{-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE DuplicateRecordFields #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE StrictData #-} {-# LANGUAGE TypeFamilies #-} {-# LANGUAGE NoImplicitPrelude #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-} {-# OPTIONS_GHC -fno-warn-unused-matches #-} -- Derived from AWS service descriptions, licensed under Apache 2.0. -- | -- Module : Amazonka.IAM.SimulatePrincipalPolicy -- Copyright : (c) 2013-2021 Brendan Hay -- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay+amazonka@gmail.com> -- Stability : auto-generated -- Portability : non-portable (GHC extensions) -- -- Simulate how a set of IAM policies attached to an IAM entity works with -- a list of API operations and Amazon Web Services resources to determine -- the policies\' effective permissions. The entity can be an IAM user, -- group, or role. If you specify a user, then the simulation also includes -- all of the policies that are attached to groups that the user belongs -- to. You can simulate resources that don\'t exist in your account. -- -- You can optionally include a list of one or more additional policies -- specified as strings to include in the simulation. If you want to -- simulate only policies specified as strings, use SimulateCustomPolicy -- instead. -- -- You can also optionally include one resource-based policy to be -- evaluated with each of the resources included in the simulation. -- -- The simulation does not perform the API operations; it only checks the -- authorization to determine if the simulated policies allow or deny the -- operations. -- -- __Note:__ This operation discloses information about the permissions -- granted to other users. If you do not want users to see other user\'s -- permissions, then consider allowing them to use SimulateCustomPolicy -- instead. 
-- -- Context keys are variables maintained by Amazon Web Services and its -- services that provide details about the context of an API query request. -- You can use the @Condition@ element of an IAM policy to evaluate context -- keys. To get the list of context keys that the policies require for -- correct simulation, use GetContextKeysForPrincipalPolicy. -- -- If the output is long, you can use the @MaxItems@ and @Marker@ -- parameters to paginate the results. -- -- For more information about using the policy simulator, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html Testing IAM policies with the IAM policy simulator> -- in the /IAM User Guide/. -- -- This operation returns paginated results. module Amazonka.IAM.SimulatePrincipalPolicy ( -- * Creating a Request SimulatePrincipalPolicy (..), newSimulatePrincipalPolicy, -- * Request Lenses simulatePrincipalPolicy_policyInputList, simulatePrincipalPolicy_resourcePolicy, simulatePrincipalPolicy_callerArn, simulatePrincipalPolicy_resourceHandlingOption, simulatePrincipalPolicy_resourceArns, simulatePrincipalPolicy_permissionsBoundaryPolicyInputList, simulatePrincipalPolicy_marker, simulatePrincipalPolicy_maxItems, simulatePrincipalPolicy_contextEntries, simulatePrincipalPolicy_resourceOwner, simulatePrincipalPolicy_policySourceArn, simulatePrincipalPolicy_actionNames, -- * Destructuring the Response SimulatePolicyResponse (..), newSimulatePolicyResponse, -- * Response Lenses simulatePolicyResponse_evaluationResults, simulatePolicyResponse_marker, simulatePolicyResponse_isTruncated, ) where import qualified Amazonka.Core as Core import Amazonka.IAM.Types import qualified Amazonka.Lens as Lens import qualified Amazonka.Prelude as Prelude import qualified Amazonka.Request as Request import qualified Amazonka.Response as Response -- | /See:/ 'newSimulatePrincipalPolicy' smart constructor. 
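--
-- Request record for the IAM policy simulator. 'policySourceArn' and
-- 'actionNames' are the only fields that are not wrapped in 'Prelude.Maybe';
-- every other field is optional.
--
-- Access-control note: the service description for this operation states
-- that it discloses information about the permissions granted to other
-- users. The @iam:SimulatePrincipalPolicy@ permission should therefore be
-- granted as narrowly as any other read access to policy data; where callers
-- only need to test policy text that they supply themselves, the service
-- description suggests SimulateCustomPolicy instead.
--
-- Documentation note: several field descriptions below say that a maximum
-- policy length \"is listed below\", but no such list follows in this
-- generated text; use the linked IAM and STS character quotas page.
data SimulatePrincipalPolicy = SimulatePrincipalPolicy'
  { -- | An optional list of additional policy documents to include in the
    -- simulation. Each document is specified as a string containing the
    -- complete, valid JSON text of an IAM policy.
    --
    -- The <http://wikipedia.org/wiki/regex regex pattern> used to validate
    -- this parameter is a string of characters consisting of the following:
    --
    -- -   Any printable ASCII character ranging from the space character
    --     (@\\u0020@) through the end of the ASCII character range
    --
    -- -   The printable characters in the Basic Latin and Latin-1 Supplement
    --     character set (through @\\u00FF@)
    --
    -- -   The special characters tab (@\\u0009@), line feed (@\\u000A@), and
    --     carriage return (@\\u000D@)
    policyInputList :: Prelude.Maybe [Prelude.Text],
    -- | A resource-based policy to include in the simulation provided as a
    -- string. Each resource in the simulation is treated as if it had this
    -- policy attached. You can include only one resource-based policy in a
    -- simulation.
    --
    -- The maximum length of the policy document that you can pass in this
    -- operation, including whitespace, is listed below. To view the maximum
    -- character counts of a managed policy with no whitespaces, see
    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length IAM and STS character quotas>.
    --
    -- The <http://wikipedia.org/wiki/regex regex pattern> used to validate
    -- this parameter is a string of characters consisting of the following:
    --
    -- -   Any printable ASCII character ranging from the space character
    --     (@\\u0020@) through the end of the ASCII character range
    --
    -- -   The printable characters in the Basic Latin and Latin-1 Supplement
    --     character set (through @\\u00FF@)
    --
    -- -   The special characters tab (@\\u0009@), line feed (@\\u000A@), and
    --     carriage return (@\\u000D@)
    resourcePolicy :: Prelude.Maybe Prelude.Text,
    -- | The ARN of the IAM user that you want to specify as the simulated caller
    -- of the API operations. If you do not specify a @CallerArn@, it defaults
    -- to the ARN of the user that you specify in @PolicySourceArn@, if you
    -- specified a user. If you include both a @PolicySourceArn@ (for example,
    -- @arn:aws:iam::123456789012:user\/David@) and a @CallerArn@ (for example,
    -- @arn:aws:iam::123456789012:user\/Bob@), the result is that you simulate
    -- calling the API operations as Bob, as if Bob had David\'s policies.
    --
    -- You can specify only the ARN of an IAM user. You cannot specify the ARN
    -- of an assumed role, federated user, or a service principal.
    --
    -- @CallerArn@ is required if you include a @ResourcePolicy@ and the
    -- @PolicySourceArn@ is not the ARN for an IAM user. This is required so
    -- that the resource-based policy\'s @Principal@ element has a value to use
    -- in evaluating the policy.
    --
    -- For more information about ARNs, see
    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs)>
    -- in the /Amazon Web Services General Reference/.
    callerArn :: Prelude.Maybe Prelude.Text,
    -- | Specifies the type of simulation to run. Different API operations that
    -- support resource-based policies require different combinations of
    -- resources. By specifying the type of simulation to run, you enable the
    -- policy simulator to enforce the presence of the required resources to
    -- ensure reliable simulation results. If your simulation does not match
    -- one of the following scenarios, then you can omit this parameter. The
    -- following list shows each of the supported scenario values and the
    -- resources that you must define to run the simulation.
    --
    -- Each of the EC2 scenarios requires that you specify instance, image, and
    -- security group resources. If your scenario includes an EBS volume, then
    -- you must specify that volume as a resource. If the EC2 scenario includes
    -- VPC, then you must supply the network interface resource. If it includes
    -- an IP subnet, then you must specify the subnet resource. For more
    -- information on the EC2 scenario options, see
    -- <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html Supported platforms>
    -- in the /Amazon EC2 User Guide/.
    --
    -- -   __EC2-Classic-InstanceStore__
    --
    --     instance, image, security group
    --
    -- -   __EC2-Classic-EBS__
    --
    --     instance, image, security group, volume
    --
    -- -   __EC2-VPC-InstanceStore__
    --
    --     instance, image, security group, network interface
    --
    -- -   __EC2-VPC-InstanceStore-Subnet__
    --
    --     instance, image, security group, network interface, subnet
    --
    -- -   __EC2-VPC-EBS__
    --
    --     instance, image, security group, network interface, volume
    --
    -- -   __EC2-VPC-EBS-Subnet__
    --
    --     instance, image, security group, network interface, subnet, volume
    resourceHandlingOption :: Prelude.Maybe Prelude.Text,
    -- | A list of ARNs of Amazon Web Services resources to include in the
    -- simulation. If this parameter is not provided, then the value defaults
    -- to @*@ (all resources). Each API in the @ActionNames@ parameter is
    -- evaluated for each resource in this list. The simulation determines the
    -- access result (allowed or denied) of each combination and reports it in
    -- the response. You can simulate resources that don\'t exist in your
    -- account.
    --
    -- The simulation does not automatically retrieve policies for the
    -- specified resources. If you want to include a resource policy in the
    -- simulation, then you must include the policy as a string in the
    -- @ResourcePolicy@ parameter.
    --
    -- Review note: because attached resource policies are not fetched, a
    -- result obtained without 'resourcePolicy' does not account for them.
    --
    -- For more information about ARNs, see
    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs)>
    -- in the /Amazon Web Services General Reference/.
    resourceArns :: Prelude.Maybe [Prelude.Text],
    -- | The IAM permissions boundary policy to simulate. The permissions
    -- boundary sets the maximum permissions that the entity can have. You can
    -- input only one permissions boundary when you pass a policy to this
    -- operation. An IAM entity can only have one permissions boundary in
    -- effect at a time. For example, if a permissions boundary is attached to
    -- an entity and you pass in a different permissions boundary policy using
    -- this parameter, then the new permissions boundary policy is used for the
    -- simulation. For more information about permissions boundaries, see
    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html Permissions boundaries for IAM entities>
    -- in the /IAM User Guide/. The policy input is specified as a string
    -- containing the complete, valid JSON text of a permissions boundary
    -- policy.
    --
    -- The maximum length of the policy document that you can pass in this
    -- operation, including whitespace, is listed below. To view the maximum
    -- character counts of a managed policy with no whitespaces, see
    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length IAM and STS character quotas>.
    --
    -- The <http://wikipedia.org/wiki/regex regex pattern> used to validate
    -- this parameter is a string of characters consisting of the following:
    --
    -- -   Any printable ASCII character ranging from the space character
    --     (@\\u0020@) through the end of the ASCII character range
    --
    -- -   The printable characters in the Basic Latin and Latin-1 Supplement
    --     character set (through @\\u00FF@)
    --
    -- -   The special characters tab (@\\u0009@), line feed (@\\u000A@), and
    --     carriage return (@\\u000D@)
    permissionsBoundaryPolicyInputList :: Prelude.Maybe [Prelude.Text],
    -- | Use this parameter only when paginating results and only after you
    -- receive a response indicating that the results are truncated. Set it to
    -- the value of the @Marker@ element in the response that you received to
    -- indicate where the next call should start.
    marker :: Prelude.Maybe Prelude.Text,
    -- | Use this only when paginating results to indicate the maximum number of
    -- items you want in the response. If additional items exist beyond the
    -- maximum you specify, the @IsTruncated@ response element is @true@.
    --
    -- If you do not include this parameter, the number of items defaults to
    -- 100. Note that IAM might return fewer results, even when there are more
    -- results available. In that case, the @IsTruncated@ response element
    -- returns @true@, and @Marker@ contains a value to include in the
    -- subsequent call that tells the service where to continue from.
    maxItems :: Prelude.Maybe Prelude.Natural,
    -- | A list of context keys and corresponding values for the simulation to
    -- use. Whenever a context key is evaluated in one of the simulated IAM
    -- permissions policies, the corresponding value is supplied.
    contextEntries :: Prelude.Maybe [ContextEntry],
    -- | An Amazon Web Services account ID that specifies the owner of any
    -- simulated resource that does not identify its owner in the resource ARN.
    -- Examples of resource ARNs include an S3 bucket or object. If
    -- @ResourceOwner@ is specified, it is also used as the account owner of
    -- any @ResourcePolicy@ included in the simulation. If the @ResourceOwner@
    -- parameter is not specified, then the owner of the resources and the
    -- resource policy defaults to the account of the identity provided in
    -- @CallerArn@. This parameter is required only if you specify a
    -- resource-based policy and account that owns the resource is different
    -- from the account that owns the simulated calling user @CallerArn@.
    resourceOwner :: Prelude.Maybe Prelude.Text,
    -- | The Amazon Resource Name (ARN) of a user, group, or role whose policies
    -- you want to include in the simulation. If you specify a user, group, or
    -- role, the simulation includes all policies that are associated with that
    -- entity. If you specify a user, the simulation also includes all policies
    -- that are attached to any groups the user belongs to.
    --
    -- The maximum length of the policy document that you can pass in this
    -- operation, including whitespace, is listed below. To view the maximum
    -- character counts of a managed policy with no whitespaces, see
    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length IAM and STS character quotas>.
    --
    -- For more information about ARNs, see
    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs)>
    -- in the /Amazon Web Services General Reference/.
    policySourceArn :: Prelude.Text,
    -- | A list of names of API operations to evaluate in the simulation. Each
    -- operation is evaluated for each resource. Each operation must include
    -- the service identifier, such as @iam:CreateUser@.
    actionNames :: [Prelude.Text]
  }
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)

-- |
-- Create a value of 'SimulatePrincipalPolicy' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'policyInputList', 'simulatePrincipalPolicy_policyInputList' - An optional list of additional policy documents to include in the
-- simulation. Each document is specified as a string containing the
-- complete, valid JSON text of an IAM policy.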
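--
-- The <http://wikipedia.org/wiki/regex regex pattern> used to validate
-- this parameter is a string of characters consisting of the following:
--
-- -   Any printable ASCII character ranging from the space character
--     (@\\u0020@) through the end of the ASCII character range
--
-- -   The printable characters in the Basic Latin and Latin-1 Supplement
--     character set (through @\\u00FF@)
--
-- -   The special characters tab (@\\u0009@), line feed (@\\u000A@), and
--     carriage return (@\\u000D@)
--
-- 'resourcePolicy', 'simulatePrincipalPolicy_resourcePolicy' - A resource-based policy to include in the simulation provided as a
-- string. Each resource in the simulation is treated as if it had this
-- policy attached. You can include only one resource-based policy in a
-- simulation.
--
-- The maximum length of the policy document that you can pass in this
-- operation, including whitespace, is listed below. To view the maximum
-- character counts of a managed policy with no whitespaces, see
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length IAM and STS character quotas>.
--
-- The <http://wikipedia.org/wiki/regex regex pattern> used to validate
-- this parameter is a string of characters consisting of the following:
--
-- -   Any printable ASCII character ranging from the space character
--     (@\\u0020@) through the end of the ASCII character range
--
-- -   The printable characters in the Basic Latin and Latin-1 Supplement
--     character set (through @\\u00FF@)
--
-- -   The special characters tab (@\\u0009@), line feed (@\\u000A@), and
--     carriage return (@\\u000D@)
--
-- 'callerArn', 'simulatePrincipalPolicy_callerArn' - The ARN of the IAM user that you want to specify as the simulated caller
-- of the API operations. If you do not specify a @CallerArn@, it defaults
-- to the ARN of the user that you specify in @PolicySourceArn@, if you
-- specified a user. If you include both a @PolicySourceArn@ (for example,
-- @arn:aws:iam::123456789012:user\/David@) and a @CallerArn@ (for example,
-- @arn:aws:iam::123456789012:user\/Bob@), the result is that you simulate
-- calling the API operations as Bob, as if Bob had David\'s policies.
--
-- You can specify only the ARN of an IAM user. You cannot specify the ARN
-- of an assumed role, federated user, or a service principal.
--
-- @CallerArn@ is required if you include a @ResourcePolicy@ and the
-- @PolicySourceArn@ is not the ARN for an IAM user. This is required so
-- that the resource-based policy\'s @Principal@ element has a value to use
-- in evaluating the policy.
--
-- For more information about ARNs, see
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs)>
-- in the /Amazon Web Services General Reference/.
--
-- 'resourceHandlingOption', 'simulatePrincipalPolicy_resourceHandlingOption' - Specifies the type of simulation to run. Different API operations that
-- support resource-based policies require different combinations of
-- resources. By specifying the type of simulation to run, you enable the
-- policy simulator to enforce the presence of the required resources to
-- ensure reliable simulation results. If your simulation does not match
-- one of the following scenarios, then you can omit this parameter. The
-- following list shows each of the supported scenario values and the
-- resources that you must define to run the simulation.
--
-- Each of the EC2 scenarios requires that you specify instance, image, and
-- security group resources. If your scenario includes an EBS volume, then
-- you must specify that volume as a resource. If the EC2 scenario includes
-- VPC, then you must supply the network interface resource. If it includes
-- an IP subnet, then you must specify the subnet resource. For more
-- information on the EC2 scenario options, see
-- <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html Supported platforms>
-- in the /Amazon EC2 User Guide/.
--
-- -   __EC2-Classic-InstanceStore__
--
--     instance, image, security group
--
-- -   __EC2-Classic-EBS__
--
--     instance, image, security group, volume
--
-- -   __EC2-VPC-InstanceStore__
--
--     instance, image, security group, network interface
--
-- -   __EC2-VPC-InstanceStore-Subnet__
--
--     instance, image, security group, network interface, subnet
--
-- -   __EC2-VPC-EBS__
--
--     instance, image, security group, network interface, volume
--
-- -   __EC2-VPC-EBS-Subnet__
--
--     instance, image, security group, network interface, subnet, volume
--
-- 'resourceArns', 'simulatePrincipalPolicy_resourceArns' - A list of ARNs of Amazon Web Services resources to include in the
-- simulation. If this parameter is not provided, then the value defaults
-- to @*@ (all resources). Each API in the @ActionNames@ parameter is
-- evaluated for each resource in this list. The simulation determines the
-- access result (allowed or denied) of each combination and reports it in
-- the response. You can simulate resources that don\'t exist in your
-- account.
--
-- The simulation does not automatically retrieve policies for the
-- specified resources. If you want to include a resource policy in the
-- simulation, then you must include the policy as a string in the
-- @ResourcePolicy@ parameter.
--
-- For more information about ARNs, see
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs)>
-- in the /Amazon Web Services General Reference/.
--
-- 'permissionsBoundaryPolicyInputList', 'simulatePrincipalPolicy_permissionsBoundaryPolicyInputList' - The IAM permissions boundary policy to simulate. The permissions
-- boundary sets the maximum permissions that the entity can have. You can
-- input only one permissions boundary when you pass a policy to this
-- operation. An IAM entity can only have one permissions boundary in
-- effect at a time. For example, if a permissions boundary is attached to
-- an entity and you pass in a different permissions boundary policy using
-- this parameter, then the new permissions boundary policy is used for the
-- simulation. For more information about permissions boundaries, see
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html Permissions boundaries for IAM entities>
-- in the /IAM User Guide/. The policy input is specified as a string
-- containing the complete, valid JSON text of a permissions boundary
-- policy.
--
-- The maximum length of the policy document that you can pass in this
-- operation, including whitespace, is listed below. To view the maximum
-- character counts of a managed policy with no whitespaces, see
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length IAM and STS character quotas>.
--
-- The <http://wikipedia.org/wiki/regex regex pattern> used to validate
-- this parameter is a string of characters consisting of the following:
--
-- -   Any printable ASCII character ranging from the space character
--     (@\\u0020@) through the end of the ASCII character range
--
-- -   The printable characters in the Basic Latin and Latin-1 Supplement
--     character set (through @\\u00FF@)
--
-- -   The special characters tab (@\\u0009@), line feed (@\\u000A@), and
--     carriage return (@\\u000D@)
--
-- 'marker', 'simulatePrincipalPolicy_marker' - Use this parameter only when paginating results and only after you
-- receive a response indicating that the results are truncated. Set it to
-- the value of the @Marker@ element in the response that you received to
-- indicate where the next call should start.
--
-- 'maxItems', 'simulatePrincipalPolicy_maxItems' - Use this only when paginating results to indicate the maximum number of
-- items you want in the response. If additional items exist beyond the
-- maximum you specify, the @IsTruncated@ response element is @true@.
--
-- If you do not include this parameter, the number of items defaults to
-- 100. Note that IAM might return fewer results, even when there are more
-- results available. In that case, the @IsTruncated@ response element
-- returns @true@, and @Marker@ contains a value to include in the
-- subsequent call that tells the service where to continue from.
--
-- 'contextEntries', 'simulatePrincipalPolicy_contextEntries' - A list of context keys and corresponding values for the simulation to
-- use. Whenever a context key is evaluated in one of the simulated IAM
-- permissions policies, the corresponding value is supplied.
--
-- 'resourceOwner', 'simulatePrincipalPolicy_resourceOwner' - An Amazon Web Services account ID that specifies the owner of any
-- simulated resource that does not identify its owner in the resource ARN.
-- Examples of resource ARNs include an S3 bucket or object. If
-- @ResourceOwner@ is specified, it is also used as the account owner of
-- any @ResourcePolicy@ included in the simulation. If the @ResourceOwner@
-- parameter is not specified, then the owner of the resources and the
-- resource policy defaults to the account of the identity provided in
-- @CallerArn@. This parameter is required only if you specify a
-- resource-based policy and account that owns the resource is different
-- from the account that owns the simulated calling user @CallerArn@.
--
-- 'policySourceArn', 'simulatePrincipalPolicy_policySourceArn' - The Amazon Resource Name (ARN) of a user, group, or role whose policies
-- you want to include in the simulation. If you specify a user, group, or
-- role, the simulation includes all policies that are associated with that
-- entity. If you specify a user, the simulation also includes all policies
-- that are attached to any groups the user belongs to.
--
-- The maximum length of the policy document that you can pass in this
-- operation, including whitespace, is listed below. To view the maximum
-- character counts of a managed policy with no whitespaces, see
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length IAM and STS character quotas>.
--
-- For more information about ARNs, see
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs)>
-- in the /Amazon Web Services General Reference/.
--
-- 'actionNames', 'simulatePrincipalPolicy_actionNames' - A list of names of API operations to evaluate in the simulation. Each
-- operation is evaluated for each resource. Each operation must include
-- the service identifier, such as @iam:CreateUser@.
--
-- Note that 'actionNames' is not a constructor argument: it is initialised
-- to 'Prelude.mempty' here, so callers set it afterwards through
-- 'simulatePrincipalPolicy_actionNames'.
newSimulatePrincipalPolicy ::
  -- | 'policySourceArn'
  Prelude.Text ->
  SimulatePrincipalPolicy
newSimulatePrincipalPolicy pPolicySourceArn_ =
  SimulatePrincipalPolicy'
    { -- Every optional field starts out absent.
      policyInputList = Prelude.Nothing,
      resourcePolicy = Prelude.Nothing,
      callerArn = Prelude.Nothing,
      resourceHandlingOption = Prelude.Nothing,
      resourceArns = Prelude.Nothing,
      permissionsBoundaryPolicyInputList = Prelude.Nothing,
      marker = Prelude.Nothing,
      maxItems = Prelude.Nothing,
      contextEntries = Prelude.Nothing,
      resourceOwner = Prelude.Nothing,
      -- The only value supplied by the caller of this constructor.
      policySourceArn = pPolicySourceArn_,
      -- Non-optional in the record type, but defaulted to the empty list.
      actionNames = Prelude.mempty
    }

-- | An optional list of additional policy documents to include in the
-- simulation. Each document is specified as a string containing the
-- complete, valid JSON text of an IAM policy.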
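--
-- The <http://wikipedia.org/wiki/regex regex pattern> used to validate
-- this parameter is a string of characters consisting of the following:
--
-- -   Any printable ASCII character ranging from the space character
--     (@\\u0020@) through the end of the ASCII character range
--
-- -   The printable characters in the Basic Latin and Latin-1 Supplement
--     character set (through @\\u00FF@)
--
-- -   The special characters tab (@\\u0009@), line feed (@\\u000A@), and
--     carriage return (@\\u000D@)
simulatePrincipalPolicy_policyInputList :: Lens.Lens' SimulatePrincipalPolicy (Prelude.Maybe [Prelude.Text])
simulatePrincipalPolicy_policyInputList =
  -- Getter and setter over the 'policyInputList' field, composed with
  -- 'Lens.mapping' 'Lens.coerced'. At this field's type the coercion goes
  -- from @[Text]@ to @[Text]@, so it does not change the value seen through
  -- the lens.
  Lens.lens
    (\SimulatePrincipalPolicy' {policyInputList} -> policyInputList)
    (\s@SimulatePrincipalPolicy' {} a -> s {policyInputList = a} :: SimulatePrincipalPolicy)
    Prelude.. Lens.mapping Lens.coerced

-- | A resource-based policy to include in the simulation provided as a
-- string. Each resource in the simulation is treated as if it had this
-- policy attached. You can include only one resource-based policy in a
-- simulation.
--
-- The maximum length of the policy document that you can pass in this
-- operation, including whitespace, is listed below. To view the maximum
-- character counts of a managed policy with no whitespaces, see
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length IAM and STS character quotas>.
--
-- The <http://wikipedia.org/wiki/regex regex pattern> used to validate
-- this parameter is a string of characters consisting of the following:
--
-- -   Any printable ASCII character ranging from the space character
--     (@\\u0020@) through the end of the ASCII character range
--
-- -   The printable characters in the Basic Latin and Latin-1 Supplement
--     character set (through @\\u00FF@)
--
-- -   The special characters tab (@\\u0009@), line feed (@\\u000A@), and
--     carriage return (@\\u000D@)
simulatePrincipalPolicy_resourcePolicy :: Lens.Lens' SimulatePrincipalPolicy (Prelude.Maybe Prelude.Text)
simulatePrincipalPolicy_resourcePolicy =
  -- Plain getter/setter pair over the 'resourcePolicy' field; the type
  -- annotation on the record update names the record being updated.
  Lens.lens
    (\SimulatePrincipalPolicy' {resourcePolicy} -> resourcePolicy)
    (\s@SimulatePrincipalPolicy' {} a -> s {resourcePolicy = a} :: SimulatePrincipalPolicy)

-- | The ARN of the IAM user that you want to specify as the simulated caller
-- of the API operations. If you do not specify a @CallerArn@, it defaults
-- to the ARN of the user that you specify in @PolicySourceArn@, if you
-- specified a user. If you include both a @PolicySourceArn@ (for example,
-- @arn:aws:iam::123456789012:user\/David@) and a @CallerArn@ (for example,
-- @arn:aws:iam::123456789012:user\/Bob@), the result is that you simulate
-- calling the API operations as Bob, as if Bob had David\'s policies.
--
-- You can specify only the ARN of an IAM user. You cannot specify the ARN
-- of an assumed role, federated user, or a service principal.
--
-- @CallerArn@ is required if you include a @ResourcePolicy@ and the
-- @PolicySourceArn@ is not the ARN for an IAM user. This is required so
-- that the resource-based policy\'s @Principal@ element has a value to use
-- in evaluating the policy.
--
-- For more information about ARNs, see
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs)>
-- in the /Amazon Web Services General Reference/.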
simulatePrincipalPolicy_callerArn :: Lens.Lens' SimulatePrincipalPolicy (Prelude.Maybe Prelude.Text) simulatePrincipalPolicy_callerArn :: (Maybe Text -> f (Maybe Text)) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy simulatePrincipalPolicy_callerArn = (SimulatePrincipalPolicy -> Maybe Text) -> (SimulatePrincipalPolicy -> Maybe Text -> SimulatePrincipalPolicy) -> Lens SimulatePrincipalPolicy SimulatePrincipalPolicy (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\SimulatePrincipalPolicy' {Maybe Text callerArn :: Maybe Text $sel:callerArn:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe Text callerArn} -> Maybe Text callerArn) (\s :: SimulatePrincipalPolicy s@SimulatePrincipalPolicy' {} Maybe Text a -> SimulatePrincipalPolicy s {$sel:callerArn:SimulatePrincipalPolicy' :: Maybe Text callerArn = Maybe Text a} :: SimulatePrincipalPolicy) -- | Specifies the type of simulation to run. Different API operations that -- support resource-based policies require different combinations of -- resources. By specifying the type of simulation to run, you enable the -- policy simulator to enforce the presence of the required resources to -- ensure reliable simulation results. If your simulation does not match -- one of the following scenarios, then you can omit this parameter. The -- following list shows each of the supported scenario values and the -- resources that you must define to run the simulation. -- -- Each of the EC2 scenarios requires that you specify instance, image, and -- security group resources. If your scenario includes an EBS volume, then -- you must specify that volume as a resource. If the EC2 scenario includes -- VPC, then you must supply the network interface resource. If it includes -- an IP subnet, then you must specify the subnet resource. 
For more -- information on the EC2 scenario options, see -- <https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html Supported platforms> -- in the /Amazon EC2 User Guide/. -- -- - __EC2-Classic-InstanceStore__ -- -- instance, image, security group -- -- - __EC2-Classic-EBS__ -- -- instance, image, security group, volume -- -- - __EC2-VPC-InstanceStore__ -- -- instance, image, security group, network interface -- -- - __EC2-VPC-InstanceStore-Subnet__ -- -- instance, image, security group, network interface, subnet -- -- - __EC2-VPC-EBS__ -- -- instance, image, security group, network interface, volume -- -- - __EC2-VPC-EBS-Subnet__ -- -- instance, image, security group, network interface, subnet, volume simulatePrincipalPolicy_resourceHandlingOption :: Lens.Lens' SimulatePrincipalPolicy (Prelude.Maybe Prelude.Text) simulatePrincipalPolicy_resourceHandlingOption :: (Maybe Text -> f (Maybe Text)) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy simulatePrincipalPolicy_resourceHandlingOption = (SimulatePrincipalPolicy -> Maybe Text) -> (SimulatePrincipalPolicy -> Maybe Text -> SimulatePrincipalPolicy) -> Lens SimulatePrincipalPolicy SimulatePrincipalPolicy (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\SimulatePrincipalPolicy' {Maybe Text resourceHandlingOption :: Maybe Text $sel:resourceHandlingOption:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe Text resourceHandlingOption} -> Maybe Text resourceHandlingOption) (\s :: SimulatePrincipalPolicy s@SimulatePrincipalPolicy' {} Maybe Text a -> SimulatePrincipalPolicy s {$sel:resourceHandlingOption:SimulatePrincipalPolicy' :: Maybe Text resourceHandlingOption = Maybe Text a} :: SimulatePrincipalPolicy) -- | A list of ARNs of Amazon Web Services resources to include in the -- simulation. If this parameter is not provided, then the value defaults -- to @*@ (all resources). 
Each API in the @ActionNames@ parameter is -- evaluated for each resource in this list. The simulation determines the -- access result (allowed or denied) of each combination and reports it in -- the response. You can simulate resources that don\'t exist in your -- account. -- -- The simulation does not automatically retrieve policies for the -- specified resources. If you want to include a resource policy in the -- simulation, then you must include the policy as a string in the -- @ResourcePolicy@ parameter. -- -- For more information about ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs)> -- in the /Amazon Web Services General Reference/. simulatePrincipalPolicy_resourceArns :: Lens.Lens' SimulatePrincipalPolicy (Prelude.Maybe [Prelude.Text]) simulatePrincipalPolicy_resourceArns :: (Maybe [Text] -> f (Maybe [Text])) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy simulatePrincipalPolicy_resourceArns = (SimulatePrincipalPolicy -> Maybe [Text]) -> (SimulatePrincipalPolicy -> Maybe [Text] -> SimulatePrincipalPolicy) -> Lens SimulatePrincipalPolicy SimulatePrincipalPolicy (Maybe [Text]) (Maybe [Text]) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\SimulatePrincipalPolicy' {Maybe [Text] resourceArns :: Maybe [Text] $sel:resourceArns:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe [Text] resourceArns} -> Maybe [Text] resourceArns) (\s :: SimulatePrincipalPolicy s@SimulatePrincipalPolicy' {} Maybe [Text] a -> SimulatePrincipalPolicy s {$sel:resourceArns:SimulatePrincipalPolicy' :: Maybe [Text] resourceArns = Maybe [Text] a} :: SimulatePrincipalPolicy) ((Maybe [Text] -> f (Maybe [Text])) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy) -> ((Maybe [Text] -> f (Maybe [Text])) -> Maybe [Text] -> f (Maybe [Text])) -> (Maybe [Text] -> f (Maybe [Text])) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy forall b c a. 
(b -> c) -> (a -> b) -> a -> c Prelude.. AnIso [Text] [Text] [Text] [Text] -> Iso (Maybe [Text]) (Maybe [Text]) (Maybe [Text]) (Maybe [Text]) forall (f :: * -> *) (g :: * -> *) s t a b. (Functor f, Functor g) => AnIso s t a b -> Iso (f s) (g t) (f a) (g b) Lens.mapping AnIso [Text] [Text] [Text] [Text] forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b Lens.coerced -- | The IAM permissions boundary policy to simulate. The permissions -- boundary sets the maximum permissions that the entity can have. You can -- input only one permissions boundary when you pass a policy to this -- operation. An IAM entity can only have one permissions boundary in -- effect at a time. For example, if a permissions boundary is attached to -- an entity and you pass in a different permissions boundary policy using -- this parameter, then the new permissions boundary policy is used for the -- simulation. For more information about permissions boundaries, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html Permissions boundaries for IAM entities> -- in the /IAM User Guide/. The policy input is specified as a string -- containing the complete, valid JSON text of a permissions boundary -- policy. -- -- The maximum length of the policy document that you can pass in this -- operation, including whitespace, is listed below. To view the maximum -- character counts of a managed policy with no whitespaces, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length IAM and STS character quotas>. 
-- -- The <http://wikipedia.org/wiki/regex regex pattern> used to validate -- this parameter is a string of characters consisting of the following: -- -- - Any printable ASCII character ranging from the space character -- (@\\u0020@) through the end of the ASCII character range -- -- - The printable characters in the Basic Latin and Latin-1 Supplement -- character set (through @\\u00FF@) -- -- - The special characters tab (@\\u0009@), line feed (@\\u000A@), and -- carriage return (@\\u000D@) simulatePrincipalPolicy_permissionsBoundaryPolicyInputList :: Lens.Lens' SimulatePrincipalPolicy (Prelude.Maybe [Prelude.Text]) simulatePrincipalPolicy_permissionsBoundaryPolicyInputList :: (Maybe [Text] -> f (Maybe [Text])) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy simulatePrincipalPolicy_permissionsBoundaryPolicyInputList = (SimulatePrincipalPolicy -> Maybe [Text]) -> (SimulatePrincipalPolicy -> Maybe [Text] -> SimulatePrincipalPolicy) -> Lens SimulatePrincipalPolicy SimulatePrincipalPolicy (Maybe [Text]) (Maybe [Text]) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\SimulatePrincipalPolicy' {Maybe [Text] permissionsBoundaryPolicyInputList :: Maybe [Text] $sel:permissionsBoundaryPolicyInputList:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe [Text] permissionsBoundaryPolicyInputList} -> Maybe [Text] permissionsBoundaryPolicyInputList) (\s :: SimulatePrincipalPolicy s@SimulatePrincipalPolicy' {} Maybe [Text] a -> SimulatePrincipalPolicy s {$sel:permissionsBoundaryPolicyInputList:SimulatePrincipalPolicy' :: Maybe [Text] permissionsBoundaryPolicyInputList = Maybe [Text] a} :: SimulatePrincipalPolicy) ((Maybe [Text] -> f (Maybe [Text])) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy) -> ((Maybe [Text] -> f (Maybe [Text])) -> Maybe [Text] -> f (Maybe [Text])) -> (Maybe [Text] -> f (Maybe [Text])) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. 
AnIso [Text] [Text] [Text] [Text] -> Iso (Maybe [Text]) (Maybe [Text]) (Maybe [Text]) (Maybe [Text]) forall (f :: * -> *) (g :: * -> *) s t a b. (Functor f, Functor g) => AnIso s t a b -> Iso (f s) (g t) (f a) (g b) Lens.mapping AnIso [Text] [Text] [Text] [Text] forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b Lens.coerced -- | Use this parameter only when paginating results and only after you -- receive a response indicating that the results are truncated. Set it to -- the value of the @Marker@ element in the response that you received to -- indicate where the next call should start. simulatePrincipalPolicy_marker :: Lens.Lens' SimulatePrincipalPolicy (Prelude.Maybe Prelude.Text) simulatePrincipalPolicy_marker :: (Maybe Text -> f (Maybe Text)) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy simulatePrincipalPolicy_marker = (SimulatePrincipalPolicy -> Maybe Text) -> (SimulatePrincipalPolicy -> Maybe Text -> SimulatePrincipalPolicy) -> Lens SimulatePrincipalPolicy SimulatePrincipalPolicy (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\SimulatePrincipalPolicy' {Maybe Text marker :: Maybe Text $sel:marker:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe Text marker} -> Maybe Text marker) (\s :: SimulatePrincipalPolicy s@SimulatePrincipalPolicy' {} Maybe Text a -> SimulatePrincipalPolicy s {$sel:marker:SimulatePrincipalPolicy' :: Maybe Text marker = Maybe Text a} :: SimulatePrincipalPolicy) -- | Use this only when paginating results to indicate the maximum number of -- items you want in the response. If additional items exist beyond the -- maximum you specify, the @IsTruncated@ response element is @true@. -- -- If you do not include this parameter, the number of items defaults to -- 100. Note that IAM might return fewer results, even when there are more -- results available. 
In that case, the @IsTruncated@ response element -- returns @true@, and @Marker@ contains a value to include in the -- subsequent call that tells the service where to continue from. simulatePrincipalPolicy_maxItems :: Lens.Lens' SimulatePrincipalPolicy (Prelude.Maybe Prelude.Natural) simulatePrincipalPolicy_maxItems :: (Maybe Natural -> f (Maybe Natural)) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy simulatePrincipalPolicy_maxItems = (SimulatePrincipalPolicy -> Maybe Natural) -> (SimulatePrincipalPolicy -> Maybe Natural -> SimulatePrincipalPolicy) -> Lens SimulatePrincipalPolicy SimulatePrincipalPolicy (Maybe Natural) (Maybe Natural) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\SimulatePrincipalPolicy' {Maybe Natural maxItems :: Maybe Natural $sel:maxItems:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe Natural maxItems} -> Maybe Natural maxItems) (\s :: SimulatePrincipalPolicy s@SimulatePrincipalPolicy' {} Maybe Natural a -> SimulatePrincipalPolicy s {$sel:maxItems:SimulatePrincipalPolicy' :: Maybe Natural maxItems = Maybe Natural a} :: SimulatePrincipalPolicy) -- | A list of context keys and corresponding values for the simulation to -- use. Whenever a context key is evaluated in one of the simulated IAM -- permissions policies, the corresponding value is supplied. simulatePrincipalPolicy_contextEntries :: Lens.Lens' SimulatePrincipalPolicy (Prelude.Maybe [ContextEntry]) simulatePrincipalPolicy_contextEntries :: (Maybe [ContextEntry] -> f (Maybe [ContextEntry])) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy simulatePrincipalPolicy_contextEntries = (SimulatePrincipalPolicy -> Maybe [ContextEntry]) -> (SimulatePrincipalPolicy -> Maybe [ContextEntry] -> SimulatePrincipalPolicy) -> Lens SimulatePrincipalPolicy SimulatePrincipalPolicy (Maybe [ContextEntry]) (Maybe [ContextEntry]) forall s a b t. 
(s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\SimulatePrincipalPolicy' {Maybe [ContextEntry] contextEntries :: Maybe [ContextEntry] $sel:contextEntries:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe [ContextEntry] contextEntries} -> Maybe [ContextEntry] contextEntries) (\s :: SimulatePrincipalPolicy s@SimulatePrincipalPolicy' {} Maybe [ContextEntry] a -> SimulatePrincipalPolicy s {$sel:contextEntries:SimulatePrincipalPolicy' :: Maybe [ContextEntry] contextEntries = Maybe [ContextEntry] a} :: SimulatePrincipalPolicy) ((Maybe [ContextEntry] -> f (Maybe [ContextEntry])) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy) -> ((Maybe [ContextEntry] -> f (Maybe [ContextEntry])) -> Maybe [ContextEntry] -> f (Maybe [ContextEntry])) -> (Maybe [ContextEntry] -> f (Maybe [ContextEntry])) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. AnIso [ContextEntry] [ContextEntry] [ContextEntry] [ContextEntry] -> Iso (Maybe [ContextEntry]) (Maybe [ContextEntry]) (Maybe [ContextEntry]) (Maybe [ContextEntry]) forall (f :: * -> *) (g :: * -> *) s t a b. (Functor f, Functor g) => AnIso s t a b -> Iso (f s) (g t) (f a) (g b) Lens.mapping AnIso [ContextEntry] [ContextEntry] [ContextEntry] [ContextEntry] forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b Lens.coerced -- | An Amazon Web Services account ID that specifies the owner of any -- simulated resource that does not identify its owner in the resource ARN. -- Examples of resource ARNs include an S3 bucket or object. If -- @ResourceOwner@ is specified, it is also used as the account owner of -- any @ResourcePolicy@ included in the simulation. If the @ResourceOwner@ -- parameter is not specified, then the owner of the resources and the -- resource policy defaults to the account of the identity provided in -- @CallerArn@. 
This parameter is required only if you specify a -- resource-based policy and account that owns the resource is different -- from the account that owns the simulated calling user @CallerArn@. simulatePrincipalPolicy_resourceOwner :: Lens.Lens' SimulatePrincipalPolicy (Prelude.Maybe Prelude.Text) simulatePrincipalPolicy_resourceOwner :: (Maybe Text -> f (Maybe Text)) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy simulatePrincipalPolicy_resourceOwner = (SimulatePrincipalPolicy -> Maybe Text) -> (SimulatePrincipalPolicy -> Maybe Text -> SimulatePrincipalPolicy) -> Lens SimulatePrincipalPolicy SimulatePrincipalPolicy (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\SimulatePrincipalPolicy' {Maybe Text resourceOwner :: Maybe Text $sel:resourceOwner:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe Text resourceOwner} -> Maybe Text resourceOwner) (\s :: SimulatePrincipalPolicy s@SimulatePrincipalPolicy' {} Maybe Text a -> SimulatePrincipalPolicy s {$sel:resourceOwner:SimulatePrincipalPolicy' :: Maybe Text resourceOwner = Maybe Text a} :: SimulatePrincipalPolicy) -- | The Amazon Resource Name (ARN) of a user, group, or role whose policies -- you want to include in the simulation. If you specify a user, group, or -- role, the simulation includes all policies that are associated with that -- entity. If you specify a user, the simulation also includes all policies -- that are attached to any groups the user belongs to. -- -- The maximum length of the policy document that you can pass in this -- operation, including whitespace, is listed below. To view the maximum -- character counts of a managed policy with no whitespaces, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-entity-length IAM and STS character quotas>. 
-- -- For more information about ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs)> -- in the /Amazon Web Services General Reference/. simulatePrincipalPolicy_policySourceArn :: Lens.Lens' SimulatePrincipalPolicy Prelude.Text simulatePrincipalPolicy_policySourceArn :: (Text -> f Text) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy simulatePrincipalPolicy_policySourceArn = (SimulatePrincipalPolicy -> Text) -> (SimulatePrincipalPolicy -> Text -> SimulatePrincipalPolicy) -> Lens SimulatePrincipalPolicy SimulatePrincipalPolicy Text Text forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\SimulatePrincipalPolicy' {Text policySourceArn :: Text $sel:policySourceArn:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Text policySourceArn} -> Text policySourceArn) (\s :: SimulatePrincipalPolicy s@SimulatePrincipalPolicy' {} Text a -> SimulatePrincipalPolicy s {$sel:policySourceArn:SimulatePrincipalPolicy' :: Text policySourceArn = Text a} :: SimulatePrincipalPolicy) -- | A list of names of API operations to evaluate in the simulation. Each -- operation is evaluated for each resource. Each operation must include -- the service identifier, such as @iam:CreateUser@. simulatePrincipalPolicy_actionNames :: Lens.Lens' SimulatePrincipalPolicy [Prelude.Text] simulatePrincipalPolicy_actionNames :: ([Text] -> f [Text]) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy simulatePrincipalPolicy_actionNames = (SimulatePrincipalPolicy -> [Text]) -> (SimulatePrincipalPolicy -> [Text] -> SimulatePrincipalPolicy) -> Lens SimulatePrincipalPolicy SimulatePrincipalPolicy [Text] [Text] forall s a b t. 
(s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\SimulatePrincipalPolicy' {[Text] actionNames :: [Text] $sel:actionNames:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> [Text] actionNames} -> [Text] actionNames) (\s :: SimulatePrincipalPolicy s@SimulatePrincipalPolicy' {} [Text] a -> SimulatePrincipalPolicy s {$sel:actionNames:SimulatePrincipalPolicy' :: [Text] actionNames = [Text] a} :: SimulatePrincipalPolicy) (([Text] -> f [Text]) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy) -> (([Text] -> f [Text]) -> [Text] -> f [Text]) -> ([Text] -> f [Text]) -> SimulatePrincipalPolicy -> f SimulatePrincipalPolicy forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. ([Text] -> f [Text]) -> [Text] -> f [Text] forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b Lens.coerced instance Core.AWSPager SimulatePrincipalPolicy where page :: SimulatePrincipalPolicy -> AWSResponse SimulatePrincipalPolicy -> Maybe SimulatePrincipalPolicy page SimulatePrincipalPolicy rq AWSResponse SimulatePrincipalPolicy rs | Maybe Bool -> Bool forall a. AWSTruncated a => a -> Bool Core.stop ( AWSResponse SimulatePrincipalPolicy SimulatePolicyResponse rs SimulatePolicyResponse -> Getting (First Bool) SimulatePolicyResponse Bool -> Maybe Bool forall s a. s -> Getting (First a) s a -> Maybe a Lens.^? (Maybe Bool -> Const (First Bool) (Maybe Bool)) -> SimulatePolicyResponse -> Const (First Bool) SimulatePolicyResponse Lens' SimulatePolicyResponse (Maybe Bool) simulatePolicyResponse_isTruncated ((Maybe Bool -> Const (First Bool) (Maybe Bool)) -> SimulatePolicyResponse -> Const (First Bool) SimulatePolicyResponse) -> ((Bool -> Const (First Bool) Bool) -> Maybe Bool -> Const (First Bool) (Maybe Bool)) -> Getting (First Bool) SimulatePolicyResponse Bool forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. (Bool -> Const (First Bool) Bool) -> Maybe Bool -> Const (First Bool) (Maybe Bool) forall a b. 
Prism (Maybe a) (Maybe b) a b Lens._Just ) = Maybe SimulatePrincipalPolicy forall a. Maybe a Prelude.Nothing | Maybe Text -> Bool forall a. Maybe a -> Bool Prelude.isNothing ( AWSResponse SimulatePrincipalPolicy SimulatePolicyResponse rs SimulatePolicyResponse -> Getting (First Text) SimulatePolicyResponse Text -> Maybe Text forall s a. s -> Getting (First a) s a -> Maybe a Lens.^? (Maybe Text -> Const (First Text) (Maybe Text)) -> SimulatePolicyResponse -> Const (First Text) SimulatePolicyResponse Lens' SimulatePolicyResponse (Maybe Text) simulatePolicyResponse_marker ((Maybe Text -> Const (First Text) (Maybe Text)) -> SimulatePolicyResponse -> Const (First Text) SimulatePolicyResponse) -> ((Text -> Const (First Text) Text) -> Maybe Text -> Const (First Text) (Maybe Text)) -> Getting (First Text) SimulatePolicyResponse Text forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. (Text -> Const (First Text) Text) -> Maybe Text -> Const (First Text) (Maybe Text) forall a b. Prism (Maybe a) (Maybe b) a b Lens._Just ) = Maybe SimulatePrincipalPolicy forall a. Maybe a Prelude.Nothing | Bool Prelude.otherwise = SimulatePrincipalPolicy -> Maybe SimulatePrincipalPolicy forall a. a -> Maybe a Prelude.Just (SimulatePrincipalPolicy -> Maybe SimulatePrincipalPolicy) -> SimulatePrincipalPolicy -> Maybe SimulatePrincipalPolicy forall a b. (a -> b) -> a -> b Prelude.$ SimulatePrincipalPolicy rq SimulatePrincipalPolicy -> (SimulatePrincipalPolicy -> SimulatePrincipalPolicy) -> SimulatePrincipalPolicy forall a b. a -> (a -> b) -> b Prelude.& (Maybe Text -> Identity (Maybe Text)) -> SimulatePrincipalPolicy -> Identity SimulatePrincipalPolicy Lens SimulatePrincipalPolicy SimulatePrincipalPolicy (Maybe Text) (Maybe Text) simulatePrincipalPolicy_marker ((Maybe Text -> Identity (Maybe Text)) -> SimulatePrincipalPolicy -> Identity SimulatePrincipalPolicy) -> Maybe Text -> SimulatePrincipalPolicy -> SimulatePrincipalPolicy forall s t a b. 
ASetter s t a b -> b -> s -> t Lens..~ AWSResponse SimulatePrincipalPolicy SimulatePolicyResponse rs SimulatePolicyResponse -> Getting (First Text) SimulatePolicyResponse Text -> Maybe Text forall s a. s -> Getting (First a) s a -> Maybe a Lens.^? (Maybe Text -> Const (First Text) (Maybe Text)) -> SimulatePolicyResponse -> Const (First Text) SimulatePolicyResponse Lens' SimulatePolicyResponse (Maybe Text) simulatePolicyResponse_marker ((Maybe Text -> Const (First Text) (Maybe Text)) -> SimulatePolicyResponse -> Const (First Text) SimulatePolicyResponse) -> ((Text -> Const (First Text) Text) -> Maybe Text -> Const (First Text) (Maybe Text)) -> Getting (First Text) SimulatePolicyResponse Text forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. (Text -> Const (First Text) Text) -> Maybe Text -> Const (First Text) (Maybe Text) forall a b. Prism (Maybe a) (Maybe b) a b Lens._Just instance Core.AWSRequest SimulatePrincipalPolicy where type AWSResponse SimulatePrincipalPolicy = SimulatePolicyResponse request :: SimulatePrincipalPolicy -> Request SimulatePrincipalPolicy request = Service -> SimulatePrincipalPolicy -> Request SimulatePrincipalPolicy forall a. ToRequest a => Service -> a -> Request a Request.postQuery Service defaultService response :: Logger -> Service -> Proxy SimulatePrincipalPolicy -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse SimulatePrincipalPolicy))) response = Text -> (Int -> ResponseHeaders -> [Node] -> Either String (AWSResponse SimulatePrincipalPolicy)) -> Logger -> Service -> Proxy SimulatePrincipalPolicy -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse SimulatePrincipalPolicy))) forall (m :: * -> *) a. 
MonadResource m => Text -> (Int -> ResponseHeaders -> [Node] -> Either String (AWSResponse a)) -> Logger -> Service -> Proxy a -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse a))) Response.receiveXMLWrapper Text "SimulatePrincipalPolicyResult" (\Int s ResponseHeaders h [Node] x -> [Node] -> Either String SimulatePolicyResponse forall a. FromXML a => [Node] -> Either String a Core.parseXML [Node] x) instance Prelude.Hashable SimulatePrincipalPolicy instance Prelude.NFData SimulatePrincipalPolicy instance Core.ToHeaders SimulatePrincipalPolicy where toHeaders :: SimulatePrincipalPolicy -> ResponseHeaders toHeaders = ResponseHeaders -> SimulatePrincipalPolicy -> ResponseHeaders forall a b. a -> b -> a Prelude.const ResponseHeaders forall a. Monoid a => a Prelude.mempty instance Core.ToPath SimulatePrincipalPolicy where toPath :: SimulatePrincipalPolicy -> ByteString toPath = ByteString -> SimulatePrincipalPolicy -> ByteString forall a b. a -> b -> a Prelude.const ByteString "/" instance Core.ToQuery SimulatePrincipalPolicy where toQuery :: SimulatePrincipalPolicy -> QueryString toQuery SimulatePrincipalPolicy' {[Text] Maybe Natural Maybe [Text] Maybe [ContextEntry] Maybe Text Text actionNames :: [Text] policySourceArn :: Text resourceOwner :: Maybe Text contextEntries :: Maybe [ContextEntry] maxItems :: Maybe Natural marker :: Maybe Text permissionsBoundaryPolicyInputList :: Maybe [Text] resourceArns :: Maybe [Text] resourceHandlingOption :: Maybe Text callerArn :: Maybe Text resourcePolicy :: Maybe Text policyInputList :: Maybe [Text] $sel:actionNames:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> [Text] $sel:policySourceArn:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Text $sel:resourceOwner:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe Text $sel:contextEntries:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe [ContextEntry] $sel:maxItems:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> 
Maybe Natural $sel:marker:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe Text $sel:permissionsBoundaryPolicyInputList:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe [Text] $sel:resourceArns:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe [Text] $sel:resourceHandlingOption:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe Text $sel:callerArn:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe Text $sel:resourcePolicy:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe Text $sel:policyInputList:SimulatePrincipalPolicy' :: SimulatePrincipalPolicy -> Maybe [Text] ..} = [QueryString] -> QueryString forall a. Monoid a => [a] -> a Prelude.mconcat [ ByteString "Action" ByteString -> ByteString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: (ByteString "SimulatePrincipalPolicy" :: Prelude.ByteString), ByteString "Version" ByteString -> ByteString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: (ByteString "2010-05-08" :: Prelude.ByteString), ByteString "PolicyInputList" ByteString -> QueryString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe QueryString -> QueryString forall a. ToQuery a => a -> QueryString Core.toQuery ( ByteString -> [Text] -> QueryString forall a. (IsList a, ToQuery (Item a)) => ByteString -> a -> QueryString Core.toQueryList ByteString "member" ([Text] -> QueryString) -> Maybe [Text] -> Maybe QueryString forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe [Text] policyInputList ), ByteString "ResourcePolicy" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text resourcePolicy, ByteString "CallerArn" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text callerArn, ByteString "ResourceHandlingOption" ByteString -> Maybe Text -> QueryString forall a. 
ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text resourceHandlingOption, ByteString "ResourceArns" ByteString -> QueryString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe QueryString -> QueryString forall a. ToQuery a => a -> QueryString Core.toQuery (ByteString -> [Text] -> QueryString forall a. (IsList a, ToQuery (Item a)) => ByteString -> a -> QueryString Core.toQueryList ByteString "member" ([Text] -> QueryString) -> Maybe [Text] -> Maybe QueryString forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe [Text] resourceArns), ByteString "PermissionsBoundaryPolicyInputList" ByteString -> QueryString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe QueryString -> QueryString forall a. ToQuery a => a -> QueryString Core.toQuery ( ByteString -> [Text] -> QueryString forall a. (IsList a, ToQuery (Item a)) => ByteString -> a -> QueryString Core.toQueryList ByteString "member" ([Text] -> QueryString) -> Maybe [Text] -> Maybe QueryString forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe [Text] permissionsBoundaryPolicyInputList ), ByteString "Marker" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text marker, ByteString "MaxItems" ByteString -> Maybe Natural -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Natural maxItems, ByteString "ContextEntries" ByteString -> QueryString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe QueryString -> QueryString forall a. ToQuery a => a -> QueryString Core.toQuery ( ByteString -> [ContextEntry] -> QueryString forall a. (IsList a, ToQuery (Item a)) => ByteString -> a -> QueryString Core.toQueryList ByteString "member" ([ContextEntry] -> QueryString) -> Maybe [ContextEntry] -> Maybe QueryString forall (f :: * -> *) a b. 
Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe [ContextEntry] contextEntries ), ByteString "ResourceOwner" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text resourceOwner, ByteString "PolicySourceArn" ByteString -> Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Text policySourceArn, ByteString "ActionNames" ByteString -> QueryString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: ByteString -> [Text] -> QueryString forall a. (IsList a, ToQuery (Item a)) => ByteString -> a -> QueryString Core.toQueryList ByteString "member" [Text] actionNames ]