diff --git a/LICENSE b/LICENSE
new file mode 100644
--- /dev/null
+++ b/LICENSE
@@ -0,0 +1,367 @@
+Mozilla Public License Version 2.0
+==================================
+
+1. Definitions
+--------------
+
+1.1. "Contributor"
+    means each individual or legal entity that creates, contributes to
+    the creation of, or owns Covered Software.
+
+1.2. "Contributor Version"
+    means the combination of the Contributions of others (if any) used
+    by a Contributor and that particular Contributor's Contribution.
+
+1.3. "Contribution"
+    means Covered Software of a particular Contributor.
+
+1.4. "Covered Software"
+    means Source Code Form to which the initial Contributor has attached
+    the notice in Exhibit A, the Executable Form of such Source Code
+    Form, and Modifications of such Source Code Form, in each case
+    including portions thereof.
+
+1.5. "Incompatible With Secondary Licenses"
+    means
+
+    (a) that the initial Contributor has attached the notice described
+        in Exhibit B to the Covered Software; or
+
+    (b) that the Covered Software was made available under the terms of
+        version 1.1 or earlier of the License, but not also under the
+        terms of a Secondary License.
+
+1.6. "Executable Form"
+    means any form of the work other than Source Code Form.
+
+1.7. "Larger Work"
+    means a work that combines Covered Software with other material, in
+    a separate file or files, that is not Covered Software.
+
+1.8. "License"
+    means this document.
+
+1.9. "Licensable"
+    means having the right to grant, to the maximum extent possible,
+    whether at the time of the initial grant or subsequently, any and
+    all of the rights conveyed by this License.
+
+1.10. "Modifications"
+    means any of the following:
+
+    (a) any file in Source Code Form that results from an addition to,
+        deletion from, or modification of the contents of Covered
+        Software; or
+
+    (b) any new file in Source Code Form that contains any Covered
+        Software.
+
+1.11. "Patent Claims" of a Contributor
+    means any patent claim(s), including without limitation, method,
+    process, and apparatus claims, in any patent Licensable by such
+    Contributor that would be infringed, but for the grant of the
+    License, by the making, using, selling, offering for sale, having
+    made, import, or transfer of either its Contributions or its
+    Contributor Version.
+
+1.12. "Secondary License"
+    means either the GNU General Public License, Version 2.0, the GNU
+    Lesser General Public License, Version 2.1, the GNU Affero General
+    Public License, Version 3.0, or any later versions of those
+    licenses.
+
+1.13. "Source Code Form"
+    means the form of the work preferred for making modifications.
+
+1.14. "You" (or "Your")
+    means an individual or a legal entity exercising rights under this
+    License. For legal entities, "You" includes any entity that
+    controls, is controlled by, or is under common control with You. For
+    purposes of this definition, "control" means (a) the power, direct
+    or indirect, to cause the direction or management of such entity,
+    whether by contract or otherwise, or (b) ownership of more than
+    fifty percent (50%) of the outstanding shares or beneficial
+    ownership of such entity.
+
+2. License Grants and Conditions
+--------------------------------
+
+2.1. Grants
+
+Each Contributor hereby grants You a world-wide, royalty-free,
+non-exclusive license:
+
+(a) under intellectual property rights (other than patent or trademark)
+    Licensable by such Contributor to use, reproduce, make available,
+    modify, display, perform, distribute, and otherwise exploit its
+    Contributions, either on an unmodified basis, with Modifications, or
+    as part of a Larger Work; and
+
+(b) under Patent Claims of such Contributor to make, use, sell, offer
+    for sale, have made, import, and otherwise transfer either its
+    Contributions or its Contributor Version.
+
+2.2. Effective Date
+
+The licenses granted in Section 2.1 with respect to any Contribution
+become effective for each Contribution on the date the Contributor first
+distributes such Contribution.
+
+2.3. Limitations on Grant Scope
+
+The licenses granted in this Section 2 are the only rights granted under
+this License. No additional rights or licenses will be implied from the
+distribution or licensing of Covered Software under this License.
+Notwithstanding Section 2.1(b) above, no patent license is granted by a
+Contributor:
+
+(a) for any code that a Contributor has removed from Covered Software;
+    or
+
+(b) for infringements caused by: (i) Your and any other third party's
+    modifications of Covered Software, or (ii) the combination of its
+    Contributions with other software (except as part of its Contributor
+    Version); or
+
+(c) under Patent Claims infringed by Covered Software in the absence of
+    its Contributions.
+
+This License does not grant any rights in the trademarks, service marks,
+or logos of any Contributor (except as may be necessary to comply with
+the notice requirements in Section 3.4).
+
+2.4. Subsequent Licenses
+
+No Contributor makes additional grants as a result of Your choice to
+distribute the Covered Software under a subsequent version of this
+License (see Section 10.2) or under the terms of a Secondary License (if
+permitted under the terms of Section 3.3).
+
+2.5. Representation
+
+Each Contributor represents that the Contributor believes its
+Contributions are its original creation(s) or it has sufficient rights
+to grant the rights to its Contributions conveyed by this License.
+
+2.6. Fair Use
+
+This License is not intended to limit any rights You have under
+applicable copyright doctrines of fair use, fair dealing, or other
+equivalents.
+
+2.7. Conditions
+
+Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted
+in Section 2.1.
+
+3. Responsibilities
+-------------------
+
+3.1. Distribution of Source Form
+
+All distribution of Covered Software in Source Code Form, including any
+Modifications that You create or to which You contribute, must be under
+the terms of this License. You must inform recipients that the Source
+Code Form of the Covered Software is governed by the terms of this
+License, and how they can obtain a copy of this License. You may not
+attempt to alter or restrict the recipients' rights in the Source Code
+Form.
+
+3.2. Distribution of Executable Form
+
+If You distribute Covered Software in Executable Form then:
+
+(a) such Covered Software must also be made available in Source Code
+    Form, as described in Section 3.1, and You must inform recipients of
+    the Executable Form how they can obtain a copy of such Source Code
+    Form by reasonable means in a timely manner, at a charge no more
+    than the cost of distribution to the recipient; and
+
+(b) You may distribute such Executable Form under the terms of this
+    License, or sublicense it under different terms, provided that the
+    license for the Executable Form does not attempt to limit or alter
+    the recipients' rights in the Source Code Form under this License.
+
+3.3. Distribution of a Larger Work
+
+You may create and distribute a Larger Work under terms of Your choice,
+provided that You also comply with the requirements of this License for
+the Covered Software. If the Larger Work is a combination of Covered
+Software with a work governed by one or more Secondary Licenses, and the
+Covered Software is not Incompatible With Secondary Licenses, this
+License permits You to additionally distribute such Covered Software
+under the terms of such Secondary License(s), so that the recipient of
+the Larger Work may, at their option, further distribute the Covered
+Software under the terms of either this License or such Secondary
+License(s).
+
+3.4. Notices
+
+You may not remove or alter the substance of any license notices
+(including copyright notices, patent notices, disclaimers of warranty,
+or limitations of liability) contained within the Source Code Form of
+the Covered Software, except that You may alter any license notices to
+the extent required to remedy known factual inaccuracies.
+
+3.5. Application of Additional Terms
+
+You may choose to offer, and to charge a fee for, warranty, support,
+indemnity or liability obligations to one or more recipients of Covered
+Software. However, You may do so only on Your own behalf, and not on
+behalf of any Contributor. You must make it absolutely clear that any
+such warranty, support, indemnity, or liability obligation is offered by
+You alone, and You hereby agree to indemnify every Contributor for any
+liability incurred by such Contributor as a result of warranty, support,
+indemnity or liability terms You offer. You may include additional
+disclaimers of warranty and limitations of liability specific to any
+jurisdiction.
+
+4. Inability to Comply Due to Statute or Regulation
+---------------------------------------------------
+
+If it is impossible for You to comply with any of the terms of this
+License with respect to some or all of the Covered Software due to
+statute, judicial order, or regulation then You must: (a) comply with
+the terms of this License to the maximum extent possible; and (b)
+describe the limitations and the code they affect. Such description must
+be placed in a text file included with all distributions of the Covered
+Software under this License. Except to the extent prohibited by statute
+or regulation, such description must be sufficiently detailed for a
+recipient of ordinary skill to be able to understand it.
+
+5. Termination
+--------------
+
+5.1. The rights granted under this License will terminate automatically
+if You fail to comply with any of its terms. However, if You become
+compliant, then the rights granted under this License from a particular
+Contributor are reinstated (a) provisionally, unless and until such
+Contributor explicitly and finally terminates Your grants, and (b) on an
+ongoing basis, if such Contributor fails to notify You of the
+non-compliance by some reasonable means prior to 60 days after You have
+come back into compliance. Moreover, Your grants from a particular
+Contributor are reinstated on an ongoing basis if such Contributor
+notifies You of the non-compliance by some reasonable means, this is the
+first time You have received notice of non-compliance with this License
+from such Contributor, and You become compliant prior to 30 days after
+Your receipt of the notice.
+
+5.2. If You initiate litigation against any entity by asserting a patent
+infringement claim (excluding declaratory judgment actions,
+counter-claims, and cross-claims) alleging that a Contributor Version
+directly or indirectly infringes any patent, then the rights granted to
+You by any and all Contributors for the Covered Software under Section
+2.1 of this License shall terminate.
+
+5.3. In the event of termination under Sections 5.1 or 5.2 above, all
+end user license agreements (excluding distributors and resellers) which
+have been validly granted by You or Your distributors under this License
+prior to termination shall survive termination.
+
+************************************************************************
+*                                                                      *
+*  6. Disclaimer of Warranty                                           *
+*  -------------------------                                           *
+*                                                                      *
+*  Covered Software is provided under this License on an "as is"       *
+*  basis, without warranty of any kind, either expressed, implied, or  *
+*  statutory, including, without limitation, warranties that the       *
+*  Covered Software is free of defects, merchantable, fit for a        *
+*  particular purpose or non-infringing. The entire risk as to the     *
+*  quality and performance of the Covered Software is with You.        *
+*  Should any Covered Software prove defective in any respect, You     *
+*  (not any Contributor) assume the cost of any necessary servicing,   *
+*  repair, or correction. This disclaimer of warranty constitutes an   *
+*  essential part of this License. No use of any Covered Software is   *
+*  authorized under this License except under this disclaimer.         *
+*                                                                      *
+************************************************************************
+
+************************************************************************
+*                                                                      *
+*  7. Limitation of Liability                                          *
+*  --------------------------                                          *
+*                                                                      *
+*  Under no circumstances and under no legal theory, whether tort      *
+*  (including negligence), contract, or otherwise, shall any           *
+*  Contributor, or anyone who distributes Covered Software as          *
+*  permitted above, be liable to You for any direct, indirect,         *
+*  special, incidental, or consequential damages of any character      *
+*  including, without limitation, damages for lost profits, loss of    *
+*  goodwill, work stoppage, computer failure or malfunction, or any    *
+*  and all other commercial damages or losses, even if such party      *
+*  shall have been informed of the possibility of such damages. This   *
+*  limitation of liability shall not apply to liability for death or   *
+*  personal injury resulting from such party's negligence to the       *
+*  extent applicable law prohibits such limitation. Some               *
+*  jurisdictions do not allow the exclusion or limitation of           *
+*  incidental or consequential damages, so this exclusion and          *
+*  limitation may not apply to You.                                    *
+*                                                                      *
+************************************************************************
+
+8. Litigation
+-------------
+
+Any litigation relating to this License may be brought only in the
+courts of a jurisdiction where the defendant maintains its principal
+place of business and such litigation shall be governed by laws of that
+jurisdiction, without reference to its conflict-of-law provisions.
+Nothing in this Section shall prevent a party's ability to bring
+cross-claims or counter-claims.
+
+9. Miscellaneous
+----------------
+
+This License represents the complete agreement concerning the subject
+matter hereof. If any provision of this License is held to be
+unenforceable, such provision shall be reformed only to the extent
+necessary to make it enforceable. Any law or regulation which provides
+that the language of a contract shall be construed against the drafter
+shall not be used to construe this License against a Contributor.
+
+10. Versions of the License
+---------------------------
+
+10.1. New Versions
+
+Mozilla Foundation is the license steward. Except as provided in Section
+10.3, no one other than the license steward has the right to modify or
+publish new versions of this License. Each version will be given a
+distinguishing version number.
+
+10.2. Effect of New Versions
+
+You may distribute the Covered Software under the terms of the version
+of the License under which You originally received the Covered Software,
+or under the terms of any subsequent version published by the license
+steward.
+
+10.3. Modified Versions
+
+If you create software not governed by this License, and you want to
+create a new license for such software, you may create and use a
+modified version of this License if you rename the license and remove
+any references to the name of the license steward (except to note that
+such modified license differs from this License).
+
+10.4. Distributing Source Code Form that is Incompatible With Secondary
+Licenses
+
+If You choose to distribute Source Code Form that is Incompatible With
+Secondary Licenses under the terms of this version of the License, the
+notice described in Exhibit B of this License must be attached.
+
+Exhibit A - Source Code Form License Notice
+-------------------------------------------
+
+  This Source Code Form is subject to the terms of the Mozilla Public
+  License, v. 2.0. If a copy of the MPL was not distributed with this
+  file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+If it is not possible or desirable to put the notice in a particular
+file, then You may include the notice in a location (such as a LICENSE
+file in a relevant directory) where a recipient would be likely to look
+for such a notice.
+
+You may add additional accurate notices of copyright ownership.
diff --git a/README.md b/README.md
new file mode 100644
--- /dev/null
+++ b/README.md
@@ -0,0 +1,45 @@
+# Amazon Secrets Manager SDK
+
+* [Version](#version)
+* [Description](#description)
+* [Contribute](#contribute)
+* [Licence](#licence)
+
+
+## Version
+
+`1.6.0`
+
+
+## Description
+
+Documentation is available via [Hackage](http://hackage.haskell.org/package/amazonka-secretsmanager)
+and the [AWS API Reference](https://aws.amazon.com/documentation/).
+
+The types from this library are intended to be used with [amazonka](http://hackage.haskell.org/package/amazonka),
+which provides mechanisms for specifying AuthN/AuthZ information, sending requests,
+and receiving responses.
+
+Lenses are used for constructing and manipulating types,
+due to the depth of nesting of AWS types and transparency regarding
+de/serialisation into more palatable Haskell values.
+The provided lenses should be compatible with any of the major lens libraries
+[lens](http://hackage.haskell.org/package/lens) or [lens-family-core](http://hackage.haskell.org/package/lens-family-core).
+
+See [Network.AWS.SecretsManager](http://hackage.haskell.org/package/amazonka-secretsmanager/docs/Network-AWS-SecretsManager.html)
+or [the AWS documentation](https://aws.amazon.com/documentation/) to get started.
+
+
+## Contribute
+
+For any problems, comments, or feedback please create an issue [here on GitHub](https://github.com/brendanhay/amazonka/issues).
+
+> _Note:_ this library is an auto-generated Haskell package. Please see `amazonka-gen` for more information.
+
+
+## Licence
+
+`amazonka-secretsmanager` is released under the [Mozilla Public License Version 2.0](http://www.mozilla.org/MPL/).
+
+Parts of the code are derived from AWS service descriptions, licensed under Apache 2.0.
+Source files subject to this contain an additional licensing clause in their header.
diff --git a/Setup.hs b/Setup.hs
new file mode 100644
--- /dev/null
+++ b/Setup.hs
@@ -0,0 +1,2 @@
+import           Distribution.Simple
+main = defaultMain
diff --git a/amazonka-secretsmanager.cabal b/amazonka-secretsmanager.cabal
new file mode 100644
--- /dev/null
+++ b/amazonka-secretsmanager.cabal
@@ -0,0 +1,100 @@
+name:                  amazonka-secretsmanager
+version:               1.6.0
+synopsis:              Amazon Secrets Manager SDK.
+homepage:              https://github.com/brendanhay/amazonka
+bug-reports:           https://github.com/brendanhay/amazonka/issues
+license:               MPL-2.0
+license-file:          LICENSE
+author:                Brendan Hay
+maintainer:            Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+copyright:             Copyright (c) 2013-2018 Brendan Hay
+category:              Network, AWS, Cloud, Distributed Computing
+build-type:            Simple
+cabal-version:         >= 1.10
+extra-source-files:    README.md fixture/*.yaml fixture/*.proto src/.gitkeep
+description:
+    The types from this library are intended to be used with
+    <http://hackage.haskell.org/package/amazonka amazonka>, which provides
+    mechanisms for specifying AuthN/AuthZ information, sending requests,
+    and receiving responses.
+    .
+    Lenses are used for constructing and manipulating types,
+    due to the depth of nesting of AWS types and transparency regarding
+    de/serialisation into more palatable Haskell values.
+    The provided lenses should be compatible with any of the major lens libraries
+    such as <http://hackage.haskell.org/package/lens lens> or
+    <http://hackage.haskell.org/package/lens-family-core lens-family-core>.
+    .
+    See "Network.AWS.SecretsManager" or <https://aws.amazon.com/documentation/ the AWS documentation>
+    to get started.
+
+source-repository head
+    type:              git
+    location:          git://github.com/brendanhay/amazonka.git
+    subdir:            amazonka-secretsmanager
+
+library
+    default-language:  Haskell2010
+    hs-source-dirs:    src gen
+
+    ghc-options:
+        -Wall
+        -fwarn-incomplete-uni-patterns
+        -fwarn-incomplete-record-updates
+        -funbox-strict-fields
+
+    exposed-modules:
+          Network.AWS.SecretsManager
+        , Network.AWS.SecretsManager.CancelRotateSecret
+        , Network.AWS.SecretsManager.CreateSecret
+        , Network.AWS.SecretsManager.DeleteSecret
+        , Network.AWS.SecretsManager.DescribeSecret
+        , Network.AWS.SecretsManager.GetRandomPassword
+        , Network.AWS.SecretsManager.GetSecretValue
+        , Network.AWS.SecretsManager.ListSecretVersionIds
+        , Network.AWS.SecretsManager.ListSecrets
+        , Network.AWS.SecretsManager.PutSecretValue
+        , Network.AWS.SecretsManager.RestoreSecret
+        , Network.AWS.SecretsManager.RotateSecret
+        , Network.AWS.SecretsManager.TagResource
+        , Network.AWS.SecretsManager.Types
+        , Network.AWS.SecretsManager.UntagResource
+        , Network.AWS.SecretsManager.UpdateSecret
+        , Network.AWS.SecretsManager.UpdateSecretVersionStage
+        , Network.AWS.SecretsManager.Waiters
+
+    other-modules:
+          Network.AWS.SecretsManager.Types.Product
+        , Network.AWS.SecretsManager.Types.Sum
+
+    build-depends:
+          amazonka-core == 1.6.0.*
+        , base          >= 4.7     && < 5
+
+test-suite amazonka-secretsmanager-test
+    type:              exitcode-stdio-1.0
+    default-language:  Haskell2010
+    hs-source-dirs:    test
+    main-is:           Main.hs
+
+    ghc-options:       -Wall -threaded
+
+    -- This section is encoded by the template and any modules added by
+    -- hand outside these namespaces will not correctly be added to the
+    -- distribution package.
+    other-modules:
+          Test.AWS.SecretsManager
+        , Test.AWS.Gen.SecretsManager
+        , Test.AWS.SecretsManager.Internal
+
+    build-depends:
+          amazonka-core == 1.6.0.*
+        , amazonka-test == 1.6.0.*
+        , amazonka-secretsmanager
+        , base
+        , bytestring
+        , tasty
+        , tasty-hunit
+        , text
+        , time
+        , unordered-containers
diff --git a/fixture/CancelRotateSecret.yaml b/fixture/CancelRotateSecret.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/CancelRotateSecret.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/CancelRotateSecretResponse.proto b/fixture/CancelRotateSecretResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/CancelRotateSecretResponse.proto
diff --git a/fixture/CreateSecret.yaml b/fixture/CreateSecret.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/CreateSecret.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/CreateSecretResponse.proto b/fixture/CreateSecretResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/CreateSecretResponse.proto
diff --git a/fixture/DeleteSecret.yaml b/fixture/DeleteSecret.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DeleteSecret.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DeleteSecretResponse.proto b/fixture/DeleteSecretResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DeleteSecretResponse.proto
diff --git a/fixture/DescribeSecret.yaml b/fixture/DescribeSecret.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeSecret.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/DescribeSecretResponse.proto b/fixture/DescribeSecretResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/DescribeSecretResponse.proto
diff --git a/fixture/GetRandomPassword.yaml b/fixture/GetRandomPassword.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/GetRandomPassword.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/GetRandomPasswordResponse.proto b/fixture/GetRandomPasswordResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/GetRandomPasswordResponse.proto
diff --git a/fixture/GetSecretValue.yaml b/fixture/GetSecretValue.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/GetSecretValue.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/GetSecretValueResponse.proto b/fixture/GetSecretValueResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/GetSecretValueResponse.proto
diff --git a/fixture/ListSecretVersionIds.yaml b/fixture/ListSecretVersionIds.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/ListSecretVersionIds.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/ListSecretVersionIdsResponse.proto b/fixture/ListSecretVersionIdsResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/ListSecretVersionIdsResponse.proto
diff --git a/fixture/ListSecrets.yaml b/fixture/ListSecrets.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/ListSecrets.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/ListSecretsResponse.proto b/fixture/ListSecretsResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/ListSecretsResponse.proto
diff --git a/fixture/PutSecretValue.yaml b/fixture/PutSecretValue.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/PutSecretValue.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/PutSecretValueResponse.proto b/fixture/PutSecretValueResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/PutSecretValueResponse.proto
diff --git a/fixture/RestoreSecret.yaml b/fixture/RestoreSecret.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/RestoreSecret.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/RestoreSecretResponse.proto b/fixture/RestoreSecretResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/RestoreSecretResponse.proto
diff --git a/fixture/RotateSecret.yaml b/fixture/RotateSecret.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/RotateSecret.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/RotateSecretResponse.proto b/fixture/RotateSecretResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/RotateSecretResponse.proto
diff --git a/fixture/TagResource.yaml b/fixture/TagResource.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/TagResource.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/TagResourceResponse.proto b/fixture/TagResourceResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/TagResourceResponse.proto
diff --git a/fixture/UntagResource.yaml b/fixture/UntagResource.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UntagResource.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UntagResourceResponse.proto b/fixture/UntagResourceResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UntagResourceResponse.proto
diff --git a/fixture/UpdateSecret.yaml b/fixture/UpdateSecret.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateSecret.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UpdateSecretResponse.proto b/fixture/UpdateSecretResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateSecretResponse.proto
diff --git a/fixture/UpdateSecretVersionStage.yaml b/fixture/UpdateSecretVersionStage.yaml
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateSecretVersionStage.yaml
@@ -0,0 +1,10 @@
+---
+method: POST
+headers:
+  Authorization:         AWS4-HMAC-SHA256 Credential=access/20091028/us-east-1/secretsmanager/aws4_request, SignedHeaders=content-type;host;x-amz-content-sha256;x-amz-date, Signature=?
+  Host:                  secretsmanager.us-east-1.amazonaws.com
+  Content-Type:          application/x-www-form-urlencoded; charset=utf-8
+  X-Amz-Content-SHA256:  abcdef
+  X-Amz-Date:            20091028T223200Z
+body:
+  ''
diff --git a/fixture/UpdateSecretVersionStageResponse.proto b/fixture/UpdateSecretVersionStageResponse.proto
new file mode 100644
--- /dev/null
+++ b/fixture/UpdateSecretVersionStageResponse.proto
diff --git a/gen/Network/AWS/SecretsManager.hs b/gen/Network/AWS/SecretsManager.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager.hs
@@ -0,0 +1,214 @@
+{-# OPTIONS_GHC -fno-warn-unused-imports    #-}
+{-# OPTIONS_GHC -fno-warn-duplicate-exports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- __AWS Secrets Manager API Reference__
+--
+-- AWS Secrets Manager is a web service that enables you to store, manage, and retrieve, secrets.
+--
+-- This guide provides descriptions of the Secrets Manager API. For more information about using this service, see the <http://docs.aws.amazon.com/secretsmanager/latest/userguide/introduction.html AWS Secrets Manager User Guide> .
+--
+-- __API Version__
+--
+-- This version of the Secrets Manager API Reference documents the Secrets Manager API version 2017-10-17.
+--
+-- We recommend that you use the AWS SDKs to make programmatic API calls to Secrets Manager. However, you also can use the Secrets Manager HTTP Query API to make direct calls to the Secrets Manager web service. To learn more about the Secrets Manager HTTP Query API, see <http://docs.aws.amazon.com/secretsmanager/latest/userguide/query-requests.html Making Query Requests> in the /AWS Secrets Manager User Guide/ .
+--
+-- Secrets Manager supports GET and POST requests for all actions. That is, the API doesn't require you to use GET for some actions and POST for others. However, GET requests are subject to the limitation size of a URL. Therefore, for operations that require larger sizes, use a POST request.
+--
+-- __Support and Feedback for AWS Secrets Manager__
+--
+-- We welcome your feedback. Send your comments to <mailto:awssecretsmanager-feedback@amazon.com awssecretsmanager-feedback@amazon.com> , or post your feedback and questions in the <http://forums.aws.amazon.com/forum.jspa?forumID=296 AWS Secrets Manager Discussion Forum> . For more information about the AWS Discussion Forums, see <http://forums.aws.amazon.com/help.jspa Forums Help> .
+--
+-- __How examples are presented__
+--
+-- The JSON that AWS Secrets Manager expects as your request parameters and that the service returns as a response to HTTP query requests are single, long strings without line breaks or white space formatting. The JSON shown in the examples is formatted with both line breaks and white space to improve readability. When example input parameters would also result in long strings that extend beyond the screen, we insert line breaks to enhance readability. You should always submit the input as a single JSON text string.
+--
+-- __Logging API Requests__
+--
+-- AWS Secrets Manager supports AWS CloudTrail, a service that records AWS API calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information that's collected by AWS CloudTrail, you can determine which requests were successfully made to Secrets Manager, who made the request, when it was made, and so on. For more about AWS Secrets Manager and its support for AWS CloudTrail, see <http://docs.aws.amazon.com/secretsmanager/latest/userguide/monitoring.html#monitoring_cloudtrail Logging AWS Secrets Manager Events with AWS CloudTrail> in the /AWS Secrets Manager User Guide/ . To learn more about CloudTrail, including how to turn it on and find your log files, see the <http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html AWS CloudTrail User Guide> .
+--
+module Network.AWS.SecretsManager
+    (
+    -- * Service Configuration
+      secretsManager
+
+    -- * Errors
+    -- $errors
+
+    -- ** MalformedPolicyDocumentException
+    , _MalformedPolicyDocumentException
+
+    -- ** InvalidParameterException
+    , _InvalidParameterException
+
+    -- ** InvalidRequestException
+    , _InvalidRequestException
+
+    -- ** DecryptionFailure
+    , _DecryptionFailure
+
+    -- ** EncryptionFailure
+    , _EncryptionFailure
+
+    -- ** InvalidNextTokenException
+    , _InvalidNextTokenException
+
+    -- ** InternalServiceError
+    , _InternalServiceError
+
+    -- ** ResourceExistsException
+    , _ResourceExistsException
+
+    -- ** ResourceNotFoundException
+    , _ResourceNotFoundException
+
+    -- ** LimitExceededException
+    , _LimitExceededException
+
+    -- * Waiters
+    -- $waiters
+
+    -- * Operations
+    -- $operations
+
+    -- ** DeleteSecret
+    , module Network.AWS.SecretsManager.DeleteSecret
+
+    -- ** ListSecrets
+    , module Network.AWS.SecretsManager.ListSecrets
+
+    -- ** UpdateSecret
+    , module Network.AWS.SecretsManager.UpdateSecret
+
+    -- ** RotateSecret
+    , module Network.AWS.SecretsManager.RotateSecret
+
+    -- ** CreateSecret
+    , module Network.AWS.SecretsManager.CreateSecret
+
+    -- ** GetSecretValue
+    , module Network.AWS.SecretsManager.GetSecretValue
+
+    -- ** DescribeSecret
+    , module Network.AWS.SecretsManager.DescribeSecret
+
+    -- ** RestoreSecret
+    , module Network.AWS.SecretsManager.RestoreSecret
+
+    -- ** CancelRotateSecret
+    , module Network.AWS.SecretsManager.CancelRotateSecret
+
+    -- ** PutSecretValue
+    , module Network.AWS.SecretsManager.PutSecretValue
+
+    -- ** GetRandomPassword
+    , module Network.AWS.SecretsManager.GetRandomPassword
+
+    -- ** ListSecretVersionIds
+    , module Network.AWS.SecretsManager.ListSecretVersionIds
+
+    -- ** TagResource
+    , module Network.AWS.SecretsManager.TagResource
+
+    -- ** UntagResource
+    , module Network.AWS.SecretsManager.UntagResource
+
+    -- ** UpdateSecretVersionStage
+    , module Network.AWS.SecretsManager.UpdateSecretVersionStage
+
+    -- * Types
+
+    -- ** RotationRulesType
+    , RotationRulesType
+    , rotationRulesType
+    , rrtAutomaticallyAfterDays
+
+    -- ** SecretListEntry
+    , SecretListEntry
+    , secretListEntry
+    , sleLastChangedDate
+    , sleARN
+    , sleSecretVersionsToStages
+    , sleRotationRules
+    , sleDeletedDate
+    , sleRotationEnabled
+    , sleKMSKeyId
+    , sleName
+    , sleLastRotatedDate
+    , sleLastAccessedDate
+    , sleDescription
+    , sleRotationLambdaARN
+    , sleTags
+
+    -- ** SecretVersionsListEntry
+    , SecretVersionsListEntry
+    , secretVersionsListEntry
+    , svleVersionId
+    , svleVersionStages
+    , svleCreatedDate
+    , svleLastAccessedDate
+
+    -- ** Tag
+    , Tag
+    , tag
+    , tagValue
+    , tagKey
+    ) where
+
+import Network.AWS.SecretsManager.CancelRotateSecret
+import Network.AWS.SecretsManager.CreateSecret
+import Network.AWS.SecretsManager.DeleteSecret
+import Network.AWS.SecretsManager.DescribeSecret
+import Network.AWS.SecretsManager.GetRandomPassword
+import Network.AWS.SecretsManager.GetSecretValue
+import Network.AWS.SecretsManager.ListSecrets
+import Network.AWS.SecretsManager.ListSecretVersionIds
+import Network.AWS.SecretsManager.PutSecretValue
+import Network.AWS.SecretsManager.RestoreSecret
+import Network.AWS.SecretsManager.RotateSecret
+import Network.AWS.SecretsManager.TagResource
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.UntagResource
+import Network.AWS.SecretsManager.UpdateSecret
+import Network.AWS.SecretsManager.UpdateSecretVersionStage
+import Network.AWS.SecretsManager.Waiters
+
+{- $errors
+Error matchers are designed for use with the functions provided by
+<http://hackage.haskell.org/package/lens/docs/Control-Exception-Lens.html Control.Exception.Lens>.
+This allows catching (and rethrowing) service specific errors returned
+by 'SecretsManager'.
+-}
+
+{- $operations
+Some AWS operations return results that are incomplete and require subsequent
+requests in order to obtain the entire result set. The process of sending
+subsequent requests to continue where a previous request left off is called
+pagination. For example, the 'ListObjects' operation of Amazon S3 returns up to
+1000 objects at a time, and you must send subsequent requests with the
+appropriate Marker in order to retrieve the next page of results.
+
+Operations that have an 'AWSPager' instance can transparently perform subsequent
+requests, correctly setting Markers and other request facets to iterate through
+the entire result set of a truncated API operation. Operations which support
+this have an additional note in the documentation.
+
+Many operations have the ability to filter results on the server side. See the
+individual operation parameters for details.
+-}
+
+{- $waiters
+Waiters poll by repeatedly sending a request until some remote success condition
+configured by the 'Wait' specification is fulfilled. The 'Wait' specification
+determines how many attempts should be made, in addition to delay and retry strategies.
+-}
diff --git a/gen/Network/AWS/SecretsManager/CancelRotateSecret.hs b/gen/Network/AWS/SecretsManager/CancelRotateSecret.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/CancelRotateSecret.hs
@@ -0,0 +1,186 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.CancelRotateSecret
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Disables automatic scheduled rotation and cancels the rotation of a secret if one is currently in progress.
+--
+--
+-- To re-enable scheduled rotation, call 'RotateSecret' with @AutomaticallyRotateAfterDays@ set to a value greater than 0. This will immediately rotate your secret and then enable the automatic schedule.
+--
+-- To successfully start a rotation, the staging label @AWSPENDING@ must be in one of the following states:
+--
+--     * Not be attached to any version at all
+--
+--     * Attached to the same version as the staging label @AWSCURRENT@
+--
+--
+--
+-- If the staging label @AWSPENDING@ is attached to a different version than the version with @AWSCURRENT@ then the attempt to rotate fails.
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:CancelRotateSecret
+--
+--
+--
+-- __Related operations__
+--
+--     * To configure rotation for a secret or to manually trigger a rotation, use 'RotateSecret' .
+--
+--     * To get the rotation configuration details for a secret, use 'DescribeSecret' .
+--
+--     * To list all of the currently available secrets, use 'ListSecrets' .
+--
+--     * To list all of the versions currently associated with a secret, use 'ListSecretVersionIds' .
+--
+--
+--
+module Network.AWS.SecretsManager.CancelRotateSecret
+    (
+    -- * Creating a Request
+      cancelRotateSecret
+    , CancelRotateSecret
+    -- * Request Lenses
+    , crsSecretId
+
+    -- * Destructuring the Response
+    , cancelRotateSecretResponse
+    , CancelRotateSecretResponse
+    -- * Response Lenses
+    , crsrsVersionId
+    , crsrsARN
+    , crsrsName
+    , crsrsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'cancelRotateSecret' smart constructor.
+newtype CancelRotateSecret = CancelRotateSecret'
+  { _crsSecretId :: Text
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'CancelRotateSecret' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'crsSecretId' - Specifies the secret for which you want to cancel a rotation request. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+cancelRotateSecret
+    :: Text -- ^ 'crsSecretId'
+    -> CancelRotateSecret
+cancelRotateSecret pSecretId_ = CancelRotateSecret' {_crsSecretId = pSecretId_}
+
+
+-- | Specifies the secret for which you want to cancel a rotation request. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+crsSecretId :: Lens' CancelRotateSecret Text
+crsSecretId = lens _crsSecretId (\ s a -> s{_crsSecretId = a})
+
+instance AWSRequest CancelRotateSecret where
+        type Rs CancelRotateSecret =
+             CancelRotateSecretResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 CancelRotateSecretResponse' <$>
+                   (x .?> "VersionId") <*> (x .?> "ARN") <*>
+                     (x .?> "Name")
+                     <*> (pure (fromEnum s)))
+
+instance Hashable CancelRotateSecret where
+
+instance NFData CancelRotateSecret where
+
+instance ToHeaders CancelRotateSecret where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.CancelRotateSecret" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON CancelRotateSecret where
+        toJSON CancelRotateSecret'{..}
+          = object
+              (catMaybes [Just ("SecretId" .= _crsSecretId)])
+
+instance ToPath CancelRotateSecret where
+        toPath = const "/"
+
+instance ToQuery CancelRotateSecret where
+        toQuery = const mempty
+
+-- | /See:/ 'cancelRotateSecretResponse' smart constructor.
+data CancelRotateSecretResponse = CancelRotateSecretResponse'
+  { _crsrsVersionId      :: !(Maybe Text)
+  , _crsrsARN            :: !(Maybe Text)
+  , _crsrsName           :: !(Maybe Text)
+  , _crsrsResponseStatus :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'CancelRotateSecretResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'crsrsVersionId' - The unique identifier of the version of the secret that was created during the rotation. This version might not be complete, and should be evaluated for possible deletion. At the very least, you should remove the @VersionStage@ value @AWSPENDING@ to enable this version to be deleted. Failing to clean up a cancelled rotation can block you from successfully starting future rotations.
+--
+-- * 'crsrsARN' - The ARN of the secret for which rotation was canceled.
+--
+-- * 'crsrsName' - The friendly name of the secret for which rotation was canceled.
+--
+-- * 'crsrsResponseStatus' - -- | The response status code.
+cancelRotateSecretResponse
+    :: Int -- ^ 'crsrsResponseStatus'
+    -> CancelRotateSecretResponse
+cancelRotateSecretResponse pResponseStatus_ =
+  CancelRotateSecretResponse'
+    { _crsrsVersionId = Nothing
+    , _crsrsARN = Nothing
+    , _crsrsName = Nothing
+    , _crsrsResponseStatus = pResponseStatus_
+    }
+
+
+-- | The unique identifier of the version of the secret that was created during the rotation. This version might not be complete, and should be evaluated for possible deletion. At the very least, you should remove the @VersionStage@ value @AWSPENDING@ to enable this version to be deleted. Failing to clean up a cancelled rotation can block you from successfully starting future rotations.
+crsrsVersionId :: Lens' CancelRotateSecretResponse (Maybe Text)
+crsrsVersionId = lens _crsrsVersionId (\ s a -> s{_crsrsVersionId = a})
+
+-- | The ARN of the secret for which rotation was canceled.
+crsrsARN :: Lens' CancelRotateSecretResponse (Maybe Text)
+crsrsARN = lens _crsrsARN (\ s a -> s{_crsrsARN = a})
+
+-- | The friendly name of the secret for which rotation was canceled.
+crsrsName :: Lens' CancelRotateSecretResponse (Maybe Text)
+crsrsName = lens _crsrsName (\ s a -> s{_crsrsName = a})
+
+-- | -- | The response status code.
+crsrsResponseStatus :: Lens' CancelRotateSecretResponse Int
+crsrsResponseStatus = lens _crsrsResponseStatus (\ s a -> s{_crsrsResponseStatus = a})
+
+instance NFData CancelRotateSecretResponse where
diff --git a/gen/Network/AWS/SecretsManager/CreateSecret.hs b/gen/Network/AWS/SecretsManager/CreateSecret.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/CreateSecret.hs
@@ -0,0 +1,250 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.CreateSecret
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Creates a new secret. A secret in Secrets Manager consists of both the protected secret data and the important information needed to manage the secret.
+--
+--
+-- Secrets Manager stores the encrypted secret data in one of a collection of "versions" associated with the secret. Each version contains a copy of the encrypted secret data. Each version is associated with one or more "staging labels" that identify where the version is in the rotation cycle. The @SecretVersionsToStages@ field of the secret contains the mapping of staging labels to the active versions of the secret. Versions without a staging label are considered deprecated and are not included in the list.
+--
+-- You provide the secret data to be encrypted by putting text in either the @SecretString@ parameter or binary data in the @SecretBinary@ parameter, but not both. If you include @SecretString@ or @SecretBinary@ then Secrets Manager also creates an initial secret version and automatically attaches the staging label @AWSCURRENT@ to the new version.
+--
+--
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:CreateSecret
+--
+--     * kms:GenerateDataKey - needed only if you use a customer-created KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.
+--
+--     * kms:Decrypt - needed only if you use a customer-created KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.
+--
+--
+--
+-- __Related operations__
+--
+--     * To delete a secret, use 'DeleteSecret' .
+--
+--     * To modify an existing secret, use 'UpdateSecret' .
+--
+--     * To create a new version of a secret, use 'PutSecretValue' .
+--
+--     * To retrieve the encrypted secure string and secure binary values, use 'GetSecretValue' .
+--
+--     * To retrieve all other details for a secret, use 'DescribeSecret' . This does not include the encrypted secure string and secure binary values.
+--
+--     * To retrieve the list of secret versions associated with the current secret, use 'DescribeSecret' and examine the @SecretVersionsToStages@ response value.
+--
+--
+--
+module Network.AWS.SecretsManager.CreateSecret
+    (
+    -- * Creating a Request
+      createSecret
+    , CreateSecret
+    -- * Request Lenses
+    , csSecretBinary
+    , csKMSKeyId
+    , csSecretString
+    , csClientRequestToken
+    , csDescription
+    , csTags
+    , csName
+
+    -- * Destructuring the Response
+    , createSecretResponse
+    , CreateSecretResponse
+    -- * Response Lenses
+    , csrsVersionId
+    , csrsARN
+    , csrsName
+    , csrsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'createSecret' smart constructor.
+data CreateSecret = CreateSecret'
+  { _csSecretBinary       :: !(Maybe (Sensitive Base64))
+  , _csKMSKeyId           :: !(Maybe Text)
+  , _csSecretString       :: !(Maybe (Sensitive Text))
+  , _csClientRequestToken :: !(Maybe Text)
+  , _csDescription        :: !(Maybe Text)
+  , _csTags               :: !(Maybe [Tag])
+  , _csName               :: !Text
+  } deriving (Eq, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'CreateSecret' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'csSecretBinary' - (Optional) Specifies binary data that you want to encrypt and store in the new version of the secret. To use this parameter in the command-line tools, we recommend that you store your binary data in a file and then use the appropriate technique for your tool to pass the contents of the file as a parameter. Either @SecretString@ or @SecretBinary@ must have a value, but not both. They cannot both be empty. This parameter is not available using the Secrets Manager console. It can be accessed only by using the AWS CLI or one of the AWS SDKs.-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This 'Lens' accepts and returns only raw unencoded data.
+--
+-- * 'csKMSKeyId' - (Optional) Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the @SecretString@ or @SecretBinary@ values in the versions stored in this secret. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default CMK (the one named @aws/secretsmanager@ ). If a KMS CMK with that name doesn't yet exist, then Secrets Manager creates it for you automatically the first time it needs to encrypt a version's @SecretString@ or @SecretBinary@ fields. /Important:/ You can use the account's default CMK to encrypt and decrypt only if you call this operation using credentials from the same account that owns the secret. If the secret is in a different account, then you must create a custom CMK and specify the ARN in this field.
+--
+-- * 'csSecretString' - (Optional) Specifies text data that you want to encrypt and store in this new version of the secret. Either @SecretString@ or @SecretBinary@ must have a value, but not both. They cannot both be empty. If you create a secret by using the Secrets Manager console then Secrets Manager puts the protected secret text in only the @SecretString@ parameter. The Secrets Manager console stores the information as a JSON structure of key/value pairs that the Lambda rotation function knows how to parse. For storing multiple values, we recommend that you use a JSON text string argument and specify key/value pairs. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ . For example: @[{"Key":"username","Value":"bob"},{"Key":"password","Value":"abc123xyz456"}]@  If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.
+--
+-- * 'csClientRequestToken' - (Optional) If you include @SecretString@ or @SecretBinary@ , then an initial version is created as part of the secret, and this parameter specifies a unique identifier for the new version.  This value helps ensure idempotency. Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during a rotation. We recommend that you generate a <https://wikipedia.org/wiki/Universally_unique_identifier UUID-type> value to ensure uniqueness of your versions within the specified secret.      * If the @ClientRequestToken@ value isn't already associated with a version of the secret then a new version of the secret is created.      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are the same as those in the request, then the request is ignored (the operation is idempotent).     * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are different from those in the request then the request fails because you cannot modify an existing version. Instead, use 'PutSecretValue' to create a new version. This value becomes the @SecretVersionId@ of the new version.
+--
+-- * 'csDescription' - (Optional) Specifies a user-provided description of the secret.
+--
+-- * 'csTags' - (Optional) Specifies a list of user-defined tags that are attached to the secret. Each tag is a "Key" and "Value" pair of strings. This operation only appends tags to the existing list of tags. To remove tags, you must use 'UntagResource' . /Important:/     * Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc".     * If you check tags in IAM policy @Condition@ elements as part of your security strategy, then adding or removing a tag can change permissions. If the successful completion of this operation would result in you losing your permissions for this secret, then this operation is blocked and returns an @Access Denied@ error. This parameter requires a JSON text string argument. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ . For example: @[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]@  If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.  The following basic restrictions apply to tags:     * Maximum number of tags per secret—50     * Maximum key length—127 Unicode characters in UTF-8     * Maximum value length—255 Unicode characters in UTF-8     * Tag keys and values are case sensitive.     * Do not use the @aws:@ prefix in your tag names or values because it is reserved for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.     * If your tagging schema will be used across multiple services and resources, remember that other services might have restrictions on allowed characters. Generally allowed characters are: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
+--
+-- * 'csName' - Specifies the friendly name of the new secret.
+createSecret
+    :: Text -- ^ 'csName'
+    -> CreateSecret
+createSecret pName_ =
+  CreateSecret'
+    { _csSecretBinary = Nothing
+    , _csKMSKeyId = Nothing
+    , _csSecretString = Nothing
+    , _csClientRequestToken = Nothing
+    , _csDescription = Nothing
+    , _csTags = Nothing
+    , _csName = pName_
+    }
+
+
+-- | (Optional) Specifies binary data that you want to encrypt and store in the new version of the secret. To use this parameter in the command-line tools, we recommend that you store your binary data in a file and then use the appropriate technique for your tool to pass the contents of the file as a parameter. Either @SecretString@ or @SecretBinary@ must have a value, but not both. They cannot both be empty. This parameter is not available using the Secrets Manager console. It can be accessed only by using the AWS CLI or one of the AWS SDKs.-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This 'Lens' accepts and returns only raw unencoded data.
+csSecretBinary :: Lens' CreateSecret (Maybe ByteString)
+csSecretBinary = lens _csSecretBinary (\ s a -> s{_csSecretBinary = a}) . mapping (_Sensitive . _Base64)
+
+-- | (Optional) Specifies the ARN or alias of the AWS KMS customer master key (CMK) to be used to encrypt the @SecretString@ or @SecretBinary@ values in the versions stored in this secret. If you don't specify this value, then Secrets Manager defaults to using the AWS account's default CMK (the one named @aws/secretsmanager@ ). If a KMS CMK with that name doesn't yet exist, then Secrets Manager creates it for you automatically the first time it needs to encrypt a version's @SecretString@ or @SecretBinary@ fields. /Important:/ You can use the account's default CMK to encrypt and decrypt only if you call this operation using credentials from the same account that owns the secret. If the secret is in a different account, then you must create a custom CMK and specify the ARN in this field.
+csKMSKeyId :: Lens' CreateSecret (Maybe Text)
+csKMSKeyId = lens _csKMSKeyId (\ s a -> s{_csKMSKeyId = a})
+
+-- | (Optional) Specifies text data that you want to encrypt and store in this new version of the secret. Either @SecretString@ or @SecretBinary@ must have a value, but not both. They cannot both be empty. If you create a secret by using the Secrets Manager console then Secrets Manager puts the protected secret text in only the @SecretString@ parameter. The Secrets Manager console stores the information as a JSON structure of key/value pairs that the Lambda rotation function knows how to parse. For storing multiple values, we recommend that you use a JSON text string argument and specify key/value pairs. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ . For example: @[{"Key":"username","Value":"bob"},{"Key":"password","Value":"abc123xyz456"}]@  If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.
+csSecretString :: Lens' CreateSecret (Maybe Text)
+csSecretString = lens _csSecretString (\ s a -> s{_csSecretString = a}) . mapping _Sensitive
+
+-- | (Optional) If you include @SecretString@ or @SecretBinary@ , then an initial version is created as part of the secret, and this parameter specifies a unique identifier for the new version.  This value helps ensure idempotency. Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during a rotation. We recommend that you generate a <https://wikipedia.org/wiki/Universally_unique_identifier UUID-type> value to ensure uniqueness of your versions within the specified secret.      * If the @ClientRequestToken@ value isn't already associated with a version of the secret then a new version of the secret is created.      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are the same as those in the request, then the request is ignored (the operation is idempotent).     * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are different from those in the request then the request fails because you cannot modify an existing version. Instead, use 'PutSecretValue' to create a new version. This value becomes the @SecretVersionId@ of the new version.
+csClientRequestToken :: Lens' CreateSecret (Maybe Text)
+csClientRequestToken = lens _csClientRequestToken (\ s a -> s{_csClientRequestToken = a})
+
+-- | (Optional) Specifies a user-provided description of the secret.
+csDescription :: Lens' CreateSecret (Maybe Text)
+csDescription = lens _csDescription (\ s a -> s{_csDescription = a})
+
+-- | (Optional) Specifies a list of user-defined tags that are attached to the secret. Each tag is a "Key" and "Value" pair of strings. This operation only appends tags to the existing list of tags. To remove tags, you must use 'UntagResource' . /Important:/     * Secrets Manager tag key names are case sensitive. A tag with the key "ABC" is a different tag from one with key "abc".     * If you check tags in IAM policy @Condition@ elements as part of your security strategy, then adding or removing a tag can change permissions. If the successful completion of this operation would result in you losing your permissions for this secret, then this operation is blocked and returns an @Access Denied@ error. This parameter requires a JSON text string argument. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ . For example: @[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]@  If your command-line tool or SDK requires quotation marks around the parameter, you should use single quotes to avoid confusion with the double quotes required in the JSON text.  The following basic restrictions apply to tags:     * Maximum number of tags per secret—50     * Maximum key length—127 Unicode characters in UTF-8     * Maximum value length—255 Unicode characters in UTF-8     * Tag keys and values are case sensitive.     * Do not use the @aws:@ prefix in your tag names or values because it is reserved for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.     * If your tagging schema will be used across multiple services and resources, remember that other services might have restrictions on allowed characters. Generally allowed characters are: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
+csTags :: Lens' CreateSecret [Tag]
+csTags = lens _csTags (\ s a -> s{_csTags = a}) . _Default . _Coerce
+
+-- | Specifies the friendly name of the new secret.
+csName :: Lens' CreateSecret Text
+csName = lens _csName (\ s a -> s{_csName = a})
+
+instance AWSRequest CreateSecret where
+        type Rs CreateSecret = CreateSecretResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 CreateSecretResponse' <$>
+                   (x .?> "VersionId") <*> (x .?> "ARN") <*>
+                     (x .?> "Name")
+                     <*> (pure (fromEnum s)))
+
+instance Hashable CreateSecret where
+
+instance NFData CreateSecret where
+
+instance ToHeaders CreateSecret where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.CreateSecret" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON CreateSecret where
+        toJSON CreateSecret'{..}
+          = object
+              (catMaybes
+                 [("SecretBinary" .=) <$> _csSecretBinary,
+                  ("KmsKeyId" .=) <$> _csKMSKeyId,
+                  ("SecretString" .=) <$> _csSecretString,
+                  ("ClientRequestToken" .=) <$> _csClientRequestToken,
+                  ("Description" .=) <$> _csDescription,
+                  ("Tags" .=) <$> _csTags, Just ("Name" .= _csName)])
+
+instance ToPath CreateSecret where
+        toPath = const "/"
+
+instance ToQuery CreateSecret where
+        toQuery = const mempty
+
+-- | /See:/ 'createSecretResponse' smart constructor.
+data CreateSecretResponse = CreateSecretResponse'
+  { _csrsVersionId      :: !(Maybe Text)
+  , _csrsARN            :: !(Maybe Text)
+  , _csrsName           :: !(Maybe Text)
+  , _csrsResponseStatus :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'CreateSecretResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'csrsVersionId' - The unique identifier that's associated with the version of the secret you just created.
+--
+-- * 'csrsARN' - The Amazon Resource Name (ARN) of the secret that you just created.
+--
+-- * 'csrsName' - The friendly name of the secret that you just created.
+--
+-- * 'csrsResponseStatus' - -- | The response status code.
+createSecretResponse
+    :: Int -- ^ 'csrsResponseStatus'
+    -> CreateSecretResponse
+createSecretResponse pResponseStatus_ =
+  CreateSecretResponse'
+    { _csrsVersionId = Nothing
+    , _csrsARN = Nothing
+    , _csrsName = Nothing
+    , _csrsResponseStatus = pResponseStatus_
+    }
+
+
+-- | The unique identifier that's associated with the version of the secret you just created.
+csrsVersionId :: Lens' CreateSecretResponse (Maybe Text)
+csrsVersionId = lens _csrsVersionId (\ s a -> s{_csrsVersionId = a})
+
+-- | The Amazon Resource Name (ARN) of the secret that you just created.
+csrsARN :: Lens' CreateSecretResponse (Maybe Text)
+csrsARN = lens _csrsARN (\ s a -> s{_csrsARN = a})
+
+-- | The friendly name of the secret that you just created.
+csrsName :: Lens' CreateSecretResponse (Maybe Text)
+csrsName = lens _csrsName (\ s a -> s{_csrsName = a})
+
+-- | -- | The response status code.
+csrsResponseStatus :: Lens' CreateSecretResponse Int
+csrsResponseStatus = lens _csrsResponseStatus (\ s a -> s{_csrsResponseStatus = a})
+
+instance NFData CreateSecretResponse where
diff --git a/gen/Network/AWS/SecretsManager/DeleteSecret.hs b/gen/Network/AWS/SecretsManager/DeleteSecret.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/DeleteSecret.hs
@@ -0,0 +1,185 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.DeleteSecret
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Deletes an entire secret and all of its versions. You can optionally include a recovery window during which you can restore the secret. If you don't specify a recovery window value, the operation defaults to 30 days. Secrets Manager attaches a @DeletionDate@ stamp to the secret that specifies the end of the recovery window. At the end of the recovery window, Secrets Manager deletes the secret permanently.
+--
+--
+-- At any time before recovery window ends, you can use 'RestoreSecret' to remove the @DeletionDate@ and cancel the deletion of the secret.
+--
+-- You cannot access the encrypted secret information in any secret that is scheduled for deletion. If you need to access that information, you must cancel the deletion with 'RestoreSecret' and then retrieve the information.
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:DeleteSecret
+--
+--
+--
+-- __Related operations__
+--
+--     * To create a secret, use 'CreateSecret' .
+--
+--     * To cancel deletion of a version of a secret before the recovery window has expired, use 'RestoreSecret' .
+--
+--
+--
+module Network.AWS.SecretsManager.DeleteSecret
+    (
+    -- * Creating a Request
+      deleteSecret
+    , DeleteSecret
+    -- * Request Lenses
+    , dsRecoveryWindowInDays
+    , dsSecretId
+
+    -- * Destructuring the Response
+    , deleteSecretResponse
+    , DeleteSecretResponse
+    -- * Response Lenses
+    , dsrsARN
+    , dsrsName
+    , dsrsDeletionDate
+    , dsrsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'deleteSecret' smart constructor.
+data DeleteSecret = DeleteSecret'
+  { _dsRecoveryWindowInDays :: !(Maybe Integer)
+  , _dsSecretId             :: !Text
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'DeleteSecret' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'dsRecoveryWindowInDays' - (Optional) Specifies the number of days that Secrets Manager waits before it can delete the secret. This value can range from 7 to 30 days. The default value is 30.
+--
+-- * 'dsSecretId' - Specifies the secret that you want to delete. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+deleteSecret
+    :: Text -- ^ 'dsSecretId'
+    -> DeleteSecret
+deleteSecret pSecretId_ =
+  DeleteSecret' {_dsRecoveryWindowInDays = Nothing, _dsSecretId = pSecretId_}
+
+
+-- | (Optional) Specifies the number of days that Secrets Manager waits before it can delete the secret. This value can range from 7 to 30 days. The default value is 30.
+dsRecoveryWindowInDays :: Lens' DeleteSecret (Maybe Integer)
+dsRecoveryWindowInDays = lens _dsRecoveryWindowInDays (\ s a -> s{_dsRecoveryWindowInDays = a})
+
+-- | Specifies the secret that you want to delete. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+dsSecretId :: Lens' DeleteSecret Text
+dsSecretId = lens _dsSecretId (\ s a -> s{_dsSecretId = a})
+
+instance AWSRequest DeleteSecret where
+        type Rs DeleteSecret = DeleteSecretResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 DeleteSecretResponse' <$>
+                   (x .?> "ARN") <*> (x .?> "Name") <*>
+                     (x .?> "DeletionDate")
+                     <*> (pure (fromEnum s)))
+
+instance Hashable DeleteSecret where
+
+instance NFData DeleteSecret where
+
+instance ToHeaders DeleteSecret where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.DeleteSecret" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON DeleteSecret where
+        toJSON DeleteSecret'{..}
+          = object
+              (catMaybes
+                 [("RecoveryWindowInDays" .=) <$>
+                    _dsRecoveryWindowInDays,
+                  Just ("SecretId" .= _dsSecretId)])
+
+instance ToPath DeleteSecret where
+        toPath = const "/"
+
+instance ToQuery DeleteSecret where
+        toQuery = const mempty
+
+-- | /See:/ 'deleteSecretResponse' smart constructor.
+data DeleteSecretResponse = DeleteSecretResponse'
+  { _dsrsARN            :: !(Maybe Text)
+  , _dsrsName           :: !(Maybe Text)
+  , _dsrsDeletionDate   :: !(Maybe POSIX)
+  , _dsrsResponseStatus :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'DeleteSecretResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'dsrsARN' - The ARN of the secret that is now scheduled for deletion.
+--
+-- * 'dsrsName' - The friendly name of the secret that is now scheduled for deletion.
+--
+-- * 'dsrsDeletionDate' - The date and time after which this secret can be deleted by Secrets Manager and can no longer be restored. This value is the date and time of the delete request plus the number of days specified in @RecoveryWindowInDays@ .
+--
+-- * 'dsrsResponseStatus' - -- | The response status code.
+deleteSecretResponse
+    :: Int -- ^ 'dsrsResponseStatus'
+    -> DeleteSecretResponse
+deleteSecretResponse pResponseStatus_ =
+  DeleteSecretResponse'
+    { _dsrsARN = Nothing
+    , _dsrsName = Nothing
+    , _dsrsDeletionDate = Nothing
+    , _dsrsResponseStatus = pResponseStatus_
+    }
+
+
+-- | The ARN of the secret that is now scheduled for deletion.
+dsrsARN :: Lens' DeleteSecretResponse (Maybe Text)
+dsrsARN = lens _dsrsARN (\ s a -> s{_dsrsARN = a})
+
+-- | The friendly name of the secret that is now scheduled for deletion.
+dsrsName :: Lens' DeleteSecretResponse (Maybe Text)
+dsrsName = lens _dsrsName (\ s a -> s{_dsrsName = a})
+
+-- | The date and time after which this secret can be deleted by Secrets Manager and can no longer be restored. This value is the date and time of the delete request plus the number of days specified in @RecoveryWindowInDays@ .
+dsrsDeletionDate :: Lens' DeleteSecretResponse (Maybe UTCTime)
+dsrsDeletionDate = lens _dsrsDeletionDate (\ s a -> s{_dsrsDeletionDate = a}) . mapping _Time
+
+-- | -- | The response status code.
+dsrsResponseStatus :: Lens' DeleteSecretResponse Int
+dsrsResponseStatus = lens _dsrsResponseStatus (\ s a -> s{_dsrsResponseStatus = a})
+
+instance NFData DeleteSecretResponse where
diff --git a/gen/Network/AWS/SecretsManager/DescribeSecret.hs b/gen/Network/AWS/SecretsManager/DescribeSecret.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/DescribeSecret.hs
@@ -0,0 +1,273 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.DescribeSecret
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Retrieves the details of a secret. It does not include the encrypted fields. Only those fields that are populated with a value are returned in the response.
+--
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:DescribeSecret
+--
+--
+--
+-- __Related operations__
+--
+--     * To create a secret, use 'CreateSecret' .
+--
+--     * To modify a secret, use 'UpdateSecret' .
+--
+--     * To retrieve the encrypted secret information in a version of the secret, use 'GetSecretValue' .
+--
+--     * To list all of the secrets in the AWS account, use 'ListSecrets' .
+--
+--
+--
+module Network.AWS.SecretsManager.DescribeSecret
+    (
+    -- * Creating a Request
+      describeSecret
+    , DescribeSecret
+    -- * Request Lenses
+    , dSecretId
+
+    -- * Destructuring the Response
+    , describeSecretResponse
+    , DescribeSecretResponse
+    -- * Response Lenses
+    , drsLastChangedDate
+    , drsARN
+    , drsRotationRules
+    , drsDeletedDate
+    , drsRotationEnabled
+    , drsKMSKeyId
+    , drsName
+    , drsVersionIdsToStages
+    , drsLastRotatedDate
+    , drsLastAccessedDate
+    , drsDescription
+    , drsRotationLambdaARN
+    , drsTags
+    , drsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'describeSecret' smart constructor.
+newtype DescribeSecret = DescribeSecret'
+  { _dSecretId :: Text
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'DescribeSecret' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'dSecretId' - The identifier of the secret whose details you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+describeSecret
+    :: Text -- ^ 'dSecretId'
+    -> DescribeSecret
+describeSecret pSecretId_ = DescribeSecret' {_dSecretId = pSecretId_}
+
+
+-- | The identifier of the secret whose details you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+dSecretId :: Lens' DescribeSecret Text
+dSecretId = lens _dSecretId (\ s a -> s{_dSecretId = a})
+
+instance AWSRequest DescribeSecret where
+        type Rs DescribeSecret = DescribeSecretResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 DescribeSecretResponse' <$>
+                   (x .?> "LastChangedDate") <*> (x .?> "ARN") <*>
+                     (x .?> "RotationRules")
+                     <*> (x .?> "DeletedDate")
+                     <*> (x .?> "RotationEnabled")
+                     <*> (x .?> "KmsKeyId")
+                     <*> (x .?> "Name")
+                     <*> (x .?> "VersionIdsToStages" .!@ mempty)
+                     <*> (x .?> "LastRotatedDate")
+                     <*> (x .?> "LastAccessedDate")
+                     <*> (x .?> "Description")
+                     <*> (x .?> "RotationLambdaARN")
+                     <*> (x .?> "Tags" .!@ mempty)
+                     <*> (pure (fromEnum s)))
+
+instance Hashable DescribeSecret where
+
+instance NFData DescribeSecret where
+
+instance ToHeaders DescribeSecret where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.DescribeSecret" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON DescribeSecret where
+        toJSON DescribeSecret'{..}
+          = object
+              (catMaybes [Just ("SecretId" .= _dSecretId)])
+
+instance ToPath DescribeSecret where
+        toPath = const "/"
+
+instance ToQuery DescribeSecret where
+        toQuery = const mempty
+
+-- | /See:/ 'describeSecretResponse' smart constructor.
+data DescribeSecretResponse = DescribeSecretResponse'
+  { _drsLastChangedDate    :: !(Maybe POSIX)
+  , _drsARN                :: !(Maybe Text)
+  , _drsRotationRules      :: !(Maybe RotationRulesType)
+  , _drsDeletedDate        :: !(Maybe POSIX)
+  , _drsRotationEnabled    :: !(Maybe Bool)
+  , _drsKMSKeyId           :: !(Maybe Text)
+  , _drsName               :: !(Maybe Text)
+  , _drsVersionIdsToStages :: !(Maybe (Map Text (List1 Text)))
+  , _drsLastRotatedDate    :: !(Maybe POSIX)
+  , _drsLastAccessedDate   :: !(Maybe POSIX)
+  , _drsDescription        :: !(Maybe Text)
+  , _drsRotationLambdaARN  :: !(Maybe Text)
+  , _drsTags               :: !(Maybe [Tag])
+  , _drsResponseStatus     :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'DescribeSecretResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'drsLastChangedDate' - The last date and time that this secret was modified in any way.
+--
+-- * 'drsARN' - The ARN of the secret.
+--
+-- * 'drsRotationRules' - A structure that contains the rotation configuration for this secret.
+--
+-- * 'drsDeletedDate' - This value exists if the secret is scheduled for deletion. Some time after the specified date and time, Secrets Manager deletes the secret and all of its versions. If a secret is scheduled for deletion, then its details, including the encrypted secret information, is not accessible. To cancel a scheduled deletion and restore access, use 'RestoreSecret' .
+--
+-- * 'drsRotationEnabled' - Specifies whether automatic rotation is enabled for this secret. To enable rotation, use 'RotateSecret' with @AutomaticallyRotateAfterDays@ set to a value greater than 0. To disable rotation, use 'CancelRotateSecret' .
+--
+-- * 'drsKMSKeyId' - The ARN or alias of the AWS KMS customer master key (CMK) that's used to encrypt the @SecretString@ or @SecretBinary@ fields in each version of the secret. If you don't provide a key, then Secrets Manager defaults to encrypting the secret fields with the default KMS CMK (the one named @awssecretsmanager@ ) for this account.
+--
+-- * 'drsName' - The user-provided friendly name of the secret.
+--
+-- * 'drsVersionIdsToStages' - A list of all of the currently assigned @VersionStage@ staging labels and the @SecretVersionId@ that each is attached to. Staging labels are used to keep track of the different versions during the rotation process.
+--
+-- * 'drsLastRotatedDate' - The last date and time that the Secrets Manager rotation process for this secret was invoked.
+--
+-- * 'drsLastAccessedDate' - The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time.
+--
+-- * 'drsDescription' - The user-provided description of the secret.
+--
+-- * 'drsRotationLambdaARN' - The ARN of a Lambda function that's invoked by Secrets Manager to rotate the secret either automatically per the schedule or manually by a call to @RotateSecret@ .
+--
+-- * 'drsTags' - The list of user-defined tags that are associated with the secret. To add tags to a secret, use 'TagResource' . To remove tags, use 'UntagResource' .
+--
+-- * 'drsResponseStatus' - -- | The response status code.
+describeSecretResponse
+    :: Int -- ^ 'drsResponseStatus'
+    -> DescribeSecretResponse
+describeSecretResponse pResponseStatus_ =
+  DescribeSecretResponse'
+    { _drsLastChangedDate = Nothing
+    , _drsARN = Nothing
+    , _drsRotationRules = Nothing
+    , _drsDeletedDate = Nothing
+    , _drsRotationEnabled = Nothing
+    , _drsKMSKeyId = Nothing
+    , _drsName = Nothing
+    , _drsVersionIdsToStages = Nothing
+    , _drsLastRotatedDate = Nothing
+    , _drsLastAccessedDate = Nothing
+    , _drsDescription = Nothing
+    , _drsRotationLambdaARN = Nothing
+    , _drsTags = Nothing
+    , _drsResponseStatus = pResponseStatus_
+    }
+
+
+-- | The last date and time that this secret was modified in any way.
+drsLastChangedDate :: Lens' DescribeSecretResponse (Maybe UTCTime)
+drsLastChangedDate = lens _drsLastChangedDate (\ s a -> s{_drsLastChangedDate = a}) . mapping _Time
+
+-- | The ARN of the secret.
+drsARN :: Lens' DescribeSecretResponse (Maybe Text)
+drsARN = lens _drsARN (\ s a -> s{_drsARN = a})
+
+-- | A structure that contains the rotation configuration for this secret.
+drsRotationRules :: Lens' DescribeSecretResponse (Maybe RotationRulesType)
+drsRotationRules = lens _drsRotationRules (\ s a -> s{_drsRotationRules = a})
+
+-- | This value exists if the secret is scheduled for deletion. Some time after the specified date and time, Secrets Manager deletes the secret and all of its versions. If a secret is scheduled for deletion, then its details, including the encrypted secret information, is not accessible. To cancel a scheduled deletion and restore access, use 'RestoreSecret' .
+drsDeletedDate :: Lens' DescribeSecretResponse (Maybe UTCTime)
+drsDeletedDate = lens _drsDeletedDate (\ s a -> s{_drsDeletedDate = a}) . mapping _Time
+
+-- | Specifies whether automatic rotation is enabled for this secret. To enable rotation, use 'RotateSecret' with @AutomaticallyRotateAfterDays@ set to a value greater than 0. To disable rotation, use 'CancelRotateSecret' .
+drsRotationEnabled :: Lens' DescribeSecretResponse (Maybe Bool)
+drsRotationEnabled = lens _drsRotationEnabled (\ s a -> s{_drsRotationEnabled = a})
+
+-- | The ARN or alias of the AWS KMS customer master key (CMK) that's used to encrypt the @SecretString@ or @SecretBinary@ fields in each version of the secret. If you don't provide a key, then Secrets Manager defaults to encrypting the secret fields with the default KMS CMK (the one named @awssecretsmanager@ ) for this account.
+drsKMSKeyId :: Lens' DescribeSecretResponse (Maybe Text)
+drsKMSKeyId = lens _drsKMSKeyId (\ s a -> s{_drsKMSKeyId = a})
+
+-- | The user-provided friendly name of the secret.
+drsName :: Lens' DescribeSecretResponse (Maybe Text)
+drsName = lens _drsName (\ s a -> s{_drsName = a})
+
+-- | A list of all of the currently assigned @VersionStage@ staging labels and the @SecretVersionId@ that each is attached to. Staging labels are used to keep track of the different versions during the rotation process.
+drsVersionIdsToStages :: Lens' DescribeSecretResponse (HashMap Text (NonEmpty Text))
+drsVersionIdsToStages = lens _drsVersionIdsToStages (\ s a -> s{_drsVersionIdsToStages = a}) . _Default . _Map
+
+-- | The last date and time that the Secrets Manager rotation process for this secret was invoked.
+drsLastRotatedDate :: Lens' DescribeSecretResponse (Maybe UTCTime)
+drsLastRotatedDate = lens _drsLastRotatedDate (\ s a -> s{_drsLastRotatedDate = a}) . mapping _Time
+
+-- | The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time.
+drsLastAccessedDate :: Lens' DescribeSecretResponse (Maybe UTCTime)
+drsLastAccessedDate = lens _drsLastAccessedDate (\ s a -> s{_drsLastAccessedDate = a}) . mapping _Time
+
+-- | The user-provided description of the secret.
+drsDescription :: Lens' DescribeSecretResponse (Maybe Text)
+drsDescription = lens _drsDescription (\ s a -> s{_drsDescription = a})
+
+-- | The ARN of a Lambda function that's invoked by Secrets Manager to rotate the secret either automatically per the schedule or manually by a call to @RotateSecret@ .
+drsRotationLambdaARN :: Lens' DescribeSecretResponse (Maybe Text)
+drsRotationLambdaARN = lens _drsRotationLambdaARN (\ s a -> s{_drsRotationLambdaARN = a})
+
+-- | The list of user-defined tags that are associated with the secret. To add tags to a secret, use 'TagResource' . To remove tags, use 'UntagResource' .
+drsTags :: Lens' DescribeSecretResponse [Tag]
+drsTags = lens _drsTags (\ s a -> s{_drsTags = a}) . _Default . _Coerce
+
+-- | -- | The response status code.
+drsResponseStatus :: Lens' DescribeSecretResponse Int
+drsResponseStatus = lens _drsResponseStatus (\ s a -> s{_drsResponseStatus = a})
+
+instance NFData DescribeSecretResponse where
diff --git a/gen/Network/AWS/SecretsManager/GetRandomPassword.hs b/gen/Network/AWS/SecretsManager/GetRandomPassword.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/GetRandomPassword.hs
@@ -0,0 +1,213 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.GetRandomPassword
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Generates a random password of the specified complexity. This operation is intended for use in the Lambda rotation function. Per best practice, we recommend that you specify the maximum length and include every character type that the system you are generating a password for can support.
+--
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:GetRandomPassword
+--
+--
+--
+module Network.AWS.SecretsManager.GetRandomPassword
+    (
+    -- * Creating a Request
+      getRandomPassword
+    , GetRandomPassword
+    -- * Request Lenses
+    , grpIncludeSpace
+    , grpExcludeNumbers
+    , grpExcludeLowercase
+    , grpExcludeCharacters
+    , grpExcludePunctuation
+    , grpRequireEachIncludedType
+    , grpExcludeUppercase
+    , grpPasswordLength
+
+    -- * Destructuring the Response
+    , getRandomPasswordResponse
+    , GetRandomPasswordResponse
+    -- * Response Lenses
+    , grprsRandomPassword
+    , grprsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'getRandomPassword' smart constructor.
+data GetRandomPassword = GetRandomPassword'
+  { _grpIncludeSpace            :: !(Maybe Bool)
+  , _grpExcludeNumbers          :: !(Maybe Bool)
+  , _grpExcludeLowercase        :: !(Maybe Bool)
+  , _grpExcludeCharacters       :: !(Maybe Text)
+  , _grpExcludePunctuation      :: !(Maybe Bool)
+  , _grpRequireEachIncludedType :: !(Maybe Bool)
+  , _grpExcludeUppercase        :: !(Maybe Bool)
+  , _grpPasswordLength          :: !(Maybe Nat)
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'GetRandomPassword' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'grpIncludeSpace' - Specifies that the generated password can include the space character. The default if you do not include this switch parameter is that the space character is not included.
+--
+-- * 'grpExcludeNumbers' - Specifies that the generated password should not include digits. The default if you do not include this switch parameter is that digits can be included.
+--
+-- * 'grpExcludeLowercase' - Specifies that the generated password should not include lowercase letters. The default if you do not include this switch parameter is that lowercase letters can be included.
+--
+-- * 'grpExcludeCharacters' - A string that includes characters that should not be included in the generated password. The default is that all characters from the included sets can be used.
+--
+-- * 'grpExcludePunctuation' - Specifies that the generated password should not include punctuation characters. The default if you do not include this switch parameter is that punctuation characters can be included.
+--
+-- * 'grpRequireEachIncludedType' - A boolean value that specifies whether the generated password must include at least one of every allowed character type. The default value is @True@ and the operation requires at least one of every character type.
+--
+-- * 'grpExcludeUppercase' - Specifies that the generated password should not include uppercase letters. The default if you do not include this switch parameter is that uppercase letters can be included.
+--
+-- * 'grpPasswordLength' - The desired length of the generated password. The default value if you do not include this parameter is 32 characters.
+getRandomPassword
+    :: GetRandomPassword
+getRandomPassword =
+  GetRandomPassword'
+    { _grpIncludeSpace = Nothing
+    , _grpExcludeNumbers = Nothing
+    , _grpExcludeLowercase = Nothing
+    , _grpExcludeCharacters = Nothing
+    , _grpExcludePunctuation = Nothing
+    , _grpRequireEachIncludedType = Nothing
+    , _grpExcludeUppercase = Nothing
+    , _grpPasswordLength = Nothing
+    }
+
+
+-- | Specifies that the generated password can include the space character. The default if you do not include this switch parameter is that the space character is not included.
+grpIncludeSpace :: Lens' GetRandomPassword (Maybe Bool)
+grpIncludeSpace = lens _grpIncludeSpace (\ s a -> s{_grpIncludeSpace = a})
+
+-- | Specifies that the generated password should not include digits. The default if you do not include this switch parameter is that digits can be included.
+grpExcludeNumbers :: Lens' GetRandomPassword (Maybe Bool)
+grpExcludeNumbers = lens _grpExcludeNumbers (\ s a -> s{_grpExcludeNumbers = a})
+
+-- | Specifies that the generated password should not include lowercase letters. The default if you do not include this switch parameter is that lowercase letters can be included.
+grpExcludeLowercase :: Lens' GetRandomPassword (Maybe Bool)
+grpExcludeLowercase = lens _grpExcludeLowercase (\ s a -> s{_grpExcludeLowercase = a})
+
+-- | A string that includes characters that should not be included in the generated password. The default is that all characters from the included sets can be used.
+grpExcludeCharacters :: Lens' GetRandomPassword (Maybe Text)
+grpExcludeCharacters = lens _grpExcludeCharacters (\ s a -> s{_grpExcludeCharacters = a})
+
+-- | Specifies that the generated password should not include punctuation characters. The default if you do not include this switch parameter is that punctuation characters can be included.
+grpExcludePunctuation :: Lens' GetRandomPassword (Maybe Bool)
+grpExcludePunctuation = lens _grpExcludePunctuation (\ s a -> s{_grpExcludePunctuation = a})
+
+-- | A boolean value that specifies whether the generated password must include at least one of every allowed character type. The default value is @True@ and the operation requires at least one of every character type.
+grpRequireEachIncludedType :: Lens' GetRandomPassword (Maybe Bool)
+grpRequireEachIncludedType = lens _grpRequireEachIncludedType (\ s a -> s{_grpRequireEachIncludedType = a})
+
+-- | Specifies that the generated password should not include uppercase letters. The default if you do not include this switch parameter is that uppercase letters can be included.
+grpExcludeUppercase :: Lens' GetRandomPassword (Maybe Bool)
+grpExcludeUppercase = lens _grpExcludeUppercase (\ s a -> s{_grpExcludeUppercase = a})
+
+-- | The desired length of the generated password. The default value if you do not include this parameter is 32 characters.
+grpPasswordLength :: Lens' GetRandomPassword (Maybe Natural)
+grpPasswordLength = lens _grpPasswordLength (\ s a -> s{_grpPasswordLength = a}) . mapping _Nat
+
+instance AWSRequest GetRandomPassword where
+        type Rs GetRandomPassword = GetRandomPasswordResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 GetRandomPasswordResponse' <$>
+                   (x .?> "RandomPassword") <*> (pure (fromEnum s)))
+
+instance Hashable GetRandomPassword where
+
+instance NFData GetRandomPassword where
+
+instance ToHeaders GetRandomPassword where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.GetRandomPassword" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON GetRandomPassword where
+        toJSON GetRandomPassword'{..}
+          = object
+              (catMaybes
+                 [("IncludeSpace" .=) <$> _grpIncludeSpace,
+                  ("ExcludeNumbers" .=) <$> _grpExcludeNumbers,
+                  ("ExcludeLowercase" .=) <$> _grpExcludeLowercase,
+                  ("ExcludeCharacters" .=) <$> _grpExcludeCharacters,
+                  ("ExcludePunctuation" .=) <$> _grpExcludePunctuation,
+                  ("RequireEachIncludedType" .=) <$>
+                    _grpRequireEachIncludedType,
+                  ("ExcludeUppercase" .=) <$> _grpExcludeUppercase,
+                  ("PasswordLength" .=) <$> _grpPasswordLength])
+
+instance ToPath GetRandomPassword where
+        toPath = const "/"
+
+instance ToQuery GetRandomPassword where
+        toQuery = const mempty
+
+-- | /See:/ 'getRandomPasswordResponse' smart constructor.
+data GetRandomPasswordResponse = GetRandomPasswordResponse'
+  { _grprsRandomPassword :: !(Maybe Text)
+  , _grprsResponseStatus :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'GetRandomPasswordResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'grprsRandomPassword' - A string with the generated password.
+--
+-- * 'grprsResponseStatus' - -- | The response status code.
+getRandomPasswordResponse
+    :: Int -- ^ 'grprsResponseStatus'
+    -> GetRandomPasswordResponse
+getRandomPasswordResponse pResponseStatus_ =
+  GetRandomPasswordResponse'
+    {_grprsRandomPassword = Nothing, _grprsResponseStatus = pResponseStatus_}
+
+
+-- | A string with the generated password.
+grprsRandomPassword :: Lens' GetRandomPasswordResponse (Maybe Text)
+grprsRandomPassword = lens _grprsRandomPassword (\ s a -> s{_grprsRandomPassword = a})
+
+-- | -- | The response status code.
+grprsResponseStatus :: Lens' GetRandomPasswordResponse Int
+grprsResponseStatus = lens _grprsResponseStatus (\ s a -> s{_grprsResponseStatus = a})
+
+instance NFData GetRandomPasswordResponse where
diff --git a/gen/Network/AWS/SecretsManager/GetSecretValue.hs b/gen/Network/AWS/SecretsManager/GetSecretValue.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/GetSecretValue.hs
@@ -0,0 +1,235 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.GetSecretValue
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Retrieves the contents of the encrypted fields @SecretString@ or @SecretBinary@ from the specified version of a secret, whichever contains content.
+--
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:GetSecretValue
+--
+--     * kms:Decrypt - required only if you use a customer-created KMS key to encrypt the secret. You do not need this permission to use the account's default AWS managed CMK for Secrets Manager.
+--
+--
+--
+-- __Related operations__
+--
+--     * To create a new version of the secret with different encrypted information, use 'PutSecretValue' .
+--
+--     * To retrieve the non-encrypted details for the secret, use 'DescribeSecret' .
+--
+--
+--
+module Network.AWS.SecretsManager.GetSecretValue
+    (
+    -- * Creating a Request
+      getSecretValue
+    , GetSecretValue
+    -- * Request Lenses
+    , gsvVersionId
+    , gsvVersionStage
+    , gsvSecretId
+
+    -- * Destructuring the Response
+    , getSecretValueResponse
+    , GetSecretValueResponse
+    -- * Response Lenses
+    , gsvrsVersionId
+    , gsvrsARN
+    , gsvrsVersionStages
+    , gsvrsSecretBinary
+    , gsvrsCreatedDate
+    , gsvrsName
+    , gsvrsSecretString
+    , gsvrsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'getSecretValue' smart constructor.
+data GetSecretValue = GetSecretValue'
+  { _gsvVersionId    :: !(Maybe Text)
+  , _gsvVersionStage :: !(Maybe Text)
+  , _gsvSecretId     :: !Text
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'GetSecretValue' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'gsvVersionId' - Specifies the unique identifier of the version of the secret that you want to retrieve. If you specify this parameter then don't specify @VersionStage@ . If you don't specify either a @VersionStage@ or @SecretVersionId@ then the default is to perform the operation on the version with the @VersionStage@ value of @AWSCURRENT@ . This value is typically a <https://wikipedia.org/wiki/Universally_unique_identifier UUID-type> value with 32 hexadecimal digits.
+--
+-- * 'gsvVersionStage' - Specifies the secret version that you want to retrieve by the staging label attached to the version. Staging labels are used to keep track of different versions during the rotation process. If you use this parameter then don't specify @SecretVersionId@ . If you don't specify either a @VersionStage@ or @SecretVersionId@ , then the default is to perform the operation on the version with the @VersionStage@ value of @AWSCURRENT@ .
+--
+-- * 'gsvSecretId' - Specifies the secret containing the version that you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+getSecretValue
+    :: Text -- ^ 'gsvSecretId'
+    -> GetSecretValue
+getSecretValue pSecretId_ =
+  GetSecretValue'
+    { _gsvVersionId = Nothing
+    , _gsvVersionStage = Nothing
+    , _gsvSecretId = pSecretId_
+    }
+
+
+-- | Specifies the unique identifier of the version of the secret that you want to retrieve. If you specify this parameter then don't specify @VersionStage@ . If you don't specify either a @VersionStage@ or @SecretVersionId@ then the default is to perform the operation on the version with the @VersionStage@ value of @AWSCURRENT@ . This value is typically a <https://wikipedia.org/wiki/Universally_unique_identifier UUID-type> value with 32 hexadecimal digits.
+gsvVersionId :: Lens' GetSecretValue (Maybe Text)
+gsvVersionId = lens _gsvVersionId (\ s a -> s{_gsvVersionId = a})
+
+-- | Specifies the secret version that you want to retrieve by the staging label attached to the version. Staging labels are used to keep track of different versions during the rotation process. If you use this parameter then don't specify @SecretVersionId@ . If you don't specify either a @VersionStage@ or @SecretVersionId@ , then the default is to perform the operation on the version with the @VersionStage@ value of @AWSCURRENT@ .
+gsvVersionStage :: Lens' GetSecretValue (Maybe Text)
+gsvVersionStage = lens _gsvVersionStage (\ s a -> s{_gsvVersionStage = a})
+
+-- | Specifies the secret containing the version that you want to retrieve. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+gsvSecretId :: Lens' GetSecretValue Text
+gsvSecretId = lens _gsvSecretId (\ s a -> s{_gsvSecretId = a})
+
+instance AWSRequest GetSecretValue where
+        type Rs GetSecretValue = GetSecretValueResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 GetSecretValueResponse' <$>
+                   (x .?> "VersionId") <*> (x .?> "ARN") <*>
+                     (x .?> "VersionStages")
+                     <*> (x .?> "SecretBinary")
+                     <*> (x .?> "CreatedDate")
+                     <*> (x .?> "Name")
+                     <*> (x .?> "SecretString")
+                     <*> (pure (fromEnum s)))
+
+instance Hashable GetSecretValue where
+
+instance NFData GetSecretValue where
+
+instance ToHeaders GetSecretValue where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.GetSecretValue" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON GetSecretValue where
+        toJSON GetSecretValue'{..}
+          = object
+              (catMaybes
+                 [("VersionId" .=) <$> _gsvVersionId,
+                  ("VersionStage" .=) <$> _gsvVersionStage,
+                  Just ("SecretId" .= _gsvSecretId)])
+
+instance ToPath GetSecretValue where
+        toPath = const "/"
+
+instance ToQuery GetSecretValue where
+        toQuery = const mempty
+
+-- | /See:/ 'getSecretValueResponse' smart constructor.
+data GetSecretValueResponse = GetSecretValueResponse'
+  { _gsvrsVersionId      :: !(Maybe Text)
+  , _gsvrsARN            :: !(Maybe Text)
+  , _gsvrsVersionStages  :: !(Maybe (List1 Text))
+  , _gsvrsSecretBinary   :: !(Maybe (Sensitive Base64))
+  , _gsvrsCreatedDate    :: !(Maybe POSIX)
+  , _gsvrsName           :: !(Maybe Text)
+  , _gsvrsSecretString   :: !(Maybe (Sensitive Text))
+  , _gsvrsResponseStatus :: !Int
+  } deriving (Eq, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'GetSecretValueResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'gsvrsVersionId' - The unique identifier of this version of the secret.
+--
+-- * 'gsvrsARN' - The ARN of the secret.
+--
+-- * 'gsvrsVersionStages' - A list of all of the staging labels currently attached to this version of the secret.
+--
+-- * 'gsvrsSecretBinary' - The decrypted part of the protected secret information that was originally provided as binary data in the form of a byte array. The response parameter represents the binary data as a <https://tools.ietf.org/html/rfc4648#section-4 base64-encoded> string. This parameter is not used if the secret is created by the Secrets Manager console. If you store custom information in this field of the secret, then you must code your Lambda rotation function to parse and interpret whatever you store in the @SecretString@ or @SecretBinary@ fields.-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This 'Lens' accepts and returns only raw unencoded data.
+--
+-- * 'gsvrsCreatedDate' - The date and time that this version of the secret was created.
+--
+-- * 'gsvrsName' - The friendly name of the secret.
+--
+-- * 'gsvrsSecretString' - The decrypted part of the protected secret information that was originally provided as a string. If you create this secret by using the Secrets Manager console then only the @SecretString@ parameter contains data. Secrets Manager stores the information as a JSON structure of key/value pairs that the Lambda rotation function knows how to parse. If you store custom information in the secret by using the 'CreateSecret' , 'UpdateSecret' , or 'PutSecretValue' API operations instead of the Secrets Manager console, or by using the __Other secret type__ in the console, then you must code your Lambda rotation function to parse and interpret those values.
+--
+-- * 'gsvrsResponseStatus' - -- | The response status code.
+getSecretValueResponse
+    :: Int -- ^ 'gsvrsResponseStatus'
+    -> GetSecretValueResponse
+getSecretValueResponse pResponseStatus_ =
+  GetSecretValueResponse'
+    { _gsvrsVersionId = Nothing
+    , _gsvrsARN = Nothing
+    , _gsvrsVersionStages = Nothing
+    , _gsvrsSecretBinary = Nothing
+    , _gsvrsCreatedDate = Nothing
+    , _gsvrsName = Nothing
+    , _gsvrsSecretString = Nothing
+    , _gsvrsResponseStatus = pResponseStatus_
+    }
+
+
+-- | The unique identifier of this version of the secret.
+gsvrsVersionId :: Lens' GetSecretValueResponse (Maybe Text)
+gsvrsVersionId = lens _gsvrsVersionId (\ s a -> s{_gsvrsVersionId = a})
+
+-- | The ARN of the secret.
+gsvrsARN :: Lens' GetSecretValueResponse (Maybe Text)
+gsvrsARN = lens _gsvrsARN (\ s a -> s{_gsvrsARN = a})
+
+-- | A list of all of the staging labels currently attached to this version of the secret.
+gsvrsVersionStages :: Lens' GetSecretValueResponse (Maybe (NonEmpty Text))
+gsvrsVersionStages = lens _gsvrsVersionStages (\ s a -> s{_gsvrsVersionStages = a}) . mapping _List1
+
+-- | The decrypted part of the protected secret information that was originally provided as binary data in the form of a byte array. The response parameter represents the binary data as a <https://tools.ietf.org/html/rfc4648#section-4 base64-encoded> string. This parameter is not used if the secret is created by the Secrets Manager console. If you store custom information in this field of the secret, then you must code your Lambda rotation function to parse and interpret whatever you store in the @SecretString@ or @SecretBinary@ fields.-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This 'Lens' accepts and returns only raw unencoded data.
+gsvrsSecretBinary :: Lens' GetSecretValueResponse (Maybe ByteString)
+gsvrsSecretBinary = lens _gsvrsSecretBinary (\ s a -> s{_gsvrsSecretBinary = a}) . mapping (_Sensitive . _Base64)
+
+-- | The date and time that this version of the secret was created.
+gsvrsCreatedDate :: Lens' GetSecretValueResponse (Maybe UTCTime)
+gsvrsCreatedDate = lens _gsvrsCreatedDate (\ s a -> s{_gsvrsCreatedDate = a}) . mapping _Time
+
+-- | The friendly name of the secret.
+gsvrsName :: Lens' GetSecretValueResponse (Maybe Text)
+gsvrsName = lens _gsvrsName (\ s a -> s{_gsvrsName = a})
+
+-- | The decrypted part of the protected secret information that was originally provided as a string. If you create this secret by using the Secrets Manager console then only the @SecretString@ parameter contains data. Secrets Manager stores the information as a JSON structure of key/value pairs that the Lambda rotation function knows how to parse. If you store custom information in the secret by using the 'CreateSecret' , 'UpdateSecret' , or 'PutSecretValue' API operations instead of the Secrets Manager console, or by using the __Other secret type__ in the console, then you must code your Lambda rotation function to parse and interpret those values.
+gsvrsSecretString :: Lens' GetSecretValueResponse (Maybe Text)
+gsvrsSecretString = lens _gsvrsSecretString (\ s a -> s{_gsvrsSecretString = a}) . mapping _Sensitive
+
+-- | -- | The response status code.
+gsvrsResponseStatus :: Lens' GetSecretValueResponse Int
+gsvrsResponseStatus = lens _gsvrsResponseStatus (\ s a -> s{_gsvrsResponseStatus = a})
+
+instance NFData GetSecretValueResponse where
diff --git a/gen/Network/AWS/SecretsManager/ListSecretVersionIds.hs b/gen/Network/AWS/SecretsManager/ListSecretVersionIds.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/ListSecretVersionIds.hs
@@ -0,0 +1,213 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.ListSecretVersionIds
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Lists all of the versions attached to the specified secret. The output does not include the @SecretString@ or @SecretBinary@ fields. By default, the list includes only versions that have at least one staging label in @VersionStage@ attached.
+--
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:ListSecretVersionIds
+--
+--
+--
+-- __Related operations__
+--
+--     * To list the secrets in an account, use 'ListSecrets' .
+--
+--
+--
+module Network.AWS.SecretsManager.ListSecretVersionIds
+    (
+    -- * Creating a Request
+      listSecretVersionIds
+    , ListSecretVersionIds
+    -- * Request Lenses
+    , lsviNextToken
+    , lsviIncludeDeprecated
+    , lsviMaxResults
+    , lsviSecretId
+
+    -- * Destructuring the Response
+    , listSecretVersionIdsResponse
+    , ListSecretVersionIdsResponse
+    -- * Response Lenses
+    , lsvirsARN
+    , lsvirsVersions
+    , lsvirsNextToken
+    , lsvirsName
+    , lsvirsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'listSecretVersionIds' smart constructor.
+data ListSecretVersionIds = ListSecretVersionIds'
+  { _lsviNextToken         :: !(Maybe Text)
+  , _lsviIncludeDeprecated :: !(Maybe Bool)
+  , _lsviMaxResults        :: !(Maybe Nat)
+  , _lsviSecretId          :: !Text
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'ListSecretVersionIds' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'lsviNextToken' - (Optional) Use this parameter in a request if you receive a @NextToken@ response in a previous request that indicates that there's more output available. In a subsequent call, set it to the value of the previous call's @NextToken@ response to indicate where the output should continue from.
+--
+-- * 'lsviIncludeDeprecated' - (Optional) Specifies that you want the results to include versions that do not have any staging labels attached to them. Such versions are considered deprecated and are subject to deletion by Secrets Manager as needed.
+--
+-- * 'lsviMaxResults' - (Optional) Limits the number of results that you want to include in the response. If you don't include this parameter, it defaults to a value that's specific to the operation. If additional items exist beyond the maximum you specify, the @NextToken@ response element is present and has a value (isn't null). Include that value as the @NextToken@ request parameter in the next call to the operation to get the next part of the results. Note that Secrets Manager might return fewer results than the maximum even when there are more results available. You should check @NextToken@ after every operation to ensure that you receive all of the results.
+--
+-- * 'lsviSecretId' - The identifier for the secret containing the versions you want to list. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+listSecretVersionIds
+    :: Text -- ^ 'lsviSecretId'
+    -> ListSecretVersionIds
+listSecretVersionIds pSecretId_ =
+  ListSecretVersionIds'
+    { _lsviNextToken = Nothing
+    , _lsviIncludeDeprecated = Nothing
+    , _lsviMaxResults = Nothing
+    , _lsviSecretId = pSecretId_
+    }
+
+
+-- | (Optional) Use this parameter in a request if you receive a @NextToken@ response in a previous request that indicates that there's more output available. In a subsequent call, set it to the value of the previous call's @NextToken@ response to indicate where the output should continue from.
+lsviNextToken :: Lens' ListSecretVersionIds (Maybe Text)
+lsviNextToken = lens _lsviNextToken (\ s a -> s{_lsviNextToken = a})
+
+-- | (Optional) Specifies that you want the results to include versions that do not have any staging labels attached to them. Such versions are considered deprecated and are subject to deletion by Secrets Manager as needed.
+lsviIncludeDeprecated :: Lens' ListSecretVersionIds (Maybe Bool)
+lsviIncludeDeprecated = lens _lsviIncludeDeprecated (\ s a -> s{_lsviIncludeDeprecated = a})
+
+-- | (Optional) Limits the number of results that you want to include in the response. If you don't include this parameter, it defaults to a value that's specific to the operation. If additional items exist beyond the maximum you specify, the @NextToken@ response element is present and has a value (isn't null). Include that value as the @NextToken@ request parameter in the next call to the operation to get the next part of the results. Note that Secrets Manager might return fewer results than the maximum even when there are more results available. You should check @NextToken@ after every operation to ensure that you receive all of the results.
+lsviMaxResults :: Lens' ListSecretVersionIds (Maybe Natural)
+lsviMaxResults = lens _lsviMaxResults (\ s a -> s{_lsviMaxResults = a}) . mapping _Nat
+
+-- | The identifier for the secret containing the versions you want to list. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+lsviSecretId :: Lens' ListSecretVersionIds Text
+lsviSecretId = lens _lsviSecretId (\ s a -> s{_lsviSecretId = a})
+
+instance AWSRequest ListSecretVersionIds where
+        type Rs ListSecretVersionIds =
+             ListSecretVersionIdsResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 ListSecretVersionIdsResponse' <$>
+                   (x .?> "ARN") <*> (x .?> "Versions" .!@ mempty) <*>
+                     (x .?> "NextToken")
+                     <*> (x .?> "Name")
+                     <*> (pure (fromEnum s)))
+
+instance Hashable ListSecretVersionIds where
+
+instance NFData ListSecretVersionIds where
+
+instance ToHeaders ListSecretVersionIds where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.ListSecretVersionIds" ::
+                       ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON ListSecretVersionIds where
+        toJSON ListSecretVersionIds'{..}
+          = object
+              (catMaybes
+                 [("NextToken" .=) <$> _lsviNextToken,
+                  ("IncludeDeprecated" .=) <$> _lsviIncludeDeprecated,
+                  ("MaxResults" .=) <$> _lsviMaxResults,
+                  Just ("SecretId" .= _lsviSecretId)])
+
+instance ToPath ListSecretVersionIds where
+        toPath = const "/"
+
+instance ToQuery ListSecretVersionIds where
+        toQuery = const mempty
+
+-- | /See:/ 'listSecretVersionIdsResponse' smart constructor.
+data ListSecretVersionIdsResponse = ListSecretVersionIdsResponse'
+  { _lsvirsARN            :: !(Maybe Text)
+  , _lsvirsVersions       :: !(Maybe [SecretVersionsListEntry])
+  , _lsvirsNextToken      :: !(Maybe Text)
+  , _lsvirsName           :: !(Maybe Text)
+  , _lsvirsResponseStatus :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'ListSecretVersionIdsResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'lsvirsARN' - The Amazon Resource Name (ARN) for the secret.
+--
+-- * 'lsvirsVersions' - The list of the currently available versions of the specified secret.
+--
+-- * 'lsvirsNextToken' - If present in the response, this value indicates that there's more output available than what's included in the current response. This can occur even when the response includes no values at all, such as when you ask for a filtered view of a very long list. Use this value in the @NextToken@ request parameter in a subsequent call to the operation to continue processing and get the next part of the output. You should repeat this until the @NextToken@ response element comes back empty (as @null@ ).
+--
+-- * 'lsvirsName' - The friendly name of the secret.
+--
+-- * 'lsvirsResponseStatus' - -- | The response status code.
+listSecretVersionIdsResponse
+    :: Int -- ^ 'lsvirsResponseStatus'
+    -> ListSecretVersionIdsResponse
+listSecretVersionIdsResponse pResponseStatus_ =
+  ListSecretVersionIdsResponse'
+    { _lsvirsARN = Nothing
+    , _lsvirsVersions = Nothing
+    , _lsvirsNextToken = Nothing
+    , _lsvirsName = Nothing
+    , _lsvirsResponseStatus = pResponseStatus_
+    }
+
+
+-- | The Amazon Resource Name (ARN) for the secret.
+lsvirsARN :: Lens' ListSecretVersionIdsResponse (Maybe Text)
+lsvirsARN = lens _lsvirsARN (\ s a -> s{_lsvirsARN = a})
+
+-- | The list of the currently available versions of the specified secret.
+lsvirsVersions :: Lens' ListSecretVersionIdsResponse [SecretVersionsListEntry]
+lsvirsVersions = lens _lsvirsVersions (\ s a -> s{_lsvirsVersions = a}) . _Default . _Coerce
+
+-- | If present in the response, this value indicates that there's more output available than what's included in the current response. This can occur even when the response includes no values at all, such as when you ask for a filtered view of a very long list. Use this value in the @NextToken@ request parameter in a subsequent call to the operation to continue processing and get the next part of the output. You should repeat this until the @NextToken@ response element comes back empty (as @null@ ).
+lsvirsNextToken :: Lens' ListSecretVersionIdsResponse (Maybe Text)
+lsvirsNextToken = lens _lsvirsNextToken (\ s a -> s{_lsvirsNextToken = a})
+
+-- | The friendly name of the secret.
+lsvirsName :: Lens' ListSecretVersionIdsResponse (Maybe Text)
+lsvirsName = lens _lsvirsName (\ s a -> s{_lsvirsName = a})
+
+-- | -- | The response status code.
+lsvirsResponseStatus :: Lens' ListSecretVersionIdsResponse Int
+lsvirsResponseStatus = lens _lsvirsResponseStatus (\ s a -> s{_lsvirsResponseStatus = a})
+
+instance NFData ListSecretVersionIdsResponse where
diff --git a/gen/Network/AWS/SecretsManager/ListSecrets.hs b/gen/Network/AWS/SecretsManager/ListSecrets.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/ListSecrets.hs
@@ -0,0 +1,167 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.ListSecrets
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Lists all of the secrets that are stored by Secrets Manager in the AWS account. To list the versions currently stored for a specific secret, use 'ListSecretVersionIds' . The encrypted fields @SecretString@ and @SecretBinary@ are not included in the output. To get that information, call the 'GetSecretValue' operation.
+--
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:ListSecrets
+--
+--
+--
+-- __Related operations__
+--
+--     * To list the versions attached to a secret, use 'ListSecretVersionIds' .
+--
+--
+--
+module Network.AWS.SecretsManager.ListSecrets
+    (
+    -- * Creating a Request
+      listSecrets
+    , ListSecrets
+    -- * Request Lenses
+    , lsNextToken
+    , lsMaxResults
+
+    -- * Destructuring the Response
+    , listSecretsResponse
+    , ListSecretsResponse
+    -- * Response Lenses
+    , lsrsNextToken
+    , lsrsSecretList
+    , lsrsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'listSecrets' smart constructor.
+data ListSecrets = ListSecrets'
+  { _lsNextToken  :: !(Maybe Text)
+  , _lsMaxResults :: !(Maybe Nat)
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'ListSecrets' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'lsNextToken' - (Optional) Use this parameter in a request if you receive a @NextToken@ response in a previous request that indicates that there's more output available. In a subsequent call, set it to the value of the previous call's @NextToken@ response to indicate where the output should continue from.
+--
+-- * 'lsMaxResults' - (Optional) Limits the number of results that you want to include in the response. If you don't include this parameter, it defaults to a value that's specific to the operation. If additional items exist beyond the maximum you specify, the @NextToken@ response element is present and has a value (isn't null). Include that value as the @NextToken@ request parameter in the next call to the operation to get the next part of the results. Note that Secrets Manager might return fewer results than the maximum even when there are more results available. You should check @NextToken@ after every operation to ensure that you receive all of the results.
+listSecrets
+    :: ListSecrets
+listSecrets = ListSecrets' {_lsNextToken = Nothing, _lsMaxResults = Nothing}
+
+
+-- | (Optional) Use this parameter in a request if you receive a @NextToken@ response in a previous request that indicates that there's more output available. In a subsequent call, set it to the value of the previous call's @NextToken@ response to indicate where the output should continue from.
+lsNextToken :: Lens' ListSecrets (Maybe Text)
+lsNextToken = lens _lsNextToken (\ s a -> s{_lsNextToken = a})
+
+-- | (Optional) Limits the number of results that you want to include in the response. If you don't include this parameter, it defaults to a value that's specific to the operation. If additional items exist beyond the maximum you specify, the @NextToken@ response element is present and has a value (isn't null). Include that value as the @NextToken@ request parameter in the next call to the operation to get the next part of the results. Note that Secrets Manager might return fewer results than the maximum even when there are more results available. You should check @NextToken@ after every operation to ensure that you receive all of the results.
+lsMaxResults :: Lens' ListSecrets (Maybe Natural)
+lsMaxResults = lens _lsMaxResults (\ s a -> s{_lsMaxResults = a}) . mapping _Nat
+
+instance AWSRequest ListSecrets where
+        type Rs ListSecrets = ListSecretsResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 ListSecretsResponse' <$>
+                   (x .?> "NextToken") <*>
+                     (x .?> "SecretList" .!@ mempty)
+                     <*> (pure (fromEnum s)))
+
+instance Hashable ListSecrets where
+
+instance NFData ListSecrets where
+
+instance ToHeaders ListSecrets where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.ListSecrets" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON ListSecrets where
+        toJSON ListSecrets'{..}
+          = object
+              (catMaybes
+                 [("NextToken" .=) <$> _lsNextToken,
+                  ("MaxResults" .=) <$> _lsMaxResults])
+
+instance ToPath ListSecrets where
+        toPath = const "/"
+
+instance ToQuery ListSecrets where
+        toQuery = const mempty
+
+-- | /See:/ 'listSecretsResponse' smart constructor.
+data ListSecretsResponse = ListSecretsResponse'
+  { _lsrsNextToken      :: !(Maybe Text)
+  , _lsrsSecretList     :: !(Maybe [SecretListEntry])
+  , _lsrsResponseStatus :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'ListSecretsResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'lsrsNextToken' - If present in the response, this value indicates that there's more output available than what's included in the current response. This can occur even when the response includes no values at all, such as when you ask for a filtered view of a very long list. Use this value in the @NextToken@ request parameter in a subsequent call to the operation to continue processing and get the next part of the output. You should repeat this until the @NextToken@ response element comes back empty (as @null@ ).
+--
+-- * 'lsrsSecretList' - A list of the secrets in the account.
+--
+-- * 'lsrsResponseStatus' - -- | The response status code.
+listSecretsResponse
+    :: Int -- ^ 'lsrsResponseStatus'
+    -> ListSecretsResponse
+listSecretsResponse pResponseStatus_ =
+  ListSecretsResponse'
+    { _lsrsNextToken = Nothing
+    , _lsrsSecretList = Nothing
+    , _lsrsResponseStatus = pResponseStatus_
+    }
+
+
+-- | If present in the response, this value indicates that there's more output available than what's included in the current response. This can occur even when the response includes no values at all, such as when you ask for a filtered view of a very long list. Use this value in the @NextToken@ request parameter in a subsequent call to the operation to continue processing and get the next part of the output. You should repeat this until the @NextToken@ response element comes back empty (as @null@ ).
+lsrsNextToken :: Lens' ListSecretsResponse (Maybe Text)
+lsrsNextToken = lens _lsrsNextToken (\ s a -> s{_lsrsNextToken = a})
+
+-- | A list of the secrets in the account.
+lsrsSecretList :: Lens' ListSecretsResponse [SecretListEntry]
+lsrsSecretList = lens _lsrsSecretList (\ s a -> s{_lsrsSecretList = a}) . _Default . _Coerce
+
+-- | -- | The response status code.
+lsrsResponseStatus :: Lens' ListSecretsResponse Int
+lsrsResponseStatus = lens _lsrsResponseStatus (\ s a -> s{_lsrsResponseStatus = a})
+
+instance NFData ListSecretsResponse where
diff --git a/gen/Network/AWS/SecretsManager/PutSecretValue.hs b/gen/Network/AWS/SecretsManager/PutSecretValue.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/PutSecretValue.hs
@@ -0,0 +1,241 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.PutSecretValue
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Stores a new encrypted secret value in the specified secret. To do this, the operation creates a new version and attaches it to the secret. The version can contain a new @SecretString@ value or a new @SecretBinary@ value. You can also specify the staging labels that are initially attached to the new version.
+--
+--
+--     * If this operation creates the first version for the secret then Secrets Manager automatically attaches the staging label @AWSCURRENT@ to the new version.
+--
+--     * If another version of this secret already exists, then this operation does not automatically move any staging labels other than those that you explicitly specify in the @VersionStages@ parameter.
+--
+--     * If this operation moves the staging label @AWSCURRENT@ from another version to this version (because you included it in the @StagingLabels@ parameter) then Secrets Manager also automatically moves the staging label @AWSPREVIOUS@ to the version that @AWSCURRENT@ was removed from.
+--
+--     * This operation is idempotent. If a version with a @SecretVersionId@ with the same value as the @ClientRequestToken@ parameter already exists and you specify the same secret data, the operation succeeds but does nothing. However, if the secret data is different, then the operation fails because you cannot modify an existing version; you can only create new ones.
+--
+--
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:PutSecretValue
+--
+--     * kms:GenerateDataKey - needed only if you use a customer-created KMS key to encrypt the secret. You do not need this permission to use the account's AWS managed CMK for Secrets Manager.
+--
+--     * kms:Encrypt - needed only if you use a customer-created KMS key to encrypt the secret. You do not need this permission to use the account's AWS managed CMK for Secrets Manager.
+--
+--
+--
+-- __Related operations__
+--
+--     * To retrieve the encrypted value you store in the version of a secret, use 'GetSecretValue' .
+--
+--     * To create a secret, use 'CreateSecret' .
+--
+--     * To get the details for a secret, use 'DescribeSecret' .
+--
+--     * To list the versions attached to a secret, use 'ListSecretVersionIds' .
+--
+--
+--
+module Network.AWS.SecretsManager.PutSecretValue
+    (
+    -- * Creating a Request
+      putSecretValue
+    , PutSecretValue
+    -- * Request Lenses
+    , psvVersionStages
+    , psvSecretBinary
+    , psvSecretString
+    , psvClientRequestToken
+    , psvSecretId
+
+    -- * Destructuring the Response
+    , putSecretValueResponse
+    , PutSecretValueResponse
+    -- * Response Lenses
+    , psvrsVersionId
+    , psvrsARN
+    , psvrsVersionStages
+    , psvrsName
+    , psvrsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'putSecretValue' smart constructor.
+data PutSecretValue = PutSecretValue'
+  { _psvVersionStages      :: !(Maybe (List1 Text))
+  , _psvSecretBinary       :: !(Maybe (Sensitive Base64))
+  , _psvSecretString       :: !(Maybe (Sensitive Text))
+  , _psvClientRequestToken :: !(Maybe Text)
+  , _psvSecretId           :: !Text
+  } deriving (Eq, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'PutSecretValue' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'psvVersionStages' - (Optional) Specifies a list of staging labels that are attached to this version of the secret. These staging labels are used to track the versions through the rotation process by the Lambda rotation function. A staging label must be unique to a single version of the secret. If you specify a staging label that's already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value for @VersionStages@ then Secrets Manager automatically moves the staging label @AWSCURRENT@ to this new version.
+--
+-- * 'psvSecretBinary' - (Optional) Specifies binary data that you want to encrypt and store in the new version of the secret. To use this parameter in the command-line tools, we recommend that you store your binary data in a file and then use the appropriate technique for your tool to pass the contents of the file as a parameter. Either @SecretBinary@ or @SecretString@ must have a value, but not both. They cannot both be empty. This parameter is not accessible if the secret using the Secrets Manager console.-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This 'Lens' accepts and returns only raw unencoded data.
+--
+-- * 'psvSecretString' - (Optional) Specifies text data that you want to encrypt and store in this new version of the secret. Either @SecretString@ or @SecretBinary@ must have a value, but not both. They cannot both be empty. If you create this secret by using the Secrets Manager console then Secrets Manager puts the protected secret text in only the @SecretString@ parameter. The Secrets Manager console stores the information as a JSON structure of key/value pairs that the default Lambda rotation function knows how to parse. For storing multiple values, we recommend that you use a JSON text string argument and specify key/value pairs. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ .
+--
+-- * 'psvClientRequestToken' - (Optional) Specifies a unique identifier for the new version of the secret.  This value helps ensure idempotency. Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during the Lambda rotation function's processing. We recommend that you generate a <https://wikipedia.org/wiki/Universally_unique_identifier UUID-type> value to ensure uniqueness within the specified secret.      * If the @ClientRequestToken@ value isn't already associated with a version of the secret then a new version of the secret is created.      * If a version with this value already exists and that version's @SecretString@ or @SecretBinary@ values are the same as those in the request then the request is ignored (the operation is idempotent).      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are different from those in the request then the request fails because you cannot modify an existing secret version. You can only create new versions to store new secret values. This value becomes the @SecretVersionId@ of the new version.
+--
+-- * 'psvSecretId' - Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.
+putSecretValue
+    :: Text -- ^ 'psvSecretId'
+    -> PutSecretValue
+putSecretValue pSecretId_ =
+  PutSecretValue'
+    { _psvVersionStages = Nothing
+    , _psvSecretBinary = Nothing
+    , _psvSecretString = Nothing
+    , _psvClientRequestToken = Nothing
+    , _psvSecretId = pSecretId_
+    }
+
+
+-- | (Optional) Specifies a list of staging labels that are attached to this version of the secret. These staging labels are used to track the versions through the rotation process by the Lambda rotation function. A staging label must be unique to a single version of the secret. If you specify a staging label that's already associated with a different version of the same secret then that staging label is automatically removed from the other version and attached to this version. If you do not specify a value for @VersionStages@ then Secrets Manager automatically moves the staging label @AWSCURRENT@ to this new version.
+psvVersionStages :: Lens' PutSecretValue (Maybe (NonEmpty Text))
+psvVersionStages = lens _psvVersionStages (\ s a -> s{_psvVersionStages = a}) . mapping _List1
+
+-- | (Optional) Specifies binary data that you want to encrypt and store in the new version of the secret. To use this parameter in the command-line tools, we recommend that you store your binary data in a file and then use the appropriate technique for your tool to pass the contents of the file as a parameter. Either @SecretBinary@ or @SecretString@ must have a value, but not both. They cannot both be empty. This parameter is not accessible if the secret using the Secrets Manager console.-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This 'Lens' accepts and returns only raw unencoded data.
+psvSecretBinary :: Lens' PutSecretValue (Maybe ByteString)
+psvSecretBinary = lens _psvSecretBinary (\ s a -> s{_psvSecretBinary = a}) . mapping (_Sensitive . _Base64)
+
+-- | (Optional) Specifies text data that you want to encrypt and store in this new version of the secret. Either @SecretString@ or @SecretBinary@ must have a value, but not both. They cannot both be empty. If you create this secret by using the Secrets Manager console then Secrets Manager puts the protected secret text in only the @SecretString@ parameter. The Secrets Manager console stores the information as a JSON structure of key/value pairs that the default Lambda rotation function knows how to parse. For storing multiple values, we recommend that you use a JSON text string argument and specify key/value pairs. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ .
+psvSecretString :: Lens' PutSecretValue (Maybe Text)
+psvSecretString = lens _psvSecretString (\ s a -> s{_psvSecretString = a}) . mapping _Sensitive
+
+-- | (Optional) Specifies a unique identifier for the new version of the secret.  This value helps ensure idempotency. Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during the Lambda rotation function's processing. We recommend that you generate a <https://wikipedia.org/wiki/Universally_unique_identifier UUID-type> value to ensure uniqueness within the specified secret.      * If the @ClientRequestToken@ value isn't already associated with a version of the secret then a new version of the secret is created.      * If a version with this value already exists and that version's @SecretString@ or @SecretBinary@ values are the same as those in the request then the request is ignored (the operation is idempotent).      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are different from those in the request then the request fails because you cannot modify an existing secret version. You can only create new versions to store new secret values. This value becomes the @SecretVersionId@ of the new version.
+psvClientRequestToken :: Lens' PutSecretValue (Maybe Text)
+psvClientRequestToken = lens _psvClientRequestToken (\ s a -> s{_psvClientRequestToken = a})
+
+-- | Specifies the secret to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret. The secret must already exist.
+psvSecretId :: Lens' PutSecretValue Text
+psvSecretId = lens _psvSecretId (\ s a -> s{_psvSecretId = a})
+
+instance AWSRequest PutSecretValue where
+        type Rs PutSecretValue = PutSecretValueResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 PutSecretValueResponse' <$>
+                   (x .?> "VersionId") <*> (x .?> "ARN") <*>
+                     (x .?> "VersionStages")
+                     <*> (x .?> "Name")
+                     <*> (pure (fromEnum s)))
+
+instance Hashable PutSecretValue where
+
+instance NFData PutSecretValue where
+
+instance ToHeaders PutSecretValue where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.PutSecretValue" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON PutSecretValue where
+        toJSON PutSecretValue'{..}
+          = object
+              (catMaybes
+                 [("VersionStages" .=) <$> _psvVersionStages,
+                  ("SecretBinary" .=) <$> _psvSecretBinary,
+                  ("SecretString" .=) <$> _psvSecretString,
+                  ("ClientRequestToken" .=) <$> _psvClientRequestToken,
+                  Just ("SecretId" .= _psvSecretId)])
+
+instance ToPath PutSecretValue where
+        toPath = const "/"
+
+instance ToQuery PutSecretValue where
+        toQuery = const mempty
+
+-- | /See:/ 'putSecretValueResponse' smart constructor.
+data PutSecretValueResponse = PutSecretValueResponse'
+  { _psvrsVersionId      :: !(Maybe Text)
+  , _psvrsARN            :: !(Maybe Text)
+  , _psvrsVersionStages  :: !(Maybe (List1 Text))
+  , _psvrsName           :: !(Maybe Text)
+  , _psvrsResponseStatus :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'PutSecretValueResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'psvrsVersionId' - The unique identifier of the version of the secret you just created or updated.
+--
+-- * 'psvrsARN' - The Amazon Resource Name (ARN) for the secret for which you just created a version.
+--
+-- * 'psvrsVersionStages' - The list of staging labels that are currently attached to this version of the secret. Staging labels are used to track a version as it progresses through the secret rotation process.
+--
+-- * 'psvrsName' - The friendly name of the secret for which you just created or updated a version.
+--
+-- * 'psvrsResponseStatus' - -- | The response status code.
+putSecretValueResponse
+    :: Int -- ^ 'psvrsResponseStatus'
+    -> PutSecretValueResponse
+putSecretValueResponse pResponseStatus_ =
+  PutSecretValueResponse'
+    { _psvrsVersionId = Nothing
+    , _psvrsARN = Nothing
+    , _psvrsVersionStages = Nothing
+    , _psvrsName = Nothing
+    , _psvrsResponseStatus = pResponseStatus_
+    }
+
+
+-- | The unique identifier of the version of the secret you just created or updated.
+psvrsVersionId :: Lens' PutSecretValueResponse (Maybe Text)
+psvrsVersionId = lens _psvrsVersionId (\ s a -> s{_psvrsVersionId = a})
+
+-- | The Amazon Resource Name (ARN) for the secret for which you just created a version.
+psvrsARN :: Lens' PutSecretValueResponse (Maybe Text)
+psvrsARN = lens _psvrsARN (\ s a -> s{_psvrsARN = a})
+
+-- | The list of staging labels that are currently attached to this version of the secret. Staging labels are used to track a version as it progresses through the secret rotation process.
+psvrsVersionStages :: Lens' PutSecretValueResponse (Maybe (NonEmpty Text))
+psvrsVersionStages = lens _psvrsVersionStages (\ s a -> s{_psvrsVersionStages = a}) . mapping _List1
+
+-- | The friendly name of the secret for which you just created or updated a version.
+psvrsName :: Lens' PutSecretValueResponse (Maybe Text)
+psvrsName = lens _psvrsName (\ s a -> s{_psvrsName = a})
+
+-- | -- | The response status code.
+psvrsResponseStatus :: Lens' PutSecretValueResponse Int
+psvrsResponseStatus = lens _psvrsResponseStatus (\ s a -> s{_psvrsResponseStatus = a})
+
+instance NFData PutSecretValueResponse where
diff --git a/gen/Network/AWS/SecretsManager/RestoreSecret.hs b/gen/Network/AWS/SecretsManager/RestoreSecret.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/RestoreSecret.hs
@@ -0,0 +1,157 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.RestoreSecret
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Cancels the scheduled deletion of a secret by removing the @DeletedDate@ time stamp. This makes the secret accessible to query once again.
+--
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:RestoreSecret
+--
+--
+--
+-- __Related operations__
+--
+--     * To delete a secret, use 'DeleteSecret' .
+--
+--
+--
+module Network.AWS.SecretsManager.RestoreSecret
+    (
+    -- * Creating a Request
+      restoreSecret
+    , RestoreSecret
+    -- * Request Lenses
+    , rSecretId
+
+    -- * Destructuring the Response
+    , restoreSecretResponse
+    , RestoreSecretResponse
+    -- * Response Lenses
+    , rrsARN
+    , rrsName
+    , rrsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'restoreSecret' smart constructor.
+newtype RestoreSecret = RestoreSecret'
+  { _rSecretId :: Text
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'RestoreSecret' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'rSecretId' - Specifies the secret that you want to restore from a previously scheduled deletion. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+restoreSecret
+    :: Text -- ^ 'rSecretId'
+    -> RestoreSecret
+restoreSecret pSecretId_ = RestoreSecret' {_rSecretId = pSecretId_}
+
+
+-- | Specifies the secret that you want to restore from a previously scheduled deletion. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+rSecretId :: Lens' RestoreSecret Text
+rSecretId = lens _rSecretId (\ s a -> s{_rSecretId = a})
+
+instance AWSRequest RestoreSecret where
+        type Rs RestoreSecret = RestoreSecretResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 RestoreSecretResponse' <$>
+                   (x .?> "ARN") <*> (x .?> "Name") <*>
+                     (pure (fromEnum s)))
+
+instance Hashable RestoreSecret where
+
+instance NFData RestoreSecret where
+
+instance ToHeaders RestoreSecret where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.RestoreSecret" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON RestoreSecret where
+        toJSON RestoreSecret'{..}
+          = object
+              (catMaybes [Just ("SecretId" .= _rSecretId)])
+
+instance ToPath RestoreSecret where
+        toPath = const "/"
+
+instance ToQuery RestoreSecret where
+        toQuery = const mempty
+
+-- | /See:/ 'restoreSecretResponse' smart constructor.
+data RestoreSecretResponse = RestoreSecretResponse'
+  { _rrsARN            :: !(Maybe Text)
+  , _rrsName           :: !(Maybe Text)
+  , _rrsResponseStatus :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'RestoreSecretResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'rrsARN' - The ARN of the secret that was restored.
+--
+-- * 'rrsName' - The friendly name of the secret that was restored.
+--
+-- * 'rrsResponseStatus' - -- | The response status code.
+restoreSecretResponse
+    :: Int -- ^ 'rrsResponseStatus'
+    -> RestoreSecretResponse
+restoreSecretResponse pResponseStatus_ =
+  RestoreSecretResponse'
+    { _rrsARN = Nothing
+    , _rrsName = Nothing
+    , _rrsResponseStatus = pResponseStatus_
+    }
+
+
+-- | The ARN of the secret that was restored.
+rrsARN :: Lens' RestoreSecretResponse (Maybe Text)
+rrsARN = lens _rrsARN (\ s a -> s{_rrsARN = a})
+
+-- | The friendly name of the secret that was restored.
+rrsName :: Lens' RestoreSecretResponse (Maybe Text)
+rrsName = lens _rrsName (\ s a -> s{_rrsName = a})
+
+-- | -- | The response status code.
+rrsResponseStatus :: Lens' RestoreSecretResponse Int
+rrsResponseStatus = lens _rrsResponseStatus (\ s a -> s{_rrsResponseStatus = a})
+
+instance NFData RestoreSecretResponse where
diff --git a/gen/Network/AWS/SecretsManager/RotateSecret.hs b/gen/Network/AWS/SecretsManager/RotateSecret.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/RotateSecret.hs
@@ -0,0 +1,221 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.RotateSecret
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Configures and starts the asynchronous process of rotating this secret. If you include the configuration parameters, the operation sets those values for the secret and then immediately starts a rotation. If you do not include the configuration parameters, the operation starts a rotation with the values already stored in the secret. After the rotation completes, the protected service and its clients all use the new version of the secret.
+--
+--
+-- This required configuration information includes the ARN of an AWS Lambda function and the time between scheduled rotations. The Lambda rotation function creates a new version of the secret and creates or updates the credentials on the protected service to match. After testing the new credentials, the function marks the new secret with the staging label @AWSCURRENT@ so that your clients all immediately begin to use the new version. For more information about rotating secrets and how to configure a Lambda function to rotate the secrets for your protected service, see <http://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html Rotating Secrets in AWS Secrets Manager> in the /AWS Secrets Manager User Guide/ .
+--
+-- The rotation function must end with the versions of the secret in one of two states:
+--
+--     * The @AWSPENDING@ and @AWSCURRENT@ staging labels are attached to the same version of the secret, or
+--
+--     * The @AWSPENDING@ staging label is not attached to any version of the secret.
+--
+--
+--
+-- If instead the @AWSPENDING@ staging label is present but is not attached to the same version as @AWSCURRENT@ then any later invocation of @RotateSecret@ assumes that a previous rotation request is still in progress and returns an error.
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:RotateSecret
+--
+--     * lambda:InvokeFunction (on the function specified in the secret's metadata)
+--
+--
+--
+-- __Related operations__
+--
+--     * To list the secrets in your account, use 'ListSecrets' .
+--
+--     * To get the details for a version of a secret, use 'DescribeSecret' .
+--
+--     * To create a new version of a secret, use 'CreateSecret' .
+--
+--     * To attach staging labels to or remove staging labels from a version of a secret, use 'UpdateSecretVersionStage' .
+--
+--
+--
+module Network.AWS.SecretsManager.RotateSecret
+    (
+    -- * Creating a Request
+      rotateSecret
+    , RotateSecret
+    -- * Request Lenses
+    , rsRotationRules
+    , rsClientRequestToken
+    , rsRotationLambdaARN
+    , rsSecretId
+
+    -- * Destructuring the Response
+    , rotateSecretResponse
+    , RotateSecretResponse
+    -- * Response Lenses
+    , rsrsVersionId
+    , rsrsARN
+    , rsrsName
+    , rsrsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'rotateSecret' smart constructor.
+data RotateSecret = RotateSecret'
+  { _rsRotationRules      :: !(Maybe RotationRulesType)
+  , _rsClientRequestToken :: !(Maybe Text)
+  , _rsRotationLambdaARN  :: !(Maybe Text)
+  , _rsSecretId           :: !Text
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'RotateSecret' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'rsRotationRules' - A structure that defines the rotation configuration for this secret.
+--
+-- * 'rsClientRequestToken' - (Optional) Specifies a unique identifier for the new version of the secret that helps ensure idempotency.  If you use the AWS CLI or one of the AWS SDK to call this operation, then you can leave this parameter empty. The CLI or SDK generates a random UUID for you and includes that in the request for this parameter. If you don't use the SDK and instead generate a raw HTTP request to the Secrets Manager service endpoint, then you must generate a @ClientRequestToken@ yourself for new versions and include that value in the request. You only need to specify your own value if you are implementing your own retry logic and want to ensure that a given secret is not created twice. We recommend that you generate a <https://wikipedia.org/wiki/Universally_unique_identifier UUID-type> value to ensure uniqueness within the specified secret.  Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during the function's processing.     * If the @ClientRequestToken@ value isn't already associated with a version of the secret then a new version of the secret is created.      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are the same as the request, then the request is ignored (the operation is idempotent).      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are different from the request then an error occurs because you cannot modify an existing secret value. This value becomes the @SecretVersionId@ of the new version.
+--
+-- * 'rsRotationLambdaARN' - (Optional) Specifies the ARN of the Lambda function that can rotate the secret.
+--
+-- * 'rsSecretId' - Specifies the secret that you want to rotate. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+rotateSecret
+    :: Text -- ^ 'rsSecretId'
+    -> RotateSecret
+rotateSecret pSecretId_ =
+  RotateSecret'
+    { _rsRotationRules = Nothing
+    , _rsClientRequestToken = Nothing
+    , _rsRotationLambdaARN = Nothing
+    , _rsSecretId = pSecretId_
+    }
+
+
+-- | A structure that defines the rotation configuration for this secret.
+rsRotationRules :: Lens' RotateSecret (Maybe RotationRulesType)
+rsRotationRules = lens _rsRotationRules (\ s a -> s{_rsRotationRules = a})
+
+-- | (Optional) Specifies a unique identifier for the new version of the secret that helps ensure idempotency.  If you use the AWS CLI or one of the AWS SDK to call this operation, then you can leave this parameter empty. The CLI or SDK generates a random UUID for you and includes that in the request for this parameter. If you don't use the SDK and instead generate a raw HTTP request to the Secrets Manager service endpoint, then you must generate a @ClientRequestToken@ yourself for new versions and include that value in the request. You only need to specify your own value if you are implementing your own retry logic and want to ensure that a given secret is not created twice. We recommend that you generate a <https://wikipedia.org/wiki/Universally_unique_identifier UUID-type> value to ensure uniqueness within the specified secret.  Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during the function's processing.     * If the @ClientRequestToken@ value isn't already associated with a version of the secret then a new version of the secret is created.      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are the same as the request, then the request is ignored (the operation is idempotent).      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are different from the request then an error occurs because you cannot modify an existing secret value. This value becomes the @SecretVersionId@ of the new version.
+rsClientRequestToken :: Lens' RotateSecret (Maybe Text)
+rsClientRequestToken = lens _rsClientRequestToken (\ s a -> s{_rsClientRequestToken = a})
+
+-- | (Optional) Specifies the ARN of the Lambda function that can rotate the secret.
+rsRotationLambdaARN :: Lens' RotateSecret (Maybe Text)
+rsRotationLambdaARN = lens _rsRotationLambdaARN (\ s a -> s{_rsRotationLambdaARN = a})
+
+-- | Specifies the secret that you want to rotate. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+rsSecretId :: Lens' RotateSecret Text
+rsSecretId = lens _rsSecretId (\ s a -> s{_rsSecretId = a})
+
+instance AWSRequest RotateSecret where
+        type Rs RotateSecret = RotateSecretResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 RotateSecretResponse' <$>
+                   (x .?> "VersionId") <*> (x .?> "ARN") <*>
+                     (x .?> "Name")
+                     <*> (pure (fromEnum s)))
+
+instance Hashable RotateSecret where
+
+instance NFData RotateSecret where
+
+instance ToHeaders RotateSecret where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.RotateSecret" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON RotateSecret where
+        toJSON RotateSecret'{..}
+          = object
+              (catMaybes
+                 [("RotationRules" .=) <$> _rsRotationRules,
+                  ("ClientRequestToken" .=) <$> _rsClientRequestToken,
+                  ("RotationLambdaARN" .=) <$> _rsRotationLambdaARN,
+                  Just ("SecretId" .= _rsSecretId)])
+
+instance ToPath RotateSecret where
+        toPath = const "/"
+
+instance ToQuery RotateSecret where
+        toQuery = const mempty
+
+-- | /See:/ 'rotateSecretResponse' smart constructor.
+data RotateSecretResponse = RotateSecretResponse'
+  { _rsrsVersionId      :: !(Maybe Text)
+  , _rsrsARN            :: !(Maybe Text)
+  , _rsrsName           :: !(Maybe Text)
+  , _rsrsResponseStatus :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'RotateSecretResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'rsrsVersionId' - The ID of the new version of the secret created by the rotation started by this request.
+--
+-- * 'rsrsARN' - The ARN of the secret.
+--
+-- * 'rsrsName' - The friendly name of the secret.
+--
+-- * 'rsrsResponseStatus' - -- | The response status code.
+rotateSecretResponse
+    :: Int -- ^ 'rsrsResponseStatus'
+    -> RotateSecretResponse
+rotateSecretResponse pResponseStatus_ =
+  RotateSecretResponse'
+    { _rsrsVersionId = Nothing
+    , _rsrsARN = Nothing
+    , _rsrsName = Nothing
+    , _rsrsResponseStatus = pResponseStatus_
+    }
+
+
+-- | The ID of the new version of the secret created by the rotation started by this request.
+rsrsVersionId :: Lens' RotateSecretResponse (Maybe Text)
+rsrsVersionId = lens _rsrsVersionId (\ s a -> s{_rsrsVersionId = a})
+
+-- | The ARN of the secret.
+rsrsARN :: Lens' RotateSecretResponse (Maybe Text)
+rsrsARN = lens _rsrsARN (\ s a -> s{_rsrsARN = a})
+
+-- | The friendly name of the secret.
+rsrsName :: Lens' RotateSecretResponse (Maybe Text)
+rsrsName = lens _rsrsName (\ s a -> s{_rsrsName = a})
+
+-- | -- | The response status code.
+rsrsResponseStatus :: Lens' RotateSecretResponse Int
+rsrsResponseStatus = lens _rsrsResponseStatus (\ s a -> s{_rsrsResponseStatus = a})
+
+instance NFData RotateSecretResponse where
diff --git a/gen/Network/AWS/SecretsManager/TagResource.hs b/gen/Network/AWS/SecretsManager/TagResource.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/TagResource.hs
@@ -0,0 +1,152 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.TagResource
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Attaches one or more tags, each consisting of a key name and a value, to the specified secret. Tags are part of the secret's overall metadata, and are not associated with any specific version of the secret. This operation only appends tags to the existing list of tags. To remove tags, you must use 'UntagResource' .
+--
+--
+-- The following basic restrictions apply to tags:
+--
+--     * Maximum number of tags per secret—50
+--
+--     * Maximum key length—127 Unicode characters in UTF-8
+--
+--     * Maximum value length—255 Unicode characters in UTF-8
+--
+--     * Tag keys and values are case sensitive.
+--
+--     * Do not use the @aws:@ prefix in your tag names or values because it is reserved for AWS use. You can't edit or delete tag names or values with this prefix. Tags with this prefix do not count against your tags per secret limit.
+--
+--     * If your tagging schema will be used across multiple services and resources, remember that other services might have restrictions on allowed characters. Generally allowed characters are: letters, spaces, and numbers representable in UTF-8, plus the following special characters: + - = . _ : / @.
+--
+--
+--
+-- /Important:/ If you use tags as part of your security strategy, then adding or removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:TagResource
+--
+--
+--
+-- __Related operations__
+--
+--     * To remove one or more tags from the collection attached to a secret, use 'UntagResource' .
+--
+--     * To view the list of tags attached to a secret, use 'DescribeSecret' .
+--
+--
+--
+module Network.AWS.SecretsManager.TagResource
+    (
+    -- * Creating a Request
+      tagResource
+    , TagResource
+    -- * Request Lenses
+    , trSecretId
+    , trTags
+
+    -- * Destructuring the Response
+    , tagResourceResponse
+    , TagResourceResponse
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'tagResource' smart constructor.
+data TagResource = TagResource'
+  { _trSecretId :: !Text
+  , _trTags     :: ![Tag]
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'TagResource' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'trSecretId' - The identifier for the secret that you want to attach tags to. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+--
+-- * 'trTags' - The tags to attach to the secret. Each element in the list consists of a @Key@ and a @Value@ . This parameter to the API requires a JSON text string argument. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ . For the AWS CLI, you can also use the syntax: @--Tags Key="Key1",Value="Value1",Key="Key2",Value="Value2"[,…]@
+tagResource
+    :: Text -- ^ 'trSecretId'
+    -> TagResource
+tagResource pSecretId_ =
+  TagResource' {_trSecretId = pSecretId_, _trTags = mempty}
+
+
+-- | The identifier for the secret that you want to attach tags to. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+trSecretId :: Lens' TagResource Text
+trSecretId = lens _trSecretId (\ s a -> s{_trSecretId = a})
+
+-- | The tags to attach to the secret. Each element in the list consists of a @Key@ and a @Value@ . This parameter to the API requires a JSON text string argument. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ . For the AWS CLI, you can also use the syntax: @--Tags Key="Key1",Value="Value1",Key="Key2",Value="Value2"[,…]@
+trTags :: Lens' TagResource [Tag]
+trTags = lens _trTags (\ s a -> s{_trTags = a}) . _Coerce
+
+instance AWSRequest TagResource where
+        type Rs TagResource = TagResourceResponse
+        request = postJSON secretsManager
+        response = receiveNull TagResourceResponse'
+
+instance Hashable TagResource where
+
+instance NFData TagResource where
+
+instance ToHeaders TagResource where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.TagResource" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON TagResource where
+        toJSON TagResource'{..}
+          = object
+              (catMaybes
+                 [Just ("SecretId" .= _trSecretId),
+                  Just ("Tags" .= _trTags)])
+
+instance ToPath TagResource where
+        toPath = const "/"
+
+instance ToQuery TagResource where
+        toQuery = const mempty
+
+-- | /See:/ 'tagResourceResponse' smart constructor.
+data TagResourceResponse =
+  TagResourceResponse'
+  deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'TagResourceResponse' with the minimum fields required to make a request.
+--
+tagResourceResponse
+    :: TagResourceResponse
+tagResourceResponse = TagResourceResponse'
+
+
+instance NFData TagResourceResponse where
diff --git a/gen/Network/AWS/SecretsManager/Types.hs b/gen/Network/AWS/SecretsManager/Types.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/Types.hs
@@ -0,0 +1,187 @@
+{-# LANGUAGE OverloadedStrings #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.Types
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Network.AWS.SecretsManager.Types
+    (
+    -- * Service Configuration
+      secretsManager
+
+    -- * Errors
+    , _MalformedPolicyDocumentException
+    , _InvalidParameterException
+    , _InvalidRequestException
+    , _DecryptionFailure
+    , _EncryptionFailure
+    , _InvalidNextTokenException
+    , _InternalServiceError
+    , _ResourceExistsException
+    , _ResourceNotFoundException
+    , _LimitExceededException
+
+    -- * RotationRulesType
+    , RotationRulesType
+    , rotationRulesType
+    , rrtAutomaticallyAfterDays
+
+    -- * SecretListEntry
+    , SecretListEntry
+    , secretListEntry
+    , sleLastChangedDate
+    , sleARN
+    , sleSecretVersionsToStages
+    , sleRotationRules
+    , sleDeletedDate
+    , sleRotationEnabled
+    , sleKMSKeyId
+    , sleName
+    , sleLastRotatedDate
+    , sleLastAccessedDate
+    , sleDescription
+    , sleRotationLambdaARN
+    , sleTags
+
+    -- * SecretVersionsListEntry
+    , SecretVersionsListEntry
+    , secretVersionsListEntry
+    , svleVersionId
+    , svleVersionStages
+    , svleCreatedDate
+    , svleLastAccessedDate
+
+    -- * Tag
+    , Tag
+    , tag
+    , tagValue
+    , tagKey
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.SecretsManager.Types.Product
+import Network.AWS.SecretsManager.Types.Sum
+import Network.AWS.Sign.V4
+
+-- | API version @2017-10-17@ of the Amazon Secrets Manager SDK configuration.
+secretsManager :: Service
+secretsManager =
+  Service
+    { _svcAbbrev = "SecretsManager"
+    , _svcSigner = v4
+    , _svcPrefix = "secretsmanager"
+    , _svcVersion = "2017-10-17"
+    , _svcEndpoint = defaultEndpoint secretsManager
+    , _svcTimeout = Just 70
+    , _svcCheck = statusSuccess
+    , _svcError = parseJSONError "SecretsManager"
+    , _svcRetry = retry
+    }
+  where
+    retry =
+      Exponential
+        { _retryBase = 5.0e-2
+        , _retryGrowth = 2
+        , _retryAttempts = 5
+        , _retryCheck = check
+        }
+    check e
+      | has (hasCode "ThrottledException" . hasStatus 400) e =
+        Just "throttled_exception"
+      | has (hasStatus 429) e = Just "too_many_requests"
+      | has (hasCode "ThrottlingException" . hasStatus 400) e =
+        Just "throttling_exception"
+      | has (hasCode "Throttling" . hasStatus 400) e = Just "throttling"
+      | has (hasStatus 504) e = Just "gateway_timeout"
+      | has (hasCode "RequestThrottledException" . hasStatus 400) e =
+        Just "request_throttled_exception"
+      | has (hasStatus 502) e = Just "bad_gateway"
+      | has (hasStatus 503) e = Just "service_unavailable"
+      | has (hasStatus 500) e = Just "general_server_error"
+      | has (hasStatus 509) e = Just "limit_exceeded"
+      | otherwise = Nothing
+
+
+-- | The policy document that you provided isn't valid.
+--
+--
+_MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError
+_MalformedPolicyDocumentException =
+  _MatchServiceError secretsManager "MalformedPolicyDocumentException"
+
+
+-- | You provided an invalid value for a parameter.
+--
+--
+_InvalidParameterException :: AsError a => Getting (First ServiceError) a ServiceError
+_InvalidParameterException =
+  _MatchServiceError secretsManager "InvalidParameterException"
+
+
+-- | You provided a parameter value that is not valid for the current state of the resource. For example, if you try to enable rotation on a secret, you must already have a Lambda function ARN configured or included as a parameter in this call.
+--
+--
+_InvalidRequestException :: AsError a => Getting (First ServiceError) a ServiceError
+_InvalidRequestException =
+  _MatchServiceError secretsManager "InvalidRequestException"
+
+
+-- | Secrets Manager can't decrypt the protected secret text using the provided KMS key.
+--
+--
+_DecryptionFailure :: AsError a => Getting (First ServiceError) a ServiceError
+_DecryptionFailure = _MatchServiceError secretsManager "DecryptionFailure"
+
+
+-- | Secrets Manager can't encrypt the protected secret text using the provided KMS key. Check that the customer master key (CMK) is available, enabled, and not in an invalid state. For more information, see <http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html How Key State Affects Use of a Customer Master Key> .
+--
+--
+_EncryptionFailure :: AsError a => Getting (First ServiceError) a ServiceError
+_EncryptionFailure = _MatchServiceError secretsManager "EncryptionFailure"
+
+
+-- | You provided an invalid @NextToken@ value.
+--
+--
+_InvalidNextTokenException :: AsError a => Getting (First ServiceError) a ServiceError
+_InvalidNextTokenException =
+  _MatchServiceError secretsManager "InvalidNextTokenException"
+
+
+-- | An error occurred on the server side.
+--
+--
+_InternalServiceError :: AsError a => Getting (First ServiceError) a ServiceError
+_InternalServiceError = _MatchServiceError secretsManager "InternalServiceError"
+
+
+-- | A resource with the ID you requested already exists.
+--
+--
+_ResourceExistsException :: AsError a => Getting (First ServiceError) a ServiceError
+_ResourceExistsException =
+  _MatchServiceError secretsManager "ResourceExistsException"
+
+
+-- | We can't find the resource that you asked for.
+--
+--
+_ResourceNotFoundException :: AsError a => Getting (First ServiceError) a ServiceError
+_ResourceNotFoundException =
+  _MatchServiceError secretsManager "ResourceNotFoundException"
+
+
+-- | The request failed because it would exceed one of the Secrets Manager internal limits.
+--
+--
+_LimitExceededException :: AsError a => Getting (First ServiceError) a ServiceError
+_LimitExceededException =
+  _MatchServiceError secretsManager "LimitExceededException"
+
diff --git a/gen/Network/AWS/SecretsManager/Types/Product.hs b/gen/Network/AWS/SecretsManager/Types/Product.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/Types/Product.hs
@@ -0,0 +1,319 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.Types.Product
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Network.AWS.SecretsManager.Types.Product where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.SecretsManager.Types.Sum
+
+-- | A structure that defines the rotation configuration for the secret.
+--
+--
+--
+-- /See:/ 'rotationRulesType' smart constructor.
+newtype RotationRulesType = RotationRulesType'
+  { _rrtAutomaticallyAfterDays :: Maybe Nat
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'RotationRulesType' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'rrtAutomaticallyAfterDays' - Specifies the number of days between automatic scheduled rotations of the secret.
+rotationRulesType
+    :: RotationRulesType
+rotationRulesType = RotationRulesType' {_rrtAutomaticallyAfterDays = Nothing}
+
+
+-- | Specifies the number of days between automatic scheduled rotations of the secret.
+rrtAutomaticallyAfterDays :: Lens' RotationRulesType (Maybe Natural)
+rrtAutomaticallyAfterDays = lens _rrtAutomaticallyAfterDays (\ s a -> s{_rrtAutomaticallyAfterDays = a}) . mapping _Nat
+
+instance FromJSON RotationRulesType where
+        parseJSON
+          = withObject "RotationRulesType"
+              (\ x ->
+                 RotationRulesType' <$>
+                   (x .:? "AutomaticallyAfterDays"))
+
+instance Hashable RotationRulesType where
+
+instance NFData RotationRulesType where
+
+instance ToJSON RotationRulesType where
+        toJSON RotationRulesType'{..}
+          = object
+              (catMaybes
+                 [("AutomaticallyAfterDays" .=) <$>
+                    _rrtAutomaticallyAfterDays])
+
+-- | A structure that contains the details about a secret. It does not include the encrypted @SecretString@ and @SecretBinary@ values. To get those values, use the 'GetSecretValue' operation.
+--
+--
+--
+-- /See:/ 'secretListEntry' smart constructor.
+data SecretListEntry = SecretListEntry'
+  { _sleLastChangedDate        :: !(Maybe POSIX)
+  , _sleARN                    :: !(Maybe Text)
+  , _sleSecretVersionsToStages :: !(Maybe (Map Text (List1 Text)))
+  , _sleRotationRules          :: !(Maybe RotationRulesType)
+  , _sleDeletedDate            :: !(Maybe POSIX)
+  , _sleRotationEnabled        :: !(Maybe Bool)
+  , _sleKMSKeyId               :: !(Maybe Text)
+  , _sleName                   :: !(Maybe Text)
+  , _sleLastRotatedDate        :: !(Maybe POSIX)
+  , _sleLastAccessedDate       :: !(Maybe POSIX)
+  , _sleDescription            :: !(Maybe Text)
+  , _sleRotationLambdaARN      :: !(Maybe Text)
+  , _sleTags                   :: !(Maybe [Tag])
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'SecretListEntry' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'sleLastChangedDate' - The last date and time that this secret was modified in any way.
+--
+-- * 'sleARN' - The Amazon Resource Name (ARN) of the secret. For more information about ARNs in Secrets Manager, see <http://docs.aws.amazon.com/http:/docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#iam-resources Policy Resources> in the /AWS Secrets Manager User Guide/ .
+--
+-- * 'sleSecretVersionsToStages' - A list of all of the currently assigned @SecretVersionStage@ staging labels and the @SecretVersionId@ that each is attached to. Staging labels are used to keep track of the different versions during the rotation process.
+--
+-- * 'sleRotationRules' - A structure that defines the rotation configuration for the secret.
+--
+-- * 'sleDeletedDate' - The date and time on which this secret was deleted. Not present on active secrets. The secret can be recovered until the number of days in the recovery window has passed, as specified in the @RecoveryWindowInDays@ parameter of the 'DeleteSecret' operation.
+--
+-- * 'sleRotationEnabled' - Indicated whether automatic, scheduled rotation is enabled for this secret.
+--
+-- * 'sleKMSKeyId' - The ARN or alias of the AWS KMS customer master key (CMK) that's used to encrypt the @SecretString@ and @SecretBinary@ fields in each version of the secret. If you don't provide a key, then Secrets Manager defaults to encrypting the secret fields with the default KMS CMK (the one named @awssecretsmanager@ ) for this account.
+--
+-- * 'sleName' - The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. For example, @/prod/databases/dbserver1@ could represent the secret for a server named @dbserver1@ in the folder @databases@ in the folder @prod@ .
+--
+-- * 'sleLastRotatedDate' - The last date and time that the rotation process for this secret was invoked.
+--
+-- * 'sleLastAccessedDate' - The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time.
+--
+-- * 'sleDescription' - The user-provided description of the secret.
+--
+-- * 'sleRotationLambdaARN' - The ARN of an AWS Lambda function that's invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to 'RotateSecret' .
+--
+-- * 'sleTags' - The list of user-defined tags that are associated with the secret. To add tags to a secret, use 'TagResource' . To remove tags, use 'UntagResource' .
+secretListEntry
+    :: SecretListEntry
+secretListEntry =
+  SecretListEntry'
+    { _sleLastChangedDate = Nothing
+    , _sleARN = Nothing
+    , _sleSecretVersionsToStages = Nothing
+    , _sleRotationRules = Nothing
+    , _sleDeletedDate = Nothing
+    , _sleRotationEnabled = Nothing
+    , _sleKMSKeyId = Nothing
+    , _sleName = Nothing
+    , _sleLastRotatedDate = Nothing
+    , _sleLastAccessedDate = Nothing
+    , _sleDescription = Nothing
+    , _sleRotationLambdaARN = Nothing
+    , _sleTags = Nothing
+    }
+
+
+-- | The last date and time that this secret was modified in any way.
+sleLastChangedDate :: Lens' SecretListEntry (Maybe UTCTime)
+sleLastChangedDate = lens _sleLastChangedDate (\ s a -> s{_sleLastChangedDate = a}) . mapping _Time
+
+-- | The Amazon Resource Name (ARN) of the secret. For more information about ARNs in Secrets Manager, see <http://docs.aws.amazon.com/http:/docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#iam-resources Policy Resources> in the /AWS Secrets Manager User Guide/ .
+sleARN :: Lens' SecretListEntry (Maybe Text)
+sleARN = lens _sleARN (\ s a -> s{_sleARN = a})
+
+-- | A list of all of the currently assigned @SecretVersionStage@ staging labels and the @SecretVersionId@ that each is attached to. Staging labels are used to keep track of the different versions during the rotation process.
+sleSecretVersionsToStages :: Lens' SecretListEntry (HashMap Text (NonEmpty Text))
+sleSecretVersionsToStages = lens _sleSecretVersionsToStages (\ s a -> s{_sleSecretVersionsToStages = a}) . _Default . _Map
+
+-- | A structure that defines the rotation configuration for the secret.
+sleRotationRules :: Lens' SecretListEntry (Maybe RotationRulesType)
+sleRotationRules = lens _sleRotationRules (\ s a -> s{_sleRotationRules = a})
+
+-- | The date and time on which this secret was deleted. Not present on active secrets. The secret can be recovered until the number of days in the recovery window has passed, as specified in the @RecoveryWindowInDays@ parameter of the 'DeleteSecret' operation.
+sleDeletedDate :: Lens' SecretListEntry (Maybe UTCTime)
+sleDeletedDate = lens _sleDeletedDate (\ s a -> s{_sleDeletedDate = a}) . mapping _Time
+
+-- | Indicated whether automatic, scheduled rotation is enabled for this secret.
+sleRotationEnabled :: Lens' SecretListEntry (Maybe Bool)
+sleRotationEnabled = lens _sleRotationEnabled (\ s a -> s{_sleRotationEnabled = a})
+
+-- | The ARN or alias of the AWS KMS customer master key (CMK) that's used to encrypt the @SecretString@ and @SecretBinary@ fields in each version of the secret. If you don't provide a key, then Secrets Manager defaults to encrypting the secret fields with the default KMS CMK (the one named @awssecretsmanager@ ) for this account.
+sleKMSKeyId :: Lens' SecretListEntry (Maybe Text)
+sleKMSKeyId = lens _sleKMSKeyId (\ s a -> s{_sleKMSKeyId = a})
+
+-- | The friendly name of the secret. You can use forward slashes in the name to represent a path hierarchy. For example, @/prod/databases/dbserver1@ could represent the secret for a server named @dbserver1@ in the folder @databases@ in the folder @prod@ .
+sleName :: Lens' SecretListEntry (Maybe Text)
+sleName = lens _sleName (\ s a -> s{_sleName = a})
+
+-- | The last date and time that the rotation process for this secret was invoked.
+sleLastRotatedDate :: Lens' SecretListEntry (Maybe UTCTime)
+sleLastRotatedDate = lens _sleLastRotatedDate (\ s a -> s{_sleLastRotatedDate = a}) . mapping _Time
+
+-- | The last date that this secret was accessed. This value is truncated to midnight of the date and therefore shows only the date, not the time.
+sleLastAccessedDate :: Lens' SecretListEntry (Maybe UTCTime)
+sleLastAccessedDate = lens _sleLastAccessedDate (\ s a -> s{_sleLastAccessedDate = a}) . mapping _Time
+
+-- | The user-provided description of the secret.
+sleDescription :: Lens' SecretListEntry (Maybe Text)
+sleDescription = lens _sleDescription (\ s a -> s{_sleDescription = a})
+
+-- | The ARN of an AWS Lambda function that's invoked by Secrets Manager to rotate and expire the secret either automatically per the schedule or manually by a call to 'RotateSecret' .
+sleRotationLambdaARN :: Lens' SecretListEntry (Maybe Text)
+sleRotationLambdaARN = lens _sleRotationLambdaARN (\ s a -> s{_sleRotationLambdaARN = a})
+
+-- | The list of user-defined tags that are associated with the secret. To add tags to a secret, use 'TagResource' . To remove tags, use 'UntagResource' .
+sleTags :: Lens' SecretListEntry [Tag]
+sleTags = lens _sleTags (\ s a -> s{_sleTags = a}) . _Default . _Coerce
+
+instance FromJSON SecretListEntry where
+        parseJSON
+          = withObject "SecretListEntry"
+              (\ x ->
+                 SecretListEntry' <$>
+                   (x .:? "LastChangedDate") <*> (x .:? "ARN") <*>
+                     (x .:? "SecretVersionsToStages" .!= mempty)
+                     <*> (x .:? "RotationRules")
+                     <*> (x .:? "DeletedDate")
+                     <*> (x .:? "RotationEnabled")
+                     <*> (x .:? "KmsKeyId")
+                     <*> (x .:? "Name")
+                     <*> (x .:? "LastRotatedDate")
+                     <*> (x .:? "LastAccessedDate")
+                     <*> (x .:? "Description")
+                     <*> (x .:? "RotationLambdaARN")
+                     <*> (x .:? "Tags" .!= mempty))
+
+instance Hashable SecretListEntry where
+
+instance NFData SecretListEntry where
+
+-- | A structure that contains information about one version of a secret.
+--
+--
+--
+-- /See:/ 'secretVersionsListEntry' smart constructor.
+data SecretVersionsListEntry = SecretVersionsListEntry'
+  { _svleVersionId        :: !(Maybe Text)
+  , _svleVersionStages    :: !(Maybe (List1 Text))
+  , _svleCreatedDate      :: !(Maybe POSIX)
+  , _svleLastAccessedDate :: !(Maybe POSIX)
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'SecretVersionsListEntry' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'svleVersionId' - The unique version identifier of this version of the secret.
+--
+-- * 'svleVersionStages' - An array of staging labels that are currently associated with this version of the secret.
+--
+-- * 'svleCreatedDate' - The date and time this version of the secret was created.
+--
+-- * 'svleLastAccessedDate' - The date that this version of the secret was last accessed. Note that the resolution of this field is at the date level and does not include the time.
+secretVersionsListEntry
+    :: SecretVersionsListEntry
+secretVersionsListEntry =
+  SecretVersionsListEntry'
+    { _svleVersionId = Nothing
+    , _svleVersionStages = Nothing
+    , _svleCreatedDate = Nothing
+    , _svleLastAccessedDate = Nothing
+    }
+
+
+-- | The unique version identifier of this version of the secret.
+svleVersionId :: Lens' SecretVersionsListEntry (Maybe Text)
+svleVersionId = lens _svleVersionId (\ s a -> s{_svleVersionId = a})
+
+-- | An array of staging labels that are currently associated with this version of the secret.
+svleVersionStages :: Lens' SecretVersionsListEntry (Maybe (NonEmpty Text))
+svleVersionStages = lens _svleVersionStages (\ s a -> s{_svleVersionStages = a}) . mapping _List1
+
+-- | The date and time this version of the secret was created.
+svleCreatedDate :: Lens' SecretVersionsListEntry (Maybe UTCTime)
+svleCreatedDate = lens _svleCreatedDate (\ s a -> s{_svleCreatedDate = a}) . mapping _Time
+
+-- | The date that this version of the secret was last accessed. Note that the resolution of this field is at the date level and does not include the time.
+svleLastAccessedDate :: Lens' SecretVersionsListEntry (Maybe UTCTime)
+svleLastAccessedDate = lens _svleLastAccessedDate (\ s a -> s{_svleLastAccessedDate = a}) . mapping _Time
+
+instance FromJSON SecretVersionsListEntry where
+        parseJSON
+          = withObject "SecretVersionsListEntry"
+              (\ x ->
+                 SecretVersionsListEntry' <$>
+                   (x .:? "VersionId") <*> (x .:? "VersionStages") <*>
+                     (x .:? "CreatedDate")
+                     <*> (x .:? "LastAccessedDate"))
+
+instance Hashable SecretVersionsListEntry where
+
+instance NFData SecretVersionsListEntry where
+
+-- | A structure that contains information about a tag.
+--
+--
+--
+-- /See:/ 'tag' smart constructor.
+data Tag = Tag'
+  { _tagValue :: !(Maybe Text)
+  , _tagKey   :: !(Maybe Text)
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'Tag' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'tagValue' - The string value that's associated with the key of the tag.
+--
+-- * 'tagKey' - The key identifier, or name, of the tag.
+tag
+    :: Tag
+tag = Tag' {_tagValue = Nothing, _tagKey = Nothing}
+
+
+-- | The string value that's associated with the key of the tag.
+tagValue :: Lens' Tag (Maybe Text)
+tagValue = lens _tagValue (\ s a -> s{_tagValue = a})
+
+-- | The key identifier, or name, of the tag.
+tagKey :: Lens' Tag (Maybe Text)
+tagKey = lens _tagKey (\ s a -> s{_tagKey = a})
+
+instance FromJSON Tag where
+        parseJSON
+          = withObject "Tag"
+              (\ x -> Tag' <$> (x .:? "Value") <*> (x .:? "Key"))
+
+instance Hashable Tag where
+
+instance NFData Tag where
+
+instance ToJSON Tag where
+        toJSON Tag'{..}
+          = object
+              (catMaybes
+                 [("Value" .=) <$> _tagValue, ("Key" .=) <$> _tagKey])
diff --git a/gen/Network/AWS/SecretsManager/Types/Sum.hs b/gen/Network/AWS/SecretsManager/Types/Sum.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/Types/Sum.hs
@@ -0,0 +1,20 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE LambdaCase         #-}
+{-# LANGUAGE OverloadedStrings  #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.Types.Sum
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Network.AWS.SecretsManager.Types.Sum where
+
+import Network.AWS.Prelude
diff --git a/gen/Network/AWS/SecretsManager/UntagResource.hs b/gen/Network/AWS/SecretsManager/UntagResource.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/UntagResource.hs
@@ -0,0 +1,138 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.UntagResource
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Removes one or more tags from the specified secret.
+--
+--
+-- This operation is idempotent. If a requested tag is not attached to the secret, no error is returned and the secret metadata is unchanged.
+--
+-- /Important:/ If you use tags as part of your security strategy, then removing a tag can change permissions. If successfully completing this operation would result in you losing your permissions for this secret, then the operation is blocked and returns an Access Denied error.
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:UntagResource
+--
+--
+--
+-- __Related operations__
+--
+--     * To add one or more tags to the collection attached to a secret, use 'TagResource' .
+--
+--     * To view the list of tags attached to a secret, use 'DescribeSecret' .
+--
+--
+--
+module Network.AWS.SecretsManager.UntagResource
+    (
+    -- * Creating a Request
+      untagResource
+    , UntagResource
+    -- * Request Lenses
+    , urSecretId
+    , urTagKeys
+
+    -- * Destructuring the Response
+    , untagResourceResponse
+    , UntagResourceResponse
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'untagResource' smart constructor.
+data UntagResource = UntagResource'
+  { _urSecretId :: !Text
+  , _urTagKeys  :: ![Text]
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'UntagResource' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'urSecretId' - The identifier for the secret that you want to remove tags from. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+--
+-- * 'urTagKeys' - A list of tag key names to remove from the secret. You don't specify the value. Both the key and its associated value are removed. This parameter to the API requires a JSON text string argument. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ .
+untagResource
+    :: Text -- ^ 'urSecretId'
+    -> UntagResource
+untagResource pSecretId_ =
+  UntagResource' {_urSecretId = pSecretId_, _urTagKeys = mempty}
+
+
+-- | The identifier for the secret that you want to remove tags from. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+urSecretId :: Lens' UntagResource Text
+urSecretId = lens _urSecretId (\ s a -> s{_urSecretId = a})
+
+-- | A list of tag key names to remove from the secret. You don't specify the value. Both the key and its associated value are removed. This parameter to the API requires a JSON text string argument. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ .
+urTagKeys :: Lens' UntagResource [Text]
+urTagKeys = lens _urTagKeys (\ s a -> s{_urTagKeys = a}) . _Coerce
+
+instance AWSRequest UntagResource where
+        type Rs UntagResource = UntagResourceResponse
+        request = postJSON secretsManager
+        response = receiveNull UntagResourceResponse'
+
+instance Hashable UntagResource where
+
+instance NFData UntagResource where
+
+instance ToHeaders UntagResource where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.UntagResource" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON UntagResource where
+        toJSON UntagResource'{..}
+          = object
+              (catMaybes
+                 [Just ("SecretId" .= _urSecretId),
+                  Just ("TagKeys" .= _urTagKeys)])
+
+instance ToPath UntagResource where
+        toPath = const "/"
+
+instance ToQuery UntagResource where
+        toQuery = const mempty
+
+-- | /See:/ 'untagResourceResponse' smart constructor.
+data UntagResourceResponse =
+  UntagResourceResponse'
+  deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'UntagResourceResponse' with the minimum fields required to make a request.
+--
+untagResourceResponse
+    :: UntagResourceResponse
+untagResourceResponse = UntagResourceResponse'
+
+
+instance NFData UntagResourceResponse where
diff --git a/gen/Network/AWS/SecretsManager/UpdateSecret.hs b/gen/Network/AWS/SecretsManager/UpdateSecret.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/UpdateSecret.hs
@@ -0,0 +1,239 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.UpdateSecret
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Modifies many of the details of a secret. If you include a @ClientRequestToken@ and either @SecretString@ or @SecretBinary@ then it also creates a new version attached to the secret.
+--
+--
+-- To modify the rotation configuration of a secret, use 'RotateSecret' instead.
+--
+--     * If a version with a @SecretVersionId@ with the same value as the @ClientRequestToken@ parameter already exists, the operation generates an error. You cannot modify an existing version, you can only create new ones.
+--
+--     * If you include @SecretString@ or @SecretBinary@ to create a new secret version, Secrets Manager automatically attaches the staging label @AWSCURRENT@ to the new version.
+--
+--
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:UpdateSecret
+--
+--     * kms:GenerateDataKey - needed only if you use a custom KMS key to encrypt the secret. You do not need this permission to use the account's AWS managed CMK for Secrets Manager.
+--
+--     * kms:Decrypt - needed only if you use a custom KMS key to encrypt the secret. You do not need this permission to use the account's AWS managed CMK for Secrets Manager.
+--
+--
+--
+-- __Related operations__
+--
+--     * To create a new secret, use 'CreateSecret' .
+--
+--     * To add only a new version to an existing secret, use 'PutSecretValue' .
+--
+--     * To get the details for a secret, use 'DescribeSecret' .
+--
+--     * To list the versions contained in a secret, use 'ListSecretVersionIds' .
+--
+--
+--
+module Network.AWS.SecretsManager.UpdateSecret
+    (
+    -- * Creating a Request
+      updateSecret
+    , UpdateSecret
+    -- * Request Lenses
+    , usSecretBinary
+    , usKMSKeyId
+    , usSecretString
+    , usClientRequestToken
+    , usDescription
+    , usSecretId
+
+    -- * Destructuring the Response
+    , updateSecretResponse
+    , UpdateSecretResponse
+    -- * Response Lenses
+    , usrsVersionId
+    , usrsARN
+    , usrsName
+    , usrsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'updateSecret' smart constructor.
+data UpdateSecret = UpdateSecret'
+  { _usSecretBinary       :: !(Maybe (Sensitive Base64))
+  , _usKMSKeyId           :: !(Maybe Text)
+  , _usSecretString       :: !(Maybe (Sensitive Text))
+  , _usClientRequestToken :: !(Maybe Text)
+  , _usDescription        :: !(Maybe Text)
+  , _usSecretId           :: !Text
+  } deriving (Eq, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'UpdateSecret' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'usSecretBinary' - (Optional) Specifies binary data that you want to encrypt and store in the new version of the secret. To use this parameter in the command-line tools, we recommend that you store your binary data in a file and then use the appropriate technique for your tool to pass the contents of the file as a parameter. Either @SecretBinary@ or @SecretString@ must have a value, but not both. They cannot both be empty. This parameter is not accessible using the Secrets Manager console.-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This 'Lens' accepts and returns only raw unencoded data.
+--
+-- * 'usKMSKeyId' - (Optional) Specifies the ARN or alias of the KMS customer master key (CMK) to be used to encrypt the protected text in the versions of this secret. If you don't specify this value, then Secrets Manager defaults to using the default CMK in the account (the one named @aws/secretsmanager@ ). If a KMS CMK with that name doesn't exist, then Secrets Manager creates it for you automatically the first time it needs to encrypt a version's @Plaintext@ or @PlaintextString@ fields. /Important:/ You can only use the account's default CMK to encrypt and decrypt if you call this operation using credentials from the same account that owns the secret. If the secret is in a different account, then you must create a custom CMK and provide the ARN in this field.
+--
+-- * 'usSecretString' - (Optional) Specifies text data that you want to encrypt and store in this new version of the secret. Either @SecretBinary@ or @SecretString@ must have a value, but not both. They cannot both be empty. If you create this secret by using the Secrets Manager console then Secrets Manager puts the protected secret text in only the @SecretString@ parameter. The Secrets Manager console stores the information as a JSON structure of key/value pairs that the default Lambda rotation function knows how to parse. For storing multiple values, we recommend that you use a JSON text string argument and specify key/value pairs. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ .
+--
+-- * 'usClientRequestToken' - (Optional) If you want to add a new version to the secret, this parameter specifies a unique identifier for the new version that helps ensure idempotency.  If you use the AWS CLI or one of the AWS SDK to call this operation, then you can leave this parameter empty. The CLI or SDK generates a random UUID for you and includes that in the request. If you don't use the SDK and instead generate a raw HTTP request to the Secrets Manager service endpoint, then you must generate a @ClientRequestToken@ yourself for new versions and include that value in the request. You typically only need to interact with this value if you implement your own retry logic and want to ensure that a given secret is not created twice. We recommend that you generate a <https://wikipedia.org/wiki/Universally_unique_identifier UUID-type> value to ensure uniqueness within the specified secret.  Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during the Lambda rotation function's processing.     * If the @ClientRequestToken@ value isn't already associated with a version of the secret then a new version of the secret is created.      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are the same as those in the request then the request is ignored (the operation is idempotent).      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are different from the request then an error occurs because you cannot modify an existing secret value. This value becomes the @SecretVersionId@ of the new version.
+--
+-- * 'usDescription' - (Optional) Specifies a user-provided description of the secret.
+--
+-- * 'usSecretId' - Specifies the secret that you want to update or to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+updateSecret
+    :: Text -- ^ 'usSecretId'
+    -> UpdateSecret
+updateSecret pSecretId_ =
+  UpdateSecret'
+    { _usSecretBinary = Nothing
+    , _usKMSKeyId = Nothing
+    , _usSecretString = Nothing
+    , _usClientRequestToken = Nothing
+    , _usDescription = Nothing
+    , _usSecretId = pSecretId_
+    }
+
+
+-- | (Optional) Specifies binary data that you want to encrypt and store in the new version of the secret. To use this parameter in the command-line tools, we recommend that you store your binary data in a file and then use the appropriate technique for your tool to pass the contents of the file as a parameter. Either @SecretBinary@ or @SecretString@ must have a value, but not both. They cannot both be empty. This parameter is not accessible using the Secrets Manager console.-- /Note:/ This 'Lens' automatically encodes and decodes Base64 data. The underlying isomorphism will encode to Base64 representation during serialisation, and decode from Base64 representation during deserialisation. This 'Lens' accepts and returns only raw unencoded data.
+usSecretBinary :: Lens' UpdateSecret (Maybe ByteString)
+usSecretBinary = lens _usSecretBinary (\ s a -> s{_usSecretBinary = a}) . mapping (_Sensitive . _Base64)
+
+-- | (Optional) Specifies the ARN or alias of the KMS customer master key (CMK) to be used to encrypt the protected text in the versions of this secret. If you don't specify this value, then Secrets Manager defaults to using the default CMK in the account (the one named @aws/secretsmanager@ ). If a KMS CMK with that name doesn't exist, then Secrets Manager creates it for you automatically the first time it needs to encrypt a version's @Plaintext@ or @PlaintextString@ fields. /Important:/ You can only use the account's default CMK to encrypt and decrypt if you call this operation using credentials from the same account that owns the secret. If the secret is in a different account, then you must create a custom CMK and provide the ARN in this field.
+usKMSKeyId :: Lens' UpdateSecret (Maybe Text)
+usKMSKeyId = lens _usKMSKeyId (\ s a -> s{_usKMSKeyId = a})
+
+-- | (Optional) Specifies text data that you want to encrypt and store in this new version of the secret. Either @SecretBinary@ or @SecretString@ must have a value, but not both. They cannot both be empty. If you create this secret by using the Secrets Manager console then Secrets Manager puts the protected secret text in only the @SecretString@ parameter. The Secrets Manager console stores the information as a JSON structure of key/value pairs that the default Lambda rotation function knows how to parse. For storing multiple values, we recommend that you use a JSON text string argument and specify key/value pairs. For information on how to format a JSON parameter for the various command line tool environments, see <http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json Using JSON for Parameters> in the /AWS CLI User Guide/ .
+usSecretString :: Lens' UpdateSecret (Maybe Text)
+usSecretString = lens _usSecretString (\ s a -> s{_usSecretString = a}) . mapping _Sensitive
+
+-- | (Optional) If you want to add a new version to the secret, this parameter specifies a unique identifier for the new version that helps ensure idempotency.  If you use the AWS CLI or one of the AWS SDK to call this operation, then you can leave this parameter empty. The CLI or SDK generates a random UUID for you and includes that in the request. If you don't use the SDK and instead generate a raw HTTP request to the Secrets Manager service endpoint, then you must generate a @ClientRequestToken@ yourself for new versions and include that value in the request. You typically only need to interact with this value if you implement your own retry logic and want to ensure that a given secret is not created twice. We recommend that you generate a <https://wikipedia.org/wiki/Universally_unique_identifier UUID-type> value to ensure uniqueness within the specified secret.  Secrets Manager uses this value to prevent the accidental creation of duplicate versions if there are failures and retries during the Lambda rotation function's processing.     * If the @ClientRequestToken@ value isn't already associated with a version of the secret then a new version of the secret is created.      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are the same as those in the request then the request is ignored (the operation is idempotent).      * If a version with this value already exists and that version's @SecretString@ and @SecretBinary@ values are different from the request then an error occurs because you cannot modify an existing secret value. This value becomes the @SecretVersionId@ of the new version.
+usClientRequestToken :: Lens' UpdateSecret (Maybe Text)
+usClientRequestToken = lens _usClientRequestToken (\ s a -> s{_usClientRequestToken = a})
+
+-- | (Optional) Specifies a user-provided description of the secret.
+usDescription :: Lens' UpdateSecret (Maybe Text)
+usDescription = lens _usDescription (\ s a -> s{_usDescription = a})
+
+-- | Specifies the secret that you want to update or to which you want to add a new version. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+usSecretId :: Lens' UpdateSecret Text
+usSecretId = lens _usSecretId (\ s a -> s{_usSecretId = a})
+
+instance AWSRequest UpdateSecret where
+        type Rs UpdateSecret = UpdateSecretResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 UpdateSecretResponse' <$>
+                   (x .?> "VersionId") <*> (x .?> "ARN") <*>
+                     (x .?> "Name")
+                     <*> (pure (fromEnum s)))
+
+instance Hashable UpdateSecret where
+
+instance NFData UpdateSecret where
+
+instance ToHeaders UpdateSecret where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.UpdateSecret" :: ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON UpdateSecret where
+        toJSON UpdateSecret'{..}
+          = object
+              (catMaybes
+                 [("SecretBinary" .=) <$> _usSecretBinary,
+                  ("KmsKeyId" .=) <$> _usKMSKeyId,
+                  ("SecretString" .=) <$> _usSecretString,
+                  ("ClientRequestToken" .=) <$> _usClientRequestToken,
+                  ("Description" .=) <$> _usDescription,
+                  Just ("SecretId" .= _usSecretId)])
+
+instance ToPath UpdateSecret where
+        toPath = const "/"
+
+instance ToQuery UpdateSecret where
+        toQuery = const mempty
+
+-- | /See:/ 'updateSecretResponse' smart constructor.
+data UpdateSecretResponse = UpdateSecretResponse'
+  { _usrsVersionId      :: !(Maybe Text)
+  , _usrsARN            :: !(Maybe Text)
+  , _usrsName           :: !(Maybe Text)
+  , _usrsResponseStatus :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'UpdateSecretResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'usrsVersionId' - If a version of the secret was created or updated by this operation, then its unique identifier is returned.
+--
+-- * 'usrsARN' - The ARN of this secret.
+--
+-- * 'usrsName' - The friendly name of this secret.
+--
+-- * 'usrsResponseStatus' - -- | The response status code.
+updateSecretResponse
+    :: Int -- ^ 'usrsResponseStatus'
+    -> UpdateSecretResponse
+updateSecretResponse pResponseStatus_ =
+  UpdateSecretResponse'
+    { _usrsVersionId = Nothing
+    , _usrsARN = Nothing
+    , _usrsName = Nothing
+    , _usrsResponseStatus = pResponseStatus_
+    }
+
+
+-- | If a version of the secret was created or updated by this operation, then its unique identifier is returned.
+usrsVersionId :: Lens' UpdateSecretResponse (Maybe Text)
+usrsVersionId = lens _usrsVersionId (\ s a -> s{_usrsVersionId = a})
+
+-- | The ARN of this secret.
+usrsARN :: Lens' UpdateSecretResponse (Maybe Text)
+usrsARN = lens _usrsARN (\ s a -> s{_usrsARN = a})
+
+-- | The friendly name of this secret.
+usrsName :: Lens' UpdateSecretResponse (Maybe Text)
+usrsName = lens _usrsName (\ s a -> s{_usrsName = a})
+
+-- | -- | The response status code.
+usrsResponseStatus :: Lens' UpdateSecretResponse Int
+usrsResponseStatus = lens _usrsResponseStatus (\ s a -> s{_usrsResponseStatus = a})
+
+instance NFData UpdateSecretResponse where
diff --git a/gen/Network/AWS/SecretsManager/UpdateSecretVersionStage.hs b/gen/Network/AWS/SecretsManager/UpdateSecretVersionStage.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/UpdateSecretVersionStage.hs
@@ -0,0 +1,202 @@
+{-# LANGUAGE DeriveDataTypeable #-}
+{-# LANGUAGE DeriveGeneric      #-}
+{-# LANGUAGE OverloadedStrings  #-}
+{-# LANGUAGE RecordWildCards    #-}
+{-# LANGUAGE TypeFamilies       #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}
+{-# OPTIONS_GHC -fno-warn-unused-matches #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.UpdateSecretVersionStage
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+-- Modifies the staging labels attached to a version of a secret. Staging labels are used to track a version as it progresses through the secret rotation process. You can attach a staging label to only one version of a secret at a time. If a staging label to be added is already attached to another version, then it is moved--removed from the other version first and then attached to this one. For more information about staging labels, see <http://docs.aws.amazon.com/secretsmanager/latest/userguide/terms-concepts.html#term_staging-label Staging Labels> in the /AWS Secrets Manager User Guide/ .
+--
+--
+-- The staging labels that you specify in the @VersionStage@ parameter are added to the existing list of staging labels--they don't replace it.
+--
+-- You can move the @AWSCURRENT@ staging label to this version by including it in this call.
+--
+-- If this action results in the last label being removed from a version, then the version is considered to be 'deprecated' and can be deleted by Secrets Manager.
+--
+-- __Minimum permissions__
+--
+-- To run this command, you must have the following permissions:
+--
+--     * secretsmanager:UpdateSecretVersionStage
+--
+--
+--
+-- __Related operations__
+--
+--     * To get the list of staging labels that are currently associated with a version of a secret, use @'DescribeSecret' @ and examine the @SecretVersionsToStages@ response value.
+--
+--
+--
+module Network.AWS.SecretsManager.UpdateSecretVersionStage
+    (
+    -- * Creating a Request
+      updateSecretVersionStage
+    , UpdateSecretVersionStage
+    -- * Request Lenses
+    , usvsRemoveFromVersionId
+    , usvsMoveToVersionId
+    , usvsSecretId
+    , usvsVersionStage
+
+    -- * Destructuring the Response
+    , updateSecretVersionStageResponse
+    , UpdateSecretVersionStageResponse
+    -- * Response Lenses
+    , usvsrsARN
+    , usvsrsName
+    , usvsrsResponseStatus
+    ) where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.Request
+import Network.AWS.Response
+import Network.AWS.SecretsManager.Types
+import Network.AWS.SecretsManager.Types.Product
+
+-- | /See:/ 'updateSecretVersionStage' smart constructor.
+data UpdateSecretVersionStage = UpdateSecretVersionStage'
+  { _usvsRemoveFromVersionId :: !(Maybe Text)
+  , _usvsMoveToVersionId     :: !(Maybe Text)
+  , _usvsSecretId            :: !Text
+  , _usvsVersionStage        :: !Text
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'UpdateSecretVersionStage' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'usvsRemoveFromVersionId' - (Optional) Specifies the secret version ID of the version that the staging labels are to be removed from. If you want to move a label to a new version, you do not have to explicitly remove it with this parameter. Adding a label using the @MoveToVersionId@ parameter automatically removes it from the old version. However, if you do include both the "MoveTo" and "RemoveFrom" parameters, then the move is successful only if the staging labels are actually present on the "RemoveFrom" version. If a staging label was on a different version than "RemoveFrom", then the request fails.
+--
+-- * 'usvsMoveToVersionId' - (Optional) The secret version ID that you want to add the staging labels to. If any of the staging labels are already attached to a different version of the secret, then they are removed from that version before adding them to this version.
+--
+-- * 'usvsSecretId' - Specifies the secret with the version whose list of staging labels you want to modify. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+--
+-- * 'usvsVersionStage' - The list of staging labels to add to this version.
+updateSecretVersionStage
+    :: Text -- ^ 'usvsSecretId'
+    -> Text -- ^ 'usvsVersionStage'
+    -> UpdateSecretVersionStage
+updateSecretVersionStage pSecretId_ pVersionStage_ =
+  UpdateSecretVersionStage'
+    { _usvsRemoveFromVersionId = Nothing
+    , _usvsMoveToVersionId = Nothing
+    , _usvsSecretId = pSecretId_
+    , _usvsVersionStage = pVersionStage_
+    }
+
+
+-- | (Optional) Specifies the secret version ID of the version that the staging labels are to be removed from. If you want to move a label to a new version, you do not have to explicitly remove it with this parameter. Adding a label using the @MoveToVersionId@ parameter automatically removes it from the old version. However, if you do include both the "MoveTo" and "RemoveFrom" parameters, then the move is successful only if the staging labels are actually present on the "RemoveFrom" version. If a staging label was on a different version than "RemoveFrom", then the request fails.
+usvsRemoveFromVersionId :: Lens' UpdateSecretVersionStage (Maybe Text)
+usvsRemoveFromVersionId = lens _usvsRemoveFromVersionId (\ s a -> s{_usvsRemoveFromVersionId = a})
+
+-- | (Optional) The secret version ID that you want to add the staging labels to. If any of the staging labels are already attached to a different version of the secret, then they are removed from that version before adding them to this version.
+usvsMoveToVersionId :: Lens' UpdateSecretVersionStage (Maybe Text)
+usvsMoveToVersionId = lens _usvsMoveToVersionId (\ s a -> s{_usvsMoveToVersionId = a})
+
+-- | Specifies the secret with the version whose list of staging labels you want to modify. You can specify either the Amazon Resource Name (ARN) or the friendly name of the secret.
+usvsSecretId :: Lens' UpdateSecretVersionStage Text
+usvsSecretId = lens _usvsSecretId (\ s a -> s{_usvsSecretId = a})
+
+-- | The list of staging labels to add to this version.
+usvsVersionStage :: Lens' UpdateSecretVersionStage Text
+usvsVersionStage = lens _usvsVersionStage (\ s a -> s{_usvsVersionStage = a})
+
+instance AWSRequest UpdateSecretVersionStage where
+        type Rs UpdateSecretVersionStage =
+             UpdateSecretVersionStageResponse
+        request = postJSON secretsManager
+        response
+          = receiveJSON
+              (\ s h x ->
+                 UpdateSecretVersionStageResponse' <$>
+                   (x .?> "ARN") <*> (x .?> "Name") <*>
+                     (pure (fromEnum s)))
+
+instance Hashable UpdateSecretVersionStage where
+
+instance NFData UpdateSecretVersionStage where
+
+instance ToHeaders UpdateSecretVersionStage where
+        toHeaders
+          = const
+              (mconcat
+                 ["X-Amz-Target" =#
+                    ("secretsmanager.UpdateSecretVersionStage" ::
+                       ByteString),
+                  "Content-Type" =#
+                    ("application/x-amz-json-1.1" :: ByteString)])
+
+instance ToJSON UpdateSecretVersionStage where
+        toJSON UpdateSecretVersionStage'{..}
+          = object
+              (catMaybes
+                 [("RemoveFromVersionId" .=) <$>
+                    _usvsRemoveFromVersionId,
+                  ("MoveToVersionId" .=) <$> _usvsMoveToVersionId,
+                  Just ("SecretId" .= _usvsSecretId),
+                  Just ("VersionStage" .= _usvsVersionStage)])
+
+instance ToPath UpdateSecretVersionStage where
+        toPath = const "/"
+
+instance ToQuery UpdateSecretVersionStage where
+        toQuery = const mempty
+
+-- | /See:/ 'updateSecretVersionStageResponse' smart constructor.
+data UpdateSecretVersionStageResponse = UpdateSecretVersionStageResponse'
+  { _usvsrsARN            :: !(Maybe Text)
+  , _usvsrsName           :: !(Maybe Text)
+  , _usvsrsResponseStatus :: !Int
+  } deriving (Eq, Read, Show, Data, Typeable, Generic)
+
+
+-- | Creates a value of 'UpdateSecretVersionStageResponse' with the minimum fields required to make a request.
+--
+-- Use one of the following lenses to modify other fields as desired:
+--
+-- * 'usvsrsARN' - The ARN of the secret with the staging labels that were modified.
+--
+-- * 'usvsrsName' - The friendly name of the secret with the staging labels that were modified.
+--
+-- * 'usvsrsResponseStatus' - -- | The response status code.
+updateSecretVersionStageResponse
+    :: Int -- ^ 'usvsrsResponseStatus'
+    -> UpdateSecretVersionStageResponse
+updateSecretVersionStageResponse pResponseStatus_ =
+  UpdateSecretVersionStageResponse'
+    { _usvsrsARN = Nothing
+    , _usvsrsName = Nothing
+    , _usvsrsResponseStatus = pResponseStatus_
+    }
+
+
+-- | The ARN of the secret with the staging labels that were modified.
+usvsrsARN :: Lens' UpdateSecretVersionStageResponse (Maybe Text)
+usvsrsARN = lens _usvsrsARN (\ s a -> s{_usvsrsARN = a})
+
+-- | The friendly name of the secret with the staging labels that were modified.
+usvsrsName :: Lens' UpdateSecretVersionStageResponse (Maybe Text)
+usvsrsName = lens _usvsrsName (\ s a -> s{_usvsrsName = a})
+
+-- | -- | The response status code.
+usvsrsResponseStatus :: Lens' UpdateSecretVersionStageResponse Int
+usvsrsResponseStatus = lens _usvsrsResponseStatus (\ s a -> s{_usvsrsResponseStatus = a})
+
+instance NFData UpdateSecretVersionStageResponse
+         where
diff --git a/gen/Network/AWS/SecretsManager/Waiters.hs b/gen/Network/AWS/SecretsManager/Waiters.hs
new file mode 100644
--- /dev/null
+++ b/gen/Network/AWS/SecretsManager/Waiters.hs
@@ -0,0 +1,21 @@
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE TypeFamilies      #-}
+
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Network.AWS.SecretsManager.Waiters
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Network.AWS.SecretsManager.Waiters where
+
+import Network.AWS.Lens
+import Network.AWS.Prelude
+import Network.AWS.SecretsManager.Types
+import Network.AWS.Waiter
diff --git a/src/.gitkeep b/src/.gitkeep
new file mode 100644
--- /dev/null
+++ b/src/.gitkeep
diff --git a/test/Main.hs b/test/Main.hs
new file mode 100644
--- /dev/null
+++ b/test/Main.hs
@@ -0,0 +1,21 @@
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+
+-- |
+-- Module      : Main
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Main (main) where
+
+import Test.Tasty
+import Test.AWS.SecretsManager
+import Test.AWS.SecretsManager.Internal
+
+main :: IO ()
+main = defaultMain $ testGroup "SecretsManager"
+    [ testGroup "tests"    tests
+    , testGroup "fixtures" fixtures
+    ]
diff --git a/test/Test/AWS/Gen/SecretsManager.hs b/test/Test/AWS/Gen/SecretsManager.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/AWS/Gen/SecretsManager.hs
@@ -0,0 +1,309 @@
+{-# OPTIONS_GHC -fno-warn-unused-imports #-}
+{-# OPTIONS_GHC -fno-warn-orphans        #-}
+
+-- Derived from AWS service descriptions, licensed under Apache 2.0.
+
+-- |
+-- Module      : Test.AWS.Gen.SecretsManager
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Test.AWS.Gen.SecretsManager where
+
+import Data.Proxy
+import Network.AWS.SecretsManager
+import Test.AWS.Fixture
+import Test.AWS.Prelude
+import Test.AWS.SecretsManager.Internal
+import Test.Tasty
+
+-- Auto-generated: the actual test selection needs to be manually placed into
+-- the top-level so that real test data can be incrementally added.
+--
+-- This commented snippet is what the entire set should look like:
+
+-- fixtures :: TestTree
+-- fixtures =
+--     [ testGroup "request"
+--         [ requestDeleteSecret $
+--             deleteSecret
+--
+--         , requestListSecrets $
+--             listSecrets
+--
+--         , requestUpdateSecret $
+--             updateSecret
+--
+--         , requestRotateSecret $
+--             rotateSecret
+--
+--         , requestCreateSecret $
+--             createSecret
+--
+--         , requestGetSecretValue $
+--             getSecretValue
+--
+--         , requestDescribeSecret $
+--             describeSecret
+--
+--         , requestRestoreSecret $
+--             restoreSecret
+--
+--         , requestCancelRotateSecret $
+--             cancelRotateSecret
+--
+--         , requestPutSecretValue $
+--             putSecretValue
+--
+--         , requestGetRandomPassword $
+--             getRandomPassword
+--
+--         , requestListSecretVersionIds $
+--             listSecretVersionIds
+--
+--         , requestTagResource $
+--             tagResource
+--
+--         , requestUntagResource $
+--             untagResource
+--
+--         , requestUpdateSecretVersionStage $
+--             updateSecretVersionStage
+--
+--           ]
+
+--     , testGroup "response"
+--         [ responseDeleteSecret $
+--             deleteSecretResponse
+--
+--         , responseListSecrets $
+--             listSecretsResponse
+--
+--         , responseUpdateSecret $
+--             updateSecretResponse
+--
+--         , responseRotateSecret $
+--             rotateSecretResponse
+--
+--         , responseCreateSecret $
+--             createSecretResponse
+--
+--         , responseGetSecretValue $
+--             getSecretValueResponse
+--
+--         , responseDescribeSecret $
+--             describeSecretResponse
+--
+--         , responseRestoreSecret $
+--             restoreSecretResponse
+--
+--         , responseCancelRotateSecret $
+--             cancelRotateSecretResponse
+--
+--         , responsePutSecretValue $
+--             putSecretValueResponse
+--
+--         , responseGetRandomPassword $
+--             getRandomPasswordResponse
+--
+--         , responseListSecretVersionIds $
+--             listSecretVersionIdsResponse
+--
+--         , responseTagResource $
+--             tagResourceResponse
+--
+--         , responseUntagResource $
+--             untagResourceResponse
+--
+--         , responseUpdateSecretVersionStage $
+--             updateSecretVersionStageResponse
+--
+--           ]
+--     ]
+
+-- Requests
+
+requestDeleteSecret :: DeleteSecret -> TestTree
+requestDeleteSecret = req
+    "DeleteSecret"
+    "fixture/DeleteSecret.yaml"
+
+requestListSecrets :: ListSecrets -> TestTree
+requestListSecrets = req
+    "ListSecrets"
+    "fixture/ListSecrets.yaml"
+
+requestUpdateSecret :: UpdateSecret -> TestTree
+requestUpdateSecret = req
+    "UpdateSecret"
+    "fixture/UpdateSecret.yaml"
+
+requestRotateSecret :: RotateSecret -> TestTree
+requestRotateSecret = req
+    "RotateSecret"
+    "fixture/RotateSecret.yaml"
+
+requestCreateSecret :: CreateSecret -> TestTree
+requestCreateSecret = req
+    "CreateSecret"
+    "fixture/CreateSecret.yaml"
+
+requestGetSecretValue :: GetSecretValue -> TestTree
+requestGetSecretValue = req
+    "GetSecretValue"
+    "fixture/GetSecretValue.yaml"
+
+requestDescribeSecret :: DescribeSecret -> TestTree
+requestDescribeSecret = req
+    "DescribeSecret"
+    "fixture/DescribeSecret.yaml"
+
+requestRestoreSecret :: RestoreSecret -> TestTree
+requestRestoreSecret = req
+    "RestoreSecret"
+    "fixture/RestoreSecret.yaml"
+
+requestCancelRotateSecret :: CancelRotateSecret -> TestTree
+requestCancelRotateSecret = req
+    "CancelRotateSecret"
+    "fixture/CancelRotateSecret.yaml"
+
+requestPutSecretValue :: PutSecretValue -> TestTree
+requestPutSecretValue = req
+    "PutSecretValue"
+    "fixture/PutSecretValue.yaml"
+
+requestGetRandomPassword :: GetRandomPassword -> TestTree
+requestGetRandomPassword = req
+    "GetRandomPassword"
+    "fixture/GetRandomPassword.yaml"
+
+requestListSecretVersionIds :: ListSecretVersionIds -> TestTree
+requestListSecretVersionIds = req
+    "ListSecretVersionIds"
+    "fixture/ListSecretVersionIds.yaml"
+
+requestTagResource :: TagResource -> TestTree
+requestTagResource = req
+    "TagResource"
+    "fixture/TagResource.yaml"
+
+requestUntagResource :: UntagResource -> TestTree
+requestUntagResource = req
+    "UntagResource"
+    "fixture/UntagResource.yaml"
+
+requestUpdateSecretVersionStage :: UpdateSecretVersionStage -> TestTree
+requestUpdateSecretVersionStage = req
+    "UpdateSecretVersionStage"
+    "fixture/UpdateSecretVersionStage.yaml"
+
+-- Responses
+
+responseDeleteSecret :: DeleteSecretResponse -> TestTree
+responseDeleteSecret = res
+    "DeleteSecretResponse"
+    "fixture/DeleteSecretResponse.proto"
+    secretsManager
+    (Proxy :: Proxy DeleteSecret)
+
+responseListSecrets :: ListSecretsResponse -> TestTree
+responseListSecrets = res
+    "ListSecretsResponse"
+    "fixture/ListSecretsResponse.proto"
+    secretsManager
+    (Proxy :: Proxy ListSecrets)
+
+responseUpdateSecret :: UpdateSecretResponse -> TestTree
+responseUpdateSecret = res
+    "UpdateSecretResponse"
+    "fixture/UpdateSecretResponse.proto"
+    secretsManager
+    (Proxy :: Proxy UpdateSecret)
+
+responseRotateSecret :: RotateSecretResponse -> TestTree
+responseRotateSecret = res
+    "RotateSecretResponse"
+    "fixture/RotateSecretResponse.proto"
+    secretsManager
+    (Proxy :: Proxy RotateSecret)
+
+responseCreateSecret :: CreateSecretResponse -> TestTree
+responseCreateSecret = res
+    "CreateSecretResponse"
+    "fixture/CreateSecretResponse.proto"
+    secretsManager
+    (Proxy :: Proxy CreateSecret)
+
+responseGetSecretValue :: GetSecretValueResponse -> TestTree
+responseGetSecretValue = res
+    "GetSecretValueResponse"
+    "fixture/GetSecretValueResponse.proto"
+    secretsManager
+    (Proxy :: Proxy GetSecretValue)
+
+responseDescribeSecret :: DescribeSecretResponse -> TestTree
+responseDescribeSecret = res
+    "DescribeSecretResponse"
+    "fixture/DescribeSecretResponse.proto"
+    secretsManager
+    (Proxy :: Proxy DescribeSecret)
+
+responseRestoreSecret :: RestoreSecretResponse -> TestTree
+responseRestoreSecret = res
+    "RestoreSecretResponse"
+    "fixture/RestoreSecretResponse.proto"
+    secretsManager
+    (Proxy :: Proxy RestoreSecret)
+
+responseCancelRotateSecret :: CancelRotateSecretResponse -> TestTree
+responseCancelRotateSecret = res
+    "CancelRotateSecretResponse"
+    "fixture/CancelRotateSecretResponse.proto"
+    secretsManager
+    (Proxy :: Proxy CancelRotateSecret)
+
+responsePutSecretValue :: PutSecretValueResponse -> TestTree
+responsePutSecretValue = res
+    "PutSecretValueResponse"
+    "fixture/PutSecretValueResponse.proto"
+    secretsManager
+    (Proxy :: Proxy PutSecretValue)
+
+responseGetRandomPassword :: GetRandomPasswordResponse -> TestTree
+responseGetRandomPassword = res
+    "GetRandomPasswordResponse"
+    "fixture/GetRandomPasswordResponse.proto"
+    secretsManager
+    (Proxy :: Proxy GetRandomPassword)
+
+responseListSecretVersionIds :: ListSecretVersionIdsResponse -> TestTree
+responseListSecretVersionIds = res
+    "ListSecretVersionIdsResponse"
+    "fixture/ListSecretVersionIdsResponse.proto"
+    secretsManager
+    (Proxy :: Proxy ListSecretVersionIds)
+
+responseTagResource :: TagResourceResponse -> TestTree
+responseTagResource = res
+    "TagResourceResponse"
+    "fixture/TagResourceResponse.proto"
+    secretsManager
+    (Proxy :: Proxy TagResource)
+
+responseUntagResource :: UntagResourceResponse -> TestTree
+responseUntagResource = res
+    "UntagResourceResponse"
+    "fixture/UntagResourceResponse.proto"
+    secretsManager
+    (Proxy :: Proxy UntagResource)
+
+responseUpdateSecretVersionStage :: UpdateSecretVersionStageResponse -> TestTree
+responseUpdateSecretVersionStage = res
+    "UpdateSecretVersionStageResponse"
+    "fixture/UpdateSecretVersionStageResponse.proto"
+    secretsManager
+    (Proxy :: Proxy UpdateSecretVersionStage)
diff --git a/test/Test/AWS/SecretsManager.hs b/test/Test/AWS/SecretsManager.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/AWS/SecretsManager.hs
@@ -0,0 +1,20 @@
+-- |
+-- Module      : Test.AWS.SecretsManager
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Test.AWS.SecretsManager
+    ( tests
+    , fixtures
+    ) where
+
+import Test.Tasty (TestTree)
+
+tests :: [TestTree]
+tests = []
+
+fixtures :: [TestTree]
+fixtures = []
diff --git a/test/Test/AWS/SecretsManager/Internal.hs b/test/Test/AWS/SecretsManager/Internal.hs
new file mode 100644
--- /dev/null
+++ b/test/Test/AWS/SecretsManager/Internal.hs
@@ -0,0 +1,9 @@
+-- |
+-- Module      : Test.AWS.SecretsManager.Internal
+-- Copyright   : (c) 2013-2018 Brendan Hay
+-- License     : Mozilla Public License, v. 2.0.
+-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
+-- Stability   : auto-generated
+-- Portability : non-portable (GHC extensions)
+--
+module Test.AWS.SecretsManager.Internal where
