- | The connection state of the destination application.
+    destinationConnectionState :: Prelude.Maybe ConnectionState,
+    -- | The last time the tunnel was updated.
+    lastUpdatedAt :: Prelude.Maybe Data.POSIX,
+    -- | The connection state of the source application.
+    sourceConnectionState :: Prelude.Maybe ConnectionState,
+    -- | The status of a tunnel. Valid values are: Open and Closed.
+    status :: Prelude.Maybe TunnelStatus,
+    -- | A list of tag metadata associated with the secure tunnel.
+    tags :: Prelude.Maybe (Prelude.NonEmpty Tag),
+    -- | Timeout configuration for the tunnel.
+    timeoutConfig :: Prelude.Maybe TimeoutConfig,
+    -- | The Amazon Resource Name (ARN) of a tunnel.
+    tunnelArn :: Prelude.Maybe Prelude.Text,
+    -- | A unique alpha-numeric ID that identifies a tunnel.
+    tunnelId :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'Tunnel' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'createdAt', 'tunnel_createdAt' - The time when the tunnel was created.
+--
+-- 'description', 'tunnel_description' - A description of the tunnel.
+--
+-- 'destinationConfig', 'tunnel_destinationConfig' - The destination configuration that specifies the thing name of the
+-- destination device and a service name that the local proxy uses to
+-- connect to the destination application.
+--
+-- 'destinationConnectionState', 'tunnel_destinationConnectionState' - The connection state of the destination application.
+--
+-- 'lastUpdatedAt', 'tunnel_lastUpdatedAt' - The last time the tunnel was updated.
+--
+-- 'sourceConnectionState', 'tunnel_sourceConnectionState' - The connection state of the source application.
+--
+-- 'status', 'tunnel_status' - The status of a tunnel. Valid values are: Open and Closed.
+--
+-- 'tags', 'tunnel_tags' - A list of tag metadata associated with the secure tunnel.
+--
+-- 'timeoutConfig', 'tunnel_timeoutConfig' - Timeout configuration for the tunnel.
+--
+-- 'tunnelArn', 'tunnel_tunnelArn' - The Amazon Resource Name (ARN) of a tunnel.
+--
+-- 'tunnelId', 'tunnel_tunnelId' - A unique alpha-numeric ID that identifies a tunnel.
+newTunnel ::
+  Tunnel
+newTunnel =
+  Tunnel'
+    { createdAt = Prelude.Nothing,
+      description = Prelude.Nothing,
+      destinationConfig = Prelude.Nothing,
+      destinationConnectionState = Prelude.Nothing,
+      lastUpdatedAt = Prelude.Nothing,
+      sourceConnectionState = Prelude.Nothing,
+      status = Prelude.Nothing,
+      tags = Prelude.Nothing,
+      timeoutConfig = Prelude.Nothing,
+      tunnelArn = Prelude.Nothing,
+      tunnelId = Prelude.Nothing
+    }
+
+-- | The time when the tunnel was created.
+tunnel_createdAt :: Lens.Lens' Tunnel (Prelude.Maybe Prelude.UTCTime)
+tunnel_createdAt = Lens.lens (\Tunnel' {createdAt} -> createdAt) (\s@Tunnel' {} a -> s {createdAt = a} :: Tunnel) Prelude.. Lens.mapping Data._Time
+
+-- | A description of the tunnel.
+tunnel_description :: Lens.Lens' Tunnel (Prelude.Maybe Prelude.Text)
+tunnel_description = Lens.lens (\Tunnel' {description} -> description) (\s@Tunnel' {} a -> s {description = a} :: Tunnel)
+
+-- | The destination configuration that specifies the thing name of the
+-- destination device and a service name that the local proxy uses to
+-- connect to the destination application.
+tunnel_destinationConfig :: Lens.Lens' Tunnel (Prelude.Maybe DestinationConfig)
+tunnel_destinationConfig = Lens.lens (\Tunnel' {destinationConfig} -> destinationConfig) (\s@Tunnel' {} a -> s {destinationConfig = a} :: Tunnel)
+
+-- | The connection state of the destination application.
+tunnel_destinationConnectionState :: Lens.Lens' Tunnel (Prelude.Maybe ConnectionState)
+tunnel_destinationConnectionState = Lens.lens (\Tunnel' {destinationConnectionState} -> destinationConnectionState) (\s@Tunnel' {} a -> s {destinationConnectionState = a} :: Tunnel)
+
+-- | The last time the tunnel was updated.
+tunnel_lastUpdatedAt :: Lens.Lens' Tunnel (Prelude.Maybe Prelude.UTCTime)
+tunnel_lastUpdatedAt = Lens.lens (\Tunnel' {lastUpdatedAt} -> lastUpdatedAt) (\s@Tunnel' {} a -> s {lastUpdatedAt = a} :: Tunnel) Prelude.. Lens.mapping Data._Time
+
+-- | The connection state of the source application.
+tunnel_sourceConnectionState :: Lens.Lens' Tunnel (Prelude.Maybe ConnectionState)
+tunnel_sourceConnectionState = Lens.lens (\Tunnel' {sourceConnectionState} -> sourceConnectionState) (\s@Tunnel' {} a -> s {sourceConnectionState = a} :: Tunnel)
+
+-- | The status of a tunnel. Valid values are: Open and Closed.
+tunnel_status :: Lens.Lens' Tunnel (Prelude.Maybe TunnelStatus)
+tunnel_status = Lens.lens (\Tunnel' {status} -> status) (\s@Tunnel' {} a -> s {status = a} :: Tunnel)
+
+-- | A list of tag metadata associated with the secure tunnel.
+tunnel_tags :: Lens.Lens' Tunnel (Prelude.Maybe (Prelude.NonEmpty Tag))
+tunnel_tags = Lens.lens (\Tunnel' {tags} -> tags) (\s@Tunnel' {} a -> s {tags = a} :: Tunnel) Prelude.. Lens.mapping Lens.coerced
+
+-- | Timeout configuration for the tunnel.
+tunnel_timeoutConfig :: Lens.Lens' Tunnel (Prelude.Maybe TimeoutConfig)
+tunnel_timeoutConfig = Lens.lens (\Tunnel' {timeoutConfig} -> timeoutConfig) (\s@Tunnel' {} a -> s {timeoutConfig = a} :: Tunnel)
+
+-- | The Amazon Resource Name (ARN) of a tunnel.
+tunnel_tunnelArn :: Lens.Lens' Tunnel (Prelude.Maybe Prelude.Text)
+tunnel_tunnelArn = Lens.lens (\Tunnel' {tunnelArn} -> tunnelArn) (\s@Tunnel' {} a -> s {tunnelArn = a} :: Tunnel)
+
+-- | A unique alpha-numeric ID that identifies a tunnel.
+tunnel_tunnelId :: Lens.Lens' Tunnel (Prelude.Maybe Prelude.Text)
+tunnel_tunnelId = Lens.lens (\Tunnel' {tunnelId} -> tunnelId) (\s@Tunnel' {} a -> s {tunnelId = a} :: Tunnel)
+
+instance Data.FromJSON Tunnel where
+  parseJSON =
+    Data.withObject
+      "Tunnel"
+      ( \x ->
+          Tunnel'
+            Prelude.<$> (x Data..:? "createdAt")
+            Prelude.<*> (x Data..:? "description")
+            Prelude.<*> (x Data..:? "destinationConfig")
+            Prelude.<*> (x Data..:? "destinationConnectionState")
+            Prelude.<*> (x Data..:? "lastUpdatedAt")
+            Prelude.<*> (x Data..:? "sourceConnectionState")
+            Prelude.<*> (x Data..:? "status")
+            Prelude.<*> (x Data..:? "tags")
+            Prelude.<*> (x Data..:? "timeoutConfig")
+            Prelude.<*> (x Data..:? "tunnelArn")
+            Prelude.<*> (x Data..:? "tunnelId")
+      )
+
+instance Prelude.Hashable Tunnel where
+  hashWithSalt _salt Tunnel' {..} =
+    _salt
+      `Prelude.hashWithSalt` createdAt
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` destinationConfig
+      `Prelude.hashWithSalt` destinationConnectionState
+      `Prelude.hashWithSalt` lastUpdatedAt
+      `Prelude.hashWithSalt` sourceConnectionState
+      `Prelude.hashWithSalt` status
+      `Prelude.hashWithSalt` tags
+      `Prelude.hashWithSalt` timeoutConfig
+      `Prelude.hashWithSalt` tunnelArn
+      `Prelude.hashWithSalt` tunnelId
+
+instance Prelude.NFData Tunnel where
+  rnf Tunnel' {..} =
+    Prelude.rnf createdAt
+      `Prelude.seq` Prelude.rnf description
+      `Prelude.seq` Prelude.rnf destinationConfig
+      `Prelude.seq` Prelude.rnf destinationConnectionState
+      `Prelude.seq` Prelude.rnf lastUpdatedAt
+      `Prelude.seq` Prelude.rnf sourceConnectionState
+      `Prelude.seq` Prelude.rnf status
+      `Prelude.seq` Prelude.rnf tags
+      `Prelude.seq` Prelude.rnf timeoutConfig
+      `Prelude.seq` Prelude.rnf tunnelArn
+      `Prelude.seq` Prelude.rnf tunnelId
diff --git a/gen/Amazonka/IoTSecureTunneling/Types/TunnelStatus.hs b/gen/Amazonka/IoTSecureTunneling/Types/TunnelStatus.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Types/TunnelStatus.hs
@@ -0,0 +1,71 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE PatternSynonyms #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Types.TunnelStatus
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Types.TunnelStatus
+  ( TunnelStatus
+      ( ..,
+        TunnelStatus_CLOSED,
+        TunnelStatus_OPEN
+      ),
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Data as Data
+import qualified Amazonka.Prelude as Prelude
+
+newtype TunnelStatus = TunnelStatus'
+  { fromTunnelStatus ::
+      Data.Text
+  }
+  deriving stock
+    ( Prelude.Show,
+      Prelude.Read,
+      Prelude.Eq,
+      Prelude.Ord,
+      Prelude.Generic
+    )
+  deriving newtype
+    ( Prelude.Hashable,
+      Prelude.NFData,
+      Data.FromText,
+      Data.ToText,
+      Data.ToByteString,
+      Data.ToLog,
+      Data.ToHeader,
+      Data.ToQuery,
+      Data.FromJSON,
+      Data.FromJSONKey,
+      Data.ToJSON,
+      Data.ToJSONKey,
+      Data.FromXML,
+      Data.ToXML
+    )
+
+pattern TunnelStatus_CLOSED :: TunnelStatus
+pattern TunnelStatus_CLOSED = TunnelStatus' "CLOSED"
+
+pattern TunnelStatus_OPEN :: TunnelStatus
+pattern TunnelStatus_OPEN = TunnelStatus' "OPEN"
+
+{-# COMPLETE
+  TunnelStatus_CLOSED,
+  TunnelStatus_OPEN,
+  TunnelStatus'
+  #-}
diff --git a/gen/Amazonka/IoTSecureTunneling/Types/TunnelSummary.hs b/gen/Amazonka/IoTSecureTunneling/Types/TunnelSummary.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Types/TunnelSummary.hs
@@ -0,0 +1,133 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Types.TunnelSummary
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Types.TunnelSummary where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Types.TunnelStatus
+import qualified Amazonka.Prelude as Prelude
+
+-- | Information about the tunnel.
+--
+-- /See:/ 'newTunnelSummary' smart constructor.
+data TunnelSummary = TunnelSummary'
+  { -- | The time the tunnel was created.
+    createdAt :: Prelude.Maybe Data.POSIX,
+    -- | A description of the tunnel.
+    description :: Prelude.Maybe Prelude.Text,
+    -- | The time the tunnel was last updated.
+    lastUpdatedAt :: Prelude.Maybe Data.POSIX,
+    -- | The status of a tunnel. Valid values are: Open and Closed.
+    status :: Prelude.Maybe TunnelStatus,
+    -- | The Amazon Resource Name of the tunnel.
+    tunnelArn :: Prelude.Maybe Prelude.Text,
+    -- | The unique alpha-numeric identifier for the tunnel.
+    tunnelId :: Prelude.Maybe Prelude.Text
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'TunnelSummary' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'createdAt', 'tunnelSummary_createdAt' - The time the tunnel was created.
+--
+-- 'description', 'tunnelSummary_description' - A description of the tunnel.
+--
+-- 'lastUpdatedAt', 'tunnelSummary_lastUpdatedAt' - The time the tunnel was last updated.
+--
+-- 'status', 'tunnelSummary_status' - The status of a tunnel. Valid values are: Open and Closed.
+--
+-- 'tunnelArn', 'tunnelSummary_tunnelArn' - The Amazon Resource Name of the tunnel.
+--
+-- 'tunnelId', 'tunnelSummary_tunnelId' - The unique alpha-numeric identifier for the tunnel.
+newTunnelSummary ::
+  TunnelSummary
+newTunnelSummary =
+  TunnelSummary'
+    { createdAt = Prelude.Nothing,
+      description = Prelude.Nothing,
+      lastUpdatedAt = Prelude.Nothing,
+      status = Prelude.Nothing,
+      tunnelArn = Prelude.Nothing,
+      tunnelId = Prelude.Nothing
+    }
+
+-- | The time the tunnel was created.
+tunnelSummary_createdAt :: Lens.Lens' TunnelSummary (Prelude.Maybe Prelude.UTCTime)
+tunnelSummary_createdAt = Lens.lens (\TunnelSummary' {createdAt} -> createdAt) (\s@TunnelSummary' {} a -> s {createdAt = a} :: TunnelSummary) Prelude.. Lens.mapping Data._Time
+
+-- | A description of the tunnel.
+tunnelSummary_description :: Lens.Lens' TunnelSummary (Prelude.Maybe Prelude.Text)
+tunnelSummary_description = Lens.lens (\TunnelSummary' {description} -> description) (\s@TunnelSummary' {} a -> s {description = a} :: TunnelSummary)
+
+-- | The time the tunnel was last updated.
+tunnelSummary_lastUpdatedAt :: Lens.Lens' TunnelSummary (Prelude.Maybe Prelude.UTCTime)
+tunnelSummary_lastUpdatedAt = Lens.lens (\TunnelSummary' {lastUpdatedAt} -> lastUpdatedAt) (\s@TunnelSummary' {} a -> s {lastUpdatedAt = a} :: TunnelSummary) Prelude.. Lens.mapping Data._Time
+
+-- | The status of a tunnel. Valid values are: Open and Closed.
+tunnelSummary_status :: Lens.Lens' TunnelSummary (Prelude.Maybe TunnelStatus)
+tunnelSummary_status = Lens.lens (\TunnelSummary' {status} -> status) (\s@TunnelSummary' {} a -> s {status = a} :: TunnelSummary)
+
+-- | The Amazon Resource Name of the tunnel.
+tunnelSummary_tunnelArn :: Lens.Lens' TunnelSummary (Prelude.Maybe Prelude.Text)
+tunnelSummary_tunnelArn = Lens.lens (\TunnelSummary' {tunnelArn} -> tunnelArn) (\s@TunnelSummary' {} a -> s {tunnelArn = a} :: TunnelSummary)
+
+-- | The unique alpha-numeric identifier for the tunnel.
+tunnelSummary_tunnelId :: Lens.Lens' TunnelSummary (Prelude.Maybe Prelude.Text)
+tunnelSummary_tunnelId = Lens.lens (\TunnelSummary' {tunnelId} -> tunnelId) (\s@TunnelSummary' {} a -> s {tunnelId = a} :: TunnelSummary)
+
+instance Data.FromJSON TunnelSummary where
+  parseJSON =
+    Data.withObject
+      "TunnelSummary"
+      ( \x ->
+          TunnelSummary'
+            Prelude.<$> (x Data..:? "createdAt")
+            Prelude.<*> (x Data..:? "description")
+            Prelude.<*> (x Data..:? "lastUpdatedAt")
+            Prelude.<*> (x Data..:? "status")
+            Prelude.<*> (x Data..:? "tunnelArn")
+            Prelude.<*> (x Data..:? "tunnelId")
+      )
+
+instance Prelude.Hashable TunnelSummary where
+  hashWithSalt _salt TunnelSummary' {..} =
+    _salt
+      `Prelude.hashWithSalt` createdAt
+      `Prelude.hashWithSalt` description
+      `Prelude.hashWithSalt` lastUpdatedAt
+      `Prelude.hashWithSalt` status
+      `Prelude.hashWithSalt` tunnelArn
+      `Prelude.hashWithSalt` tunnelId
+
+instance Prelude.NFData TunnelSummary where
+  rnf TunnelSummary' {..} =
+    Prelude.rnf createdAt
+      `Prelude.seq` Prelude.rnf description
+      `Prelude.seq` Prelude.rnf lastUpdatedAt
+      `Prelude.seq` Prelude.rnf status
+      `Prelude.seq` Prelude.rnf tunnelArn
+      `Prelude.seq` Prelude.rnf tunnelId
diff --git a/gen/Amazonka/IoTSecureTunneling/UntagResource.hs b/gen/Amazonka/IoTSecureTunneling/UntagResource.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/UntagResource.hs
@@ -0,0 +1,171 @@
+{-# LANGUAGE DeriveGeneric #-}
+{-# LANGUAGE DuplicateRecordFields #-}
+{-# LANGUAGE NamedFieldPuns #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE RecordWildCards #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.UntagResource
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Removes a tag from a resource.
+module Amazonka.IoTSecureTunneling.UntagResource
+  ( -- * Creating a Request
+    UntagResource (..),
+    newUntagResource,
+
+    -- * Request Lenses
+    untagResource_resourceArn,
+    untagResource_tagKeys,
+
+    -- * Destructuring the Response
+    UntagResourceResponse (..),
+    newUntagResourceResponse,
+
+    -- * Response Lenses
+    untagResourceResponse_httpStatus,
+  )
+where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Types
+import qualified Amazonka.Prelude as Prelude
+import qualified Amazonka.Request as Request
+import qualified Amazonka.Response as Response
+
+-- | /See:/ 'newUntagResource' smart constructor.
+data UntagResource = UntagResource'
+  { -- | The resource ARN.
+    resourceArn :: Prelude.Text,
+    -- | The keys of the tags to remove.
+    tagKeys :: [Prelude.Text]
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UntagResource' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'resourceArn', 'untagResource_resourceArn' - The resource ARN.
+--
+-- 'tagKeys', 'untagResource_tagKeys' - The keys of the tags to remove.
+newUntagResource ::
+  -- | 'resourceArn'
+  Prelude.Text ->
+  UntagResource
+newUntagResource pResourceArn_ =
+  UntagResource'
+    { resourceArn = pResourceArn_,
+      tagKeys = Prelude.mempty
+    }
+
+-- | The resource ARN.
+untagResource_resourceArn :: Lens.Lens' UntagResource Prelude.Text
+untagResource_resourceArn = Lens.lens (\UntagResource' {resourceArn} -> resourceArn) (\s@UntagResource' {} a -> s {resourceArn = a} :: UntagResource)
+
+-- | The keys of the tags to remove.
+untagResource_tagKeys :: Lens.Lens' UntagResource [Prelude.Text]
+untagResource_tagKeys = Lens.lens (\UntagResource' {tagKeys} -> tagKeys) (\s@UntagResource' {} a -> s {tagKeys = a} :: UntagResource) Prelude.. Lens.coerced
+
+instance Core.AWSRequest UntagResource where
+  type
+    AWSResponse UntagResource =
+      UntagResourceResponse
+  request overrides =
+    Request.postJSON (overrides defaultService)
+  response =
+    Response.receiveEmpty
+      ( \s h x ->
+          UntagResourceResponse'
+            Prelude.<$> (Prelude.pure (Prelude.fromEnum s))
+      )
+
+instance Prelude.Hashable UntagResource where
+  hashWithSalt _salt UntagResource' {..} =
+    _salt
+      `Prelude.hashWithSalt` resourceArn
+      `Prelude.hashWithSalt` tagKeys
+
+instance Prelude.NFData UntagResource where
+  rnf UntagResource' {..} =
+    Prelude.rnf resourceArn
+      `Prelude.seq` Prelude.rnf tagKeys
+
+instance Data.ToHeaders UntagResource where
+  toHeaders =
+    Prelude.const
+      ( Prelude.mconcat
+          [ "X-Amz-Target"
+              Data.=# ( "IoTSecuredTunneling.UntagResource" ::
+                          Prelude.ByteString
+                      ),
+            "Content-Type"
+              Data.=# ( "application/x-amz-json-1.1" ::
+                          Prelude.ByteString
+                      )
+          ]
+      )
+
+instance Data.ToJSON UntagResource where
+  toJSON UntagResource' {..} =
+    Data.object
+      ( Prelude.catMaybes
+          [ Prelude.Just ("resourceArn" Data..= resourceArn),
+            Prelude.Just ("tagKeys" Data..= tagKeys)
+          ]
+      )
+
+instance Data.ToPath UntagResource where
+  toPath = Prelude.const "/"
+
+instance Data.ToQuery UntagResource where
+  toQuery = Prelude.const Prelude.mempty
+
+-- | /See:/ 'newUntagResourceResponse' smart constructor.
+data UntagResourceResponse = UntagResourceResponse'
+  { -- | The response's http status code.
+    httpStatus :: Prelude.Int
+  }
+  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
+
+-- |
+-- Create a value of 'UntagResourceResponse' with all optional fields omitted.
+--
+-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
+--
+-- The following record fields are available, with the corresponding lenses provided
+-- for backwards compatibility:
+--
+-- 'httpStatus', 'untagResourceResponse_httpStatus' - The response's http status code.
+newUntagResourceResponse ::
+  -- | 'httpStatus'
+  Prelude.Int ->
+  UntagResourceResponse
+newUntagResourceResponse pHttpStatus_ =
+  UntagResourceResponse' {httpStatus = pHttpStatus_}
+
+-- | The response's http status code.
+untagResourceResponse_httpStatus :: Lens.Lens' UntagResourceResponse Prelude.Int
+untagResourceResponse_httpStatus = Lens.lens (\UntagResourceResponse' {httpStatus} -> httpStatus) (\s@UntagResourceResponse' {} a -> s {httpStatus = a} :: UntagResourceResponse)
+
+instance Prelude.NFData UntagResourceResponse where
+  rnf UntagResourceResponse' {..} =
+    Prelude.rnf httpStatus
diff --git a/gen/Amazonka/IoTSecureTunneling/Waiters.hs b/gen/Amazonka/IoTSecureTunneling/Waiters.hs
new file mode 100644
--- /dev/null
+++ b/gen/Amazonka/IoTSecureTunneling/Waiters.hs
@@ -0,0 +1,24 @@
+{-# LANGUAGE DisambiguateRecordFields #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE StrictData #-}
+{-# LANGUAGE TypeFamilies #-}
+{-# LANGUAGE NoImplicitPrelude #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Amazonka.IoTSecureTunneling.Waiters
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Amazonka.IoTSecureTunneling.Waiters where
+
+import qualified Amazonka.Core as Core
+import qualified Amazonka.Core.Lens.Internal as Lens
+import qualified Amazonka.Data as Data
+import Amazonka.IoTSecureTunneling.Lens
+import Amazonka.IoTSecureTunneling.Types
+import qualified Amazonka.Prelude as Prelude
diff --git a/src/.gitkeep b/src/.gitkeep
new file mode 100644
--- /dev/null
+++ b/src/.gitkeep
diff --git a/test/Main.hs b/test/Main.hs
new file mode 100644
--- /dev/null
+++ b/test/Main.hs
@@ -0,0 +1,23 @@
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- |
+-- Module      : Main
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Main (main) where
+
+import Test.Amazonka.IoTSecureTunneling
+import Test.Amazonka.IoTSecureTunneling.Internal
+import Test.Tasty
+
+main :: IO ()
+main =
+  defaultMain $
+    testGroup
+      "IoTSecureTunneling"
+      [ testGroup "tests" tests,
+        testGroup "fixtures" fixtures
+      ]
diff --git a/test/Test/Amazonka/Gen/IoTSecureTunneling.hs b/test/Test/Amazonka/Gen/IoTSecureTunneling.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/Amazonka/Gen/IoTSecureTunneling.hs
@@ -0,0 +1,198 @@
+{-# OPTIONS_GHC -fno-warn-orphans #-}
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Test.Amazonka.Gen.IoTSecureTunneling
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Test.Amazonka.Gen.IoTSecureTunneling where
+
+import Amazonka.IoTSecureTunneling
+import qualified Data.Proxy as Proxy
+import Test.Amazonka.Fixture
+import Test.Amazonka.IoTSecureTunneling.Internal
+import Test.Amazonka.Prelude
+import Test.Tasty
+
+-- Auto-generated: the actual test selection needs to be manually placed into
+-- the top-level so that real test data can be incrementally added.
+--
+-- This commented snippet is what the entire set should look like:
+
+-- fixtures :: TestTree
+-- fixtures =
+--     [ testGroup "request"
+--         [ requestCloseTunnel $
+--             newCloseTunnel
+--
+--         , requestDescribeTunnel $
+--             newDescribeTunnel
+--
+--         , requestListTagsForResource $
+--             newListTagsForResource
+--
+--         , requestListTunnels $
+--             newListTunnels
+--
+--         , requestOpenTunnel $
+--             newOpenTunnel
+--
+--         , requestRotateTunnelAccessToken $
+--             newRotateTunnelAccessToken
+--
+--         , requestTagResource $
+--             newTagResource
+--
+--         , requestUntagResource $
+--             newUntagResource
+--
+--           ]
+
+--     , testGroup "response"
+--         [ responseCloseTunnel $
+--             newCloseTunnelResponse
+--
+--         , responseDescribeTunnel $
+--             newDescribeTunnelResponse
+--
+--         , responseListTagsForResource $
+--             newListTagsForResourceResponse
+--
+--         , responseListTunnels $
+--             newListTunnelsResponse
+--
+--         , responseOpenTunnel $
+--             newOpenTunnelResponse
+--
+--         , responseRotateTunnelAccessToken $
+--             newRotateTunnelAccessTokenResponse
+--
+--         , responseTagResource $
+--             newTagResourceResponse
+--
+--         , responseUntagResource $
+--             newUntagResourceResponse
+--
+--           ]
+--     ]
+
+-- Requests
+
+requestCloseTunnel :: CloseTunnel -> TestTree
+requestCloseTunnel =
+  req
+    "CloseTunnel"
+    "fixture/CloseTunnel.yaml"
+
+requestDescribeTunnel :: DescribeTunnel -> TestTree
+requestDescribeTunnel =
+  req
+    "DescribeTunnel"
+    "fixture/DescribeTunnel.yaml"
+
+requestListTagsForResource :: ListTagsForResource -> TestTree
+requestListTagsForResource =
+  req
+    "ListTagsForResource"
+    "fixture/ListTagsForResource.yaml"
+
+requestListTunnels :: ListTunnels -> TestTree
+requestListTunnels =
+  req
+    "ListTunnels"
+    "fixture/ListTunnels.yaml"
+
+requestOpenTunnel :: OpenTunnel -> TestTree
+requestOpenTunnel =
+  req
+    "OpenTunnel"
+    "fixture/OpenTunnel.yaml"
+
+requestRotateTunnelAccessToken :: RotateTunnelAccessToken -> TestTree
+requestRotateTunnelAccessToken =
+  req
+    "RotateTunnelAccessToken"
+    "fixture/RotateTunnelAccessToken.yaml"
+
+requestTagResource :: TagResource -> TestTree
+requestTagResource =
+  req
+    "TagResource"
+    "fixture/TagResource.yaml"
+
+requestUntagResource :: UntagResource -> TestTree
+requestUntagResource =
+  req
+    "UntagResource"
+    "fixture/UntagResource.yaml"
+
+-- Responses
+
+responseCloseTunnel :: CloseTunnelResponse -> TestTree
+responseCloseTunnel =
+  res
+    "CloseTunnelResponse"
+    "fixture/CloseTunnelResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy CloseTunnel)
+
+responseDescribeTunnel :: DescribeTunnelResponse -> TestTree
+responseDescribeTunnel =
+  res
+    "DescribeTunnelResponse"
+    "fixture/DescribeTunnelResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy DescribeTunnel)
+
+responseListTagsForResource :: ListTagsForResourceResponse -> TestTree
+responseListTagsForResource =
+  res
+    "ListTagsForResourceResponse"
+    "fixture/ListTagsForResourceResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy ListTagsForResource)
+
+responseListTunnels :: ListTunnelsResponse -> TestTree
+responseListTunnels =
+  res
+    "ListTunnelsResponse"
+    "fixture/ListTunnelsResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy ListTunnels)
+
+responseOpenTunnel :: OpenTunnelResponse -> TestTree
+responseOpenTunnel =
+  res
+    "OpenTunnelResponse"
+    "fixture/OpenTunnelResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy OpenTunnel)
+
+responseRotateTunnelAccessToken :: RotateTunnelAccessTokenResponse -> TestTree
+responseRotateTunnelAccessToken =
+  res
+    "RotateTunnelAccessTokenResponse"
+    "fixture/RotateTunnelAccessTokenResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy RotateTunnelAccessToken)
+
+responseTagResource :: TagResourceResponse -> TestTree
+responseTagResource =
+  res
+    "TagResourceResponse"
+    "fixture/TagResourceResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy TagResource)
+
+responseUntagResource :: UntagResourceResponse -> TestTree
+responseUntagResource =
+  res
+    "UntagResourceResponse"
+    "fixture/UntagResourceResponse.proto"
+    defaultService
+    (Proxy.Proxy :: Proxy.Proxy UntagResource)
diff --git a/test/Test/Amazonka/IoTSecureTunneling.hs b/test/Test/Amazonka/IoTSecureTunneling.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/Amazonka/IoTSecureTunneling.hs
@@ -0,0 +1,20 @@
+-- |
+-- Module      : Test.Amazonka.IoTSecureTunneling
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Test.Amazonka.IoTSecureTunneling
+  ( tests,
+    fixtures,
+  )
+where
+
+import Test.Tasty (TestTree)
+
+tests :: [TestTree]
+tests = []
+
+fixtures :: [TestTree]
+fixtures = []
diff --git a/test/Test/Amazonka/IoTSecureTunneling/Internal.hs b/test/Test/Amazonka/IoTSecureTunneling/Internal.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/Amazonka/IoTSecureTunneling/Internal.hs
@@ -0,0 +1,8 @@
+-- |
+-- Module      : Test.Amazonka.IoTSecureTunneling.Internal
+-- Copyright   : (c) 2013-2023 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+module Test.Amazonka.IoTSecureTunneling.Internal where
