Returns a list of ConfigurationItems for the specified resource. The list contains details about each state of the resource during the specified time interval. If you specified a retention period to retain your ConfigurationItems between a minimum of 30 days and a maximum of 7 years (2557 days), Config returns the ConfigurationItems for the specified retention period.
The response is paginated. By default, Config returns a limit of 10 configuration items per page. You can customize this number with the limit parameter. The response includes a nextToken string. To get the next page of results, run the request again and specify the string for the nextToken parameter.
Each call to the API is limited to span a duration of seven days. It is likely that the number of records returned is smaller than the specified limit. In such cases, you can make another call, using the nextToken.
Returns the details of a specific stored query.
", "ListAggregateDiscoveredResources": "Accepts a resource type and returns a list of resource identifiers that are aggregated for a specific resource type across accounts and regions. A resource identifier includes the resource type, ID, (if available) the custom resource name, source account, and source region. You can narrow the results to include only resources that have specific resource IDs, or a resource name, or source account ID, or source region.
For example, if the input consists of accountID 12345678910 and the region is us-east-1 for resource type AWS::EC2::Instance then the API returns all the EC2 instance identifiers of accountID 12345678910 and region us-east-1.
Returns a list of conformance pack compliance scores. A compliance score is the percentage of the number of compliant rule-resource combinations in a conformance pack compared to the number of total possible rule-resource combinations in the conformance pack. This metric provides you with a high-level view of the compliance state of your conformance packs, and can be used to identify, investigate, and understand compliance deviations in your conformance packs.
", + "ListConformancePackComplianceScores": "Returns a list of conformance pack compliance scores. A compliance score is the percentage of the number of compliant rule-resource combinations in a conformance pack compared to the number of total possible rule-resource combinations in the conformance pack. This metric provides you with a high-level view of the compliance state of your conformance packs, and can be used to identify, investigate, and understand the level of compliance in your conformance packs.
Conformance packs with no evaluation results will have a compliance score of INSUFFICIENT_DATA.
Accepts a resource type and returns a list of resource identifiers for the resources of that type. A resource identifier includes the resource type, ID, and (if available) the custom resource name. The results consist of resources that Config has discovered, including those that Config is not currently recording. You can narrow the results to include only resources that have specific resource IDs or a resource name.
You can specify either resource IDs or a resource name, but not both, in the same request.
The response is paginated. By default, Config lists 100 resource identifiers on each page. You can customize this number with the limit parameter. The response includes a nextToken string. To get the next page of results, run the request again and specify the string for the nextToken parameter.
Lists the stored queries for a single Amazon Web Services account and a single Amazon Web Services Region. The default is 100.
", "ListTagsForResource": "List the tags for Config resource.
", "PutAggregationAuthorization": "Authorizes the aggregator account and region to collect data from the source account and region.
", - "PutConfigRule": "Adds or updates an Config rule for evaluating whether your Amazon Web Services resources comply with your desired configurations.
You can use this action for Config custom rules and Config managed rules. A Config custom rule is a rule that you develop and maintain. An Config managed rule is a customizable, predefined rule that Config provides.
If you are adding a new Config custom rule, you must first create the Lambda function that the rule invokes to evaluate your resources. When you use the PutConfigRule action to add the rule to Config, you must specify the Amazon Resource Name (ARN) that Lambda assigns to the function. Specify the ARN for the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object.
If you are adding an Config managed rule, specify the rule's identifier for the SourceIdentifier key. To reference Config managed rule identifiers, see About Config managed rules.
For any new rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by Config for new rules.
If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.
For information on how many Config rules you can have per account, see Service Limits in the Config Developer Guide.
For more information about developing and using Config rules, see Evaluating Amazon Web Services resource Configurations with Config in the Config Developer Guide.
", - "PutConfigurationAggregator": "Creates and updates the configuration aggregator with the selected source accounts and regions. The source account can be individual account(s) or an organization.
accountIds that are passed will be replaced with existing accounts. If you want to add additional accounts into the aggregator, call DescribeConfigurationAggregators to get the previous accounts and then append new ones.
Config should be enabled in source accounts and regions you want to aggregate.
If your source type is an organization, you must be signed in to the management account or a registered delegated administrator and all the features must be enabled in your organization. If the caller is a management account, Config calls EnableAwsServiceAccess API to enable integration between Config and Organizations. If the caller is a registered delegated administrator, Config calls ListDelegatedAdministrators API to verify whether the caller is a valid delegated administrator.
To register a delegated administrator, see Register a Delegated Administrator in the Config developer guide.
Adds or updates an Config rule to evaluate if your Amazon Web Services resources comply with your desired configurations. For information on how many Config rules you can have per account, see Service Limits in the Config Developer Guide.
There are two types of rules: Config Custom Rules and Config Managed Rules. You can use PutConfigRule to create both Config custom rules and Config managed rules.
Custom rules are rules that you can create using either Guard or Lambda functions. Guard (Guard GitHub Repository) is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. Lambda uses custom code that you upload to evaluate a custom rule. If you are adding a new Custom Lambda rule, you first need to create an Lambda function that the rule invokes to evaluate your resources. When you use PutConfigRule to add a Custom Lambda rule to Config, you must specify the Amazon Resource Name (ARN) that Lambda assigns to the function. You specify the ARN in the SourceIdentifier key. This key is part of the Source object, which is part of the ConfigRule object.
Managed rules are predefined, customizable rules created by Config. For a list of managed rules, see List of Config Managed Rules. If you are adding an Config managed rule, you must specify the rule's identifier for the SourceIdentifier key.
For any new rule that you add, specify the ConfigRuleName in the ConfigRule object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values are generated by Config for new rules.
If you are updating a rule that you added previously, you can specify the rule by ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule data type that you use in this request.
For more information about developing and using Config rules, see Evaluating Amazon Web Services resource Configurations with Config in the Config Developer Guide.
", + "PutConfigurationAggregator": "Creates and updates the configuration aggregator with the selected source accounts and regions. The source account can be individual account(s) or an organization.
accountIds that are passed will be replaced with existing accounts. If you want to add additional accounts into the aggregator, call DescribeConfigurationAggregators to get the previous accounts and then append new ones.
Config should be enabled in source accounts and regions you want to aggregate.
If your source type is an organization, you must be signed in to the management account or a registered delegated administrator and all the features must be enabled in your organization. If the caller is a management account, Config calls EnableAwsServiceAccess API to enable integration between Config and Organizations. If the caller is a registered delegated administrator, Config calls ListDelegatedAdministrators API to verify whether the caller is a valid delegated administrator.
To register a delegated administrator, see Register a Delegated Administrator in the Config developer guide.
Creates a new configuration recorder to record the selected resource configurations.
You can use this action to change the role roleARN or the recordingGroup of an existing recorder. To change the role, call the action on the existing configuration recorder and specify a role.
Currently, you can specify only one configuration recorder per region in your account.
If ConfigurationRecorder does not have the recordingGroup parameter specified, the default is to record all supported resource types.
Creates or updates a conformance pack. A conformance pack is a collection of Config rules that can be easily deployed in an account and a region and across Amazon Web Services Organization. For information on how many conformance packs you can have per account, see Service Limits in the Config Developer Guide.
This API creates a service linked role AWSServiceRoleForConfigConforms in your account. The service linked role is created only when the role does not exist in your account.
You must specify either the TemplateS3Uri or the TemplateBody parameter, but not both. If you provide both Config uses the TemplateS3Uri parameter and ignores the TemplateBody parameter.
Creates or updates a conformance pack. A conformance pack is a collection of Config rules that can be easily deployed in an account and a region and across Amazon Web Services Organization. For information on how many conformance packs you can have per account, see Service Limits in the Config Developer Guide.
This API creates a service-linked role AWSServiceRoleForConfigConforms in your account. The service-linked role is created only when the role does not exist in your account.
You must specify either the TemplateS3Uri or the TemplateBody parameter, but not both. If you provide both Config uses the TemplateS3Uri parameter and ignores the TemplateBody parameter.
Creates a delivery channel object to deliver configuration information to an Amazon S3 bucket and Amazon SNS topic.
Before you can create a delivery channel, you must create a configuration recorder.
You can use this action to change the Amazon S3 bucket or an Amazon SNS topic of the existing delivery channel. To change the Amazon S3 bucket or an Amazon SNS topic, call this action and specify the changed values for the S3 bucket and the SNS topic. If you specify a different value for either the S3 bucket or the SNS topic, this action will keep the existing value for the parameter that is not changed.
You can have only one delivery channel per region in your account.
Used by an Lambda function to deliver evaluation results to Config. This action is required in every Lambda function that is invoked by an Config rule.
", "PutExternalEvaluation": "Add or updates the evaluations for process checks. This API checks if the rule is a process check when the name of the Config rule is provided.
", - "PutOrganizationConfigRule": "Adds or updates organization Config rule for your entire organization evaluating whether your Amazon Web Services resources comply with your desired configurations. For information on how many organization Config rules you can have per account, see Service Limits in the Config Developer Guide.
Only a master account and a delegated administrator can create or update an organization Config rule. When calling this API with a delegated administrator, you must ensure Organizations ListDelegatedAdministrator permissions are added. An organization can have up to 3 delegated administrators.
This API enables organization service access through the EnableAWSServiceAccess action and creates a service linked role AWSServiceRoleForConfigMultiAccountSetup in the master or delegated administrator account of your organization. The service linked role is created only when the role does not exist in the caller account. Config verifies the existence of role with GetRole action.
To use this API with delegated administrator, register a delegated administrator by calling Amazon Web Services Organization register-delegated-administrator for config-multiaccountsetup.amazonaws.com.
You can use this action to create both Config custom rules and Config managed rules. If you are adding a new Config custom rule, you must first create Lambda function in the master account or a delegated administrator that the rule invokes to evaluate your resources. You also need to create an IAM role in the managed-account that can be assumed by the Lambda function. When you use the PutOrganizationConfigRule action to add the rule to Config, you must specify the Amazon Resource Name (ARN) that Lambda assigns to the function. If you are adding an Config managed rule, specify the rule's identifier for the RuleIdentifier key.
Prerequisite: Ensure you call EnableAllFeatures API to enable all features in an organization.
Specify either OrganizationCustomRuleMetadata or OrganizationManagedRuleMetadata.
Deploys conformance packs across member accounts in an Amazon Web Services Organization. For information on how many organization conformance packs and how many Config rules you can have per account, see Service Limits in the Config Developer Guide.
Only a master account and a delegated administrator can call this API. When calling this API with a delegated administrator, you must ensure Organizations ListDelegatedAdministrator permissions are added. An organization can have up to 3 delegated administrators.
This API enables organization service access for config-multiaccountsetup.amazonaws.com through the EnableAWSServiceAccess action and creates a service linked role AWSServiceRoleForConfigMultiAccountSetup in the master or delegated administrator account of your organization. The service linked role is created only when the role does not exist in the caller account. To use this API with delegated administrator, register a delegated administrator by calling Amazon Web Services Organization register-delegate-admin for config-multiaccountsetup.amazonaws.com.
Prerequisite: Ensure you call EnableAllFeatures API to enable all features in an organization.
You must specify either the TemplateS3Uri or the TemplateBody parameter, but not both. If you provide both Config uses the TemplateS3Uri parameter and ignores the TemplateBody parameter.
Config sets the state of a conformance pack to CREATE_IN_PROGRESS and UPDATE_IN_PROGRESS until the conformance pack is created or updated. You cannot update a conformance pack while it is in this state.
Adds or updates an Config rule for your entire organization to evaluate if your Amazon Web Services resources comply with your desired configurations. For information on how many organization Config rules you can have per account, see Service Limits in the Config Developer Guide.
Only a master account and a delegated administrator can create or update an organization Config rule. When calling this API with a delegated administrator, you must ensure Organizations ListDelegatedAdministrator permissions are added. An organization can have up to 3 delegated administrators.
This API enables organization service access through the EnableAWSServiceAccess action and creates a service-linked role AWSServiceRoleForConfigMultiAccountSetup in the master or delegated administrator account of your organization. The service-linked role is created only when the role does not exist in the caller account. Config verifies the existence of role with GetRole action.
To use this API with delegated administrator, register a delegated administrator by calling Amazon Web Services Organization register-delegated-administrator for config-multiaccountsetup.amazonaws.com.
There are two types of rules: Config Custom Rules and Config Managed Rules. You can use PutOrganizationConfigRule to create both Config custom rules and Config managed rules.
Custom rules are rules that you can create using either Guard or Lambda functions. Guard (Guard GitHub Repository) is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. Lambda uses custom code that you upload to evaluate a custom rule. If you are adding a new Custom Lambda rule, you first need to create an Lambda function in the master account or a delegated administrator that the rule invokes to evaluate your resources. You also need to create an IAM role in the managed account that can be assumed by the Lambda function. When you use PutOrganizationConfigRule to add a Custom Lambda rule to Config, you must specify the Amazon Resource Name (ARN) that Lambda assigns to the function.
Managed rules are predefined, customizable rules created by Config. For a list of managed rules, see List of Config Managed Rules. If you are adding an Config managed rule, you must specify the rule's identifier for the RuleIdentifier key.
Prerequisite: Ensure you call EnableAllFeatures API to enable all features in an organization.
Make sure to specify one of either OrganizationCustomPolicyRuleMetadata for Custom Policy rules, OrganizationCustomRuleMetadata for Custom Lambda rules, or OrganizationManagedRuleMetadata for managed rules.
Deploys conformance packs across member accounts in an Amazon Web Services Organization. For information on how many organization conformance packs and how many Config rules you can have per account, see Service Limits in the Config Developer Guide.
Only a master account and a delegated administrator can call this API. When calling this API with a delegated administrator, you must ensure Organizations ListDelegatedAdministrator permissions are added. An organization can have up to 3 delegated administrators.
This API enables organization service access for config-multiaccountsetup.amazonaws.com through the EnableAWSServiceAccess action and creates a service-linked role AWSServiceRoleForConfigMultiAccountSetup in the master or delegated administrator account of your organization. The service-linked role is created only when the role does not exist in the caller account. To use this API with delegated administrator, register a delegated administrator by calling Amazon Web Services Organization register-delegate-admin for config-multiaccountsetup.amazonaws.com.
Prerequisite: Ensure you call EnableAllFeatures API to enable all features in an organization.
You must specify either the TemplateS3Uri or the TemplateBody parameter, but not both. If you provide both Config uses the TemplateS3Uri parameter and ignores the TemplateBody parameter.
Config sets the state of a conformance pack to CREATE_IN_PROGRESS and UPDATE_IN_PROGRESS until the conformance pack is created or updated. You cannot update a conformance pack while it is in this state.
Adds or updates the remediation configuration with a specific Config rule with the selected target or action. The API creates the RemediationConfiguration object for the Config rule. The Config rule must already exist for you to add a remediation configuration. The target (SSM document) must exist and have permissions to use the target.
If you make backward incompatible changes to the SSM document, you must call this again to ensure the remediations can run.
This API does not support adding remediation configurations for service-linked Config Rules such as Organization Config rules, the rules deployed by conformance packs, and rules deployed by Amazon Web Services Security Hub.
For manual remediation configuration, you need to provide a value for automationAssumeRole or use a value in the assumeRolefield to remediate your resources. The SSM automation document can use either as long as it maps to a valid parameter.
However, for automatic remediation configuration, the only valid assumeRole field value is AutomationAssumeRole and you need to provide a value for AutomationAssumeRole to remediate your resources.
A remediation exception is when a specific resource is no longer considered for auto-remediation. This API adds a new exception or updates an existing exception for a specific resource with a specific Config rule.
Config generates a remediation exception when a problem occurs executing a remediation action to a specific resource. Remediation exceptions blocks auto-remediation until the exception is cleared.
Records the configuration state for the resource provided in the request. The configuration state of a resource is represented in Config as Configuration Items. Once this API records the configuration item, you can retrieve the list of configuration items for the custom resource type using existing Config APIs.
The custom resource type must be registered with CloudFormation. This API accepts the configuration item registered with CloudFormation.
When you call this API, Config only stores configuration state of the resource provided in the request. This API does not change or remediate the configuration of the resource.
Write-only schema properites are not recorded as part of the published configuration item.
Creates and updates the retention configuration with details about retention period (number of days) that Config stores your historical information. The API creates the RetentionConfiguration object and names the object as default. When you have a RetentionConfiguration object named default, calling the API modifies the default object.
Currently, Config supports only one retention configuration per region in your account.
Saves a new query or updates an existing saved query. The QueryName must be unique for a single Amazon Web Services account and a single Amazon Web Services Region. You can create upto 300 queries in a single Amazon Web Services account and a single Amazon Web Services Region.
Accepts a structured query language (SQL) SELECT command and an aggregator to query configuration state of Amazon Web Services resources across multiple accounts and regions, performs the corresponding search, and returns resource configurations matching the properties.
For more information about query components, see the Query Components section in the Config Developer Guide.
If you run an aggregation query (i.e., using GROUP BY or using aggregate functions such as COUNT; e.g., SELECT resourceId, COUNT(*) WHERE resourceType = 'AWS::IAM::Role' GROUP BY resourceId) and do not specify the MaxResults or the Limit query parameters, the default page size is set to 500.
If you run a non-aggregation query (i.e., not using GROUP BY or aggregate function; e.g., SELECT * WHERE resourceType = 'AWS::IAM::Role') and do not specify the MaxResults or the Limit query parameters, the default page size is set to 25.
Accepts a structured query language (SQL) SELECT command, performs the corresponding search, and returns resource configurations matching the properties.
For more information about query components, see the Query Components section in the Config Developer Guide.
", + "SelectResourceConfig": "Accepts a structured query language (SQL) SELECT command, performs the corresponding search, and returns resource configurations matching the properties.
For more information about query components, see the Query Components section in the Config Developer Guide.
", "StartConfigRulesEvaluation": "Runs an on-demand evaluation for the specified Config rules against the last known configuration state of the resources. Use StartConfigRulesEvaluation when you want to test that a rule you updated is working as expected. StartConfigRulesEvaluation does not re-record the latest configuration state for your resources. It re-runs an evaluation against the last known state of your resources.
You can specify up to 25 Config rules per request.
An existing StartConfigRulesEvaluation call for the specified rules must complete before you can call the API again. If you chose to have Config stream to an Amazon SNS topic, you will receive a ConfigRuleEvaluationStarted notification when the evaluation starts.
You don't need to call the StartConfigRulesEvaluation API to run an evaluation for a new rule. When you create a rule, Config evaluates your resources against the rule automatically.
The StartConfigRulesEvaluation API is useful if you want to run on-demand evaluations, such as the following example:
You have a custom rule that evaluates your IAM resources every 24 hours.
You update your Lambda function to add additional conditions to your rule.
Instead of waiting for the next periodic evaluation, you call the StartConfigRulesEvaluation API.
Config invokes your Lambda function and evaluates your IAM resources.
Your custom rule will still run periodic evaluations every 24 hours.
Starts recording configurations of the Amazon Web Services resources you have selected to record in your Amazon Web Services account.
You must have created at least one delivery channel to successfully start the configuration recorder.
", "StartRemediationExecution": "Runs an on-demand remediation for the specified Config rules against the last known remediation configuration. It runs an execution against the current state of your resources. Remediation execution is asynchronous.
You can specify up to 100 resource keys per request. An existing StartRemediationExecution call for the specified resource keys must complete before you can call the API again.
", @@ -485,7 +485,7 @@ "ComplianceScore": { "base": null, "refs": { - "ConformancePackComplianceScore$Score": "Compliance score for the conformance pack.
" + "ConformancePackComplianceScore$Score": "Compliance score for the conformance pack. Conformance packs with no evaluation results will have a compliance score of INSUFFICIENT_DATA.
An Config rule represents an Lambda function that you create for a custom rule or a predefined function for an Config managed rule. The function evaluates configuration items to assess whether your Amazon Web Services resources comply with your desired configurations. This function can run when Config detects a configuration change to an Amazon Web Services resource and at a periodic frequency that you choose (for example, every 24 hours).
You can use the Amazon Web Services CLI and Amazon Web Services SDKs if you want to create a rule that triggers evaluations for your resources when Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
For more information about developing and using Config rules, see Evaluating Amazon Web Services resource Configurations with Config in the Config Developer Guide.
", + "base": "Config rules evaluate the configuration settings of your Amazon Web Services resources. A rule can run when Config detects a configuration change to an Amazon Web Services resource or at a periodic frequency that you choose (for example, every 24 hours). There are two types of rules: Config Managed Rules and Config Custom Rules. Managed rules are predefined, customizable rules created by Config. For a list of managed rules, see List of Config Managed Rules.
Custom rules are rules that you can create using either Guard or Lambda functions. Guard (Guard GitHub Repository) is a policy-as-code language that allows you to write policies that are enforced by Config Custom Policy rules. Lambda uses custom code that you upload to evaluate a custom rule. It is invoked by events that are published to it by an event source, which Config invokes when the custom rule is initiated.
For more information about developing and using Config rules, see Evaluating Amazon Web Services resource Configurations with Config in the Config Developer Guide.
You can use the Amazon Web Services CLI and Amazon Web Services SDKs if you want to create a rule that triggers evaluations for your resources when Config delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties.
The rule that you want to add to your account.
" @@ -778,7 +778,7 @@ } }, "ConformancePackComplianceScore": { - "base": "A compliance score is the percentage of the number of compliant rule-resource combinations in a conformance pack compared to the number of total possible rule-resource combinations in the conformance pack. This metric provides you with a high-level view of the compliance state of your conformance packs, and can be used to identify, investigate, and understand compliance deviations in your conformance packs.
", + "base": "A compliance score is the percentage of the number of compliant rule-resource combinations in a conformance pack compared to the number of total possible rule-resource combinations in the conformance pack. This metric provides you with a high-level view of the compliance state of your conformance packs, and can be used to identify, investigate, and understand the level of compliance in your conformance packs.
", "refs": { "ConformancePackComplianceScores$member": null } @@ -786,11 +786,11 @@ "ConformancePackComplianceScores": { "base": null, "refs": { - "ListConformancePackComplianceScoresResponse$ConformancePackComplianceScores": "A list of ConformancePackComplianceScore objects
A list of ConformancePackComplianceScore objects.
A list of filters to apply to the conformance pack compliance score result set.
", + "base": "A list of filters to apply to the conformance pack compliance score result set.
", "refs": { "ListConformancePackComplianceScoresRequest$Filters": "Filters the results based on the ConformancePackComplianceScoresFilters.
The name of a conformance pack whose score should be included in the compliance score result.
" + "ConformancePackComplianceScoresFilters$ConformancePackNames": "The names of the conformance packs whose compliance scores you want to include in the conformance pack compliance score result set. You can include up to 25 conformance packs in the ConformancePackNames array of strings, each with a character limit of 256 characters for the conformance pack name.
Indicates one of the following errors:
For PutConfigRule, the rule cannot be created because the IAM role assigned to Config lacks permissions to perform the config:Put* action.
For PutConfigRule, the Lambda function cannot be invoked. Check the function ARN, and check the function's permissions.
For PutOrganizationConfigRule, organization Config rule cannot be created because you do not have permissions to call IAM GetRole action or create a service linked role.
For PutConformancePack and PutOrganizationConformancePack, a conformance pack cannot be created because you do not have permissions:
To call IAM GetRole action or create a service linked role.
To read Amazon S3 bucket.
Indicates one of the following errors:
For PutConfigRule, the rule cannot be created because the IAM role assigned to Config lacks permissions to perform the config:Put* action.
For PutConfigRule, the Lambda function cannot be invoked. Check the function ARN, and check the function's permissions.
For PutOrganizationConfigRule, organization Config rule cannot be created because you do not have permissions to call IAM GetRole action or create a service-linked role.
For PutConformancePack and PutOrganizationConformancePack, a conformance pack cannot be created because you do not have permissions:
To call IAM GetRole action or create a service-linked role.
To read Amazon S3 bucket.
An object that specifies metadata for your organization's Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of Amazon Web Services resource, and organization trigger types that initiate Config to evaluate Amazon Web Services resources against a rule.
", "refs": { - "PutOrganizationConfigRuleRequest$OrganizationCustomPolicyRuleMetadata": "An object that specifies metadata for your organization's Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of Amazon Web Services resource, and organization trigger types that initiate Config to evaluate Amazon Web Services resources against a rule.
" + "PutOrganizationConfigRuleRequest$OrganizationCustomPolicyRuleMetadata": "An OrganizationCustomPolicyRuleMetadata object. This object specifies metadata for your organization's Config Custom Policy rule. The metadata includes the runtime system in use, which accounts have debug logging enabled, and other custom rule metadata, such as resource type, resource ID of Amazon Web Services resource, and organization trigger types that initiate Config to evaluate Amazon Web Services resources against a rule.
An object that specifies organization custom rule metadata such as resource type, resource ID of Amazon Web Services resource, Lambda function ARN, and organization trigger types that trigger Config to evaluate your Amazon Web Services resources against a rule. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.
", "refs": { "OrganizationConfigRule$OrganizationCustomRuleMetadata": "An OrganizationCustomRuleMetadata object.
An OrganizationCustomRuleMetadata object.
An OrganizationCustomRuleMetadata object. This object specifies organization custom rule metadata such as resource type, resource ID of Amazon Web Services resource, Lambda function ARN, and organization trigger types that trigger Config to evaluate your Amazon Web Services resources against a rule. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.
An object that specifies organization managed rule metadata such as resource type and ID of Amazon Web Services resource along with the rule identifier. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.
", "refs": { "OrganizationConfigRule$OrganizationManagedRuleMetadata": "An OrganizationManagedRuleMetadata object.
An OrganizationManagedRuleMetadata object.
An OrganizationManagedRuleMetadata object. This object specifies organization managed rule metadata such as resource type and ID of Amazon Web Services resource along with the rule identifier. It also provides the frequency with which you want Config to run evaluations for the rule if the trigger type is periodic.
Indicates whether Amazon Web Services or the customer owns and manages the Config rule.
Config Managed Rules are predefined rules owned by Amazon Web Services. For more information, see Config Managed Rules in the Config developer guide.
Config Custom Rules are rules that you can develop either with Guard (CUSTOM_POLICY) or Lambda (CUSTOM_LAMBDA). For more information, see Config Custom Rules in the Config developer guide.
Indicates whether Amazon Web Services or the customer owns and manages the Config rule.
Config Managed Rules are predefined rules owned by Amazon Web Services. For more information, see Config Managed Rules in the Config developer guide.
Config Custom Rules are rules that you can develop either with Guard (CUSTOM_POLICY) or Lambda (CUSTOM_LAMBDA). For more information, see Config Custom Rules in the Config developer guide.
Sorts your conformance pack compliance scores in either ascending or descending order, depending on SortOrder.
Sorts your conformance pack compliance scores in either ascending or descending order, depending on SortOrder.
By default, conformance pack compliance scores are sorted in ascending order by compliance score and alphabetically by name of the conformance pack if there is more than one conformance pack with the same compliance score.
" } }, "SortOrder": { "base": null, "refs": { - "ListConformancePackComplianceScoresRequest$SortOrder": "Determines the order in which conformance pack compliance scores are sorted. Either in ascending or descending order.
" + "ListConformancePackComplianceScoresRequest$SortOrder": "Determines the order in which conformance pack compliance scores are sorted. Either in ascending or descending order.
Conformance packs with a compliance score of INSUFFICIENT_DATA will be first when sorting by ascending order and last when sorting by descending order.
Provides the CustomPolicyDetails, the rule owner (Amazon Web Services or customer), the rule identifier, and the events that cause the evaluation of your Amazon Web Services resources.
", + "base": "Provides the CustomPolicyDetails, the rule owner (Amazon Web Services for managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the rule identifier, and the events that cause the evaluation of your Amazon Web Services resources.
Provides the rule owner (Amazon Web Services or customer), the rule identifier, and the notifications that cause the function to evaluate your Amazon Web Services resources.
" + "ConfigRule$Source": "Provides the rule owner (Amazon Web Services for managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the rule identifier, and the notifications that cause the function to evaluate your Amazon Web Services resources.
The message indicating that the recording failed due to an error.
", "DeleteRemediationConfigurationRequest$ResourceType": "The type of a resource.
", "DeliverConfigSnapshotResponse$configSnapshotId": "The ID of the snapshot that is being created.
", - "DeliveryChannel$s3BucketName": "The name of the Amazon S3 bucket to which Config delivers configuration snapshots and configuration history files.
If you specify a bucket that belongs to another Amazon Web Services account, that bucket must have policies that grant access permissions to Config. For more information, see Permissions for the Amazon S3 Bucket in the Config Developer Guide.
", + "DeliveryChannel$s3BucketName": "The name of the Amazon S3 bucket to which Config delivers configuration snapshots and configuration history files.
If you specify a bucket that belongs to another Amazon Web Services account, that bucket must have policies that grant access permissions to Config. For more information, see Permissions for the Amazon S3 Bucket in the Config Developer Guide.
", "DeliveryChannel$s3KeyPrefix": "The prefix for the specified Amazon S3 bucket.
", "DeliveryChannel$s3KmsKeyArn": "The Amazon Resource Name (ARN) of the Key Management Service (KMS ) KMS key (KMS key) used to encrypt objects delivered by Config. Must belong to the same Region as the destination S3 bucket.
", - "DeliveryChannel$snsTopicARN": "The Amazon Resource Name (ARN) of the Amazon SNS topic to which Config sends notifications about configuration changes.
If you choose a topic from another account, the topic must have policies that grant access permissions to Config. For more information, see Permissions for the Amazon SNS Topic in the Config Developer Guide.
", + "DeliveryChannel$snsTopicARN": "The Amazon Resource Name (ARN) of the Amazon SNS topic to which Config sends notifications about configuration changes.
If you choose a topic from another account, the topic must have policies that grant access permissions to Config. For more information, see Permissions for the Amazon SNS Topic in the Config Developer Guide.
", "DeliveryChannelStatus$name": "The name of the delivery channel.
", "DescribeAggregationAuthorizationsRequest$NextToken": "The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
The nextToken string returned on a previous page that you use to get the next page of results in a paginated response.
A string, in JSON format, that is passed to the Config rule Lambda function.
", "PutRemediationExceptionsRequest$Message": "The message contains an explanation of the exception.
", "RemediationConfiguration$Arn": "Amazon Resource Name (ARN) of remediation configuration.
", - "RemediationConfiguration$CreatedByService": "Name of the service that owns the service linked rule, if applicable.
", + "RemediationConfiguration$CreatedByService": "Name of the service that owns the service-linked rule, if applicable.
", "RemediationException$ResourceId": "The ID of the resource (for example., sg-xxxxxx).
", "RemediationException$Message": "An explanation of an remediation exception.
", "RemediationExceptionResourceKey$ResourceId": "The ID of the resource (for example., sg-xxxxxx).
" @@ -3328,7 +3328,7 @@ "ComplianceResourceTypes$member": null, "ComplianceSummaryByResourceType$ResourceType": "The type of Amazon Web Services resource.
", "ConfigRule$ConfigRuleArn": "The Amazon Resource Name (ARN) of the Config rule.
", - "ConfigRule$CreatedBy": "Service principal name of the service that created the rule.
The field is populated only if the service linked rule is created by a service. The field is empty if you create your own rule.
Service principal name of the service that created the rule.
The field is populated only if the service-linked rule is created by a service. The field is empty if you create your own rule.
Amazon Web Services service that created the configuration aggregator.
", "ConformancePackComplianceResourceIds$member": null, "ConformancePackDetail$CreatedBy": "Amazon Web Services service that created the conformance pack.
", diff --git a/models/apis/workspaces/2015-04-08/api-2.json b/models/apis/workspaces/2015-04-08/api-2.json index ffa43f2bb4..33a4b739f4 100644 --- a/models/apis/workspaces/2015-04-08/api-2.json +++ b/models/apis/workspaces/2015-04-08/api-2.json @@ -659,6 +659,21 @@ {"shape":"AccessDeniedException"} ] }, + "ModifySamlProperties":{ + "name":"ModifySamlProperties", + "http":{ + "method":"POST", + "requestUri":"/" + }, + "input":{"shape":"ModifySamlPropertiesRequest"}, + "output":{"shape":"ModifySamlPropertiesResult"}, + "errors":[ + {"shape":"AccessDeniedException"}, + {"shape":"InvalidParameterValuesException"}, + {"shape":"OperationNotSupportedException"}, + {"shape":"ResourceNotFoundException"} + ] + }, "ModifySelfservicePermissions":{ "name":"ModifySelfservicePermissions", "http":{ @@ -1467,6 +1482,17 @@ "EnableMaintenanceMode":{"shape":"BooleanObject"} } }, + "DeletableSamlPropertiesList":{ + "type":"list", + "member":{"shape":"DeletableSamlProperty"} + }, + "DeletableSamlProperty":{ + "type":"string", + "enum":[ + "SAML_PROPERTIES_USER_ACCESS_URL", + "SAML_PROPERTIES_RELAY_STATE_PARAMETER_NAME" + ] + }, "DeleteClientBrandingRequest":{ "type":"structure", "required":[ @@ -2165,6 +2191,20 @@ "members":{ } }, + "ModifySamlPropertiesRequest":{ + "type":"structure", + "required":["ResourceId"], + "members":{ + "ResourceId":{"shape":"DirectoryId"}, + "SamlProperties":{"shape":"SamlProperties"}, + "PropertiesToDelete":{"shape":"DeletableSamlPropertiesList"} + } + }, + "ModifySamlPropertiesResult":{ + "type":"structure", + "members":{ + } + }, "ModifySelfservicePermissionsRequest":{ "type":"structure", "required":[ @@ -2465,6 +2505,28 @@ ] }, "RunningModeAutoStopTimeoutInMinutes":{"type":"integer"}, + "SamlProperties":{ + "type":"structure", + "members":{ + "Status":{"shape":"SamlStatusEnum"}, + "UserAccessUrl":{"shape":"SamlUserAccessUrl"}, + "RelayStateParameterName":{"shape":"NonEmptyString"} + } + }, + "SamlStatusEnum":{ + "type":"string", + "enum":[ + "DISABLED", + "ENABLED", + "ENABLED_WITH_DIRECTORY_LOGIN_FALLBACK" + ] + }, + "SamlUserAccessUrl":{ + "type":"string", + "max":200, + "min":8, + "pattern":"^(http|https)\\://\\S+$" + }, "SecurityGroupId":{ "type":"string", "max":20, @@ -2840,7 +2902,8 @@ "ipGroupIds":{"shape":"IpGroupIdList"}, "WorkspaceAccessProperties":{"shape":"WorkspaceAccessProperties"}, "Tenancy":{"shape":"Tenancy"}, - "SelfservicePermissions":{"shape":"SelfservicePermissions"} + "SelfservicePermissions":{"shape":"SelfservicePermissions"}, + "SamlProperties":{"shape":"SamlProperties"} } }, "WorkspaceDirectoryState":{ diff --git a/models/apis/workspaces/2015-04-08/docs-2.json b/models/apis/workspaces/2015-04-08/docs-2.json index 64126b756e..6c027507e5 100644 --- a/models/apis/workspaces/2015-04-08/docs-2.json +++ b/models/apis/workspaces/2015-04-08/docs-2.json @@ -46,6 +46,7 @@ "MigrateWorkspace": "Migrates a WorkSpace from one operating system or bundle type to another, while retaining the data on the user volume.
The migration process recreates the WorkSpace by using a new root volume from the target bundle image and the user volume from the last available snapshot of the original WorkSpace. During migration, the original D:\\Users\\%USERNAME% user profile folder is renamed to D:\\Users\\%USERNAME%MMddyyTHHmmss%.NotMigrated. A new D:\\Users\\%USERNAME%\\ folder is generated by the new OS. Certain files in the old user profile are moved to the new user profile.
For available migration scenarios, details about what happens during migration, and best practices, see Migrate a WorkSpace.
", "ModifyAccount": "Modifies the configuration of Bring Your Own License (BYOL) for the specified account.
", "ModifyClientProperties": "Modifies the properties of the specified Amazon WorkSpaces clients.
", + "ModifySamlProperties": "Modifies multiple properties related to SAML 2.0 authentication, including the enablement status, user access URL, and relay state parameter name that are used for configuring federation with an SAML 2.0 identity provider.
", "ModifySelfservicePermissions": "Modifies the self-service WorkSpace management capabilities for your users. For more information, see Enable Self-Service WorkSpace Management Capabilities for Your Users.
", "ModifyWorkspaceAccessProperties": "Specifies which devices and operating systems users can use to access their WorkSpaces. For more information, see Control Device Access.
", "ModifyWorkspaceCreationProperties": "Modify the default properties used to create WorkSpaces.
", @@ -599,6 +600,18 @@ "WorkspaceDirectory$WorkspaceCreationProperties": "The default creation properties for all WorkSpaces in the directory.
" } }, + "DeletableSamlPropertiesList": { + "base": null, + "refs": { + "ModifySamlPropertiesRequest$PropertiesToDelete": "The SAML properties to delete as part of your request.
Specify one of the following options:
SAML_PROPERTIES_USER_ACCESS_URL to delete the user access URL.
SAML_PROPERTIES_RELAY_STATE_PARAMETER_NAME to delete the relay state parameter name.
The identifier of the directory.
", "ImportClientBrandingRequest$ResourceId": "The directory identifier of the WorkSpace for which you want to import client branding.
", + "ModifySamlPropertiesRequest$ResourceId": "The directory identifier for which you want to configure SAML properties.
", "ModifySelfservicePermissionsRequest$ResourceId": "The identifier of the directory.
", "ModifyWorkspaceAccessPropertiesRequest$ResourceId": "The identifier of the directory.
", "ModifyWorkspaceCreationPropertiesRequest$ResourceId": "The identifier of the directory.
", @@ -1262,6 +1276,16 @@ "refs": { } }, + "ModifySamlPropertiesRequest": { + "base": null, + "refs": { + } + }, + "ModifySamlPropertiesResult": { + "base": null, + "refs": { + } + }, "ModifySelfservicePermissionsRequest": { "base": null, "refs": { @@ -1327,6 +1351,7 @@ "ResourceNotFoundException$ResourceId": "The ID of the resource that could not be found.
", "ResourceUnavailableException$ResourceId": "The identifier of the resource that is not available.
", "RootStorage$Capacity": "The size of the root volume.
", + "SamlProperties$RelayStateParameterName": "The relay state parameter name supported by the SAML 2.0 identity provider (IdP). When the end user is redirected to the user access URL from the WorkSpaces client application, this relay state parameter name is appended as a query parameter to the URL along with the relay state endpoint to return the user to the client application session.
To use SAML 2.0 authentication with WorkSpaces, the IdP must support IdP-initiated deep linking for the relay state URL. Consult your IdP documentation for more information.
", "TagKeyList$member": null, "UserStorage$Capacity": "The size of the user volume.
", "WorkspaceBundle$Name": "The name of the bundle.
" @@ -1542,6 +1567,25 @@ "WorkspaceProperties$RunningModeAutoStopTimeoutInMinutes": "The time after a user logs off when WorkSpaces are automatically stopped. Configured in 60-minute intervals.
" } }, + "SamlProperties": { + "base": "Describes the enablement status, user access URL, and relay state parameter name that are used for configuring federation with an SAML 2.0 identity provider.
", + "refs": { + "ModifySamlPropertiesRequest$SamlProperties": "The properties for configuring SAML 2.0 authentication.
", + "WorkspaceDirectory$SamlProperties": "Describes the enablement status, user access URL, and relay state parameter name that are used for configuring federation with an SAML 2.0 identity provider.
" + } + }, + "SamlStatusEnum": { + "base": null, + "refs": { + "SamlProperties$Status": "Indicates the status of SAML 2.0 authentication. These statuses include the following.
If the setting is DISABLED, end users will be directed to login with their directory credentials.
If the setting is ENABLED, end users will be directed to login via the user access URL. Users attempting to connect to WorkSpaces from a client application that does not support SAML 2.0 authentication will not be able to connect.
If the setting is ENABLED_WITH_DIRECTORY_LOGIN_FALLBACK, end users will be directed to login via the user access URL on supported client applications, but will not prevent clients that do not support SAML 2.0 authentication from connecting as if SAML 2.0 authentication was disabled.
The SAML 2.0 identity provider (IdP) user access URL is the URL a user would navigate to in their web browser in order to federate from the IdP and directly access the application, without any SAML 2.0 service provider (SP) bindings.
" + } + }, "SecurityGroupId": { "base": null, "refs": { diff --git a/service/configservice/api.go b/service/configservice/api.go index 7ce6f2b9e3..6b5ecfd7c7 100644 --- a/service/configservice/api.go +++ b/service/configservice/api.go @@ -1325,11 +1325,11 @@ func (c *ConfigService) DeleteRemediationConfigurationRequest(input *DeleteRemed // // * For PutOrganizationConfigRule, organization Config rule cannot be created // because you do not have permissions to call IAM GetRole action or create -// a service linked role. +// a service-linked role. // // * For PutConformancePack and PutOrganizationConformancePack, a conformance // pack cannot be created because you do not have permissions: To call IAM -// GetRole action or create a service linked role. To read Amazon S3 bucket. +// GetRole action or create a service-linked role. To read Amazon S3 bucket. // // * InvalidParameterValueException // One or more of the specified parameters are invalid. Verify that your parameters @@ -8088,9 +8088,12 @@ func (c *ConfigService) ListConformancePackComplianceScoresRequest(input *ListCo // a conformance pack compared to the number of total possible rule-resource // combinations in the conformance pack. This metric provides you with a high-level // view of the compliance state of your conformance packs, and can be used to -// identify, investigate, and understand compliance deviations in your conformance +// identify, investigate, and understand the level of compliance in your conformance // packs. // +// Conformance packs with no evaluation results will have a compliance score +// of INSUFFICIENT_DATA. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -8784,23 +8787,30 @@ func (c *ConfigService) PutConfigRuleRequest(input *PutConfigRuleInput) (req *re // PutConfigRule API operation for AWS Config. // -// Adds or updates an Config rule for evaluating whether your Amazon Web Services -// resources comply with your desired configurations. -// -// You can use this action for Config custom rules and Config managed rules. -// A Config custom rule is a rule that you develop and maintain. An Config managed -// rule is a customizable, predefined rule that Config provides. +// Adds or updates an Config rule to evaluate if your Amazon Web Services resources +// comply with your desired configurations. For information on how many Config +// rules you can have per account, see Service Limits (https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) +// in the Config Developer Guide. // -// If you are adding a new Config custom rule, you must first create the Lambda -// function that the rule invokes to evaluate your resources. When you use the -// PutConfigRule action to add the rule to Config, you must specify the Amazon -// Resource Name (ARN) that Lambda assigns to the function. Specify the ARN -// for the SourceIdentifier key. This key is part of the Source object, which -// is part of the ConfigRule object. +// There are two types of rules: Config Custom Rules and Config Managed Rules. +// You can use PutConfigRule to create both Config custom rules and Config managed +// rules. // -// If you are adding an Config managed rule, specify the rule's identifier for -// the SourceIdentifier key. To reference Config managed rule identifiers, see -// About Config managed rules (https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_use-managed-rules.html). +// Custom rules are rules that you can create using either Guard or Lambda functions. +// Guard (Guard GitHub Repository (https://github.com/aws-cloudformation/cloudformation-guard)) +// is a policy-as-code language that allows you to write policies that are enforced +// by Config Custom Policy rules. Lambda uses custom code that you upload to +// evaluate a custom rule. If you are adding a new Custom Lambda rule, you first +// need to create an Lambda function that the rule invokes to evaluate your +// resources. When you use PutConfigRule to add a Custom Lambda rule to Config, +// you must specify the Amazon Resource Name (ARN) that Lambda assigns to the +// function. You specify the ARN in the SourceIdentifier key. This key is part +// of the Source object, which is part of the ConfigRule object. +// +// Managed rules are predefined, customizable rules created by Config. For a +// list of managed rules, see List of Config Managed Rules (https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). +// If you are adding an Config managed rule, you must specify the rule's identifier +// for the SourceIdentifier key. // // For any new rule that you add, specify the ConfigRuleName in the ConfigRule // object. Do not specify the ConfigRuleArn or the ConfigRuleId. These values @@ -8810,10 +8820,6 @@ func (c *ConfigService) PutConfigRuleRequest(input *PutConfigRuleInput) (req *re // rule by ConfigRuleName, ConfigRuleId, or ConfigRuleArn in the ConfigRule // data type that you use in this request. // -// For information on how many Config rules you can have per account, see Service -// Limits (https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) -// in the Config Developer Guide. -// // For more information about developing and using Config rules, see Evaluating // Amazon Web Services resource Configurations with Config (https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) // in the Config Developer Guide. @@ -8872,11 +8878,11 @@ func (c *ConfigService) PutConfigRuleRequest(input *PutConfigRuleInput) (req *re // // * For PutOrganizationConfigRule, organization Config rule cannot be created // because you do not have permissions to call IAM GetRole action or create -// a service linked role. +// a service-linked role. // // * For PutConformancePack and PutOrganizationConformancePack, a conformance // pack cannot be created because you do not have permissions: To call IAM -// GetRole action or create a service linked role. To read Amazon S3 bucket. +// GetRole action or create a service-linked role. To read Amazon S3 bucket. // // * NoAvailableConfigurationRecorderException // There are no configuration recorders available to provide the role needed @@ -9197,8 +9203,8 @@ func (c *ConfigService) PutConformancePackRequest(input *PutConformancePackInput // packs you can have per account, see Service Limits (https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) // in the Config Developer Guide. // -// This API creates a service linked role AWSServiceRoleForConfigConforms in -// your account. The service linked role is created only when the role does +// This API creates a service-linked role AWSServiceRoleForConfigConforms in +// your account. The service-linked role is created only when the role does // not exist in your account. // // You must specify either the TemplateS3Uri or the TemplateBody parameter, @@ -9224,11 +9230,11 @@ func (c *ConfigService) PutConformancePackRequest(input *PutConformancePackInput // // * For PutOrganizationConfigRule, organization Config rule cannot be created // because you do not have permissions to call IAM GetRole action or create -// a service linked role. +// a service-linked role. // // * For PutConformancePack and PutOrganizationConformancePack, a conformance // pack cannot be created because you do not have permissions: To call IAM -// GetRole action or create a service linked role. To read Amazon S3 bucket. +// GetRole action or create a service-linked role. To read Amazon S3 bucket. // // * ConformancePackTemplateValidationException // You have specified a template that is not valid or supported. @@ -9625,8 +9631,8 @@ func (c *ConfigService) PutOrganizationConfigRuleRequest(input *PutOrganizationC // PutOrganizationConfigRule API operation for AWS Config. // -// Adds or updates organization Config rule for your entire organization evaluating -// whether your Amazon Web Services resources comply with your desired configurations. +// Adds or updates an Config rule for your entire organization to evaluate if +// your Amazon Web Services resources comply with your desired configurations. // For information on how many organization Config rules you can have per account, // see Service Limits (https://docs.aws.amazon.com/config/latest/developerguide/configlimits.html) // in the Config Developer Guide. @@ -9637,29 +9643,42 @@ func (c *ConfigService) PutOrganizationConfigRuleRequest(input *PutOrganizationC // added. An organization can have up to 3 delegated administrators. // // This API enables organization service access through the EnableAWSServiceAccess -// action and creates a service linked role AWSServiceRoleForConfigMultiAccountSetup +// action and creates a service-linked role AWSServiceRoleForConfigMultiAccountSetup // in the master or delegated administrator account of your organization. The -// service linked role is created only when the role does not exist in the caller +// service-linked role is created only when the role does not exist in the caller // account. Config verifies the existence of role with GetRole action. // // To use this API with delegated administrator, register a delegated administrator // by calling Amazon Web Services Organization register-delegated-administrator // for config-multiaccountsetup.amazonaws.com. // -// You can use this action to create both Config custom rules and Config managed -// rules. If you are adding a new Config custom rule, you must first create -// Lambda function in the master account or a delegated administrator that the -// rule invokes to evaluate your resources. You also need to create an IAM role -// in the managed-account that can be assumed by the Lambda function. When you -// use the PutOrganizationConfigRule action to add the rule to Config, you must -// specify the Amazon Resource Name (ARN) that Lambda assigns to the function. -// If you are adding an Config managed rule, specify the rule's identifier for -// the RuleIdentifier key. +// There are two types of rules: Config Custom Rules and Config Managed Rules. +// You can use PutOrganizationConfigRule to create both Config custom rules +// and Config managed rules. +// +// Custom rules are rules that you can create using either Guard or Lambda functions. +// Guard (Guard GitHub Repository (https://github.com/aws-cloudformation/cloudformation-guard)) +// is a policy-as-code language that allows you to write policies that are enforced +// by Config Custom Policy rules. Lambda uses custom code that you upload to +// evaluate a custom rule. If you are adding a new Custom Lambda rule, you first +// need to create an Lambda function in the master account or a delegated administrator +// that the rule invokes to evaluate your resources. You also need to create +// an IAM role in the managed account that can be assumed by the Lambda function. +// When you use PutOrganizationConfigRule to add a Custom Lambda rule to Config, +// you must specify the Amazon Resource Name (ARN) that Lambda assigns to the +// function. +// +// Managed rules are predefined, customizable rules created by Config. For a +// list of managed rules, see List of Config Managed Rules (https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). +// If you are adding an Config managed rule, you must specify the rule's identifier +// for the RuleIdentifier key. // // Prerequisite: Ensure you call EnableAllFeatures API to enable all features // in an organization. // -// Specify either OrganizationCustomRuleMetadata or OrganizationManagedRuleMetadata. +// Make sure to specify one of either OrganizationCustomPolicyRuleMetadata for +// Custom Policy rules, OrganizationCustomRuleMetadata for Custom Lambda rules, +// or OrganizationManagedRuleMetadata for managed rules. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -9757,11 +9776,11 @@ func (c *ConfigService) PutOrganizationConfigRuleRequest(input *PutOrganizationC // // * For PutOrganizationConfigRule, organization Config rule cannot be created // because you do not have permissions to call IAM GetRole action or create -// a service linked role. +// a service-linked role. // // * For PutConformancePack and PutOrganizationConformancePack, a conformance // pack cannot be created because you do not have permissions: To call IAM -// GetRole action or create a service linked role. To read Amazon S3 bucket. +// GetRole action or create a service-linked role. To read Amazon S3 bucket. // // See also, https://docs.aws.amazon.com/goto/WebAPI/config-2014-11-12/PutOrganizationConfigRule func (c *ConfigService) PutOrganizationConfigRule(input *PutOrganizationConfigRuleInput) (*PutOrganizationConfigRuleOutput, error) { @@ -9840,9 +9859,9 @@ func (c *ConfigService) PutOrganizationConformancePackRequest(input *PutOrganiza // up to 3 delegated administrators. // // This API enables organization service access for config-multiaccountsetup.amazonaws.com -// through the EnableAWSServiceAccess action and creates a service linked role +// through the EnableAWSServiceAccess action and creates a service-linked role // AWSServiceRoleForConfigMultiAccountSetup in the master or delegated administrator -// account of your organization. The service linked role is created only when +// account of your organization. The service-linked role is created only when // the role does not exist in the caller account. To use this API with delegated // administrator, register a delegated administrator by calling Amazon Web Services // Organization register-delegate-admin for config-multiaccountsetup.amazonaws.com. @@ -9944,11 +9963,11 @@ func (c *ConfigService) PutOrganizationConformancePackRequest(input *PutOrganiza // // * For PutOrganizationConfigRule, organization Config rule cannot be created // because you do not have permissions to call IAM GetRole action or create -// a service linked role. +// a service-linked role. // // * For PutConformancePack and PutOrganizationConformancePack, a conformance // pack cannot be created because you do not have permissions: To call IAM -// GetRole action or create a service linked role. To read Amazon S3 bucket. +// GetRole action or create a service-linked role. To read Amazon S3 bucket. // // * OrganizationConformancePackTemplateValidationException // You have specified a template that is not valid or supported. @@ -10066,11 +10085,11 @@ func (c *ConfigService) PutRemediationConfigurationsRequest(input *PutRemediatio // // * For PutOrganizationConfigRule, organization Config rule cannot be created // because you do not have permissions to call IAM GetRole action or create -// a service linked role. +// a service-linked role. // // * For PutConformancePack and PutOrganizationConformancePack, a conformance // pack cannot be created because you do not have permissions: To call IAM -// GetRole action or create a service linked role. To read Amazon S3 bucket. +// GetRole action or create a service-linked role. To read Amazon S3 bucket. // // * InvalidParameterValueException // One or more of the specified parameters are invalid. Verify that your parameters @@ -10173,11 +10192,11 @@ func (c *ConfigService) PutRemediationExceptionsRequest(input *PutRemediationExc // // * For PutOrganizationConfigRule, organization Config rule cannot be created // because you do not have permissions to call IAM GetRole action or create -// a service linked role. +// a service-linked role. // // * For PutConformancePack and PutOrganizationConformancePack, a conformance // pack cannot be created because you do not have permissions: To call IAM -// GetRole action or create a service linked role. To read Amazon S3 bucket. +// GetRole action or create a service-linked role. To read Amazon S3 bucket. // // See also, https://docs.aws.amazon.com/goto/WebAPI/config-2014-11-12/PutRemediationExceptions func (c *ConfigService) PutRemediationExceptions(input *PutRemediationExceptionsInput) (*PutRemediationExceptionsOutput, error) { @@ -10292,11 +10311,11 @@ func (c *ConfigService) PutResourceConfigRequest(input *PutResourceConfigInput) // // * For PutOrganizationConfigRule, organization Config rule cannot be created // because you do not have permissions to call IAM GetRole action or create -// a service linked role. +// a service-linked role. // // * For PutConformancePack and PutOrganizationConformancePack, a conformance // pack cannot be created because you do not have permissions: To call IAM -// GetRole action or create a service linked role. To read Amazon S3 bucket. +// GetRole action or create a service-linked role. To read Amazon S3 bucket. // // * NoRunningConfigurationRecorderException // There is no configuration recorder running. @@ -11138,11 +11157,11 @@ func (c *ConfigService) StartRemediationExecutionRequest(input *StartRemediation // // * For PutOrganizationConfigRule, organization Config rule cannot be created // because you do not have permissions to call IAM GetRole action or create -// a service linked role. +// a service-linked role. // // * For PutConformancePack and PutOrganizationConformancePack, a conformance // pack cannot be created because you do not have permissions: To call IAM -// GetRole action or create a service linked role. To read Amazon S3 bucket. +// GetRole action or create a service-linked role. To read Amazon S3 bucket. // // * NoSuchRemediationConfigurationException // You specified an Config rule without a remediation configuration. @@ -13083,20 +13102,28 @@ func (s *ConfigExportDeliveryInfo) SetNextDeliveryTime(v time.Time) *ConfigExpor return s } -// An Config rule represents an Lambda function that you create for a custom -// rule or a predefined function for an Config managed rule. The function evaluates -// configuration items to assess whether your Amazon Web Services resources -// comply with your desired configurations. This function can run when Config -// detects a configuration change to an Amazon Web Services resource and at -// a periodic frequency that you choose (for example, every 24 hours). +// Config rules evaluate the configuration settings of your Amazon Web Services +// resources. A rule can run when Config detects a configuration change to an +// Amazon Web Services resource or at a periodic frequency that you choose (for +// example, every 24 hours). There are two types of rules: Config Managed Rules +// and Config Custom Rules. Managed rules are predefined, customizable rules +// created by Config. For a list of managed rules, see List of Config Managed +// Rules (https://docs.aws.amazon.com/config/latest/developerguide/managed-rules-by-aws-config.html). // -// You can use the Amazon Web Services CLI and Amazon Web Services SDKs if you -// want to create a rule that triggers evaluations for your resources when Config -// delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties. +// Custom rules are rules that you can create using either Guard or Lambda functions. +// Guard (Guard GitHub Repository (https://github.com/aws-cloudformation/cloudformation-guard)) +// is a policy-as-code language that allows you to write policies that are enforced +// by Config Custom Policy rules. Lambda uses custom code that you upload to +// evaluate a custom rule. It is invoked by events that are published to it +// by an event source, which Config invokes when the custom rule is initiated. // // For more information about developing and using Config rules, see Evaluating // Amazon Web Services resource Configurations with Config (https://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html) // in the Config Developer Guide. +// +// You can use the Amazon Web Services CLI and Amazon Web Services SDKs if you +// want to create a rule that triggers evaluations for your resources when Config +// delivers the configuration snapshot. For more information, see ConfigSnapshotDeliveryProperties. type ConfigRule struct { _ struct{} `type:"structure"` @@ -13128,7 +13155,7 @@ type ConfigRule struct { // Service principal name of the service that created the rule. // - // The field is populated only if the service linked rule is created by a service. + // The field is populated only if the service-linked rule is created by a service. // The field is empty if you create your own rule. CreatedBy *string `min:"1" type:"string"` @@ -13161,9 +13188,10 @@ type ConfigRule struct { // The scope can be empty. Scope *Scope `type:"structure"` - // Provides the rule owner (Amazon Web Services or customer), the rule identifier, - // and the notifications that cause the function to evaluate your Amazon Web - // Services resources. + // Provides the rule owner (Amazon Web Services for managed rules, CUSTOM_POLICY + // for Custom Policy rules, and CUSTOM_LAMBDA for Custom Lambda rules), the + // rule identifier, and the notifications that cause the function to evaluate + // your Amazon Web Services resources. // // Source is a required field Source *Source `type:"structure" required:"true"` @@ -14242,7 +14270,7 @@ func (s *ConformancePackComplianceFilters) SetConfigRuleNames(v []*string) *Conf // combinations in a conformance pack compared to the number of total possible // rule-resource combinations in the conformance pack. This metric provides // you with a high-level view of the compliance state of your conformance packs, -// and can be used to identify, investigate, and understand compliance deviations +// and can be used to identify, investigate, and understand the level of compliance // in your conformance packs. type ConformancePackComplianceScore struct { _ struct{} `type:"structure"` @@ -14253,7 +14281,8 @@ type ConformancePackComplianceScore struct { // The time that the conformance pack compliance score was last updated. LastUpdatedTime *time.Time `type:"timestamp"` - // Compliance score for the conformance pack. + // Compliance score for the conformance pack. Conformance packs with no evaluation + // results will have a compliance score of INSUFFICIENT_DATA. Score *string `type:"string"` } @@ -14298,8 +14327,10 @@ func (s *ConformancePackComplianceScore) SetScore(v string) *ConformancePackComp type ConformancePackComplianceScoresFilters struct { _ struct{} `type:"structure"` - // The name of a conformance pack whose score should be included in the compliance - // score result. + // The names of the conformance packs whose compliance scores you want to include + // in the conformance pack compliance score result set. You can include up to + // 25 conformance packs in the ConformancePackNames array of strings, each with + // a character limit of 256 characters for the conformance pack name. // // ConformancePackNames is a required field ConformancePackNames []*string `min:"1" type:"list" required:"true"` @@ -21723,11 +21754,11 @@ func (s *InsufficientDeliveryPolicyException) RequestID() string { // // * For PutOrganizationConfigRule, organization Config rule cannot be created // because you do not have permissions to call IAM GetRole action or create -// a service linked role. +// a service-linked role. // // * For PutConformancePack and PutOrganizationConformancePack, a conformance // pack cannot be created because you do not have permissions: To call IAM -// GetRole action or create a service linked role. To read Amazon S3 bucket. +// GetRole action or create a service-linked role. To read Amazon S3 bucket. type InsufficientPermissionsException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -22915,10 +22946,17 @@ type ListConformancePackComplianceScoresInput struct { // Sorts your conformance pack compliance scores in either ascending or descending // order, depending on SortOrder. + // + // By default, conformance pack compliance scores are sorted in ascending order + // by compliance score and alphabetically by name of the conformance pack if + // there is more than one conformance pack with the same compliance score. SortBy *string `type:"string" enum:"SortBy"` // Determines the order in which conformance pack compliance scores are sorted. // Either in ascending or descending order. + // + // Conformance packs with a compliance score of INSUFFICIENT_DATA will be first + // when sorting by ascending order and last when sorting by descending order. SortOrder *string `type:"string" enum:"SortOrder"` } @@ -22988,7 +23026,7 @@ func (s *ListConformancePackComplianceScoresInput) SetSortOrder(v string) *ListC type ListConformancePackComplianceScoresOutput struct { _ struct{} `type:"structure"` - // A list of ConformancePackComplianceScore objects + // A list of ConformancePackComplianceScore objects. // // ConformancePackComplianceScores is a required field ConformancePackComplianceScores []*ConformancePackComplianceScore `type:"list" required:"true"` @@ -27514,18 +27552,27 @@ type PutOrganizationConfigRuleInput struct { // OrganizationConfigRuleName is a required field OrganizationConfigRuleName *string `min:"1" type:"string" required:"true"` - // An object that specifies metadata for your organization's Config Custom Policy - // rule. The metadata includes the runtime system in use, which accounts have - // debug logging enabled, and other custom rule metadata, such as resource type, - // resource ID of Amazon Web Services resource, and organization trigger types - // that initiate Config to evaluate Amazon Web Services resources against a - // rule. + // An OrganizationCustomPolicyRuleMetadata object. This object specifies metadata + // for your organization's Config Custom Policy rule. The metadata includes + // the runtime system in use, which accounts have debug logging enabled, and + // other custom rule metadata, such as resource type, resource ID of Amazon + // Web Services resource, and organization trigger types that initiate Config + // to evaluate Amazon Web Services resources against a rule. OrganizationCustomPolicyRuleMetadata *OrganizationCustomPolicyRuleMetadata `type:"structure"` - // An OrganizationCustomRuleMetadata object. + // An OrganizationCustomRuleMetadata object. This object specifies organization + // custom rule metadata such as resource type, resource ID of Amazon Web Services + // resource, Lambda function ARN, and organization trigger types that trigger + // Config to evaluate your Amazon Web Services resources against a rule. It + // also provides the frequency with which you want Config to run evaluations + // for the rule if the trigger type is periodic. OrganizationCustomRuleMetadata *OrganizationCustomRuleMetadata `type:"structure"` - // An OrganizationManagedRuleMetadata object. + // An OrganizationManagedRuleMetadata object. This object specifies organization + // managed rule metadata such as resource type and ID of Amazon Web Services + // resource along with the rule identifier. It also provides the frequency with + // which you want Config to run evaluations for the rule if the trigger type + // is periodic. OrganizationManagedRuleMetadata *OrganizationManagedRuleMetadata `type:"structure"` } @@ -28568,7 +28615,7 @@ type RemediationConfiguration struct { // ConfigRuleName is a required field ConfigRuleName *string `min:"1" type:"string" required:"true"` - // Name of the service that owns the service linked rule, if applicable. + // Name of the service that owns the service-linked rule, if applicable. CreatedByService *string `min:"1" type:"string"` // An ExecutionControls object. @@ -30188,9 +30235,10 @@ func (s *SelectResourceConfigOutput) SetResults(v []*string) *SelectResourceConf return s } -// Provides the CustomPolicyDetails, the rule owner (Amazon Web Services or -// customer), the rule identifier, and the events that cause the evaluation -// of your Amazon Web Services resources. +// Provides the CustomPolicyDetails, the rule owner (Amazon Web Services for +// managed rules, CUSTOM_POLICY for Custom Policy rules, and CUSTOM_LAMBDA for +// Custom Lambda rules), the rule identifier, and the events that cause the +// evaluation of your Amazon Web Services resources. type Source struct { _ struct{} `type:"structure"` diff --git a/service/configservice/errors.go b/service/configservice/errors.go index 7d3db4b518..3c5a2f4396 100644 --- a/service/configservice/errors.go +++ b/service/configservice/errors.go @@ -33,11 +33,11 @@ const ( // // * For PutOrganizationConfigRule, organization Config rule cannot be created // because you do not have permissions to call IAM GetRole action or create - // a service linked role. + // a service-linked role. // // * For PutConformancePack and PutOrganizationConformancePack, a conformance // pack cannot be created because you do not have permissions: To call IAM - // GetRole action or create a service linked role. To read Amazon S3 bucket. + // GetRole action or create a service-linked role. To read Amazon S3 bucket. ErrCodeInsufficientPermissionsException = "InsufficientPermissionsException" // ErrCodeInvalidConfigurationRecorderNameException for service response error code diff --git a/service/workspaces/api.go b/service/workspaces/api.go index cf1681963d..069c02be55 100644 --- a/service/workspaces/api.go +++ b/service/workspaces/api.go @@ -4200,6 +4200,97 @@ func (c *WorkSpaces) ModifyClientPropertiesWithContext(ctx aws.Context, input *M return out, req.Send() } +const opModifySamlProperties = "ModifySamlProperties" + +// ModifySamlPropertiesRequest generates a "aws/request.Request" representing the +// client's request for the ModifySamlProperties operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ModifySamlProperties for more information on using the ModifySamlProperties +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ModifySamlPropertiesRequest method. +// req, resp := client.ModifySamlPropertiesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/workspaces-2015-04-08/ModifySamlProperties +func (c *WorkSpaces) ModifySamlPropertiesRequest(input *ModifySamlPropertiesInput) (req *request.Request, output *ModifySamlPropertiesOutput) { + op := &request.Operation{ + Name: opModifySamlProperties, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ModifySamlPropertiesInput{} + } + + output = &ModifySamlPropertiesOutput{} + req = c.newRequest(op, input, output) + req.Handlers.Unmarshal.Swap(jsonrpc.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) + return +} + +// ModifySamlProperties API operation for Amazon WorkSpaces. +// +// Modifies multiple properties related to SAML 2.0 authentication, including +// the enablement status, user access URL, and relay state parameter name that +// are used for configuring federation with an SAML 2.0 identity provider. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon WorkSpaces's +// API operation ModifySamlProperties for usage and error information. +// +// Returned Error Types: +// * AccessDeniedException +// The user is not authorized to access a resource. +// +// * InvalidParameterValuesException +// One or more parameter values are not valid. +// +// * OperationNotSupportedException +// This operation is not supported. +// +// * ResourceNotFoundException +// The resource could not be found. +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/workspaces-2015-04-08/ModifySamlProperties +func (c *WorkSpaces) ModifySamlProperties(input *ModifySamlPropertiesInput) (*ModifySamlPropertiesOutput, error) { + req, out := c.ModifySamlPropertiesRequest(input) + return out, req.Send() +} + +// ModifySamlPropertiesWithContext is the same as ModifySamlProperties with the addition of +// the ability to pass a context and additional request options. +// +// See ModifySamlProperties for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *WorkSpaces) ModifySamlPropertiesWithContext(ctx aws.Context, input *ModifySamlPropertiesInput, opts ...request.Option) (*ModifySamlPropertiesOutput, error) { + req, out := c.ModifySamlPropertiesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opModifySelfservicePermissions = "ModifySelfservicePermissions" // ModifySelfservicePermissionsRequest generates a "aws/request.Request" representing the @@ -12021,6 +12112,107 @@ func (s ModifyClientPropertiesOutput) GoString() string { return s.String() } +type ModifySamlPropertiesInput struct { + _ struct{} `type:"structure"` + + // The SAML properties to delete as part of your request. + // + // Specify one of the following options: + // + // * SAML_PROPERTIES_USER_ACCESS_URL to delete the user access URL. + // + // * SAML_PROPERTIES_RELAY_STATE_PARAMETER_NAME to delete the relay state + // parameter name. + PropertiesToDelete []*string `type:"list" enum:"DeletableSamlProperty"` + + // The directory identifier for which you want to configure SAML properties. + // + // ResourceId is a required field + ResourceId *string `min:"10" type:"string" required:"true"` + + // The properties for configuring SAML 2.0 authentication. + SamlProperties *SamlProperties `type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ModifySamlPropertiesInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ModifySamlPropertiesInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ModifySamlPropertiesInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ModifySamlPropertiesInput"} + if s.ResourceId == nil { + invalidParams.Add(request.NewErrParamRequired("ResourceId")) + } + if s.ResourceId != nil && len(*s.ResourceId) < 10 { + invalidParams.Add(request.NewErrParamMinLen("ResourceId", 10)) + } + if s.SamlProperties != nil { + if err := s.SamlProperties.Validate(); err != nil { + invalidParams.AddNested("SamlProperties", err.(request.ErrInvalidParams)) + } + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetPropertiesToDelete sets the PropertiesToDelete field's value. +func (s *ModifySamlPropertiesInput) SetPropertiesToDelete(v []*string) *ModifySamlPropertiesInput { + s.PropertiesToDelete = v + return s +} + +// SetResourceId sets the ResourceId field's value. +func (s *ModifySamlPropertiesInput) SetResourceId(v string) *ModifySamlPropertiesInput { + s.ResourceId = &v + return s +} + +// SetSamlProperties sets the SamlProperties field's value. +func (s *ModifySamlPropertiesInput) SetSamlProperties(v *SamlProperties) *ModifySamlPropertiesInput { + s.SamlProperties = v + return s +} + +type ModifySamlPropertiesOutput struct { + _ struct{} `type:"structure"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ModifySamlPropertiesOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s ModifySamlPropertiesOutput) GoString() string { + return s.String() +} + type ModifySelfservicePermissionsInput struct { _ struct{} `type:"structure"` @@ -13619,6 +13811,97 @@ func (s *RootStorage) SetCapacity(v string) *RootStorage { return s } +// Describes the enablement status, user access URL, and relay state parameter +// name that are used for configuring federation with an SAML 2.0 identity provider. +type SamlProperties struct { + _ struct{} `type:"structure"` + + // The relay state parameter name supported by the SAML 2.0 identity provider + // (IdP). When the end user is redirected to the user access URL from the WorkSpaces + // client application, this relay state parameter name is appended as a query + // parameter to the URL along with the relay state endpoint to return the user + // to the client application session. + // + // To use SAML 2.0 authentication with WorkSpaces, the IdP must support IdP-initiated + // deep linking for the relay state URL. Consult your IdP documentation for + // more information. + RelayStateParameterName *string `min:"1" type:"string"` + + // Indicates the status of SAML 2.0 authentication. These statuses include the + // following. + // + // * If the setting is DISABLED, end users will be directed to login with + // their directory credentials. + // + // * If the setting is ENABLED, end users will be directed to login via the + // user access URL. Users attempting to connect to WorkSpaces from a client + // application that does not support SAML 2.0 authentication will not be + // able to connect. + // + // * If the setting is ENABLED_WITH_DIRECTORY_LOGIN_FALLBACK, end users will + // be directed to login via the user access URL on supported client applications, + // but will not prevent clients that do not support SAML 2.0 authentication + // from connecting as if SAML 2.0 authentication was disabled. + Status *string `type:"string" enum:"SamlStatusEnum"` + + // The SAML 2.0 identity provider (IdP) user access URL is the URL a user would + // navigate to in their web browser in order to federate from the IdP and directly + // access the application, without any SAML 2.0 service provider (SP) bindings. + UserAccessUrl *string `min:"8" type:"string"` +} + +// String returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s SamlProperties) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation. +// +// API parameter values that are decorated as "sensitive" in the API will not +// be included in the string output. The member name will be present, but the +// value will be replaced with "sensitive". +func (s SamlProperties) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *SamlProperties) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "SamlProperties"} + if s.RelayStateParameterName != nil && len(*s.RelayStateParameterName) < 1 { + invalidParams.Add(request.NewErrParamMinLen("RelayStateParameterName", 1)) + } + if s.UserAccessUrl != nil && len(*s.UserAccessUrl) < 8 { + invalidParams.Add(request.NewErrParamMinLen("UserAccessUrl", 8)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetRelayStateParameterName sets the RelayStateParameterName field's value. +func (s *SamlProperties) SetRelayStateParameterName(v string) *SamlProperties { + s.RelayStateParameterName = &v + return s +} + +// SetStatus sets the Status field's value. +func (s *SamlProperties) SetStatus(v string) *SamlProperties { + s.Status = &v + return s +} + +// SetUserAccessUrl sets the UserAccessUrl field's value. +func (s *SamlProperties) SetUserAccessUrl(v string) *SamlProperties { + s.UserAccessUrl = &v + return s +} + // Describes the self-service permissions for a directory. For more information, // see Enable Self-Service WorkSpace Management Capabilities for Your Users // (https://docs.aws.amazon.com/workspaces/latest/adminguide/enable-user-self-service-workspace-management.html). @@ -15404,6 +15687,10 @@ type WorkspaceDirectory struct { // in their Amazon WorkSpaces client application to connect to the directory. RegistrationCode *string `min:"1" type:"string"` + // Describes the enablement status, user access URL, and relay state parameter + // name that are used for configuring federation with an SAML 2.0 identity provider. + SamlProperties *SamlProperties `type:"structure"` + // The default self-service permissions for WorkSpaces in the directory. SelfservicePermissions *SelfservicePermissions `type:"structure"` @@ -15506,6 +15793,12 @@ func (s *WorkspaceDirectory) SetRegistrationCode(v string) *WorkspaceDirectory { return s } +// SetSamlProperties sets the SamlProperties field's value. +func (s *WorkspaceDirectory) SetSamlProperties(v *SamlProperties) *WorkspaceDirectory { + s.SamlProperties = v + return s +} + // SetSelfservicePermissions sets the SelfservicePermissions field's value. func (s *WorkspaceDirectory) SetSelfservicePermissions(v *SelfservicePermissions) *WorkspaceDirectory { s.SelfservicePermissions = v @@ -16177,6 +16470,22 @@ func DedicatedTenancySupportResultEnum_Values() []string { } } +const ( + // DeletableSamlPropertySamlPropertiesUserAccessUrl is a DeletableSamlProperty enum value + DeletableSamlPropertySamlPropertiesUserAccessUrl = "SAML_PROPERTIES_USER_ACCESS_URL" + + // DeletableSamlPropertySamlPropertiesRelayStateParameterName is a DeletableSamlProperty enum value + DeletableSamlPropertySamlPropertiesRelayStateParameterName = "SAML_PROPERTIES_RELAY_STATE_PARAMETER_NAME" +) + +// DeletableSamlProperty_Values returns all elements of the DeletableSamlProperty enum +func DeletableSamlProperty_Values() []string { + return []string{ + DeletableSamlPropertySamlPropertiesUserAccessUrl, + DeletableSamlPropertySamlPropertiesRelayStateParameterName, + } +} + const ( // ImageTypeOwned is a ImageType enum value ImageTypeOwned = "OWNED" @@ -16277,6 +16586,26 @@ func RunningMode_Values() []string { } } +const ( + // SamlStatusEnumDisabled is a SamlStatusEnum enum value + SamlStatusEnumDisabled = "DISABLED" + + // SamlStatusEnumEnabled is a SamlStatusEnum enum value + SamlStatusEnumEnabled = "ENABLED" + + // SamlStatusEnumEnabledWithDirectoryLoginFallback is a SamlStatusEnum enum value + SamlStatusEnumEnabledWithDirectoryLoginFallback = "ENABLED_WITH_DIRECTORY_LOGIN_FALLBACK" +) + +// SamlStatusEnum_Values returns all elements of the SamlStatusEnum enum +func SamlStatusEnum_Values() []string { + return []string{ + SamlStatusEnumDisabled, + SamlStatusEnumEnabled, + SamlStatusEnumEnabledWithDirectoryLoginFallback, + } +} + const ( // TargetWorkspaceStateAvailable is a TargetWorkspaceState enum value TargetWorkspaceStateAvailable = "AVAILABLE" diff --git a/service/workspaces/workspacesiface/interface.go b/service/workspaces/workspacesiface/interface.go index f6f73a12bd..687684b155 100644 --- a/service/workspaces/workspacesiface/interface.go +++ b/service/workspaces/workspacesiface/interface.go @@ -245,6 +245,10 @@ type WorkSpacesAPI interface { ModifyClientPropertiesWithContext(aws.Context, *workspaces.ModifyClientPropertiesInput, ...request.Option) (*workspaces.ModifyClientPropertiesOutput, error) ModifyClientPropertiesRequest(*workspaces.ModifyClientPropertiesInput) (*request.Request, *workspaces.ModifyClientPropertiesOutput) + ModifySamlProperties(*workspaces.ModifySamlPropertiesInput) (*workspaces.ModifySamlPropertiesOutput, error) + ModifySamlPropertiesWithContext(aws.Context, *workspaces.ModifySamlPropertiesInput, ...request.Option) (*workspaces.ModifySamlPropertiesOutput, error) + ModifySamlPropertiesRequest(*workspaces.ModifySamlPropertiesInput) (*request.Request, *workspaces.ModifySamlPropertiesOutput) + ModifySelfservicePermissions(*workspaces.ModifySelfservicePermissionsInput) (*workspaces.ModifySelfservicePermissionsOutput, error) ModifySelfservicePermissionsWithContext(aws.Context, *workspaces.ModifySelfservicePermissionsInput, ...request.Option) (*workspaces.ModifySelfservicePermissionsOutput, error) ModifySelfservicePermissionsRequest(*workspaces.ModifySelfservicePermissionsInput) (*request.Request, *workspaces.ModifySelfservicePermissionsOutput)