amazonka-iam-1.3.4: gen/Network/AWS/IAM/SimulateCustomPolicy.hs
{-# LANGUAGE DeriveDataTypeable #-}
{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE TypeFamilies #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-binds #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}
-- Derived from AWS service descriptions, licensed under Apache 2.0.
-- |
-- Module : Network.AWS.IAM.SimulateCustomPolicy
-- Copyright : (c) 2013-2015 Brendan Hay
-- License : Mozilla Public License, v. 2.0.
-- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>
-- Stability : auto-generated
-- Portability : non-portable (GHC extensions)
--
-- Simulate how a set of IAM policies and optionally a resource-based
-- policy works with a list of API actions and AWS resources to determine
-- the policies\' effective permissions. The policies are provided as
-- strings.
--
-- The simulation does not perform the API actions; it only checks the
-- authorization to determine if the simulated policies allow or deny the
-- actions.
--
-- If you want to simulate existing policies attached to an IAM user,
-- group, or role, use SimulatePrincipalPolicy instead.
--
-- Context keys are variables maintained by AWS and its services that
-- provide details about the context of an API query request. You can use
-- the 'Condition' element of an IAM policy to evaluate context keys. To
-- get the list of context keys that the policies require for correct
-- simulation, use GetContextKeysForCustomPolicy.
--
-- If the output is long, you can use 'MaxItems' and 'Marker' parameters to
-- paginate the results.
--
-- /See:/ <http://docs.aws.amazon.com/IAM/latest/APIReference/API_SimulateCustomPolicy.html AWS API Reference> for SimulateCustomPolicy.
module Network.AWS.IAM.SimulateCustomPolicy
(
-- * Creating a Request
simulateCustomPolicy
, SimulateCustomPolicy
-- * Request Lenses
, scpResourcePolicy
, scpCallerARN
, scpResourceARNs
, scpMarker
, scpMaxItems
, scpContextEntries
, scpResourceOwner
, scpPolicyInputList
, scpActionNames
-- * Destructuring the Response
, simulatePolicyResponse
, SimulatePolicyResponse
-- * Response Lenses
, spEvaluationResults
, spMarker
, spIsTruncated
) where
import Network.AWS.IAM.Types
import Network.AWS.IAM.Types.Product
import Network.AWS.Prelude
import Network.AWS.Request
import Network.AWS.Response
-- | /See:/ 'simulateCustomPolicy' smart constructor.
data SimulateCustomPolicy = SimulateCustomPolicy'
{ _scpResourcePolicy :: !(Maybe Text)
, _scpCallerARN :: !(Maybe Text)
, _scpResourceARNs :: !(Maybe [Text])
, _scpMarker :: !(Maybe Text)
, _scpMaxItems :: !(Maybe Nat)
, _scpContextEntries :: !(Maybe [ContextEntry])
, _scpResourceOwner :: !(Maybe Text)
, _scpPolicyInputList :: ![Text]
, _scpActionNames :: ![Text]
} deriving (Eq,Read,Show,Data,Typeable,Generic)
-- | Creates a value of 'SimulateCustomPolicy' with the minimum fields required to make a request.
--
-- Use one of the following lenses to modify other fields as desired:
--
-- * 'scpResourcePolicy'
--
-- * 'scpCallerARN'
--
-- * 'scpResourceARNs'
--
-- * 'scpMarker'
--
-- * 'scpMaxItems'
--
-- * 'scpContextEntries'
--
-- * 'scpResourceOwner'
--
-- * 'scpPolicyInputList'
--
-- * 'scpActionNames'
simulateCustomPolicy
:: SimulateCustomPolicy
simulateCustomPolicy =
SimulateCustomPolicy'
{ _scpResourcePolicy = Nothing
, _scpCallerARN = Nothing
, _scpResourceARNs = Nothing
, _scpMarker = Nothing
, _scpMaxItems = Nothing
, _scpContextEntries = Nothing
, _scpResourceOwner = Nothing
, _scpPolicyInputList = mempty
, _scpActionNames = mempty
}
-- | A resource-based policy to include in the simulation provided as a
-- string. Each resource in the simulation is treated as if it had this
-- policy attached. You can include only one resource-based policy in a
-- simulation.
scpResourcePolicy :: Lens' SimulateCustomPolicy (Maybe Text)
scpResourcePolicy = lens _scpResourcePolicy (\ s a -> s{_scpResourcePolicy = a});
-- | The ARN of the user that you want to use as the simulated caller of the
-- APIs. 'CallerArn' is required if you include a 'ResourcePolicy' so that
-- the policy\'s 'Principal' element has a value to use in evaluating the
-- policy.
--
-- You can specify only the ARN of an IAM user. You cannot specify the ARN
-- of an assumed role, federated user, or a service principal.
scpCallerARN :: Lens' SimulateCustomPolicy (Maybe Text)
scpCallerARN = lens _scpCallerARN (\ s a -> s{_scpCallerARN = a});
-- | A list of ARNs of AWS resources to include in the simulation. If this
-- parameter is not provided then the value defaults to '*' (all
-- resources). Each API in the 'ActionNames' parameter is evaluated for
-- each resource in this list. The simulation determines the access result
-- (allowed or denied) of each combination and reports it in the response.
--
-- The simulation does not automatically retrieve policies for the
-- specified resources. If you want to include a resource policy in the
-- simulation, then you must include the policy as a string in the
-- 'ResourcePolicy' parameter.
--
-- If you include a 'ResourcePolicy', then it must be applicable to all of
-- the resources included in the simulation or you receive an invalid input
-- error.
scpResourceARNs :: Lens' SimulateCustomPolicy [Text]
scpResourceARNs = lens _scpResourceARNs (\ s a -> s{_scpResourceARNs = a}) . _Default . _Coerce;
-- | Use this parameter only when paginating results and only after you
-- receive a response indicating that the results are truncated. Set it to
-- the value of the 'Marker' element in the response that you received to
-- indicate where the next call should start.
scpMarker :: Lens' SimulateCustomPolicy (Maybe Text)
scpMarker = lens _scpMarker (\ s a -> s{_scpMarker = a});
-- | Use this only when paginating results to indicate the maximum number of
-- items you want in the response. If additional items exist beyond the
-- maximum you specify, the 'IsTruncated' response element is 'true'.
--
-- This parameter is optional. If you do not include it, it defaults to
-- 100. Note that IAM might return fewer results, even when there are more
-- results available. In that case, the 'IsTruncated' response element
-- returns 'true' and 'Marker' contains a value to include in the
-- subsequent call that tells the service where to continue from.
scpMaxItems :: Lens' SimulateCustomPolicy (Maybe Natural)
scpMaxItems = lens _scpMaxItems (\ s a -> s{_scpMaxItems = a}) . mapping _Nat;
-- | A list of context keys and corresponding values for the simulation to
-- use. Whenever a context key is evaluated by a 'Condition' element in one
-- of the simulated IAM permission policies, the corresponding value is
-- supplied.
scpContextEntries :: Lens' SimulateCustomPolicy [ContextEntry]
scpContextEntries = lens _scpContextEntries (\ s a -> s{_scpContextEntries = a}) . _Default . _Coerce;
-- | An AWS account ID that specifies the owner of any simulated resource
-- that does not identify its owner in the resource ARN, such as an S3
-- bucket or object. If 'ResourceOwner' is specified, it is also used as
-- the account owner of any 'ResourcePolicy' included in the simulation. If
-- the 'ResourceOwner' parameter is not specified, then the owner of the
-- resources and the resource policy defaults to the account of the
-- identity provided in 'CallerArn'. This parameter is required only if you
-- specify a resource-based policy and account that owns the resource is
-- different from the account that owns the simulated calling user
-- 'CallerArn'.
scpResourceOwner :: Lens' SimulateCustomPolicy (Maybe Text)
scpResourceOwner = lens _scpResourceOwner (\ s a -> s{_scpResourceOwner = a});
-- | A list of policy documents to include in the simulation. Each document
-- is specified as a string containing the complete, valid JSON text of an
-- IAM policy. Do not include any resource-based policies in this
-- parameter. Any resource-based policy must be submitted with the
-- 'ResourcePolicy' parameter. The policies cannot be \"scope-down\"
-- policies, such as you could include in a call to
-- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_GetFederationToken.html GetFederationToken>
-- or one of the
-- <http://docs.aws.amazon.com/IAM/latest/APIReference/API_AssumeRole.html AssumeRole>
-- APIs to restrict what a user can do while using the temporary
-- credentials.
scpPolicyInputList :: Lens' SimulateCustomPolicy [Text]
scpPolicyInputList = lens _scpPolicyInputList (\ s a -> s{_scpPolicyInputList = a}) . _Coerce;
-- | A list of names of API actions to evaluate in the simulation. Each
-- action is evaluated against each resource. Each action must include the
-- service identifier, such as 'iam:CreateUser'.
scpActionNames :: Lens' SimulateCustomPolicy [Text]
scpActionNames = lens _scpActionNames (\ s a -> s{_scpActionNames = a}) . _Coerce;
instance AWSRequest SimulateCustomPolicy where
type Rs SimulateCustomPolicy = SimulatePolicyResponse
request = postQuery iAM
response
= receiveXMLWrapper "SimulateCustomPolicyResult"
(\ s h x -> parseXML x)
instance ToHeaders SimulateCustomPolicy where
toHeaders = const mempty
instance ToPath SimulateCustomPolicy where
toPath = const "/"
instance ToQuery SimulateCustomPolicy where
toQuery SimulateCustomPolicy'{..}
= mconcat
["Action" =: ("SimulateCustomPolicy" :: ByteString),
"Version" =: ("2010-05-08" :: ByteString),
"ResourcePolicy" =: _scpResourcePolicy,
"CallerArn" =: _scpCallerARN,
"ResourceArns" =:
toQuery (toQueryList "member" <$> _scpResourceARNs),
"Marker" =: _scpMarker, "MaxItems" =: _scpMaxItems,
"ContextEntries" =:
toQuery
(toQueryList "member" <$> _scpContextEntries),
"ResourceOwner" =: _scpResourceOwner,
"PolicyInputList" =:
toQueryList "member" _scpPolicyInputList,
"ActionNames" =:
toQueryList "member" _scpActionNames]