{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.Firehose.Types.DeliveryStreamEncryptionConfigurationInput
-- Copyright   : (c) 2013-2021 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
module Amazonka.Firehose.Types.DeliveryStreamEncryptionConfigurationInput where

import qualified Amazonka.Core as Core
import Amazonka.Firehose.Types.KeyType
import qualified Amazonka.Lens as Lens
import qualified Amazonka.Prelude as Prelude

-- | Specifies the type and Amazon Resource Name (ARN) of the CMK to use for
-- Server-Side Encryption (SSE).
--
-- /See:/ 'newDeliveryStreamEncryptionConfigurationInput' smart constructor.
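data DeliveryStreamEncryptionConfigurationInput = DeliveryStreamEncryptionConfigurationInput'
  { -- | If you set @KeyType@ to @CUSTOMER_MANAGED_CMK@, you must specify the
    -- Amazon Resource Name (ARN) of the CMK. If you set @KeyType@ to
    -- @AWS_OWNED_CMK@, Kinesis Data Firehose uses a service-account CMK.
    --
    -- The record does not enforce this pairing: the field is optional
    -- whatever 'keyType' holds, so a value with @CUSTOMER_MANAGED_CMK@ and
    -- no ARN type-checks. Callers must keep the two fields consistent
    -- themselves.
    keyARN :: Prelude.Maybe Prelude.Text,
    -- | Indicates the type of customer master key (CMK) to use for encryption.
    -- The default setting is @AWS_OWNED_CMK@. For more information about CMKs,
    -- see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys Customer Master Keys (CMKs)>.
    -- When you invoke CreateDeliveryStream or StartDeliveryStreamEncryption
    -- with @KeyType@ set to CUSTOMER_MANAGED_CMK, Kinesis Data Firehose
    -- invokes the Amazon KMS operation
    -- <https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html CreateGrant>
    -- to create a grant that allows the Kinesis Data Firehose service to use
    -- the customer managed CMK to perform encryption and decryption. Kinesis
    -- Data Firehose manages that grant.
    --
    -- When you invoke StartDeliveryStreamEncryption to change the CMK for a
    -- delivery stream that is encrypted with a customer managed CMK, Kinesis
    -- Data Firehose schedules the grant it had on the old CMK for retirement.
    --
    -- You can use a CMK of type CUSTOMER_MANAGED_CMK to encrypt up to 500
    -- delivery streams. If a CreateDeliveryStream or
    -- StartDeliveryStreamEncryption operation exceeds this limit, Kinesis Data
    -- Firehose throws a @LimitExceededException@.
    --
    -- To encrypt your delivery stream, use symmetric CMKs. Kinesis Data
    -- Firehose doesn\'t support asymmetric CMKs. For information about
    -- symmetric and asymmetric CMKs, see
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html About Symmetric and Asymmetric CMKs>
    -- in the AWS Key Management Service developer guide.
    keyType :: KeyType
  }
  -- The derived Show renders 'keyARN' verbatim. A KMS key ARN carries the
  -- account id and key id, so shown or logged values identify the key even
  -- though they are not secret material.
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)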

-- |
-- Create a value of 'DeliveryStreamEncryptionConfigurationInput' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'keyARN', 'deliveryStreamEncryptionConfigurationInput_keyARN' - If you set @KeyType@ to @CUSTOMER_MANAGED_CMK@, you must specify the
-- Amazon Resource Name (ARN) of the CMK. If you set @KeyType@ to
-- @AWS_OWNED_CMK@, Kinesis Data Firehose uses a service-account CMK.
--
-- 'keyType', 'deliveryStreamEncryptionConfigurationInput_keyType' - Indicates the type of customer master key (CMK) to use for encryption.
-- The default setting is @AWS_OWNED_CMK@. For more information about CMKs,
-- see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys Customer Master Keys (CMKs)>.
-- When you invoke CreateDeliveryStream or StartDeliveryStreamEncryption
-- with @KeyType@ set to CUSTOMER_MANAGED_CMK, Kinesis Data Firehose
-- invokes the Amazon KMS operation
-- <https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html CreateGrant>
-- to create a grant that allows the Kinesis Data Firehose service to use
-- the customer managed CMK to perform encryption and decryption. Kinesis
-- Data Firehose manages that grant.
--
-- When you invoke StartDeliveryStreamEncryption to change the CMK for a
-- delivery stream that is encrypted with a customer managed CMK, Kinesis
-- Data Firehose schedules the grant it had on the old CMK for retirement.
--
-- You can use a CMK of type CUSTOMER_MANAGED_CMK to encrypt up to 500
-- delivery streams. If a CreateDeliveryStream or
-- StartDeliveryStreamEncryption operation exceeds this limit, Kinesis Data
-- Firehose throws a @LimitExceededException@.
--
-- To encrypt your delivery stream, use symmetric CMKs. Kinesis Data
-- Firehose doesn\'t support asymmetric CMKs. For information about
-- symmetric and asymmetric CMKs, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html About Symmetric and Asymmetric CMKs>
-- in the AWS Key Management Service developer guide.
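newDeliveryStreamEncryptionConfigurationInput ::
  -- | 'keyType'
  KeyType ->
  DeliveryStreamEncryptionConfigurationInput
-- Builds the record from the one required field. 'keyARN' always starts as
-- Nothing, for every key type: when the caller passes the customer-managed
-- key type, which the field documentation says requires an ARN, the ARN must
-- still be set afterwards (record update or the keyARN lens). Nothing here
-- checks that it was.
newDeliveryStreamEncryptionConfigurationInput
  pKeyType_ =
    DeliveryStreamEncryptionConfigurationInput'
      { keyARN =
          Prelude.Nothing,
        keyType = pKeyType_
      }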

-- | If you set @KeyType@ to @CUSTOMER_MANAGED_CMK@, you must specify the
-- Amazon Resource Name (ARN) of the CMK. If you set @KeyType@ to
-- @AWS_OWNED_CMK@, Kinesis Data Firehose uses a service-account CMK.
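deliveryStreamEncryptionConfigurationInput_keyARN :: Lens.Lens' DeliveryStreamEncryptionConfigurationInput (Prelude.Maybe Prelude.Text)
-- Getter reads 'keyARN'; setter replaces only 'keyARN' and leaves 'keyType'
-- as it was, so setting an ARN does not switch the key type and clearing it
-- does not switch it back. The caller keeps the two fields consistent.
deliveryStreamEncryptionConfigurationInput_keyARN =
  Lens.lens
    (\DeliveryStreamEncryptionConfigurationInput' {keyARN} -> keyARN)
    -- The result annotation is kept from the original: the module enables
    -- DuplicateRecordFields, where a record update may need it to resolve
    -- the field.
    (\s@DeliveryStreamEncryptionConfigurationInput' {} a -> s {keyARN = a} :: DeliveryStreamEncryptionConfigurationInput)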

-- | Indicates the type of customer master key (CMK) to use for encryption.
-- The default setting is @AWS_OWNED_CMK@. For more information about CMKs,
-- see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys Customer Master Keys (CMKs)>.
-- When you invoke CreateDeliveryStream or StartDeliveryStreamEncryption
-- with @KeyType@ set to CUSTOMER_MANAGED_CMK, Kinesis Data Firehose
-- invokes the Amazon KMS operation
-- <https://docs.aws.amazon.com/kms/latest/APIReference/API_CreateGrant.html CreateGrant>
-- to create a grant that allows the Kinesis Data Firehose service to use
-- the customer managed CMK to perform encryption and decryption. Kinesis
-- Data Firehose manages that grant.
--
-- When you invoke StartDeliveryStreamEncryption to change the CMK for a
-- delivery stream that is encrypted with a customer managed CMK, Kinesis
-- Data Firehose schedules the grant it had on the old CMK for retirement.
--
-- You can use a CMK of type CUSTOMER_MANAGED_CMK to encrypt up to 500
-- delivery streams. If a CreateDeliveryStream or
-- StartDeliveryStreamEncryption operation exceeds this limit, Kinesis Data
-- Firehose throws a @LimitExceededException@.
--
-- To encrypt your delivery stream, use symmetric CMKs. Kinesis Data
-- Firehose doesn\'t support asymmetric CMKs. For information about
-- symmetric and asymmetric CMKs, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html About Symmetric and Asymmetric CMKs>
-- in the AWS Key Management Service developer guide.
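deliveryStreamEncryptionConfigurationInput_keyType :: Lens.Lens' DeliveryStreamEncryptionConfigurationInput KeyType
-- Getter reads 'keyType'; setter replaces only 'keyType'. Changing the key
-- type through this lens neither fills in nor clears 'keyARN', so a switch to
-- the customer-managed key type needs a separate update that supplies the ARN.
deliveryStreamEncryptionConfigurationInput_keyType =
  Lens.lens
    (\DeliveryStreamEncryptionConfigurationInput' {keyType} -> keyType)
    -- The result annotation is kept from the original: the module enables
    -- DuplicateRecordFields, where a record update may need it to resolve
    -- the field.
    (\s@DeliveryStreamEncryptionConfigurationInput' {} a -> s {keyType = a} :: DeliveryStreamEncryptionConfigurationInput)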

-- No methods are defined, so the class's default implementations apply
-- (presumably the Generic-based ones, since the type derives Generic;
-- confirm against Amazonka.Prelude).
instance Prelude.Hashable DeliveryStreamEncryptionConfigurationInput

-- No methods are defined, so the class's default implementations apply
-- (presumably the Generic-based ones, since the type derives Generic;
-- confirm against Amazonka.Prelude).
instance Prelude.NFData DeliveryStreamEncryptionConfigurationInput

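-- Serialises the record as a JSON object for the request body.
--
-- "KeyType" is always present. "KeyARN" is emitted only when 'keyARN' is a
-- Just; a Nothing drops the key altogether rather than sending a null.
-- Nothing is validated on the client side: a customer-managed key type with
-- no ARN is serialised as given and left for the service to reject
-- (presumably; the request outcome is not visible from this module).
instance
  Core.ToJSON
    DeliveryStreamEncryptionConfigurationInput
  where
  toJSON
    DeliveryStreamEncryptionConfigurationInput' {..} =
      Core.object
        ( Prelude.catMaybes
            [ ("KeyARN" Core..=) Prelude.<$> keyARN,
              Prelude.Just ("KeyType" Core..= keyType)
            ]
        )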