{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.KMS.Types
-- Copyright   : (c) 2013-2021 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
module Amazonka.KMS.Types
  ( -- * Service Configuration
    defaultService,

    -- * Errors
    _InvalidMarkerException,
    _KMSInvalidStateException,
    _InvalidKeyUsageException,
    _MalformedPolicyDocumentException,
    _CustomKeyStoreNameInUseException,
    _UnsupportedOperationException,
    _DisabledException,
    _KeyUnavailableException,
    _IncorrectKeyMaterialException,
    _KMSInternalException,
    _TagException,
    _CustomKeyStoreHasCMKsException,
    _InvalidImportTokenException,
    _CloudHsmClusterNotRelatedException,
    _IncorrectTrustAnchorException,
    _CloudHsmClusterInvalidConfigurationException,
    _CloudHsmClusterNotActiveException,
    _CloudHsmClusterNotFoundException,
    _NotFoundException,
    _KMSInvalidSignatureException,
    _InvalidAliasNameException,
    _CustomKeyStoreNotFoundException,
    _CustomKeyStoreInvalidStateException,
    _InvalidGrantIdException,
    _InvalidGrantTokenException,
    _InvalidArnException,
    _DependencyTimeoutException,
    _ExpiredImportTokenException,
    _InvalidCiphertextException,
    _CloudHsmClusterInUseException,
    _IncorrectKeyException,
    _AlreadyExistsException,
    _LimitExceededException,

    -- * AlgorithmSpec
    AlgorithmSpec (..),

    -- * ConnectionErrorCodeType
    ConnectionErrorCodeType (..),

    -- * ConnectionStateType
    ConnectionStateType (..),

    -- * CustomerMasterKeySpec
    CustomerMasterKeySpec (..),

    -- * DataKeyPairSpec
    DataKeyPairSpec (..),

    -- * DataKeySpec
    DataKeySpec (..),

    -- * EncryptionAlgorithmSpec
    EncryptionAlgorithmSpec (..),

    -- * ExpirationModelType
    ExpirationModelType (..),

    -- * GrantOperation
    GrantOperation (..),

    -- * KeyManagerType
    KeyManagerType (..),

    -- * KeySpec
    KeySpec (..),

    -- * KeyState
    KeyState (..),

    -- * KeyUsageType
    KeyUsageType (..),

    -- * MessageType
    MessageType (..),

    -- * MultiRegionKeyType
    MultiRegionKeyType (..),

    -- * OriginType
    OriginType (..),

    -- * SigningAlgorithmSpec
    SigningAlgorithmSpec (..),

    -- * WrappingKeySpec
    WrappingKeySpec (..),

    -- * AliasListEntry
    AliasListEntry (..),
    newAliasListEntry,
    aliasListEntry_targetKeyId,
    aliasListEntry_aliasName,
    aliasListEntry_creationDate,
    aliasListEntry_lastUpdatedDate,
    aliasListEntry_aliasArn,

    -- * CustomKeyStoresListEntry
    CustomKeyStoresListEntry (..),
    newCustomKeyStoresListEntry,
    customKeyStoresListEntry_customKeyStoreName,
    customKeyStoresListEntry_trustAnchorCertificate,
    customKeyStoresListEntry_connectionErrorCode,
    customKeyStoresListEntry_creationDate,
    customKeyStoresListEntry_cloudHsmClusterId,
    customKeyStoresListEntry_customKeyStoreId,
    customKeyStoresListEntry_connectionState,

    -- * GrantConstraints
    GrantConstraints (..),
    newGrantConstraints,
    grantConstraints_encryptionContextEquals,
    grantConstraints_encryptionContextSubset,

    -- * GrantListEntry
    GrantListEntry (..),
    newGrantListEntry,
    grantListEntry_keyId,
    grantListEntry_retiringPrincipal,
    grantListEntry_issuingAccount,
    grantListEntry_grantId,
    grantListEntry_constraints,
    grantListEntry_granteePrincipal,
    grantListEntry_name,
    grantListEntry_creationDate,
    grantListEntry_operations,

    -- * KeyListEntry
    KeyListEntry (..),
    newKeyListEntry,
    keyListEntry_keyId,
    keyListEntry_keyArn,

    -- * KeyMetadata
    KeyMetadata (..),
    newKeyMetadata,
    keyMetadata_origin,
    keyMetadata_expirationModel,
    keyMetadata_keyManager,
    keyMetadata_keySpec,
    keyMetadata_customerMasterKeySpec,
    keyMetadata_enabled,
    keyMetadata_validTo,
    keyMetadata_arn,
    keyMetadata_keyState,
    keyMetadata_encryptionAlgorithms,
    keyMetadata_aWSAccountId,
    keyMetadata_signingAlgorithms,
    keyMetadata_pendingDeletionWindowInDays,
    keyMetadata_keyUsage,
    keyMetadata_creationDate,
    keyMetadata_deletionDate,
    keyMetadata_cloudHsmClusterId,
    keyMetadata_description,
    keyMetadata_customKeyStoreId,
    keyMetadata_multiRegion,
    keyMetadata_multiRegionConfiguration,
    keyMetadata_keyId,

    -- * ListGrantsResponse
    ListGrantsResponse (..),
    newListGrantsResponse,
    listGrantsResponse_truncated,
    listGrantsResponse_grants,
    listGrantsResponse_nextMarker,

    -- * MultiRegionConfiguration
    MultiRegionConfiguration (..),
    newMultiRegionConfiguration,
    multiRegionConfiguration_primaryKey,
    multiRegionConfiguration_replicaKeys,
    multiRegionConfiguration_multiRegionKeyType,

    -- * MultiRegionKey
    MultiRegionKey (..),
    newMultiRegionKey,
    multiRegionKey_arn,
    multiRegionKey_region,

    -- * Tag
    Tag (..),
    newTag,
    tag_tagKey,
    tag_tagValue,
  )
where

import qualified Amazonka.Core as Core
import Amazonka.KMS.Types.AlgorithmSpec
import Amazonka.KMS.Types.AliasListEntry
import Amazonka.KMS.Types.ConnectionErrorCodeType
import Amazonka.KMS.Types.ConnectionStateType
import Amazonka.KMS.Types.CustomKeyStoresListEntry
import Amazonka.KMS.Types.CustomerMasterKeySpec
import Amazonka.KMS.Types.DataKeyPairSpec
import Amazonka.KMS.Types.DataKeySpec
import Amazonka.KMS.Types.EncryptionAlgorithmSpec
import Amazonka.KMS.Types.ExpirationModelType
import Amazonka.KMS.Types.GrantConstraints
import Amazonka.KMS.Types.GrantListEntry
import Amazonka.KMS.Types.GrantOperation
import Amazonka.KMS.Types.KeyListEntry
import Amazonka.KMS.Types.KeyManagerType
import Amazonka.KMS.Types.KeyMetadata
import Amazonka.KMS.Types.KeySpec
import Amazonka.KMS.Types.KeyState
import Amazonka.KMS.Types.KeyUsageType
import Amazonka.KMS.Types.ListGrantsResponse
import Amazonka.KMS.Types.MessageType
import Amazonka.KMS.Types.MultiRegionConfiguration
import Amazonka.KMS.Types.MultiRegionKey
import Amazonka.KMS.Types.MultiRegionKeyType
import Amazonka.KMS.Types.OriginType
import Amazonka.KMS.Types.SigningAlgorithmSpec
import Amazonka.KMS.Types.Tag
import Amazonka.KMS.Types.WrappingKeySpec
import qualified Amazonka.Lens as Lens
import qualified Amazonka.Prelude as Prelude
import qualified Amazonka.Sign.V4 as Sign

-- | API version @2014-11-01@ of the Amazon Key Management Service SDK configuration.
defaultService :: Core.Service
defaultService :: Service
defaultService =
  Service :: Abbrev
-> Signer
-> ByteString
-> ByteString
-> ByteString
-> (Region -> Endpoint)
-> Maybe Seconds
-> (Status -> Bool)
-> (Status -> [Header] -> ByteStringLazy -> Error)
-> Retry
-> Service
Core.Service
    { $sel:_serviceAbbrev:Service :: Abbrev
Core._serviceAbbrev = Abbrev
"KMS",
      $sel:_serviceSigner:Service :: Signer
Core._serviceSigner = Signer
Sign.v4,
      $sel:_serviceEndpointPrefix:Service :: ByteString
Core._serviceEndpointPrefix = ByteString
"kms",
      $sel:_serviceSigningName:Service :: ByteString
Core._serviceSigningName = ByteString
"kms",
      $sel:_serviceVersion:Service :: ByteString
Core._serviceVersion = ByteString
"2014-11-01",
      $sel:_serviceEndpoint:Service :: Region -> Endpoint
Core._serviceEndpoint =
        Service -> Region -> Endpoint
Core.defaultEndpoint Service
defaultService,
      $sel:_serviceTimeout:Service :: Maybe Seconds
Core._serviceTimeout = Seconds -> Maybe Seconds
forall a. a -> Maybe a
Prelude.Just Seconds
70,
      $sel:_serviceCheck:Service :: Status -> Bool
Core._serviceCheck = Status -> Bool
Core.statusSuccess,
      $sel:_serviceError:Service :: Status -> [Header] -> ByteStringLazy -> Error
Core._serviceError = Abbrev -> Status -> [Header] -> ByteStringLazy -> Error
Core.parseJSONError Abbrev
"KMS",
      $sel:_serviceRetry:Service :: Retry
Core._serviceRetry = Retry
retry
    }
  where
    retry :: Retry
retry =
      Exponential :: Double -> Int -> Int -> (ServiceError -> Maybe Text) -> Retry
Core.Exponential
        { $sel:_retryBase:Exponential :: Double
Core._retryBase = Double
5.0e-2,
          $sel:_retryGrowth:Exponential :: Int
Core._retryGrowth = Int
2,
          $sel:_retryAttempts:Exponential :: Int
Core._retryAttempts = Int
5,
          $sel:_retryCheck:Exponential :: ServiceError -> Maybe Text
Core._retryCheck = ServiceError -> Maybe Text
forall a. IsString a => ServiceError -> Maybe a
check
        }
    check :: ServiceError -> Maybe a
check ServiceError
e
      | Getting Any ServiceError ServiceError -> ServiceError -> Bool
forall s a. Getting Any s a -> s -> Bool
Lens.has
          ( ErrorCode -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
ErrorCode -> Optic' p f ServiceError ServiceError
Core.hasCode ErrorCode
"ThrottledException"
              Getting Any ServiceError ServiceError
-> Getting Any ServiceError ServiceError
-> Getting Any ServiceError ServiceError
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. Int -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
Int -> Optic' p f ServiceError ServiceError
Core.hasStatus Int
400
          )
          ServiceError
e =
        a -> Maybe a
forall a. a -> Maybe a
Prelude.Just a
"throttled_exception"
      | Getting Any ServiceError ServiceError -> ServiceError -> Bool
forall s a. Getting Any s a -> s -> Bool
Lens.has (Int -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
Int -> Optic' p f ServiceError ServiceError
Core.hasStatus Int
429) ServiceError
e =
        a -> Maybe a
forall a. a -> Maybe a
Prelude.Just a
"too_many_requests"
      | Getting Any ServiceError ServiceError -> ServiceError -> Bool
forall s a. Getting Any s a -> s -> Bool
Lens.has
          ( ErrorCode -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
ErrorCode -> Optic' p f ServiceError ServiceError
Core.hasCode ErrorCode
"ThrottlingException"
              Getting Any ServiceError ServiceError
-> Getting Any ServiceError ServiceError
-> Getting Any ServiceError ServiceError
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. Int -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
Int -> Optic' p f ServiceError ServiceError
Core.hasStatus Int
400
          )
          ServiceError
e =
        a -> Maybe a
forall a. a -> Maybe a
Prelude.Just a
"throttling_exception"
      | Getting Any ServiceError ServiceError -> ServiceError -> Bool
forall s a. Getting Any s a -> s -> Bool
Lens.has
          ( ErrorCode -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
ErrorCode -> Optic' p f ServiceError ServiceError
Core.hasCode ErrorCode
"Throttling"
              Getting Any ServiceError ServiceError
-> Getting Any ServiceError ServiceError
-> Getting Any ServiceError ServiceError
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. Int -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
Int -> Optic' p f ServiceError ServiceError
Core.hasStatus Int
400
          )
          ServiceError
e =
        a -> Maybe a
forall a. a -> Maybe a
Prelude.Just a
"throttling"
      | Getting Any ServiceError ServiceError -> ServiceError -> Bool
forall s a. Getting Any s a -> s -> Bool
Lens.has
          ( ErrorCode -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
ErrorCode -> Optic' p f ServiceError ServiceError
Core.hasCode
              ErrorCode
"ProvisionedThroughputExceededException"
              Getting Any ServiceError ServiceError
-> Getting Any ServiceError ServiceError
-> Getting Any ServiceError ServiceError
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. Int -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
Int -> Optic' p f ServiceError ServiceError
Core.hasStatus Int
400
          )
          ServiceError
e =
        a -> Maybe a
forall a. a -> Maybe a
Prelude.Just a
"throughput_exceeded"
      | Getting Any ServiceError ServiceError -> ServiceError -> Bool
forall s a. Getting Any s a -> s -> Bool
Lens.has (Int -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
Int -> Optic' p f ServiceError ServiceError
Core.hasStatus Int
504) ServiceError
e =
        a -> Maybe a
forall a. a -> Maybe a
Prelude.Just a
"gateway_timeout"
      | Getting Any ServiceError ServiceError -> ServiceError -> Bool
forall s a. Getting Any s a -> s -> Bool
Lens.has
          ( ErrorCode -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
ErrorCode -> Optic' p f ServiceError ServiceError
Core.hasCode ErrorCode
"RequestThrottledException"
              Getting Any ServiceError ServiceError
-> Getting Any ServiceError ServiceError
-> Getting Any ServiceError ServiceError
forall b c a. (b -> c) -> (a -> b) -> a -> c
Prelude.. Int -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
Int -> Optic' p f ServiceError ServiceError
Core.hasStatus Int
400
          )
          ServiceError
e =
        a -> Maybe a
forall a. a -> Maybe a
Prelude.Just a
"request_throttled_exception"
      | Getting Any ServiceError ServiceError -> ServiceError -> Bool
forall s a. Getting Any s a -> s -> Bool
Lens.has (Int -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
Int -> Optic' p f ServiceError ServiceError
Core.hasStatus Int
502) ServiceError
e =
        a -> Maybe a
forall a. a -> Maybe a
Prelude.Just a
"bad_gateway"
      | Getting Any ServiceError ServiceError -> ServiceError -> Bool
forall s a. Getting Any s a -> s -> Bool
Lens.has (Int -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
Int -> Optic' p f ServiceError ServiceError
Core.hasStatus Int
503) ServiceError
e =
        a -> Maybe a
forall a. a -> Maybe a
Prelude.Just a
"service_unavailable"
      | Getting Any ServiceError ServiceError -> ServiceError -> Bool
forall s a. Getting Any s a -> s -> Bool
Lens.has (Int -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
Int -> Optic' p f ServiceError ServiceError
Core.hasStatus Int
500) ServiceError
e =
        a -> Maybe a
forall a. a -> Maybe a
Prelude.Just a
"general_server_error"
      | Getting Any ServiceError ServiceError -> ServiceError -> Bool
forall s a. Getting Any s a -> s -> Bool
Lens.has (Int -> Getting Any ServiceError ServiceError
forall (f :: * -> *) (p :: * -> * -> *).
(Applicative f, Choice p) =>
Int -> Optic' p f ServiceError ServiceError
Core.hasStatus Int
509) ServiceError
e =
        a -> Maybe a
forall a. a -> Maybe a
Prelude.Just a
"limit_exceeded"
      | Bool
Prelude.otherwise = Maybe a
forall a. Maybe a
Prelude.Nothing

-- | The request was rejected because the marker that specifies where
-- pagination should next begin is not valid.
_InvalidMarkerException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_InvalidMarkerException :: Getting (First ServiceError) a ServiceError
_InvalidMarkerException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"InvalidMarkerException"

-- | The request was rejected because the state of the specified resource is
-- not valid for this request.
--
-- For more information about how key state affects the use of a KMS key,
-- see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html Key state: Effect on your KMS key>
-- in the //Key Management Service Developer Guide// .
_KMSInvalidStateException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_KMSInvalidStateException :: Getting (First ServiceError) a ServiceError
_KMSInvalidStateException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"KMSInvalidStateException"

-- | The request was rejected for one of the following reasons:
--
-- -   The @KeyUsage@ value of the KMS key is incompatible with the API
--     operation.
--
-- -   The encryption algorithm or signing algorithm specified for the
--     operation is incompatible with the type of key material in the KMS
--     key @(KeySpec@).
--
-- For encrypting, decrypting, re-encrypting, and generating data keys, the
-- @KeyUsage@ must be @ENCRYPT_DECRYPT@. For signing and verifying, the
-- @KeyUsage@ must be @SIGN_VERIFY@. To find the @KeyUsage@ of a KMS key,
-- use the DescribeKey operation.
--
-- To find the encryption or signing algorithms supported for a particular
-- KMS key, use the DescribeKey operation.
_InvalidKeyUsageException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_InvalidKeyUsageException :: Getting (First ServiceError) a ServiceError
_InvalidKeyUsageException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"InvalidKeyUsageException"

-- | The request was rejected because the specified policy is not
-- syntactically or semantically correct.
_MalformedPolicyDocumentException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_MalformedPolicyDocumentException :: Getting (First ServiceError) a ServiceError
_MalformedPolicyDocumentException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"MalformedPolicyDocumentException"

-- | The request was rejected because the specified custom key store name is
-- already assigned to another custom key store in the account. Try again
-- with a custom key store name that is unique in the account.
_CustomKeyStoreNameInUseException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_CustomKeyStoreNameInUseException :: Getting (First ServiceError) a ServiceError
_CustomKeyStoreNameInUseException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"CustomKeyStoreNameInUseException"

-- | The request was rejected because a specified parameter is not supported
-- or a specified resource is not valid for this operation.
_UnsupportedOperationException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_UnsupportedOperationException :: Getting (First ServiceError) a ServiceError
_UnsupportedOperationException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"UnsupportedOperationException"

-- | The request was rejected because the specified KMS key is not enabled.
_DisabledException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_DisabledException :: Getting (First ServiceError) a ServiceError
_DisabledException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"DisabledException"

-- | The request was rejected because the specified KMS key was not
-- available. You can retry the request.
_KeyUnavailableException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_KeyUnavailableException :: Getting (First ServiceError) a ServiceError
_KeyUnavailableException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"KeyUnavailableException"

-- | The request was rejected because the key material in the request is,
-- expired, invalid, or is not the same key material that was previously
-- imported into this KMS key.
_IncorrectKeyMaterialException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_IncorrectKeyMaterialException :: Getting (First ServiceError) a ServiceError
_IncorrectKeyMaterialException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"IncorrectKeyMaterialException"

-- | The request was rejected because an internal exception occurred. The
-- request can be retried.
_KMSInternalException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_KMSInternalException :: Getting (First ServiceError) a ServiceError
_KMSInternalException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"KMSInternalException"

-- | The request was rejected because one or more tags are not valid.
_TagException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_TagException :: Getting (First ServiceError) a ServiceError
_TagException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"TagException"

-- | The request was rejected because the custom key store contains KMS keys.
-- After verifying that you do not need to use the KMS keys, use the
-- ScheduleKeyDeletion operation to delete the KMS keys. After they are
-- deleted, you can delete the custom key store.
_CustomKeyStoreHasCMKsException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_CustomKeyStoreHasCMKsException :: Getting (First ServiceError) a ServiceError
_CustomKeyStoreHasCMKsException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"CustomKeyStoreHasCMKsException"

-- | The request was rejected because the provided import token is invalid or
-- is associated with a different KMS key.
_InvalidImportTokenException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_InvalidImportTokenException :: Getting (First ServiceError) a ServiceError
_InvalidImportTokenException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"InvalidImportTokenException"

-- | The request was rejected because the specified CloudHSM cluster has a
-- different cluster certificate than the original cluster. You cannot use
-- the operation to specify an unrelated cluster.
--
-- Specify a cluster that shares a backup history with the original
-- cluster. This includes clusters that were created from a backup of the
-- current cluster, and clusters that were created from the same backup
-- that produced the current cluster.
--
-- Clusters that share a backup history have the same cluster certificate.
-- To view the cluster certificate of a cluster, use the
-- <https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html DescribeClusters>
-- operation.
_CloudHsmClusterNotRelatedException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_CloudHsmClusterNotRelatedException :: Getting (First ServiceError) a ServiceError
_CloudHsmClusterNotRelatedException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"CloudHsmClusterNotRelatedException"

-- | The request was rejected because the trust anchor certificate in the
-- request is not the trust anchor certificate for the specified CloudHSM
-- cluster.
--
-- When you
-- <https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr initialize the cluster>,
-- you create the trust anchor certificate and save it in the
-- @customerCA.crt@ file.
_IncorrectTrustAnchorException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_IncorrectTrustAnchorException :: Getting (First ServiceError) a ServiceError
_IncorrectTrustAnchorException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"IncorrectTrustAnchorException"

-- | The request was rejected because the associated CloudHSM cluster did not
-- meet the configuration requirements for a custom key store.
--
-- -   The cluster must be configured with private subnets in at least two
--     different Availability Zones in the Region.
--
-- -   The
--     <https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html security group for the cluster>
--     (cloudhsm-cluster-/\<cluster-id>/-sg) must include inbound rules and
--     outbound rules that allow TCP traffic on ports 2223-2225. The
--     __Source__ in the inbound rules and the __Destination__ in the
--     outbound rules must match the security group ID. These rules are set
--     by default when you create the cluster. Do not delete or change
--     them. To get information about a particular security group, use the
--     <https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroups.html DescribeSecurityGroups>
--     operation.
--
-- -   The cluster must contain at least as many HSMs as the operation
--     requires. To add HSMs, use the CloudHSM
--     <https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html CreateHsm>
--     operation.
--
--     For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey
--     operations, the CloudHSM cluster must have at least two active HSMs,
--     each in a different Availability Zone. For the ConnectCustomKeyStore
--     operation, the CloudHSM must contain at least one active HSM.
--
-- For information about the requirements for an CloudHSM cluster that is
-- associated with a custom key store, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore Assemble the Prerequisites>
-- in the /Key Management Service Developer Guide/. For information about
-- creating a private subnet for an CloudHSM cluster, see
-- <https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html Create a Private Subnet>
-- in the /CloudHSM User Guide/. For information about cluster security
-- groups, see
-- <https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html Configure a Default Security Group>
-- in the //CloudHSM User Guide// .
_CloudHsmClusterInvalidConfigurationException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_CloudHsmClusterInvalidConfigurationException :: Getting (First ServiceError) a ServiceError
_CloudHsmClusterInvalidConfigurationException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"CloudHsmClusterInvalidConfigurationException"

-- | The request was rejected because the CloudHSM cluster that is associated
-- with the custom key store is not active. Initialize and activate the
-- cluster and try the command again. For detailed instructions, see
-- <https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html Getting Started>
-- in the /CloudHSM User Guide/.
_CloudHsmClusterNotActiveException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_CloudHsmClusterNotActiveException :: Getting (First ServiceError) a ServiceError
_CloudHsmClusterNotActiveException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"CloudHsmClusterNotActiveException"

-- | The request was rejected because KMS cannot find the CloudHSM cluster
-- with the specified cluster ID. Retry the request with a different
-- cluster ID.
_CloudHsmClusterNotFoundException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_CloudHsmClusterNotFoundException :: Getting (First ServiceError) a ServiceError
_CloudHsmClusterNotFoundException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"CloudHsmClusterNotFoundException"

-- | The request was rejected because the specified entity or resource could
-- not be found.
_NotFoundException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_NotFoundException :: Getting (First ServiceError) a ServiceError
_NotFoundException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"NotFoundException"

-- | The request was rejected because the signature verification failed.
-- Signature verification fails when it cannot confirm that signature was
-- produced by signing the specified message with the specified KMS key and
-- signing algorithm.
_KMSInvalidSignatureException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_KMSInvalidSignatureException :: Getting (First ServiceError) a ServiceError
_KMSInvalidSignatureException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"KMSInvalidSignatureException"

-- | The request was rejected because the specified alias name is not valid.
_InvalidAliasNameException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_InvalidAliasNameException :: Getting (First ServiceError) a ServiceError
_InvalidAliasNameException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"InvalidAliasNameException"

-- | The request was rejected because KMS cannot find a custom key store with
-- the specified key store name or ID.
_CustomKeyStoreNotFoundException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_CustomKeyStoreNotFoundException :: Getting (First ServiceError) a ServiceError
_CustomKeyStoreNotFoundException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"CustomKeyStoreNotFoundException"

-- | The request was rejected because of the @ConnectionState@ of the custom
-- key store. To get the @ConnectionState@ of a custom key store, use the
-- DescribeCustomKeyStores operation.
--
-- This exception is thrown under the following conditions:
--
-- -   You requested the CreateKey or GenerateRandom operation in a custom
--     key store that is not connected. These operations are valid only
--     when the custom key store @ConnectionState@ is @CONNECTED@.
--
-- -   You requested the UpdateCustomKeyStore or DeleteCustomKeyStore
--     operation on a custom key store that is not disconnected. This
--     operation is valid only when the custom key store @ConnectionState@
--     is @DISCONNECTED@.
--
-- -   You requested the ConnectCustomKeyStore operation on a custom key
--     store with a @ConnectionState@ of @DISCONNECTING@ or @FAILED@. This
--     operation is valid for all other @ConnectionState@ values.
_CustomKeyStoreInvalidStateException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_CustomKeyStoreInvalidStateException :: Getting (First ServiceError) a ServiceError
_CustomKeyStoreInvalidStateException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"CustomKeyStoreInvalidStateException"

-- | The request was rejected because the specified @GrantId@ is not valid.
_InvalidGrantIdException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_InvalidGrantIdException :: Getting (First ServiceError) a ServiceError
_InvalidGrantIdException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"InvalidGrantIdException"

-- | The request was rejected because the specified grant token is not valid.
_InvalidGrantTokenException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_InvalidGrantTokenException :: Getting (First ServiceError) a ServiceError
_InvalidGrantTokenException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"InvalidGrantTokenException"

-- | The request was rejected because a specified ARN, or an ARN in a key
-- policy, is not valid.
_InvalidArnException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_InvalidArnException :: Getting (First ServiceError) a ServiceError
_InvalidArnException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"InvalidArnException"

-- | The system timed out while trying to fulfill the request. The request
-- can be retried.
_DependencyTimeoutException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_DependencyTimeoutException :: Getting (First ServiceError) a ServiceError
_DependencyTimeoutException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"DependencyTimeoutException"

-- | The request was rejected because the specified import token is expired.
-- Use GetParametersForImport to get a new import token and public key, use
-- the new public key to encrypt the key material, and then try the request
-- again.
_ExpiredImportTokenException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_ExpiredImportTokenException :: Getting (First ServiceError) a ServiceError
_ExpiredImportTokenException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"ExpiredImportTokenException"

-- | From the Decrypt or ReEncrypt operation, the request was rejected
-- because the specified ciphertext, or additional authenticated data
-- incorporated into the ciphertext, such as the encryption context, is
-- corrupted, missing, or otherwise invalid.
--
-- From the ImportKeyMaterial operation, the request was rejected because
-- KMS could not decrypt the encrypted (wrapped) key material.
_InvalidCiphertextException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_InvalidCiphertextException :: Getting (First ServiceError) a ServiceError
_InvalidCiphertextException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"InvalidCiphertextException"

-- | The request was rejected because the specified CloudHSM cluster is
-- already associated with a custom key store or it shares a backup history
-- with a cluster that is associated with a custom key store. Each custom
-- key store must be associated with a different CloudHSM cluster.
--
-- Clusters that share a backup history have the same cluster certificate.
-- To view the cluster certificate of a cluster, use the
-- <https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html DescribeClusters>
-- operation.
_CloudHsmClusterInUseException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_CloudHsmClusterInUseException :: Getting (First ServiceError) a ServiceError
_CloudHsmClusterInUseException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"CloudHsmClusterInUseException"

-- | The request was rejected because the specified KMS key cannot decrypt
-- the data. The @KeyId@ in a Decrypt request and the @SourceKeyId@ in a
-- ReEncrypt request must identify the same KMS key that was used to
-- encrypt the ciphertext.
_IncorrectKeyException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_IncorrectKeyException :: Getting (First ServiceError) a ServiceError
_IncorrectKeyException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"IncorrectKeyException"

-- | The request was rejected because it attempted to create a resource that
-- already exists.
_AlreadyExistsException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_AlreadyExistsException :: Getting (First ServiceError) a ServiceError
_AlreadyExistsException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"AlreadyExistsException"

-- | The request was rejected because a quota was exceeded. For more
-- information, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/limits.html Quotas>
-- in the /Key Management Service Developer Guide/.
_LimitExceededException :: Core.AsError a => Lens.Getting (Prelude.First Core.ServiceError) a Core.ServiceError
_LimitExceededException :: Getting (First ServiceError) a ServiceError
_LimitExceededException =
  Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
forall a.
AsError a =>
Service -> ErrorCode -> Getting (First ServiceError) a ServiceError
Core._MatchServiceError
    Service
defaultService
    ErrorCode
"LimitExceededException"