{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE TypeFamilies #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-binds #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.KMS.UpdateAlias
-- Copyright   : (c) 2013-2021 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
--
-- Associates an existing KMS alias with a different KMS key. Each alias is
-- associated with only one KMS key at a time, although a KMS key can have
-- multiple aliases. The alias and the KMS key must be in the same Amazon
-- Web Services account and Region.
--
-- Adding, deleting, or updating an alias can allow or deny permission to
-- the KMS key. For details, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/abac.html Using ABAC in KMS>
-- in the /Key Management Service Developer Guide/.
--
-- The current and new KMS key must be the same type (both symmetric or
-- both asymmetric), and they must have the same key usage
-- (@ENCRYPT_DECRYPT@ or @SIGN_VERIFY@). This restriction prevents errors
-- in code that uses aliases. If you must assign an alias to a different
-- type of KMS key, use DeleteAlias to delete the old alias and CreateAlias
-- to create a new alias.
--
-- You cannot use @UpdateAlias@ to change an alias name. To change an alias
-- name, use DeleteAlias to delete the old alias and CreateAlias to create
-- a new alias.
--
-- Because an alias is not a property of a KMS key, you can create, update,
-- and delete the aliases of a KMS key without affecting the KMS key. Also,
-- aliases do not appear in the response from the DescribeKey operation. To
-- get the aliases of all KMS keys in the account, use the ListAliases
-- operation.
--
-- The KMS key that you use for this operation must be in a compatible key
-- state. For details, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html Key state: Effect on your KMS key>
-- in the /Key Management Service Developer Guide/.
--
-- __Cross-account use__: No. You cannot perform this operation on a KMS
-- key in a different Amazon Web Services account.
--
-- __Required permissions__
--
-- -   <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html kms:UpdateAlias>
--     on the alias (IAM policy).
--
-- -   <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html kms:UpdateAlias>
--     on the current KMS key (key policy).
--
-- -   <https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html kms:UpdateAlias>
--     on the new KMS key (key policy).
--
-- For details, see
-- <https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access Controlling access to aliases>
-- in the /Key Management Service Developer Guide/.
--
-- __Related operations:__
--
-- -   CreateAlias
--
-- -   DeleteAlias
--
-- -   ListAliases
module Amazonka.KMS.UpdateAlias
  ( -- * Creating a Request
    UpdateAlias (..),
    newUpdateAlias,

    -- * Request Lenses
    updateAlias_aliasName,
    updateAlias_targetKeyId,

    -- * Destructuring the Response
    UpdateAliasResponse (..),
    newUpdateAliasResponse,
  )
where

import qualified Amazonka.Core as Core
import Amazonka.KMS.Types
import qualified Amazonka.Lens as Lens
import qualified Amazonka.Prelude as Prelude
import qualified Amazonka.Request as Request
import qualified Amazonka.Response as Response

-- | /See:/ 'newUpdateAlias' smart constructor.
data UpdateAlias = UpdateAlias'
  { -- | Identifies the alias that is changing its KMS key. This value must begin
    -- with @alias\/@ followed by the alias name, such as
    -- @alias\/ExampleAlias@. You cannot use UpdateAlias to change the alias
    -- name.
    UpdateAlias -> Text
aliasName :: Prelude.Text,
    -- | Identifies the
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk customer managed key>
    -- to associate with the alias. You don\'t have permission to associate an
    -- alias with an
    -- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk Amazon Web Services managed key>.
    --
    -- The KMS key must be in the same Amazon Web Services account and Region
    -- as the alias. Also, the new target KMS key must be the same type as the
    -- current target KMS key (both symmetric or both asymmetric) and they must
    -- have the same key usage.
    --
    -- Specify the key ID or key ARN of the KMS key.
    --
    -- For example:
    --
    -- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
    --
    -- -   Key ARN:
    --     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
    --
    -- To get the key ID and key ARN for a KMS key, use ListKeys or
    -- DescribeKey.
    --
    -- To verify that the alias is mapped to the correct KMS key, use
    -- ListAliases.
    UpdateAlias -> Text
targetKeyId :: Prelude.Text
  }
  deriving (UpdateAlias -> UpdateAlias -> Bool
(UpdateAlias -> UpdateAlias -> Bool)
-> (UpdateAlias -> UpdateAlias -> Bool) -> Eq UpdateAlias
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
/= :: UpdateAlias -> UpdateAlias -> Bool
$c/= :: UpdateAlias -> UpdateAlias -> Bool
== :: UpdateAlias -> UpdateAlias -> Bool
$c== :: UpdateAlias -> UpdateAlias -> Bool
Prelude.Eq, ReadPrec [UpdateAlias]
ReadPrec UpdateAlias
Int -> ReadS UpdateAlias
ReadS [UpdateAlias]
(Int -> ReadS UpdateAlias)
-> ReadS [UpdateAlias]
-> ReadPrec UpdateAlias
-> ReadPrec [UpdateAlias]
-> Read UpdateAlias
forall a.
(Int -> ReadS a)
-> ReadS [a] -> ReadPrec a -> ReadPrec [a] -> Read a
readListPrec :: ReadPrec [UpdateAlias]
$creadListPrec :: ReadPrec [UpdateAlias]
readPrec :: ReadPrec UpdateAlias
$creadPrec :: ReadPrec UpdateAlias
readList :: ReadS [UpdateAlias]
$creadList :: ReadS [UpdateAlias]
readsPrec :: Int -> ReadS UpdateAlias
$creadsPrec :: Int -> ReadS UpdateAlias
Prelude.Read, Int -> UpdateAlias -> ShowS
[UpdateAlias] -> ShowS
UpdateAlias -> String
(Int -> UpdateAlias -> ShowS)
-> (UpdateAlias -> String)
-> ([UpdateAlias] -> ShowS)
-> Show UpdateAlias
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
showList :: [UpdateAlias] -> ShowS
$cshowList :: [UpdateAlias] -> ShowS
show :: UpdateAlias -> String
$cshow :: UpdateAlias -> String
showsPrec :: Int -> UpdateAlias -> ShowS
$cshowsPrec :: Int -> UpdateAlias -> ShowS
Prelude.Show, (forall x. UpdateAlias -> Rep UpdateAlias x)
-> (forall x. Rep UpdateAlias x -> UpdateAlias)
-> Generic UpdateAlias
forall x. Rep UpdateAlias x -> UpdateAlias
forall x. UpdateAlias -> Rep UpdateAlias x
forall a.
(forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a
$cto :: forall x. Rep UpdateAlias x -> UpdateAlias
$cfrom :: forall x. UpdateAlias -> Rep UpdateAlias x
Prelude.Generic)

-- |
-- Create a value of 'UpdateAlias' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'aliasName', 'updateAlias_aliasName' - Identifies the alias that is changing its KMS key. This value must begin
-- with @alias\/@ followed by the alias name, such as
-- @alias\/ExampleAlias@. You cannot use UpdateAlias to change the alias
-- name.
--
-- 'targetKeyId', 'updateAlias_targetKeyId' - Identifies the
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk customer managed key>
-- to associate with the alias. You don\'t have permission to associate an
-- alias with an
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk Amazon Web Services managed key>.
--
-- The KMS key must be in the same Amazon Web Services account and Region
-- as the alias. Also, the new target KMS key must be the same type as the
-- current target KMS key (both symmetric or both asymmetric) and they must
-- have the same key usage.
--
-- Specify the key ID or key ARN of the KMS key.
--
-- For example:
--
-- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Key ARN:
--     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- To get the key ID and key ARN for a KMS key, use ListKeys or
-- DescribeKey.
--
-- To verify that the alias is mapped to the correct KMS key, use
-- ListAliases.
newUpdateAlias ::
  -- | 'aliasName'
  Prelude.Text ->
  -- | 'targetKeyId'
  Prelude.Text ->
  UpdateAlias
newUpdateAlias :: Text -> Text -> UpdateAlias
newUpdateAlias Text
pAliasName_ Text
pTargetKeyId_ =
  UpdateAlias' :: Text -> Text -> UpdateAlias
UpdateAlias'
    { $sel:aliasName:UpdateAlias' :: Text
aliasName = Text
pAliasName_,
      $sel:targetKeyId:UpdateAlias' :: Text
targetKeyId = Text
pTargetKeyId_
    }

-- | Identifies the alias that is changing its KMS key. This value must begin
-- with @alias\/@ followed by the alias name, such as
-- @alias\/ExampleAlias@. You cannot use UpdateAlias to change the alias
-- name.
updateAlias_aliasName :: Lens.Lens' UpdateAlias Prelude.Text
updateAlias_aliasName :: (Text -> f Text) -> UpdateAlias -> f UpdateAlias
updateAlias_aliasName = (UpdateAlias -> Text)
-> (UpdateAlias -> Text -> UpdateAlias)
-> Lens UpdateAlias UpdateAlias Text Text
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\UpdateAlias' {Text
aliasName :: Text
$sel:aliasName:UpdateAlias' :: UpdateAlias -> Text
aliasName} -> Text
aliasName) (\s :: UpdateAlias
s@UpdateAlias' {} Text
a -> UpdateAlias
s {$sel:aliasName:UpdateAlias' :: Text
aliasName = Text
a} :: UpdateAlias)

-- | Identifies the
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk customer managed key>
-- to associate with the alias. You don\'t have permission to associate an
-- alias with an
-- <https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk Amazon Web Services managed key>.
--
-- The KMS key must be in the same Amazon Web Services account and Region
-- as the alias. Also, the new target KMS key must be the same type as the
-- current target KMS key (both symmetric or both asymmetric) and they must
-- have the same key usage.
--
-- Specify the key ID or key ARN of the KMS key.
--
-- For example:
--
-- -   Key ID: @1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- -   Key ARN:
--     @arn:aws:kms:us-east-2:111122223333:key\/1234abcd-12ab-34cd-56ef-1234567890ab@
--
-- To get the key ID and key ARN for a KMS key, use ListKeys or
-- DescribeKey.
--
-- To verify that the alias is mapped to the correct KMS key, use
-- ListAliases.
updateAlias_targetKeyId :: Lens.Lens' UpdateAlias Prelude.Text
updateAlias_targetKeyId :: (Text -> f Text) -> UpdateAlias -> f UpdateAlias
updateAlias_targetKeyId = (UpdateAlias -> Text)
-> (UpdateAlias -> Text -> UpdateAlias)
-> Lens UpdateAlias UpdateAlias Text Text
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\UpdateAlias' {Text
targetKeyId :: Text
$sel:targetKeyId:UpdateAlias' :: UpdateAlias -> Text
targetKeyId} -> Text
targetKeyId) (\s :: UpdateAlias
s@UpdateAlias' {} Text
a -> UpdateAlias
s {$sel:targetKeyId:UpdateAlias' :: Text
targetKeyId = Text
a} :: UpdateAlias)

instance Core.AWSRequest UpdateAlias where
  type AWSResponse UpdateAlias = UpdateAliasResponse
  request :: UpdateAlias -> Request UpdateAlias
request = Service -> UpdateAlias -> Request UpdateAlias
forall a. (ToRequest a, ToJSON a) => Service -> a -> Request a
Request.postJSON Service
defaultService
  response :: Logger
-> Service
-> Proxy UpdateAlias
-> ClientResponse ClientBody
-> m (Either Error (ClientResponse (AWSResponse UpdateAlias)))
response = AWSResponse UpdateAlias
-> Logger
-> Service
-> Proxy UpdateAlias
-> ClientResponse ClientBody
-> m (Either Error (ClientResponse (AWSResponse UpdateAlias)))
forall (m :: * -> *) a.
MonadResource m =>
AWSResponse a
-> Logger
-> Service
-> Proxy a
-> ClientResponse ClientBody
-> m (Either Error (ClientResponse (AWSResponse a)))
Response.receiveNull AWSResponse UpdateAlias
UpdateAliasResponse
UpdateAliasResponse'

instance Prelude.Hashable UpdateAlias

instance Prelude.NFData UpdateAlias

instance Core.ToHeaders UpdateAlias where
  toHeaders :: UpdateAlias -> [Header]
toHeaders =
    [Header] -> UpdateAlias -> [Header]
forall a b. a -> b -> a
Prelude.const
      ( [[Header]] -> [Header]
forall a. Monoid a => [a] -> a
Prelude.mconcat
          [ HeaderName
"X-Amz-Target"
              HeaderName -> ByteString -> [Header]
forall a. ToHeader a => HeaderName -> a -> [Header]
Core.=# (ByteString
"TrentService.UpdateAlias" :: Prelude.ByteString),
            HeaderName
"Content-Type"
              HeaderName -> ByteString -> [Header]
forall a. ToHeader a => HeaderName -> a -> [Header]
Core.=# ( ByteString
"application/x-amz-json-1.1" ::
                          Prelude.ByteString
                      )
          ]
      )

instance Core.ToJSON UpdateAlias where
  toJSON :: UpdateAlias -> Value
toJSON UpdateAlias' {Text
targetKeyId :: Text
aliasName :: Text
$sel:targetKeyId:UpdateAlias' :: UpdateAlias -> Text
$sel:aliasName:UpdateAlias' :: UpdateAlias -> Text
..} =
    [Pair] -> Value
Core.object
      ( [Maybe Pair] -> [Pair]
forall a. [Maybe a] -> [a]
Prelude.catMaybes
          [ Pair -> Maybe Pair
forall a. a -> Maybe a
Prelude.Just (Text
"AliasName" Text -> Text -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..= Text
aliasName),
            Pair -> Maybe Pair
forall a. a -> Maybe a
Prelude.Just (Text
"TargetKeyId" Text -> Text -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..= Text
targetKeyId)
          ]
      )

instance Core.ToPath UpdateAlias where
  toPath :: UpdateAlias -> ByteString
toPath = ByteString -> UpdateAlias -> ByteString
forall a b. a -> b -> a
Prelude.const ByteString
"/"

instance Core.ToQuery UpdateAlias where
  toQuery :: UpdateAlias -> QueryString
toQuery = QueryString -> UpdateAlias -> QueryString
forall a b. a -> b -> a
Prelude.const QueryString
forall a. Monoid a => a
Prelude.mempty

-- | /See:/ 'newUpdateAliasResponse' smart constructor.
data UpdateAliasResponse = UpdateAliasResponse'
  {
  }
  deriving (UpdateAliasResponse -> UpdateAliasResponse -> Bool
(UpdateAliasResponse -> UpdateAliasResponse -> Bool)
-> (UpdateAliasResponse -> UpdateAliasResponse -> Bool)
-> Eq UpdateAliasResponse
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
/= :: UpdateAliasResponse -> UpdateAliasResponse -> Bool
$c/= :: UpdateAliasResponse -> UpdateAliasResponse -> Bool
== :: UpdateAliasResponse -> UpdateAliasResponse -> Bool
$c== :: UpdateAliasResponse -> UpdateAliasResponse -> Bool
Prelude.Eq, ReadPrec [UpdateAliasResponse]
ReadPrec UpdateAliasResponse
Int -> ReadS UpdateAliasResponse
ReadS [UpdateAliasResponse]
(Int -> ReadS UpdateAliasResponse)
-> ReadS [UpdateAliasResponse]
-> ReadPrec UpdateAliasResponse
-> ReadPrec [UpdateAliasResponse]
-> Read UpdateAliasResponse
forall a.
(Int -> ReadS a)
-> ReadS [a] -> ReadPrec a -> ReadPrec [a] -> Read a
readListPrec :: ReadPrec [UpdateAliasResponse]
$creadListPrec :: ReadPrec [UpdateAliasResponse]
readPrec :: ReadPrec UpdateAliasResponse
$creadPrec :: ReadPrec UpdateAliasResponse
readList :: ReadS [UpdateAliasResponse]
$creadList :: ReadS [UpdateAliasResponse]
readsPrec :: Int -> ReadS UpdateAliasResponse
$creadsPrec :: Int -> ReadS UpdateAliasResponse
Prelude.Read, Int -> UpdateAliasResponse -> ShowS
[UpdateAliasResponse] -> ShowS
UpdateAliasResponse -> String
(Int -> UpdateAliasResponse -> ShowS)
-> (UpdateAliasResponse -> String)
-> ([UpdateAliasResponse] -> ShowS)
-> Show UpdateAliasResponse
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
showList :: [UpdateAliasResponse] -> ShowS
$cshowList :: [UpdateAliasResponse] -> ShowS
show :: UpdateAliasResponse -> String
$cshow :: UpdateAliasResponse -> String
showsPrec :: Int -> UpdateAliasResponse -> ShowS
$cshowsPrec :: Int -> UpdateAliasResponse -> ShowS
Prelude.Show, (forall x. UpdateAliasResponse -> Rep UpdateAliasResponse x)
-> (forall x. Rep UpdateAliasResponse x -> UpdateAliasResponse)
-> Generic UpdateAliasResponse
forall x. Rep UpdateAliasResponse x -> UpdateAliasResponse
forall x. UpdateAliasResponse -> Rep UpdateAliasResponse x
forall a.
(forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a
$cto :: forall x. Rep UpdateAliasResponse x -> UpdateAliasResponse
$cfrom :: forall x. UpdateAliasResponse -> Rep UpdateAliasResponse x
Prelude.Generic)

-- |
-- Create a value of 'UpdateAliasResponse' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
newUpdateAliasResponse ::
  UpdateAliasResponse
newUpdateAliasResponse :: UpdateAliasResponse
newUpdateAliasResponse = UpdateAliasResponse
UpdateAliasResponse'

instance Prelude.NFData UpdateAliasResponse