amazonka-ecr-2.0: gen/Amazonka/ECR/Types/EncryptionConfiguration.hs
{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}
-- Derived from AWS service descriptions, licensed under Apache 2.0.
-- |
-- Module : Amazonka.ECR.Types.EncryptionConfiguration
-- Copyright : (c) 2013-2023 Brendan Hay
-- License : Mozilla Public License, v. 2.0.
-- Maintainer : Brendan Hay
-- Stability : auto-generated
-- Portability : non-portable (GHC extensions)
module Amazonka.ECR.Types.EncryptionConfiguration where
import qualified Amazonka.Core as Core
import qualified Amazonka.Core.Lens.Internal as Lens
import qualified Amazonka.Data as Data
import Amazonka.ECR.Types.EncryptionType
import qualified Amazonka.Prelude as Prelude
-- | The encryption configuration for the repository. This determines how the
-- contents of your repository are encrypted at rest.
--
-- By default, when no encryption configuration is set or the @AES256@
-- encryption type is used, Amazon ECR uses server-side encryption with
-- Amazon S3-managed encryption keys which encrypts your data at rest using
-- an AES-256 encryption algorithm. This does not require any action on
-- your part.
--
-- For more control over the encryption of the contents of your repository,
-- you can use server-side encryption with Key Management Service key
-- stored in Key Management Service (KMS) to encrypt your images. For more
-- information, see
-- <https://docs.aws.amazon.com/AmazonECR/latest/userguide/encryption-at-rest.html Amazon ECR encryption at rest>
-- in the /Amazon Elastic Container Registry User Guide/.
--
-- /See:/ 'newEncryptionConfiguration' smart constructor.
data EncryptionConfiguration = EncryptionConfiguration'
{ -- | If you use the @KMS@ encryption type, specify the KMS key to use for
-- encryption. The alias, key ID, or full ARN of the KMS key can be
-- specified. The key must exist in the same Region as the repository. If
-- no key is specified, the default Amazon Web Services managed KMS key for
-- Amazon ECR will be used.
kmsKey :: Prelude.Maybe Prelude.Text,
-- | The encryption type to use.
--
-- If you use the @KMS@ encryption type, the contents of the repository
-- will be encrypted using server-side encryption with Key Management
-- Service key stored in KMS. When you use KMS to encrypt your data, you
-- can either use the default Amazon Web Services managed KMS key for
-- Amazon ECR, or specify your own KMS key, which you already created. For
-- more information, see
-- <https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html Protecting data using server-side encryption with an KMS key stored in Key Management Service (SSE-KMS)>
-- in the /Amazon Simple Storage Service Console Developer Guide/.
--
-- If you use the @AES256@ encryption type, Amazon ECR uses server-side
-- encryption with Amazon S3-managed encryption keys which encrypts the
-- images in the repository using an AES-256 encryption algorithm. For more
-- information, see
-- <https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3)>
-- in the /Amazon Simple Storage Service Console Developer Guide/.
encryptionType :: EncryptionType
}
deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)
-- |
-- Create a value of 'EncryptionConfiguration' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'kmsKey', 'encryptionConfiguration_kmsKey' - If you use the @KMS@ encryption type, specify the KMS key to use for
-- encryption. The alias, key ID, or full ARN of the KMS key can be
-- specified. The key must exist in the same Region as the repository. If
-- no key is specified, the default Amazon Web Services managed KMS key for
-- Amazon ECR will be used.
--
-- 'encryptionType', 'encryptionConfiguration_encryptionType' - The encryption type to use.
--
-- If you use the @KMS@ encryption type, the contents of the repository
-- will be encrypted using server-side encryption with Key Management
-- Service key stored in KMS. When you use KMS to encrypt your data, you
-- can either use the default Amazon Web Services managed KMS key for
-- Amazon ECR, or specify your own KMS key, which you already created. For
-- more information, see
-- <https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html Protecting data using server-side encryption with an KMS key stored in Key Management Service (SSE-KMS)>
-- in the /Amazon Simple Storage Service Console Developer Guide/.
--
-- If you use the @AES256@ encryption type, Amazon ECR uses server-side
-- encryption with Amazon S3-managed encryption keys which encrypts the
-- images in the repository using an AES-256 encryption algorithm. For more
-- information, see
-- <https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3)>
-- in the /Amazon Simple Storage Service Console Developer Guide/.
newEncryptionConfiguration ::
-- | 'encryptionType'
EncryptionType ->
EncryptionConfiguration
newEncryptionConfiguration pEncryptionType_ =
EncryptionConfiguration'
{ kmsKey = Prelude.Nothing,
encryptionType = pEncryptionType_
}
-- | If you use the @KMS@ encryption type, specify the KMS key to use for
-- encryption. The alias, key ID, or full ARN of the KMS key can be
-- specified. The key must exist in the same Region as the repository. If
-- no key is specified, the default Amazon Web Services managed KMS key for
-- Amazon ECR will be used.
encryptionConfiguration_kmsKey :: Lens.Lens' EncryptionConfiguration (Prelude.Maybe Prelude.Text)
encryptionConfiguration_kmsKey = Lens.lens (\EncryptionConfiguration' {kmsKey} -> kmsKey) (\s@EncryptionConfiguration' {} a -> s {kmsKey = a} :: EncryptionConfiguration)
-- | The encryption type to use.
--
-- If you use the @KMS@ encryption type, the contents of the repository
-- will be encrypted using server-side encryption with Key Management
-- Service key stored in KMS. When you use KMS to encrypt your data, you
-- can either use the default Amazon Web Services managed KMS key for
-- Amazon ECR, or specify your own KMS key, which you already created. For
-- more information, see
-- <https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingKMSEncryption.html Protecting data using server-side encryption with an KMS key stored in Key Management Service (SSE-KMS)>
-- in the /Amazon Simple Storage Service Console Developer Guide/.
--
-- If you use the @AES256@ encryption type, Amazon ECR uses server-side
-- encryption with Amazon S3-managed encryption keys which encrypts the
-- images in the repository using an AES-256 encryption algorithm. For more
-- information, see
-- <https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html Protecting data using server-side encryption with Amazon S3-managed encryption keys (SSE-S3)>
-- in the /Amazon Simple Storage Service Console Developer Guide/.
encryptionConfiguration_encryptionType :: Lens.Lens' EncryptionConfiguration EncryptionType
encryptionConfiguration_encryptionType = Lens.lens (\EncryptionConfiguration' {encryptionType} -> encryptionType) (\s@EncryptionConfiguration' {} a -> s {encryptionType = a} :: EncryptionConfiguration)
instance Data.FromJSON EncryptionConfiguration where
parseJSON =
Data.withObject
"EncryptionConfiguration"
( \x ->
EncryptionConfiguration'
Prelude.<$> (x Data..:? "kmsKey")
Prelude.<*> (x Data..: "encryptionType")
)
instance Prelude.Hashable EncryptionConfiguration where
hashWithSalt _salt EncryptionConfiguration' {..} =
_salt
`Prelude.hashWithSalt` kmsKey
`Prelude.hashWithSalt` encryptionType
instance Prelude.NFData EncryptionConfiguration where
rnf EncryptionConfiguration' {..} =
Prelude.rnf kmsKey
`Prelude.seq` Prelude.rnf encryptionType
instance Data.ToJSON EncryptionConfiguration where
toJSON EncryptionConfiguration' {..} =
Data.object
( Prelude.catMaybes
[ ("kmsKey" Data..=) Prelude.<$> kmsKey,
Prelude.Just
("encryptionType" Data..= encryptionType)
]
)