packages feed

amazonka-kinesis-firehose-2.0: gen/Amazonka/Firehose/Types/DeliveryStreamEncryptionConfigurationInput.hs

{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.Firehose.Types.DeliveryStreamEncryptionConfigurationInput
-- Copyright   : (c) 2013-2023 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
module Amazonka.Firehose.Types.DeliveryStreamEncryptionConfigurationInput where

import qualified Amazonka.Core as Core
import qualified Amazonka.Core.Lens.Internal as Lens
import qualified Amazonka.Data as Data
import Amazonka.Firehose.Types.KeyType
import qualified Amazonka.Prelude as Prelude

-- | Specifies the type and Amazon Resource Name (ARN) of the CMK to use for
-- Server-Side Encryption (SSE).
--
-- /See:/ 'newDeliveryStreamEncryptionConfigurationInput' smart constructor.
data DeliveryStreamEncryptionConfigurationInput = DeliveryStreamEncryptionConfigurationInput'
  { -- | If you set @KeyType@ to @CUSTOMER_MANAGED_CMK@, you must specify the
    -- Amazon Resource Name (ARN) of the CMK. If you set @KeyType@ to
    -- @Amazon Web Services_OWNED_CMK@, Kinesis Data Firehose uses a
    -- service-account CMK.
    keyARN :: Prelude.Maybe Prelude.Text,
    -- | Indicates the type of customer master key (CMK) to use for encryption.
    -- The default setting is @Amazon Web Services_OWNED_CMK@. For more
    -- information about CMKs, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys Customer Master Keys (CMKs)>.
    -- When you invoke CreateDeliveryStream or StartDeliveryStreamEncryption
    -- with @KeyType@ set to CUSTOMER_MANAGED_CMK, Kinesis Data Firehose
    -- invokes the Amazon KMS operation
    -- <https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html CreateGrant>
    -- to create a grant that allows the Kinesis Data Firehose service to use
    -- the customer managed CMK to perform encryption and decryption. Kinesis
    -- Data Firehose manages that grant.
    --
    -- When you invoke StartDeliveryStreamEncryption to change the CMK for a
    -- delivery stream that is encrypted with a customer managed CMK, Kinesis
    -- Data Firehose schedules the grant it had on the old CMK for retirement.
    --
    -- You can use a CMK of type CUSTOMER_MANAGED_CMK to encrypt up to 500
    -- delivery streams. If a CreateDeliveryStream or
    -- StartDeliveryStreamEncryption operation exceeds this limit, Kinesis Data
    -- Firehose throws a @LimitExceededException@.
    --
    -- To encrypt your delivery stream, use symmetric CMKs. Kinesis Data
    -- Firehose doesn\'t support asymmetric CMKs. For information about
    -- symmetric and asymmetric CMKs, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html About Symmetric and Asymmetric CMKs>
    -- in the Amazon Web Services Key Management Service developer guide.
    keyType :: KeyType
  }
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)

-- |
-- Create a value of 'DeliveryStreamEncryptionConfigurationInput' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'keyARN', 'deliveryStreamEncryptionConfigurationInput_keyARN' - If you set @KeyType@ to @CUSTOMER_MANAGED_CMK@, you must specify the
-- Amazon Resource Name (ARN) of the CMK. If you set @KeyType@ to
-- @Amazon Web Services_OWNED_CMK@, Kinesis Data Firehose uses a
-- service-account CMK.
--
-- 'keyType', 'deliveryStreamEncryptionConfigurationInput_keyType' - Indicates the type of customer master key (CMK) to use for encryption.
-- The default setting is @Amazon Web Services_OWNED_CMK@. For more
-- information about CMKs, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys Customer Master Keys (CMKs)>.
-- When you invoke CreateDeliveryStream or StartDeliveryStreamEncryption
-- with @KeyType@ set to CUSTOMER_MANAGED_CMK, Kinesis Data Firehose
-- invokes the Amazon KMS operation
-- <https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html CreateGrant>
-- to create a grant that allows the Kinesis Data Firehose service to use
-- the customer managed CMK to perform encryption and decryption. Kinesis
-- Data Firehose manages that grant.
--
-- When you invoke StartDeliveryStreamEncryption to change the CMK for a
-- delivery stream that is encrypted with a customer managed CMK, Kinesis
-- Data Firehose schedules the grant it had on the old CMK for retirement.
--
-- You can use a CMK of type CUSTOMER_MANAGED_CMK to encrypt up to 500
-- delivery streams. If a CreateDeliveryStream or
-- StartDeliveryStreamEncryption operation exceeds this limit, Kinesis Data
-- Firehose throws a @LimitExceededException@.
--
-- To encrypt your delivery stream, use symmetric CMKs. Kinesis Data
-- Firehose doesn\'t support asymmetric CMKs. For information about
-- symmetric and asymmetric CMKs, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html About Symmetric and Asymmetric CMKs>
-- in the Amazon Web Services Key Management Service developer guide.
newDeliveryStreamEncryptionConfigurationInput ::
  -- | 'keyType'
  KeyType ->
  DeliveryStreamEncryptionConfigurationInput
newDeliveryStreamEncryptionConfigurationInput
  pKeyType_ =
    DeliveryStreamEncryptionConfigurationInput'
      { keyARN =
          Prelude.Nothing,
        keyType = pKeyType_
      }

-- | If you set @KeyType@ to @CUSTOMER_MANAGED_CMK@, you must specify the
-- Amazon Resource Name (ARN) of the CMK. If you set @KeyType@ to
-- @Amazon Web Services_OWNED_CMK@, Kinesis Data Firehose uses a
-- service-account CMK.
deliveryStreamEncryptionConfigurationInput_keyARN :: Lens.Lens' DeliveryStreamEncryptionConfigurationInput (Prelude.Maybe Prelude.Text)
deliveryStreamEncryptionConfigurationInput_keyARN = Lens.lens (\DeliveryStreamEncryptionConfigurationInput' {keyARN} -> keyARN) (\s@DeliveryStreamEncryptionConfigurationInput' {} a -> s {keyARN = a} :: DeliveryStreamEncryptionConfigurationInput)

-- | Indicates the type of customer master key (CMK) to use for encryption.
-- The default setting is @Amazon Web Services_OWNED_CMK@. For more
-- information about CMKs, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys Customer Master Keys (CMKs)>.
-- When you invoke CreateDeliveryStream or StartDeliveryStreamEncryption
-- with @KeyType@ set to CUSTOMER_MANAGED_CMK, Kinesis Data Firehose
-- invokes the Amazon KMS operation
-- <https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html CreateGrant>
-- to create a grant that allows the Kinesis Data Firehose service to use
-- the customer managed CMK to perform encryption and decryption. Kinesis
-- Data Firehose manages that grant.
--
-- When you invoke StartDeliveryStreamEncryption to change the CMK for a
-- delivery stream that is encrypted with a customer managed CMK, Kinesis
-- Data Firehose schedules the grant it had on the old CMK for retirement.
--
-- You can use a CMK of type CUSTOMER_MANAGED_CMK to encrypt up to 500
-- delivery streams. If a CreateDeliveryStream or
-- StartDeliveryStreamEncryption operation exceeds this limit, Kinesis Data
-- Firehose throws a @LimitExceededException@.
--
-- To encrypt your delivery stream, use symmetric CMKs. Kinesis Data
-- Firehose doesn\'t support asymmetric CMKs. For information about
-- symmetric and asymmetric CMKs, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html About Symmetric and Asymmetric CMKs>
-- in the Amazon Web Services Key Management Service developer guide.
deliveryStreamEncryptionConfigurationInput_keyType :: Lens.Lens' DeliveryStreamEncryptionConfigurationInput KeyType
deliveryStreamEncryptionConfigurationInput_keyType = Lens.lens (\DeliveryStreamEncryptionConfigurationInput' {keyType} -> keyType) (\s@DeliveryStreamEncryptionConfigurationInput' {} a -> s {keyType = a} :: DeliveryStreamEncryptionConfigurationInput)

instance
  Prelude.Hashable
    DeliveryStreamEncryptionConfigurationInput
  where
  hashWithSalt
    _salt
    DeliveryStreamEncryptionConfigurationInput' {..} =
      _salt
        `Prelude.hashWithSalt` keyARN
        `Prelude.hashWithSalt` keyType

instance
  Prelude.NFData
    DeliveryStreamEncryptionConfigurationInput
  where
  rnf DeliveryStreamEncryptionConfigurationInput' {..} =
    Prelude.rnf keyARN
      `Prelude.seq` Prelude.rnf keyType

instance
  Data.ToJSON
    DeliveryStreamEncryptionConfigurationInput
  where
  toJSON
    DeliveryStreamEncryptionConfigurationInput' {..} =
      Data.object
        ( Prelude.catMaybes
            [ ("KeyARN" Data..=) Prelude.<$> keyARN,
              Prelude.Just ("KeyType" Data..= keyType)
            ]
        )