{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.CloudTrail.Types.DataResource
-- Copyright   : (c) 2013-2021 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
module Amazonka.CloudTrail.Types.DataResource where

import qualified Amazonka.Core as Core
import qualified Amazonka.Lens as Lens
import qualified Amazonka.Prelude as Prelude

-- | The Amazon S3 buckets, Lambda functions, or Amazon DynamoDB tables that
-- you specify in your event selectors for your trail to log data events.
-- Data events provide information about the resource operations performed
-- on or within a resource itself. These are also known as data plane
-- operations. You can specify up to 250 data resources for a trail.
--
-- The total number of allowed data resources is 250. This number can be
-- distributed between 1 and 5 event selectors, but the total cannot exceed
-- 250 across all selectors.
--
-- If you are using advanced event selectors, the maximum total number of
-- values for all conditions, across all advanced event selectors for the
-- trail, is 500.
--
-- The following example demonstrates how logging works when you configure
-- logging of all data events for an S3 bucket named @bucket-1@. In this
-- example, the CloudTrail user specified an empty prefix, and the option
-- to log both @Read@ and @Write@ data events.
--
-- 1.  A user uploads an image file to @bucket-1@.
--
-- 2.  The @PutObject@ API operation is an Amazon S3 object-level API. It
--     is recorded as a data event in CloudTrail. Because the CloudTrail
--     user specified an S3 bucket with an empty prefix, events that occur
--     on any object in that bucket are logged. The trail processes and
--     logs the event.
--
-- 3.  A user uploads an object to an Amazon S3 bucket named
--     @arn:aws:s3:::bucket-2@.
--
-- 4.  The @PutObject@ API operation occurred for an object in an S3 bucket
--     that the CloudTrail user didn\'t specify for the trail. The trail
--     doesn’t log the event.
--
-- The following example demonstrates how logging works when you configure
-- logging of Lambda data events for a Lambda function named
-- /MyLambdaFunction/, but not for all Lambda functions.
--
-- 1.  A user runs a script that includes a call to the /MyLambdaFunction/
--     function and the /MyOtherLambdaFunction/ function.
--
-- 2.  The @Invoke@ API operation on /MyLambdaFunction/ is a Lambda API.
--     It is recorded as a data event in CloudTrail. Because the CloudTrail
--     user specified logging data events for /MyLambdaFunction/, any
--     invocations of that function are logged. The trail processes and
--     logs the event.
--
-- 3.  The @Invoke@ API operation on /MyOtherLambdaFunction/ is a Lambda
--     API. Because the CloudTrail user did not specify logging data events
--     for all Lambda functions, the @Invoke@ operation for
--     /MyOtherLambdaFunction/ does not match the function specified for
--     the trail. The trail doesn’t log the event.
--
-- /See:/ 'newDataResource' smart constructor.
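data DataResource = DataResource'
  { -- | An array of Amazon Resource Name (ARN) strings or partial ARN strings
    -- for the specified objects.
    --
    -- -   To log data events for all objects in all S3 buckets in your Amazon
    --     Web Services account, specify the prefix as @arn:aws:s3:::@.
    --
    --     This also enables logging of data event activity performed by any
    --     user or role in your Amazon Web Services account, even if that
    --     activity is performed on a bucket that belongs to another Amazon Web
    --     Services account.
    --
    -- -   To log data events for all objects in an S3 bucket, specify the
    --     bucket and an empty object prefix such as @arn:aws:s3:::bucket-1\/@.
    --     The trail logs data events for all objects in this S3 bucket.
    --
    -- -   To log data events for specific objects, specify the S3 bucket and
    --     object prefix such as @arn:aws:s3:::bucket-1\/example-images@. The
    --     trail logs data events for objects in this S3 bucket that match the
    --     prefix.
    --
    -- -   To log data events for all Lambda functions in your Amazon Web
    --     Services account, specify the prefix as @arn:aws:lambda@.
    --
    --     This also enables logging of @Invoke@ activity performed by any user
    --     or role in your Amazon Web Services account, even if that activity
    --     is performed on a function that belongs to another Amazon Web
    --     Services account.
    --
    -- -   To log data events for a specific Lambda function, specify the
    --     function ARN.
    --
    --     Lambda function ARNs are exact. For example, if you specify a
    --     function ARN
    --     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/, data
    --     events will only be logged for
    --     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/. They
    --     will not be logged for
    --     /arn:aws:lambda:us-west-2:111111111111:function:helloworld2/.
    --
    -- -   To log data events for all DynamoDB tables in your Amazon Web
    --     Services account, specify the prefix as @arn:aws:dynamodb@.
    --
    -- The entries are plain text: this record does not check that a value
    -- is a well-formed ARN or prefix, so a mistyped entry is not rejected
    -- here and the intended resource may go unlogged. Review the list when
    -- auditing a trail's coverage.
    values :: Prelude.Maybe [Prelude.Text],
    -- | The resource type in which you want to log data events. You can specify
    -- @AWS::S3::Object@, @AWS::Lambda::Function@, or @AWS::DynamoDB::Table@
    -- resources.
    --
    -- The @AWS::S3Outposts::Object@, @AWS::ManagedBlockchain::Node@,
    -- @AWS::S3ObjectLambda::AccessPoint@, and @AWS::EC2::Snapshot@ resource
    -- types are not valid in basic event selectors. To log data events on
    -- these resource types, use advanced event selectors.
    --
    -- The field is free-form text: this record does not restrict it to the
    -- resource types listed above.
    type' :: Prelude.Maybe Prelude.Text
  }
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)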

-- |
-- Create a value of 'DataResource' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'values', 'dataResource_values' - An array of Amazon Resource Name (ARN) strings or partial ARN strings
-- for the specified objects.
--
-- -   To log data events for all objects in all S3 buckets in your Amazon
--     Web Services account, specify the prefix as @arn:aws:s3:::@.
--
--     This also enables logging of data event activity performed by any
--     user or role in your Amazon Web Services account, even if that
--     activity is performed on a bucket that belongs to another Amazon Web
--     Services account.
--
-- -   To log data events for all objects in an S3 bucket, specify the
--     bucket and an empty object prefix such as @arn:aws:s3:::bucket-1\/@.
--     The trail logs data events for all objects in this S3 bucket.
--
-- -   To log data events for specific objects, specify the S3 bucket and
--     object prefix such as @arn:aws:s3:::bucket-1\/example-images@. The
--     trail logs data events for objects in this S3 bucket that match the
--     prefix.
--
-- -   To log data events for all Lambda functions in your Amazon Web
--     Services account, specify the prefix as @arn:aws:lambda@.
--
--     This also enables logging of @Invoke@ activity performed by any user
--     or role in your Amazon Web Services account, even if that activity
--     is performed on a function that belongs to another Amazon Web
--     Services account.
--
-- -   To log data events for a specific Lambda function, specify the
--     function ARN.
--
--     Lambda function ARNs are exact. For example, if you specify a
--     function ARN
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/, data
--     events will only be logged for
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/. They
--     will not be logged for
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld2/.
--
-- -   To log data events for all DynamoDB tables in your Amazon Web
--     Services account, specify the prefix as @arn:aws:dynamodb@.
--
-- 'type'', 'dataResource_type' - The resource type in which you want to log data events. You can specify
-- @AWS::S3::Object@, @AWS::Lambda::Function@, or @AWS::DynamoDB::Table@
-- resources.
--
-- The @AWS::S3Outposts::Object@, @AWS::ManagedBlockchain::Node@,
-- @AWS::S3ObjectLambda::AccessPoint@, and @AWS::EC2::Snapshot@ resource
-- types are not valid in basic event selectors. To log data events on
-- these resource types, use advanced event selectors.
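newDataResource ::
  DataResource
newDataResource =
  -- Both fields are optional, so the smart constructor leaves them unset
  -- ('Prelude.Nothing'); callers populate them afterwards through the
  -- record fields or the lenses.
  DataResource'
    { values = Prelude.Nothing,
      type' = Prelude.Nothing
    }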

-- | An array of Amazon Resource Name (ARN) strings or partial ARN strings
-- for the specified objects.
--
-- -   To log data events for all objects in all S3 buckets in your Amazon
--     Web Services account, specify the prefix as @arn:aws:s3:::@.
--
--     This also enables logging of data event activity performed by any
--     user or role in your Amazon Web Services account, even if that
--     activity is performed on a bucket that belongs to another Amazon Web
--     Services account.
--
-- -   To log data events for all objects in an S3 bucket, specify the
--     bucket and an empty object prefix such as @arn:aws:s3:::bucket-1\/@.
--     The trail logs data events for all objects in this S3 bucket.
--
-- -   To log data events for specific objects, specify the S3 bucket and
--     object prefix such as @arn:aws:s3:::bucket-1\/example-images@. The
--     trail logs data events for objects in this S3 bucket that match the
--     prefix.
--
-- -   To log data events for all Lambda functions in your Amazon Web
--     Services account, specify the prefix as @arn:aws:lambda@.
--
--     This also enables logging of @Invoke@ activity performed by any user
--     or role in your Amazon Web Services account, even if that activity
--     is performed on a function that belongs to another Amazon Web
--     Services account.
--
-- -   To log data events for a specific Lambda function, specify the
--     function ARN.
--
--     Lambda function ARNs are exact. For example, if you specify a
--     function ARN
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/, data
--     events will only be logged for
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld/. They
--     will not be logged for
--     /arn:aws:lambda:us-west-2:111111111111:function:helloworld2/.
--
-- -   To log data events for all DynamoDB tables in your Amazon Web
--     Services account, specify the prefix as @arn:aws:dynamodb@.
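dataResource_values :: Lens.Lens' DataResource (Prelude.Maybe [Prelude.Text])
dataResource_values =
  -- Getter/setter pair over the 'values' field. The trailing
  -- @Lens.mapping Lens.coerced@ maps a coercion under the 'Prelude.Maybe';
  -- at this type it goes from @[Text]@ to @[Text]@.
  Lens.lens
    (\DataResource' {values} -> values)
    -- The result annotation disambiguates the record update, which is
    -- needed because the module enables DuplicateRecordFields.
    (\s@DataResource' {} a -> s {values = a} :: DataResource)
    Prelude.. Lens.mapping Lens.coerced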

-- | The resource type in which you want to log data events. You can specify
-- @AWS::S3::Object@, @AWS::Lambda::Function@, or @AWS::DynamoDB::Table@
-- resources.
--
-- The @AWS::S3Outposts::Object@, @AWS::ManagedBlockchain::Node@,
-- @AWS::S3ObjectLambda::AccessPoint@, and @AWS::EC2::Snapshot@ resource
-- types are not valid in basic event selectors. To log data events on
-- these resource types, use advanced event selectors.
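dataResource_type :: Lens.Lens' DataResource (Prelude.Maybe Prelude.Text)
dataResource_type =
  -- Getter/setter pair over the 'type'' field; the value is passed through
  -- unchanged in both directions.
  Lens.lens
    (\DataResource' {type'} -> type')
    -- The result annotation disambiguates the record update, which is
    -- needed because the module enables DuplicateRecordFields.
    (\s@DataResource' {} a -> s {type' = a} :: DataResource)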

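-- Decodes a 'DataResource' from a JSON object with the optional keys
-- @"Values"@ and @"Type"@; a non-object value is rejected by
-- 'Core.withObject'.
instance Core.FromJSON DataResource where
  parseJSON =
    Core.withObject
      "DataResource"
      ( \x ->
          DataResource'
            -- A missing "Values" key falls back to 'Prelude.mempty', which
            -- is 'Prelude.Nothing' at type @Maybe [Text]@.
            Prelude.<$> (x Core..:? "Values" Core..!= Prelude.mempty)
            -- "Type" is optional and decoded as-is; no check is made that
            -- it names a known resource type.
            Prelude.<*> (x Core..:? "Type")
      )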

-- Empty instance body: the class's default method implementations are used
-- (presumably the Generic-based defaults, given the derived 'Prelude.Generic').
instance Prelude.Hashable DataResource

-- Empty instance body: the class's default method implementations are used
-- (presumably the Generic-based defaults, given the derived 'Prelude.Generic').
instance Prelude.NFData DataResource

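-- Encodes a 'DataResource' as a JSON object with the keys @"Values"@ and
-- @"Type"@.
instance Core.ToJSON DataResource where
  toJSON DataResource' {..} =
    Core.object
      -- 'Prelude.catMaybes' drops unset fields, so a 'Prelude.Nothing'
      -- field is omitted from the object rather than written as null.
      ( Prelude.catMaybes
          [ ("Values" Core..=) Prelude.<$> values,
            ("Type" Core..=) Prelude.<$> type'
          ]
      )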