{-# LANGUAGE DeriveGeneric #-}
{-# LANGUAGE DuplicateRecordFields #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE RecordWildCards #-}
{-# LANGUAGE StrictData #-}
{-# LANGUAGE NoImplicitPrelude #-}
{-# OPTIONS_GHC -fno-warn-unused-imports #-}
{-# OPTIONS_GHC -fno-warn-unused-matches #-}

-- Derived from AWS service descriptions, licensed under Apache 2.0.

-- |
-- Module      : Amazonka.MediaConvert.Types.S3EncryptionSettings
-- Copyright   : (c) 2013-2021 Brendan Hay
-- License     : Mozilla Public License, v. 2.0.
-- Maintainer  : Brendan Hay <brendan.g.hay+amazonka@gmail.com>
-- Stability   : auto-generated
-- Portability : non-portable (GHC extensions)
module Amazonka.MediaConvert.Types.S3EncryptionSettings where

import qualified Amazonka.Core as Core
import qualified Amazonka.Lens as Lens
import Amazonka.MediaConvert.Types.S3ServerSideEncryptionType
import qualified Amazonka.Prelude as Prelude

-- | Settings for how your job outputs are encrypted as they are uploaded to
-- Amazon S3.
--
-- /See:/ 'newS3EncryptionSettings' smart constructor.
data S3EncryptionSettings = S3EncryptionSettings'
  { -- | Specify how you want your data keys managed. AWS uses data keys to
    -- encrypt your content. AWS also encrypts the data keys themselves, using
    -- a customer master key (CMK), and then stores the encrypted data keys
    -- alongside your encrypted content. Use this setting to specify which AWS
    -- service manages the CMK. For simplest set up, choose Amazon S3
    -- (SERVER_SIDE_ENCRYPTION_S3). If you want your master key to be managed
    -- by AWS Key Management Service (KMS), choose AWS KMS
    -- (SERVER_SIDE_ENCRYPTION_KMS). By default, when you choose AWS KMS, KMS
    -- uses the AWS managed customer master key (CMK) associated with Amazon S3
    -- to encrypt your data keys. You can optionally choose to specify a
    -- different, customer managed CMK. Do so by specifying the Amazon Resource
    -- Name (ARN) of the key for the setting KMS ARN (kmsKeyArn).
    S3EncryptionSettings -> Maybe S3ServerSideEncryptionType
encryptionType :: Prelude.Maybe S3ServerSideEncryptionType,
    -- | Optionally, specify the customer master key (CMK) that you want to use
    -- to encrypt the data key that AWS uses to encrypt your output content.
    -- Enter the Amazon Resource Name (ARN) of the CMK. To use this setting,
    -- you must also set Server-side encryption (S3ServerSideEncryptionType) to
    -- AWS KMS (SERVER_SIDE_ENCRYPTION_KMS). If you set Server-side encryption
    -- to AWS KMS but don\'t specify a CMK here, AWS uses the AWS managed CMK
    -- associated with Amazon S3.
    S3EncryptionSettings -> Maybe Text
kmsKeyArn :: Prelude.Maybe Prelude.Text,
    -- | Optionally, specify the encryption context that you want to use
    -- alongside your KMS key. AWS KMS uses this encryption context as
    -- additional authenticated data (AAD) to support authenticated encryption.
    -- This value must be a base64-encoded UTF-8 string holding JSON which
    -- represents a string-string map. To use this setting, you must also set
    -- Server-side encryption (S3ServerSideEncryptionType) to AWS KMS
    -- (SERVER_SIDE_ENCRYPTION_KMS). For more information about encryption
    -- context, see:
    -- https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/concepts.html#encrypt_context.
    S3EncryptionSettings -> Maybe Text
kmsEncryptionContext :: Prelude.Maybe Prelude.Text
  }
  deriving (S3EncryptionSettings -> S3EncryptionSettings -> Bool
(S3EncryptionSettings -> S3EncryptionSettings -> Bool)
-> (S3EncryptionSettings -> S3EncryptionSettings -> Bool)
-> Eq S3EncryptionSettings
forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a
/= :: S3EncryptionSettings -> S3EncryptionSettings -> Bool
$c/= :: S3EncryptionSettings -> S3EncryptionSettings -> Bool
== :: S3EncryptionSettings -> S3EncryptionSettings -> Bool
$c== :: S3EncryptionSettings -> S3EncryptionSettings -> Bool
Prelude.Eq, ReadPrec [S3EncryptionSettings]
ReadPrec S3EncryptionSettings
Int -> ReadS S3EncryptionSettings
ReadS [S3EncryptionSettings]
(Int -> ReadS S3EncryptionSettings)
-> ReadS [S3EncryptionSettings]
-> ReadPrec S3EncryptionSettings
-> ReadPrec [S3EncryptionSettings]
-> Read S3EncryptionSettings
forall a.
(Int -> ReadS a)
-> ReadS [a] -> ReadPrec a -> ReadPrec [a] -> Read a
readListPrec :: ReadPrec [S3EncryptionSettings]
$creadListPrec :: ReadPrec [S3EncryptionSettings]
readPrec :: ReadPrec S3EncryptionSettings
$creadPrec :: ReadPrec S3EncryptionSettings
readList :: ReadS [S3EncryptionSettings]
$creadList :: ReadS [S3EncryptionSettings]
readsPrec :: Int -> ReadS S3EncryptionSettings
$creadsPrec :: Int -> ReadS S3EncryptionSettings
Prelude.Read, Int -> S3EncryptionSettings -> ShowS
[S3EncryptionSettings] -> ShowS
S3EncryptionSettings -> String
(Int -> S3EncryptionSettings -> ShowS)
-> (S3EncryptionSettings -> String)
-> ([S3EncryptionSettings] -> ShowS)
-> Show S3EncryptionSettings
forall a.
(Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a
showList :: [S3EncryptionSettings] -> ShowS
$cshowList :: [S3EncryptionSettings] -> ShowS
show :: S3EncryptionSettings -> String
$cshow :: S3EncryptionSettings -> String
showsPrec :: Int -> S3EncryptionSettings -> ShowS
$cshowsPrec :: Int -> S3EncryptionSettings -> ShowS
Prelude.Show, (forall x. S3EncryptionSettings -> Rep S3EncryptionSettings x)
-> (forall x. Rep S3EncryptionSettings x -> S3EncryptionSettings)
-> Generic S3EncryptionSettings
forall x. Rep S3EncryptionSettings x -> S3EncryptionSettings
forall x. S3EncryptionSettings -> Rep S3EncryptionSettings x
forall a.
(forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a
$cto :: forall x. Rep S3EncryptionSettings x -> S3EncryptionSettings
$cfrom :: forall x. S3EncryptionSettings -> Rep S3EncryptionSettings x
Prelude.Generic)

-- |
-- Create a value of 'S3EncryptionSettings' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'encryptionType', 's3EncryptionSettings_encryptionType' - Specify how you want your data keys managed. AWS uses data keys to
-- encrypt your content. AWS also encrypts the data keys themselves, using
-- a customer master key (CMK), and then stores the encrypted data keys
-- alongside your encrypted content. Use this setting to specify which AWS
-- service manages the CMK. For simplest set up, choose Amazon S3
-- (SERVER_SIDE_ENCRYPTION_S3). If you want your master key to be managed
-- by AWS Key Management Service (KMS), choose AWS KMS
-- (SERVER_SIDE_ENCRYPTION_KMS). By default, when you choose AWS KMS, KMS
-- uses the AWS managed customer master key (CMK) associated with Amazon S3
-- to encrypt your data keys. You can optionally choose to specify a
-- different, customer managed CMK. Do so by specifying the Amazon Resource
-- Name (ARN) of the key for the setting KMS ARN (kmsKeyArn).
--
-- 'kmsKeyArn', 's3EncryptionSettings_kmsKeyArn' - Optionally, specify the customer master key (CMK) that you want to use
-- to encrypt the data key that AWS uses to encrypt your output content.
-- Enter the Amazon Resource Name (ARN) of the CMK. To use this setting,
-- you must also set Server-side encryption (S3ServerSideEncryptionType) to
-- AWS KMS (SERVER_SIDE_ENCRYPTION_KMS). If you set Server-side encryption
-- to AWS KMS but don\'t specify a CMK here, AWS uses the AWS managed CMK
-- associated with Amazon S3.
--
-- 'kmsEncryptionContext', 's3EncryptionSettings_kmsEncryptionContext' - Optionally, specify the encryption context that you want to use
-- alongside your KMS key. AWS KMS uses this encryption context as
-- additional authenticated data (AAD) to support authenticated encryption.
-- This value must be a base64-encoded UTF-8 string holding JSON which
-- represents a string-string map. To use this setting, you must also set
-- Server-side encryption (S3ServerSideEncryptionType) to AWS KMS
-- (SERVER_SIDE_ENCRYPTION_KMS). For more information about encryption
-- context, see:
-- https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/concepts.html#encrypt_context.
newS3EncryptionSettings ::
  S3EncryptionSettings
newS3EncryptionSettings :: S3EncryptionSettings
newS3EncryptionSettings =
  S3EncryptionSettings' :: Maybe S3ServerSideEncryptionType
-> Maybe Text -> Maybe Text -> S3EncryptionSettings
S3EncryptionSettings'
    { $sel:encryptionType:S3EncryptionSettings' :: Maybe S3ServerSideEncryptionType
encryptionType =
        Maybe S3ServerSideEncryptionType
forall a. Maybe a
Prelude.Nothing,
      $sel:kmsKeyArn:S3EncryptionSettings' :: Maybe Text
kmsKeyArn = Maybe Text
forall a. Maybe a
Prelude.Nothing,
      $sel:kmsEncryptionContext:S3EncryptionSettings' :: Maybe Text
kmsEncryptionContext = Maybe Text
forall a. Maybe a
Prelude.Nothing
    }

-- | Specify how you want your data keys managed. AWS uses data keys to
-- encrypt your content. AWS also encrypts the data keys themselves, using
-- a customer master key (CMK), and then stores the encrypted data keys
-- alongside your encrypted content. Use this setting to specify which AWS
-- service manages the CMK. For simplest set up, choose Amazon S3
-- (SERVER_SIDE_ENCRYPTION_S3). If you want your master key to be managed
-- by AWS Key Management Service (KMS), choose AWS KMS
-- (SERVER_SIDE_ENCRYPTION_KMS). By default, when you choose AWS KMS, KMS
-- uses the AWS managed customer master key (CMK) associated with Amazon S3
-- to encrypt your data keys. You can optionally choose to specify a
-- different, customer managed CMK. Do so by specifying the Amazon Resource
-- Name (ARN) of the key for the setting KMS ARN (kmsKeyArn).
s3EncryptionSettings_encryptionType :: Lens.Lens' S3EncryptionSettings (Prelude.Maybe S3ServerSideEncryptionType)
s3EncryptionSettings_encryptionType :: (Maybe S3ServerSideEncryptionType
 -> f (Maybe S3ServerSideEncryptionType))
-> S3EncryptionSettings -> f S3EncryptionSettings
s3EncryptionSettings_encryptionType = (S3EncryptionSettings -> Maybe S3ServerSideEncryptionType)
-> (S3EncryptionSettings
    -> Maybe S3ServerSideEncryptionType -> S3EncryptionSettings)
-> Lens
     S3EncryptionSettings
     S3EncryptionSettings
     (Maybe S3ServerSideEncryptionType)
     (Maybe S3ServerSideEncryptionType)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\S3EncryptionSettings' {Maybe S3ServerSideEncryptionType
encryptionType :: Maybe S3ServerSideEncryptionType
$sel:encryptionType:S3EncryptionSettings' :: S3EncryptionSettings -> Maybe S3ServerSideEncryptionType
encryptionType} -> Maybe S3ServerSideEncryptionType
encryptionType) (\s :: S3EncryptionSettings
s@S3EncryptionSettings' {} Maybe S3ServerSideEncryptionType
a -> S3EncryptionSettings
s {$sel:encryptionType:S3EncryptionSettings' :: Maybe S3ServerSideEncryptionType
encryptionType = Maybe S3ServerSideEncryptionType
a} :: S3EncryptionSettings)

-- | Optionally, specify the customer master key (CMK) that you want to use
-- to encrypt the data key that AWS uses to encrypt your output content.
-- Enter the Amazon Resource Name (ARN) of the CMK. To use this setting,
-- you must also set Server-side encryption (S3ServerSideEncryptionType) to
-- AWS KMS (SERVER_SIDE_ENCRYPTION_KMS). If you set Server-side encryption
-- to AWS KMS but don\'t specify a CMK here, AWS uses the AWS managed CMK
-- associated with Amazon S3.
s3EncryptionSettings_kmsKeyArn :: Lens.Lens' S3EncryptionSettings (Prelude.Maybe Prelude.Text)
s3EncryptionSettings_kmsKeyArn :: (Maybe Text -> f (Maybe Text))
-> S3EncryptionSettings -> f S3EncryptionSettings
s3EncryptionSettings_kmsKeyArn = (S3EncryptionSettings -> Maybe Text)
-> (S3EncryptionSettings -> Maybe Text -> S3EncryptionSettings)
-> Lens
     S3EncryptionSettings S3EncryptionSettings (Maybe Text) (Maybe Text)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\S3EncryptionSettings' {Maybe Text
kmsKeyArn :: Maybe Text
$sel:kmsKeyArn:S3EncryptionSettings' :: S3EncryptionSettings -> Maybe Text
kmsKeyArn} -> Maybe Text
kmsKeyArn) (\s :: S3EncryptionSettings
s@S3EncryptionSettings' {} Maybe Text
a -> S3EncryptionSettings
s {$sel:kmsKeyArn:S3EncryptionSettings' :: Maybe Text
kmsKeyArn = Maybe Text
a} :: S3EncryptionSettings)

-- | Optionally, specify the encryption context that you want to use
-- alongside your KMS key. AWS KMS uses this encryption context as
-- additional authenticated data (AAD) to support authenticated encryption.
-- This value must be a base64-encoded UTF-8 string holding JSON which
-- represents a string-string map. To use this setting, you must also set
-- Server-side encryption (S3ServerSideEncryptionType) to AWS KMS
-- (SERVER_SIDE_ENCRYPTION_KMS). For more information about encryption
-- context, see:
-- https:\/\/docs.aws.amazon.com\/kms\/latest\/developerguide\/concepts.html#encrypt_context.
s3EncryptionSettings_kmsEncryptionContext :: Lens.Lens' S3EncryptionSettings (Prelude.Maybe Prelude.Text)
s3EncryptionSettings_kmsEncryptionContext :: (Maybe Text -> f (Maybe Text))
-> S3EncryptionSettings -> f S3EncryptionSettings
s3EncryptionSettings_kmsEncryptionContext = (S3EncryptionSettings -> Maybe Text)
-> (S3EncryptionSettings -> Maybe Text -> S3EncryptionSettings)
-> Lens
     S3EncryptionSettings S3EncryptionSettings (Maybe Text) (Maybe Text)
forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b
Lens.lens (\S3EncryptionSettings' {Maybe Text
kmsEncryptionContext :: Maybe Text
$sel:kmsEncryptionContext:S3EncryptionSettings' :: S3EncryptionSettings -> Maybe Text
kmsEncryptionContext} -> Maybe Text
kmsEncryptionContext) (\s :: S3EncryptionSettings
s@S3EncryptionSettings' {} Maybe Text
a -> S3EncryptionSettings
s {$sel:kmsEncryptionContext:S3EncryptionSettings' :: Maybe Text
kmsEncryptionContext = Maybe Text
a} :: S3EncryptionSettings)

instance Core.FromJSON S3EncryptionSettings where
  parseJSON :: Value -> Parser S3EncryptionSettings
parseJSON =
    String
-> (Object -> Parser S3EncryptionSettings)
-> Value
-> Parser S3EncryptionSettings
forall a. String -> (Object -> Parser a) -> Value -> Parser a
Core.withObject
      String
"S3EncryptionSettings"
      ( \Object
x ->
          Maybe S3ServerSideEncryptionType
-> Maybe Text -> Maybe Text -> S3EncryptionSettings
S3EncryptionSettings'
            (Maybe S3ServerSideEncryptionType
 -> Maybe Text -> Maybe Text -> S3EncryptionSettings)
-> Parser (Maybe S3ServerSideEncryptionType)
-> Parser (Maybe Text -> Maybe Text -> S3EncryptionSettings)
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> (Object
x Object -> Text -> Parser (Maybe S3ServerSideEncryptionType)
forall a. FromJSON a => Object -> Text -> Parser (Maybe a)
Core..:? Text
"encryptionType")
            Parser (Maybe Text -> Maybe Text -> S3EncryptionSettings)
-> Parser (Maybe Text)
-> Parser (Maybe Text -> S3EncryptionSettings)
forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b
Prelude.<*> (Object
x Object -> Text -> Parser (Maybe Text)
forall a. FromJSON a => Object -> Text -> Parser (Maybe a)
Core..:? Text
"kmsKeyArn")
            Parser (Maybe Text -> S3EncryptionSettings)
-> Parser (Maybe Text) -> Parser S3EncryptionSettings
forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b
Prelude.<*> (Object
x Object -> Text -> Parser (Maybe Text)
forall a. FromJSON a => Object -> Text -> Parser (Maybe a)
Core..:? Text
"kmsEncryptionContext")
      )

instance Prelude.Hashable S3EncryptionSettings

instance Prelude.NFData S3EncryptionSettings

instance Core.ToJSON S3EncryptionSettings where
  toJSON :: S3EncryptionSettings -> Value
toJSON S3EncryptionSettings' {Maybe Text
Maybe S3ServerSideEncryptionType
kmsEncryptionContext :: Maybe Text
kmsKeyArn :: Maybe Text
encryptionType :: Maybe S3ServerSideEncryptionType
$sel:kmsEncryptionContext:S3EncryptionSettings' :: S3EncryptionSettings -> Maybe Text
$sel:kmsKeyArn:S3EncryptionSettings' :: S3EncryptionSettings -> Maybe Text
$sel:encryptionType:S3EncryptionSettings' :: S3EncryptionSettings -> Maybe S3ServerSideEncryptionType
..} =
    [Pair] -> Value
Core.object
      ( [Maybe Pair] -> [Pair]
forall a. [Maybe a] -> [a]
Prelude.catMaybes
          [ (Text
"encryptionType" Text -> S3ServerSideEncryptionType -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..=)
              (S3ServerSideEncryptionType -> Pair)
-> Maybe S3ServerSideEncryptionType -> Maybe Pair
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> Maybe S3ServerSideEncryptionType
encryptionType,
            (Text
"kmsKeyArn" Text -> Text -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..=) (Text -> Pair) -> Maybe Text -> Maybe Pair
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> Maybe Text
kmsKeyArn,
            (Text
"kmsEncryptionContext" Text -> Text -> Pair
forall kv v. (KeyValue kv, ToJSON v) => Text -> v -> kv
Core..=)
              (Text -> Pair) -> Maybe Text -> Maybe Pair
forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b
Prelude.<$> Maybe Text
kmsEncryptionContext
          ]
      )