From f5dd8e769fd5abbbf7465895e3b0f0a182c0de33 Mon Sep 17 00:00:00 2001 From: Niels de Vos Date: Thu, 17 Jun 2021 09:46:32 +0200 Subject: [PATCH] rebase: update github.com/aws/aws-sdk-go to latest version Signed-off-by: Niels de Vos --- go.mod | 2 +- go.sum | 4 +- .../aws/aws-sdk-go/aws/endpoints/defaults.go | 88 +- .../github.com/aws/aws-sdk-go/aws/version.go | 2 +- .../aws/aws-sdk-go/service/ec2/api.go | 1267 ++++++++++++- .../aws/aws-sdk-go/service/kms/api.go | 1614 ++++++++++++++--- vendor/modules.txt | 2 +- 7 files changed, 2607 insertions(+), 372 deletions(-) diff --git a/go.mod b/go.mod index 1913bff58..d7eeb74fe 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/ceph/ceph-csi go 1.16 require ( - github.com/aws/aws-sdk-go v1.38.54 + github.com/aws/aws-sdk-go v1.38.63 github.com/ceph/go-ceph v0.10.0 github.com/container-storage-interface/spec v1.5.0 github.com/csi-addons/replication-lib-utils v0.2.0 diff --git a/go.sum b/go.sum index a4d5b720d..6c051fe43 100644 --- a/go.sum +++ b/go.sum @@ -141,8 +141,8 @@ github.com/aws/aws-sdk-go v1.27.0/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN github.com/aws/aws-sdk-go v1.28.2/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= github.com/aws/aws-sdk-go v1.35.24/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k= -github.com/aws/aws-sdk-go v1.38.54 h1:fsiNnyso3kIWmUdCSYZt/4oodinY6O6biM1CJMsdYpc= -github.com/aws/aws-sdk-go v1.38.54/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= +github.com/aws/aws-sdk-go v1.38.63 h1:BqPxe0sujTRTbir6OWj0f1VmeJcAIv7ZhTCAhaU1zmE= +github.com/aws/aws-sdk-go v1.38.63/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= github.com/aws/aws-sdk-go-v2 v0.18.0/go.mod h1:JWVYvqSMppoMJC0x5wdwiImzgXTI9FuZwxzkQq9wy+g= github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc= github.com/bazelbuild/bazel-gazelle v0.18.2/go.mod h1:D0ehMSbS+vesFsLGiD6JXu3mVEzOlfUl8wNnq+x/9p0= diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go index 9d1266d5d..fc4988738 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go @@ -32,6 +32,7 @@ const ( EuWest1RegionID = "eu-west-1" // Europe (Ireland). EuWest2RegionID = "eu-west-2" // Europe (London). EuWest3RegionID = "eu-west-3" // Europe (Paris). + InAmazon1RegionID = "in-amazon-1" // India (Begumpet). MeSouth1RegionID = "me-south-1" // Middle East (Bahrain). SaEast1RegionID = "sa-east-1" // South America (Sao Paulo). UsEast1RegionID = "us-east-1" // US East (N. Virginia). @@ -100,7 +101,7 @@ var awsPartition = partition{ DNSSuffix: "amazonaws.com", RegionRegex: regionRegex{ Regexp: func() *regexp.Regexp { - reg, _ := regexp.Compile("^(us|eu|ap|sa|ca|me|af)\\-\\w+\\-\\d+$") + reg, _ := regexp.Compile("^(us|eu|ap|sa|ca|me|af|in)\\-\\w+\\-\\d+$") return reg }(), }, @@ -155,6 +156,9 @@ var awsPartition = partition{ "eu-west-3": region{ Description: "Europe (Paris)", }, + "in-amazon-1": region{ + Description: "India (Begumpet)", + }, "me-south-1": region{ Description: "Middle East (Bahrain)", }, @@ -1615,11 +1619,12 @@ var awsPartition = partition{ Region: "us-west-2", }, }, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, "cognito-idp": service{ @@ -1660,11 +1665,12 @@ var awsPartition = partition{ Region: "us-west-2", }, }, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, "cognito-sync": service{ @@ -6845,9 +6851,15 @@ var awsPartition = partition{ "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, - "me-south-1": endpoint{}, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, + "in-amazon-1": endpoint{ + Hostname: "sts.ap-south-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ap-south-1", + }, + }, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, "us-east-1-fips": endpoint{ Hostname: "sts-fips.us-east-1.amazonaws.com", CredentialScope: credentialScope{ @@ -7171,6 +7183,12 @@ var awsPartition = partition{ Region: "ap-northeast-2", }, }, + "ap-northeast-3": endpoint{ + Hostname: "waf-regional.ap-northeast-3.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ap-northeast-3", + }, + }, "ap-south-1": endpoint{ Hostname: "waf-regional.ap-south-1.amazonaws.com", CredentialScope: credentialScope{ @@ -7255,6 +7273,12 @@ var awsPartition = partition{ Region: "ap-northeast-2", }, }, + "fips-ap-northeast-3": endpoint{ + Hostname: "waf-regional-fips.ap-northeast-3.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ap-northeast-3", + }, + }, "fips-ap-south-1": endpoint{ Hostname: "waf-regional-fips.ap-south-1.amazonaws.com", CredentialScope: credentialScope{ @@ -8391,6 +8415,42 @@ var awscnPartition = partition{ }, }, }, + "transfer": service{ + + Endpoints: endpoints{ + "cn-north-1": endpoint{}, + "cn-northwest-1": endpoint{}, + }, + }, + "waf-regional": service{ + + Endpoints: endpoints{ + "cn-north-1": endpoint{ + Hostname: "waf-regional.cn-north-1.amazonaws.com.cn", + CredentialScope: credentialScope{ + Region: "cn-north-1", + }, + }, + "cn-northwest-1": endpoint{ + Hostname: "waf-regional.cn-northwest-1.amazonaws.com.cn", + CredentialScope: credentialScope{ + Region: "cn-northwest-1", + }, + }, + "fips-cn-north-1": endpoint{ + Hostname: "waf-regional-fips.cn-north-1.amazonaws.com.cn", + CredentialScope: credentialScope{ + Region: "cn-north-1", + }, + }, + "fips-cn-northwest-1": endpoint{ + Hostname: "waf-regional-fips.cn-northwest-1.amazonaws.com.cn", + CredentialScope: credentialScope{ + Region: "cn-northwest-1", + }, + }, + }, + }, "workspaces": service{ Endpoints: endpoints{ diff --git a/vendor/github.com/aws/aws-sdk-go/aws/version.go b/vendor/github.com/aws/aws-sdk-go/aws/version.go index 572b480d2..f31a01db9 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/version.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go @@ -5,4 +5,4 @@ package aws const SDKName = "aws-sdk-go" // SDKVersion is the version of this SDK -const SDKVersion = "1.38.54" +const SDKVersion = "1.38.63" diff --git a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go index 4e8d63f28..425ed0792 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go +++ b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go @@ -515,19 +515,20 @@ func (c *EC2) AdvertiseByoipCidrRequest(input *AdvertiseByoipCidrInput) (req *re // AdvertiseByoipCidr API operation for Amazon Elastic Compute Cloud. // // Advertises an IPv4 or IPv6 address range that is provisioned for use with -// your AWS resources through bring your own IP addresses (BYOIP). +// your Amazon Web Services resources through bring your own IP addresses (BYOIP). // // You can perform this operation at most once every 10 seconds, even if you // specify different address ranges each time. // // We recommend that you stop advertising the BYOIP CIDR from other locations -// when you advertise it from AWS. To minimize down time, you can configure -// your AWS resources to use an address from a BYOIP CIDR before it is advertised, -// and then simultaneously stop advertising it from the current location and -// start advertising it through AWS. +// when you advertise it from Amazon Web Services. To minimize down time, you +// can configure your Amazon Web Services resources to use an address from a +// BYOIP CIDR before it is advertised, and then simultaneously stop advertising +// it from the current location and start advertising it through Amazon Web +// Services. // // It can take a few minutes before traffic to the specified addresses starts -// routing to AWS because of BGP propagation delays. +// routing to Amazon Web Services because of BGP propagation delays. // // To stop advertising the BYOIP CIDR, use WithdrawByoipCidr. // @@ -603,22 +604,22 @@ func (c *EC2) AllocateAddressRequest(input *AllocateAddressInput) (req *request. // AllocateAddress API operation for Amazon Elastic Compute Cloud. // -// Allocates an Elastic IP address to your AWS account. After you allocate the -// Elastic IP address you can associate it with an instance or network interface. -// After you release an Elastic IP address, it is released to the IP address -// pool and can be allocated to a different AWS account. +// Allocates an Elastic IP address to your account. After you allocate the Elastic +// IP address you can associate it with an instance or network interface. After +// you release an Elastic IP address, it is released to the IP address pool +// and can be allocated to a different account. // -// You can allocate an Elastic IP address from an address pool owned by AWS -// or from an address pool created from a public IPv4 address range that you -// have brought to AWS for use with your AWS resources using bring your own -// IP addresses (BYOIP). For more information, see Bring Your Own IP Addresses -// (BYOIP) (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html) +// You can allocate an Elastic IP address from an address pool owned by Amazon +// Web Services or from an address pool created from a public IPv4 address range +// that you have brought to Amazon Web Services for use with your Amazon Web +// Services resources using bring your own IP addresses (BYOIP). For more information, +// see Bring Your Own IP Addresses (BYOIP) (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html) // in the Amazon Elastic Compute Cloud User Guide. // // [EC2-VPC] If you release an Elastic IP address, you might be able to recover // it. You cannot recover an Elastic IP address that you released after it is -// allocated to another AWS account. You cannot recover an Elastic IP address -// for EC2-Classic. To attempt to recover an Elastic IP address that you released, +// allocated to another account. You cannot recover an Elastic IP address for +// EC2-Classic. To attempt to recover an Elastic IP address that you released, // specify it in this operation. // // An Elastic IP address is for use either in the EC2-Classic platform or in @@ -1743,6 +1744,88 @@ func (c *EC2) AssociateTransitGatewayRouteTableWithContext(ctx aws.Context, inpu return out, req.Send() } +const opAssociateTrunkInterface = "AssociateTrunkInterface" + +// AssociateTrunkInterfaceRequest generates a "aws/request.Request" representing the +// client's request for the AssociateTrunkInterface operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See AssociateTrunkInterface for more information on using the AssociateTrunkInterface +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the AssociateTrunkInterfaceRequest method. +// req, resp := client.AssociateTrunkInterfaceRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/AssociateTrunkInterface +func (c *EC2) AssociateTrunkInterfaceRequest(input *AssociateTrunkInterfaceInput) (req *request.Request, output *AssociateTrunkInterfaceOutput) { + op := &request.Operation{ + Name: opAssociateTrunkInterface, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &AssociateTrunkInterfaceInput{} + } + + output = &AssociateTrunkInterfaceOutput{} + req = c.newRequest(op, input, output) + return +} + +// AssociateTrunkInterface API operation for Amazon Elastic Compute Cloud. +// +// Associates a branch network interface with a trunk network interface. +// +// Before you create the association, run the create-network-interface (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkInterface.html) +// command and set --interface-type to trunk. You must also create a network +// interface for each branch network interface that you want to associate with +// the trunk network interface. +// +// For more information, see Network interface trunking (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/eni-trunking.html) +// in the Amazon Elastic Compute Cloud User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation AssociateTrunkInterface for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/AssociateTrunkInterface +func (c *EC2) AssociateTrunkInterface(input *AssociateTrunkInterfaceInput) (*AssociateTrunkInterfaceOutput, error) { + req, out := c.AssociateTrunkInterfaceRequest(input) + return out, req.Send() +} + +// AssociateTrunkInterfaceWithContext is the same as AssociateTrunkInterface with the addition of +// the ability to pass a context and additional request options. +// +// See AssociateTrunkInterface for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) AssociateTrunkInterfaceWithContext(ctx aws.Context, input *AssociateTrunkInterfaceInput, opts ...request.Option) (*AssociateTrunkInterfaceOutput, error) { + req, out := c.AssociateTrunkInterfaceRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opAssociateVpcCidrBlock = "AssociateVpcCidrBlock" // AssociateVpcCidrBlockRequest generates a "aws/request.Request" representing the @@ -5336,12 +5419,22 @@ func (c *EC2) CreateNatGatewayRequest(input *CreateNatGatewayInput) (req *reques // CreateNatGateway API operation for Amazon Elastic Compute Cloud. // -// Creates a NAT gateway in the specified public subnet. This action creates -// a network interface in the specified subnet with a private IP address from -// the IP address range of the subnet. Internet-bound traffic from a private -// subnet can be routed to the NAT gateway, therefore enabling instances in -// the private subnet to connect to the internet. For more information, see -// NAT Gateways (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) +// Creates a NAT gateway in the specified subnet. This action creates a network +// interface in the specified subnet with a private IP address from the IP address +// range of the subnet. You can create either a public NAT gateway or a private +// NAT gateway. +// +// With a public NAT gateway, internet-bound traffic from a private subnet can +// be routed to the NAT gateway, so that instances in a private subnet can connect +// to the internet. +// +// With a private NAT gateway, private communication is routed across VPCs and +// on-premises networks through a transit gateway or virtual private gateway. +// Common use cases include running large workloads behind a small pool of allowlisted +// IPv4 addresses, preserving private IPv4 addresses, and communicating between +// overlapping networks. +// +// For more information, see NAT Gateways (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -5741,11 +5834,11 @@ func (c *EC2) CreateNetworkInterfacePermissionRequest(input *CreateNetworkInterf // CreateNetworkInterfacePermission API operation for Amazon Elastic Compute Cloud. // -// Grants an AWS-authorized account permission to attach the specified network -// interface to an instance in their account. +// Grants an Amazon Web Services-authorized account permission to attach the +// specified network interface to an instance in their account. // -// You can grant permission to a single AWS account only, and only one account -// at a time. +// You can grant permission to a single account only, and only one account at +// a time. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -10031,9 +10124,10 @@ func (c *EC2) DeleteNatGatewayRequest(input *DeleteNatGatewayInput) (req *reques // DeleteNatGateway API operation for Amazon Elastic Compute Cloud. // -// Deletes the specified NAT gateway. Deleting a NAT gateway disassociates its -// Elastic IP address, but does not release the address from your account. Deleting -// a NAT gateway does not delete any NAT gateway routes in your route tables. +// Deletes the specified NAT gateway. Deleting a public NAT gateway disassociates +// its Elastic IP address, but does not release the address from your account. +// Deleting a NAT gateway does not delete any NAT gateway routes in your route +// tables. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -12961,8 +13055,8 @@ func (c *EC2) DeprovisionByoipCidrRequest(input *DeprovisionByoipCidrInput) (req // DeprovisionByoipCidr API operation for Amazon Elastic Compute Cloud. // // Releases the specified address range that you provisioned for use with your -// AWS resources through bring your own IP addresses (BYOIP) and deletes the -// corresponding address pool. +// Amazon Web Services resources through bring your own IP addresses (BYOIP) +// and deletes the corresponding address pool. // // Before you can release an address range, you must stop advertising it using // WithdrawByoipCidr and you must not have any IP addresses allocated from its @@ -17507,8 +17601,8 @@ func (c *EC2) DescribeImagesRequest(input *DescribeImagesInput) (req *request.Re // // Recently deregistered images appear in the returned results for a short interval // and then return empty results. After all instances that reference a deregistered -// AMI are terminated, specifying the ID of the image results in an error indicating -// that the AMI ID cannot be found. +// AMI are terminated, specifying the ID of the image will eventually return +// an error indicating that the AMI ID cannot be found. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -20136,7 +20230,8 @@ func (c *EC2) DescribeManagedPrefixListsRequest(input *DescribeManagedPrefixList // DescribeManagedPrefixLists API operation for Amazon Elastic Compute Cloud. // -// Describes your managed prefix lists and any AWS-managed prefix lists. +// Describes your managed prefix lists and any Amazon Web Services-managed prefix +// lists. // // To view the entries for your prefix list, use GetManagedPrefixListEntries. // @@ -21350,9 +21445,9 @@ func (c *EC2) DescribePrefixListsRequest(input *DescribePrefixListsInput) (req * // DescribePrefixLists API operation for Amazon Elastic Compute Cloud. // -// Describes available AWS services in a prefix list format, which includes -// the prefix list name and prefix list ID of the service and the IP address -// range for the service. +// Describes available Amazon Web Services services in a prefix list format, +// which includes the prefix list name and prefix list ID of the service and +// the IP address range for the service. // // We recommend that you use DescribeManagedPrefixLists instead. // @@ -25930,6 +26025,80 @@ func (c *EC2) DescribeTransitGatewaysPagesWithContext(ctx aws.Context, input *De return p.Err() } +const opDescribeTrunkInterfaceAssociations = "DescribeTrunkInterfaceAssociations" + +// DescribeTrunkInterfaceAssociationsRequest generates a "aws/request.Request" representing the +// client's request for the DescribeTrunkInterfaceAssociations operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeTrunkInterfaceAssociations for more information on using the DescribeTrunkInterfaceAssociations +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeTrunkInterfaceAssociationsRequest method. +// req, resp := client.DescribeTrunkInterfaceAssociationsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeTrunkInterfaceAssociations +func (c *EC2) DescribeTrunkInterfaceAssociationsRequest(input *DescribeTrunkInterfaceAssociationsInput) (req *request.Request, output *DescribeTrunkInterfaceAssociationsOutput) { + op := &request.Operation{ + Name: opDescribeTrunkInterfaceAssociations, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DescribeTrunkInterfaceAssociationsInput{} + } + + output = &DescribeTrunkInterfaceAssociationsOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeTrunkInterfaceAssociations API operation for Amazon Elastic Compute Cloud. +// +// Describes one or more network interface trunk associations. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DescribeTrunkInterfaceAssociations for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeTrunkInterfaceAssociations +func (c *EC2) DescribeTrunkInterfaceAssociations(input *DescribeTrunkInterfaceAssociationsInput) (*DescribeTrunkInterfaceAssociationsOutput, error) { + req, out := c.DescribeTrunkInterfaceAssociationsRequest(input) + return out, req.Send() +} + +// DescribeTrunkInterfaceAssociationsWithContext is the same as DescribeTrunkInterfaceAssociations with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeTrunkInterfaceAssociations for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeTrunkInterfaceAssociationsWithContext(ctx aws.Context, input *DescribeTrunkInterfaceAssociationsInput, opts ...request.Option) (*DescribeTrunkInterfaceAssociationsOutput, error) { + req, out := c.DescribeTrunkInterfaceAssociationsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opDescribeVolumeAttribute = "DescribeVolumeAttribute" // DescribeVolumeAttributeRequest generates a "aws/request.Request" representing the @@ -28464,6 +28633,83 @@ func (c *EC2) DisableFastSnapshotRestoresWithContext(ctx aws.Context, input *Dis return out, req.Send() } +const opDisableImageDeprecation = "DisableImageDeprecation" + +// DisableImageDeprecationRequest generates a "aws/request.Request" representing the +// client's request for the DisableImageDeprecation operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DisableImageDeprecation for more information on using the DisableImageDeprecation +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DisableImageDeprecationRequest method. +// req, resp := client.DisableImageDeprecationRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DisableImageDeprecation +func (c *EC2) DisableImageDeprecationRequest(input *DisableImageDeprecationInput) (req *request.Request, output *DisableImageDeprecationOutput) { + op := &request.Operation{ + Name: opDisableImageDeprecation, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DisableImageDeprecationInput{} + } + + output = &DisableImageDeprecationOutput{} + req = c.newRequest(op, input, output) + return +} + +// DisableImageDeprecation API operation for Amazon Elastic Compute Cloud. +// +// Cancels the deprecation of the specified AMI. +// +// For more information, see Deprecate an AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html) +// in the Amazon Elastic Compute Cloud User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DisableImageDeprecation for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DisableImageDeprecation +func (c *EC2) DisableImageDeprecation(input *DisableImageDeprecationInput) (*DisableImageDeprecationOutput, error) { + req, out := c.DisableImageDeprecationRequest(input) + return out, req.Send() +} + +// DisableImageDeprecationWithContext is the same as DisableImageDeprecation with the addition of +// the ability to pass a context and additional request options. +// +// See DisableImageDeprecation for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DisableImageDeprecationWithContext(ctx aws.Context, input *DisableImageDeprecationInput, opts ...request.Option) (*DisableImageDeprecationOutput, error) { + req, out := c.DisableImageDeprecationRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opDisableSerialConsoleAccess = "DisableSerialConsoleAccess" // DisableSerialConsoleAccessRequest generates a "aws/request.Request" representing the @@ -29475,6 +29721,81 @@ func (c *EC2) DisassociateTransitGatewayRouteTableWithContext(ctx aws.Context, i return out, req.Send() } +const opDisassociateTrunkInterface = "DisassociateTrunkInterface" + +// DisassociateTrunkInterfaceRequest generates a "aws/request.Request" representing the +// client's request for the DisassociateTrunkInterface operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DisassociateTrunkInterface for more information on using the DisassociateTrunkInterface +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DisassociateTrunkInterfaceRequest method. +// req, resp := client.DisassociateTrunkInterfaceRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DisassociateTrunkInterface +func (c *EC2) DisassociateTrunkInterfaceRequest(input *DisassociateTrunkInterfaceInput) (req *request.Request, output *DisassociateTrunkInterfaceOutput) { + op := &request.Operation{ + Name: opDisassociateTrunkInterface, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DisassociateTrunkInterfaceInput{} + } + + output = &DisassociateTrunkInterfaceOutput{} + req = c.newRequest(op, input, output) + return +} + +// DisassociateTrunkInterface API operation for Amazon Elastic Compute Cloud. +// +// Removes an association between a branch network interface with a trunk network +// interface. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DisassociateTrunkInterface for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DisassociateTrunkInterface +func (c *EC2) DisassociateTrunkInterface(input *DisassociateTrunkInterfaceInput) (*DisassociateTrunkInterfaceOutput, error) { + req, out := c.DisassociateTrunkInterfaceRequest(input) + return out, req.Send() +} + +// DisassociateTrunkInterfaceWithContext is the same as DisassociateTrunkInterface with the addition of +// the ability to pass a context and additional request options. +// +// See DisassociateTrunkInterface for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DisassociateTrunkInterfaceWithContext(ctx aws.Context, input *DisassociateTrunkInterfaceInput, opts ...request.Option) (*DisassociateTrunkInterfaceOutput, error) { + req, out := c.DisassociateTrunkInterfaceRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opDisassociateVpcCidrBlock = "DisassociateVpcCidrBlock" // DisassociateVpcCidrBlockRequest generates a "aws/request.Request" representing the @@ -29727,6 +30048,83 @@ func (c *EC2) EnableFastSnapshotRestoresWithContext(ctx aws.Context, input *Enab return out, req.Send() } +const opEnableImageDeprecation = "EnableImageDeprecation" + +// EnableImageDeprecationRequest generates a "aws/request.Request" representing the +// client's request for the EnableImageDeprecation operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See EnableImageDeprecation for more information on using the EnableImageDeprecation +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the EnableImageDeprecationRequest method. +// req, resp := client.EnableImageDeprecationRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EnableImageDeprecation +func (c *EC2) EnableImageDeprecationRequest(input *EnableImageDeprecationInput) (req *request.Request, output *EnableImageDeprecationOutput) { + op := &request.Operation{ + Name: opEnableImageDeprecation, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &EnableImageDeprecationInput{} + } + + output = &EnableImageDeprecationOutput{} + req = c.newRequest(op, input, output) + return +} + +// EnableImageDeprecation API operation for Amazon Elastic Compute Cloud. +// +// Enables deprecation of the specified AMI at the specified date and time. +// +// For more information, see Deprecate an AMI (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ami-deprecate.html) +// in the Amazon Elastic Compute Cloud User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation EnableImageDeprecation for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/EnableImageDeprecation +func (c *EC2) EnableImageDeprecation(input *EnableImageDeprecationInput) (*EnableImageDeprecationOutput, error) { + req, out := c.EnableImageDeprecationRequest(input) + return out, req.Send() +} + +// EnableImageDeprecationWithContext is the same as EnableImageDeprecation with the addition of +// the ability to pass a context and additional request options. +// +// See EnableImageDeprecation for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) EnableImageDeprecationWithContext(ctx aws.Context, input *EnableImageDeprecationInput, opts ...request.Option) (*EnableImageDeprecationOutput, error) { + req, out := c.EnableImageDeprecationRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opEnableSerialConsoleAccess = "EnableSerialConsoleAccess" // EnableSerialConsoleAccessRequest generates a "aws/request.Request" representing the @@ -37167,16 +37565,16 @@ func (c *EC2) ProvisionByoipCidrRequest(input *ProvisionByoipCidrInput) (req *re // ProvisionByoipCidr API operation for Amazon Elastic Compute Cloud. // -// Provisions an IPv4 or IPv6 address range for use with your AWS resources -// through bring your own IP addresses (BYOIP) and creates a corresponding address -// pool. After the address range is provisioned, it is ready to be advertised +// Provisions an IPv4 or IPv6 address range for use with your Amazon Web Services +// resources through bring your own IP addresses (BYOIP) and creates a corresponding +// address pool. After the address range is provisioned, it is ready to be advertised // using AdvertiseByoipCidr. // -// AWS verifies that you own the address range and are authorized to advertise -// it. You must ensure that the address range is registered to you and that -// you created an RPKI ROA to authorize Amazon ASNs 16509 and 14618 to advertise -// the address range. For more information, see Bring Your Own IP Addresses -// (BYOIP) (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html) +// Amazon Web Services verifies that you own the address range and are authorized +// to advertise it. You must ensure that the address range is registered to +// you and that you created an RPKI ROA to authorize Amazon ASNs 16509 and 14618 +// to advertise the address range. For more information, see Bring your own +// IP addresses (BYOIP) (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html) // in the Amazon Elastic Compute Cloud User Guide. // // Provisioning an address range is an asynchronous operation, so the call returns @@ -38349,7 +38747,7 @@ func (c *EC2) ReleaseAddressRequest(input *ReleaseAddressInput) (req *request.Re // Be sure to update your DNS records and any servers or devices that communicate // with the address. If you attempt to release an Elastic IP address that you // already released, you'll get an AuthFailure error if the address is already -// allocated to another AWS account. +// allocated to another account. // // [EC2-VPC] After you release an Elastic IP address for use in a VPC, you might // be able to recover it. For more information, see AllocateAddress. @@ -41771,7 +42169,7 @@ func (c *EC2) WithdrawByoipCidrRequest(input *WithdrawByoipCidrInput) (req *requ // specify different address ranges each time. // // It can take a few minutes before traffic to the specified addresses stops -// routing to AWS because of BGP propagation delays. +// routing to Amazon Web Services because of BGP propagation delays. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -42461,7 +42859,7 @@ type Address struct { // The ID of the network interface. NetworkInterfaceId *string `locationName:"networkInterfaceId" type:"string"` - // The ID of the AWS account that owns the network interface. + // The ID of the account that owns the network interface. NetworkInterfaceOwnerId *string `locationName:"networkInterfaceOwnerId" type:"string"` // The private IP address associated with the Elastic IP address. @@ -42797,8 +43195,8 @@ func (s *AllocateAddressInput) SetTagSpecifications(v []*TagSpecification) *Allo type AllocateAddressOutput struct { _ struct{} `type:"structure"` - // [EC2-VPC] The ID that AWS assigns to represent the allocation of the Elastic - // IP address for use with instances in a VPC. + // [EC2-VPC] The ID that Amazon Web Services assigns to represent the allocation + // of the Elastic IP address for use with instances in a VPC. AllocationId *string `locationName:"allocationId" type:"string"` // The carrier IP address. This option is only available for network interfaces @@ -44694,6 +45092,132 @@ func (s *AssociateTransitGatewayRouteTableOutput) SetAssociation(v *TransitGatew return s } +type AssociateTrunkInterfaceInput struct { + _ struct{} `type:"structure"` + + // The ID of the branch network interface. + // + // BranchInterfaceId is a required field + BranchInterfaceId *string `type:"string" required:"true"` + + // Unique, case-sensitive identifier that you provide to ensure the idempotency + // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html). + ClientToken *string `type:"string" idempotencyToken:"true"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The application key. This applies to the GRE protocol. + GreKey *int64 `type:"integer"` + + // The ID of the trunk network interface. + // + // TrunkInterfaceId is a required field + TrunkInterfaceId *string `type:"string" required:"true"` + + // The ID of the VLAN. This applies to the VLAN protocol. + VlanId *int64 `type:"integer"` +} + +// String returns the string representation +func (s AssociateTrunkInterfaceInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AssociateTrunkInterfaceInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *AssociateTrunkInterfaceInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "AssociateTrunkInterfaceInput"} + if s.BranchInterfaceId == nil { + invalidParams.Add(request.NewErrParamRequired("BranchInterfaceId")) + } + if s.TrunkInterfaceId == nil { + invalidParams.Add(request.NewErrParamRequired("TrunkInterfaceId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetBranchInterfaceId sets the BranchInterfaceId field's value. +func (s *AssociateTrunkInterfaceInput) SetBranchInterfaceId(v string) *AssociateTrunkInterfaceInput { + s.BranchInterfaceId = &v + return s +} + +// SetClientToken sets the ClientToken field's value. +func (s *AssociateTrunkInterfaceInput) SetClientToken(v string) *AssociateTrunkInterfaceInput { + s.ClientToken = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *AssociateTrunkInterfaceInput) SetDryRun(v bool) *AssociateTrunkInterfaceInput { + s.DryRun = &v + return s +} + +// SetGreKey sets the GreKey field's value. +func (s *AssociateTrunkInterfaceInput) SetGreKey(v int64) *AssociateTrunkInterfaceInput { + s.GreKey = &v + return s +} + +// SetTrunkInterfaceId sets the TrunkInterfaceId field's value. +func (s *AssociateTrunkInterfaceInput) SetTrunkInterfaceId(v string) *AssociateTrunkInterfaceInput { + s.TrunkInterfaceId = &v + return s +} + +// SetVlanId sets the VlanId field's value. +func (s *AssociateTrunkInterfaceInput) SetVlanId(v int64) *AssociateTrunkInterfaceInput { + s.VlanId = &v + return s +} + +type AssociateTrunkInterfaceOutput struct { + _ struct{} `type:"structure"` + + // Unique, case-sensitive identifier that you provide to ensure the idempotency + // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html). + ClientToken *string `locationName:"clientToken" type:"string"` + + // Information about the association between the trunk network interface and + // branch network interface. + InterfaceAssociation *TrunkInterfaceAssociation `locationName:"interfaceAssociation" type:"structure"` +} + +// String returns the string representation +func (s AssociateTrunkInterfaceOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AssociateTrunkInterfaceOutput) GoString() string { + return s.String() +} + +// SetClientToken sets the ClientToken field's value. +func (s *AssociateTrunkInterfaceOutput) SetClientToken(v string) *AssociateTrunkInterfaceOutput { + s.ClientToken = &v + return s +} + +// SetInterfaceAssociation sets the InterfaceAssociation field's value. +func (s *AssociateTrunkInterfaceOutput) SetInterfaceAssociation(v *TrunkInterfaceAssociation) *AssociateTrunkInterfaceOutput { + s.InterfaceAssociation = v + return s +} + type AssociateVpcCidrBlockInput struct { _ struct{} `type:"structure"` @@ -46519,7 +47043,7 @@ func (s *BundleTaskError) SetMessage(v string) *BundleTaskError { } // Information about an address range that is provisioned for use with your -// AWS resources through bring your own IP addresses (BYOIP). +// Amazon Web Services resources through bring your own IP addresses (BYOIP). type ByoipCidr struct { _ struct{} `type:"structure"` @@ -47952,9 +48476,8 @@ func (s *CertificateAuthenticationRequest) SetClientRootCertificateChainArn(v st } // Provides authorization for Amazon to bring a specific IP address range to -// a specific AWS account using bring your own IP addresses (BYOIP). For more -// information, see Prepare to Bring Your Address Range to Your AWS Account -// (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#prepare-for-byoip) +// a specific account using bring your own IP addresses (BYOIP). For more information, +// see Configuring your BYOIP address range (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#prepare-for-byoip) // in the Amazon Elastic Compute Cloud User Guide. type CidrAuthorizationContext struct { _ struct{} `type:"structure"` @@ -53066,12 +53589,11 @@ func (s *CreateManagedPrefixListOutput) SetPrefixList(v *ManagedPrefixList) *Cre type CreateNatGatewayInput struct { _ struct{} `type:"structure"` - // The allocation ID of an Elastic IP address to associate with the NAT gateway. - // If the Elastic IP address is associated with another resource, you must first - // disassociate it. - // - // AllocationId is a required field - AllocationId *string `type:"string" required:"true"` + // [Public NAT gateways only] The allocation ID of an Elastic IP address to + // associate with the NAT gateway. You cannot specify an Elastic IP address + // with a private NAT gateway. If the Elastic IP address is associated with + // another resource, you must first disassociate it. + AllocationId *string `type:"string"` // Unique, case-sensitive identifier that you provide to ensure the idempotency // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). @@ -53079,6 +53601,10 @@ type CreateNatGatewayInput struct { // Constraint: Maximum 64 ASCII characters. ClientToken *string `type:"string" idempotencyToken:"true"` + // Indicates whether the NAT gateway supports public or private connectivity. + // The default is public connectivity. + ConnectivityType *string `type:"string" enum:"ConnectivityType"` + // Checks whether you have the required permissions for the action, without // actually making the request, and provides an error response. If you have // the required permissions, the error response is DryRunOperation. Otherwise, @@ -53107,9 +53633,6 @@ func (s CreateNatGatewayInput) GoString() string { // Validate inspects the fields of the type to determine if they are valid. func (s *CreateNatGatewayInput) Validate() error { invalidParams := request.ErrInvalidParams{Context: "CreateNatGatewayInput"} - if s.AllocationId == nil { - invalidParams.Add(request.NewErrParamRequired("AllocationId")) - } if s.SubnetId == nil { invalidParams.Add(request.NewErrParamRequired("SubnetId")) } @@ -53132,6 +53655,12 @@ func (s *CreateNatGatewayInput) SetClientToken(v string) *CreateNatGatewayInput return s } +// SetConnectivityType sets the ConnectivityType field's value. +func (s *CreateNatGatewayInput) SetConnectivityType(v string) *CreateNatGatewayInput { + s.ConnectivityType = &v + return s +} + // SetDryRun sets the DryRun field's value. func (s *CreateNatGatewayInput) SetDryRun(v bool) *CreateNatGatewayInput { s.DryRun = &v @@ -53608,7 +54137,10 @@ type CreateNetworkInterfaceInput struct { // Indicates the type of network interface. To create an Elastic Fabric Adapter // (EFA), specify efa. For more information, see Elastic Fabric Adapter (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa.html) - // in the Amazon Elastic Compute Cloud User Guide. + // in the Amazon Elastic Compute Cloud User Guide. To create a trunk network + // interface, specify efa. For more information, see Network interface trunking + // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/eni-trunking.html) in + // the Amazon Elastic Compute Cloud User Guide. InterfaceType *string `type:"string" enum:"NetworkInterfaceCreationType"` // The number of IPv6 addresses to assign to a network interface. Amazon EC2 @@ -53785,10 +54317,10 @@ func (s *CreateNetworkInterfaceOutput) SetNetworkInterface(v *NetworkInterface) type CreateNetworkInterfacePermissionInput struct { _ struct{} `type:"structure"` - // The AWS account ID. + // The account ID. AwsAccountId *string `type:"string"` - // The AWS service. Currently not supported. + // The Amazon Web Service. Currently not supported. AwsService *string `type:"string"` // Checks whether you have the required permissions for the action, without @@ -63211,12 +63743,12 @@ type DescribeAddressesInput struct { // if any. // // * network-border-group - A unique set of Availability Zones, Local Zones, - // or Wavelength Zones from where AWS advertises IP addresses. + // or Wavelength Zones from where Amazon Web Services advertises IP addresses. // // * network-interface-id - [EC2-VPC] The ID of the network interface that // the address is associated with, if any. // - // * network-interface-owner-id - The AWS account ID of the owner. + // * network-interface-owner-id - The account ID of the owner. // // * private-ip-address - [EC2-VPC] The private IP address associated with // the Elastic IP address. @@ -67434,6 +67966,14 @@ type DescribeImagesInput struct { // Default: Describes all images available to you. ImageIds []*string `locationName:"ImageId" locationNameList:"ImageId" type:"list"` + // If true, all deprecated AMIs are included in the response. If false, no deprecated + // AMIs are included in the response. If no value is specified, the default + // value is false. + // + // If you are the AMI owner, all deprecated AMIs appear in the response regardless + // of the value (true or false) that you set for this parameter. + IncludeDeprecated *bool `type:"boolean"` + // Scopes the results to images with the specified owners. You can specify a // combination of AWS account IDs, self, amazon, and aws-marketplace. If you // omit this parameter, the results include all images for which you have launch @@ -67475,6 +68015,12 @@ func (s *DescribeImagesInput) SetImageIds(v []*string) *DescribeImagesInput { return s } +// SetIncludeDeprecated sets the IncludeDeprecated field's value. +func (s *DescribeImagesInput) SetIncludeDeprecated(v bool) *DescribeImagesInput { + s.IncludeDeprecated = &v + return s +} + // SetOwners sets the Owners field's value. func (s *DescribeImagesInput) SetOwners(v []*string) *DescribeImagesInput { s.Owners = v @@ -71222,9 +71768,9 @@ type DescribeNetworkInterfacePermissionsInput struct { // * network-interface-permission.network-interface-id - The ID of the network // interface. // - // * network-interface-permission.aws-account-id - The AWS account ID. + // * network-interface-permission.aws-account-id - The account ID. // - // * network-interface-permission.aws-service - The AWS service. + // * network-interface-permission.aws-service - The Amazon Web Service. // // * network-interface-permission.permission - The type of permission (INSTANCE-ATTACH // | EIP-ASSOCIATE). @@ -71397,19 +71943,19 @@ type DescribeNetworkInterfacesInput struct { // // * network-interface-id - The ID of the network interface. // - // * owner-id - The AWS account ID of the network interface owner. + // * owner-id - The account ID of the network interface owner. // // * private-ip-address - The private IPv4 address or addresses of the network // interface. // // * private-dns-name - The private DNS name of the network interface (IPv4). // - // * requester-id - The alias or AWS account ID of the principal or service - // that created the network interface. + // * requester-id - The alias or account ID of the principal or service that + // created the network interface. // // * requester-managed - Indicates whether the network interface is being - // managed by an AWS service (for example, AWS Management Console, Auto Scaling, - // and so on). + // managed by an Amazon Web Service (for example, Management Console, Auto + // Scaling, and so on). // // * source-dest-check - Indicates whether the network interface performs // source/destination checking. A value of true means checking is enabled, @@ -76348,6 +76894,120 @@ func (s *DescribeTransitGatewaysOutput) SetTransitGateways(v []*TransitGateway) return s } +type DescribeTrunkInterfaceAssociationsInput struct { + _ struct{} `type:"structure"` + + // The IDs of the associations. + AssociationIds []*string `locationName:"AssociationId" locationNameList:"item" type:"list"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // One or more filters. + // + // * gre-key - The ID of a trunk interface association. + // + // * interface-protocol - The interface protocol. Valid values are VLAN and + // GRE. + Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` + + // The maximum number of results to return with a single call. To retrieve the + // remaining results, make another call with the returned nextToken value. + MaxResults *int64 `min:"5" type:"integer"` + + // The token for the next page of results. + NextToken *string `type:"string"` +} + +// String returns the string representation +func (s DescribeTrunkInterfaceAssociationsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeTrunkInterfaceAssociationsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeTrunkInterfaceAssociationsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeTrunkInterfaceAssociationsInput"} + if s.MaxResults != nil && *s.MaxResults < 5 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 5)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAssociationIds sets the AssociationIds field's value. +func (s *DescribeTrunkInterfaceAssociationsInput) SetAssociationIds(v []*string) *DescribeTrunkInterfaceAssociationsInput { + s.AssociationIds = v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *DescribeTrunkInterfaceAssociationsInput) SetDryRun(v bool) *DescribeTrunkInterfaceAssociationsInput { + s.DryRun = &v + return s +} + +// SetFilters sets the Filters field's value. +func (s *DescribeTrunkInterfaceAssociationsInput) SetFilters(v []*Filter) *DescribeTrunkInterfaceAssociationsInput { + s.Filters = v + return s +} + +// SetMaxResults sets the MaxResults field's value. +func (s *DescribeTrunkInterfaceAssociationsInput) SetMaxResults(v int64) *DescribeTrunkInterfaceAssociationsInput { + s.MaxResults = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeTrunkInterfaceAssociationsInput) SetNextToken(v string) *DescribeTrunkInterfaceAssociationsInput { + s.NextToken = &v + return s +} + +type DescribeTrunkInterfaceAssociationsOutput struct { + _ struct{} `type:"structure"` + + // Information about the trunk associations. + InterfaceAssociations []*TrunkInterfaceAssociation `locationName:"interfaceAssociationSet" locationNameList:"item" type:"list"` + + // The token to use to retrieve the next page of results. This value is null + // when there are no more results to return. + NextToken *string `locationName:"nextToken" type:"string"` +} + +// String returns the string representation +func (s DescribeTrunkInterfaceAssociationsOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeTrunkInterfaceAssociationsOutput) GoString() string { + return s.String() +} + +// SetInterfaceAssociations sets the InterfaceAssociations field's value. +func (s *DescribeTrunkInterfaceAssociationsOutput) SetInterfaceAssociations(v []*TrunkInterfaceAssociation) *DescribeTrunkInterfaceAssociationsOutput { + s.InterfaceAssociations = v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeTrunkInterfaceAssociationsOutput) SetNextToken(v string) *DescribeTrunkInterfaceAssociationsOutput { + s.NextToken = &v + return s +} + type DescribeVolumeAttributeInput struct { _ struct{} `type:"structure"` @@ -79269,6 +79929,79 @@ func (s *DisableFastSnapshotRestoresOutput) SetUnsuccessful(v []*DisableFastSnap return s } +type DisableImageDeprecationInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The ID of the AMI. + // + // ImageId is a required field + ImageId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s DisableImageDeprecationInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisableImageDeprecationInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DisableImageDeprecationInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DisableImageDeprecationInput"} + if s.ImageId == nil { + invalidParams.Add(request.NewErrParamRequired("ImageId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DisableImageDeprecationInput) SetDryRun(v bool) *DisableImageDeprecationInput { + s.DryRun = &v + return s +} + +// SetImageId sets the ImageId field's value. +func (s *DisableImageDeprecationInput) SetImageId(v string) *DisableImageDeprecationInput { + s.ImageId = &v + return s +} + +type DisableImageDeprecationOutput struct { + _ struct{} `type:"structure"` + + // Returns true if the request succeeds; otherwise, it returns an error. + Return *bool `locationName:"return" type:"boolean"` +} + +// String returns the string representation +func (s DisableImageDeprecationOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisableImageDeprecationOutput) GoString() string { + return s.String() +} + +// SetReturn sets the Return field's value. +func (s *DisableImageDeprecationOutput) SetReturn(v bool) *DisableImageDeprecationOutput { + s.Return = &v + return s +} + type DisableSerialConsoleAccessInput struct { _ struct{} `type:"structure"` @@ -80201,6 +80934,99 @@ func (s *DisassociateTransitGatewayRouteTableOutput) SetAssociation(v *TransitGa return s } +type DisassociateTrunkInterfaceInput struct { + _ struct{} `type:"structure"` + + // The ID ofthe association + // + // AssociationId is a required field + AssociationId *string `type:"string" required:"true"` + + // Unique, case-sensitive identifier that you provide to ensure the idempotency + // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html). + ClientToken *string `type:"string" idempotencyToken:"true"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` +} + +// String returns the string representation +func (s DisassociateTrunkInterfaceInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisassociateTrunkInterfaceInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DisassociateTrunkInterfaceInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DisassociateTrunkInterfaceInput"} + if s.AssociationId == nil { + invalidParams.Add(request.NewErrParamRequired("AssociationId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAssociationId sets the AssociationId field's value. +func (s *DisassociateTrunkInterfaceInput) SetAssociationId(v string) *DisassociateTrunkInterfaceInput { + s.AssociationId = &v + return s +} + +// SetClientToken sets the ClientToken field's value. +func (s *DisassociateTrunkInterfaceInput) SetClientToken(v string) *DisassociateTrunkInterfaceInput { + s.ClientToken = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *DisassociateTrunkInterfaceInput) SetDryRun(v bool) *DisassociateTrunkInterfaceInput { + s.DryRun = &v + return s +} + +type DisassociateTrunkInterfaceOutput struct { + _ struct{} `type:"structure"` + + // Unique, case-sensitive identifier that you provide to ensure the idempotency + // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html). + ClientToken *string `locationName:"clientToken" type:"string"` + + // Returns true if the request succeeds; otherwise, it returns an error. + Return *bool `locationName:"return" type:"boolean"` +} + +// String returns the string representation +func (s DisassociateTrunkInterfaceOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisassociateTrunkInterfaceOutput) GoString() string { + return s.String() +} + +// SetClientToken sets the ClientToken field's value. +func (s *DisassociateTrunkInterfaceOutput) SetClientToken(v string) *DisassociateTrunkInterfaceOutput { + s.ClientToken = &v + return s +} + +// SetReturn sets the Return field's value. +func (s *DisassociateTrunkInterfaceOutput) SetReturn(v bool) *DisassociateTrunkInterfaceOutput { + s.Return = &v + return s +} + type DisassociateVpcCidrBlockInput struct { _ struct{} `type:"structure"` @@ -81748,6 +82574,98 @@ func (s *EnableFastSnapshotRestoresOutput) SetUnsuccessful(v []*EnableFastSnapsh return s } +type EnableImageDeprecationInput struct { + _ struct{} `type:"structure"` + + // The date and time to deprecate the AMI, in UTC, in the following format: + // YYYY-MM-DDTHH:MM:SSZ. If you specify a value for seconds, Amazon EC2 rounds + // the seconds to the nearest minute. + // + // You can’t specify a date in the past. The upper limit for DeprecateAt is + // 10 years from now. + // + // DeprecateAt is a required field + DeprecateAt *time.Time `type:"timestamp" required:"true"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The ID of the AMI. + // + // ImageId is a required field + ImageId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s EnableImageDeprecationInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EnableImageDeprecationInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *EnableImageDeprecationInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "EnableImageDeprecationInput"} + if s.DeprecateAt == nil { + invalidParams.Add(request.NewErrParamRequired("DeprecateAt")) + } + if s.ImageId == nil { + invalidParams.Add(request.NewErrParamRequired("ImageId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDeprecateAt sets the DeprecateAt field's value. +func (s *EnableImageDeprecationInput) SetDeprecateAt(v time.Time) *EnableImageDeprecationInput { + s.DeprecateAt = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *EnableImageDeprecationInput) SetDryRun(v bool) *EnableImageDeprecationInput { + s.DryRun = &v + return s +} + +// SetImageId sets the ImageId field's value. +func (s *EnableImageDeprecationInput) SetImageId(v string) *EnableImageDeprecationInput { + s.ImageId = &v + return s +} + +type EnableImageDeprecationOutput struct { + _ struct{} `type:"structure"` + + // Returns true if the request succeeds; otherwise, it returns an error. + Return *bool `locationName:"return" type:"boolean"` +} + +// String returns the string representation +func (s EnableImageDeprecationOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s EnableImageDeprecationOutput) GoString() string { + return s.String() +} + +// SetReturn sets the Return field's value. +func (s *EnableImageDeprecationOutput) SetReturn(v bool) *EnableImageDeprecationOutput { + s.Return = &v + return s +} + type EnableSerialConsoleAccessInput struct { _ struct{} `type:"structure"` @@ -88436,6 +89354,11 @@ type Image struct { // The date and time the image was created. CreationDate *string `locationName:"creationDate" type:"string"` + // The date and time to deprecate the AMI, in UTC, in the following format: + // YYYY-MM-DDTHH:MM:SSZ. If you specified a value for seconds, Amazon EC2 rounds + // the seconds to the nearest minute. + DeprecationTime *string `locationName:"deprecationTime" type:"string"` + // The description of the AMI that was provided during image creation. Description *string `locationName:"description" type:"string"` @@ -88555,6 +89478,12 @@ func (s *Image) SetCreationDate(v string) *Image { return s } +// SetDeprecationTime sets the DeprecationTime field's value. +func (s *Image) SetDeprecationTime(v string) *Image { + s.DeprecationTime = &v + return s +} + // SetDescription sets the Description field's value. func (s *Image) SetDescription(v string) *Image { s.Description = &v @@ -91412,7 +92341,7 @@ type InstanceNetworkInterface struct { // Describes the type of network interface. // - // Valid values: interface | efa + // Valid values: interface | efa | trunk InterfaceType *string `locationName:"interfaceType" type:"string"` // One or more IPv6 addresses associated with the network interface. @@ -91424,7 +92353,7 @@ type InstanceNetworkInterface struct { // The ID of the network interface. NetworkInterfaceId *string `locationName:"networkInterfaceId" type:"string"` - // The ID of the AWS account that created the network interface. + // The ID of the account that created the network interface. OwnerId *string `locationName:"ownerId" type:"string"` // The private DNS name. @@ -91683,7 +92612,8 @@ type InstanceNetworkInterfaceSpecification struct { // // You can only assign a carrier IP address to a network interface that is in // a subnet in a Wavelength Zone. For more information about carrier IP addresses, - // see Carrier IP addresses in the AWS Wavelength Developer Guide. + // see Carrier IP addresses in the Amazon Web Services Wavelength Developer + // Guide. AssociateCarrierIpAddress *bool `type:"boolean"` // Indicates whether to assign a public IPv4 address to an instance you launch @@ -91719,8 +92649,6 @@ type InstanceNetworkInterfaceSpecification struct { // see Elastic Fabric Adapter (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/efa.html) // in the Amazon Elastic Compute Cloud User Guide. // - // If you are not creating an EFA, specify interface or omit this parameter. - // // Valid values: interface | efa InterfaceType *string `type:"string"` @@ -101997,6 +102925,9 @@ func (s *MovingAddressStatus) SetPublicIp(v string) *MovingAddressStatus { type NatGateway struct { _ struct{} `type:"structure"` + // Indicates whether the NAT gateway supports public or private connectivity. + ConnectivityType *string `locationName:"connectivityType" type:"string" enum:"ConnectivityType"` + // The date and time the NAT gateway was created. CreateTime *time.Time `locationName:"createTime" type:"timestamp"` @@ -102081,6 +103012,12 @@ func (s NatGateway) GoString() string { return s.String() } +// SetConnectivityType sets the ConnectivityType field's value. +func (s *NatGateway) SetConnectivityType(v string) *NatGateway { + s.ConnectivityType = &v + return s +} + // SetCreateTime sets the CreateTime field's value. func (s *NatGateway) SetCreateTime(v time.Time) *NatGateway { s.CreateTime = &v @@ -102151,17 +103088,18 @@ func (s *NatGateway) SetVpcId(v string) *NatGateway { type NatGatewayAddress struct { _ struct{} `type:"structure"` - // The allocation ID of the Elastic IP address that's associated with the NAT - // gateway. + // [Public NAT gateway only] The allocation ID of the Elastic IP address that's + // associated with the NAT gateway. AllocationId *string `locationName:"allocationId" type:"string"` // The ID of the network interface associated with the NAT gateway. NetworkInterfaceId *string `locationName:"networkInterfaceId" type:"string"` - // The private IP address associated with the Elastic IP address. + // The private IP address associated with the NAT gateway. PrivateIp *string `locationName:"privateIp" type:"string"` - // The Elastic IP address associated with the NAT gateway. + // [Public NAT gateway only] The Elastic IP address associated with the NAT + // gateway. PublicIp *string `locationName:"publicIp" type:"string"` } @@ -102838,7 +103776,7 @@ type NetworkInterface struct { // The Amazon Resource Name (ARN) of the Outpost. OutpostArn *string `locationName:"outpostArn" type:"string"` - // The AWS account ID of the owner of the network interface. + // The account ID of the owner of the network interface. OwnerId *string `locationName:"ownerId" type:"string"` // The private DNS name. @@ -102850,11 +103788,11 @@ type NetworkInterface struct { // The private IPv4 addresses associated with the network interface. PrivateIpAddresses []*NetworkInterfacePrivateIpAddress `locationName:"privateIpAddressesSet" locationNameList:"item" type:"list"` - // The alias or AWS account ID of the principal or service that created the - // network interface. + // The alias or account ID of the principal or service that created the network + // interface. RequesterId *string `locationName:"requesterId" type:"string"` - // Indicates whether the network interface is being managed by AWS. + // Indicates whether the network interface is being managed by Amazon Web Services. RequesterManaged *bool `locationName:"requesterManaged" type:"boolean"` // Indicates whether source/destination checking is enabled. @@ -103111,7 +104049,7 @@ type NetworkInterfaceAttachment struct { // The ID of the instance. InstanceId *string `locationName:"instanceId" type:"string"` - // The AWS account ID of the owner of the instance. + // The account ID of the owner of the instance. InstanceOwnerId *string `locationName:"instanceOwnerId" type:"string"` // The index of the network card. @@ -103240,10 +104178,10 @@ func (s *NetworkInterfaceIpv6Address) SetIpv6Address(v string) *NetworkInterface type NetworkInterfacePermission struct { _ struct{} `type:"structure"` - // The AWS account ID. + // The account ID. AwsAccountId *string `locationName:"awsAccountId" type:"string"` - // The AWS service. + // The Amazon Web Service. AwsService *string `locationName:"awsService" type:"string"` // The ID of the network interface. @@ -104488,11 +105426,11 @@ func (s *PortRange) SetTo(v int64) *PortRange { return s } -// Describes prefixes for AWS services. +// Describes prefixes for Amazon Web Services services. type PrefixList struct { _ struct{} `type:"structure"` - // The IP address range of the AWS service. + // The IP address range of the Amazon Web Service. Cidrs []*string `locationName:"cidrSet" locationNameList:"item" type:"list"` // The ID of the prefix. @@ -105256,7 +106194,7 @@ type PublicIpv4Pool struct { // The name of the location from which the address pool is advertised. A network // border group is a unique set of Availability Zones or Local Zones from where - // AWS advertises public IP addresses. + // Amazon Web Services advertises public IP addresses. NetworkBorderGroup *string `locationName:"networkBorderGroup" type:"string"` // The address ranges. @@ -120642,6 +121580,85 @@ func (s *TransitGatewayVpcAttachmentOptions) SetIpv6Support(v string) *TransitGa return s } +// Information about an association between a branch network interface with +// a trunk network interface. +type TrunkInterfaceAssociation struct { + _ struct{} `type:"structure"` + + // The ID of the association. + AssociationId *string `locationName:"associationId" type:"string"` + + // The ID of the branch network interface. + BranchInterfaceId *string `locationName:"branchInterfaceId" type:"string"` + + // The application key when you use the GRE protocol. + GreKey *int64 `locationName:"greKey" type:"integer"` + + // The interface protocol. Valid values are VLAN and GRE. + InterfaceProtocol *string `locationName:"interfaceProtocol" type:"string" enum:"InterfaceProtocolType"` + + // The tags. + Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` + + // The ID of the trunk network interface. + TrunkInterfaceId *string `locationName:"trunkInterfaceId" type:"string"` + + // The ID of the VLAN when you use the VLAN protocol. + VlanId *int64 `locationName:"vlanId" type:"integer"` +} + +// String returns the string representation +func (s TrunkInterfaceAssociation) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s TrunkInterfaceAssociation) GoString() string { + return s.String() +} + +// SetAssociationId sets the AssociationId field's value. +func (s *TrunkInterfaceAssociation) SetAssociationId(v string) *TrunkInterfaceAssociation { + s.AssociationId = &v + return s +} + +// SetBranchInterfaceId sets the BranchInterfaceId field's value. +func (s *TrunkInterfaceAssociation) SetBranchInterfaceId(v string) *TrunkInterfaceAssociation { + s.BranchInterfaceId = &v + return s +} + +// SetGreKey sets the GreKey field's value. +func (s *TrunkInterfaceAssociation) SetGreKey(v int64) *TrunkInterfaceAssociation { + s.GreKey = &v + return s +} + +// SetInterfaceProtocol sets the InterfaceProtocol field's value. +func (s *TrunkInterfaceAssociation) SetInterfaceProtocol(v string) *TrunkInterfaceAssociation { + s.InterfaceProtocol = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *TrunkInterfaceAssociation) SetTags(v []*Tag) *TrunkInterfaceAssociation { + s.Tags = v + return s +} + +// SetTrunkInterfaceId sets the TrunkInterfaceId field's value. +func (s *TrunkInterfaceAssociation) SetTrunkInterfaceId(v string) *TrunkInterfaceAssociation { + s.TrunkInterfaceId = &v + return s +} + +// SetVlanId sets the VlanId field's value. +func (s *TrunkInterfaceAssociation) SetVlanId(v int64) *TrunkInterfaceAssociation { + s.VlanId = &v + return s +} + // The VPN tunnel options. type TunnelOption struct { _ struct{} `type:"structure"` @@ -124966,6 +125983,22 @@ func ConnectionNotificationType_Values() []string { } } +const ( + // ConnectivityTypePrivate is a ConnectivityType enum value + ConnectivityTypePrivate = "private" + + // ConnectivityTypePublic is a ConnectivityType enum value + ConnectivityTypePublic = "public" +) + +// ConnectivityType_Values returns all elements of the ConnectivityType enum +func ConnectivityType_Values() []string { + return []string{ + ConnectivityTypePrivate, + ConnectivityTypePublic, + } +} + const ( // ContainerFormatOva is a ContainerFormat enum value ContainerFormatOva = "ova" @@ -127209,6 +128242,9 @@ const ( // InstanceTypeM5dn24xlarge is a InstanceType enum value InstanceTypeM5dn24xlarge = "m5dn.24xlarge" + // InstanceTypeM5dnMetal is a InstanceType enum value + InstanceTypeM5dnMetal = "m5dn.metal" + // InstanceTypeM5nLarge is a InstanceType enum value InstanceTypeM5nLarge = "m5n.large" @@ -127233,6 +128269,9 @@ const ( // InstanceTypeM5n24xlarge is a InstanceType enum value InstanceTypeM5n24xlarge = "m5n.24xlarge" + // InstanceTypeM5nMetal is a InstanceType enum value + InstanceTypeM5nMetal = "m5n.metal" + // InstanceTypeR5dnLarge is a InstanceType enum value InstanceTypeR5dnLarge = "r5dn.large" @@ -127257,6 +128296,9 @@ const ( // InstanceTypeR5dn24xlarge is a InstanceType enum value InstanceTypeR5dn24xlarge = "r5dn.24xlarge" + // InstanceTypeR5dnMetal is a InstanceType enum value + InstanceTypeR5dnMetal = "r5dn.metal" + // InstanceTypeR5nLarge is a InstanceType enum value InstanceTypeR5nLarge = "r5n.large" @@ -127281,6 +128323,9 @@ const ( // InstanceTypeR5n24xlarge is a InstanceType enum value InstanceTypeR5n24xlarge = "r5n.24xlarge" + // InstanceTypeR5nMetal is a InstanceType enum value + InstanceTypeR5nMetal = "r5n.metal" + // InstanceTypeInf1Xlarge is a InstanceType enum value InstanceTypeInf1Xlarge = "inf1.xlarge" @@ -127727,6 +128772,7 @@ func InstanceType_Values() []string { InstanceTypeM5dn12xlarge, InstanceTypeM5dn16xlarge, InstanceTypeM5dn24xlarge, + InstanceTypeM5dnMetal, InstanceTypeM5nLarge, InstanceTypeM5nXlarge, InstanceTypeM5n2xlarge, @@ -127735,6 +128781,7 @@ func InstanceType_Values() []string { InstanceTypeM5n12xlarge, InstanceTypeM5n16xlarge, InstanceTypeM5n24xlarge, + InstanceTypeM5nMetal, InstanceTypeR5dnLarge, InstanceTypeR5dnXlarge, InstanceTypeR5dn2xlarge, @@ -127743,6 +128790,7 @@ func InstanceType_Values() []string { InstanceTypeR5dn12xlarge, InstanceTypeR5dn16xlarge, InstanceTypeR5dn24xlarge, + InstanceTypeR5dnMetal, InstanceTypeR5nLarge, InstanceTypeR5nXlarge, InstanceTypeR5n2xlarge, @@ -127751,6 +128799,7 @@ func InstanceType_Values() []string { InstanceTypeR5n12xlarge, InstanceTypeR5n16xlarge, InstanceTypeR5n24xlarge, + InstanceTypeR5nMetal, InstanceTypeInf1Xlarge, InstanceTypeInf12xlarge, InstanceTypeInf16xlarge, @@ -127818,6 +128867,22 @@ func InterfacePermissionType_Values() []string { } } +const ( + // InterfaceProtocolTypeVlan is a InterfaceProtocolType enum value + InterfaceProtocolTypeVlan = "VLAN" + + // InterfaceProtocolTypeGre is a InterfaceProtocolType enum value + InterfaceProtocolTypeGre = "GRE" +) + +// InterfaceProtocolType_Values returns all elements of the InterfaceProtocolType enum +func InterfaceProtocolType_Values() []string { + return []string{ + InterfaceProtocolTypeVlan, + InterfaceProtocolTypeGre, + } +} + const ( // Ipv6SupportValueEnable is a Ipv6SupportValue enum value Ipv6SupportValueEnable = "enable" @@ -128197,12 +129262,20 @@ func NetworkInterfaceAttribute_Values() []string { const ( // NetworkInterfaceCreationTypeEfa is a NetworkInterfaceCreationType enum value NetworkInterfaceCreationTypeEfa = "efa" + + // NetworkInterfaceCreationTypeBranch is a NetworkInterfaceCreationType enum value + NetworkInterfaceCreationTypeBranch = "branch" + + // NetworkInterfaceCreationTypeTrunk is a NetworkInterfaceCreationType enum value + NetworkInterfaceCreationTypeTrunk = "trunk" ) // NetworkInterfaceCreationType_Values returns all elements of the NetworkInterfaceCreationType enum func NetworkInterfaceCreationType_Values() []string { return []string{ NetworkInterfaceCreationTypeEfa, + NetworkInterfaceCreationTypeBranch, + NetworkInterfaceCreationTypeTrunk, } } @@ -128267,6 +129340,9 @@ const ( // NetworkInterfaceTypeEfa is a NetworkInterfaceType enum value NetworkInterfaceTypeEfa = "efa" + + // NetworkInterfaceTypeTrunk is a NetworkInterfaceType enum value + NetworkInterfaceTypeTrunk = "trunk" ) // NetworkInterfaceType_Values returns all elements of the NetworkInterfaceType enum @@ -128275,6 +129351,7 @@ func NetworkInterfaceType_Values() []string { NetworkInterfaceTypeInterface, NetworkInterfaceTypeNatGateway, NetworkInterfaceTypeEfa, + NetworkInterfaceTypeTrunk, } } diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go index 0a9db87ab..1f3b5eae7 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go @@ -65,7 +65,7 @@ func (c *KMS) CancelKeyDeletionRequest(input *CancelKeyDeletionInput) (req *requ // in the AWS Key Management Service Developer Guide. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -374,17 +374,20 @@ func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request, // CreateAlias API operation for AWS Key Management Service. // -// Creates a friendly name for a customer master key (CMK). You can use an alias -// to identify a CMK in the AWS KMS console, in the DescribeKey operation and -// in cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations), -// such as Encrypt and GenerateDataKey. +// Creates a friendly name for a customer master key (CMK). // -// You can also change the CMK that's associated with the alias (UpdateAlias) -// or delete the alias (DeleteAlias) at any time. These operations don't affect -// the underlying CMK. +// Adding, deleting, or updating an alias can allow or deny permission to the +// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) +// in the AWS Key Management Service Developer Guide. +// +// You can use an alias to identify a CMK in the AWS KMS console, in the DescribeKey +// operation and in cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations), +// such as Encrypt and GenerateDataKey. You can also change the CMK that's associated +// with the alias (UpdateAlias) or delete the alias (DeleteAlias) at any time. +// These operations don't affect the underlying CMK. // // You can associate the alias with any customer managed CMK in the same AWS -// Region. Each alias is associated with only on CMK at a time, but a CMK can +// Region. Each alias is associated with only one CMK at a time, but a CMK can // have multiple aliases. A valid CMK is required. You can't create an alias // without a CMK. // @@ -397,7 +400,7 @@ func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request, // use the ListAliases operation. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on an alias in a @@ -715,36 +718,36 @@ func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request, // CreateGrant API operation for AWS Key Management Service. // -// Adds a grant to a customer master key (CMK). The grant allows the grantee -// principal to use the CMK when the conditions specified in the grant are met. -// When setting permissions, grants are an alternative to key policies. +// Adds a grant to a customer master key (CMK). // -// To create a grant that allows a cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) -// only when the request includes a particular encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context), -// use the Constraints parameter. For details, see GrantConstraints. +// A grant is a policy instrument that allows AWS principals to use AWS KMS +// customer master keys (CMKs) in cryptographic operations. It also can allow +// them to view a CMK (DescribeKey) and create and manage grants. When authorizing +// access to a CMK, grants are considered along with key policies and IAM policies. +// Grants are often used for temporary permissions because you can create one, +// use its permissions, and delete it without changing your key policies or +// IAM policies. // -// You can create grants on symmetric and asymmetric CMKs. However, if the grant -// allows an operation that the CMK does not support, CreateGrant fails with -// a ValidationException. +// For detailed information about grants, including grant terminology, see Using +// grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) +// in the AWS Key Management Service Developer Guide . For examples of working +// with grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html). // -// * Grants for symmetric CMKs cannot allow operations that are not supported -// for symmetric CMKs, including Sign, Verify, and GetPublicKey. (There are -// limited exceptions to this rule for legacy operations, but you should -// not create a grant for an operation that AWS KMS does not support.) +// The CreateGrant operation returns a GrantToken and a GrantId. // -// * Grants for asymmetric CMKs cannot allow operations that are not supported -// for asymmetric CMKs, including operations that generate data keys (https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKey) -// or data key pairs (https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyPair), -// or operations related to automatic key rotation (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html), -// imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), -// or CMKs in custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// * When you create, retire, or revoke a grant, there might be a brief delay, +// usually less than five minutes, until the grant is available throughout +// AWS KMS. This state is known as eventual consistency. Once the grant has +// achieved eventual consistency, the grantee principal can use the permissions +// in the grant without identifying the grant. However, to use the permissions +// in the grant immediately, use the GrantToken that CreateGrant returns. +// For details, see Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html) +// in the AWS Key Management Service Developer Guide . // -// * Grants for asymmetric CMKs with a KeyUsage of ENCRYPT_DECRYPT cannot -// allow the Sign or Verify operations. Grants for asymmetric CMKs with a -// KeyUsage of SIGN_VERIFY cannot allow the Encrypt or Decrypt operations. -// -// * Grants for asymmetric CMKs cannot include an encryption context grant -// constraint. An encryption context is not supported on asymmetric CMKs. +// * The CreateGrant operation also returns a GrantId. You can use the GrantId +// and a key identifier to identify the grant in the RetireGrant and RevokeGrant +// operations. To find the grant ID, use the ListGrants or ListRetirableGrants +// operations. // // For information about symmetric and asymmetric CMKs, see Using Symmetric // and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) @@ -753,7 +756,7 @@ func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request, // in the AWS Key Management Service Developer Guide . // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: Yes. To perform this operation on a CMK in a different @@ -920,7 +923,29 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out // and the default value for KeyUsage, ENCRYPT_DECRYPT, are the only valid values // for symmetric CMKs. // -// Imported Key Material +// Multi-Region primary keys +// +// Imported key material +// +// To create a multi-Region primary key in the local AWS Region, use the MultiRegion +// parameter with a value of True. To create a multi-Region replica key, that +// is, a CMK with the same key ID and key material as a primary key, but in +// a different AWS Region, use the ReplicateKey operation. To change a replica +// key to a primary key, and its primary key to a replica key, use the UpdatePrimaryRegion +// operation. +// +// This operation supports multi-Region keys, an AWS KMS feature that lets you +// create multiple interoperable CMKs in different AWS Regions. Because these +// CMKs have the same key ID, key material, and other metadata, you can use +// them to encrypt data in one AWS Region and decrypt it in a different AWS +// Region without making a cross-Region call or exposing the plaintext data. +// For more information about multi-Region keys, see Using multi-Region keys +// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) +// in the AWS Key Management Service Developer Guide. +// +// You can create symmetric and asymmetric multi-Region keys and multi-Region +// keys with imported key material. You cannot create multi-Region keys in a +// custom key store. // // To import your own key material, begin by creating a symmetric CMK with no // key material. To do this, use the Origin parameter of CreateKey with a value @@ -931,7 +956,14 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out // in the AWS Key Management Service Developer Guide . You cannot import the // key material into an asymmetric CMK. // -// Custom Key Stores +// To create a multi-Region primary key with imported key material, use the +// Origin parameter of CreateKey with a value of EXTERNAL and the MultiRegion +// parameter with a value of True. To create replicas of the multi-Region primary +// key, use the ReplicateKey operation. For more information about multi-Region +// keys, see Using multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) +// in the AWS Key Management Service Developer Guide. +// +// Custom key store // // To create a symmetric CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), // use the CustomKeyStoreId parameter to specify the custom key store. You must @@ -939,8 +971,9 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out // cluster that is associated with the custom key store must have at least two // active HSMs in different Availability Zones in the AWS Region. // -// You cannot create an asymmetric CMK in a custom key store. For information -// about custom key stores in AWS KMS see Using Custom Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// You cannot create an asymmetric CMK or a multi-Region CMK in a custom key +// store. For information about custom key stores in AWS KMS see Using Custom +// Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) // in the AWS Key Management Service Developer Guide . // // Cross-account use: No. You cannot use this operation to create a CMK in a @@ -1166,7 +1199,7 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output // in the AWS Key Management Service Developer Guide. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: Yes. You can decrypt a ciphertext using a CMK in a different @@ -1321,6 +1354,10 @@ func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request, // // Deletes the specified alias. // +// Adding, deleting, or updating an alias can allow or deny permission to the +// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) +// in the AWS Key Management Service Developer Guide. +// // Because an alias is not a property of a CMK, you can delete and change the // aliases of a CMK without affecting the CMK. Also, aliases do not appear in // the response from the DescribeKey operation. To get the aliases of all CMKs, @@ -1615,7 +1652,7 @@ func (c *KMS) DeleteImportedKeyMaterialRequest(input *DeleteImportedKeyMaterialI // the same key material into the CMK. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -1733,14 +1770,14 @@ func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput // DescribeCustomKeyStores API operation for AWS Key Management Service. // // Gets information about custom key stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// in the account and region. +// in the account and Region. // // This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) // feature in AWS KMS, which combines the convenience and extensive integration // of AWS KMS with the isolation and control of a single-tenant key store. // // By default, this operation returns information about all custom key stores -// in the account and region. To get only information about a particular custom +// in the account and Region. To get only information about a particular custom // key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter // (but not both). // @@ -1790,6 +1827,10 @@ func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput // The request was rejected because AWS KMS cannot find a custom key store with // the specified key store name or ID. // +// * InvalidMarkerException +// The request was rejected because the marker that specifies where pagination +// should next begin is not valid. +// // * InternalException // The request was rejected because an internal exception occurred. The request // can be retried. @@ -2009,12 +2050,12 @@ func (c *KMS) DisableKeyRequest(input *DisableKeyInput) (req *request.Request, o // Sets the state of a customer master key (CMK) to disabled. This change temporarily // prevents use of the CMK for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects the Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For more information about how key state affects the use of a CMK, see Key +// state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide . // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -2127,11 +2168,15 @@ func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *re // Disables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) // for the specified symmetric customer master key (CMK). // -// You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported -// key material, or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), +// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), +// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// To enable or disable automatic rotation of a set of related multi-Region +// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key), +// set the property on the primary key. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -2398,7 +2443,7 @@ func (c *KMS) EnableKeyRequest(input *EnableKeyInput) (req *request.Request, out // you to use the CMK for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -2516,11 +2561,15 @@ func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *requ // Enables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) // for the specified symmetric customer master key (CMK). // -// You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported -// key material, or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), +// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), +// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// To enable or disable automatic rotation of a set of related multi-Region +// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key), +// set the property on the primary key. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -2697,7 +2746,7 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output // * RSA_4096 RSAES_OAEP_SHA_1: 470 bytes RSAES_OAEP_SHA_256: 446 bytes // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: Yes. To perform this operation with a CMK in a different @@ -2860,7 +2909,7 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request. // in the AWS Key Management Service Developer Guide. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // How to use your data key @@ -3062,7 +3111,7 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req * // in the AWS Key Management Service Developer Guide. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: Yes. To perform this operation with a CMK in a different @@ -3234,7 +3283,7 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP // in the AWS Key Management Service Developer Guide. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: Yes. To perform this operation with a CMK in a different @@ -3418,7 +3467,7 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho // in the AWS Key Management Service Developer Guide. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: Yes. To perform this operation with a CMK in a different @@ -3565,9 +3614,8 @@ func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Re // key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), // specify the custom key store ID. // -// For more information about entropy and random number generation, see the -// AWS Key Management Service Cryptographic Details (https://d0.awsstatic.com/whitepapers/KMS-Cryptographic-Details.pdf) -// whitepaper. +// For more information about entropy and random number generation, see AWS +// Key Management Service Cryptographic Details (https://docs.aws.amazon.com/kms/latest/cryptographic-details/). // // Required permissions: kms:GenerateRandom (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy) @@ -3789,12 +3837,16 @@ func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req // material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) // is enabled for the specified customer master key (CMK). // -// You cannot enable automatic rotation of asymmetric CMKs, CMKs with imported -// key material, or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). -// The key rotation status for these CMKs is always false. +// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), +// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), +// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// To enable or disable automatic rotation of a set of related multi-Region +// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key), +// set the property on the primary key. The key rotation status for these CMKs +// is always false. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // * Disabled: The key rotation status does not change when you disable a @@ -3941,7 +3993,7 @@ func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput) // send another GetParametersForImport request. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -4097,7 +4149,7 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques // errors, such as using the wrong signing algorithm in a verification operation. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: Yes. To perform this operation with a CMK in a different @@ -4280,7 +4332,7 @@ func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *requ // in the AWS Key Management Service Developer Guide. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -5145,6 +5197,10 @@ func (c *KMS) ListResourceTagsRequest(input *ListResourceTagsInput) (req *reques // // Related operations: // +// * CreateKey +// +// * ReplicateKey +// // * TagResource // // * UntagResource @@ -5239,8 +5295,10 @@ func (c *KMS) ListRetirableGrantsRequest(input *ListRetirableGrantsInput) (req * // ListRetirableGrants API operation for AWS Key Management Service. // -// Returns all grants in which the specified principal is the RetiringPrincipal -// in the grant. +// Returns information about all grants in the AWS account and Region that have +// the specified retiring principal. For more information about grants, see +// Grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) +// in the AWS Key Management Service Developer Guide . // // You can specify any principal in your AWS account. The grants that are returned // include grants for CMKs in your AWS account and other AWS accounts. @@ -5542,7 +5600,7 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out // does not include configurable fields. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: Yes. The source CMK and destination CMK can be in different @@ -5663,6 +5721,198 @@ func (c *KMS) ReEncryptWithContext(ctx aws.Context, input *ReEncryptInput, opts return out, req.Send() } +const opReplicateKey = "ReplicateKey" + +// ReplicateKeyRequest generates a "aws/request.Request" representing the +// client's request for the ReplicateKey operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ReplicateKey for more information on using the ReplicateKey +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ReplicateKeyRequest method. +// req, resp := client.ReplicateKeyRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey +func (c *KMS) ReplicateKeyRequest(input *ReplicateKeyInput) (req *request.Request, output *ReplicateKeyOutput) { + op := &request.Operation{ + Name: opReplicateKey, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ReplicateKeyInput{} + } + + output = &ReplicateKeyOutput{} + req = c.newRequest(op, input, output) + return +} + +// ReplicateKey API operation for AWS Key Management Service. +// +// Replicates a multi-Region key into the specified Region. This operation creates +// a multi-Region replica key based on a multi-Region primary key in a different +// Region of the same AWS partition. You can create multiple replicas of a primary +// key, but each must be in a different Region. To create a multi-Region primary +// key, use the CreateKey operation. +// +// This operation supports multi-Region keys, an AWS KMS feature that lets you +// create multiple interoperable CMKs in different AWS Regions. Because these +// CMKs have the same key ID, key material, and other metadata, you can use +// them to encrypt data in one AWS Region and decrypt it in a different AWS +// Region without making a cross-Region call or exposing the plaintext data. +// For more information about multi-Region keys, see Using multi-Region keys +// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) +// in the AWS Key Management Service Developer Guide. +// +// A replica key is a fully-functional CMK that can be used independently of +// its primary and peer replica keys. A primary key and its replica keys share +// properties that make them interoperable. They have the same key ID (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id) +// and key material. They also have the same key spec (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec), +// key usage (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage), +// key material origin (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin), +// and automatic key rotation status (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). +// AWS KMS automatically synchronizes these shared properties among related +// multi-Region keys. All other properties of a replica key can differ, including +// its key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html), +// tags (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html), +// aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html), +// and key state (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html). +// AWS KMS pricing and quotas for CMKs apply to each primary key and replica +// key. +// +// When this operation completes, the new replica key has a transient key state +// of Creating. This key state changes to Enabled (or PendingImport) after a +// few seconds when the process of creating the new replica key is complete. +// While the key state is Creating, you can manage key, but you cannot yet use +// it in cryptographic operations. If you are creating and using the replica +// key programmatically, retry on KMSInvalidStateException or call DescribeKey +// to check its KeyState value before using it. For details about the Creating +// key state, see Key state: Effect on your CMK (kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// The AWS CloudTrail log of a ReplicateKey operation records a ReplicateKey +// operation in the primary key's Region and a CreateKey operation in the replica +// key's Region. +// +// If you replicate a multi-Region primary key with imported key material, the +// replica key is created with no key material. You must import the same key +// material that you imported into the primary key. For details, see Importing +// key material into multi-Region keys (kms/latest/developerguide/multi-region-keys-import.html) +// in the AWS Key Management Service Developer Guide. +// +// To convert a replica key to a primary key, use the UpdatePrimaryRegion operation. +// +// ReplicateKey uses different default values for the KeyPolicy and Tags parameters +// than those used in the AWS KMS console. For details, see the parameter descriptions. +// +// Cross-account use: No. You cannot use this operation to create a CMK in a +// different AWS account. +// +// Required permissions: +// +// * kms:ReplicateKey on the primary CMK (in the primary CMK's Region). Include +// this permission in the primary CMK's key policy. +// +// * kms:CreateKey in an IAM policy in the replica Region. +// +// * To use the Tags parameter, kms:TagResource in an IAM policy in the replica +// Region. +// +// Related operations +// +// * CreateKey +// +// * UpdatePrimaryRegion +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation ReplicateKey for usage and error information. +// +// Returned Error Types: +// * AlreadyExistsException +// The request was rejected because it attempted to create a resource that already +// exists. +// +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * LimitExceededException +// The request was rejected because a quota was exceeded. For more information, +// see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) +// in the AWS Key Management Service Developer Guide. +// +// * MalformedPolicyDocumentException +// The request was rejected because the specified policy is not syntactically +// or semantically correct. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * TagException +// The request was rejected because one or more tags are not valid. +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReplicateKey +func (c *KMS) ReplicateKey(input *ReplicateKeyInput) (*ReplicateKeyOutput, error) { + req, out := c.ReplicateKeyRequest(input) + return out, req.Send() +} + +// ReplicateKeyWithContext is the same as ReplicateKey with the addition of +// the ability to pass a context and additional request options. +// +// See ReplicateKey for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) ReplicateKeyWithContext(ctx aws.Context, input *ReplicateKeyInput, opts ...request.Option) (*ReplicateKeyOutput, error) { + req, out := c.ReplicateKeyRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opRetireGrant = "RetireGrant" // RetireGrantRequest generates a "aws/request.Request" representing the @@ -5708,29 +5958,28 @@ func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request, // RetireGrant API operation for AWS Key Management Service. // -// Retires a grant. To clean up, you can retire a grant when you're done using -// it. You should revoke a grant when you intend to actively deny operations -// that depend on it. The following are permitted to call this API: +// Deletes a grant. Typically, you retire a grant when you no longer need its +// permissions. To identify the grant to retire, use a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token), +// or both the grant ID and a key identifier (key ID or key ARN) of the customer +// master key (CMK). The CreateGrant operation returns both values. // -// * The AWS account (root user) under which the grant was created +// This operation can be called by the retiring principal for a grant, by the +// grantee principal if the grant allows the RetireGrant operation, and by the +// AWS account (root user) in which the grant is created. It can also be called +// by principals to whom permission for retiring a grant is delegated. For details, +// see Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) +// in the AWS Key Management Service Developer Guide. // -// * The RetiringPrincipal, if present in the grant -// -// * The GranteePrincipal, if RetireGrant is an operation specified in the -// grant -// -// You must identify the grant to retire by its grant token or by a combination -// of the grant ID and the Amazon Resource Name (ARN) of the customer master -// key (CMK). A grant token is a unique variable-length base64-encoded string. -// A grant ID is a 64 character unique identifier of a grant. The CreateGrant -// operation returns both. +// For detailed information about grants, including grant terminology, see Using +// grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) +// in the AWS Key Management Service Developer Guide . For examples of working +// with grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html). // // Cross-account use: Yes. You can retire a grant on a CMK in a different AWS // account. // -// Required permissions:: Permission to retire a grant is specified in the grant. -// You cannot control access to this operation in a policy. For more information, -// see Using grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) +// Required permissions::Permission to retire a grant is determined primarily +// by the grant. For details, see Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) // in the AWS Key Management Service Developer Guide. // // Related operations: @@ -5848,14 +6097,22 @@ func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request, // RevokeGrant API operation for AWS Key Management Service. // -// Revokes the specified grant for the specified customer master key (CMK). -// You can revoke a grant to actively deny operations that depend on it. +// Deletes the specified grant. You revoke a grant to terminate the permissions +// that the grant allows. For more information, see Retiring and revoking grants +// (https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete) +// in the AWS Key Management Service Developer Guide . +// +// When you create, retire, or revoke a grant, there might be a brief delay, +// usually less than five minutes, until the grant is available throughout AWS +// KMS. This state is known as eventual consistency. For details, see Eventual +// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency) +// in the AWS Key Management Service Developer Guide . // // Cross-account use: Yes. To perform this operation on a CMK in a different // AWS account, specify the key ARN in the value of the KeyId parameter. // // Required permissions: kms:RevokeGrant (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) +// (key policy). // // Related operations: // @@ -5968,18 +6225,20 @@ func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req * // ScheduleKeyDeletion API operation for AWS Key Management Service. // -// Schedules the deletion of a customer master key (CMK). You may provide a -// waiting period, specified in days, before deletion occurs. If you do not -// provide a waiting period, the default period of 30 days is used. When this -// operation is successful, the key state of the CMK changes to PendingDeletion. +// Schedules the deletion of a customer master key (CMK). By default, AWS KMS +// applies a waiting period of 30 days, but you can specify a waiting period +// of 7-30 days. When this operation is successful, the key state of the CMK +// changes to PendingDeletion and the key can't be used in any cryptographic +// operations. It remains in this state for the duration of the waiting period. // Before the waiting period ends, you can use CancelKeyDeletion to cancel the -// deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK -// and all AWS KMS data associated with it, including all aliases that refer -// to it. +// deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK, +// its key material, and all AWS KMS data associated with it, including all +// aliases that refer to it. // // Deleting a CMK is a destructive and potentially dangerous operation. When // a CMK is deleted, all data that was encrypted under the CMK is unrecoverable. -// To prevent the use of a CMK without deleting it, use DisableKey. +// (The only exception is a multi-Region replica key.) To prevent the use of +// a CMK without deleting it, use DisableKey. // // If you schedule deletion of a CMK from a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), // when the waiting period expires, ScheduleKeyDeletion deletes the CMK from @@ -5988,19 +6247,29 @@ func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req * // delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) // from the cluster and its backups. // +// You can schedule the deletion of a multi-Region primary key and its replica +// keys at any time. However, AWS KMS will not delete a multi-Region primary +// key with existing replica keys. If you schedule the deletion of a primary +// key with replicas, its key state changes to PendingReplicaDeletion and it +// cannot be replicated or used in cryptographic operations. This status can +// continue indefinitely. When the last of its replicas keys is deleted (not +// just scheduled), the key state of the primary key changes to PendingDeletion +// and its waiting period (PendingWindowInDays) begins. For details, see Deleting +// multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) +// in the AWS Key Management Service Developer Guide. +// // For more information about scheduling a CMK for deletion, see Deleting Customer // Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) // in the AWS Key Management Service Developer Guide. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different // AWS account. // -// Required permissions: kms:ScheduleKeyDeletion (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (key policy) +// Required permissions: kms:ScheduleKeyDeletion (key policy) // // Related operations // @@ -6142,7 +6411,7 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO // the public key to verify the signature outside of AWS KMS. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: Yes. To perform this operation with a CMK in a different @@ -6275,24 +6544,31 @@ func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request, // // Adds or edits tags on a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). // -// Each tag consists of a tag key and a tag value, both of which are case-sensitive -// strings. The tag value can be an empty (null) string. +// Tagging or untagging a CMK can allow or deny permission to the CMK. For details, +// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) +// in the AWS Key Management Service Developer Guide. // -// To add a tag, specify a new tag key and a tag value. To edit a tag, specify -// an existing tag key and a new tag value. +// Each tag consists of a tag key and a tag value, both of which are case-sensitive +// strings. The tag value can be an empty (null) string. To add a tag, specify +// a new tag key and a tag value. To edit a tag, specify an existing tag key +// and a new tag value. // // You can use this operation to tag a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk), // but you cannot tag an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk), // an AWS owned CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk), -// or an alias. +// a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept), +// or an alias (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept). // +// You can also add tags to a CMK while creating it (CreateKey) or replicating +// it (ReplicateKey). +// +// For information about using tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). // For general information about tags, including the format and syntax, see // Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) -// in the Amazon Web Services General Reference. For information about using -// tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). +// in the Amazon Web Services General Reference. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -6303,10 +6579,14 @@ func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request, // // Related operations // -// * UntagResource +// * CreateKey // // * ListResourceTags // +// * ReplicateKey +// +// * UntagResource +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -6413,18 +6693,22 @@ func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Requ // Deletes tags from a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). // To delete a tag, specify the tag key and the CMK. // +// Tagging or untagging a CMK can allow or deny permission to the CMK. For details, +// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) +// in the AWS Key Management Service Developer Guide. +// // When it succeeds, the UntagResource operation doesn't return any output. // Also, if the specified tag key isn't found on the CMK, it doesn't throw an // exception or return a response. To confirm that the operation worked, use // the ListResourceTags operation. // +// For information about using tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). // For general information about tags, including the format and syntax, see // Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) -// in the Amazon Web Services General Reference. For information about using -// tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). +// in the Amazon Web Services General Reference. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -6435,10 +6719,14 @@ func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Requ // // Related operations // -// * TagResource +// * CreateKey // // * ListResourceTags // +// * ReplicateKey +// +// * TagResource +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -6540,7 +6828,11 @@ func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request, // Associates an existing AWS KMS alias with a different customer master key // (CMK). Each alias is associated with only one CMK at a time, although a CMK // can have multiple aliases. The alias and the CMK must be in the same AWS -// account and region. +// account and Region. +// +// Adding, deleting, or updating an alias can allow or deny permission to the +// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) +// in the AWS Key Management Service Developer Guide. // // The current and new CMK must be the same type (both symmetric or both asymmetric), // and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This @@ -6557,7 +6849,7 @@ func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request, // of all CMKs in the account, use the ListAliases operation. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -6907,7 +7199,7 @@ func (c *KMS) UpdateKeyDescriptionRequest(input *UpdateKeyDescriptionInput) (req // of a CMK, use DescribeKey. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a CMK in a different @@ -6976,6 +7268,177 @@ func (c *KMS) UpdateKeyDescriptionWithContext(ctx aws.Context, input *UpdateKeyD return out, req.Send() } +const opUpdatePrimaryRegion = "UpdatePrimaryRegion" + +// UpdatePrimaryRegionRequest generates a "aws/request.Request" representing the +// client's request for the UpdatePrimaryRegion operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See UpdatePrimaryRegion for more information on using the UpdatePrimaryRegion +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the UpdatePrimaryRegionRequest method. +// req, resp := client.UpdatePrimaryRegionRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion +func (c *KMS) UpdatePrimaryRegionRequest(input *UpdatePrimaryRegionInput) (req *request.Request, output *UpdatePrimaryRegionOutput) { + op := &request.Operation{ + Name: opUpdatePrimaryRegion, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &UpdatePrimaryRegionInput{} + } + + output = &UpdatePrimaryRegionOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// UpdatePrimaryRegion API operation for AWS Key Management Service. +// +// Changes the primary key of a multi-Region key. +// +// This operation changes the replica key in the specified Region to a primary +// key and changes the former primary key to a replica key. For example, suppose +// you have a primary key in us-east-1 and a replica key in eu-west-2. If you +// run UpdatePrimaryRegion with a PrimaryRegion value of eu-west-2, the primary +// key is now the key in eu-west-2, and the key in us-east-1 becomes a replica +// key. For details, see +// +// This operation supports multi-Region keys, an AWS KMS feature that lets you +// create multiple interoperable CMKs in different AWS Regions. Because these +// CMKs have the same key ID, key material, and other metadata, you can use +// them to encrypt data in one AWS Region and decrypt it in a different AWS +// Region without making a cross-Region call or exposing the plaintext data. +// For more information about multi-Region keys, see Using multi-Region keys +// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) +// in the AWS Key Management Service Developer Guide. +// +// The primary key of a multi-Region key is the source for properties that are +// always shared by primary and replica keys, including the key material, key +// ID (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id), +// key spec (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec), +// key usage (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage), +// key material origin (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin), +// and automatic key rotation (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). +// It's the only key that can be replicated. You cannot delete the primary key +// (https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) +// until all replicas are deleted. +// +// The key ID and primary Region that you specify uniquely identify the replica +// key that will become the primary key. The primary Region must already have +// a replica key. This operation does not create a CMK in the specified Region. +// To find the replica keys, use the DescribeKey operation on the primary key +// or any replica key. To create a replica key, use the ReplicateKey operation. +// +// You can run this operation while using the affected multi-Region keys in +// cryptographic operations. This operation should not delay, interrupt, or +// cause failures in cryptographic operations. +// +// Even after this operation completes, the process of updating the primary +// Region might still be in progress for a few more seconds. Operations such +// as DescribeKey might display both the old and new primary keys as replicas. +// The old and new primary keys have a transient key state of Updating. The +// original key state is restored when the update is complete. While the key +// state is Updating, you can use the keys in cryptographic operations, but +// you cannot replicate the new primary key or perform certain management operations, +// such as enabling or disabling these keys. For details about the Updating +// key state, see Key state: Effect on your CMK (kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide. +// +// This operation does not return any output. To verify that primary key is +// changed, use the DescribeKey operation. +// +// Cross-account use: No. You cannot use this operation in a different AWS account. +// +// Required permissions: +// +// * kms:UpdatePrimaryRegion on the current primary CMK (in the primary CMK's +// Region). Include this permission primary CMK's key policy. +// +// * kms:UpdatePrimaryRegion on the current replica CMK (in the replica CMK's +// Region). Include this permission in the replica CMK's key policy. +// +// Related operations +// +// * CreateKey +// +// * ReplicateKey +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for AWS Key Management Service's +// API operation UpdatePrimaryRegion for usage and error information. +// +// Returned Error Types: +// * DisabledException +// The request was rejected because the specified CMK is not enabled. +// +// * InvalidArnException +// The request was rejected because a specified ARN, or an ARN in a key policy, +// is not valid. +// +// * InvalidStateException +// The request was rejected because the state of the specified resource is not +// valid for this request. +// +// For more information about how key state affects the use of a CMK, see How +// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the AWS Key Management Service Developer Guide . +// +// * InternalException +// The request was rejected because an internal exception occurred. The request +// can be retried. +// +// * NotFoundException +// The request was rejected because the specified entity or resource could not +// be found. +// +// * UnsupportedOperationException +// The request was rejected because a specified parameter is not supported or +// a specified resource is not valid for this operation. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdatePrimaryRegion +func (c *KMS) UpdatePrimaryRegion(input *UpdatePrimaryRegionInput) (*UpdatePrimaryRegionOutput, error) { + req, out := c.UpdatePrimaryRegionRequest(input) + return out, req.Send() +} + +// UpdatePrimaryRegionWithContext is the same as UpdatePrimaryRegion with the addition of +// the ability to pass a context and additional request options. +// +// See UpdatePrimaryRegion for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *KMS) UpdatePrimaryRegionWithContext(ctx aws.Context, input *UpdatePrimaryRegionInput, opts ...request.Option) (*UpdatePrimaryRegionOutput, error) { + req, out := c.UpdatePrimaryRegionRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opVerify = "Verify" // VerifyRequest generates a "aws/request.Request" representing the @@ -7048,7 +7511,7 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V // the CMK to verify signatures. // // The CMK that you use for this operation must be in a compatible key state. -// For details, see How Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) // in the AWS Key Management Service Developer Guide. // // Cross-account use: Yes. To perform this operation with a CMK in a different @@ -7149,11 +7612,15 @@ type AliasListEntry struct { // String that contains the alias. This value begins with alias/. AliasName *string `min:"1" type:"string"` + // Date and time that the alias was most recently created in the account and + // Region. Formatted as Unix time. CreationDate *time.Time `type:"timestamp"` + // Date and time that the alias was most recently associated with a CMK in the + // account and Region. Formatted as Unix time. LastUpdatedDate *time.Time `type:"timestamp"` - // String that contains the key identifier referred to by the alias. + // String that contains the key identifier of the CMK associated with the alias. TargetKeyId *string `min:"1" type:"string"` } @@ -7257,10 +7724,9 @@ func (s *AlreadyExistsException) RequestID() string { type CancelKeyDeletionInput struct { _ struct{} `type:"structure"` - // The unique identifier for the customer master key (CMK) for which to cancel - // deletion. + // Identifies the customer master key (CMK) whose deletion is being canceled. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -7742,7 +8208,7 @@ type CreateAliasInput struct { // For help finding the key ID and ARN, see Finding the Key ID and ARN (https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) // in the AWS Key Management Service Developer Guide. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -7945,25 +8411,37 @@ func (s *CreateCustomKeyStoreOutput) SetCustomKeyStoreId(v string) *CreateCustom type CreateGrantInput struct { _ struct{} `type:"structure"` - // Allows a cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - // only when the encryption context matches or includes the encryption context - // specified in this structure. For more information about encryption context, - // see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the AWS Key Management Service Developer Guide . + // Specifies a grant constraint. // - // Grant constraints are not applied to operations that do not support an encryption - // context, such as cryptographic operations with asymmetric CMKs and management - // operations, such as DescribeKey or RetireGrant. + // AWS KMS supports the EncryptionContextEquals and EncryptionContextSubset + // grant constraints. Each constraint value can include up to 8 encryption context + // pairs. The encryption context value in each constraint cannot exceed 384 + // characters. + // + // These grant constraints allow a cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) + // only when the encryption context in the request matches (EncryptionContextEquals) + // or includes (EncryptionContextSubset) the encryption context specified in + // this structure. For more information about encryption context, see Encryption + // Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the AWS Key Management Service Developer Guide . For information about + // grant constraints, see Using grant constraints (https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints) + // in the AWS Key Management Service Developer Guide. + // + // The encryption context grant constraints are supported only on operations + // that include an encryption context. You cannot use an encryption context + // grant constraint for cryptographic operations with asymmetric CMKs or for + // management operations, such as DescribeKey or RetireGrant. Constraints *GrantConstraints `type:"structure"` // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // The principal that is given permission to perform the operations that the - // grant permits. + // The identity that gets the permissions specified in the grant. // // To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM @@ -7975,11 +8453,11 @@ type CreateGrantInput struct { // GranteePrincipal is a required field GranteePrincipal *string `min:"1" type:"string" required:"true"` - // The unique identifier for the customer master key (CMK) that the grant applies - // to. + // Identifies the customer master key (CMK) for the grant. The grant gives principals + // permission to use this CMK. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify - // a CMK in a different AWS account, you must use the key ARN. + // Specify the key ID or key ARN of the CMK. To specify a CMK in a different + // AWS account, you must use the key ARN. // // For example: // @@ -8008,6 +8486,13 @@ type CreateGrantInput struct { // A list of operations that the grant permits. // + // The operation must be supported on the CMK. For example, you cannot create + // a grant for a symmetric CMK that allows the Sign operation, or a grant for + // an asymmetric CMK that allows the GenerateDataKey operation. If you try, + // AWS KMS returns a ValidationError exception. For details, see Grant operations + // (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) + // in the AWS Key Management Service Developer Guide. + // // Operations is a required field Operations []*string `type:"list" required:"true"` @@ -8116,7 +8601,9 @@ type CreateGrantOutput struct { // The grant token. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantToken *string `min:"1" type:"string"` } @@ -8168,8 +8655,8 @@ type CreateKeyInput struct { // the custom key store must have at least two active HSMs, each in a different // Availability Zone in the Region. // - // This parameter is valid only for symmetric CMKs. You cannot create an asymmetric - // CMK in a custom key store. + // This parameter is valid only for symmetric CMKs and regional CMKs. You cannot + // create an asymmetric CMK or a multi-Region CMK in a custom key store. // // To find the ID of a custom key store, use the DescribeCustomKeyStores operation. // @@ -8218,7 +8705,7 @@ type CreateKeyInput struct { // A description of the CMK. // // Use a description that helps you decide whether the CMK is appropriate for - // a task. + // a task. The default value is an empty string (no description). Description *string `type:"string"` // Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) @@ -8236,22 +8723,43 @@ type CreateKeyInput struct { // * For asymmetric CMKs with ECC key material, specify SIGN_VERIFY. KeyUsage *string `type:"string" enum:"KeyUsageType"` - // The source of the key material for the CMK. You cannot change the origin - // after you create the CMK. The default is AWS_KMS, which means AWS KMS creates - // the key material. + // Creates a multi-Region primary key that you can replicate into other AWS + // Regions. You cannot change this value after you create the CMK. // - // When the parameter value is EXTERNAL, AWS KMS creates a CMK without key material - // so that you can import key material from your existing key management infrastructure. - // For more information about importing key material into AWS KMS, see Importing - // Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) + // For a multi-Region key, set this parameter to True. For a single-Region CMK, + // omit this parameter or set it to False. The default value is False. + // + // This operation supports multi-Region keys, an AWS KMS feature that lets you + // create multiple interoperable CMKs in different AWS Regions. Because these + // CMKs have the same key ID, key material, and other metadata, you can use + // them to encrypt data in one AWS Region and decrypt it in a different AWS + // Region without making a cross-Region call or exposing the plaintext data. + // For more information about multi-Region keys, see Using multi-Region keys + // (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) + // in the AWS Key Management Service Developer Guide. + // + // This value creates a primary key, not a replica. To create a replica key, + // use the ReplicateKey operation. + // + // You can create a symmetric or asymmetric multi-Region CMK, and you can create + // a multi-Region CMK with imported key material. However, you cannot create + // a multi-Region CMK in a custom key store. + MultiRegion *bool `type:"boolean"` + + // The source of the key material for the CMK. You cannot change the origin + // after you create the CMK. The default is AWS_KMS, which means that AWS KMS + // creates the key material. + // + // To create a CMK with no key material (for imported key material), set the + // value to EXTERNAL. For more information about importing key material into + // AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) // in the AWS Key Management Service Developer Guide. This value is valid only // for symmetric CMKs. // - // When the parameter value is AWS_CLOUDHSM, AWS KMS creates the CMK in an AWS - // KMS custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) - // and creates its key material in the associated AWS CloudHSM cluster. You - // must also use the CustomKeyStoreId parameter to identify the custom key store. - // This value is valid only for symmetric CMKs. + // To create a CMK in an AWS KMS custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) + // and create its key material in the associated AWS CloudHSM cluster, set this + // value to AWS_CLOUDHSM. You must also use the CustomKeyStoreId parameter to + // identify the custom key store. This value is valid only for symmetric CMKs. Origin *string `type:"string" enum:"OriginType"` // The key policy to attach to the CMK. @@ -8285,19 +8793,25 @@ type CreateKeyInput struct { // in the IAM User Guide . Policy *string `min:"1" type:"string"` - // One or more tags. Each tag consists of a tag key and a tag value. Both the - // tag key and the tag value are required, but the tag value can be an empty - // (null) string. + // Assigns one or more tags to the CMK. Use this parameter to tag the CMK when + // it is created. To tag an existing CMK, use the TagResource operation. // - // When you add tags to an AWS resource, AWS generates a cost allocation report - // with usage and costs aggregated by tags. For information about adding, changing, - // deleting and listing tags for CMKs, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). - // - // Use this parameter to tag the CMK when it is created. To add tags to an existing - // CMK, use the TagResource operation. + // Tagging or untagging a CMK can allow or deny permission to the CMK. For details, + // see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) + // in the AWS Key Management Service Developer Guide. // // To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // permission in an IAM policy. + // + // Each tag consists of a tag key and a tag value. Both the tag key and the + // tag value are required, but the tag value can be an empty (null) string. + // You cannot have more than one tag on a CMK with the same tag key. If you + // specify an existing tag key with a different tag value, AWS KMS replaces + // the current tag value with the specified one. + // + // When you assign tags to an AWS resource, AWS generates a cost allocation + // report with usage and costs aggregated by tags. Tags can also be used to + // control access to a CMK. For details, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). Tags []*Tag `type:"list"` } @@ -8367,6 +8881,12 @@ func (s *CreateKeyInput) SetKeyUsage(v string) *CreateKeyInput { return s } +// SetMultiRegion sets the MultiRegion field's value. +func (s *CreateKeyInput) SetMultiRegion(v bool) *CreateKeyInput { + s.MultiRegion = &v + return s +} + // SetOrigin sets the Origin field's value. func (s *CreateKeyInput) SetOrigin(v string) *CreateKeyInput { s.Origin = &v @@ -8842,7 +9362,11 @@ type DecryptInput struct { // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a newly created grant that has not yet achieved eventual consistency. Use + // a grant token when your permission to call this operation comes from a new + // grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` @@ -8855,9 +9379,9 @@ type DecryptInput struct { // recommended as a best practice. This practice ensures that you use the CMK // that you intend. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -9096,7 +9620,7 @@ type DeleteImportedKeyMaterialInput struct { // Identifies the CMK from which you are deleting imported key material. The // Origin of the CMK must be EXTERNAL. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -9220,7 +9744,7 @@ type DescribeCustomKeyStoresInput struct { // store ID. // // By default, this operation gets information about all custom key stores in - // the account and region. To limit the output to a particular custom key store, + // the account and Region. To limit the output to a particular custom key store, // you can use either the CustomKeyStoreId or CustomKeyStoreName parameter, // but not both. CustomKeyStoreId *string `min:"1" type:"string"` @@ -9229,7 +9753,7 @@ type DescribeCustomKeyStoresInput struct { // name of the custom key store. // // By default, this operation gets information about all custom key stores in - // the account and region. To limit the output to a particular custom key store, + // the account and Region. To limit the output to a particular custom key store, // you can use either the CustomKeyStoreId or CustomKeyStoreName parameter, // but not both. CustomKeyStoreName *string `min:"1" type:"string"` @@ -9351,7 +9875,9 @@ type DescribeKeyInput struct { // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` @@ -9361,9 +9887,9 @@ type DescribeKeyInput struct { // associates the alias with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) // and returns its KeyId and Arn in the response. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -9446,9 +9972,9 @@ func (s *DescribeKeyOutput) SetKeyMetadata(v *KeyMetadata) *DescribeKeyOutput { type DisableKeyInput struct { _ struct{} `type:"structure"` - // A unique identifier for the customer master key (CMK). + // Identifies the customer master key (CMK) to disable. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -9516,7 +10042,7 @@ type DisableKeyRotationInput struct { // CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), // or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -9691,9 +10217,9 @@ func (s DisconnectCustomKeyStoreOutput) GoString() string { type EnableKeyInput struct { _ struct{} `type:"structure"` - // A unique identifier for the customer master key (CMK). + // Identifies the customer master key (CMK) to enable. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -9757,10 +10283,14 @@ type EnableKeyRotationInput struct { _ struct{} `type:"structure"` // Identifies a symmetric customer master key (CMK). You cannot enable automatic - // rotation of asymmetric CMKs, CMKs with imported key material, or CMKs in - // a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). + // rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), + // CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), + // or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). + // To enable or disable automatic rotation of a set of related multi-Region + // keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key), + // set the property on the primary key. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -9848,15 +10378,17 @@ type EncryptInput struct { // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // A unique identifier for the customer master key (CMK). + // Identifies the customer master key (CMK) to use in the encryption operation. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -10065,15 +10597,17 @@ type GenerateDataKeyInput struct { // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` // Identifies the symmetric CMK that encrypts the data key. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -10234,7 +10768,9 @@ type GenerateDataKeyPairInput struct { // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` @@ -10242,9 +10778,9 @@ type GenerateDataKeyPairInput struct { // pair. You cannot specify an asymmetric CMK or a CMK in a custom key store. // To get the type and origin of your CMK, use the DescribeKey operation. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -10412,7 +10948,9 @@ type GenerateDataKeyPairWithoutPlaintextInput struct { // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` @@ -10421,9 +10959,9 @@ type GenerateDataKeyPairWithoutPlaintextInput struct { // a custom key store. To get the type and origin of your CMK, use the DescribeKey // operation. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -10579,16 +11117,18 @@ type GenerateDataKeyWithoutPlaintextInput struct { // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` // The identifier of the symmetric customer master key (CMK) that encrypts the // data key. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -10791,9 +11331,9 @@ func (s *GenerateRandomOutput) SetPlaintext(v []byte) *GenerateRandomOutput { type GetKeyPolicyInput struct { _ struct{} `type:"structure"` - // A unique identifier for the customer master key (CMK). + // Gets the key policy for the specified customer master key (CMK). // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -10883,10 +11423,10 @@ func (s *GetKeyPolicyOutput) SetPolicy(v string) *GetKeyPolicyOutput { type GetKeyRotationStatusInput struct { _ struct{} `type:"structure"` - // A unique identifier for the customer master key (CMK). + // Gets the rotation status for the specified customer master key (CMK). // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify - // a CMK in a different AWS account, you must use the key ARN. + // Specify the key ID or key ARN of the CMK. To specify a CMK in a different + // AWS account, you must use the key ARN. // // For example: // @@ -10961,7 +11501,7 @@ type GetParametersForImportInput struct { // The identifier of the symmetric CMK into which you will import key material. // The Origin of the CMK must be EXTERNAL. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -11103,15 +11643,17 @@ type GetPublicKeyInput struct { // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` // Identifies the asymmetric CMK that includes the public key. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -11456,7 +11998,7 @@ type ImportKeyMaterialInput struct { // The CMK's Origin must be EXTERNAL. This must be the same CMK specified in // the KeyID parameter of the corresponding GetParametersForImport request. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -12446,8 +12988,13 @@ type KeyMetadata struct { // Describes the type of key material in the CMK. CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"` - // The date and time after which AWS KMS deletes the CMK. This value is present - // only when KeyState is PendingDeletion. + // The date and time after which AWS KMS deletes this CMK. This value is present + // only when the CMK is scheduled for deletion, that is, when its KeyState is + // PendingDeletion. + // + // When the primary key in a multi-Region key is scheduled for deletion but + // still has replica keys, its key state is PendingReplicaDeletion and the length + // of its waiting period is displayed in the PendingDeletionWindowInDays field. DeletionDate *time.Time `type:"timestamp"` // The description of the CMK. @@ -12460,7 +13007,7 @@ type KeyMetadata struct { // The encryption algorithms that the CMK supports. You cannot use the CMK with // other encryption algorithms within AWS KMS. // - // This field appears only when the KeyUsage of the CMK is ENCRYPT_DECRYPT. + // This value is present only when the KeyUsage of the CMK is ENCRYPT_DECRYPT. EncryptionAlgorithms []*string `type:"list"` // Specifies whether the CMK's key material expires. This value is present only @@ -12489,6 +13036,30 @@ type KeyMetadata struct { // for which you can use the CMK. KeyUsage *string `type:"string" enum:"KeyUsageType"` + // Indicates whether the CMK is a multi-Region (True) or regional (False) key. + // This value is True for multi-Region primary and replica CMKs and False for + // regional CMKs. + // + // For more information about multi-Region keys, see Using multi-Region keys + // (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) + // in the AWS Key Management Service Developer Guide. + MultiRegion *bool `type:"boolean"` + + // Lists the primary and replica CMKs in same multi-Region CMK. This field is + // present only when the value of the MultiRegion field is True. + // + // For more information about any listed CMK, use the DescribeKey operation. + // + // * MultiRegionKeyType indicates whether the CMK is a PRIMARY or REPLICA + // key. + // + // * PrimaryKey displays the key ARN and Region of the primary key. This + // field displays the current CMK if it is the primary key. + // + // * ReplicaKeys displays the key ARNs and Regions of all replica keys. This + // field includes the current CMK if it is a replica key. + MultiRegionConfiguration *MultiRegionConfiguration `type:"structure"` + // The source of the CMK's key material. When this value is AWS_KMS, AWS KMS // created the key material. When this value is EXTERNAL, the key material was // imported from your existing key management infrastructure or the CMK lacks @@ -12496,6 +13067,21 @@ type KeyMetadata struct { // in the AWS CloudHSM cluster associated with a custom key store. Origin *string `type:"string" enum:"OriginType"` + // The waiting period before the primary key in a multi-Region key is deleted. + // This waiting period begins when the last of its replica keys is deleted. + // This value is present only when the KeyState of the CMK is PendingReplicaDeletion. + // That indicates that the CMK is the primary key in a multi-Region key, it + // is scheduled for deletion, and it still has existing replica keys. + // + // When a regional CMK or a replica key in a multi-Region key is scheduled for + // deletion, its deletion date is displayed in the DeletionDate field. However, + // when the primary key in a multi-Region key is scheduled for deletion, its + // waiting period doesn't begin until all of its replica keys are deleted. This + // value displays that waiting period. When the last replica key in the multi-Region + // key is deleted, the KeyState of the scheduled primary key changes from PendingReplicaDeletion + // to PendingDeletion and the deletion date appears in the DeletionDate field. + PendingDeletionWindowInDays *int64 `min:"1" type:"integer"` + // The signing algorithms that the CMK supports. You cannot use the CMK with // other signing algorithms within AWS KMS. // @@ -12609,12 +13195,30 @@ func (s *KeyMetadata) SetKeyUsage(v string) *KeyMetadata { return s } +// SetMultiRegion sets the MultiRegion field's value. +func (s *KeyMetadata) SetMultiRegion(v bool) *KeyMetadata { + s.MultiRegion = &v + return s +} + +// SetMultiRegionConfiguration sets the MultiRegionConfiguration field's value. +func (s *KeyMetadata) SetMultiRegionConfiguration(v *MultiRegionConfiguration) *KeyMetadata { + s.MultiRegionConfiguration = v + return s +} + // SetOrigin sets the Origin field's value. func (s *KeyMetadata) SetOrigin(v string) *KeyMetadata { s.Origin = &v return s } +// SetPendingDeletionWindowInDays sets the PendingDeletionWindowInDays field's value. +func (s *KeyMetadata) SetPendingDeletionWindowInDays(v int64) *KeyMetadata { + s.PendingDeletionWindowInDays = &v + return s +} + // SetSigningAlgorithms sets the SigningAlgorithms field's value. func (s *KeyMetadata) SetSigningAlgorithms(v []*string) *KeyMetadata { s.SigningAlgorithms = v @@ -12751,7 +13355,7 @@ type ListAliasesInput struct { // This parameter is optional. If you omit it, ListAliases returns all aliases // in the account and Region. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -12882,8 +13486,8 @@ type ListGrantsInput struct { // Returns only grants for the specified customer master key (CMK). This parameter // is required. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify - // a CMK in a different AWS account, you must use the key ARN. + // Specify the key ID or key ARN of the CMK. To specify a CMK in a different + // AWS account, you must use the key ARN. // // For example: // @@ -13026,9 +13630,9 @@ func (s *ListGrantsResponse) SetTruncated(v bool) *ListGrantsResponse { type ListKeyPoliciesInput struct { _ struct{} `type:"structure"` - // A unique identifier for the customer master key (CMK). + // Gets the names of key policies for the specified customer master key (CMK). // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -13255,9 +13859,9 @@ func (s *ListKeysOutput) SetTruncated(v bool) *ListKeysOutput { type ListResourceTagsInput struct { _ struct{} `type:"structure"` - // A unique identifier for the customer master key (CMK). + // Gets tags on the specified customer master key (CMK). // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -13347,6 +13951,10 @@ type ListResourceTagsOutput struct { NextMarker *string `min:"1" type:"string"` // A list of tags. Each tag consists of a tag key and a tag value. + // + // Tagging or untagging a CMK can allow or deny permission to the CMK. For details, + // see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) + // in the AWS Key Management Service Developer Guide. Tags []*Tag `type:"list"` // A flag that indicates whether there are more items in the list. When this @@ -13521,6 +14129,86 @@ func (s *MalformedPolicyDocumentException) RequestID() string { return s.RespMetadata.RequestID } +// Describes the configuration of this multi-Region CMK. This field appears +// only when the CMK is a primary or replica of a multi-Region CMK. +// +// For more information about any listed CMK, use the DescribeKey operation. +type MultiRegionConfiguration struct { + _ struct{} `type:"structure"` + + // Indicates whether the CMK is a PRIMARY or REPLICA key. + MultiRegionKeyType *string `type:"string" enum:"MultiRegionKeyType"` + + // Displays the key ARN and Region of the primary key. This field includes the + // current CMK if it is the primary key. + PrimaryKey *MultiRegionKey `type:"structure"` + + // displays the key ARNs and Regions of all replica keys. This field includes + // the current CMK if it is a replica key. + ReplicaKeys []*MultiRegionKey `type:"list"` +} + +// String returns the string representation +func (s MultiRegionConfiguration) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s MultiRegionConfiguration) GoString() string { + return s.String() +} + +// SetMultiRegionKeyType sets the MultiRegionKeyType field's value. +func (s *MultiRegionConfiguration) SetMultiRegionKeyType(v string) *MultiRegionConfiguration { + s.MultiRegionKeyType = &v + return s +} + +// SetPrimaryKey sets the PrimaryKey field's value. +func (s *MultiRegionConfiguration) SetPrimaryKey(v *MultiRegionKey) *MultiRegionConfiguration { + s.PrimaryKey = v + return s +} + +// SetReplicaKeys sets the ReplicaKeys field's value. +func (s *MultiRegionConfiguration) SetReplicaKeys(v []*MultiRegionKey) *MultiRegionConfiguration { + s.ReplicaKeys = v + return s +} + +// Describes the primary or replica key in a multi-Region key. +type MultiRegionKey struct { + _ struct{} `type:"structure"` + + // Displays the key ARN of a primary or replica key of a multi-Region key. + Arn *string `min:"20" type:"string"` + + // Displays the AWS Region of a primary or replica key in a multi-Region key. + Region *string `min:"1" type:"string"` +} + +// String returns the string representation +func (s MultiRegionKey) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s MultiRegionKey) GoString() string { + return s.String() +} + +// SetArn sets the Arn field's value. +func (s *MultiRegionKey) SetArn(v string) *MultiRegionKey { + s.Arn = &v + return s +} + +// SetRegion sets the Region field's value. +func (s *MultiRegionKey) SetRegion(v string) *MultiRegionKey { + s.Region = &v + return s +} + // The request was rejected because the specified entity or resource could not // be found. type NotFoundException struct { @@ -13595,9 +14283,9 @@ type PutKeyPolicyInput struct { // The default value is false. BypassPolicyLockoutSafetyCheck *bool `type:"boolean"` - // A unique identifier for the customer master key (CMK). + // Sets the key policy on the specified customer master key (CMK). // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -13757,9 +14445,9 @@ type ReEncryptInput struct { // a symmetric or asymmetric CMK with a KeyUsage value of ENCRYPT_DECRYPT. To // find the KeyUsage value of a CMK, use the DescribeKey operation. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -13779,7 +14467,9 @@ type ReEncryptInput struct { // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` @@ -13817,9 +14507,9 @@ type ReEncryptInput struct { // recommended as a best practice. This practice ensures that you use the CMK // that you intend. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -13983,19 +14673,272 @@ func (s *ReEncryptOutput) SetSourceKeyId(v string) *ReEncryptOutput { return s } +type ReplicateKeyInput struct { + _ struct{} `type:"structure"` + + // A flag to indicate whether to bypass the key policy lockout safety check. + // + // Setting this value to true increases the risk that the CMK becomes unmanageable. + // Do not set this value to true indiscriminately. + // + // For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section in the AWS Key Management Service Developer Guide. + // + // Use this parameter only when you intend to prevent the principal that is + // making the request from making a subsequent PutKeyPolicy request on the CMK. + // + // The default value is false. + BypassPolicyLockoutSafetyCheck *bool `type:"boolean"` + + // A description of the CMK. Use a description that helps you decide whether + // the CMK is appropriate for a task. The default value is an empty string (no + // description). + // + // The description is not a shared property of multi-Region keys. You can specify + // the same description or a different description for each key in a set of + // related multi-Region keys. AWS KMS does not synchronize this property. + Description *string `type:"string"` + + // Identifies the multi-Region primary key that is being replicated. To determine + // whether a CMK is a multi-Region primary key, use the DescribeKey operation + // to check the value of the MultiRegionKeyType property. + // + // Specify the key ID or key ARN of a multi-Region primary key. + // + // For example: + // + // * Key ID: mrk-1234abcd12ab34cd56ef1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The key policy to attach to the CMK. This parameter is optional. If you do + // not provide a key policy, AWS KMS attaches the default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) + // to the CMK. + // + // The key policy is not a shared property of multi-Region keys. You can specify + // the same key policy or a different key policy for each key in a set of related + // multi-Region keys. AWS KMS does not synchronize this property. + // + // If you provide a key policy, it must meet the following criteria: + // + // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy + // must give the caller kms:PutKeyPolicy permission on the replica CMK. This + // reduces the risk that the CMK becomes unmanageable. For more information, + // refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section of the AWS Key Management Service Developer Guide . + // + // * Each statement in the key policy must contain one or more principals. + // The principals in the key policy must exist and be visible to AWS KMS. + // When you create a new AWS principal (for example, an IAM user or role), + // you might need to enforce a delay before including the new principal in + // a key policy because the new principal might not be immediately visible + // to AWS KMS. For more information, see Changes that I make are not always + // immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) + // in the AWS Identity and Access Management User Guide. + // + // * The key policy size quota is 32 kilobytes (32768 bytes). + Policy *string `min:"1" type:"string"` + + // The Region ID of the AWS Region for this replica key. + // + // Enter the Region ID, such as us-east-1 or ap-southeast-2. For a list of AWS + // Regions in which AWS KMS is supported, see AWS KMS service endpoints (https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region) + // in the Amazon Web Services General Reference. + // + // The replica must be in a different AWS Region than its primary key and other + // replicas of that primary key, but in the same AWS partition. AWS KMS must + // be available in the replica Region. If the Region is not enabled by default, + // the AWS account must be enabled in the Region. + // + // For information about AWS partitions, see Amazon Resource Names (ARNs) in + // the Amazon Web Services General Reference. (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // For information about enabling and disabling Regions, see Enabling a Region + // (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable) + // and Disabling a Region (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable) + // in the Amazon Web Services General Reference. + // + // ReplicaRegion is a required field + ReplicaRegion *string `min:"1" type:"string" required:"true"` + + // Assigns one or more tags to the replica key. Use this parameter to tag the + // CMK when it is created. To tag an existing CMK, use the TagResource operation. + // + // Tagging or untagging a CMK can allow or deny permission to the CMK. For details, + // see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) + // in the AWS Key Management Service Developer Guide. + // + // To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) + // permission in an IAM policy. + // + // Tags are not a shared property of multi-Region keys. You can specify the + // same tags or different tags for each key in a set of related multi-Region + // keys. AWS KMS does not synchronize this property. + // + // Each tag consists of a tag key and a tag value. Both the tag key and the + // tag value are required, but the tag value can be an empty (null) string. + // You cannot have more than one tag on a CMK with the same tag key. If you + // specify an existing tag key with a different tag value, AWS KMS replaces + // the current tag value with the specified one. + // + // When you assign tags to an AWS resource, AWS generates a cost allocation + // report with usage and costs aggregated by tags. Tags can also be used to + // control access to a CMK. For details, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). + Tags []*Tag `type:"list"` +} + +// String returns the string representation +func (s ReplicateKeyInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ReplicateKeyInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ReplicateKeyInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ReplicateKeyInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.Policy != nil && len(*s.Policy) < 1 { + invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) + } + if s.ReplicaRegion == nil { + invalidParams.Add(request.NewErrParamRequired("ReplicaRegion")) + } + if s.ReplicaRegion != nil && len(*s.ReplicaRegion) < 1 { + invalidParams.Add(request.NewErrParamMinLen("ReplicaRegion", 1)) + } + if s.Tags != nil { + for i, v := range s.Tags { + if v == nil { + continue + } + if err := v.Validate(); err != nil { + invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) + } + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetBypassPolicyLockoutSafetyCheck sets the BypassPolicyLockoutSafetyCheck field's value. +func (s *ReplicateKeyInput) SetBypassPolicyLockoutSafetyCheck(v bool) *ReplicateKeyInput { + s.BypassPolicyLockoutSafetyCheck = &v + return s +} + +// SetDescription sets the Description field's value. +func (s *ReplicateKeyInput) SetDescription(v string) *ReplicateKeyInput { + s.Description = &v + return s +} + +// SetKeyId sets the KeyId field's value. +func (s *ReplicateKeyInput) SetKeyId(v string) *ReplicateKeyInput { + s.KeyId = &v + return s +} + +// SetPolicy sets the Policy field's value. +func (s *ReplicateKeyInput) SetPolicy(v string) *ReplicateKeyInput { + s.Policy = &v + return s +} + +// SetReplicaRegion sets the ReplicaRegion field's value. +func (s *ReplicateKeyInput) SetReplicaRegion(v string) *ReplicateKeyInput { + s.ReplicaRegion = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *ReplicateKeyInput) SetTags(v []*Tag) *ReplicateKeyInput { + s.Tags = v + return s +} + +type ReplicateKeyOutput struct { + _ struct{} `type:"structure"` + + // Displays details about the new replica CMK, including its Amazon Resource + // Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) + // and key state (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html). + // It also includes the ARN and AWS Region of its primary key and other replica + // keys. + ReplicaKeyMetadata *KeyMetadata `type:"structure"` + + // The key policy of the new replica key. The value is a key policy document + // in JSON format. + ReplicaPolicy *string `min:"1" type:"string"` + + // The tags on the new replica key. The value is a list of tag key and tag value + // pairs. + ReplicaTags []*Tag `type:"list"` +} + +// String returns the string representation +func (s ReplicateKeyOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ReplicateKeyOutput) GoString() string { + return s.String() +} + +// SetReplicaKeyMetadata sets the ReplicaKeyMetadata field's value. +func (s *ReplicateKeyOutput) SetReplicaKeyMetadata(v *KeyMetadata) *ReplicateKeyOutput { + s.ReplicaKeyMetadata = v + return s +} + +// SetReplicaPolicy sets the ReplicaPolicy field's value. +func (s *ReplicateKeyOutput) SetReplicaPolicy(v string) *ReplicateKeyOutput { + s.ReplicaPolicy = &v + return s +} + +// SetReplicaTags sets the ReplicaTags field's value. +func (s *ReplicateKeyOutput) SetReplicaTags(v []*Tag) *ReplicateKeyOutput { + s.ReplicaTags = v + return s +} + type RetireGrantInput struct { _ struct{} `type:"structure"` - // Unique identifier of the grant to retire. The grant ID is returned in the - // response to a CreateGrant operation. + // Identifies the grant to retire. To get the grant ID, use CreateGrant, ListGrants, + // or ListRetirableGrants. // // * Grant ID Example - 0123456789012345678901234567890123456789012345678901234567890123 GrantId *string `min:"1" type:"string"` - // Token that identifies the grant to be retired. + // Identifies the grant to be retired. You can use a grant token to identify + // a new grant even before it has achieved eventual consistency. + // + // Only the CreateGrant operation returns a grant token. For details, see Grant + // token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency) + // in the AWS Key Management Service Developer Guide. GrantToken *string `min:"1" type:"string"` - // The Amazon Resource Name (ARN) of the CMK associated with the grant. + // The key ARN CMK associated with the grant. To find the key ARN, use the ListKeys + // operation. // // For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab KeyId *string `min:"1" type:"string"` @@ -14065,15 +15008,17 @@ func (s RetireGrantOutput) GoString() string { type RevokeGrantInput struct { _ struct{} `type:"structure"` - // Identifier of the grant to be revoked. + // Identifies the grant to revoke. To get the grant ID, use CreateGrant, ListGrants, + // or ListRetirableGrants. // // GrantId is a required field GrantId *string `min:"1" type:"string" required:"true"` - // A unique identifier for the customer master key associated with the grant. + // A unique identifier for the customer master key (CMK) associated with the + // grant. To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. To specify - // a CMK in a different AWS account, you must use the key ARN. + // Specify the key ID or key ARN of the CMK. To specify a CMK in a different + // AWS account, you must use the key ARN. // // For example: // @@ -14150,7 +15095,7 @@ type ScheduleKeyDeletionInput struct { // The unique identifier of the customer master key (CMK) to delete. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -14166,6 +15111,10 @@ type ScheduleKeyDeletionInput struct { // The waiting period, specified in number of days. After the waiting period // ends, AWS KMS deletes the customer master key (CMK). // + // If the CMK is a multi-Region primary key with replicas, the waiting period + // begins when the last of its replica keys is deleted. Otherwise, the waiting + // period begins immediately. + // // This value is optional. If you include a value, it must be between 7 and // 30, inclusive. If you do not include a value, it defaults to 30. PendingWindowInDays *int64 `min:"1" type:"integer"` @@ -14216,11 +15165,29 @@ type ScheduleKeyDeletionOutput struct { _ struct{} `type:"structure"` // The date and time after which AWS KMS deletes the customer master key (CMK). + // + // If the CMK is a multi-Region primary key with replica keys, this field does + // not appear. The deletion date for the primary key isn't known until its last + // replica key is deleted. DeletionDate *time.Time `type:"timestamp"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) // of the CMK whose deletion is scheduled. KeyId *string `min:"1" type:"string"` + + // The current status of the CMK. + // + // For more information about how key state affects the use of a CMK, see Key + // state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) + // in the AWS Key Management Service Developer Guide. + KeyState *string `type:"string" enum:"KeyState"` + + // The waiting period before the CMK is deleted. + // + // If the CMK is a multi-Region primary key with replicas, the waiting period + // begins when the last of its replica keys is deleted. Otherwise, the waiting + // period begins immediately. + PendingWindowInDays *int64 `min:"1" type:"integer"` } // String returns the string representation @@ -14245,12 +15212,26 @@ func (s *ScheduleKeyDeletionOutput) SetKeyId(v string) *ScheduleKeyDeletionOutpu return s } +// SetKeyState sets the KeyState field's value. +func (s *ScheduleKeyDeletionOutput) SetKeyState(v string) *ScheduleKeyDeletionOutput { + s.KeyState = &v + return s +} + +// SetPendingWindowInDays sets the PendingWindowInDays field's value. +func (s *ScheduleKeyDeletionOutput) SetPendingWindowInDays(v int64) *ScheduleKeyDeletionOutput { + s.PendingWindowInDays = &v + return s +} + type SignInput struct { _ struct{} `type:"structure"` // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` @@ -14258,9 +15239,9 @@ type SignInput struct { // CMK to sign the message. The KeyUsage type of the CMK must be SIGN_VERIFY. // To find the KeyUsage of a CMK, use the DescribeKey operation. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -14546,7 +15527,7 @@ type TagResourceInput struct { // Identifies a customer managed CMK in the account and Region. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -14699,7 +15680,7 @@ type UntagResourceInput struct { // Identifies the CMK from which you are removing tags. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -14791,7 +15772,7 @@ type UpdateAliasInput struct { // new target CMK must be the same type as the current target CMK (both symmetric // or both asymmetric) and they must have the same key usage. // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -14981,9 +15962,9 @@ type UpdateKeyDescriptionInput struct { // Description is a required field Description *string `type:"string" required:"true"` - // A unique identifier for the customer master key (CMK). + // Updates the description of the specified customer master key (CMK). // - // Specify the key ID or the Amazon Resource Name (ARN) of the CMK. + // Specify the key ID or key ARN of the CMK. // // For example: // @@ -15052,12 +16033,101 @@ func (s UpdateKeyDescriptionOutput) GoString() string { return s.String() } +type UpdatePrimaryRegionInput struct { + _ struct{} `type:"structure"` + + // Identifies the current primary key. When the operation completes, this CMK + // will be a replica key. + // + // Specify the key ID or key ARN of a multi-Region primary key. + // + // For example: + // + // * Key ID: mrk-1234abcd12ab34cd56ef1234567890ab + // + // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab + // + // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // + // KeyId is a required field + KeyId *string `min:"1" type:"string" required:"true"` + + // The AWS Region of the new primary key. Enter the Region ID, such as us-east-1 + // or ap-southeast-2. There must be an existing replica key in this Region. + // + // When the operation completes, the multi-Region key in this Region will be + // the primary key. + // + // PrimaryRegion is a required field + PrimaryRegion *string `min:"1" type:"string" required:"true"` +} + +// String returns the string representation +func (s UpdatePrimaryRegionInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdatePrimaryRegionInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *UpdatePrimaryRegionInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "UpdatePrimaryRegionInput"} + if s.KeyId == nil { + invalidParams.Add(request.NewErrParamRequired("KeyId")) + } + if s.KeyId != nil && len(*s.KeyId) < 1 { + invalidParams.Add(request.NewErrParamMinLen("KeyId", 1)) + } + if s.PrimaryRegion == nil { + invalidParams.Add(request.NewErrParamRequired("PrimaryRegion")) + } + if s.PrimaryRegion != nil && len(*s.PrimaryRegion) < 1 { + invalidParams.Add(request.NewErrParamMinLen("PrimaryRegion", 1)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetKeyId sets the KeyId field's value. +func (s *UpdatePrimaryRegionInput) SetKeyId(v string) *UpdatePrimaryRegionInput { + s.KeyId = &v + return s +} + +// SetPrimaryRegion sets the PrimaryRegion field's value. +func (s *UpdatePrimaryRegionInput) SetPrimaryRegion(v string) *UpdatePrimaryRegionInput { + s.PrimaryRegion = &v + return s +} + +type UpdatePrimaryRegionOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation +func (s UpdatePrimaryRegionOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s UpdatePrimaryRegionOutput) GoString() string { + return s.String() +} + type VerifyInput struct { _ struct{} `type:"structure"` // A list of grant tokens. // - // For more information, see Grant Tokens (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) + // Use a grant token when your permission to call this operation comes from + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) // in the AWS Key Management Service Developer Guide. GrantTokens []*string `type:"list"` @@ -15065,9 +16135,9 @@ type VerifyInput struct { // This must be the same CMK that was used to generate the signature. If you // specify a different CMK, the signature verification fails. // - // To specify a CMK, use its key ID, Amazon Resource Name (ARN), alias name, - // or alias ARN. When using an alias name, prefix it with "alias/". To specify - // a CMK in a different AWS account, you must use the key ARN or alias ARN. + // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When + // using an alias name, prefix it with "alias/". To specify a CMK in a different + // AWS account, you must use the key ARN or alias ARN. // // For example: // @@ -15544,6 +16614,9 @@ func KeyManagerType_Values() []string { } const ( + // KeyStateCreating is a KeyState enum value + KeyStateCreating = "Creating" + // KeyStateEnabled is a KeyState enum value KeyStateEnabled = "Enabled" @@ -15556,18 +16629,27 @@ const ( // KeyStatePendingImport is a KeyState enum value KeyStatePendingImport = "PendingImport" + // KeyStatePendingReplicaDeletion is a KeyState enum value + KeyStatePendingReplicaDeletion = "PendingReplicaDeletion" + // KeyStateUnavailable is a KeyState enum value KeyStateUnavailable = "Unavailable" + + // KeyStateUpdating is a KeyState enum value + KeyStateUpdating = "Updating" ) // KeyState_Values returns all elements of the KeyState enum func KeyState_Values() []string { return []string{ + KeyStateCreating, KeyStateEnabled, KeyStateDisabled, KeyStatePendingDeletion, KeyStatePendingImport, + KeyStatePendingReplicaDeletion, KeyStateUnavailable, + KeyStateUpdating, } } @@ -15603,6 +16685,22 @@ func MessageType_Values() []string { } } +const ( + // MultiRegionKeyTypePrimary is a MultiRegionKeyType enum value + MultiRegionKeyTypePrimary = "PRIMARY" + + // MultiRegionKeyTypeReplica is a MultiRegionKeyType enum value + MultiRegionKeyTypeReplica = "REPLICA" +) + +// MultiRegionKeyType_Values returns all elements of the MultiRegionKeyType enum +func MultiRegionKeyType_Values() []string { + return []string{ + MultiRegionKeyTypePrimary, + MultiRegionKeyTypeReplica, + } +} + const ( // OriginTypeAwsKms is a OriginType enum value OriginTypeAwsKms = "AWS_KMS" diff --git a/vendor/modules.txt b/vendor/modules.txt index fe4480a89..ebf3400be 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,4 +1,4 @@ -# github.com/aws/aws-sdk-go v1.38.54 +# github.com/aws/aws-sdk-go v1.38.63 ## explicit github.com/aws/aws-sdk-go/aws github.com/aws/aws-sdk-go/aws/awserr