diff --git a/go.mod b/go.mod index aa025eab4..d432e7e0a 100644 --- a/go.mod +++ b/go.mod @@ -3,7 +3,7 @@ module github.com/ceph/ceph-csi go 1.16 require ( - github.com/aws/aws-sdk-go v1.38.63 + github.com/aws/aws-sdk-go v1.40.34 github.com/ceph/go-ceph v0.11.0 github.com/container-storage-interface/spec v1.5.0 github.com/csi-addons/replication-lib-utils v0.2.0 diff --git a/go.sum b/go.sum index a4d60eed9..78a89b70f 100644 --- a/go.sum +++ b/go.sum @@ -133,8 +133,8 @@ github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi github.com/aws/aws-sdk-go v1.30.27/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= github.com/aws/aws-sdk-go v1.35.24/go.mod h1:tlPOdRjfxPBpNIwqDj61rmsnA85v9jc0Ps9+muhnW+k= github.com/aws/aws-sdk-go v1.38.49/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= -github.com/aws/aws-sdk-go v1.38.63 h1:BqPxe0sujTRTbir6OWj0f1VmeJcAIv7ZhTCAhaU1zmE= -github.com/aws/aws-sdk-go v1.38.63/go.mod h1:hcU610XS61/+aQV88ixoOzUoG7v3b31pl2zKMmprdro= +github.com/aws/aws-sdk-go v1.40.34 h1:SBYmodndE2d4AYucuuJnOXk4MD1SFbucoIdpwKVKeSA= +github.com/aws/aws-sdk-go v1.40.34/go.mod h1:585smgzpB/KqRA+K3y/NL/oYRqQvpNJYvLm+LY1U59Q= github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc= github.com/benbjohnson/clock v1.0.3/go.mod h1:bGMdMPoPVvcYyt1gHDf4J2KE153Yf9BuiUKYMaxlTDM= github.com/benbjohnson/clock v1.1.0 h1:Q92kusRqC1XV2MjkWETPvjJVqKetz1OzxZB7mHJLju8= @@ -1157,8 +1157,9 @@ golang.org/x/net v0.0.0-20201224014010-6772e930b67b/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM= golang.org/x/net v0.0.0-20210428140749-89ef3d95e781/go.mod h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= -golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 h1:ADo5wSpq2gqaCGQWzk7S5vd//0iyyLeAratkEoG5dLE= golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= +golang.org/x/net v0.0.0-20210614182718-04defd469f4e h1:XpT3nA5TvE525Ne3hInMh6+GETgn27Zfm9dxsThnX2Q= +golang.org/x/net v0.0.0-20210614182718-04defd469f4e/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20181203162652-d668ce993890/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190130055435-99b60b757ec1/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= diff --git a/vendor/github.com/aws/aws-sdk-go/aws/awsutil/prettify.go b/vendor/github.com/aws/aws-sdk-go/aws/awsutil/prettify.go index 710eb432f..11d4240d6 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/awsutil/prettify.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/awsutil/prettify.go @@ -50,9 +50,19 @@ func prettify(v reflect.Value, indent int, buf *bytes.Buffer) { for i, n := range names { val := v.FieldByName(n) + ft, ok := v.Type().FieldByName(n) + if !ok { + panic(fmt.Sprintf("expected to find field %v on type %v, but was not found", n, v.Type())) + } + buf.WriteString(strings.Repeat(" ", indent+2)) buf.WriteString(n + ": ") - prettify(val, indent+2, buf) + + if tag := ft.Tag.Get("sensitive"); tag == "true" { + buf.WriteString("") + } else { + prettify(val, indent+2, buf) + } if i < len(names)-1 { buf.WriteString(",\n") diff --git a/vendor/github.com/aws/aws-sdk-go/aws/awsutil/string_value.go b/vendor/github.com/aws/aws-sdk-go/aws/awsutil/string_value.go index 645df2450..3f7cffd95 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/awsutil/string_value.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/awsutil/string_value.go @@ -8,6 +8,8 @@ import ( ) // StringValue returns the string representation of a value. +// +// Deprecated: Use Prettify instead. func StringValue(i interface{}) string { var buf bytes.Buffer stringValue(reflect.ValueOf(i), 0, &buf) diff --git a/vendor/github.com/aws/aws-sdk-go/aws/context_1_5.go b/vendor/github.com/aws/aws-sdk-go/aws/context_1_5.go index 2866f9a7f..89aad2c67 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/context_1_5.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/context_1_5.go @@ -1,3 +1,4 @@ +//go:build !go1.9 // +build !go1.9 package aws diff --git a/vendor/github.com/aws/aws-sdk-go/aws/context_1_9.go b/vendor/github.com/aws/aws-sdk-go/aws/context_1_9.go index 3718b26e1..6ee9ddd18 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/context_1_9.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/context_1_9.go @@ -1,3 +1,4 @@ +//go:build go1.9 // +build go1.9 package aws diff --git a/vendor/github.com/aws/aws-sdk-go/aws/context_background_1_5.go b/vendor/github.com/aws/aws-sdk-go/aws/context_background_1_5.go index 2f9446333..313218190 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/context_background_1_5.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/context_background_1_5.go @@ -1,3 +1,4 @@ +//go:build !go1.7 // +build !go1.7 package aws diff --git a/vendor/github.com/aws/aws-sdk-go/aws/context_background_1_7.go b/vendor/github.com/aws/aws-sdk-go/aws/context_background_1_7.go index 9c29f29af..9975d561b 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/context_background_1_7.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/context_background_1_7.go @@ -1,3 +1,4 @@ +//go:build go1.7 // +build go1.7 package aws diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_background_go1.5.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_background_go1.5.go index 5852b2648..6e3406b1f 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_background_go1.5.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_background_go1.5.go @@ -1,3 +1,4 @@ +//go:build !go1.7 // +build !go1.7 package credentials diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_background_go1.7.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_background_go1.7.go index 388b21541..a68df0ee7 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_background_go1.7.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_background_go1.7.go @@ -1,3 +1,4 @@ +//go:build go1.7 // +build go1.7 package credentials diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_go1.5.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_go1.5.go index 8152a864a..0345fab2d 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_go1.5.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_go1.5.go @@ -1,3 +1,4 @@ +//go:build !go1.9 // +build !go1.9 package credentials diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_go1.9.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_go1.9.go index 4356edb3d..79018aba7 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_go1.9.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/context_go1.9.go @@ -1,3 +1,4 @@ +//go:build go1.9 // +build go1.9 package credentials diff --git a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/os.go b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/os.go index ceca7dcee..d4df39a7a 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/os.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/credentials/ssocreds/os.go @@ -1,3 +1,4 @@ +//go:build !windows // +build !windows package ssocreds diff --git a/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/service.go b/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/service.go index 8f35b3464..df63bade1 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/service.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/ec2metadata/service.go @@ -13,7 +13,6 @@ package ec2metadata import ( "bytes" - "errors" "io" "net/http" "net/url" @@ -234,7 +233,8 @@ func unmarshalError(r *request.Request) { // Response body format is not consistent between metadata endpoints. // Grab the error message as a string and include that as the source error - r.Error = awserr.NewRequestFailure(awserr.New("EC2MetadataError", "failed to make EC2Metadata request", errors.New(b.String())), + r.Error = awserr.NewRequestFailure( + awserr.New("EC2MetadataError", "failed to make EC2Metadata request\n"+b.String(), nil), r.HTTPResponse.StatusCode, r.RequestID) } diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/decode.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/decode.go index 654fb1ad5..b98ea8698 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/decode.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/decode.go @@ -81,7 +81,6 @@ func decodeV3Endpoints(modelDef modelDefinition, opts DecodeModelOptions) (Resol // Customization for i := 0; i < len(ps); i++ { p := &ps[i] - custAddEC2Metadata(p) custAddS3DualStack(p) custRegionalS3(p) custRmIotDataService(p) @@ -140,19 +139,6 @@ func custAddDualstack(p *partition, svcName string) { p.Services[svcName] = s } -func custAddEC2Metadata(p *partition) { - p.Services["ec2metadata"] = service{ - IsRegionalized: boxedFalse, - PartitionEndpoint: "aws-global", - Endpoints: endpoints{ - "aws-global": endpoint{ - Hostname: "169.254.169.254/latest", - Protocols: []string{"http"}, - }, - }, - } -} - func custRmIotDataService(p *partition) { delete(p.Services, "data.iot") } diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go index fc4988738..9b8acb6b1 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/defaults.go @@ -32,7 +32,6 @@ const ( EuWest1RegionID = "eu-west-1" // Europe (Ireland). EuWest2RegionID = "eu-west-2" // Europe (London). EuWest3RegionID = "eu-west-3" // Europe (Paris). - InAmazon1RegionID = "in-amazon-1" // India (Begumpet). MeSouth1RegionID = "me-south-1" // Middle East (Bahrain). SaEast1RegionID = "sa-east-1" // South America (Sao Paulo). UsEast1RegionID = "us-east-1" // US East (N. Virginia). @@ -101,7 +100,7 @@ var awsPartition = partition{ DNSSuffix: "amazonaws.com", RegionRegex: regionRegex{ Regexp: func() *regexp.Regexp { - reg, _ := regexp.Compile("^(us|eu|ap|sa|ca|me|af|in)\\-\\w+\\-\\d+$") + reg, _ := regexp.Compile("^(us|eu|ap|sa|ca|me|af)\\-\\w+\\-\\d+$") return reg }(), }, @@ -156,9 +155,6 @@ var awsPartition = partition{ "eu-west-3": region{ Description: "Europe (Paris)", }, - "in-amazon-1": region{ - Description: "India (Begumpet)", - }, "me-south-1": region{ Description: "Middle East (Bahrain)", }, @@ -369,6 +365,30 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, + "amplify": service{ + + Endpoints: endpoints{ + "ap-east-1": endpoint{}, + "ap-northeast-1": endpoint{}, + "ap-northeast-2": endpoint{}, + "ap-south-1": endpoint{}, + "ap-southeast-1": endpoint{}, + "ap-southeast-2": endpoint{}, + "ca-central-1": endpoint{}, + "eu-central-1": endpoint{}, + "eu-north-1": endpoint{}, + "eu-south-1": endpoint{}, + "eu-west-1": endpoint{}, + "eu-west-2": endpoint{}, + "eu-west-3": endpoint{}, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "amplifybackend": service{ Endpoints: endpoints{ @@ -652,9 +672,33 @@ var awsPartition = partition{ "eu-north-1": endpoint{}, "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-2": endpoint{}, + "fips-ca-central-1": endpoint{ + Hostname: "api.fleethub.iot-fips.ca-central-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ca-central-1", + }, + }, + "fips-us-east-1": endpoint{ + Hostname: "api.fleethub.iot-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "fips-us-east-2": endpoint{ + Hostname: "api.fleethub.iot-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + }, + "fips-us-west-2": endpoint{ + Hostname: "api.fleethub.iot-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-2": endpoint{}, }, }, "api.mediatailor": service{ @@ -771,6 +815,7 @@ var awsPartition = partition{ "appflow": service{ Endpoints: endpoints{ + "af-south-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, "ap-south-1": endpoint{}, @@ -866,6 +911,7 @@ var awsPartition = partition{ "ap-southeast-2": endpoint{}, "eu-central-1": endpoint{}, "eu-west-1": endpoint{}, + "eu-west-2": endpoint{}, "fips": endpoint{ Hostname: "appstream2-fips.us-west-2.amazonaws.com", CredentialScope: credentialScope{ @@ -882,6 +928,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -900,6 +947,18 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, + "aps": service{ + Defaults: endpoint{ + Protocols: []string{"https"}, + }, + Endpoints: endpoints{ + "eu-central-1": endpoint{}, + "eu-west-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "athena": service{ Endpoints: endpoints{ @@ -907,6 +966,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -986,6 +1046,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -1357,6 +1418,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -1837,6 +1899,59 @@ var awsPartition = partition{ "us-east-1": endpoint{}, }, }, + "data.jobs.iot": service{ + + Endpoints: endpoints{ + "ap-east-1": endpoint{}, + "ap-northeast-1": endpoint{}, + "ap-northeast-2": endpoint{}, + "ap-south-1": endpoint{}, + "ap-southeast-1": endpoint{}, + "ap-southeast-2": endpoint{}, + "ca-central-1": endpoint{}, + "eu-central-1": endpoint{}, + "eu-north-1": endpoint{}, + "eu-west-1": endpoint{}, + "eu-west-2": endpoint{}, + "eu-west-3": endpoint{}, + "fips-ca-central-1": endpoint{ + Hostname: "data.jobs.iot-fips.ca-central-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ca-central-1", + }, + }, + "fips-us-east-1": endpoint{ + Hostname: "data.jobs.iot-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "fips-us-east-2": endpoint{ + Hostname: "data.jobs.iot-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + }, + "fips-us-west-1": endpoint{ + Hostname: "data.jobs.iot-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + }, + "fips-us-west-2": endpoint{ + Hostname: "data.jobs.iot-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "data.mediastore": service{ Endpoints: endpoints{ @@ -1884,6 +1999,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2146,6 +2262,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -2373,17 +2490,6 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, - "ec2metadata": service{ - PartitionEndpoint: "aws-global", - IsRegionalized: boxedFalse, - - Endpoints: endpoints{ - "aws-global": endpoint{ - Hostname: "169.254.169.254/latest", - Protocols: []string{"http"}, - }, - }, - }, "ecs": service{ Endpoints: endpoints{ @@ -2873,11 +2979,41 @@ var awsPartition = partition{ "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "fips-ca-central-1": endpoint{ + Hostname: "emr-containers-fips.ca-central-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ca-central-1", + }, + }, + "fips-us-east-1": endpoint{ + Hostname: "emr-containers-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "fips-us-east-2": endpoint{ + Hostname: "emr-containers-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + }, + "fips-us-west-1": endpoint{ + Hostname: "emr-containers-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + }, + "fips-us-west-2": endpoint{ + Hostname: "emr-containers-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, "entitlement.marketplace": service{ @@ -3051,6 +3187,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -3249,6 +3386,17 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, + "frauddetector": service{ + + Endpoints: endpoints{ + "ap-southeast-1": endpoint{}, + "ap-southeast-2": endpoint{}, + "eu-west-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-2": endpoint{}, + }, + }, "fsx": service{ Endpoints: endpoints{ @@ -3256,6 +3404,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -3559,6 +3708,8 @@ var awsPartition = partition{ }, Endpoints: endpoints{ "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-2": endpoint{}, }, }, "honeycode": service{ @@ -3586,6 +3737,18 @@ var awsPartition = partition{ }, }, }, + "identity-chime": service{ + + Endpoints: endpoints{ + "us-east-1": endpoint{}, + "us-east-1-fips": endpoint{ + Hostname: "identity-chime-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + }, + }, "identitystore": service{ Endpoints: endpoints{ @@ -3679,18 +3842,49 @@ var awsPartition = partition{ "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, - "me-south-1": endpoint{}, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "fips-ca-central-1": endpoint{ + Hostname: "iot-fips.ca-central-1.amazonaws.com", + CredentialScope: credentialScope{ + Service: "execute-api", + }, + }, + "fips-us-east-1": endpoint{ + Hostname: "iot-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Service: "execute-api", + }, + }, + "fips-us-east-2": endpoint{ + Hostname: "iot-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Service: "execute-api", + }, + }, + "fips-us-west-1": endpoint{ + Hostname: "iot-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Service: "execute-api", + }, + }, + "fips-us-west-2": endpoint{ + Hostname: "iot-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Service: "execute-api", + }, + }, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, "iotanalytics": service{ Endpoints: endpoints{ "ap-northeast-1": endpoint{}, + "ap-south-1": endpoint{}, "ap-southeast-2": endpoint{}, "eu-central-1": endpoint{}, "eu-west-1": endpoint{}, @@ -3794,12 +3988,42 @@ var awsPartition = partition{ "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, - "me-south-1": endpoint{}, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, - "us-east-2": endpoint{}, - "us-west-1": endpoint{}, - "us-west-2": endpoint{}, + "fips-ca-central-1": endpoint{ + Hostname: "api.tunneling.iot-fips.ca-central-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ca-central-1", + }, + }, + "fips-us-east-1": endpoint{ + Hostname: "api.tunneling.iot-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + "fips-us-east-2": endpoint{ + Hostname: "api.tunneling.iot-fips.us-east-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-2", + }, + }, + "fips-us-west-1": endpoint{ + Hostname: "api.tunneling.iot-fips.us-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-1", + }, + }, + "fips-us-west-2": endpoint{ + Hostname: "api.tunneling.iot-fips.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, + "us-east-2": endpoint{}, + "us-west-1": endpoint{}, + "us-west-2": endpoint{}, }, }, "iotthingsgraph": service{ @@ -3820,6 +4044,18 @@ var awsPartition = partition{ "iotwireless": service{ Endpoints: endpoints{ + "ap-northeast-1": endpoint{ + Hostname: "api.iotwireless.ap-northeast-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ap-northeast-1", + }, + }, + "ap-southeast-2": endpoint{ + Hostname: "api.iotwireless.ap-southeast-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "ap-southeast-2", + }, + }, "eu-west-1": endpoint{ Hostname: "api.iotwireless.eu-west-1.amazonaws.com", CredentialScope: credentialScope{ @@ -3832,6 +4068,12 @@ var awsPartition = partition{ Region: "us-east-1", }, }, + "us-west-2": endpoint{ + Hostname: "api.iotwireless.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, }, }, "kafka": service{ @@ -4433,6 +4675,7 @@ var awsPartition = partition{ "eu-west-3": endpoint{}, "sa-east-1": endpoint{}, "us-east-1": endpoint{}, + "us-east-2": endpoint{}, "us-west-1": endpoint{}, "us-west-2": endpoint{}, }, @@ -4451,6 +4694,18 @@ var awsPartition = partition{ "us-west-2": endpoint{}, }, }, + "messaging-chime": service{ + + Endpoints: endpoints{ + "us-east-1": endpoint{}, + "us-east-1-fips": endpoint{ + Hostname: "messaging-chime-fips.us-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-east-1", + }, + }, + }, + }, "metering.marketplace": service{ Defaults: endpoint{ CredentialScope: credentialScope{ @@ -4815,6 +5070,12 @@ var awsPartition = partition{ Region: "eu-west-2", }, }, + "eu-west-3": endpoint{ + Hostname: "oidc.eu-west-3.amazonaws.com", + CredentialScope: credentialScope{ + Region: "eu-west-3", + }, + }, "us-east-1": endpoint{ Hostname: "oidc.us-east-1.amazonaws.com", CredentialScope: credentialScope{ @@ -4895,6 +5156,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -5141,6 +5403,7 @@ var awsPartition = partition{ "ap-southeast-2": endpoint{}, "eu-central-1": endpoint{}, "eu-west-1": endpoint{}, + "eu-west-2": endpoint{}, "fips-us-east-1": endpoint{ Hostname: "qldb-fips.us-east-1.amazonaws.com", CredentialScope: credentialScope{ @@ -5463,6 +5726,17 @@ var awsPartition = partition{ }, }, }, + "route53-recovery-control-config": service{ + + Endpoints: endpoints{ + "aws-global": endpoint{ + Hostname: "route53-recovery-control-config.us-west-2.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-west-2", + }, + }, + }, + }, "route53domains": service{ Endpoints: endpoints{ @@ -6303,6 +6577,7 @@ var awsPartition = partition{ "ap-southeast-2": endpoint{}, "eu-central-1": endpoint{}, "eu-west-1": endpoint{}, + "eu-west-2": endpoint{}, "fips-us-east-1": endpoint{ Hostname: "session.qldb-fips.us-east-1.amazonaws.com", CredentialScope: credentialScope{ @@ -6738,6 +7013,7 @@ var awsPartition = partition{ "ap-east-1": endpoint{}, "ap-northeast-1": endpoint{}, "ap-northeast-2": endpoint{}, + "ap-northeast-3": endpoint{}, "ap-south-1": endpoint{}, "ap-southeast-1": endpoint{}, "ap-southeast-2": endpoint{}, @@ -6851,15 +7127,9 @@ var awsPartition = partition{ "eu-west-1": endpoint{}, "eu-west-2": endpoint{}, "eu-west-3": endpoint{}, - "in-amazon-1": endpoint{ - Hostname: "sts.ap-south-1.amazonaws.com", - CredentialScope: credentialScope{ - Region: "ap-south-1", - }, - }, - "me-south-1": endpoint{}, - "sa-east-1": endpoint{}, - "us-east-1": endpoint{}, + "me-south-1": endpoint{}, + "sa-east-1": endpoint{}, + "us-east-1": endpoint{}, "us-east-1-fips": endpoint{ Hostname: "sts-fips.us-east-1.amazonaws.com", CredentialScope: credentialScope{ @@ -7751,9 +8021,17 @@ var awscnPartition = partition{ "cn-northwest-1": endpoint{}, }, }, + "data.jobs.iot": service{ + + Endpoints: endpoints{ + "cn-north-1": endpoint{}, + "cn-northwest-1": endpoint{}, + }, + }, "dax": service{ Endpoints: endpoints{ + "cn-north-1": endpoint{}, "cn-northwest-1": endpoint{}, }, }, @@ -7814,17 +8092,6 @@ var awscnPartition = partition{ "cn-northwest-1": endpoint{}, }, }, - "ec2metadata": service{ - PartitionEndpoint: "aws-global", - IsRegionalized: boxedFalse, - - Endpoints: endpoints{ - "aws-global": endpoint{ - Hostname: "169.254.169.254/latest", - Protocols: []string{"http"}, - }, - }, - }, "ecs": service{ Endpoints: endpoints{ @@ -7892,6 +8159,13 @@ var awscnPartition = partition{ "cn-northwest-1": endpoint{}, }, }, + "emr-containers": service{ + + Endpoints: endpoints{ + "cn-north-1": endpoint{}, + "cn-northwest-1": endpoint{}, + }, + }, "es": service{ Endpoints: endpoints{ @@ -7913,6 +8187,15 @@ var awscnPartition = partition{ "cn-northwest-1": endpoint{}, }, }, + "fms": service{ + Defaults: endpoint{ + Protocols: []string{"https"}, + }, + Endpoints: endpoints{ + "cn-north-1": endpoint{}, + "cn-northwest-1": endpoint{}, + }, + }, "fsx": service{ Endpoints: endpoints{ @@ -7923,7 +8206,8 @@ var awscnPartition = partition{ "gamelift": service{ Endpoints: endpoints{ - "cn-north-1": endpoint{}, + "cn-north-1": endpoint{}, + "cn-northwest-1": endpoint{}, }, }, "glacier": service{ @@ -8108,6 +8392,12 @@ var awscnPartition = partition{ "neptune": service{ Endpoints: endpoints{ + "cn-north-1": endpoint{ + Hostname: "rds.cn-north-1.amazonaws.com.cn", + CredentialScope: credentialScope{ + Region: "cn-north-1", + }, + }, "cn-northwest-1": endpoint{ Hostname: "rds.cn-northwest-1.amazonaws.com.cn", CredentialScope: credentialScope{ @@ -8415,6 +8705,13 @@ var awscnPartition = partition{ }, }, }, + "transcribestreaming": service{ + + Endpoints: endpoints{ + "cn-north-1": endpoint{}, + "cn-northwest-1": endpoint{}, + }, + }, "transfer": service{ Endpoints: endpoints{ @@ -8936,6 +9233,25 @@ var awsusgovPartition = partition{ "us-gov-west-1": endpoint{}, }, }, + "data.jobs.iot": service{ + + Endpoints: endpoints{ + "fips-us-gov-east-1": endpoint{ + Hostname: "data.jobs.iot-fips.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, + "fips-us-gov-west-1": endpoint{ + Hostname: "data.jobs.iot-fips.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, + "us-gov-east-1": endpoint{}, + "us-gov-west-1": endpoint{}, + }, + }, "datasync": service{ Endpoints: endpoints{ @@ -9058,17 +9374,6 @@ var awsusgovPartition = partition{ }, }, }, - "ec2metadata": service{ - PartitionEndpoint: "aws-global", - IsRegionalized: boxedFalse, - - Endpoints: endpoints{ - "aws-global": endpoint{ - Hostname: "169.254.169.254/latest", - Protocols: []string{"http"}, - }, - }, - }, "ecs": service{ Endpoints: endpoints{ @@ -9454,6 +9759,18 @@ var awsusgovPartition = partition{ }, }, Endpoints: endpoints{ + "fips-us-gov-east-1": endpoint{ + Hostname: "iot-fips.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Service: "execute-api", + }, + }, + "fips-us-gov-west-1": endpoint{ + Hostname: "iot-fips.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Service: "execute-api", + }, + }, "us-gov-east-1": endpoint{}, "us-gov-west-1": endpoint{}, }, @@ -9461,6 +9778,18 @@ var awsusgovPartition = partition{ "iotsecuredtunneling": service{ Endpoints: endpoints{ + "fips-us-gov-east-1": endpoint{ + Hostname: "api.tunneling.iot-fips.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, + "fips-us-gov-west-1": endpoint{ + Hostname: "api.tunneling.iot-fips.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, "us-gov-east-1": endpoint{}, "us-gov-west-1": endpoint{}, }, @@ -9633,6 +9962,25 @@ var awsusgovPartition = partition{ "us-gov-west-1": endpoint{}, }, }, + "mq": service{ + + Endpoints: endpoints{ + "fips-us-gov-east-1": endpoint{ + Hostname: "mq-fips.us-gov-east-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-east-1", + }, + }, + "fips-us-gov-west-1": endpoint{ + Hostname: "mq-fips.us-gov-west-1.amazonaws.com", + CredentialScope: credentialScope{ + Region: "us-gov-west-1", + }, + }, + "us-gov-east-1": endpoint{}, + "us-gov-west-1": endpoint{}, + }, + }, "neptune": service{ Endpoints: endpoints{ @@ -10522,17 +10870,6 @@ var awsisoPartition = partition{ "us-iso-east-1": endpoint{}, }, }, - "ec2metadata": service{ - PartitionEndpoint: "aws-global", - IsRegionalized: boxedFalse, - - Endpoints: endpoints{ - "aws-global": endpoint{ - Hostname: "169.254.169.254/latest", - Protocols: []string{"http"}, - }, - }, - }, "ecs": service{ Endpoints: endpoints{ @@ -10642,6 +10979,12 @@ var awsisoPartition = partition{ "us-iso-east-1": endpoint{}, }, }, + "license-manager": service{ + + Endpoints: endpoints{ + "us-iso-east-1": endpoint{}, + }, + }, "logs": service{ Endpoints: endpoints{ @@ -10703,6 +11046,12 @@ var awsisoPartition = partition{ }, }, }, + "route53resolver": service{ + + Endpoints: endpoints{ + "us-iso-east-1": endpoint{}, + }, + }, "runtime.sagemaker": service{ Endpoints: endpoints{ @@ -10923,6 +11272,12 @@ var awsisobPartition = partition{ "us-isob-east-1": endpoint{}, }, }, + "ds": service{ + + Endpoints: endpoints{ + "us-isob-east-1": endpoint{}, + }, + }, "dynamodb": service{ Defaults: endpoint{ Protocols: []string{"http", "https"}, @@ -10939,17 +11294,6 @@ var awsisobPartition = partition{ "us-isob-east-1": endpoint{}, }, }, - "ec2metadata": service{ - PartitionEndpoint: "aws-global", - IsRegionalized: boxedFalse, - - Endpoints: endpoints{ - "aws-global": endpoint{ - Hostname: "169.254.169.254/latest", - Protocols: []string{"http"}, - }, - }, - }, "ecs": service{ Endpoints: endpoints{ @@ -11155,6 +11499,12 @@ var awsisobPartition = partition{ }, "swf": service{ + Endpoints: endpoints{ + "us-isob-east-1": endpoint{}, + }, + }, + "tagging": service{ + Endpoints: endpoints{ "us-isob-east-1": endpoint{}, }, diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/endpoints.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/endpoints.go index ca956e5f1..8e8636f5f 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/endpoints.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/endpoints.go @@ -48,6 +48,9 @@ type Options struct { // This option is ignored if StrictMatching is enabled. ResolveUnknownService bool + // Specifies the EC2 Instance Metadata Service default endpoint selection mode (IPv4 or IPv6) + EC2MetadataEndpointMode EC2IMDSEndpointModeState + // STS Regional Endpoint flag helps with resolving the STS endpoint STSRegionalEndpoint STSRegionalEndpoint @@ -55,6 +58,33 @@ type Options struct { S3UsEast1RegionalEndpoint S3UsEast1RegionalEndpoint } +// EC2IMDSEndpointModeState is an enum configuration variable describing the client endpoint mode. +type EC2IMDSEndpointModeState uint + +// Enumeration values for EC2IMDSEndpointModeState +const ( + EC2IMDSEndpointModeStateUnset EC2IMDSEndpointModeState = iota + EC2IMDSEndpointModeStateIPv4 + EC2IMDSEndpointModeStateIPv6 +) + +// SetFromString sets the EC2IMDSEndpointModeState based on the provided string value. Unknown values will default to EC2IMDSEndpointModeStateUnset +func (e *EC2IMDSEndpointModeState) SetFromString(v string) error { + v = strings.TrimSpace(v) + + switch { + case len(v) == 0: + *e = EC2IMDSEndpointModeStateUnset + case strings.EqualFold(v, "IPv6"): + *e = EC2IMDSEndpointModeStateIPv6 + case strings.EqualFold(v, "IPv4"): + *e = EC2IMDSEndpointModeStateIPv4 + default: + return fmt.Errorf("unknown EC2 IMDS endpoint mode, must be either IPv6 or IPv4") + } + return nil +} + // STSRegionalEndpoint is an enum for the states of the STS Regional Endpoint // options. type STSRegionalEndpoint int @@ -247,7 +277,7 @@ func RegionsForService(ps []Partition, partitionID, serviceID string) (map[strin if p.ID() != partitionID { continue } - if _, ok := p.p.Services[serviceID]; !ok { + if _, ok := p.p.Services[serviceID]; !(ok || serviceID == Ec2metadataServiceID) { break } @@ -333,6 +363,7 @@ func (p Partition) Regions() map[string]Region { // enumerating over the services in a partition. func (p Partition) Services() map[string]Service { ss := make(map[string]Service, len(p.p.Services)) + for id := range p.p.Services { ss[id] = Service{ id: id, @@ -340,6 +371,15 @@ func (p Partition) Services() map[string]Service { } } + // Since we have removed the customization that injected this into the model + // we still need to pretend that this is a modeled service. + if _, ok := ss[Ec2metadataServiceID]; !ok { + ss[Ec2metadataServiceID] = Service{ + id: Ec2metadataServiceID, + p: p.p, + } + } + return ss } @@ -400,7 +440,18 @@ func (s Service) ResolveEndpoint(region string, opts ...func(*Options)) (Resolve // an URL that can be resolved to a instance of a service. func (s Service) Regions() map[string]Region { rs := map[string]Region{} - for id := range s.p.Services[s.id].Endpoints { + + service, ok := s.p.Services[s.id] + + // Since ec2metadata customization has been removed we need to check + // if it was defined in non-standard endpoints.json file. If it's not + // then we can return the empty map as there is no regional-endpoints for IMDS. + // Otherwise, we iterate need to iterate the non-standard model. + if s.id == Ec2metadataServiceID && !ok { + return rs + } + + for id := range service.Endpoints { if r, ok := s.p.Regions[id]; ok { rs[id] = Region{ id: id, diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/v3model.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/v3model.go index aaff68260..c6c6a0338 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/v3model.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/v3model.go @@ -7,6 +7,11 @@ import ( "strings" ) +const ( + ec2MetadataEndpointIPv6 = "http://[fd00:ec2::254]/latest" + ec2MetadataEndpointIPv4 = "http://169.254.169.254/latest" +) + var regionValidationRegex = regexp.MustCompile(`^[[:alnum:]]([[:alnum:]\-]*[[:alnum:]])?$`) type partitions []partition @@ -102,6 +107,12 @@ func (p partition) EndpointFor(service, region string, opts ...func(*Options)) ( opt.Set(opts...) s, hasService := p.Services[service] + + if service == Ec2metadataServiceID && !hasService { + endpoint := getEC2MetadataEndpoint(p.ID, service, opt.EC2MetadataEndpointMode) + return endpoint, nil + } + if len(service) == 0 || !(hasService || opt.ResolveUnknownService) { // Only return error if the resolver will not fallback to creating // endpoint based on service endpoint ID passed in. @@ -129,6 +140,31 @@ func (p partition) EndpointFor(service, region string, opts ...func(*Options)) ( return e.resolve(service, p.ID, region, p.DNSSuffix, defs, opt) } +func getEC2MetadataEndpoint(partitionID, service string, mode EC2IMDSEndpointModeState) ResolvedEndpoint { + switch mode { + case EC2IMDSEndpointModeStateIPv6: + return ResolvedEndpoint{ + URL: ec2MetadataEndpointIPv6, + PartitionID: partitionID, + SigningRegion: "aws-global", + SigningName: service, + SigningNameDerived: true, + SigningMethod: "v4", + } + case EC2IMDSEndpointModeStateIPv4: + fallthrough + default: + return ResolvedEndpoint{ + URL: ec2MetadataEndpointIPv4, + PartitionID: partitionID, + SigningRegion: "aws-global", + SigningName: service, + SigningNameDerived: true, + SigningMethod: "v4", + } + } +} + func serviceList(ss services) []string { list := make([]string, 0, len(ss)) for k := range ss { diff --git a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/v3model_codegen.go b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/v3model_codegen.go index 0fdfcc56e..db6efd605 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/endpoints/v3model_codegen.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/endpoints/v3model_codegen.go @@ -1,3 +1,4 @@ +//go:build codegen // +build codegen package endpoints diff --git a/vendor/github.com/aws/aws-sdk-go/aws/request/request_1_7.go b/vendor/github.com/aws/aws-sdk-go/aws/request/request_1_7.go index e36e468b7..5921b8ff2 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/request/request_1_7.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/request/request_1_7.go @@ -1,3 +1,4 @@ +//go:build !go1.8 // +build !go1.8 package request diff --git a/vendor/github.com/aws/aws-sdk-go/aws/request/request_1_8.go b/vendor/github.com/aws/aws-sdk-go/aws/request/request_1_8.go index de1292f45..ea643c9c4 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/request/request_1_8.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/request/request_1_8.go @@ -1,3 +1,4 @@ +//go:build go1.8 // +build go1.8 package request diff --git a/vendor/github.com/aws/aws-sdk-go/aws/request/request_context.go b/vendor/github.com/aws/aws-sdk-go/aws/request/request_context.go index a7365cd1e..d8c505302 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/request/request_context.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/request/request_context.go @@ -1,3 +1,4 @@ +//go:build go1.7 // +build go1.7 package request diff --git a/vendor/github.com/aws/aws-sdk-go/aws/request/request_context_1_6.go b/vendor/github.com/aws/aws-sdk-go/aws/request/request_context_1_6.go index 307fa0705..49a243ef2 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/request/request_context_1_6.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/request/request_context_1_6.go @@ -1,3 +1,4 @@ +//go:build !go1.7 // +build !go1.7 package request diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport.go b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport.go index 593aedc42..4390ad52f 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport.go @@ -1,3 +1,4 @@ +//go:build go1.13 // +build go1.13 package session diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.12.go b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.12.go index 1bf31cf8e..668565bea 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.12.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.12.go @@ -1,3 +1,4 @@ +//go:build !go1.13 && go1.7 // +build !go1.13,go1.7 package session diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.5.go b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.5.go index 253d7bc9d..e101aa6b6 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.5.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.5.go @@ -1,3 +1,4 @@ +//go:build !go1.6 && go1.5 // +build !go1.6,go1.5 package session diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.6.go b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.6.go index db2406054..b5fcbe0d1 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.6.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/custom_transport_go1.6.go @@ -1,3 +1,4 @@ +//go:build !go1.7 && go1.6 // +build !go1.7,go1.6 package session diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/doc.go b/vendor/github.com/aws/aws-sdk-go/aws/session/doc.go index 9419b518d..43b56863e 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/session/doc.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/doc.go @@ -283,7 +283,7 @@ component must be enclosed in square brackets. The custom EC2 IMDS endpoint can also be specified via the Session options. sess, err := session.NewSessionWithOptions(session.Options{ - EC2IMDSEndpoint: "http://[::1]", + EC2MetadataEndpoint: "http://[::1]", }) */ package session diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go b/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go index 3cd5d4b5a..fffe2f350 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/env_config.go @@ -161,10 +161,15 @@ type envConfig struct { // AWS_S3_USE_ARN_REGION=true S3UseARNRegion bool - // Specifies the alternative endpoint to use for EC2 IMDS. + // Specifies the EC2 Instance Metadata Service endpoint to use. If specified it overrides EC2IMDSEndpointMode. // // AWS_EC2_METADATA_SERVICE_ENDPOINT=http://[::1] EC2IMDSEndpoint string + + // Specifies the EC2 Instance Metadata Service default endpoint selection mode (IPv4 or IPv6) + // + // AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE=IPv6 + EC2IMDSEndpointMode endpoints.EC2IMDSEndpointModeState } var ( @@ -231,6 +236,9 @@ var ( ec2IMDSEndpointEnvKey = []string{ "AWS_EC2_METADATA_SERVICE_ENDPOINT", } + ec2IMDSEndpointModeEnvKey = []string{ + "AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE", + } useCABundleKey = []string{ "AWS_CA_BUNDLE", } @@ -364,6 +372,9 @@ func envConfigLoad(enableSharedConfig bool) (envConfig, error) { } setFromEnvVal(&cfg.EC2IMDSEndpoint, ec2IMDSEndpointEnvKey) + if err := setEC2IMDSEndpointMode(&cfg.EC2IMDSEndpointMode, ec2IMDSEndpointModeEnvKey); err != nil { + return envConfig{}, err + } return cfg, nil } @@ -376,3 +387,17 @@ func setFromEnvVal(dst *string, keys []string) { } } } + +func setEC2IMDSEndpointMode(mode *endpoints.EC2IMDSEndpointModeState, keys []string) error { + for _, k := range keys { + value := os.Getenv(k) + if len(value) == 0 { + continue + } + if err := mode.SetFromString(value); err != nil { + return fmt.Errorf("invalid value for environment variable, %s=%s, %v", k, value, err) + } + return nil + } + return nil +} diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go index 038ae222f..4b2e057e9 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/session/session.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/session.go @@ -283,8 +283,8 @@ type Options struct { Handlers request.Handlers // Allows specifying a custom endpoint to be used by the EC2 IMDS client - // when making requests to the EC2 IMDS API. The must endpoint value must - // include protocol prefix. + // when making requests to the EC2 IMDS API. The endpoint value should + // include the URI scheme. If the scheme is not present it will be defaulted to http. // // If unset, will the EC2 IMDS client will use its default endpoint. // @@ -298,6 +298,11 @@ type Options struct { // // AWS_EC2_METADATA_SERVICE_ENDPOINT=http://[::1] EC2IMDSEndpoint string + + // Specifies the EC2 Instance Metadata Service default endpoint selection mode (IPv4 or IPv6) + // + // AWS_EC2_METADATA_SERVICE_ENDPOINT_MODE=IPv6 + EC2IMDSEndpointMode endpoints.EC2IMDSEndpointModeState } // NewSessionWithOptions returns a new Session created from SDK defaults, config files, @@ -375,19 +380,23 @@ func Must(sess *Session, err error) *Session { // Wraps the endpoint resolver with a resolver that will return a custom // endpoint for EC2 IMDS. -func wrapEC2IMDSEndpoint(resolver endpoints.Resolver, endpoint string) endpoints.Resolver { +func wrapEC2IMDSEndpoint(resolver endpoints.Resolver, endpoint string, mode endpoints.EC2IMDSEndpointModeState) endpoints.Resolver { return endpoints.ResolverFunc( func(service, region string, opts ...func(*endpoints.Options)) ( endpoints.ResolvedEndpoint, error, ) { - if service == ec2MetadataServiceID { + if service == ec2MetadataServiceID && len(endpoint) > 0 { return endpoints.ResolvedEndpoint{ URL: endpoint, SigningName: ec2MetadataServiceID, SigningRegion: region, }, nil + } else if service == ec2MetadataServiceID { + opts = append(opts, func(o *endpoints.Options) { + o.EC2MetadataEndpointMode = mode + }) } - return resolver.EndpointFor(service, region) + return resolver.EndpointFor(service, region, opts...) }) } @@ -404,8 +413,8 @@ func deprecatedNewSession(envCfg envConfig, cfgs ...*aws.Config) *Session { cfg.EndpointResolver = endpoints.DefaultResolver() } - if len(envCfg.EC2IMDSEndpoint) != 0 { - cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, envCfg.EC2IMDSEndpoint) + if !(len(envCfg.EC2IMDSEndpoint) == 0 && envCfg.EC2IMDSEndpointMode == endpoints.EC2IMDSEndpointModeStateUnset) { + cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, envCfg.EC2IMDSEndpoint, envCfg.EC2IMDSEndpointMode) } cfg.Credentials = defaults.CredChain(cfg, handlers) @@ -737,12 +746,32 @@ func mergeConfigSrcs(cfg, userCfg *aws.Config, endpoints.LegacyS3UsEast1Endpoint, }) - ec2IMDSEndpoint := sessOpts.EC2IMDSEndpoint - if len(ec2IMDSEndpoint) == 0 { - ec2IMDSEndpoint = envCfg.EC2IMDSEndpoint + var ec2IMDSEndpoint string + for _, v := range []string{ + sessOpts.EC2IMDSEndpoint, + envCfg.EC2IMDSEndpoint, + sharedCfg.EC2IMDSEndpoint, + } { + if len(v) != 0 { + ec2IMDSEndpoint = v + break + } } - if len(ec2IMDSEndpoint) != 0 { - cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, ec2IMDSEndpoint) + + var endpointMode endpoints.EC2IMDSEndpointModeState + for _, v := range []endpoints.EC2IMDSEndpointModeState{ + sessOpts.EC2IMDSEndpointMode, + envCfg.EC2IMDSEndpointMode, + sharedCfg.EC2IMDSEndpointMode, + } { + if v != endpoints.EC2IMDSEndpointModeStateUnset { + endpointMode = v + break + } + } + + if len(ec2IMDSEndpoint) != 0 || endpointMode != endpoints.EC2IMDSEndpointModeStateUnset { + cfg.EndpointResolver = wrapEC2IMDSEndpoint(cfg.EndpointResolver, ec2IMDSEndpoint, endpointMode) } // Configure credentials if not already set by the user when creating the diff --git a/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go b/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go index 42b16a7db..6830ece70 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/session/shared_config.go @@ -66,6 +66,12 @@ const ( // S3 ARN Region Usage s3UseARNRegionKey = "s3_use_arn_region" + + // EC2 IMDS Endpoint Mode + ec2MetadataServiceEndpointModeKey = "ec2_metadata_service_endpoint_mode" + + // EC2 IMDS Endpoint + ec2MetadataServiceEndpointKey = "ec2_metadata_service_endpoint" ) // sharedConfig represents the configuration fields of the SDK config files. @@ -145,6 +151,16 @@ type sharedConfig struct { // // s3_use_arn_region=true S3UseARNRegion bool + + // Specifies the EC2 Instance Metadata Service default endpoint selection mode (IPv4 or IPv6) + // + // ec2_metadata_service_endpoint_mode=IPv6 + EC2IMDSEndpointMode endpoints.EC2IMDSEndpointModeState + + // Specifies the EC2 Instance Metadata Service endpoint to use. If specified it overrides EC2IMDSEndpointMode. + // + // ec2_metadata_service_endpoint=http://fd00:ec2::254 + EC2IMDSEndpoint string } type sharedConfigFile struct { @@ -334,6 +350,12 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile, e updateString(&cfg.SSORegion, section, ssoRegionKey) updateString(&cfg.SSORoleName, section, ssoRoleNameKey) updateString(&cfg.SSOStartURL, section, ssoStartURL) + + if err := updateEC2MetadataServiceEndpointMode(&cfg.EC2IMDSEndpointMode, section, ec2MetadataServiceEndpointModeKey); err != nil { + return fmt.Errorf("failed to load %s from shared config, %s, %v", + ec2MetadataServiceEndpointModeKey, file.Filename, err) + } + updateString(&cfg.EC2IMDSEndpoint, section, ec2MetadataServiceEndpointKey) } updateString(&cfg.CredentialProcess, section, credentialProcessKey) @@ -364,6 +386,14 @@ func (cfg *sharedConfig) setFromIniFile(profile string, file sharedConfigFile, e return nil } +func updateEC2MetadataServiceEndpointMode(endpointMode *endpoints.EC2IMDSEndpointModeState, section ini.Section, key string) error { + if !section.Has(key) { + return nil + } + value := section.String(key) + return endpointMode.SetFromString(value) +} + func (cfg *sharedConfig) validateCredentialsConfig(profile string) error { if err := cfg.validateCredentialsRequireARN(profile); err != nil { return err diff --git a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/header_rules.go b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/header_rules.go index 07ea799fb..993753831 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/header_rules.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/header_rules.go @@ -34,23 +34,23 @@ func (m mapRule) IsValid(value string) bool { return ok } -// whitelist is a generic rule for whitelisting -type whitelist struct { +// allowList is a generic rule for allow listing +type allowList struct { rule } -// IsValid for whitelist checks if the value is within the whitelist -func (w whitelist) IsValid(value string) bool { +// IsValid for allow list checks if the value is within the allow list +func (w allowList) IsValid(value string) bool { return w.rule.IsValid(value) } -// blacklist is a generic rule for blacklisting -type blacklist struct { +// excludeList is a generic rule for exclude listing +type excludeList struct { rule } -// IsValid for whitelist checks if the value is within the whitelist -func (b blacklist) IsValid(value string) bool { +// IsValid for exclude list checks if the value is within the exclude list +func (b excludeList) IsValid(value string) bool { return !b.rule.IsValid(value) } diff --git a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/request_context_go1.5.go b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/request_context_go1.5.go index f35fc860b..cf672b6ac 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/request_context_go1.5.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/request_context_go1.5.go @@ -1,3 +1,4 @@ +//go:build !go1.7 // +build !go1.7 package v4 diff --git a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/request_context_go1.7.go b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/request_context_go1.7.go index fed5c859c..21fe74e6f 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/request_context_go1.7.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/request_context_go1.7.go @@ -1,3 +1,4 @@ +//go:build go1.7 // +build go1.7 package v4 diff --git a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/uri_path.go b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/uri_path.go index bd082e9d1..7711ec737 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/uri_path.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/uri_path.go @@ -1,3 +1,4 @@ +//go:build go1.5 // +build go1.5 package v4 diff --git a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go index 1737c2686..d4653031f 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/signer/v4/v4.go @@ -90,7 +90,7 @@ const ( ) var ignoredHeaders = rules{ - blacklist{ + excludeList{ mapRule{ authorizationHeader: struct{}{}, "User-Agent": struct{}{}, @@ -99,9 +99,9 @@ var ignoredHeaders = rules{ }, } -// requiredSignedHeaders is a whitelist for build canonical headers. +// requiredSignedHeaders is a allow list for build canonical headers. var requiredSignedHeaders = rules{ - whitelist{ + allowList{ mapRule{ "Cache-Control": struct{}{}, "Content-Disposition": struct{}{}, @@ -145,12 +145,13 @@ var requiredSignedHeaders = rules{ }, }, patterns{"X-Amz-Meta-"}, + patterns{"X-Amz-Object-Lock-"}, } -// allowedHoisting is a whitelist for build query headers. The boolean value +// allowedHoisting is a allow list for build query headers. The boolean value // represents whether or not it is a pattern. var allowedQueryHoisting = inclusiveRules{ - blacklist{requiredSignedHeaders}, + excludeList{requiredSignedHeaders}, patterns{"X-Amz-"}, } @@ -417,7 +418,7 @@ var SignRequestHandler = request.NamedHandler{ // request handler should only be used with the SDK's built in service client's // API operation requests. // -// This function should not be used on its on its own, but in conjunction with +// This function should not be used on its own, but in conjunction with // an AWS service client's API operation call. To sign a standalone request // not created by a service client's API operation method use the "Sign" or // "Presign" functions of the "Signer" type. diff --git a/vendor/github.com/aws/aws-sdk-go/aws/url.go b/vendor/github.com/aws/aws-sdk-go/aws/url.go index 6192b2455..fed561bd5 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/url.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/url.go @@ -1,3 +1,4 @@ +//go:build go1.8 // +build go1.8 package aws diff --git a/vendor/github.com/aws/aws-sdk-go/aws/url_1_7.go b/vendor/github.com/aws/aws-sdk-go/aws/url_1_7.go index 0210d2720..95282db03 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/url_1_7.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/url_1_7.go @@ -1,3 +1,4 @@ +//go:build !go1.8 // +build !go1.8 package aws diff --git a/vendor/github.com/aws/aws-sdk-go/aws/version.go b/vendor/github.com/aws/aws-sdk-go/aws/version.go index f31a01db9..8b03158df 100644 --- a/vendor/github.com/aws/aws-sdk-go/aws/version.go +++ b/vendor/github.com/aws/aws-sdk-go/aws/version.go @@ -5,4 +5,4 @@ package aws const SDKName = "aws-sdk-go" // SDKVersion is the version of this SDK -const SDKVersion = "1.38.63" +const SDKVersion = "1.40.34" diff --git a/vendor/github.com/aws/aws-sdk-go/internal/context/background_go1.5.go b/vendor/github.com/aws/aws-sdk-go/internal/context/background_go1.5.go index 876dcb3fd..365345353 100644 --- a/vendor/github.com/aws/aws-sdk-go/internal/context/background_go1.5.go +++ b/vendor/github.com/aws/aws-sdk-go/internal/context/background_go1.5.go @@ -1,3 +1,4 @@ +//go:build !go1.7 // +build !go1.7 package context diff --git a/vendor/github.com/aws/aws-sdk-go/internal/ini/doc.go b/vendor/github.com/aws/aws-sdk-go/internal/ini/doc.go index 25ce0fe13..1e55bbd07 100644 --- a/vendor/github.com/aws/aws-sdk-go/internal/ini/doc.go +++ b/vendor/github.com/aws/aws-sdk-go/internal/ini/doc.go @@ -13,17 +13,30 @@ // } // // Below is the BNF that describes this parser -// Grammar: -// stmt -> value stmt' -// stmt' -> epsilon | op stmt -// value -> number | string | boolean | quoted_string +// Grammar: +// stmt -> section | stmt' +// stmt' -> epsilon | expr +// expr -> value (stmt)* | equal_expr (stmt)* +// equal_expr -> value ( ':' | '=' ) equal_expr' +// equal_expr' -> number | string | quoted_string +// quoted_string -> " quoted_string' +// quoted_string' -> string quoted_string_end +// quoted_string_end -> " // -// section -> [ section' -// section' -> value section_close -// section_close -> ] +// section -> [ section' +// section' -> section_value section_close +// section_value -> number | string_subset | boolean | quoted_string_subset +// quoted_string_subset -> " quoted_string_subset' +// quoted_string_subset' -> string_subset quoted_string_end +// quoted_string_subset -> " +// section_close -> ] // -// SkipState will skip (NL WS)+ +// value -> number | string_subset | boolean +// string -> ? UTF-8 Code-Points except '\n' (U+000A) and '\r\n' (U+000D U+000A) ? +// string_subset -> ? Code-points excepted by grammar except ':' (U+003A), '=' (U+003D), '[' (U+005B), and ']' (U+005D) ? // -// comment -> # comment' | ; comment' -// comment' -> epsilon | value +// SkipState will skip (NL WS)+ +// +// comment -> # comment' | ; comment' +// comment' -> epsilon | value package ini diff --git a/vendor/github.com/aws/aws-sdk-go/internal/ini/fuzz.go b/vendor/github.com/aws/aws-sdk-go/internal/ini/fuzz.go index 8d462f77e..6e545b63b 100644 --- a/vendor/github.com/aws/aws-sdk-go/internal/ini/fuzz.go +++ b/vendor/github.com/aws/aws-sdk-go/internal/ini/fuzz.go @@ -1,3 +1,4 @@ +//go:build gofuzz // +build gofuzz package ini diff --git a/vendor/github.com/aws/aws-sdk-go/internal/ini/ini_parser.go b/vendor/github.com/aws/aws-sdk-go/internal/ini/ini_parser.go index 55fa73ebc..0ba319491 100644 --- a/vendor/github.com/aws/aws-sdk-go/internal/ini/ini_parser.go +++ b/vendor/github.com/aws/aws-sdk-go/internal/ini/ini_parser.go @@ -5,9 +5,12 @@ import ( "io" ) +// ParseState represents the current state of the parser. +type ParseState uint + // State enums for the parse table const ( - InvalidState = iota + InvalidState ParseState = iota // stmt -> value stmt' StatementState // stmt' -> MarkComplete | op stmt @@ -36,8 +39,8 @@ const ( ) // parseTable is a state machine to dictate the grammar above. -var parseTable = map[ASTKind]map[TokenType]int{ - ASTKindStart: map[TokenType]int{ +var parseTable = map[ASTKind]map[TokenType]ParseState{ + ASTKindStart: { TokenLit: StatementState, TokenSep: OpenScopeState, TokenWS: SkipTokenState, @@ -45,7 +48,7 @@ var parseTable = map[ASTKind]map[TokenType]int{ TokenComment: CommentState, TokenNone: TerminalState, }, - ASTKindCommentStatement: map[TokenType]int{ + ASTKindCommentStatement: { TokenLit: StatementState, TokenSep: OpenScopeState, TokenWS: SkipTokenState, @@ -53,7 +56,7 @@ var parseTable = map[ASTKind]map[TokenType]int{ TokenComment: CommentState, TokenNone: MarkCompleteState, }, - ASTKindExpr: map[TokenType]int{ + ASTKindExpr: { TokenOp: StatementPrimeState, TokenLit: ValueState, TokenSep: OpenScopeState, @@ -62,13 +65,15 @@ var parseTable = map[ASTKind]map[TokenType]int{ TokenComment: CommentState, TokenNone: MarkCompleteState, }, - ASTKindEqualExpr: map[TokenType]int{ - TokenLit: ValueState, - TokenWS: SkipTokenState, - TokenNL: SkipState, - TokenNone: SkipState, + ASTKindEqualExpr: { + TokenLit: ValueState, + TokenSep: ValueState, + TokenOp: ValueState, + TokenWS: SkipTokenState, + TokenNL: SkipState, + TokenNone: SkipState, }, - ASTKindStatement: map[TokenType]int{ + ASTKindStatement: { TokenLit: SectionState, TokenSep: CloseScopeState, TokenWS: SkipTokenState, @@ -76,9 +81,9 @@ var parseTable = map[ASTKind]map[TokenType]int{ TokenComment: CommentState, TokenNone: MarkCompleteState, }, - ASTKindExprStatement: map[TokenType]int{ + ASTKindExprStatement: { TokenLit: ValueState, - TokenSep: OpenScopeState, + TokenSep: ValueState, TokenOp: ValueState, TokenWS: ValueState, TokenNL: MarkCompleteState, @@ -86,14 +91,14 @@ var parseTable = map[ASTKind]map[TokenType]int{ TokenNone: TerminalState, TokenComma: SkipState, }, - ASTKindSectionStatement: map[TokenType]int{ + ASTKindSectionStatement: { TokenLit: SectionState, TokenOp: SectionState, TokenSep: CloseScopeState, TokenWS: SectionState, TokenNL: SkipTokenState, }, - ASTKindCompletedSectionStatement: map[TokenType]int{ + ASTKindCompletedSectionStatement: { TokenWS: SkipTokenState, TokenNL: SkipTokenState, TokenLit: StatementState, @@ -101,7 +106,7 @@ var parseTable = map[ASTKind]map[TokenType]int{ TokenComment: CommentState, TokenNone: MarkCompleteState, }, - ASTKindSkipStatement: map[TokenType]int{ + ASTKindSkipStatement: { TokenLit: StatementState, TokenSep: OpenScopeState, TokenWS: SkipTokenState, @@ -205,18 +210,6 @@ loop: case ValueState: // ValueState requires the previous state to either be an equal expression // or an expression statement. - // - // This grammar occurs when the RHS is a number, word, or quoted string. - // equal_expr -> lit op equal_expr' - // equal_expr' -> number | string | quoted_string - // quoted_string -> " quoted_string' - // quoted_string' -> string quoted_string_end - // quoted_string_end -> " - // - // otherwise - // expr_stmt -> equal_expr (expr_stmt')* - // expr_stmt' -> ws S | op S | MarkComplete - // S -> equal_expr' expr_stmt' switch k.Kind { case ASTKindEqualExpr: // assigning a value to some key @@ -243,7 +236,7 @@ loop: } children[len(children)-1] = rhs - k.SetChildren(children) + root.SetChildren(children) stack.Push(k) } diff --git a/vendor/github.com/aws/aws-sdk-go/internal/ini/visitor.go b/vendor/github.com/aws/aws-sdk-go/internal/ini/visitor.go index 94841c324..081cf4334 100644 --- a/vendor/github.com/aws/aws-sdk-go/internal/ini/visitor.go +++ b/vendor/github.com/aws/aws-sdk-go/internal/ini/visitor.go @@ -50,7 +50,10 @@ func (v *DefaultVisitor) VisitExpr(expr AST) error { rhs := children[1] - if rhs.Root.Type() != TokenLit { + // The right-hand value side the equality expression is allowed to contain '[', ']', ':', '=' in the values. + // If the token is not either a literal or one of the token types that identifies those four additional + // tokens then error. + if !(rhs.Root.Type() == TokenLit || rhs.Root.Type() == TokenOp || rhs.Root.Type() == TokenSep) { return NewParseError("unexpected token type") } diff --git a/vendor/github.com/aws/aws-sdk-go/internal/sdkio/io_go1.6.go b/vendor/github.com/aws/aws-sdk-go/internal/sdkio/io_go1.6.go index 5aa9137e0..037a998c4 100644 --- a/vendor/github.com/aws/aws-sdk-go/internal/sdkio/io_go1.6.go +++ b/vendor/github.com/aws/aws-sdk-go/internal/sdkio/io_go1.6.go @@ -1,3 +1,4 @@ +//go:build !go1.7 // +build !go1.7 package sdkio diff --git a/vendor/github.com/aws/aws-sdk-go/internal/sdkio/io_go1.7.go b/vendor/github.com/aws/aws-sdk-go/internal/sdkio/io_go1.7.go index e5f005613..65e7c60c4 100644 --- a/vendor/github.com/aws/aws-sdk-go/internal/sdkio/io_go1.7.go +++ b/vendor/github.com/aws/aws-sdk-go/internal/sdkio/io_go1.7.go @@ -1,3 +1,4 @@ +//go:build go1.7 // +build go1.7 package sdkio diff --git a/vendor/github.com/aws/aws-sdk-go/internal/sdkmath/floor.go b/vendor/github.com/aws/aws-sdk-go/internal/sdkmath/floor.go index 44898eed0..a84528783 100644 --- a/vendor/github.com/aws/aws-sdk-go/internal/sdkmath/floor.go +++ b/vendor/github.com/aws/aws-sdk-go/internal/sdkmath/floor.go @@ -1,3 +1,4 @@ +//go:build go1.10 // +build go1.10 package sdkmath diff --git a/vendor/github.com/aws/aws-sdk-go/internal/sdkmath/floor_go1.9.go b/vendor/github.com/aws/aws-sdk-go/internal/sdkmath/floor_go1.9.go index 810ec7f08..a3ae3e5db 100644 --- a/vendor/github.com/aws/aws-sdk-go/internal/sdkmath/floor_go1.9.go +++ b/vendor/github.com/aws/aws-sdk-go/internal/sdkmath/floor_go1.9.go @@ -1,3 +1,4 @@ +//go:build !go1.10 // +build !go1.10 package sdkmath diff --git a/vendor/github.com/aws/aws-sdk-go/internal/sdkrand/read.go b/vendor/github.com/aws/aws-sdk-go/internal/sdkrand/read.go index f4651da2d..4bae66cee 100644 --- a/vendor/github.com/aws/aws-sdk-go/internal/sdkrand/read.go +++ b/vendor/github.com/aws/aws-sdk-go/internal/sdkrand/read.go @@ -1,3 +1,4 @@ +//go:build go1.6 // +build go1.6 package sdkrand diff --git a/vendor/github.com/aws/aws-sdk-go/internal/sdkrand/read_1_5.go b/vendor/github.com/aws/aws-sdk-go/internal/sdkrand/read_1_5.go index b1d93a33d..3a6ab8825 100644 --- a/vendor/github.com/aws/aws-sdk-go/internal/sdkrand/read_1_5.go +++ b/vendor/github.com/aws/aws-sdk-go/internal/sdkrand/read_1_5.go @@ -1,3 +1,4 @@ +//go:build !go1.6 // +build !go1.6 package sdkrand diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/rest/build.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/rest/build.go index 1301b149d..fb35fee5f 100644 --- a/vendor/github.com/aws/aws-sdk-go/private/protocol/rest/build.go +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/rest/build.go @@ -98,7 +98,7 @@ func buildLocationElements(r *request.Request, v reflect.Value, buildGETQuery bo // Support the ability to customize values to be marshaled as a // blob even though they were modeled as a string. Required for S3 - // API operations like SSECustomerKey is modeled as stirng but + // API operations like SSECustomerKey is modeled as string but // required to be base64 encoded in request. if field.Tag.Get("marshal-as") == "blob" { m = m.Convert(byteSliceType) diff --git a/vendor/github.com/aws/aws-sdk-go/private/protocol/timestamp.go b/vendor/github.com/aws/aws-sdk-go/private/protocol/timestamp.go index 98f4caed9..d9a4e7649 100644 --- a/vendor/github.com/aws/aws-sdk-go/private/protocol/timestamp.go +++ b/vendor/github.com/aws/aws-sdk-go/private/protocol/timestamp.go @@ -1,6 +1,8 @@ package protocol import ( + "bytes" + "fmt" "math" "strconv" "time" @@ -19,13 +21,16 @@ const ( // Output time is intended to not contain decimals const ( // RFC 7231#section-7.1.1.1 timetamp format. e.g Tue, 29 Apr 2014 18:30:38 GMT - RFC822TimeFormat = "Mon, 2 Jan 2006 15:04:05 GMT" + RFC822TimeFormat = "Mon, 2 Jan 2006 15:04:05 GMT" + rfc822TimeFormatSingleDigitDay = "Mon, _2 Jan 2006 15:04:05 GMT" + rfc822TimeFormatSingleDigitDayTwoDigitYear = "Mon, _2 Jan 06 15:04:05 GMT" // This format is used for output time without seconds precision RFC822OutputTimeFormat = "Mon, 02 Jan 2006 15:04:05 GMT" // RFC3339 a subset of the ISO8601 timestamp format. e.g 2014-04-29T18:30:38Z - ISO8601TimeFormat = "2006-01-02T15:04:05.999999999Z" + ISO8601TimeFormat = "2006-01-02T15:04:05.999999999Z" + iso8601TimeFormatNoZ = "2006-01-02T15:04:05.999999999" // This format is used for output time with fractional second precision up to milliseconds ISO8601OutputTimeFormat = "2006-01-02T15:04:05.999999999Z" @@ -67,10 +72,21 @@ func FormatTime(name string, t time.Time) string { // the time if it was able to be parsed, and fails otherwise. func ParseTime(formatName, value string) (time.Time, error) { switch formatName { - case RFC822TimeFormatName: - return time.Parse(RFC822TimeFormat, value) - case ISO8601TimeFormatName: - return time.Parse(ISO8601TimeFormat, value) + case RFC822TimeFormatName: // Smithy HTTPDate format + return tryParse(value, + RFC822TimeFormat, + rfc822TimeFormatSingleDigitDay, + rfc822TimeFormatSingleDigitDayTwoDigitYear, + time.RFC850, + time.ANSIC, + ) + case ISO8601TimeFormatName: // Smithy DateTime format + return tryParse(value, + ISO8601TimeFormat, + iso8601TimeFormatNoZ, + time.RFC3339Nano, + time.RFC3339, + ) case UnixTimeFormatName: v, err := strconv.ParseFloat(value, 64) _, dec := math.Modf(v) @@ -83,3 +99,36 @@ func ParseTime(formatName, value string) (time.Time, error) { panic("unknown timestamp format name, " + formatName) } } + +func tryParse(v string, formats ...string) (time.Time, error) { + var errs parseErrors + for _, f := range formats { + t, err := time.Parse(f, v) + if err != nil { + errs = append(errs, parseError{ + Format: f, + Err: err, + }) + continue + } + return t, nil + } + + return time.Time{}, fmt.Errorf("unable to parse time string, %v", errs) +} + +type parseErrors []parseError + +func (es parseErrors) Error() string { + var s bytes.Buffer + for _, e := range es { + fmt.Fprintf(&s, "\n * %q: %v", e.Format, e.Err) + } + + return "parse errors:" + s.String() +} + +type parseError struct { + Format string + Err error +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go index 425ed0792..a18c8b80c 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go +++ b/vendor/github.com/aws/aws-sdk-go/service/ec2/api.go @@ -604,10 +604,11 @@ func (c *EC2) AllocateAddressRequest(input *AllocateAddressInput) (req *request. // AllocateAddress API operation for Amazon Elastic Compute Cloud. // -// Allocates an Elastic IP address to your account. After you allocate the Elastic -// IP address you can associate it with an instance or network interface. After -// you release an Elastic IP address, it is released to the IP address pool -// and can be allocated to a different account. +// Allocates an Elastic IP address to your Amazon Web Services account. After +// you allocate the Elastic IP address you can associate it with an instance +// or network interface. After you release an Elastic IP address, it is released +// to the IP address pool and can be allocated to a different Amazon Web Services +// account. // // You can allocate an Elastic IP address from an address pool owned by Amazon // Web Services or from an address pool created from a public IPv4 address range @@ -618,9 +619,9 @@ func (c *EC2) AllocateAddressRequest(input *AllocateAddressInput) (req *request. // // [EC2-VPC] If you release an Elastic IP address, you might be able to recover // it. You cannot recover an Elastic IP address that you released after it is -// allocated to another account. You cannot recover an Elastic IP address for -// EC2-Classic. To attempt to recover an Elastic IP address that you released, -// specify it in this operation. +// allocated to another Amazon Web Services account. You cannot recover an Elastic +// IP address for EC2-Classic. To attempt to recover an Elastic IP address that +// you released, specify it in this operation. // // An Elastic IP address is for use either in the EC2-Classic platform or in // a VPC. By default, you can allocate 5 Elastic IP addresses for EC2-Classic @@ -869,6 +870,12 @@ func (c *EC2) AssignIpv6AddressesRequest(input *AssignIpv6AddressesInput) (req * // You must specify either the IPv6 addresses or the IPv6 address count in the // request. // +// You can optionally use Prefix Delegation on the network interface. You must +// specify either the IPV6 Prefix Delegation prefixes, or the IPv6 Prefix Delegation +// count. For information, see Assigning prefixes to Amazon EC2 network interfaces +// (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) +// in the Amazon Elastic Compute Cloud User Guide. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -962,6 +969,12 @@ func (c *EC2) AssignPrivateIpAddressesRequest(input *AssignPrivateIpAddressesInp // // You must specify either the IP addresses or the IP address count in the request. // +// You can optionally use Prefix Delegation on the network interface. You must +// specify either the IPv4 Prefix Delegation prefixes, or the IPv4 Prefix Delegation +// count. For information, see Assigning prefixes to Amazon EC2 network interfaces +// (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) +// in the Amazon Elastic Compute Cloud User Guide. +// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -1234,7 +1247,7 @@ func (c *EC2) AssociateDhcpOptionsRequest(input *AssociateDhcpOptionsInput) (req // its DHCP lease. You can explicitly renew the lease using the operating system // on the instance. // -// For more information, see DHCP Options Sets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) +// For more information, see DHCP options sets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -1309,25 +1322,25 @@ func (c *EC2) AssociateEnclaveCertificateIamRoleRequest(input *AssociateEnclaveC // AssociateEnclaveCertificateIamRole API operation for Amazon Elastic Compute Cloud. // -// Associates an AWS Identity and Access Management (IAM) role with an AWS Certificate +// Associates an Identity and Access Management (IAM) role with an Certificate // Manager (ACM) certificate. This enables the certificate to be used by the // ACM for Nitro Enclaves application inside an enclave. For more information, -// see AWS Certificate Manager for Nitro Enclaves (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html) -// in the AWS Nitro Enclaves User Guide. +// see Certificate Manager for Nitro Enclaves (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html) +// in the Amazon Web Services Nitro Enclaves User Guide. // // When the IAM role is associated with the ACM certificate, the certificate, // certificate chain, and encrypted private key are placed in an Amazon S3 bucket // that only the associated IAM role can access. The private key of the certificate -// is encrypted with an AWS-managed KMS customer master (CMK) that has an attached -// attestation-based CMK policy. +// is encrypted with an Amazon Web Services managed key that has an attached +// attestation-based key policy. // // To enable the IAM role to access the Amazon S3 object, you must grant it // permission to call s3:GetObject on the Amazon S3 bucket returned by the command. -// To enable the IAM role to access the AWS KMS CMK, you must grant it permission -// to call kms:Decrypt on the AWS KMS CMK returned by the command. For more -// information, see Grant the role permission to access the certificate and -// encryption key (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html#add-policy) -// in the AWS Nitro Enclaves User Guide. +// To enable the IAM role to access the KMS key, you must grant it permission +// to call kms:Decrypt on the KMS key returned by the command. For more information, +// see Grant the role permission to access the certificate and encryption key +// (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave-refapp.html#add-policy) +// in the Amazon Web Services Nitro Enclaves User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -1432,6 +1445,85 @@ func (c *EC2) AssociateIamInstanceProfileWithContext(ctx aws.Context, input *Ass return out, req.Send() } +const opAssociateInstanceEventWindow = "AssociateInstanceEventWindow" + +// AssociateInstanceEventWindowRequest generates a "aws/request.Request" representing the +// client's request for the AssociateInstanceEventWindow operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See AssociateInstanceEventWindow for more information on using the AssociateInstanceEventWindow +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the AssociateInstanceEventWindowRequest method. +// req, resp := client.AssociateInstanceEventWindowRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/AssociateInstanceEventWindow +func (c *EC2) AssociateInstanceEventWindowRequest(input *AssociateInstanceEventWindowInput) (req *request.Request, output *AssociateInstanceEventWindowOutput) { + op := &request.Operation{ + Name: opAssociateInstanceEventWindow, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &AssociateInstanceEventWindowInput{} + } + + output = &AssociateInstanceEventWindowOutput{} + req = c.newRequest(op, input, output) + return +} + +// AssociateInstanceEventWindow API operation for Amazon Elastic Compute Cloud. +// +// Associates one or more targets with an event window. Only one type of target +// (instance IDs, Dedicated Host IDs, or tags) can be specified with an event +// window. +// +// For more information, see Define event windows for scheduled events (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/event-windows.html) +// in the Amazon EC2 User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation AssociateInstanceEventWindow for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/AssociateInstanceEventWindow +func (c *EC2) AssociateInstanceEventWindow(input *AssociateInstanceEventWindowInput) (*AssociateInstanceEventWindowOutput, error) { + req, out := c.AssociateInstanceEventWindowRequest(input) + return out, req.Send() +} + +// AssociateInstanceEventWindowWithContext is the same as AssociateInstanceEventWindow with the addition of +// the ability to pass a context and additional request options. +// +// See AssociateInstanceEventWindow for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) AssociateInstanceEventWindowWithContext(ctx aws.Context, input *AssociateInstanceEventWindowInput, opts ...request.Option) (*AssociateInstanceEventWindowOutput, error) { + req, out := c.AssociateInstanceEventWindowRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opAssociateRouteTable = "AssociateRouteTable" // AssociateRouteTableRequest generates a "aws/request.Request" representing the @@ -1483,7 +1575,7 @@ func (c *EC2) AssociateRouteTableRequest(input *AssociateRouteTableInput) (req * // in order to disassociate the route table later. A route table can be associated // with multiple subnets. // -// For more information, see Route Tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) +// For more information, see Route tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -1788,6 +1880,10 @@ func (c *EC2) AssociateTrunkInterfaceRequest(input *AssociateTrunkInterfaceInput // AssociateTrunkInterface API operation for Amazon Elastic Compute Cloud. // +// +// This API action is currently in limited preview only. If you are interested +// in using this feature, contact your account manager. +// // Associates a branch network interface with a trunk network interface. // // Before you create the association, run the create-network-interface (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateNetworkInterface.html) @@ -1795,9 +1891,6 @@ func (c *EC2) AssociateTrunkInterfaceRequest(input *AssociateTrunkInterfaceInput // interface for each branch network interface that you want to associate with // the trunk network interface. // -// For more information, see Network interface trunking (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/eni-trunking.html) -// in the Amazon Elastic Compute Cloud User Guide. -// // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. @@ -1880,7 +1973,7 @@ func (c *EC2) AssociateVpcCidrBlockRequest(input *AssociateVpcCidrBlockInput) (r // an IPv6 pool, or an Amazon-provided IPv6 CIDR block. // // For more information about associating CIDR blocks with your VPC and applicable -// restrictions, see VPC and Subnet Sizing (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing) +// restrictions, see VPC and subnet sizing (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html#VPC_Sizing) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -2200,13 +2293,14 @@ func (c *EC2) AttachVolumeRequest(input *AttachVolumeInput) (req *request.Reques // in the Amazon Elastic Compute Cloud User Guide. // // After you attach an EBS volume, you must make it available. For more information, -// see Making an EBS volume available for use (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-using-volumes.html). +// see Make an EBS volume available for use (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-using-volumes.html). // -// If a volume has an AWS Marketplace product code: +// If a volume has an Amazon Web Services Marketplace product code: // // * The volume can be attached only to a stopped instance. // -// * AWS Marketplace product codes are copied from the volume to the instance. +// * Amazon Web Services Marketplace product codes are copied from the volume +// to the instance. // // * You must be subscribed to the product. // @@ -2214,7 +2308,7 @@ func (c *EC2) AttachVolumeRequest(input *AttachVolumeInput) (req *request.Reques // the product. For example, you can't detach a volume from a Windows instance // and attach it to a Linux instance. // -// For more information, see Attaching Amazon EBS volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-attaching-volume.html) +// For more information, see Attach an Amazon EBS volume to an instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-attaching-volume.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -2439,18 +2533,17 @@ func (c *EC2) AuthorizeSecurityGroupEgressRequest(input *AuthorizeSecurityGroupE output = &AuthorizeSecurityGroupEgressOutput{} req = c.newRequest(op, input, output) - req.Handlers.Unmarshal.Swap(ec2query.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) return } // AuthorizeSecurityGroupEgress API operation for Amazon Elastic Compute Cloud. // -// [VPC only] Adds the specified egress rules to a security group for use with -// a VPC. +// [VPC only] Adds the specified outbound (egress) rules to a security group +// for use with a VPC. // // An outbound rule permits instances to send traffic to the specified IPv4 -// or IPv6 CIDR address ranges, or to the instances associated with the specified -// destination security groups. +// or IPv6 CIDR address ranges, or to the instances that are associated with +// the specified destination security groups. // // You specify a protocol for each rule (for example, TCP). For the TCP and // UDP protocols, you must also specify the destination port or port range. @@ -2460,8 +2553,7 @@ func (c *EC2) AuthorizeSecurityGroupEgressRequest(input *AuthorizeSecurityGroupE // Rule changes are propagated to affected instances as quickly as possible. // However, a small delay might occur. // -// For more information about VPC security group limits, see Amazon VPC Limits -// (https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html). +// For information about VPC security group quotas, see Amazon VPC quotas (https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -2530,17 +2622,16 @@ func (c *EC2) AuthorizeSecurityGroupIngressRequest(input *AuthorizeSecurityGroup output = &AuthorizeSecurityGroupIngressOutput{} req = c.newRequest(op, input, output) - req.Handlers.Unmarshal.Swap(ec2query.UnmarshalHandler.Name, protocol.UnmarshalDiscardBodyHandler) return } // AuthorizeSecurityGroupIngress API operation for Amazon Elastic Compute Cloud. // -// Adds the specified ingress rules to a security group. +// Adds the specified inbound (ingress) rules to a security group. // // An inbound rule permits instances to receive traffic from the specified IPv4 -// or IPv6 CIDR address ranges, or from the instances associated with the specified -// destination security groups. +// or IPv6 CIDR address range, or from the instances that are associated with +// the specified destination security groups. // // You specify a protocol for each rule (for example, TCP). For TCP and UDP, // you must also specify the destination port or port range. For ICMP/ICMPv6, @@ -2550,7 +2641,7 @@ func (c *EC2) AuthorizeSecurityGroupIngressRequest(input *AuthorizeSecurityGroup // Rule changes are propagated to instances within the security group as quickly // as possible. However, a small delay might occur. // -// For more information about VPC security group limits, see Amazon VPC Limits +// For more information about VPC security group quotas, see Amazon VPC quotas // (https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -3587,10 +3678,10 @@ func (c *EC2) CopySnapshotRequest(input *CopySnapshotInput) (req *request.Reques // When copying snapshots to a Region, copies of encrypted EBS snapshots remain // encrypted. Copies of unencrypted snapshots remain unencrypted, unless you // enable encryption for the snapshot copy operation. By default, encrypted -// snapshot copies use the default AWS Key Management Service (AWS KMS) customer -// master key (CMK); however, you can specify a different CMK. To copy an encrypted -// snapshot that has been shared from another account, you must have permissions -// for the CMK used to encrypt the snapshot. +// snapshot copies use the default Key Management Service (KMS) KMS key; however, +// you can specify a different KMS key. To copy an encrypted snapshot that has +// been shared from another account, you must have permissions for the KMS key +// used to encrypt the snapshot. // // Snapshots copied to an Outpost are encrypted by default using the default // encryption key for the Region, or a different key that you specify in the @@ -3601,7 +3692,7 @@ func (c *EC2) CopySnapshotRequest(input *CopySnapshotInput) (req *request.Reques // Snapshots created by copying another snapshot have an arbitrary volume ID // that should not be used for any purpose. // -// For more information, see Copying an Amazon EBS snapshot (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html) +// For more information, see Copy an Amazon EBS snapshot (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -3775,7 +3866,7 @@ func (c *EC2) CreateCarrierGatewayRequest(input *CreateCarrierGatewayInput) (req // // Creates a carrier gateway. For more information about carrier gateways, see // Carrier gateways (https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#wavelength-carrier-gateway) -// in the AWS Wavelength Developer Guide. +// in the Amazon Web Services Wavelength Developer Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -4107,7 +4198,7 @@ func (c *EC2) CreateDefaultSubnetRequest(input *CreateDefaultSubnetInput) (req * // // Creates a default subnet with a size /20 IPv4 CIDR block in the specified // Availability Zone in your default VPC. You can have only one default subnet -// per Availability Zone. For more information, see Creating a Default Subnet +// per Availability Zone. For more information, see Creating a default subnet // (https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html#create-default-subnet) // in the Amazon Virtual Private Cloud User Guide. // @@ -4185,7 +4276,7 @@ func (c *EC2) CreateDefaultVpcRequest(input *CreateDefaultVpcInput) (req *reques // // Creates a default VPC with a size /16 IPv4 CIDR block and a default subnet // in each Availability Zone. For more information about the components of a -// default VPC, see Default VPC and Default Subnets (https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html) +// default VPC, see Default VPC and default subnets (https://docs.aws.amazon.com/vpc/latest/userguide/default-vpc.html) // in the Amazon Virtual Private Cloud User Guide. You cannot specify the components // of the default VPC yourself. // @@ -4306,7 +4397,7 @@ func (c *EC2) CreateDhcpOptionsRequest(input *CreateDhcpOptionsInput) (req *requ // only a DNS server that we provide (AmazonProvidedDNS). If you create a set // of options, and if your VPC has an internet gateway, make sure to set the // domain-name-servers option either to AmazonProvidedDNS or to a domain name -// server of your choice. For more information, see DHCP Options Sets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) +// server of your choice. For more information, see DHCP options sets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -4543,7 +4634,7 @@ func (c *EC2) CreateFlowLogsRequest(input *CreateFlowLogsInput) (req *request.Re // // Flow log data for a monitored network interface is recorded as flow log records, // which are log events consisting of fields that describe the traffic flow. -// For more information, see Flow Log Records (https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records) +// For more information, see Flow log records (https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records) // in the Amazon Virtual Private Cloud User Guide. // // When publishing to CloudWatch Logs, flow log records are published to a log @@ -4747,6 +4838,103 @@ func (c *EC2) CreateImageWithContext(ctx aws.Context, input *CreateImageInput, o return out, req.Send() } +const opCreateInstanceEventWindow = "CreateInstanceEventWindow" + +// CreateInstanceEventWindowRequest generates a "aws/request.Request" representing the +// client's request for the CreateInstanceEventWindow operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateInstanceEventWindow for more information on using the CreateInstanceEventWindow +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateInstanceEventWindowRequest method. +// req, resp := client.CreateInstanceEventWindowRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateInstanceEventWindow +func (c *EC2) CreateInstanceEventWindowRequest(input *CreateInstanceEventWindowInput) (req *request.Request, output *CreateInstanceEventWindowOutput) { + op := &request.Operation{ + Name: opCreateInstanceEventWindow, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateInstanceEventWindowInput{} + } + + output = &CreateInstanceEventWindowOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateInstanceEventWindow API operation for Amazon Elastic Compute Cloud. +// +// Creates an event window in which scheduled events for the associated Amazon +// EC2 instances can run. +// +// You can define either a set of time ranges or a cron expression when creating +// the event window, but not both. All event window times are in UTC. +// +// You can create up to 200 event windows per Amazon Web Services Region. +// +// When you create the event window, targets (instance IDs, Dedicated Host IDs, +// or tags) are not yet associated with it. To ensure that the event window +// can be used, you must associate one or more targets with it by using the +// AssociateInstanceEventWindow API. +// +// Event windows are applicable only for scheduled events that stop, reboot, +// or terminate instances. +// +// Event windows are not applicable for: +// +// * Expedited scheduled events and network maintenance events. +// +// * Unscheduled maintenance such as AutoRecovery and unplanned reboots. +// +// For more information, see Define event windows for scheduled events (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/event-windows.html) +// in the Amazon EC2 User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation CreateInstanceEventWindow for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateInstanceEventWindow +func (c *EC2) CreateInstanceEventWindow(input *CreateInstanceEventWindowInput) (*CreateInstanceEventWindowOutput, error) { + req, out := c.CreateInstanceEventWindowRequest(input) + return out, req.Send() +} + +// CreateInstanceEventWindowWithContext is the same as CreateInstanceEventWindow with the addition of +// the ability to pass a context and additional request options. +// +// See CreateInstanceEventWindow for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) CreateInstanceEventWindowWithContext(ctx aws.Context, input *CreateInstanceEventWindowInput, opts ...request.Option) (*CreateInstanceEventWindowOutput, error) { + req, out := c.CreateInstanceEventWindowRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opCreateInstanceExportTask = "CreateInstanceExportTask" // CreateInstanceExportTaskRequest generates a "aws/request.Request" representing the @@ -4948,18 +5136,19 @@ func (c *EC2) CreateKeyPairRequest(input *CreateKeyPairInput) (req *request.Requ // CreateKeyPair API operation for Amazon Elastic Compute Cloud. // -// Creates a 2048-bit RSA key pair with the specified name. Amazon EC2 stores -// the public key and displays the private key for you to save to a file. The -// private key is returned as an unencrypted PEM encoded PKCS#1 private key. -// If a key with the specified name already exists, Amazon EC2 returns an error. +// Creates an ED25519 or 2048-bit RSA key pair with the specified name. Amazon +// EC2 stores the public key and displays the private key for you to save to +// a file. The private key is returned as an unencrypted PEM encoded PKCS#1 +// private key. If a key with the specified name already exists, Amazon EC2 +// returns an error. // -// You can have up to five thousand key pairs per Region. +// The key pair returned to you is available only in the Amazon Web Services +// Region in which you create it. If you prefer, you can create your own key +// pair using a third-party tool and upload it to any Region using ImportKeyPair. // -// The key pair returned to you is available only in the Region in which you -// create it. If you prefer, you can create your own key pair using a third-party -// tool and upload it to any Region using ImportKeyPair. +// You can have up to 5,000 key pairs per Amazon Web Services Region. // -// For more information, see Key Pairs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) +// For more information, see Amazon EC2 key pairs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -5434,7 +5623,7 @@ func (c *EC2) CreateNatGatewayRequest(input *CreateNatGatewayInput) (req *reques // IPv4 addresses, preserving private IPv4 addresses, and communicating between // overlapping networks. // -// For more information, see NAT Gateways (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) +// For more information, see NAT gateways (https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat-gateway.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -5837,8 +6026,8 @@ func (c *EC2) CreateNetworkInterfacePermissionRequest(input *CreateNetworkInterf // Grants an Amazon Web Services-authorized account permission to attach the // specified network interface to an instance in their account. // -// You can grant permission to a single account only, and only one account at -// a time. +// You can grant permission to a single Amazon Web Services account only, and +// only one account at a time. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -6001,7 +6190,7 @@ func (c *EC2) CreateReplaceRootVolumeTaskRequest(input *CreateReplaceRootVolumeT // volume can either be restored to its initial launch state, or it can be restored // using a specific snapshot. // -// For more information, see Replace a root volume (https://docs.aws.amazon.com/) +// For more information, see Replace a root volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html#replace-root) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -6272,7 +6461,7 @@ func (c *EC2) CreateRouteRequest(input *CreateRouteInput) (req *request.Request, // route in the list covers a smaller number of IP addresses and is therefore // more specific, so we use that route to determine where to target the traffic. // -// For more information about route tables, see Route Tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) +// For more information about route tables, see Route tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -6350,7 +6539,7 @@ func (c *EC2) CreateRouteTableRequest(input *CreateRouteTableInput) (req *reques // Creates a route table for the specified VPC. After you create a route table, // you can add routes and associate the table with a subnet. // -// For more information, see Route Tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) +// For more information, see Route tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -6428,9 +6617,9 @@ func (c *EC2) CreateSecurityGroupRequest(input *CreateSecurityGroupInput) (req * // Creates a security group. // // A security group acts as a virtual firewall for your instance to control -// inbound and outbound traffic. For more information, see Amazon EC2 Security -// Groups (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html) -// in the Amazon Elastic Compute Cloud User Guide and Security Groups for Your +// inbound and outbound traffic. For more information, see Amazon EC2 security +// groups (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html) +// in the Amazon Elastic Compute Cloud User Guide and Security groups for your // VPC (https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html) // in the Amazon Virtual Private Cloud User Guide. // @@ -6534,28 +6723,29 @@ func (c *EC2) CreateSnapshotRequest(input *CreateSnapshotInput) (req *request.Re // an Outpost, the snapshot can be stored on the same Outpost as the volume, // or in the Region for that Outpost. // -// When a snapshot is created, any AWS Marketplace product codes that are associated -// with the source volume are propagated to the snapshot. +// When a snapshot is created, any Amazon Web Services Marketplace product codes +// that are associated with the source volume are propagated to the snapshot. // // You can take a snapshot of an attached volume that is in use. However, snapshots -// only capture data that has been written to your EBS volume at the time the -// snapshot command is issued; this might exclude any data that has been cached -// by any applications or the operating system. If you can pause any file systems -// on the volume long enough to take a snapshot, your snapshot should be complete. -// However, if you cannot pause all file writes to the volume, you should unmount -// the volume from within the instance, issue the snapshot command, and then -// remount the volume to ensure a consistent and complete snapshot. You may -// remount and use your volume while the snapshot status is pending. +// only capture data that has been written to your Amazon EBS volume at the +// time the snapshot command is issued; this might exclude any data that has +// been cached by any applications or the operating system. If you can pause +// any file systems on the volume long enough to take a snapshot, your snapshot +// should be complete. However, if you cannot pause all file writes to the volume, +// you should unmount the volume from within the instance, issue the snapshot +// command, and then remount the volume to ensure a consistent and complete +// snapshot. You may remount and use your volume while the snapshot status is +// pending. // -// To create a snapshot for EBS volumes that serve as root devices, you should -// stop the instance before taking the snapshot. +// To create a snapshot for Amazon EBS volumes that serve as root devices, you +// should stop the instance before taking the snapshot. // // Snapshots that are taken from encrypted volumes are automatically encrypted. // Volumes that are created from encrypted snapshots are also automatically // encrypted. Your encrypted volumes and any associated snapshots always remain // protected. // -// You can tag your snapshots during creation. For more information, see Tagging +// You can tag your snapshots during creation. For more information, see Tag // your Amazon EC2 resources (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) // in the Amazon Elastic Compute Cloud User Guide. // @@ -6719,8 +6909,8 @@ func (c *EC2) CreateSpotDatafeedSubscriptionRequest(input *CreateSpotDatafeedSub // CreateSpotDatafeedSubscription API operation for Amazon Elastic Compute Cloud. // // Creates a data feed for Spot Instances, enabling you to view Spot Instance -// usage logs. You can create one data feed per AWS account. For more information, -// see Spot Instance data feed (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-data-feeds.html) +// usage logs. You can create one data feed per Amazon Web Services account. +// For more information, see Spot Instance data feed (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-data-feeds.html) // in the Amazon EC2 User Guide for Linux Instances. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -6886,8 +7076,8 @@ func (c *EC2) CreateSubnetRequest(input *CreateSubnetInput) (req *request.Reques // If you've associated an IPv6 CIDR block with your VPC, you can create a subnet // with an IPv6 CIDR block that uses a /64 prefix length. // -// AWS reserves both the first four and the last IPv4 address in each subnet's -// CIDR block. They're not available for use. +// Amazon Web Services reserves both the first four and the last IPv4 address +// in each subnet's CIDR block. They're not available for use. // // If you add more than one subnet to a VPC, they're set up in a star topology // with a logical router in the middle. @@ -6896,7 +7086,7 @@ func (c *EC2) CreateSubnetRequest(input *CreateSubnetInput) (req *request.Reques // It's therefore possible to have a subnet with no running instances (they're // all stopped), but no remaining IP addresses available. // -// For more information about subnets, see Your VPC and Subnets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) +// For more information about subnets, see Your VPC and subnets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -6927,6 +7117,82 @@ func (c *EC2) CreateSubnetWithContext(ctx aws.Context, input *CreateSubnetInput, return out, req.Send() } +const opCreateSubnetCidrReservation = "CreateSubnetCidrReservation" + +// CreateSubnetCidrReservationRequest generates a "aws/request.Request" representing the +// client's request for the CreateSubnetCidrReservation operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See CreateSubnetCidrReservation for more information on using the CreateSubnetCidrReservation +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the CreateSubnetCidrReservationRequest method. +// req, resp := client.CreateSubnetCidrReservationRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateSubnetCidrReservation +func (c *EC2) CreateSubnetCidrReservationRequest(input *CreateSubnetCidrReservationInput) (req *request.Request, output *CreateSubnetCidrReservationOutput) { + op := &request.Operation{ + Name: opCreateSubnetCidrReservation, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &CreateSubnetCidrReservationInput{} + } + + output = &CreateSubnetCidrReservationOutput{} + req = c.newRequest(op, input, output) + return +} + +// CreateSubnetCidrReservation API operation for Amazon Elastic Compute Cloud. +// +// Creates a subnet CIDR reservation. For information about subnet CIDR reservations, +// see Subnet CIDR reservations (https://docs.aws.amazon.com/vpc/latest/userguide/subnet-cidr-reservation.html) +// in the Amazon Virtual Private Cloud User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation CreateSubnetCidrReservation for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/CreateSubnetCidrReservation +func (c *EC2) CreateSubnetCidrReservation(input *CreateSubnetCidrReservationInput) (*CreateSubnetCidrReservationOutput, error) { + req, out := c.CreateSubnetCidrReservationRequest(input) + return out, req.Send() +} + +// CreateSubnetCidrReservationWithContext is the same as CreateSubnetCidrReservation with the addition of +// the ability to pass a context and additional request options. +// +// See CreateSubnetCidrReservation for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) CreateSubnetCidrReservationWithContext(ctx aws.Context, input *CreateSubnetCidrReservationInput, opts ...request.Option) (*CreateSubnetCidrReservationOutput, error) { + req, out := c.CreateSubnetCidrReservationRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opCreateTags = "CreateTags" // CreateTagsRequest generates a "aws/request.Request" representing the @@ -7482,8 +7748,8 @@ func (c *EC2) CreateTransitGatewayConnectRequest(input *CreateTransitGatewayConn // A Connect attachment is a GRE-based tunnel attachment that you can use to // establish a connection between a transit gateway and an appliance. // -// A Connect attachment uses an existing VPC or AWS Direct Connect attachment -// as the underlying transport mechanism. +// A Connect attachment uses an existing VPC or Amazon Web Services Direct Connect +// attachment as the underlying transport mechanism. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -7719,7 +7985,7 @@ func (c *EC2) CreateTransitGatewayPeeringAttachmentRequest(input *CreateTransitG // Requests a transit gateway peering attachment between the specified transit // gateway (requester) and a peer transit gateway (accepter). The transit gateways // must be in different Regions. The peer transit gateway can be in your account -// or a different AWS account. +// or a different Amazon Web Services account. // // After you create the peering attachment, the owner of the accepter transit // gateway must accept the attachment request. @@ -8104,8 +8370,8 @@ func (c *EC2) CreateVolumeRequest(input *CreateVolumeInput) (req *request.Reques // Zone. // // You can create a new empty volume or restore a volume from an EBS snapshot. -// Any AWS Marketplace product codes from the snapshot are propagated to the -// volume. +// Any Amazon Web Services Marketplace product codes from the snapshot are propagated +// to the volume. // // You can create encrypted volumes. Encrypted volumes must be attached to instances // that support Amazon EBS encryption. Volumes that are created from encrypted @@ -8113,11 +8379,11 @@ func (c *EC2) CreateVolumeRequest(input *CreateVolumeInput) (req *request.Reques // EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // -// You can tag your volumes during creation. For more information, see Tagging -// your Amazon EC2 resources (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) +// You can tag your volumes during creation. For more information, see Tag your +// Amazon EC2 resources (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html) // in the Amazon Elastic Compute Cloud User Guide. // -// For more information, see Creating an Amazon EBS volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-volume.html) +// For more information, see Create an Amazon EBS volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-volume.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -8195,7 +8461,7 @@ func (c *EC2) CreateVpcRequest(input *CreateVpcInput) (req *request.Request, out // Creates a VPC with the specified IPv4 CIDR block. The smallest VPC you can // create uses a /28 netmask (16 IPv4 addresses), and the largest uses a /16 // netmask (65,536 IPv4 addresses). For more information about how large to -// make your VPC, see Your VPC and Subnets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) +// make your VPC, see Your VPC and subnets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) // in the Amazon Virtual Private Cloud User Guide. // // You can optionally request an IPv6 CIDR block for the VPC. You can request @@ -8205,7 +8471,7 @@ func (c *EC2) CreateVpcRequest(input *CreateVpcInput) (req *request.Request, out // // By default, each instance you launch in the VPC has the default DHCP options, // which include only a default DNS server that we provide (AmazonProvidedDNS). -// For more information, see DHCP Options Sets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) +// For more information, see DHCP options sets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) // in the Amazon Virtual Private Cloud User Guide. // // You can specify the instance tenancy value for the VPC when you create it. @@ -8554,9 +8820,9 @@ func (c *EC2) CreateVpcPeeringConnectionRequest(input *CreateVpcPeeringConnectio // // Requests a VPC peering connection between two VPCs: a requester VPC that // you own and an accepter VPC with which to create the connection. The accepter -// VPC can belong to another AWS account and can be in a different Region to -// the requester VPC. The requester VPC and accepter VPC cannot have overlapping -// CIDR blocks. +// VPC can belong to another Amazon Web Services account and can be in a different +// Region to the requester VPC. The requester VPC and accepter VPC cannot have +// overlapping CIDR blocks. // // Limitations and rules apply to a VPC peering connection. For more information, // see the limitations (https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-basics.html#vpc-peering-limitations) @@ -9554,6 +9820,83 @@ func (c *EC2) DeleteFpgaImageWithContext(ctx aws.Context, input *DeleteFpgaImage return out, req.Send() } +const opDeleteInstanceEventWindow = "DeleteInstanceEventWindow" + +// DeleteInstanceEventWindowRequest generates a "aws/request.Request" representing the +// client's request for the DeleteInstanceEventWindow operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteInstanceEventWindow for more information on using the DeleteInstanceEventWindow +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteInstanceEventWindowRequest method. +// req, resp := client.DeleteInstanceEventWindowRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteInstanceEventWindow +func (c *EC2) DeleteInstanceEventWindowRequest(input *DeleteInstanceEventWindowInput) (req *request.Request, output *DeleteInstanceEventWindowOutput) { + op := &request.Operation{ + Name: opDeleteInstanceEventWindow, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteInstanceEventWindowInput{} + } + + output = &DeleteInstanceEventWindowOutput{} + req = c.newRequest(op, input, output) + return +} + +// DeleteInstanceEventWindow API operation for Amazon Elastic Compute Cloud. +// +// Deletes the specified event window. +// +// For more information, see Define event windows for scheduled events (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/event-windows.html) +// in the Amazon EC2 User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DeleteInstanceEventWindow for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteInstanceEventWindow +func (c *EC2) DeleteInstanceEventWindow(input *DeleteInstanceEventWindowInput) (*DeleteInstanceEventWindowOutput, error) { + req, out := c.DeleteInstanceEventWindowRequest(input) + return out, req.Send() +} + +// DeleteInstanceEventWindowWithContext is the same as DeleteInstanceEventWindow with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteInstanceEventWindow for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DeleteInstanceEventWindowWithContext(ctx aws.Context, input *DeleteInstanceEventWindowInput, opts ...request.Option) (*DeleteInstanceEventWindowOutput, error) { + req, out := c.DeleteInstanceEventWindowRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opDeleteInternetGateway = "DeleteInternetGateway" // DeleteInternetGatewayRequest generates a "aws/request.Request" representing the @@ -11051,7 +11394,7 @@ func (c *EC2) DeleteSnapshotRequest(input *DeleteSnapshotInput) (req *request.Re // a registered AMI. You must first de-register the AMI before you can delete // the snapshot. // -// For more information, see Deleting an Amazon EBS snapshot (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-snapshot.html) +// For more information, see Delete an Amazon EBS snapshot (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-snapshot.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -11233,6 +11576,80 @@ func (c *EC2) DeleteSubnetWithContext(ctx aws.Context, input *DeleteSubnetInput, return out, req.Send() } +const opDeleteSubnetCidrReservation = "DeleteSubnetCidrReservation" + +// DeleteSubnetCidrReservationRequest generates a "aws/request.Request" representing the +// client's request for the DeleteSubnetCidrReservation operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DeleteSubnetCidrReservation for more information on using the DeleteSubnetCidrReservation +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DeleteSubnetCidrReservationRequest method. +// req, resp := client.DeleteSubnetCidrReservationRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteSubnetCidrReservation +func (c *EC2) DeleteSubnetCidrReservationRequest(input *DeleteSubnetCidrReservationInput) (req *request.Request, output *DeleteSubnetCidrReservationOutput) { + op := &request.Operation{ + Name: opDeleteSubnetCidrReservation, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DeleteSubnetCidrReservationInput{} + } + + output = &DeleteSubnetCidrReservationOutput{} + req = c.newRequest(op, input, output) + return +} + +// DeleteSubnetCidrReservation API operation for Amazon Elastic Compute Cloud. +// +// Deletes a subnet CIDR reservation. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DeleteSubnetCidrReservation for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DeleteSubnetCidrReservation +func (c *EC2) DeleteSubnetCidrReservation(input *DeleteSubnetCidrReservationInput) (*DeleteSubnetCidrReservationOutput, error) { + req, out := c.DeleteSubnetCidrReservationRequest(input) + return out, req.Send() +} + +// DeleteSubnetCidrReservationWithContext is the same as DeleteSubnetCidrReservation with the addition of +// the ability to pass a context and additional request options. +// +// See DeleteSubnetCidrReservation for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DeleteSubnetCidrReservationWithContext(ctx aws.Context, input *DeleteSubnetCidrReservationInput, opts ...request.Option) (*DeleteSubnetCidrReservationOutput, error) { + req, out := c.DeleteSubnetCidrReservationRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opDeleteTags = "DeleteTags" // DeleteTagsRequest generates a "aws/request.Request" representing the @@ -12334,7 +12751,7 @@ func (c *EC2) DeleteVolumeRequest(input *DeleteVolumeInput) (req *request.Reques // // The volume can remain in the deleting state for several minutes. // -// For more information, see Deleting an Amazon EBS volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-volume.html) +// For more information, see Delete an Amazon EBS volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-deleting-volume.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -13217,6 +13634,8 @@ func (c *EC2) DeregisterInstanceEventNotificationAttributesRequest(input *Deregi // DeregisterInstanceEventNotificationAttributes API operation for Amazon Elastic Compute Cloud. // +// c +// // Deregisters tag keys to prevent tags that have the specified tag keys from // being included in scheduled event notifications for resources in the Region. // @@ -14136,7 +14555,8 @@ func (c *EC2) DescribeCapacityReservationsRequest(input *DescribeCapacityReserva // DescribeCapacityReservations API operation for Amazon Elastic Compute Cloud. // // Describes one or more of your Capacity Reservations. The results describe -// only the Capacity Reservations in the AWS Region that you're currently using. +// only the Capacity Reservations in the Amazon Web Services Region that you're +// currently using. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -15486,7 +15906,7 @@ func (c *EC2) DescribeDhcpOptionsRequest(input *DescribeDhcpOptionsInput) (req * // // Describes one or more of your DHCP options sets. // -// For more information, see DHCP Options Sets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) +// For more information, see DHCP options sets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_DHCP_Options.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -18205,6 +18625,148 @@ func (c *EC2) DescribeInstanceEventNotificationAttributesWithContext(ctx aws.Con return out, req.Send() } +const opDescribeInstanceEventWindows = "DescribeInstanceEventWindows" + +// DescribeInstanceEventWindowsRequest generates a "aws/request.Request" representing the +// client's request for the DescribeInstanceEventWindows operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeInstanceEventWindows for more information on using the DescribeInstanceEventWindows +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeInstanceEventWindowsRequest method. +// req, resp := client.DescribeInstanceEventWindowsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeInstanceEventWindows +func (c *EC2) DescribeInstanceEventWindowsRequest(input *DescribeInstanceEventWindowsInput) (req *request.Request, output *DescribeInstanceEventWindowsOutput) { + op := &request.Operation{ + Name: opDescribeInstanceEventWindows, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"NextToken"}, + OutputTokens: []string{"NextToken"}, + LimitToken: "MaxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &DescribeInstanceEventWindowsInput{} + } + + output = &DescribeInstanceEventWindowsOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeInstanceEventWindows API operation for Amazon Elastic Compute Cloud. +// +// Describes the specified event windows or all event windows. +// +// If you specify event window IDs, the output includes information for only +// the specified event windows. If you specify filters, the output includes +// information for only those event windows that meet the filter criteria. If +// you do not specify event windows IDs or filters, the output includes information +// for all event windows, which can affect performance. We recommend that you +// use pagination to ensure that the operation returns quickly and successfully. +// +// For more information, see Define event windows for scheduled events (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/event-windows.html) +// in the Amazon EC2 User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DescribeInstanceEventWindows for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeInstanceEventWindows +func (c *EC2) DescribeInstanceEventWindows(input *DescribeInstanceEventWindowsInput) (*DescribeInstanceEventWindowsOutput, error) { + req, out := c.DescribeInstanceEventWindowsRequest(input) + return out, req.Send() +} + +// DescribeInstanceEventWindowsWithContext is the same as DescribeInstanceEventWindows with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeInstanceEventWindows for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeInstanceEventWindowsWithContext(ctx aws.Context, input *DescribeInstanceEventWindowsInput, opts ...request.Option) (*DescribeInstanceEventWindowsOutput, error) { + req, out := c.DescribeInstanceEventWindowsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// DescribeInstanceEventWindowsPages iterates over the pages of a DescribeInstanceEventWindows operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See DescribeInstanceEventWindows method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a DescribeInstanceEventWindows operation. +// pageNum := 0 +// err := client.DescribeInstanceEventWindowsPages(params, +// func(page *ec2.DescribeInstanceEventWindowsOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *EC2) DescribeInstanceEventWindowsPages(input *DescribeInstanceEventWindowsInput, fn func(*DescribeInstanceEventWindowsOutput, bool) bool) error { + return c.DescribeInstanceEventWindowsPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// DescribeInstanceEventWindowsPagesWithContext same as DescribeInstanceEventWindowsPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeInstanceEventWindowsPagesWithContext(ctx aws.Context, input *DescribeInstanceEventWindowsInput, fn func(*DescribeInstanceEventWindowsOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *DescribeInstanceEventWindowsInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.DescribeInstanceEventWindowsRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*DescribeInstanceEventWindowsOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + const opDescribeInstanceStatus = "DescribeInstanceStatus" // DescribeInstanceStatusRequest generates a "aws/request.Request" representing the @@ -19086,7 +19648,7 @@ func (c *EC2) DescribeKeyPairsRequest(input *DescribeKeyPairsInput) (req *reques // // Describes the specified key pairs or all of your key pairs. // -// For more information about key pairs, see Key Pairs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) +// For more information about key pairs, see Amazon EC2 key pairs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -21941,8 +22503,8 @@ func (c *EC2) DescribeReplaceRootVolumeTasksRequest(input *DescribeReplaceRootVo // DescribeReplaceRootVolumeTasks API operation for Amazon Elastic Compute Cloud. // // Describes a root volume replacement task. For more information, see Replace -// a root volume (https://docs.aws.amazon.com/) in the Amazon Elastic Compute -// Cloud User Guide. +// a root volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html#replace-root) +// in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -22534,7 +23096,7 @@ func (c *EC2) DescribeRouteTablesRequest(input *DescribeRouteTablesInput) (req * // with the main route table. This command does not return the subnet ID for // implicit associations. // -// For more information, see Route Tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) +// For more information, see Route tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -22964,6 +23526,138 @@ func (c *EC2) DescribeSecurityGroupReferencesWithContext(ctx aws.Context, input return out, req.Send() } +const opDescribeSecurityGroupRules = "DescribeSecurityGroupRules" + +// DescribeSecurityGroupRulesRequest generates a "aws/request.Request" representing the +// client's request for the DescribeSecurityGroupRules operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DescribeSecurityGroupRules for more information on using the DescribeSecurityGroupRules +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DescribeSecurityGroupRulesRequest method. +// req, resp := client.DescribeSecurityGroupRulesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeSecurityGroupRules +func (c *EC2) DescribeSecurityGroupRulesRequest(input *DescribeSecurityGroupRulesInput) (req *request.Request, output *DescribeSecurityGroupRulesOutput) { + op := &request.Operation{ + Name: opDescribeSecurityGroupRules, + HTTPMethod: "POST", + HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"NextToken"}, + OutputTokens: []string{"NextToken"}, + LimitToken: "MaxResults", + TruncationToken: "", + }, + } + + if input == nil { + input = &DescribeSecurityGroupRulesInput{} + } + + output = &DescribeSecurityGroupRulesOutput{} + req = c.newRequest(op, input, output) + return +} + +// DescribeSecurityGroupRules API operation for Amazon Elastic Compute Cloud. +// +// Describes one or more of your security group rules. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DescribeSecurityGroupRules for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DescribeSecurityGroupRules +func (c *EC2) DescribeSecurityGroupRules(input *DescribeSecurityGroupRulesInput) (*DescribeSecurityGroupRulesOutput, error) { + req, out := c.DescribeSecurityGroupRulesRequest(input) + return out, req.Send() +} + +// DescribeSecurityGroupRulesWithContext is the same as DescribeSecurityGroupRules with the addition of +// the ability to pass a context and additional request options. +// +// See DescribeSecurityGroupRules for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeSecurityGroupRulesWithContext(ctx aws.Context, input *DescribeSecurityGroupRulesInput, opts ...request.Option) (*DescribeSecurityGroupRulesOutput, error) { + req, out := c.DescribeSecurityGroupRulesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + +// DescribeSecurityGroupRulesPages iterates over the pages of a DescribeSecurityGroupRules operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See DescribeSecurityGroupRules method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a DescribeSecurityGroupRules operation. +// pageNum := 0 +// err := client.DescribeSecurityGroupRulesPages(params, +// func(page *ec2.DescribeSecurityGroupRulesOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *EC2) DescribeSecurityGroupRulesPages(input *DescribeSecurityGroupRulesInput, fn func(*DescribeSecurityGroupRulesOutput, bool) bool) error { + return c.DescribeSecurityGroupRulesPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// DescribeSecurityGroupRulesPagesWithContext same as DescribeSecurityGroupRulesPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeSecurityGroupRulesPagesWithContext(ctx aws.Context, input *DescribeSecurityGroupRulesInput, fn func(*DescribeSecurityGroupRulesOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *DescribeSecurityGroupRulesInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.DescribeSecurityGroupRulesRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*DescribeSecurityGroupRulesOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + const opDescribeSecurityGroups = "DescribeSecurityGroups" // DescribeSecurityGroupsRequest generates a "aws/request.Request" representing the @@ -23017,9 +23711,9 @@ func (c *EC2) DescribeSecurityGroupsRequest(input *DescribeSecurityGroupsInput) // Describes the specified security groups or all of your security groups. // // A security group is for use with instances either in the EC2-Classic platform -// or in a specific VPC. For more information, see Amazon EC2 Security Groups +// or in a specific VPC. For more information, see Amazon EC2 security groups // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html) -// in the Amazon Elastic Compute Cloud User Guide and Security Groups for Your +// in the Amazon Elastic Compute Cloud User Guide and Security groups for your // VPC (https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html) // in the Amazon Virtual Private Cloud User Guide. // @@ -23235,25 +23929,25 @@ func (c *EC2) DescribeSnapshotsRequest(input *DescribeSnapshotsInput) (req *requ // snapshots available to you. // // The snapshots available to you include public snapshots, private snapshots -// that you own, and private snapshots owned by other AWS accounts for which -// you have explicit create volume permissions. +// that you own, and private snapshots owned by other Amazon Web Services accounts +// for which you have explicit create volume permissions. // // The create volume permissions fall into the following categories: // // * public: The owner of the snapshot granted create volume permissions -// for the snapshot to the all group. All AWS accounts have create volume -// permissions for these snapshots. +// for the snapshot to the all group. All Amazon Web Services accounts have +// create volume permissions for these snapshots. // // * explicit: The owner of the snapshot granted create volume permissions -// to a specific AWS account. +// to a specific Amazon Web Services account. // -// * implicit: An AWS account has implicit create volume permissions for -// all snapshots it owns. +// * implicit: An Amazon Web Services account has implicit create volume +// permissions for all snapshots it owns. // // The list of snapshots returned can be filtered by specifying snapshot IDs, -// snapshot owners, or AWS accounts with create volume permissions. If no options -// are specified, Amazon EC2 returns all snapshots for which you have create -// volume permissions. +// snapshot owners, or Amazon Web Services accounts with create volume permissions. +// If no options are specified, Amazon EC2 returns all snapshots for which you +// have create volume permissions. // // If you specify one or more snapshot IDs, only snapshots that have the specified // IDs are returned. If you specify an invalid snapshot ID, an error is returned. @@ -23262,13 +23956,14 @@ func (c *EC2) DescribeSnapshotsRequest(input *DescribeSnapshotsInput) (req *requ // // If you specify one or more snapshot owners using the OwnerIds option, only // snapshots from the specified owners and for which you have access are returned. -// The results can include the AWS account IDs of the specified owners, amazon -// for snapshots owned by Amazon, or self for snapshots that you own. +// The results can include the Amazon Web Services account IDs of the specified +// owners, amazon for snapshots owned by Amazon, or self for snapshots that +// you own. // // If you specify a list of restorable users, only snapshots with create snapshot -// permissions for those users are returned. You can specify AWS account IDs -// (if you own the snapshots), self for snapshots for which you own or have -// explicit permissions, or all for public snapshots. +// permissions for those users are returned. You can specify Amazon Web Services +// account IDs (if you own the snapshots), self for snapshots for which you +// own or have explicit permissions, or all for public snapshots. // // If you are describing a long list of snapshots, we recommend that you paginate // the output to make the list more manageable. The MaxResults parameter sets @@ -24348,7 +25043,7 @@ func (c *EC2) DescribeSubnetsRequest(input *DescribeSubnetsInput) (req *request. // // Describes one or more of your subnets. // -// For more information, see Your VPC and Subnets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) +// For more information, see Your VPC and subnets (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Subnets.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -26056,6 +26751,12 @@ func (c *EC2) DescribeTrunkInterfaceAssociationsRequest(input *DescribeTrunkInte Name: opDescribeTrunkInterfaceAssociations, HTTPMethod: "POST", HTTPPath: "/", + Paginator: &request.Paginator{ + InputTokens: []string{"NextToken"}, + OutputTokens: []string{"NextToken"}, + LimitToken: "MaxResults", + TruncationToken: "", + }, } if input == nil { @@ -26069,6 +26770,10 @@ func (c *EC2) DescribeTrunkInterfaceAssociationsRequest(input *DescribeTrunkInte // DescribeTrunkInterfaceAssociations API operation for Amazon Elastic Compute Cloud. // +// +// This API action is currently in limited preview only. If you are interested +// in using this feature, contact your account manager. +// // Describes one or more network interface trunk associations. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -26099,6 +26804,58 @@ func (c *EC2) DescribeTrunkInterfaceAssociationsWithContext(ctx aws.Context, inp return out, req.Send() } +// DescribeTrunkInterfaceAssociationsPages iterates over the pages of a DescribeTrunkInterfaceAssociations operation, +// calling the "fn" function with the response data for each page. To stop +// iterating, return false from the fn function. +// +// See DescribeTrunkInterfaceAssociations method for more information on how to use this operation. +// +// Note: This operation can generate multiple requests to a service. +// +// // Example iterating over at most 3 pages of a DescribeTrunkInterfaceAssociations operation. +// pageNum := 0 +// err := client.DescribeTrunkInterfaceAssociationsPages(params, +// func(page *ec2.DescribeTrunkInterfaceAssociationsOutput, lastPage bool) bool { +// pageNum++ +// fmt.Println(page) +// return pageNum <= 3 +// }) +// +func (c *EC2) DescribeTrunkInterfaceAssociationsPages(input *DescribeTrunkInterfaceAssociationsInput, fn func(*DescribeTrunkInterfaceAssociationsOutput, bool) bool) error { + return c.DescribeTrunkInterfaceAssociationsPagesWithContext(aws.BackgroundContext(), input, fn) +} + +// DescribeTrunkInterfaceAssociationsPagesWithContext same as DescribeTrunkInterfaceAssociationsPages except +// it takes a Context and allows setting request options on the pages. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DescribeTrunkInterfaceAssociationsPagesWithContext(ctx aws.Context, input *DescribeTrunkInterfaceAssociationsInput, fn func(*DescribeTrunkInterfaceAssociationsOutput, bool) bool, opts ...request.Option) error { + p := request.Pagination{ + NewRequest: func() (*request.Request, error) { + var inCpy *DescribeTrunkInterfaceAssociationsInput + if input != nil { + tmp := *input + inCpy = &tmp + } + req, _ := c.DescribeTrunkInterfaceAssociationsRequest(inCpy) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return req, nil + }, + } + + for p.Next() { + if !fn(p.Page().(*DescribeTrunkInterfaceAssociationsOutput), !p.HasNextPage()) { + break + } + } + + return p.Err() +} + const opDescribeVolumeAttribute = "DescribeVolumeAttribute" // DescribeVolumeAttributeRequest generates a "aws/request.Request" representing the @@ -26244,7 +27001,7 @@ func (c *EC2) DescribeVolumeStatusRequest(input *DescribeVolumeStatusInput) (req // status of the volume is ok. If the check fails, the overall status is impaired. // If the status is insufficient-data, then the checks might still be taking // place on your volume at the time. We recommend that you retry the request. -// For more information about volume status, see Monitoring the status of your +// For more information about volume status, see Monitor the status of your // volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-status.html) // in the Amazon Elastic Compute Cloud User Guide. // @@ -26546,7 +27303,7 @@ func (c *EC2) DescribeVolumesModificationsRequest(input *DescribeVolumesModifica // You can also use CloudWatch Events to check the status of a modification // to an EBS volume. For information about CloudWatch Events, see the Amazon // CloudWatch Events User Guide (https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/). -// For more information, see Monitoring volume modifications (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-expand-volume.html#monitoring_mods) +// For more information, see Monitor the progress of volume modifications (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-modifications.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -28359,10 +29116,10 @@ func (c *EC2) DetachVolumeRequest(input *DetachVolumeInput) (req *request.Reques // while the instance is running. To detach the root volume, stop the instance // first. // -// When a volume with an AWS Marketplace product code is detached from an instance, -// the product code is no longer associated with the instance. +// When a volume with an Amazon Web Services Marketplace product code is detached +// from an instance, the product code is no longer associated with the instance. // -// For more information, see Detaching an Amazon EBS volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html) +// For more information, see Detach an Amazon EBS volume (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -29305,13 +30062,12 @@ func (c *EC2) DisassociateEnclaveCertificateIamRoleRequest(input *DisassociateEn // DisassociateEnclaveCertificateIamRole API operation for Amazon Elastic Compute Cloud. // -// Disassociates an IAM role from an AWS Certificate Manager (ACM) certificate. +// Disassociates an IAM role from an Certificate Manager (ACM) certificate. // Disassociating an IAM role from an ACM certificate removes the Amazon S3 // object that contains the certificate, certificate chain, and encrypted private // key from the Amazon S3 bucket. It also revokes the IAM role's permission -// to use the AWS Key Management Service (KMS) customer master key (CMK) used -// to encrypt the private key. This effectively revokes the role's permission -// to use the certificate. +// to use the KMS key used to encrypt the private key. This effectively revokes +// the role's permission to use the certificate. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -29417,6 +30173,83 @@ func (c *EC2) DisassociateIamInstanceProfileWithContext(ctx aws.Context, input * return out, req.Send() } +const opDisassociateInstanceEventWindow = "DisassociateInstanceEventWindow" + +// DisassociateInstanceEventWindowRequest generates a "aws/request.Request" representing the +// client's request for the DisassociateInstanceEventWindow operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See DisassociateInstanceEventWindow for more information on using the DisassociateInstanceEventWindow +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the DisassociateInstanceEventWindowRequest method. +// req, resp := client.DisassociateInstanceEventWindowRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DisassociateInstanceEventWindow +func (c *EC2) DisassociateInstanceEventWindowRequest(input *DisassociateInstanceEventWindowInput) (req *request.Request, output *DisassociateInstanceEventWindowOutput) { + op := &request.Operation{ + Name: opDisassociateInstanceEventWindow, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &DisassociateInstanceEventWindowInput{} + } + + output = &DisassociateInstanceEventWindowOutput{} + req = c.newRequest(op, input, output) + return +} + +// DisassociateInstanceEventWindow API operation for Amazon Elastic Compute Cloud. +// +// Disassociates one or more targets from an event window. +// +// For more information, see Define event windows for scheduled events (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/event-windows.html) +// in the Amazon EC2 User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation DisassociateInstanceEventWindow for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/DisassociateInstanceEventWindow +func (c *EC2) DisassociateInstanceEventWindow(input *DisassociateInstanceEventWindowInput) (*DisassociateInstanceEventWindowOutput, error) { + req, out := c.DisassociateInstanceEventWindowRequest(input) + return out, req.Send() +} + +// DisassociateInstanceEventWindowWithContext is the same as DisassociateInstanceEventWindow with the addition of +// the ability to pass a context and additional request options. +// +// See DisassociateInstanceEventWindow for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) DisassociateInstanceEventWindowWithContext(ctx aws.Context, input *DisassociateInstanceEventWindowInput, opts ...request.Option) (*DisassociateInstanceEventWindowOutput, error) { + req, out := c.DisassociateInstanceEventWindowRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opDisassociateRouteTable = "DisassociateRouteTable" // DisassociateRouteTableRequest generates a "aws/request.Request" representing the @@ -29466,7 +30299,7 @@ func (c *EC2) DisassociateRouteTableRequest(input *DisassociateRouteTableInput) // // After you perform this action, the subnet no longer uses the routes in the // route table. Instead, it uses the routes in the VPC's main route table. For -// more information about route tables, see Route Tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) +// more information about route tables, see Route tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -29765,6 +30598,10 @@ func (c *EC2) DisassociateTrunkInterfaceRequest(input *DisassociateTrunkInterfac // DisassociateTrunkInterface API operation for Amazon Elastic Compute Cloud. // +// +// This API action is currently in limited preview only. If you are interested +// in using this feature, contact your account manager. +// // Removes an association between a branch network interface with a trunk network // interface. // @@ -29923,12 +30760,12 @@ func (c *EC2) EnableEbsEncryptionByDefaultRequest(input *EnableEbsEncryptionByDe // Enables EBS encryption by default for your account in the current Region. // // After you enable encryption by default, the EBS volumes that you create are -// always encrypted, either using the default CMK or the CMK that you specified -// when you created each volume. For more information, see Amazon EBS encryption -// (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) +// always encrypted, either using the default KMS key or the KMS key that you +// specified when you created each volume. For more information, see Amazon +// EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // -// You can specify the default CMK for encryption by default using ModifyEbsDefaultKmsKeyId +// You can specify the default KMS key for encryption by default using ModifyEbsDefaultKmsKeyId // or ResetEbsDefaultKmsKeyId. // // Enabling encryption by default has no effect on the encryption status of @@ -30944,11 +31781,10 @@ func (c *EC2) GetAssociatedEnclaveCertificateIamRolesRequest(input *GetAssociate // GetAssociatedEnclaveCertificateIamRoles API operation for Amazon Elastic Compute Cloud. // -// Returns the IAM roles that are associated with the specified AWS Certificate -// Manager (ACM) certificate. It also returns the name of the Amazon S3 bucket -// and the Amazon S3 object key where the certificate, certificate chain, and -// encrypted private key bundle are stored, and the ARN of the AWS Key Management -// Service (KMS) customer master key (CMK) that's used to encrypt the private +// Returns the IAM roles that are associated with the specified ACM (ACM) certificate. +// It also returns the name of the Amazon S3 bucket and the Amazon S3 object +// key where the certificate, certificate chain, and encrypted private key bundle +// are stored, and the ARN of the KMS key that's used to encrypt the private // key. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -31158,8 +31994,8 @@ func (c *EC2) GetCapacityReservationUsageRequest(input *GetCapacityReservationUs // // Gets usage information about a Capacity Reservation. If the Capacity Reservation // is shared, it shows usage information for the Capacity Reservation owner -// and each AWS account that is currently using the shared capacity. If the -// Capacity Reservation is not shared, it shows only the Capacity Reservation +// and each Amazon Web Services account that is currently using the shared capacity. +// If the Capacity Reservation is not shared, it shows only the Capacity Reservation // owner's usage. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -31552,9 +32388,9 @@ func (c *EC2) GetEbsDefaultKmsKeyIdRequest(input *GetEbsDefaultKmsKeyIdInput) (r // GetEbsDefaultKmsKeyId API operation for Amazon Elastic Compute Cloud. // -// Describes the default customer master key (CMK) for EBS encryption by default -// for your account in this Region. You can change the default CMK for encryption -// by default using ModifyEbsDefaultKmsKeyId or ResetEbsDefaultKmsKeyId. +// Describes the default KMS key for EBS encryption by default for your account +// in this Region. You can change the default KMS key for encryption by default +// using ModifyEbsDefaultKmsKeyId or ResetEbsDefaultKmsKeyId. // // For more information, see Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. @@ -32555,6 +33391,80 @@ func (c *EC2) GetSerialConsoleAccessStatusWithContext(ctx aws.Context, input *Ge return out, req.Send() } +const opGetSubnetCidrReservations = "GetSubnetCidrReservations" + +// GetSubnetCidrReservationsRequest generates a "aws/request.Request" representing the +// client's request for the GetSubnetCidrReservations operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See GetSubnetCidrReservations for more information on using the GetSubnetCidrReservations +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the GetSubnetCidrReservationsRequest method. +// req, resp := client.GetSubnetCidrReservationsRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/GetSubnetCidrReservations +func (c *EC2) GetSubnetCidrReservationsRequest(input *GetSubnetCidrReservationsInput) (req *request.Request, output *GetSubnetCidrReservationsOutput) { + op := &request.Operation{ + Name: opGetSubnetCidrReservations, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &GetSubnetCidrReservationsInput{} + } + + output = &GetSubnetCidrReservationsOutput{} + req = c.newRequest(op, input, output) + return +} + +// GetSubnetCidrReservations API operation for Amazon Elastic Compute Cloud. +// +// Gets information about the subnet CIDR reservations. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation GetSubnetCidrReservations for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/GetSubnetCidrReservations +func (c *EC2) GetSubnetCidrReservations(input *GetSubnetCidrReservationsInput) (*GetSubnetCidrReservationsOutput, error) { + req, out := c.GetSubnetCidrReservationsRequest(input) + return out, req.Send() +} + +// GetSubnetCidrReservationsWithContext is the same as GetSubnetCidrReservations with the addition of +// the ability to pass a context and additional request options. +// +// See GetSubnetCidrReservations for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) GetSubnetCidrReservationsWithContext(ctx aws.Context, input *GetSubnetCidrReservationsInput, opts ...request.Option) (*GetSubnetCidrReservationsOutput, error) { + req, out := c.GetSubnetCidrReservationsRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opGetTransitGatewayAttachmentPropagations = "GetTransitGatewayAttachmentPropagations" // GetTransitGatewayAttachmentPropagationsRequest generates a "aws/request.Request" representing the @@ -33426,9 +34336,9 @@ func (c *EC2) ImportInstanceRequest(input *ImportInstanceInput) (req *request.Re // This API action supports only single-volume VMs. To import multi-volume VMs, // use ImportImage instead. // -// This API action is not supported by the AWS Command Line Interface (AWS CLI). -// For information about using the Amazon EC2 CLI, which is deprecated, see -// Importing a VM to Amazon EC2 (https://awsdocs.s3.amazonaws.com/EC2/ec2-clt.pdf#UsingVirtualMachinesinAmazonEC2) +// This API action is not supported by the Command Line Interface (CLI). For +// information about using the Amazon EC2 CLI, which is deprecated, see Importing +// a VM to Amazon EC2 (https://awsdocs.s3.amazonaws.com/EC2/ec2-clt.pdf#UsingVirtualMachinesinAmazonEC2) // in the Amazon EC2 CLI Reference PDF file. // // For information about the import manifest referenced by this API action, @@ -33506,13 +34416,14 @@ func (c *EC2) ImportKeyPairRequest(input *ImportKeyPairInput) (req *request.Requ // ImportKeyPair API operation for Amazon Elastic Compute Cloud. // -// Imports the public key from an RSA key pair that you created with a third-party -// tool. Compare this with CreateKeyPair, in which AWS creates the key pair -// and gives the keys to you (AWS keeps a copy of the public key). With ImportKeyPair, -// you create the key pair and give AWS just the public key. The private key -// is never transferred between you and AWS. +// Imports the public key from an RSA or ED25519 key pair that you created with +// a third-party tool. Compare this with CreateKeyPair, in which Amazon Web +// Services creates the key pair and gives the keys to you (Amazon Web Services +// keeps a copy of the public key). With ImportKeyPair, you create the key pair +// and give Amazon Web Services just the public key. The private key is never +// transferred between you and Amazon Web Services. // -// For more information about key pairs, see Key Pairs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) +// For more information about key pairs, see Amazon EC2 key pairs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -33671,9 +34582,9 @@ func (c *EC2) ImportVolumeRequest(input *ImportVolumeInput) (req *request.Reques // use ImportImage instead. To import a disk to a snapshot, use ImportSnapshot // instead. // -// This API action is not supported by the AWS Command Line Interface (AWS CLI). -// For information about using the Amazon EC2 CLI, which is deprecated, see -// Importing Disks to Amazon EBS (https://awsdocs.s3.amazonaws.com/EC2/ec2-clt.pdf#importing-your-volumes-into-amazon-ebs) +// This API action is not supported by the Command Line Interface (CLI). For +// information about using the Amazon EC2 CLI, which is deprecated, see Importing +// Disks to Amazon EBS (https://awsdocs.s3.amazonaws.com/EC2/ec2-clt.pdf#importing-your-volumes-into-amazon-ebs) // in the Amazon EC2 CLI Reference PDF file. // // For information about the import manifest referenced by this API action, @@ -34059,16 +34970,16 @@ func (c *EC2) ModifyDefaultCreditSpecificationRequest(input *ModifyDefaultCredit // ModifyDefaultCreditSpecification API operation for Amazon Elastic Compute Cloud. // // Modifies the default credit option for CPU usage of burstable performance -// instances. The default credit option is set at the account level per AWS -// Region, and is specified per instance family. All new burstable performance -// instances in the account launch using the default credit option. +// instances. The default credit option is set at the account level per Amazon +// Web Services Region, and is specified per instance family. All new burstable +// performance instances in the account launch using the default credit option. // // ModifyDefaultCreditSpecification is an asynchronous operation, which works -// at an AWS Region level and modifies the credit option for each Availability -// Zone. All zones in a Region are updated within five minutes. But if instances -// are launched during this operation, they might not get the new credit option -// until the zone is updated. To verify whether the update has occurred, you -// can call GetDefaultCreditSpecification and check DefaultCreditSpecification +// at an Amazon Web Services Region level and modifies the credit option for +// each Availability Zone. All zones in a Region are updated within five minutes. +// But if instances are launched during this operation, they might not get the +// new credit option until the zone is updated. To verify whether the update +// has occurred, you can call GetDefaultCreditSpecification and check DefaultCreditSpecification // for updates. // // For more information, see Burstable performance instances (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/burstable-performance-instances.html) @@ -34146,17 +35057,18 @@ func (c *EC2) ModifyEbsDefaultKmsKeyIdRequest(input *ModifyEbsDefaultKmsKeyIdInp // ModifyEbsDefaultKmsKeyId API operation for Amazon Elastic Compute Cloud. // -// Changes the default customer master key (CMK) for EBS encryption by default -// for your account in this Region. +// Changes the default KMS key for EBS encryption by default for your account +// in this Region. // -// AWS creates a unique AWS managed CMK in each Region for use with encryption -// by default. If you change the default CMK to a symmetric customer managed -// CMK, it is used instead of the AWS managed CMK. To reset the default CMK -// to the AWS managed CMK for EBS, use ResetEbsDefaultKmsKeyId. Amazon EBS does -// not support asymmetric CMKs. +// Amazon Web Services creates a unique Amazon Web Services managed KMS key +// in each Region for use with encryption by default. If you change the default +// KMS key to a symmetric customer managed KMS key, it is used instead of the +// Amazon Web Services managed KMS key. To reset the default KMS key to the +// Amazon Web Services managed KMS key for EBS, use ResetEbsDefaultKmsKeyId. +// Amazon EBS does not support asymmetric KMS keys. // -// If you delete or disable the customer managed CMK that you specified for -// use with encryption by default, your instances will fail to launch. +// If you delete or disable the customer managed KMS key that you specified +// for use with encryption by default, your instances will fail to launch. // // For more information, see Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. @@ -35043,6 +35955,92 @@ func (c *EC2) ModifyInstanceEventStartTimeWithContext(ctx aws.Context, input *Mo return out, req.Send() } +const opModifyInstanceEventWindow = "ModifyInstanceEventWindow" + +// ModifyInstanceEventWindowRequest generates a "aws/request.Request" representing the +// client's request for the ModifyInstanceEventWindow operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ModifyInstanceEventWindow for more information on using the ModifyInstanceEventWindow +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ModifyInstanceEventWindowRequest method. +// req, resp := client.ModifyInstanceEventWindowRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyInstanceEventWindow +func (c *EC2) ModifyInstanceEventWindowRequest(input *ModifyInstanceEventWindowInput) (req *request.Request, output *ModifyInstanceEventWindowOutput) { + op := &request.Operation{ + Name: opModifyInstanceEventWindow, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ModifyInstanceEventWindowInput{} + } + + output = &ModifyInstanceEventWindowOutput{} + req = c.newRequest(op, input, output) + return +} + +// ModifyInstanceEventWindow API operation for Amazon Elastic Compute Cloud. +// +// Modifies the specified event window. +// +// You can define either a set of time ranges or a cron expression when modifying +// the event window, but not both. +// +// To modify the targets associated with the event window, use the AssociateInstanceEventWindow +// and DisassociateInstanceEventWindow API. +// +// If Amazon Web Services has already scheduled an event, modifying an event +// window won't change the time of the scheduled event. +// +// For more information, see Define event windows for scheduled events (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/event-windows.html) +// in the Amazon EC2 User Guide. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation ModifyInstanceEventWindow for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifyInstanceEventWindow +func (c *EC2) ModifyInstanceEventWindow(input *ModifyInstanceEventWindowInput) (*ModifyInstanceEventWindowOutput, error) { + req, out := c.ModifyInstanceEventWindowRequest(input) + return out, req.Send() +} + +// ModifyInstanceEventWindowWithContext is the same as ModifyInstanceEventWindow with the addition of +// the ability to pass a context and additional request options. +// +// See ModifyInstanceEventWindow for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) ModifyInstanceEventWindowWithContext(ctx aws.Context, input *ModifyInstanceEventWindowInput, opts ...request.Option) (*ModifyInstanceEventWindowOutput, error) { + req, out := c.ModifyInstanceEventWindowRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opModifyInstanceMetadataOptions = "ModifyInstanceMetadataOptions" // ModifyInstanceMetadataOptionsRequest generates a "aws/request.Request" representing the @@ -35532,6 +36530,80 @@ func (c *EC2) ModifyReservedInstancesWithContext(ctx aws.Context, input *ModifyR return out, req.Send() } +const opModifySecurityGroupRules = "ModifySecurityGroupRules" + +// ModifySecurityGroupRulesRequest generates a "aws/request.Request" representing the +// client's request for the ModifySecurityGroupRules operation. The "output" return +// value will be populated with the request's response once the request completes +// successfully. +// +// Use "Send" method on the returned Request to send the API call to the service. +// the "output" return value is not valid until after Send returns without error. +// +// See ModifySecurityGroupRules for more information on using the ModifySecurityGroupRules +// API call, and error handling. +// +// This method is useful when you want to inject custom logic or configuration +// into the SDK's request lifecycle. Such as custom headers, or retry logic. +// +// +// // Example sending a request using the ModifySecurityGroupRulesRequest method. +// req, resp := client.ModifySecurityGroupRulesRequest(params) +// +// err := req.Send() +// if err == nil { // resp is now filled +// fmt.Println(resp) +// } +// +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifySecurityGroupRules +func (c *EC2) ModifySecurityGroupRulesRequest(input *ModifySecurityGroupRulesInput) (req *request.Request, output *ModifySecurityGroupRulesOutput) { + op := &request.Operation{ + Name: opModifySecurityGroupRules, + HTTPMethod: "POST", + HTTPPath: "/", + } + + if input == nil { + input = &ModifySecurityGroupRulesInput{} + } + + output = &ModifySecurityGroupRulesOutput{} + req = c.newRequest(op, input, output) + return +} + +// ModifySecurityGroupRules API operation for Amazon Elastic Compute Cloud. +// +// Modifies the rules of a security group. +// +// Returns awserr.Error for service API and SDK errors. Use runtime type assertions +// with awserr.Error's Code and Message methods to get detailed information about +// the error. +// +// See the AWS API reference guide for Amazon Elastic Compute Cloud's +// API operation ModifySecurityGroupRules for usage and error information. +// See also, https://docs.aws.amazon.com/goto/WebAPI/ec2-2016-11-15/ModifySecurityGroupRules +func (c *EC2) ModifySecurityGroupRules(input *ModifySecurityGroupRulesInput) (*ModifySecurityGroupRulesOutput, error) { + req, out := c.ModifySecurityGroupRulesRequest(input) + return out, req.Send() +} + +// ModifySecurityGroupRulesWithContext is the same as ModifySecurityGroupRules with the addition of +// the ability to pass a context and additional request options. +// +// See ModifySecurityGroupRules for details on how to use this API operation. +// +// The context must be non-nil and will be used for request cancellation. If +// the context is nil a panic will occur. In the future the SDK may create +// sub-contexts for http.Requests. See https://golang.org/pkg/context/ +// for more information on using Contexts. +func (c *EC2) ModifySecurityGroupRulesWithContext(ctx aws.Context, input *ModifySecurityGroupRulesInput, opts ...request.Option) (*ModifySecurityGroupRulesOutput, error) { + req, out := c.ModifySecurityGroupRulesRequest(input) + req.SetContext(ctx) + req.ApplyOptions(opts...) + return out, req.Send() +} + const opModifySnapshotAttribute = "ModifySnapshotAttribute" // ModifySnapshotAttributeRequest generates a "aws/request.Request" representing the @@ -35578,16 +36650,17 @@ func (c *EC2) ModifySnapshotAttributeRequest(input *ModifySnapshotAttributeInput // ModifySnapshotAttribute API operation for Amazon Elastic Compute Cloud. // // Adds or removes permission settings for the specified snapshot. You may add -// or remove specified AWS account IDs from a snapshot's list of create volume -// permissions, but you cannot do both in a single operation. If you need to -// both add and remove account IDs for a snapshot, you must use multiple operations. -// You can make up to 500 modifications to a snapshot in a single operation. +// or remove specified Amazon Web Services account IDs from a snapshot's list +// of create volume permissions, but you cannot do both in a single operation. +// If you need to both add and remove account IDs for a snapshot, you must use +// multiple operations. You can make up to 500 modifications to a snapshot in +// a single operation. // -// Encrypted snapshots and snapshots with AWS Marketplace product codes cannot -// be made public. Snapshots encrypted with your default CMK cannot be shared -// with other accounts. +// Encrypted snapshots and snapshots with Amazon Web Services Marketplace product +// codes cannot be made public. Snapshots encrypted with your default KMS key +// cannot be shared with other accounts. // -// For more information about modifying snapshot permissions, see Sharing snapshots +// For more information about modifying snapshot permissions, see Share a snapshot // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html) // in the Amazon Elastic Compute Cloud User Guide. // @@ -36305,34 +37378,28 @@ func (c *EC2) ModifyVolumeRequest(input *ModifyVolumeInput) (req *request.Reques // size, volume type, and IOPS capacity. If your EBS volume is attached to a // current-generation EC2 instance type, you might be able to apply these changes // without stopping the instance or detaching the volume from it. For more information -// about modifying an EBS volume running Linux, see Modifying the size, IOPS, -// or type of an EBS volume on Linux (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-expand-volume.html). -// For more information about modifying an EBS volume running Windows, see Modifying -// the size, IOPS, or type of an EBS volume on Windows (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-expand-volume.html). +// about modifying EBS volumes, see Amazon EBS Elastic Volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modify-volume.html) +// (Linux instances) or Amazon EBS Elastic Volumes (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-modify-volume.html) +// (Windows instances). // // When you complete a resize operation on your volume, you need to extend the // volume's file-system size to take advantage of the new storage capacity. -// For information about extending a Linux file system, see Extending a Linux -// file system (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-expand-volume.html#recognize-expanded-volume-linux). -// For information about extending a Windows file system, see Extending a Windows -// file system (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-expand-volume.html#recognize-expanded-volume-windows). +// For more information, see Extend a Linux file system (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-expand-volume.html#recognize-expanded-volume-linux) +// or Extend a Windows file system (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-expand-volume.html#recognize-expanded-volume-windows). // // You can use CloudWatch Events to check the status of a modification to an // EBS volume. For information about CloudWatch Events, see the Amazon CloudWatch // Events User Guide (https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/). // You can also track the status of a modification using DescribeVolumesModifications. -// For information about tracking status changes using either method, see Monitoring -// volume modifications (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-expand-volume.html#monitoring_mods). +// For information about tracking status changes using either method, see Monitor +// the progress of volume modifications (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/monitoring-volume-modifications.html). // // With previous-generation instance types, resizing an EBS volume might require // detaching and reattaching the volume or stopping and restarting the instance. -// For more information, see Amazon EBS Elastic Volumes (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modify-volume.html) -// (Linux) or Amazon EBS Elastic Volumes (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/ebs-modify-volume.html) -// (Windows). // -// If you reach the maximum volume modification rate per volume limit, you will -// need to wait at least six hours before applying further modifications to -// the affected EBS volume. +// If you reach the maximum volume modification rate per volume limit, you must +// wait at least six hours before applying further modifications to the affected +// EBS volume. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -36894,16 +37961,17 @@ func (c *EC2) ModifyVpcPeeringConnectionOptionsRequest(input *ModifyVpcPeeringCo // * Enable/disable the ability to resolve public DNS hostnames to private // IP addresses when queried from instances in the peer VPC. // -// If the peered VPCs are in the same AWS account, you can enable DNS resolution -// for queries from the local VPC. This ensures that queries from the local -// VPC resolve to private IP addresses in the peer VPC. This option is not available -// if the peered VPCs are in different AWS accounts or different Regions. For -// peered VPCs in different AWS accounts, each AWS account owner must initiate -// a separate request to modify the peering connection options. For inter-region -// peering connections, you must use the Region for the requester VPC to modify -// the requester VPC peering options and the Region for the accepter VPC to -// modify the accepter VPC peering options. To verify which VPCs are the accepter -// and the requester for a VPC peering connection, use the DescribeVpcPeeringConnections +// If the peered VPCs are in the same Amazon Web Services account, you can enable +// DNS resolution for queries from the local VPC. This ensures that queries +// from the local VPC resolve to private IP addresses in the peer VPC. This +// option is not available if the peered VPCs are in different different Amazon +// Web Services accounts or different Regions. For peered VPCs in different +// Amazon Web Services accounts, each Amazon Web Services account owner must +// initiate a separate request to modify the peering connection options. For +// inter-region peering connections, you must use the Region for the requester +// VPC to modify the requester VPC peering options and the Region for the accepter +// VPC to modify the accepter VPC peering options. To verify which VPCs are +// the accepter and the requester for a VPC peering connection, use the DescribeVpcPeeringConnections // command. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -38747,7 +39815,7 @@ func (c *EC2) ReleaseAddressRequest(input *ReleaseAddressInput) (req *request.Re // Be sure to update your DNS records and any servers or devices that communicate // with the address. If you attempt to release an Elastic IP address that you // already released, you'll get an AuthFailure error if the address is already -// allocated to another account. +// allocated to another Amazon Web Services account. // // [EC2-VPC] After you release an Elastic IP address for use in a VPC, you might // be able to recover it. For more information, see AllocateAddress. @@ -39149,7 +40217,7 @@ func (c *EC2) ReplaceRouteRequest(input *ReplaceRouteInput) (req *request.Reques // instance, NAT gateway, VPC peering connection, network interface, egress-only // internet gateway, or transit gateway. // -// For more information, see Route Tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) +// For more information, see Route tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) // in the Amazon Virtual Private Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -39227,7 +40295,7 @@ func (c *EC2) ReplaceRouteTableAssociationRequest(input *ReplaceRouteTableAssoci // Changes the route table associated with a given subnet, internet gateway, // or virtual private gateway in a VPC. After the operation completes, the subnet // or gateway uses the routes in the new route table. For more information about -// route tables, see Route Tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) +// route tables, see Route tables (https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Route_Tables.html) // in the Amazon Virtual Private Cloud User Guide. // // You can also use this operation to change which table is the main route table @@ -39711,12 +40779,13 @@ func (c *EC2) ResetEbsDefaultKmsKeyIdRequest(input *ResetEbsDefaultKmsKeyIdInput // ResetEbsDefaultKmsKeyId API operation for Amazon Elastic Compute Cloud. // -// Resets the default customer master key (CMK) for EBS encryption for your -// account in this Region to the AWS managed CMK for EBS. +// Resets the default KMS key for EBS encryption for your account in this Region +// to the Amazon Web Services managed KMS key for EBS. // -// After resetting the default CMK to the AWS managed CMK, you can continue -// to encrypt by a customer managed CMK by specifying it when you create the -// volume. For more information, see Amazon EBS encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) +// After resetting the default KMS key to the Amazon Web Services managed KMS +// key, you can continue to encrypt by a customer managed KMS key by specifying +// it when you create the volume. For more information, see Amazon EBS encryption +// (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions @@ -40105,7 +41174,7 @@ func (c *EC2) ResetSnapshotAttributeRequest(input *ResetSnapshotAttributeInput) // // Resets permission settings for the specified snapshot. // -// For more information about modifying snapshot permissions, see Sharing snapshots +// For more information about modifying snapshot permissions, see Share a snapshot // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html) // in the Amazon Elastic Compute Cloud User Guide. // @@ -40407,23 +41476,25 @@ func (c *EC2) RevokeSecurityGroupEgressRequest(input *RevokeSecurityGroupEgressI // RevokeSecurityGroupEgress API operation for Amazon Elastic Compute Cloud. // -// [VPC only] Removes the specified egress rules from a security group for EC2-VPC. -// This action does not apply to security groups for use in EC2-Classic. To -// remove a rule, the values that you specify (for example, ports) must match -// the existing rule's values exactly. +// [VPC only] Removes the specified outbound (egress) rules from a security +// group for EC2-VPC. This action does not apply to security groups for use +// in EC2-Classic. +// +// You can specify rules using either rule IDs or security group rule properties. +// If you use rule properties, the values that you specify (for example, ports) +// must match the existing rule's values exactly. Each rule has a protocol, +// from and to ports, and destination (CIDR range, security group, or prefix +// list). For the TCP and UDP protocols, you must also specify the destination +// port or range of ports. For the ICMP protocol, you must also specify the +// ICMP type and code. If the security group rule has a description, you do +// not need to specify the description to revoke the rule. // // [Default VPC] If the values you specify do not match the existing rule's // values, no error is returned, and the output describes the security group // rules that were not revoked. // -// AWS recommends that you use DescribeSecurityGroups to verify that the rule -// has been removed. -// -// Each rule consists of the protocol and the IPv4 or IPv6 CIDR range or source -// security group. For the TCP and UDP protocols, you must also specify the -// destination port or range of ports. For the ICMP protocol, you must also -// specify the ICMP type and code. If the security group rule has a description, -// you do not have to specify the description to revoke the rule. +// Amazon Web Services recommends that you describe the security group to verify +// that the rules were removed. // // Rule changes are propagated to instances within the security group as quickly // as possible. However, a small delay might occur. @@ -40500,22 +41571,23 @@ func (c *EC2) RevokeSecurityGroupIngressRequest(input *RevokeSecurityGroupIngres // RevokeSecurityGroupIngress API operation for Amazon Elastic Compute Cloud. // -// Removes the specified ingress rules from a security group. To remove a rule, -// the values that you specify (for example, ports) must match the existing -// rule's values exactly. +// Removes the specified inbound (ingress) rules from a security group. // -// [EC2-Classic , default VPC] If the values you specify do not match the existing +// You can specify rules using either rule IDs or security group rule properties. +// If you use rule properties, the values that you specify (for example, ports) +// must match the existing rule's values exactly. Each rule has a protocol, +// from and to ports, and source (CIDR range, security group, or prefix list). +// For the TCP and UDP protocols, you must also specify the destination port +// or range of ports. For the ICMP protocol, you must also specify the ICMP +// type and code. If the security group rule has a description, you do not need +// to specify the description to revoke the rule. +// +// [EC2-Classic, default VPC] If the values you specify do not match the existing // rule's values, no error is returned, and the output describes the security // group rules that were not revoked. // -// AWS recommends that you use DescribeSecurityGroups to verify that the rule -// has been removed. -// -// Each rule consists of the protocol and the CIDR range or source security -// group. For the TCP and UDP protocols, you must also specify the destination -// port or range of ports. For the ICMP protocol, you must also specify the -// ICMP type and code. If the security group rule has a description, you do -// not have to specify the description to revoke the rule. +// Amazon Web Services recommends that you describe the security group to verify +// that the rules were removed. // // Rule changes are propagated to instances within the security group as quickly // as possible. However, a small delay might occur. @@ -41239,11 +42311,7 @@ func (c *EC2) StartInstancesRequest(input *StartInstancesInput) (req *request.Re // released and you are not billed for instance usage. However, your root partition // Amazon EBS volume remains and continues to persist your data, and you are // charged for Amazon EBS volume usage. You can restart your instance at any -// time. Every time you start your Windows instance, Amazon EC2 charges you -// for a full instance hour. If you stop and restart your Windows instance, -// a new instance hour begins and Amazon EC2 charges you for another full instance -// hour even if you are still within the same 60-minute period when it was stopped. -// Every time you start your Linux instance, Amazon EC2 charges a one-minute +// time. Every time you start your instance, Amazon EC2 charges a one-minute // minimum for instance usage, and thereafter charges per second for instance // usage. // @@ -41497,12 +42565,8 @@ func (c *EC2) StopInstancesRequest(input *StopInstancesInput) (req *request.Requ // We don't charge usage for a stopped instance, or data transfer fees; however, // your root partition Amazon EBS volume remains and continues to persist your // data, and you are charged for Amazon EBS volume usage. Every time you start -// your Windows instance, Amazon EC2 charges you for a full instance hour. If -// you stop and restart your Windows instance, a new instance hour begins and -// Amazon EC2 charges you for another full instance hour even if you are still -// within the same 60-minute period when it was stopped. Every time you start -// your Linux instance, Amazon EC2 charges a one-minute minimum for instance -// usage, and thereafter charges per second for instance usage. +// your instance, Amazon EC2 charges a one-minute minimum for instance usage, +// and thereafter charges per second for instance usage. // // You can't stop or hibernate instance store-backed instances. You can't use // the Stop action to hibernate Spot Instances, but you can specify that Amazon @@ -41686,6 +42750,36 @@ func (c *EC2) TerminateInstancesRequest(input *TerminateInstancesInput) (req *re // If you specify multiple instances and the request fails (for example, because // of a single incorrect instance ID), none of the instances are terminated. // +// If you terminate multiple instances across multiple Availability Zones, and +// one or more of the specified instances are enabled for termination protection, +// the request fails with the following results: +// +// * The specified instances that are in the same Availability Zone as the +// protected instance are not terminated. +// +// * The specified instances that are in different Availability Zones, where +// no other specified instances are protected, are successfully terminated. +// +// For example, say you have the following instances: +// +// * Instance A: us-east-1a; Not protected +// +// * Instance B: us-east-1a; Not protected +// +// * Instance C: us-east-1b; Protected +// +// * Instance D: us-east-1b; not protected +// +// If you attempt to terminate all of these instances in the same request, the +// request reports failure with the following results: +// +// * Instance A and Instance B are successfully terminated because none of +// the specified instances in us-east-1a are enabled for termination protection. +// +// * Instance C and Instance D fail to terminate because at least one of +// the specified instances in us-east-1b (Instance C) is enabled for termination +// protection. +// // Terminated instances remain visible after termination (for approximately // one hour). // @@ -41778,7 +42872,8 @@ func (c *EC2) UnassignIpv6AddressesRequest(input *UnassignIpv6AddressesInput) (r // UnassignIpv6Addresses API operation for Amazon Elastic Compute Cloud. // -// Unassigns one or more IPv6 addresses from a network interface. +// Unassigns one or more IPv6 addresses IPv4 Prefix Delegation prefixes from +// a network interface. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -41853,7 +42948,8 @@ func (c *EC2) UnassignPrivateIpAddressesRequest(input *UnassignPrivateIpAddresse // UnassignPrivateIpAddresses API operation for Amazon Elastic Compute Cloud. // -// Unassigns one or more secondary private IP addresses from a network interface. +// Unassigns one or more secondary private IP addresses, or IPv4 Prefix Delegation +// prefixes from a network interface. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -42005,11 +43101,8 @@ func (c *EC2) UpdateSecurityGroupRuleDescriptionsEgressRequest(input *UpdateSecu // // [VPC only] Updates the description of an egress (outbound) security group // rule. You can replace an existing description, or add a description to a -// rule that did not have one previously. -// -// You specify the description as part of the IP permissions structure. You -// can remove a description for a security group rule by omitting the description -// parameter in the request. +// rule that did not have one previously. You can remove a description for a +// security group rule by omitting the description parameter in the request. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -42085,11 +43178,8 @@ func (c *EC2) UpdateSecurityGroupRuleDescriptionsIngressRequest(input *UpdateSec // // Updates the description of an ingress (inbound) security group rule. You // can replace an existing description, or add a description to a rule that -// did not have one previously. -// -// You specify the description as part of the IP permissions structure. You -// can remove a description for a security group rule by omitting the description -// parameter in the request. +// did not have one previously. You can remove a description for a security +// group rule by omitting the description parameter in the request. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about @@ -42859,7 +43949,7 @@ type Address struct { // The ID of the network interface. NetworkInterfaceId *string `locationName:"networkInterfaceId" type:"string"` - // The ID of the account that owns the network interface. + // The ID of the Amazon Web Services account that owns the network interface. NetworkInterfaceOwnerId *string `locationName:"networkInterfaceOwnerId" type:"string"` // The private IP address associated with the Elastic IP address. @@ -43758,7 +44848,7 @@ type AnalysisRouteTableRoute struct { // The destination IPv4 address, in CIDR notation. DestinationCidr *string `locationName:"destinationCidr" type:"string"` - // The prefix of the AWS service. + // The prefix of the Amazon Web Service. DestinationPrefixListId *string `locationName:"destinationPrefixListId" type:"string"` // The ID of an egress-only internet gateway. @@ -44052,6 +45142,15 @@ type AssignIpv6AddressesInput struct { // You can't use this option if you're specifying a number of IPv6 addresses. Ipv6Addresses []*string `locationName:"ipv6Addresses" locationNameList:"item" type:"list"` + // The number of IPv6 prefixes that Amazon Web Services automatically assigns + // to the network interface. You cannot use this option if you use the Ipv6Prefixes + // option. + Ipv6PrefixCount *int64 `type:"integer"` + + // One or more IPv6 prefixes assigned to the network interface. You cannot use + // this option if you use the Ipv6PrefixCount option. + Ipv6Prefixes []*string `locationName:"Ipv6Prefix" locationNameList:"item" type:"list"` + // The ID of the network interface. // // NetworkInterfaceId is a required field @@ -44093,6 +45192,18 @@ func (s *AssignIpv6AddressesInput) SetIpv6Addresses(v []*string) *AssignIpv6Addr return s } +// SetIpv6PrefixCount sets the Ipv6PrefixCount field's value. +func (s *AssignIpv6AddressesInput) SetIpv6PrefixCount(v int64) *AssignIpv6AddressesInput { + s.Ipv6PrefixCount = &v + return s +} + +// SetIpv6Prefixes sets the Ipv6Prefixes field's value. +func (s *AssignIpv6AddressesInput) SetIpv6Prefixes(v []*string) *AssignIpv6AddressesInput { + s.Ipv6Prefixes = v + return s +} + // SetNetworkInterfaceId sets the NetworkInterfaceId field's value. func (s *AssignIpv6AddressesInput) SetNetworkInterfaceId(v string) *AssignIpv6AddressesInput { s.NetworkInterfaceId = &v @@ -44106,6 +45217,9 @@ type AssignIpv6AddressesOutput struct { // that were assigned to the network interface before the request are not included. AssignedIpv6Addresses []*string `locationName:"assignedIpv6Addresses" locationNameList:"item" type:"list"` + // The IPv6 prefixes that are assigned to the network interface. + AssignedIpv6Prefixes []*string `locationName:"assignedIpv6PrefixSet" locationNameList:"item" type:"list"` + // The ID of the network interface. NetworkInterfaceId *string `locationName:"networkInterfaceId" type:"string"` } @@ -44126,6 +45240,12 @@ func (s *AssignIpv6AddressesOutput) SetAssignedIpv6Addresses(v []*string) *Assig return s } +// SetAssignedIpv6Prefixes sets the AssignedIpv6Prefixes field's value. +func (s *AssignIpv6AddressesOutput) SetAssignedIpv6Prefixes(v []*string) *AssignIpv6AddressesOutput { + s.AssignedIpv6Prefixes = v + return s +} + // SetNetworkInterfaceId sets the NetworkInterfaceId field's value. func (s *AssignIpv6AddressesOutput) SetNetworkInterfaceId(v string) *AssignIpv6AddressesOutput { s.NetworkInterfaceId = &v @@ -44140,6 +45260,15 @@ type AssignPrivateIpAddressesInput struct { // network interface or instance to be reassigned to the specified network interface. AllowReassignment *bool `locationName:"allowReassignment" type:"boolean"` + // The number of IPv4 prefixes that Amazon Web Services automatically assigns + // to the network interface. You cannot use this option if you use the Ipv4 + // Prefixes option. + Ipv4PrefixCount *int64 `type:"integer"` + + // One or more IPv4 prefixes assigned to the network interface. You cannot use + // this option if you use the Ipv4PrefixCount option. + Ipv4Prefixes []*string `locationName:"Ipv4Prefix" locationNameList:"item" type:"list"` + // The ID of the network interface. // // NetworkInterfaceId is a required field @@ -44187,6 +45316,18 @@ func (s *AssignPrivateIpAddressesInput) SetAllowReassignment(v bool) *AssignPriv return s } +// SetIpv4PrefixCount sets the Ipv4PrefixCount field's value. +func (s *AssignPrivateIpAddressesInput) SetIpv4PrefixCount(v int64) *AssignPrivateIpAddressesInput { + s.Ipv4PrefixCount = &v + return s +} + +// SetIpv4Prefixes sets the Ipv4Prefixes field's value. +func (s *AssignPrivateIpAddressesInput) SetIpv4Prefixes(v []*string) *AssignPrivateIpAddressesInput { + s.Ipv4Prefixes = v + return s +} + // SetNetworkInterfaceId sets the NetworkInterfaceId field's value. func (s *AssignPrivateIpAddressesInput) SetNetworkInterfaceId(v string) *AssignPrivateIpAddressesInput { s.NetworkInterfaceId = &v @@ -44208,6 +45349,9 @@ func (s *AssignPrivateIpAddressesInput) SetSecondaryPrivateIpAddressCount(v int6 type AssignPrivateIpAddressesOutput struct { _ struct{} `type:"structure"` + // The IPv4 prefixes that are assigned to the network interface. + AssignedIpv4Prefixes []*Ipv4PrefixSpecification `locationName:"assignedIpv4PrefixSet" locationNameList:"item" type:"list"` + // The private IP addresses assigned to the network interface. AssignedPrivateIpAddresses []*AssignedPrivateIpAddress `locationName:"assignedPrivateIpAddressesSet" locationNameList:"item" type:"list"` @@ -44225,6 +45369,12 @@ func (s AssignPrivateIpAddressesOutput) GoString() string { return s.String() } +// SetAssignedIpv4Prefixes sets the AssignedIpv4Prefixes field's value. +func (s *AssignPrivateIpAddressesOutput) SetAssignedIpv4Prefixes(v []*Ipv4PrefixSpecification) *AssignPrivateIpAddressesOutput { + s.AssignedIpv4Prefixes = v + return s +} + // SetAssignedPrivateIpAddresses sets the AssignedPrivateIpAddresses field's value. func (s *AssignPrivateIpAddressesOutput) SetAssignedPrivateIpAddresses(v []*AssignedPrivateIpAddress) *AssignPrivateIpAddressesOutput { s.AssignedPrivateIpAddresses = v @@ -44636,7 +45786,7 @@ type AssociateEnclaveCertificateIamRoleOutput struct { // private key bundle are stored. The object key is formatted as follows: role_arn/certificate_arn. CertificateS3ObjectKey *string `locationName:"certificateS3ObjectKey" type:"string"` - // The ID of the AWS KMS CMK used to encrypt the private key of the certificate. + // The ID of the KMS key used to encrypt the private key of the certificate. EncryptionKmsKeyId *string `locationName:"encryptionKmsKeyId" type:"string"` } @@ -44743,6 +45893,93 @@ func (s *AssociateIamInstanceProfileOutput) SetIamInstanceProfileAssociation(v * return s } +type AssociateInstanceEventWindowInput struct { + _ struct{} `type:"structure"` + + // One or more targets associated with the specified event window. + // + // AssociationTarget is a required field + AssociationTarget *InstanceEventWindowAssociationRequest `type:"structure" required:"true"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The ID of the event window. + // + // InstanceEventWindowId is a required field + InstanceEventWindowId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s AssociateInstanceEventWindowInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AssociateInstanceEventWindowInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *AssociateInstanceEventWindowInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "AssociateInstanceEventWindowInput"} + if s.AssociationTarget == nil { + invalidParams.Add(request.NewErrParamRequired("AssociationTarget")) + } + if s.InstanceEventWindowId == nil { + invalidParams.Add(request.NewErrParamRequired("InstanceEventWindowId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAssociationTarget sets the AssociationTarget field's value. +func (s *AssociateInstanceEventWindowInput) SetAssociationTarget(v *InstanceEventWindowAssociationRequest) *AssociateInstanceEventWindowInput { + s.AssociationTarget = v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *AssociateInstanceEventWindowInput) SetDryRun(v bool) *AssociateInstanceEventWindowInput { + s.DryRun = &v + return s +} + +// SetInstanceEventWindowId sets the InstanceEventWindowId field's value. +func (s *AssociateInstanceEventWindowInput) SetInstanceEventWindowId(v string) *AssociateInstanceEventWindowInput { + s.InstanceEventWindowId = &v + return s +} + +type AssociateInstanceEventWindowOutput struct { + _ struct{} `type:"structure"` + + // Information about the event window. + InstanceEventWindow *InstanceEventWindow `locationName:"instanceEventWindow" type:"structure"` +} + +// String returns the string representation +func (s AssociateInstanceEventWindowOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s AssociateInstanceEventWindowOutput) GoString() string { + return s.String() +} + +// SetInstanceEventWindow sets the InstanceEventWindow field's value. +func (s *AssociateInstanceEventWindowOutput) SetInstanceEventWindow(v *InstanceEventWindow) *AssociateInstanceEventWindowOutput { + s.InstanceEventWindow = v + return s +} + type AssociateRouteTableInput struct { _ struct{} `type:"structure"` @@ -46298,6 +47535,9 @@ type AuthorizeSecurityGroupEgressInput struct { // group. SourceSecurityGroupOwnerId *string `locationName:"sourceSecurityGroupOwnerId" type:"string"` + // The tags applied to the security group rule. + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` + // Not supported. Use a set of IP permissions to specify the port. ToPort *int64 `locationName:"toPort" type:"integer"` } @@ -46373,6 +47613,12 @@ func (s *AuthorizeSecurityGroupEgressInput) SetSourceSecurityGroupOwnerId(v stri return s } +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *AuthorizeSecurityGroupEgressInput) SetTagSpecifications(v []*TagSpecification) *AuthorizeSecurityGroupEgressInput { + s.TagSpecifications = v + return s +} + // SetToPort sets the ToPort field's value. func (s *AuthorizeSecurityGroupEgressInput) SetToPort(v int64) *AuthorizeSecurityGroupEgressInput { s.ToPort = &v @@ -46381,6 +47627,12 @@ func (s *AuthorizeSecurityGroupEgressInput) SetToPort(v int64) *AuthorizeSecurit type AuthorizeSecurityGroupEgressOutput struct { _ struct{} `type:"structure"` + + // Returns true if the request succeeds; otherwise, returns an error. + Return *bool `locationName:"return" type:"boolean"` + + // Information about the outbound (egress) security group rules that were added. + SecurityGroupRules []*SecurityGroupRule `locationName:"securityGroupRuleSet" locationNameList:"item" type:"list"` } // String returns the string representation @@ -46393,6 +47645,18 @@ func (s AuthorizeSecurityGroupEgressOutput) GoString() string { return s.String() } +// SetReturn sets the Return field's value. +func (s *AuthorizeSecurityGroupEgressOutput) SetReturn(v bool) *AuthorizeSecurityGroupEgressOutput { + s.Return = &v + return s +} + +// SetSecurityGroupRules sets the SecurityGroupRules field's value. +func (s *AuthorizeSecurityGroupEgressOutput) SetSecurityGroupRules(v []*SecurityGroupRule) *AuthorizeSecurityGroupEgressOutput { + s.SecurityGroupRules = v + return s +} + type AuthorizeSecurityGroupIngressInput struct { _ struct{} `type:"structure"` @@ -46450,14 +47714,18 @@ type AuthorizeSecurityGroupIngressInput struct { // be in the same VPC. SourceSecurityGroupName *string `type:"string"` - // [nondefault VPC] The AWS account ID for the source security group, if the - // source security group is in a different account. You can't specify this parameter - // in combination with the following parameters: the CIDR IP address range, - // the IP protocol, the start of the port range, and the end of the port range. - // Creates rules that grant full ICMP, UDP, and TCP access. To create a rule - // with a specific IP protocol and port range, use a set of IP permissions instead. + // [nondefault VPC] The Amazon Web Services account ID for the source security + // group, if the source security group is in a different account. You can't + // specify this parameter in combination with the following parameters: the + // CIDR IP address range, the IP protocol, the start of the port range, and + // the end of the port range. Creates rules that grant full ICMP, UDP, and TCP + // access. To create a rule with a specific IP protocol and port range, use + // a set of IP permissions instead. SourceSecurityGroupOwnerId *string `type:"string"` + // [VPC Only] The tags applied to the security group rule. + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` + // The end of port range for the TCP and UDP protocols, or an ICMP code number. // For the ICMP code number, use -1 to specify all codes. If you specify all // ICMP types, you must specify all codes. @@ -46531,6 +47799,12 @@ func (s *AuthorizeSecurityGroupIngressInput) SetSourceSecurityGroupOwnerId(v str return s } +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *AuthorizeSecurityGroupIngressInput) SetTagSpecifications(v []*TagSpecification) *AuthorizeSecurityGroupIngressInput { + s.TagSpecifications = v + return s +} + // SetToPort sets the ToPort field's value. func (s *AuthorizeSecurityGroupIngressInput) SetToPort(v int64) *AuthorizeSecurityGroupIngressInput { s.ToPort = &v @@ -46539,6 +47813,12 @@ func (s *AuthorizeSecurityGroupIngressInput) SetToPort(v int64) *AuthorizeSecuri type AuthorizeSecurityGroupIngressOutput struct { _ struct{} `type:"structure"` + + // Returns true if the request succeeds; otherwise, returns an error. + Return *bool `locationName:"return" type:"boolean"` + + // Information about the inbound (ingress) security group rules that were added. + SecurityGroupRules []*SecurityGroupRule `locationName:"securityGroupRuleSet" locationNameList:"item" type:"list"` } // String returns the string representation @@ -46551,6 +47831,18 @@ func (s AuthorizeSecurityGroupIngressOutput) GoString() string { return s.String() } +// SetReturn sets the Return field's value. +func (s *AuthorizeSecurityGroupIngressOutput) SetReturn(v bool) *AuthorizeSecurityGroupIngressOutput { + s.Return = &v + return s +} + +// SetSecurityGroupRules sets the SecurityGroupRules field's value. +func (s *AuthorizeSecurityGroupIngressOutput) SetSecurityGroupRules(v []*SecurityGroupRule) *AuthorizeSecurityGroupIngressOutput { + s.SecurityGroupRules = v + return s +} + // Describes Availability Zones, Local Zones, and Wavelength Zones. type AvailabilityZone struct { _ struct{} `type:"structure"` @@ -46761,7 +48053,8 @@ func (s *BlobAttributeValue) SetValue(v []byte) *BlobAttributeValue { return s } -// Describes a block device mapping. +// Describes a block device mapping, which defines the EBS volumes and instance +// store volumes to attach to an instance at launch. type BlockDeviceMapping struct { _ struct{} `type:"structure"` @@ -46773,6 +48066,8 @@ type BlockDeviceMapping struct { Ebs *EbsBlockDevice `locationName:"ebs" type:"structure"` // To omit the device from the block device mapping, specify an empty string. + // When this property is specified, the device is removed from the block device + // mapping regardless of the assigned value. NoDevice *string `locationName:"noDevice" type:"string"` // The virtual device name (ephemeralN). Instance store volumes are numbered @@ -47906,7 +49201,7 @@ type CapacityReservation struct { // was created. OutpostArn *string `locationName:"outpostArn" type:"string"` - // The ID of the AWS account that owns the Capacity Reservation. + // The ID of the Amazon Web Services account that owns the Capacity Reservation. OwnerId *string `locationName:"ownerId" type:"string"` // The date and time at which the Capacity Reservation was started. @@ -47940,10 +49235,10 @@ type CapacityReservation struct { // can have one of the following tenancy settings: // // * default - The Capacity Reservation is created on hardware that is shared - // with other AWS accounts. + // with other Amazon Web Services accounts. // // * dedicated - The Capacity Reservation is created on single-tenant hardware - // that is dedicated to a single AWS account. + // that is dedicated to a single Amazon Web Services account. Tenancy *string `locationName:"tenancy" type:"string" enum:"CapacityReservationTenancy"` // The total number of instances for which the Capacity Reservation reserves @@ -48088,7 +49383,7 @@ type CapacityReservationGroup struct { // The ARN of the resource group. GroupArn *string `locationName:"groupArn" type:"string"` - // The ID of the AWS account that owns the resource group. + // The ID of the Amazon Web Services account that owns the resource group. OwnerId *string `locationName:"ownerId" type:"string"` } @@ -48373,7 +49668,7 @@ type CarrierGateway struct { // The ID of the carrier gateway. CarrierGatewayId *string `locationName:"carrierGatewayId" type:"string"` - // The AWS account ID of the owner of the carrier gateway. + // The Amazon Web Services account ID of the owner of the carrier gateway. OwnerId *string `locationName:"ownerId" type:"string"` // The state of the carrier gateway. @@ -48476,8 +49771,8 @@ func (s *CertificateAuthenticationRequest) SetClientRootCertificateChainArn(v st } // Provides authorization for Amazon to bring a specific IP address range to -// a specific account using bring your own IP addresses (BYOIP). For more information, -// see Configuring your BYOIP address range (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#prepare-for-byoip) +// a specific Amazon Web Services account using bring your own IP addresses +// (BYOIP). For more information, see Configuring your BYOIP address range (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-byoip.html#prepare-for-byoip) // in the Amazon Elastic Compute Cloud User Guide. type CidrAuthorizationContext struct { _ struct{} `type:"structure"` @@ -49767,8 +51062,8 @@ func (s *ConfirmProductInstanceInput) SetProductCode(v string) *ConfirmProductIn type ConfirmProductInstanceOutput struct { _ struct{} `type:"structure"` - // The AWS account ID of the instance owner. This is only present if the product - // code is attached to the instance. + // The Amazon Web Services account ID of the instance owner. This is only present + // if the product code is attached to the instance. OwnerId *string `locationName:"ownerId" type:"string"` // The return value of the request. Returns true if the specified product code @@ -50353,13 +51648,13 @@ type CopySnapshotInput struct { Description *string `type:"string"` // The Amazon Resource Name (ARN) of the Outpost to which to copy the snapshot. - // Only specify this parameter when copying a snapshot from an AWS Region to - // an Outpost. The snapshot must be in the Region for the destination Outpost. - // You cannot copy a snapshot from an Outpost to a Region, from one Outpost - // to another, or within the same Outpost. + // Only specify this parameter when copying a snapshot from an Amazon Web Services + // Region to an Outpost. The snapshot must be in the Region for the destination + // Outpost. You cannot copy a snapshot from an Outpost to a Region, from one + // Outpost to another, or within the same Outpost. // - // For more information, see Copying snapshots from an AWS Region to an Outpost - // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#copy-snapshots) + // For more information, see Copy snapshots from an Amazon Web Services Region + // to an Outpost (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#copy-snapshots) // in the Amazon Elastic Compute Cloud User Guide. DestinationOutpostArn *string `type:"string"` @@ -50368,9 +51663,9 @@ type CopySnapshotInput struct { // Region in a PresignedUrl parameter, where it is required. // // The snapshot copy is sent to the regional endpoint that you sent the HTTP - // request to (for example, ec2.us-east-1.amazonaws.com). With the AWS CLI, - // this is specified using the --region parameter or the default Region in your - // AWS configuration file. + // request to (for example, ec2.us-east-1.amazonaws.com). With the CLI, this + // is specified using the --region parameter or the default Region in your Amazon + // Web Services configuration file. DestinationRegion *string `locationName:"destinationRegion" type:"string"` // Checks whether you have the required permissions for the action, without @@ -50387,12 +51682,11 @@ type CopySnapshotInput struct { // in the Amazon Elastic Compute Cloud User Guide. Encrypted *bool `locationName:"encrypted" type:"boolean"` - // The identifier of the AWS Key Management Service (AWS KMS) customer master - // key (CMK) to use for Amazon EBS encryption. If this parameter is not specified, - // your AWS managed CMK for EBS is used. If KmsKeyId is specified, the encrypted - // state must be true. + // The identifier of the Key Management Service (KMS) KMS key to use for Amazon + // EBS encryption. If this parameter is not specified, your KMS key for Amazon + // EBS is used. If KmsKeyId is specified, the encrypted state must be true. // - // You can specify the CMK using any of the following: + // You can specify the KMS key using any of the following: // // * Key ID. For example, 1234abcd-12ab-34cd-56ef-1234567890ab. // @@ -50402,9 +51696,9 @@ type CopySnapshotInput struct { // // * Alias ARN. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. // - // AWS authenticates the CMK asynchronously. Therefore, if you specify an ID, - // alias, or ARN that is not valid, the action can appear to complete, but eventually - // fails. + // Amazon Web Services authenticates the KMS key asynchronously. Therefore, + // if you specify an ID, alias, or ARN that is not valid, the action can appear + // to complete, but eventually fails. KmsKeyId *string `locationName:"kmsKeyId" type:"string"` // When you copy an encrypted source snapshot using the Amazon EC2 Query API, @@ -50413,10 +51707,11 @@ type CopySnapshotInput struct { // // The PresignedUrl should use the snapshot source endpoint, the CopySnapshot // action, and include the SourceRegion, SourceSnapshotId, and DestinationRegion - // parameters. The PresignedUrl must be signed using AWS Signature Version 4. - // Because EBS snapshots are stored in Amazon S3, the signing algorithm for - // this parameter uses the same logic that is described in Authenticating Requests: - // Using Query Parameters (AWS Signature Version 4) (https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html) + // parameters. The PresignedUrl must be signed using Amazon Web Services Signature + // Version 4. Because EBS snapshots are stored in Amazon S3, the signing algorithm + // for this parameter uses the same logic that is described in Authenticating + // Requests: Using Query Parameters (Amazon Web Services Signature Version 4) + // (https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html) // in the Amazon Simple Storage Service API Reference. An invalid or improperly // signed PresignedUrl will cause the copy operation to fail asynchronously, // and the snapshot will move to an error state. @@ -50679,6 +51974,8 @@ type CreateCapacityReservationInput struct { // The number of instances for which to reserve capacity. // + // Valid range: 1 - 1000 + // // InstanceCount is a required field InstanceCount *int64 `type:"integer" required:"true"` @@ -50721,10 +52018,10 @@ type CreateCapacityReservationInput struct { // can have one of the following tenancy settings: // // * default - The Capacity Reservation is created on hardware that is shared - // with other AWS accounts. + // with other Amazon Web Services accounts. // // * dedicated - The Capacity Reservation is created on single-tenant hardware - // that is dedicated to a single AWS account. + // that is dedicated to a single Amazon Web Services account. Tenancy *string `type:"string" enum:"CapacityReservationTenancy"` } @@ -50874,7 +52171,7 @@ type CreateCarrierGatewayInput struct { _ struct{} `type:"structure"` // Unique, case-sensitive identifier that you provide to ensure the idempotency - // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html). + // of the request. For more information, see How to ensure idempotency (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html). ClientToken *string `type:"string" idempotencyToken:"true"` // Checks whether you have the required permissions for the action, without @@ -51700,7 +52997,7 @@ type CreateEgressOnlyInternetGatewayInput struct { _ struct{} `type:"structure"` // Unique, case-sensitive identifier that you provide to ensure the idempotency - // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html). + // of the request. For more information, see How to ensure idempotency (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html). ClientToken *string `type:"string"` // Checks whether you have the required permissions for the action, without @@ -51861,6 +53158,9 @@ type CreateFleetInput struct { // of the request. For more information, see Ensuring Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). ClientToken *string `type:"string"` + // Reserved. + Context *string `type:"string"` + // Checks whether you have the required permissions for the action, without // actually making the request, and provides an error response. If you have // the required permissions, the error response is DryRunOperation. Otherwise, @@ -51889,10 +53189,15 @@ type CreateFleetInput struct { // Describes the configuration of Spot Instances in an EC2 Fleet. SpotOptions *SpotOptionsRequest `type:"structure"` - // The key-value pair for tagging the EC2 Fleet request on creation. The value - // for ResourceType must be fleet, otherwise the fleet request fails. To tag - // instances at launch, specify the tags in the launch template (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template). - // For information about tagging after launch, see Tagging your resources (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources). + // The key-value pair for tagging the EC2 Fleet request on creation. For more + // information, see Tagging your resources (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html#tag-resources). + // + // If the fleet type is instant, specify a resource type of fleet to tag the + // fleet or instance to tag the instances at launch. + // + // If the fleet type is maintain or request, specify a resource type of fleet + // to tag the fleet. You cannot specify a resource type of instance. To tag + // instances at launch, specify the tags in a launch template (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-launch-templates.html#create-launch-template). TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` // The number of units to request. @@ -51904,7 +53209,7 @@ type CreateFleetInput struct { // expires. TerminateInstancesWithExpiration *bool `type:"boolean"` - // The type of request. The default value is maintain. + // The fleet type. The default value is maintain. // // * maintain - The EC2 Fleet places an asynchronous request for your desired // capacity, and continues to maintain your desired Spot capacity by replenishing @@ -51980,6 +53285,12 @@ func (s *CreateFleetInput) SetClientToken(v string) *CreateFleetInput { return s } +// SetContext sets the Context field's value. +func (s *CreateFleetInput) SetContext(v string) *CreateFleetInput { + s.Context = &v + return s +} + // SetDryRun sets the DryRun field's value. func (s *CreateFleetInput) SetDryRun(v bool) *CreateFleetInput { s.DryRun = &v @@ -52119,14 +53430,14 @@ type CreateFleetOutput struct { _ struct{} `type:"structure"` // Information about the instances that could not be launched by the fleet. - // Valid only when Type is set to instant. + // Supported only for fleets of type instant. Errors []*CreateFleetError `locationName:"errorSet" locationNameList:"item" type:"list"` // The ID of the EC2 Fleet. FleetId *string `locationName:"fleetId" type:"string"` - // Information about the instances that were launched by the fleet. Valid only - // when Type is set to instant. + // Information about the instances that were launched by the fleet. Supported + // only for fleets of type instant. Instances []*CreateFleetInstance `locationName:"fleetInstanceSet" locationNameList:"item" type:"list"` } @@ -52162,7 +53473,7 @@ type CreateFlowLogsInput struct { _ struct{} `type:"structure"` // Unique, case-sensitive identifier that you provide to ensure the idempotency - // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html). + // of the request. For more information, see How to ensure idempotency (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Run_Instance_Idempotency.html). ClientToken *string `type:"string"` // The ARN for the IAM role that permits Amazon EC2 to publish flow logs to @@ -52208,12 +53519,12 @@ type CreateFlowLogsInput struct { LogDestinationType *string `type:"string" enum:"LogDestinationType"` // The fields to include in the flow log record, in the order in which they - // should appear. For a list of available fields, see Flow Log Records (https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records). + // should appear. For a list of available fields, see Flow log records (https://docs.aws.amazon.com/vpc/latest/userguide/flow-logs.html#flow-log-records). // If you omit this parameter, the flow log is created using the default format. // If you specify this parameter, you must specify at least one field. // // Specify the fields using the ${field-id} format, separated by spaces. For - // the AWS CLI, use single quotation marks (' ') to surround the parameter value. + // the CLI, use single quotation marks (' ') to surround the parameter value. LogFormat *string `type:"string"` // The name of a new or existing CloudWatch Logs log group where Amazon EC2 @@ -52674,6 +53985,113 @@ func (s *CreateImageOutput) SetImageId(v string) *CreateImageOutput { return s } +type CreateInstanceEventWindowInput struct { + _ struct{} `type:"structure"` + + // The cron expression for the event window, for example, * 0-4,20-23 * * 1,5. + // If you specify a cron expression, you can't specify a time range. + // + // Constraints: + // + // * Only hour and day of the week values are supported. + // + // * For day of the week values, you can specify either integers 0 through + // 6, or alternative single values SUN through SAT. + // + // * The minute, month, and year must be specified by *. + // + // * The hour value must be one or a multiple range, for example, 0-4 or + // 0-4,20-23. + // + // * Each hour range must be >= 2 hours, for example, 0-2 or 20-23. + // + // * The event window must be >= 4 hours. The combined total time ranges + // in the event window must be >= 4 hours. + // + // For more information about cron expressions, see cron (https://en.wikipedia.org/wiki/Cron) + // on the Wikipedia website. + CronExpression *string `type:"string"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The name of the event window. + Name *string `type:"string"` + + // The tags to apply to the event window. + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` + + // The time range for the event window. If you specify a time range, you can't + // specify a cron expression. + TimeRanges []*InstanceEventWindowTimeRangeRequest `locationName:"TimeRange" type:"list"` +} + +// String returns the string representation +func (s CreateInstanceEventWindowInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateInstanceEventWindowInput) GoString() string { + return s.String() +} + +// SetCronExpression sets the CronExpression field's value. +func (s *CreateInstanceEventWindowInput) SetCronExpression(v string) *CreateInstanceEventWindowInput { + s.CronExpression = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *CreateInstanceEventWindowInput) SetDryRun(v bool) *CreateInstanceEventWindowInput { + s.DryRun = &v + return s +} + +// SetName sets the Name field's value. +func (s *CreateInstanceEventWindowInput) SetName(v string) *CreateInstanceEventWindowInput { + s.Name = &v + return s +} + +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *CreateInstanceEventWindowInput) SetTagSpecifications(v []*TagSpecification) *CreateInstanceEventWindowInput { + s.TagSpecifications = v + return s +} + +// SetTimeRanges sets the TimeRanges field's value. +func (s *CreateInstanceEventWindowInput) SetTimeRanges(v []*InstanceEventWindowTimeRangeRequest) *CreateInstanceEventWindowInput { + s.TimeRanges = v + return s +} + +type CreateInstanceEventWindowOutput struct { + _ struct{} `type:"structure"` + + // Information about the event window. + InstanceEventWindow *InstanceEventWindow `locationName:"instanceEventWindow" type:"structure"` +} + +// String returns the string representation +func (s CreateInstanceEventWindowOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateInstanceEventWindowOutput) GoString() string { + return s.String() +} + +// SetInstanceEventWindow sets the InstanceEventWindow field's value. +func (s *CreateInstanceEventWindowOutput) SetInstanceEventWindow(v *InstanceEventWindow) *CreateInstanceEventWindowOutput { + s.InstanceEventWindow = v + return s +} + type CreateInstanceExportTaskInput struct { _ struct{} `type:"structure"` @@ -52856,6 +54274,12 @@ type CreateKeyPairInput struct { // KeyName is a required field KeyName *string `type:"string" required:"true"` + // The type of key pair. Note that ED25519 keys are not supported for Windows + // instances, EC2 Instance Connect, and EC2 Serial Console. + // + // Default: rsa + KeyType *string `type:"string" enum:"KeyType"` + // The tags to apply to the new key pair. TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` } @@ -52895,6 +54319,12 @@ func (s *CreateKeyPairInput) SetKeyName(v string) *CreateKeyPairInput { return s } +// SetKeyType sets the KeyType field's value. +func (s *CreateKeyPairInput) SetKeyType(v string) *CreateKeyPairInput { + s.KeyType = &v + return s +} + // SetTagSpecifications sets the TagSpecifications field's value. func (s *CreateKeyPairInput) SetTagSpecifications(v []*TagSpecification) *CreateKeyPairInput { s.TagSpecifications = v @@ -52908,7 +54338,7 @@ type CreateKeyPairOutput struct { // The SHA-1 digest of the DER encoded private key. KeyFingerprint *string `locationName:"keyFingerprint" type:"string"` - // An unencrypted PEM encoded RSA private key. + // An unencrypted PEM encoded RSA or ED25519 private key. KeyMaterial *string `locationName:"keyMaterial" type:"string" sensitive:"true"` // The name of the key pair. @@ -53596,7 +55026,7 @@ type CreateNatGatewayInput struct { AllocationId *string `type:"string"` // Unique, case-sensitive identifier that you provide to ensure the idempotency - // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + // of the request. For more information, see How to ensure idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). // // Constraint: Maximum 64 ASCII characters. ClientToken *string `type:"string" idempotencyToken:"true"` @@ -53969,15 +55399,16 @@ type CreateNetworkInsightsPathInput struct { _ struct{} `type:"structure"` // Unique, case-sensitive identifier that you provide to ensure the idempotency - // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + // of the request. For more information, see How to ensure idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). ClientToken *string `type:"string" idempotencyToken:"true"` - // The AWS resource that is the destination of the path. + // The Amazon Web Services resource that is the destination of the path. // // Destination is a required field Destination *string `type:"string" required:"true"` - // The IP address of the AWS resource that is the destination of the path. + // The IP address of the Amazon Web Services resource that is the destination + // of the path. DestinationIp *string `type:"string"` // The destination port. @@ -53994,12 +55425,13 @@ type CreateNetworkInsightsPathInput struct { // Protocol is a required field Protocol *string `type:"string" required:"true" enum:"Protocol"` - // The AWS resource that is the source of the path. + // The Amazon Web Services resource that is the source of the path. // // Source is a required field Source *string `type:"string" required:"true"` - // The IP address of the AWS resource that is the source of the path. + // The IP address of the Amazon Web Services resource that is the source of + // the path. SourceIp *string `type:"string"` // The tags to add to the path. @@ -54143,6 +55575,15 @@ type CreateNetworkInterfaceInput struct { // the Amazon Elastic Compute Cloud User Guide. InterfaceType *string `type:"string" enum:"NetworkInterfaceCreationType"` + // The number of IPv4 prefixes that Amazon Web Services automatically assigns + // to the network interface. You cannot use this option if you use the Ipv4 + // Prefixes option. + Ipv4PrefixCount *int64 `type:"integer"` + + // One or more IPv4 prefixes assigned to the network interface. You cannot use + // this option if you use the Ipv4PrefixCount option. + Ipv4Prefixes []*Ipv4PrefixSpecificationRequest `locationName:"Ipv4Prefix" locationNameList:"item" type:"list"` + // The number of IPv6 addresses to assign to a network interface. Amazon EC2 // automatically selects the IPv6 addresses from the subnet range. You can't // use this option if specifying specific IPv6 addresses. If your subnet has @@ -54154,6 +55595,15 @@ type CreateNetworkInterfaceInput struct { // subnet. You can't use this option if you're specifying a number of IPv6 addresses. Ipv6Addresses []*InstanceIpv6Address `locationName:"ipv6Addresses" locationNameList:"item" type:"list"` + // The number of IPv6 prefixes that Amazon Web Services automatically assigns + // to the network interface. You cannot use this option if you use the Ipv6Prefixes + // option. + Ipv6PrefixCount *int64 `type:"integer"` + + // One or more IPv6 prefixes assigned to the network interface. You cannot use + // this option if you use the Ipv6PrefixCount option. + Ipv6Prefixes []*Ipv6PrefixSpecificationRequest `locationName:"Ipv6Prefix" locationNameList:"item" type:"list"` + // The primary private IPv4 address of the network interface. If you don't specify // an IPv4 address, Amazon EC2 selects one for you from the subnet's IPv4 CIDR // range. If you specify an IP address, you cannot indicate any IP addresses @@ -54237,6 +55687,18 @@ func (s *CreateNetworkInterfaceInput) SetInterfaceType(v string) *CreateNetworkI return s } +// SetIpv4PrefixCount sets the Ipv4PrefixCount field's value. +func (s *CreateNetworkInterfaceInput) SetIpv4PrefixCount(v int64) *CreateNetworkInterfaceInput { + s.Ipv4PrefixCount = &v + return s +} + +// SetIpv4Prefixes sets the Ipv4Prefixes field's value. +func (s *CreateNetworkInterfaceInput) SetIpv4Prefixes(v []*Ipv4PrefixSpecificationRequest) *CreateNetworkInterfaceInput { + s.Ipv4Prefixes = v + return s +} + // SetIpv6AddressCount sets the Ipv6AddressCount field's value. func (s *CreateNetworkInterfaceInput) SetIpv6AddressCount(v int64) *CreateNetworkInterfaceInput { s.Ipv6AddressCount = &v @@ -54249,6 +55711,18 @@ func (s *CreateNetworkInterfaceInput) SetIpv6Addresses(v []*InstanceIpv6Address) return s } +// SetIpv6PrefixCount sets the Ipv6PrefixCount field's value. +func (s *CreateNetworkInterfaceInput) SetIpv6PrefixCount(v int64) *CreateNetworkInterfaceInput { + s.Ipv6PrefixCount = &v + return s +} + +// SetIpv6Prefixes sets the Ipv6Prefixes field's value. +func (s *CreateNetworkInterfaceInput) SetIpv6Prefixes(v []*Ipv6PrefixSpecificationRequest) *CreateNetworkInterfaceInput { + s.Ipv6Prefixes = v + return s +} + // SetPrivateIpAddress sets the PrivateIpAddress field's value. func (s *CreateNetworkInterfaceInput) SetPrivateIpAddress(v string) *CreateNetworkInterfaceInput { s.PrivateIpAddress = &v @@ -54317,7 +55791,7 @@ func (s *CreateNetworkInterfaceOutput) SetNetworkInterface(v *NetworkInterface) type CreateNetworkInterfacePermissionInput struct { _ struct{} `type:"structure"` - // The account ID. + // The Amazon Web Services account ID. AwsAccountId *string `type:"string"` // The Amazon Web Service. Currently not supported. @@ -54514,7 +55988,7 @@ type CreateReplaceRootVolumeTaskInput struct { // Unique, case-sensitive identifier you provide to ensure the idempotency of // the request. If you do not specify a client token, a randomly generated token // is used for the request to ensure idempotency. For more information, see - // Ensuring Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + // Ensuring idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). ClientToken *string `type:"string" idempotencyToken:"true"` // Checks whether you have the required permissions for the action, without @@ -55256,7 +56730,7 @@ type CreateSnapshotInput struct { // it is UnauthorizedOperation. DryRun *bool `locationName:"dryRun" type:"boolean"` - // The Amazon Resource Name (ARN) of the AWS Outpost on which to create a local + // The Amazon Resource Name (ARN) of the Outpost on which to create a local // snapshot. // // * To create a snapshot of a volume in a Region, omit this parameter. The @@ -55270,7 +56744,7 @@ type CreateSnapshotInput struct { // on an Outpost, specify the ARN of the destination Outpost. The snapshot // must be created on the same Outpost as the volume. // - // For more information, see Creating local snapshots from volumes on an Outpost + // For more information, see Create local snapshots from volumes on an Outpost // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#create-snapshot) // in the Amazon Elastic Compute Cloud User Guide. OutpostArn *string `type:"string"` @@ -55278,7 +56752,7 @@ type CreateSnapshotInput struct { // The tags to apply to the snapshot during creation. TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` - // The ID of the EBS volume. + // The ID of the Amazon EBS volume. // // VolumeId is a required field VolumeId *string `type:"string" required:"true"` @@ -55357,8 +56831,8 @@ type CreateSnapshotsInput struct { // InstanceSpecification is a required field InstanceSpecification *InstanceSpecification `type:"structure" required:"true"` - // The Amazon Resource Name (ARN) of the AWS Outpost on which to create the - // local snapshots. + // The Amazon Resource Name (ARN) of the Outpost on which to create the local + // snapshots. // // * To create snapshots from an instance in a Region, omit this parameter. // The snapshots are created in the same Region as the instance. @@ -55371,7 +56845,7 @@ type CreateSnapshotsInput struct { // on an Outpost, specify the ARN of the destination Outpost. The snapshots // must be created on the same Outpost as the instance. // - // For more information, see Creating multi-volume local snapshots from instances + // For more information, see Create multi-volume local snapshots from instances // on an Outpost (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html#create-multivol-snapshot) // in the Amazon Elastic Compute Cloud User Guide. OutpostArn *string `type:"string"` @@ -55647,13 +57121,144 @@ func (s *CreateStoreImageTaskOutput) SetObjectKey(v string) *CreateStoreImageTas return s } +type CreateSubnetCidrReservationInput struct { + _ struct{} `type:"structure"` + + // The IPv4 or IPV6 CIDR range to reserve. + // + // Cidr is a required field + Cidr *string `type:"string" required:"true"` + + // The description to assign to the subnet CIDR reservation. + Description *string `type:"string"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The type of reservation. + // + // The following are valid values: + // + // * prefix: The Amazon EC2 Prefix Delegation feature assigns the IP addresses + // to network interfaces that are associated with an instance. For information + // about Prefix Delegation, see Prefix Delegation for Amazon EC2 network + // interfaces (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-delegation.html) + // in the Amazon Elastic Compute Cloud User Guide. + // + // * explicit: You manually assign the IP addresses to resources that reside + // in your subnet. + // + // ReservationType is a required field + ReservationType *string `type:"string" required:"true" enum:"SubnetCidrReservationType"` + + // The ID of the subnet. + // + // SubnetId is a required field + SubnetId *string `type:"string" required:"true"` + + // The tags to assign to the subnet CIDR reservation. + TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s CreateSubnetCidrReservationInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateSubnetCidrReservationInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *CreateSubnetCidrReservationInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "CreateSubnetCidrReservationInput"} + if s.Cidr == nil { + invalidParams.Add(request.NewErrParamRequired("Cidr")) + } + if s.ReservationType == nil { + invalidParams.Add(request.NewErrParamRequired("ReservationType")) + } + if s.SubnetId == nil { + invalidParams.Add(request.NewErrParamRequired("SubnetId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCidr sets the Cidr field's value. +func (s *CreateSubnetCidrReservationInput) SetCidr(v string) *CreateSubnetCidrReservationInput { + s.Cidr = &v + return s +} + +// SetDescription sets the Description field's value. +func (s *CreateSubnetCidrReservationInput) SetDescription(v string) *CreateSubnetCidrReservationInput { + s.Description = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *CreateSubnetCidrReservationInput) SetDryRun(v bool) *CreateSubnetCidrReservationInput { + s.DryRun = &v + return s +} + +// SetReservationType sets the ReservationType field's value. +func (s *CreateSubnetCidrReservationInput) SetReservationType(v string) *CreateSubnetCidrReservationInput { + s.ReservationType = &v + return s +} + +// SetSubnetId sets the SubnetId field's value. +func (s *CreateSubnetCidrReservationInput) SetSubnetId(v string) *CreateSubnetCidrReservationInput { + s.SubnetId = &v + return s +} + +// SetTagSpecifications sets the TagSpecifications field's value. +func (s *CreateSubnetCidrReservationInput) SetTagSpecifications(v []*TagSpecification) *CreateSubnetCidrReservationInput { + s.TagSpecifications = v + return s +} + +type CreateSubnetCidrReservationOutput struct { + _ struct{} `type:"structure"` + + // Information about the created subnet CIDR reservation. + SubnetCidrReservation *SubnetCidrReservation `locationName:"subnetCidrReservation" type:"structure"` +} + +// String returns the string representation +func (s CreateSubnetCidrReservationOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s CreateSubnetCidrReservationOutput) GoString() string { + return s.String() +} + +// SetSubnetCidrReservation sets the SubnetCidrReservation field's value. +func (s *CreateSubnetCidrReservationOutput) SetSubnetCidrReservation(v *SubnetCidrReservation) *CreateSubnetCidrReservationOutput { + s.SubnetCidrReservation = v + return s +} + type CreateSubnetInput struct { _ struct{} `type:"structure"` // The Availability Zone or Local Zone for the subnet. // - // Default: AWS selects one for you. If you create more than one subnet in your - // VPC, we do not necessarily select a different zone for each subnet. + // Default: Amazon Web Services selects one for you. If you create more than + // one subnet in your VPC, we do not necessarily select a different zone for + // each subnet. // // To create a subnet in a Local Zone, set this value to the Local Zone ID, // for example us-west-2-lax-1a. For information about the Regions that support @@ -56477,7 +58082,7 @@ type CreateTransitGatewayConnectInput struct { TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` // The ID of the transit gateway attachment. You can specify a VPC attachment - // or a AWS Direct Connect attachment. + // or Amazon Web Services Direct Connect attachment. // // TransportTransitGatewayAttachmentId is a required field TransportTransitGatewayAttachmentId *string `type:"string" required:"true"` @@ -56957,7 +58562,7 @@ type CreateTransitGatewayPeeringAttachmentInput struct { // it is UnauthorizedOperation. DryRun *bool `type:"boolean"` - // The AWS account ID of the owner of the peer transit gateway. + // The ID of the Amazon Web Services account that owns the peer transit gateway. // // PeerAccountId is a required field PeerAccountId *string `type:"string" required:"true"` @@ -57539,6 +59144,10 @@ type CreateVolumeInput struct { // AvailabilityZone is a required field AvailabilityZone *string `type:"string" required:"true"` + // Unique, case-sensitive identifier that you provide to ensure the idempotency + // of the request. For more information, see Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + ClientToken *string `type:"string" idempotencyToken:"true"` + // Checks whether you have the required permissions for the action, without // actually making the request, and provides an error response. If you have // the required permissions, the error response is DryRunOperation. Otherwise, @@ -57568,21 +59177,20 @@ type CreateVolumeInput struct { // // * io2: 100-64,000 IOPS // - // For io1 and io2 volumes, we guarantee 64,000 IOPS only for Instances built - // on the Nitro System (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). - // Other instance families guarantee performance up to 32,000 IOPS. + // io1 and io2 volumes support up to 64,000 IOPS only on Instances built on + // the Nitro System (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-types.html#ec2-nitro-instances). + // Other instance families support performance up to 32,000 IOPS. // // This parameter is required for io1 and io2 volumes. The default for gp3 volumes // is 3,000 IOPS. This parameter is not supported for gp2, st1, sc1, or standard // volumes. Iops *int64 `type:"integer"` - // The identifier of the AWS Key Management Service (AWS KMS) customer master - // key (CMK) to use for Amazon EBS encryption. If this parameter is not specified, - // your AWS managed CMK for EBS is used. If KmsKeyId is specified, the encrypted - // state must be true. + // The identifier of the Key Management Service (KMS) KMS key to use for Amazon + // EBS encryption. If this parameter is not specified, your KMS key for Amazon + // EBS is used. If KmsKeyId is specified, the encrypted state must be true. // - // You can specify the CMK using any of the following: + // You can specify the KMS key using any of the following: // // * Key ID. For example, 1234abcd-12ab-34cd-56ef-1234567890ab. // @@ -57592,9 +59200,9 @@ type CreateVolumeInput struct { // // * Alias ARN. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. // - // AWS authenticates the CMK asynchronously. Therefore, if you specify an ID, - // alias, or ARN that is not valid, the action can appear to complete, but eventually - // fails. + // Amazon Web Services authenticates the KMS key asynchronously. Therefore, + // if you specify an ID, alias, or ARN that is not valid, the action can appear + // to complete, but eventually fails. KmsKeyId *string `type:"string"` // Indicates whether to enable Amazon EBS Multi-Attach. If you enable Multi-Attach, @@ -57686,6 +59294,12 @@ func (s *CreateVolumeInput) SetAvailabilityZone(v string) *CreateVolumeInput { return s } +// SetClientToken sets the ClientToken field's value. +func (s *CreateVolumeInput) SetClientToken(v string) *CreateVolumeInput { + s.ClientToken = &v + return s +} + // SetDryRun sets the DryRun field's value. func (s *CreateVolumeInput) SetDryRun(v bool) *CreateVolumeInput { s.DryRun = &v @@ -57760,7 +59374,7 @@ type CreateVolumePermission struct { // The group to be added or removed. The possible value is all. Group *string `locationName:"group" type:"string" enum:"PermissionGroup"` - // The AWS account ID to be added or removed. + // The ID of the Amazon Web Services account to be added or removed. UserId *string `locationName:"userId" type:"string"` } @@ -57790,10 +59404,10 @@ func (s *CreateVolumePermission) SetUserId(v string) *CreateVolumePermission { type CreateVolumePermissionModifications struct { _ struct{} `type:"structure"` - // Adds the specified AWS account ID or group to the list. + // Adds the specified Amazon Web Services account ID or group to the list. Add []*CreateVolumePermission `locationNameList:"item" type:"list"` - // Removes the specified AWS account ID or group from the list. + // Removes the specified Amazon Web Services account ID or group from the list. Remove []*CreateVolumePermission `locationNameList:"item" type:"list"` } @@ -58410,9 +60024,9 @@ type CreateVpcPeeringConnectionInput struct { // it is UnauthorizedOperation. DryRun *bool `locationName:"dryRun" type:"boolean"` - // The AWS account ID of the owner of the accepter VPC. + // The Amazon Web Services account ID of the owner of the accepter VPC. // - // Default: Your AWS account ID + // Default: Your Amazon Web Services account ID PeerOwnerId *string `locationName:"peerOwnerId" type:"string"` // The Region code for the accepter VPC, if the accepter VPC is located in a @@ -59758,6 +61372,89 @@ func (s *DeleteFpgaImageOutput) SetReturn(v bool) *DeleteFpgaImageOutput { return s } +type DeleteInstanceEventWindowInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // Specify true to force delete the event window. Use the force delete parameter + // if the event window is currently associated with targets. + ForceDelete *bool `type:"boolean"` + + // The ID of the event window. + // + // InstanceEventWindowId is a required field + InstanceEventWindowId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteInstanceEventWindowInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteInstanceEventWindowInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteInstanceEventWindowInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteInstanceEventWindowInput"} + if s.InstanceEventWindowId == nil { + invalidParams.Add(request.NewErrParamRequired("InstanceEventWindowId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DeleteInstanceEventWindowInput) SetDryRun(v bool) *DeleteInstanceEventWindowInput { + s.DryRun = &v + return s +} + +// SetForceDelete sets the ForceDelete field's value. +func (s *DeleteInstanceEventWindowInput) SetForceDelete(v bool) *DeleteInstanceEventWindowInput { + s.ForceDelete = &v + return s +} + +// SetInstanceEventWindowId sets the InstanceEventWindowId field's value. +func (s *DeleteInstanceEventWindowInput) SetInstanceEventWindowId(v string) *DeleteInstanceEventWindowInput { + s.InstanceEventWindowId = &v + return s +} + +type DeleteInstanceEventWindowOutput struct { + _ struct{} `type:"structure"` + + // The state of the event window. + InstanceEventWindowState *InstanceEventWindowStateChange `locationName:"instanceEventWindowState" type:"structure"` +} + +// String returns the string representation +func (s DeleteInstanceEventWindowOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteInstanceEventWindowOutput) GoString() string { + return s.String() +} + +// SetInstanceEventWindowState sets the InstanceEventWindowState field's value. +func (s *DeleteInstanceEventWindowOutput) SetInstanceEventWindowState(v *InstanceEventWindowStateChange) *DeleteInstanceEventWindowOutput { + s.InstanceEventWindowState = v + return s +} + type DeleteInternetGatewayInput struct { _ struct{} `type:"structure"` @@ -61422,6 +63119,79 @@ func (s DeleteSpotDatafeedSubscriptionOutput) GoString() string { return s.String() } +type DeleteSubnetCidrReservationInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The ID of the subnet CIDR reservation. + // + // SubnetCidrReservationId is a required field + SubnetCidrReservationId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s DeleteSubnetCidrReservationInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteSubnetCidrReservationInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DeleteSubnetCidrReservationInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DeleteSubnetCidrReservationInput"} + if s.SubnetCidrReservationId == nil { + invalidParams.Add(request.NewErrParamRequired("SubnetCidrReservationId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DeleteSubnetCidrReservationInput) SetDryRun(v bool) *DeleteSubnetCidrReservationInput { + s.DryRun = &v + return s +} + +// SetSubnetCidrReservationId sets the SubnetCidrReservationId field's value. +func (s *DeleteSubnetCidrReservationInput) SetSubnetCidrReservationId(v string) *DeleteSubnetCidrReservationInput { + s.SubnetCidrReservationId = &v + return s +} + +type DeleteSubnetCidrReservationOutput struct { + _ struct{} `type:"structure"` + + // Information about the deleted subnet CIDR reservation. + DeletedSubnetCidrReservation *SubnetCidrReservation `locationName:"deletedSubnetCidrReservation" type:"structure"` +} + +// String returns the string representation +func (s DeleteSubnetCidrReservationOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DeleteSubnetCidrReservationOutput) GoString() string { + return s.String() +} + +// SetDeletedSubnetCidrReservation sets the DeletedSubnetCidrReservation field's value. +func (s *DeleteSubnetCidrReservationOutput) SetDeletedSubnetCidrReservation(v *SubnetCidrReservation) *DeleteSubnetCidrReservationOutput { + s.DeletedSubnetCidrReservation = v + return s +} + type DeleteSubnetInput struct { _ struct{} `type:"structure"` @@ -61510,7 +63280,8 @@ type DeleteTagsInput struct { // an empty string. // // If you omit this parameter, we delete all user-defined tags for the specified - // resources. We do not delete AWS-generated tags (tags that have the aws: prefix). + // resources. We do not delete Amazon Web Services-generated tags (tags that + // have the aws: prefix). Tags []*Tag `locationName:"tag" locationNameList:"item" type:"list"` } @@ -63748,7 +65519,8 @@ type DescribeAddressesInput struct { // * network-interface-id - [EC2-VPC] The ID of the network interface that // the address is associated with, if any. // - // * network-interface-owner-id - The account ID of the owner. + // * network-interface-owner-id - The Amazon Web Services account ID of the + // owner. // // * private-ip-address - [EC2-VPC] The private IP address associated with // the Elastic IP address. @@ -64214,7 +65986,8 @@ type DescribeCapacityReservationsInput struct { // * instance-type - The type of instance for which the Capacity Reservation // reserves capacity. // - // * owner-id - The ID of the AWS account that owns the Capacity Reservation. + // * owner-id - The ID of the Amazon Web Services account that owns the Capacity + // Reservation. // // * availability-zone-id - The Availability Zone ID of the Capacity Reservation. // @@ -64226,8 +65999,9 @@ type DescribeCapacityReservationsInput struct { // * tenancy - Indicates the tenancy of the Capacity Reservation. A Capacity // Reservation can have one of the following tenancy settings: default - // The Capacity Reservation is created on hardware that is shared with other - // AWS accounts. dedicated - The Capacity Reservation is created on single-tenant - // hardware that is dedicated to a single AWS account. + // Amazon Web Services accounts. dedicated - The Capacity Reservation is + // created on single-tenant hardware that is dedicated to a single Amazon + // Web Services account. // // * outpost-arn - The Amazon Resource Name (ARN) of the Outpost on which // the Capacity Reservation was created. @@ -64384,7 +66158,8 @@ type DescribeCarrierGatewaysInput struct { // * state - The state of the carrier gateway (pending | failed | available // | deleting | deleted). // - // * owner-id - The AWS account ID of the owner of the carrier gateway. + // * owner-id - The Amazon Web Services account ID of the owner of the carrier + // gateway. // // * tag: - The key/value combination of a tag assigned to the resource. // Use the tag key in the filter name and the tag value as the filter value. @@ -65519,7 +67294,8 @@ type DescribeDhcpOptionsInput struct { // // * value - The value for one of the options. // - // * owner-id - The ID of the AWS account that owns the DHCP options set. + // * owner-id - The ID of the Amazon Web Services account that owns the DHCP + // options set. // // * tag: - The key/value combination of a tag assigned to the resource. // Use the tag key in the filter name and the tag value as the filter value. @@ -66066,11 +67842,12 @@ type DescribeFastSnapshotRestoreSuccessItem struct { // The time at which fast snapshot restores entered the optimizing state. OptimizingTime *time.Time `locationName:"optimizingTime" type:"timestamp"` - // The AWS owner alias that enabled fast snapshot restores on the snapshot. - // This is intended for future use. + // The Amazon Web Services owner alias that enabled fast snapshot restores on + // the snapshot. This is intended for future use. OwnerAlias *string `locationName:"ownerAlias" type:"string"` - // The ID of the AWS account that enabled fast snapshot restores on the snapshot. + // The ID of the Amazon Web Services account that enabled fast snapshot restores + // on the snapshot. OwnerId *string `locationName:"ownerId" type:"string"` // The ID of the snapshot. @@ -66178,8 +67955,8 @@ type DescribeFastSnapshotRestoresInput struct { // // * availability-zone: The Availability Zone of the snapshot. // - // * owner-id: The ID of the AWS account that enabled fast snapshot restore - // on the snapshot. + // * owner-id: The ID of the Amazon Web Services account that enabled fast + // snapshot restore on the snapshot. // // * snapshot-id: The ID of the snapshot. // @@ -68327,8 +70104,8 @@ type DescribeInstanceAttributeOutput struct { // Indicates whether enhanced networking with ENA is enabled. EnaSupport *AttributeBooleanValue `locationName:"enaSupport" type:"structure"` - // To enable the instance for AWS Nitro Enclaves, set this parameter to true; - // otherwise, set it to false. + // To enable the instance for Amazon Web Services Nitro Enclaves, set this parameter + // to true; otherwise, set it to false. EnclaveOptions *EnclaveOptions `locationName:"enclaveOptions" type:"structure"` // The security groups associated with the instance. @@ -68644,6 +70421,150 @@ func (s *DescribeInstanceEventNotificationAttributesOutput) SetInstanceTagAttrib return s } +// Describe instance event windows by InstanceEventWindow. +type DescribeInstanceEventWindowsInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // One or more filters. + // + // * dedicated-host-id - The event windows associated with the specified + // Dedicated Host ID. + // + // * event-window-name - The event windows associated with the specified + // names. + // + // * instance-id - The event windows associated with the specified instance + // ID. + // + // * instance-tag - The event windows associated with the specified tag and + // value. + // + // * instance-tag-key - The event windows associated with the specified tag + // key, regardless of the value. + // + // * instance-tag-value - The event windows associated with the specified + // tag value, regardless of the key. + // + // * tag: - The key/value combination of a tag assigned to the event + // window. Use the tag key in the filter name and the tag value as the filter + // value. For example, to find all resources that have a tag with the key + // Owner and the value CMX, specify tag:Owner for the filter name and CMX + // for the filter value. + // + // * tag-key - The key of a tag assigned to the event window. Use this filter + // to find all event windows that have a tag with a specific key, regardless + // of the tag value. + // + // * tag-value - The value of a tag assigned to the event window. Use this + // filter to find all event windows that have a tag with a specific value, + // regardless of the tag key. + Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` + + // The IDs of the event windows. + InstanceEventWindowIds []*string `locationName:"InstanceEventWindowId" locationNameList:"InstanceEventWindowId" type:"list"` + + // The maximum number of results to return in a single call. To retrieve the + // remaining results, make another call with the returned NextToken value. This + // value can be between 20 and 500. You cannot specify this parameter and the + // event window IDs parameter in the same call. + MaxResults *int64 `min:"20" type:"integer"` + + // The token to request the next page of results. + NextToken *string `type:"string"` +} + +// String returns the string representation +func (s DescribeInstanceEventWindowsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeInstanceEventWindowsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeInstanceEventWindowsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeInstanceEventWindowsInput"} + if s.MaxResults != nil && *s.MaxResults < 20 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 20)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DescribeInstanceEventWindowsInput) SetDryRun(v bool) *DescribeInstanceEventWindowsInput { + s.DryRun = &v + return s +} + +// SetFilters sets the Filters field's value. +func (s *DescribeInstanceEventWindowsInput) SetFilters(v []*Filter) *DescribeInstanceEventWindowsInput { + s.Filters = v + return s +} + +// SetInstanceEventWindowIds sets the InstanceEventWindowIds field's value. +func (s *DescribeInstanceEventWindowsInput) SetInstanceEventWindowIds(v []*string) *DescribeInstanceEventWindowsInput { + s.InstanceEventWindowIds = v + return s +} + +// SetMaxResults sets the MaxResults field's value. +func (s *DescribeInstanceEventWindowsInput) SetMaxResults(v int64) *DescribeInstanceEventWindowsInput { + s.MaxResults = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeInstanceEventWindowsInput) SetNextToken(v string) *DescribeInstanceEventWindowsInput { + s.NextToken = &v + return s +} + +type DescribeInstanceEventWindowsOutput struct { + _ struct{} `type:"structure"` + + // Information about the event windows. + InstanceEventWindows []*InstanceEventWindow `locationName:"instanceEventWindowSet" locationNameList:"item" type:"list"` + + // The token to use to retrieve the next page of results. This value is null + // when there are no more results to return. + NextToken *string `locationName:"nextToken" type:"string"` +} + +// String returns the string representation +func (s DescribeInstanceEventWindowsOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeInstanceEventWindowsOutput) GoString() string { + return s.String() +} + +// SetInstanceEventWindows sets the InstanceEventWindows field's value. +func (s *DescribeInstanceEventWindowsOutput) SetInstanceEventWindows(v []*InstanceEventWindow) *DescribeInstanceEventWindowsOutput { + s.InstanceEventWindows = v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeInstanceEventWindowsOutput) SetNextToken(v string) *DescribeInstanceEventWindowsOutput { + s.NextToken = &v + return s +} + type DescribeInstanceStatusInput struct { _ struct{} `type:"structure"` @@ -69003,6 +70924,9 @@ type DescribeInstanceTypesInput struct { // * network-info.ena-support - Indicates whether Elastic Network Adapter // (ENA) is supported or required (required | supported | unsupported). // + // * network-info.encryption-in-transit-supported - Indicates whether the + // instance type automatically encrypts in-transit traffic between instances. + // // * network-info.ipv4-addresses-per-interface - The maximum number of private // IPv4 addresses per network interface. // @@ -69320,7 +71244,7 @@ type DescribeInstancesInput struct { // * network-interface.requester-id - The requester ID for the network interface. // // * network-interface.requester-managed - Indicates whether the network - // interface is being managed by AWS. + // interface is being managed by Amazon Web Services. // // * network-interface.status - The status of the network interface (available) // | in-use). @@ -69337,7 +71261,7 @@ type DescribeInstancesInput struct { // // * outpost-arn - The Amazon Resource Name (ARN) of the Outpost. // - // * owner-id - The AWS account ID of the instance owner. + // * owner-id - The Amazon Web Services account ID of the instance owner. // // * placement-group-name - The name of the placement group for the instance. // @@ -69362,7 +71286,8 @@ type DescribeInstancesInput struct { // Similar to the state-reason-code filter. // // * requester-id - The ID of the entity that launched the instance on your - // behalf (for example, AWS Management Console, Auto Scaling, and so on). + // behalf (for example, Amazon Web Services Management Console, Auto Scaling, + // and so on). // // * reservation-id - The ID of the instance's reservation. A reservation // ID is created any time you launch an instance. A reservation ID has a @@ -69514,7 +71439,8 @@ type DescribeInternetGatewaysInput struct { // // * internet-gateway-id - The ID of the Internet gateway. // - // * owner-id - The ID of the AWS account that owns the internet gateway. + // * owner-id - The ID of the Amazon Web Services account that owns the internet + // gateway. // // * tag: - The key/value combination of a tag assigned to the resource. // Use the tag key in the filter name and the tag value as the filter value. @@ -69775,7 +71701,7 @@ type DescribeKeyPairsInput struct { // The key pair names. // - // Default: Describes all your key pairs. + // Default: Describes all of your key pairs. KeyNames []*string `locationName:"KeyName" locationNameList:"KeyName" type:"list"` // The IDs of the key pairs. @@ -71261,7 +73187,8 @@ type DescribeNetworkAclsInput struct { // // * network-acl-id - The ID of the network ACL. // - // * owner-id - The ID of the AWS account that owns the network ACL. + // * owner-id - The ID of the Amazon Web Services account that owns the network + // ACL. // // * tag: - The key/value combination of a tag assigned to the resource. // Use the tag key in the filter name and the tag value as the filter value. @@ -71768,7 +73695,8 @@ type DescribeNetworkInterfacePermissionsInput struct { // * network-interface-permission.network-interface-id - The ID of the network // interface. // - // * network-interface-permission.aws-account-id - The account ID. + // * network-interface-permission.aws-account-id - The Amazon Web Services + // account ID. // // * network-interface-permission.aws-service - The Amazon Web Service. // @@ -71943,19 +73871,20 @@ type DescribeNetworkInterfacesInput struct { // // * network-interface-id - The ID of the network interface. // - // * owner-id - The account ID of the network interface owner. + // * owner-id - The Amazon Web Services account ID of the network interface + // owner. // // * private-ip-address - The private IPv4 address or addresses of the network // interface. // // * private-dns-name - The private DNS name of the network interface (IPv4). // - // * requester-id - The alias or account ID of the principal or service that - // created the network interface. + // * requester-id - The alias or Amazon Web Services account ID of the principal + // or service that created the network interface. // // * requester-managed - Indicates whether the network interface is being - // managed by an Amazon Web Service (for example, Management Console, Auto - // Scaling, and so on). + // managed by an Amazon Web Service (for example, Amazon Web Services Management + // Console, Auto Scaling, and so on). // // * source-dest-check - Indicates whether the network interface performs // source/destination checking. A value of true means checking is enabled, @@ -73015,8 +74944,8 @@ type DescribeReservedInstancesOfferingsInput struct { // // * marketplace - Set to true to show only Reserved Instance Marketplace // offerings. When this filter is not used, which is the default behavior, - // all offerings from both AWS and the Reserved Instance Marketplace are - // listed. + // all offerings from both Amazon Web Services and the Reserved Instance + // Marketplace are listed. // // * product-description - The Reserved Instance product platform description. // Instances that include (Amazon VPC) in the product platform description @@ -73277,7 +75206,8 @@ type DescribeRouteTablesInput struct { // table for the VPC (true | false). Route tables that do not have an association // ID are not returned in the response. // - // * owner-id - The ID of the AWS account that owns the route table. + // * owner-id - The ID of the Amazon Web Services account that owns the route + // table. // // * route-table-id - The ID of the route table. // @@ -73287,8 +75217,8 @@ type DescribeRouteTablesInput struct { // * route.destination-ipv6-cidr-block - The IPv6 CIDR range specified in // a route in the route table. // - // * route.destination-prefix-list-id - The ID (prefix) of the AWS service - // specified in a route in the table. + // * route.destination-prefix-list-id - The ID (prefix) of the Amazon Web + // Service specified in a route in the table. // // * route.egress-only-internet-gateway-id - The ID of an egress-only Internet // gateway specified in a route in the route table. @@ -73784,6 +75714,127 @@ func (s *DescribeSecurityGroupReferencesOutput) SetSecurityGroupReferenceSet(v [ return s } +type DescribeSecurityGroupRulesInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // One or more filters. + // + // * group-id - The ID of the security group. + // + // * security-group-rule-id - The ID of the security group rule. + // + // * tag: - The key/value combination of a tag assigned to the resource. + // Use the tag key in the filter name and the tag value as the filter value. + // For example, to find all resources that have a tag with the key Owner + // and the value TeamA, specify tag:Owner for the filter name and TeamA for + // the filter value. + Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` + + // The maximum number of results to return in a single call. To retrieve the + // remaining results, make another request with the returned NextToken value. + // This value can be between 5 and 1000. If this parameter is not specified, + // then all results are returned. + MaxResults *int64 `min:"5" type:"integer"` + + // The token for the next page of results. + NextToken *string `type:"string"` + + // The IDs of the security group rules. + SecurityGroupRuleIds []*string `locationName:"SecurityGroupRuleId" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s DescribeSecurityGroupRulesInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeSecurityGroupRulesInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DescribeSecurityGroupRulesInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DescribeSecurityGroupRulesInput"} + if s.MaxResults != nil && *s.MaxResults < 5 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 5)) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *DescribeSecurityGroupRulesInput) SetDryRun(v bool) *DescribeSecurityGroupRulesInput { + s.DryRun = &v + return s +} + +// SetFilters sets the Filters field's value. +func (s *DescribeSecurityGroupRulesInput) SetFilters(v []*Filter) *DescribeSecurityGroupRulesInput { + s.Filters = v + return s +} + +// SetMaxResults sets the MaxResults field's value. +func (s *DescribeSecurityGroupRulesInput) SetMaxResults(v int64) *DescribeSecurityGroupRulesInput { + s.MaxResults = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeSecurityGroupRulesInput) SetNextToken(v string) *DescribeSecurityGroupRulesInput { + s.NextToken = &v + return s +} + +// SetSecurityGroupRuleIds sets the SecurityGroupRuleIds field's value. +func (s *DescribeSecurityGroupRulesInput) SetSecurityGroupRuleIds(v []*string) *DescribeSecurityGroupRulesInput { + s.SecurityGroupRuleIds = v + return s +} + +type DescribeSecurityGroupRulesOutput struct { + _ struct{} `type:"structure"` + + // The token to use to retrieve the next page of results. This value is null + // when there are no more results to return. + NextToken *string `locationName:"nextToken" type:"string"` + + // Information about security group rules. + SecurityGroupRules []*SecurityGroupRule `locationName:"securityGroupRuleSet" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s DescribeSecurityGroupRulesOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DescribeSecurityGroupRulesOutput) GoString() string { + return s.String() +} + +// SetNextToken sets the NextToken field's value. +func (s *DescribeSecurityGroupRulesOutput) SetNextToken(v string) *DescribeSecurityGroupRulesOutput { + s.NextToken = &v + return s +} + +// SetSecurityGroupRules sets the SecurityGroupRules field's value. +func (s *DescribeSecurityGroupRulesOutput) SetSecurityGroupRules(v []*SecurityGroupRule) *DescribeSecurityGroupRulesOutput { + s.SecurityGroupRules = v + return s +} + type DescribeSecurityGroupsInput struct { _ struct{} `type:"structure"` @@ -73823,8 +75874,8 @@ type DescribeSecurityGroupsInput struct { // * egress.ip-permission.to-port - For an outbound rule, the end of port // range for the TCP and UDP protocols, or an ICMP code. // - // * egress.ip-permission.user-id - The ID of an AWS account that has been - // referenced in an outbound security group rule. + // * egress.ip-permission.user-id - The ID of an Amazon Web Services account + // that has been referenced in an outbound security group rule. // // * group-id - The ID of the security group. // @@ -73854,10 +75905,11 @@ type DescribeSecurityGroupsInput struct { // * ip-permission.to-port - For an inbound rule, the end of port range for // the TCP and UDP protocols, or an ICMP code. // - // * ip-permission.user-id - The ID of an AWS account that has been referenced - // in an inbound security group rule. + // * ip-permission.user-id - The ID of an Amazon Web Services account that + // has been referenced in an inbound security group rule. // - // * owner-id - The AWS account ID of the owner of the security group. + // * owner-id - The Amazon Web Services account ID of the owner of the security + // group. // // * tag: - The key/value combination of a tag assigned to the resource. // Use the tag key in the filter name and the tag value as the filter value. @@ -73875,7 +75927,7 @@ type DescribeSecurityGroupsInput struct { // The IDs of the security groups. Required for security groups in a nondefault // VPC. // - // Default: Describes all your security groups. + // Default: Describes all of your security groups. GroupIds []*string `locationName:"GroupId" locationNameList:"groupId" type:"list"` // [EC2-Classic and default VPC only] The names of the security groups. You @@ -73883,7 +75935,7 @@ type DescribeSecurityGroupsInput struct { // security groups in a nondefault VPC, use the group-name filter to describe // security groups by name. // - // Default: Describes all your security groups. + // Default: Describes all of your security groups. GroupNames []*string `locationName:"GroupName" locationNameList:"GroupName" type:"list"` // The maximum number of results to return in a single call. To retrieve the @@ -74110,11 +76162,12 @@ type DescribeSnapshotsInput struct { // * encrypted - Indicates whether the snapshot is encrypted (true | false) // // * owner-alias - The owner alias, from an Amazon-maintained list (amazon). - // This is not the user-configured AWS account alias set using the IAM console. - // We recommend that you use the related parameter instead of this filter. + // This is not the user-configured Amazon Web Services account alias set + // using the IAM console. We recommend that you use the related parameter + // instead of this filter. // - // * owner-id - The AWS account ID of the owner. We recommend that you use - // the related parameter instead of this filter. + // * owner-id - The Amazon Web Services account ID of the owner. We recommend + // that you use the related parameter instead of this filter. // // * progress - The progress of the snapshot, as a percentage (for example, // 80%). @@ -74159,10 +76212,11 @@ type DescribeSnapshotsInput struct { NextToken *string `type:"string"` // Scopes the results to snapshots with the specified owners. You can specify - // a combination of AWS account IDs, self, and amazon. + // a combination of Amazon Web Services account IDs, self, and amazon. OwnerIds []*string `locationName:"Owner" locationNameList:"Owner" type:"list"` - // The IDs of the AWS accounts that can create volumes from the snapshot. + // The IDs of the Amazon Web Services accounts that can create volumes from + // the snapshot. RestorableByUserIds []*string `locationName:"RestorableBy" type:"list"` // The snapshot IDs. @@ -75303,7 +77357,7 @@ type DescribeSubnetsInput struct { // // * outpost-arn - The Amazon Resource Name (ARN) of the Outpost. // - // * owner-id - The ID of the AWS account that owns the subnet. + // * owner-id - The ID of the Amazon Web Services account that owns the subnet. // // * state - The state of the subnet (pending | available). // @@ -75909,7 +77963,8 @@ type DescribeTransitGatewayAttachmentsInput struct { // // * resource-id - The ID of the resource. // - // * resource-owner-id - The ID of the AWS account that owns the resource. + // * resource-owner-id - The ID of the Amazon Web Services account that owns + // the resource. // // * resource-type - The resource type. Valid values are vpc | vpn | direct-connect-gateway // | peering | connect. @@ -75922,8 +77977,8 @@ type DescribeTransitGatewayAttachmentsInput struct { // // * transit-gateway-id - The ID of the transit gateway. // - // * transit-gateway-owner-id - The ID of the AWS account that owns the transit - // gateway. + // * transit-gateway-owner-id - The ID of the Amazon Web Services account + // that owns the transit gateway. Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` // The maximum number of results to return with a single call. To retrieve the @@ -76391,10 +78446,10 @@ type DescribeTransitGatewayPeeringAttachmentsInput struct { // // * transit-gateway-attachment-id - The ID of the transit gateway attachment. // - // * local-owner-id - The ID of your AWS account. + // * local-owner-id - The ID of your Amazon Web Services account. // - // * remote-owner-id - The ID of the AWS account in the remote Region that - // owns the transit gateway. + // * remote-owner-id - The ID of the Amazon Web Services account in the remote + // Region that owns the transit gateway. // // * state - The state of the peering attachment. Valid values are available // | deleted | deleting | failed | failing | initiatingRequest | modifying @@ -76789,7 +78844,8 @@ type DescribeTransitGatewaysInput struct { // * options.vpn-ecmp-support - Indicates whether Equal Cost Multipath Protocol // support is enabled (enable | disable). // - // * owner-id - The ID of the AWS account that owns the transit gateway. + // * owner-id - The ID of the Amazon Web Services account that owns the transit + // gateway. // // * state - The state of the transit gateway (available | deleted | deleting // | modifying | pending). @@ -78512,8 +80568,8 @@ type DescribeVpcPeeringConnectionsInput struct { // // * accepter-vpc-info.cidr-block - The IPv4 CIDR block of the accepter VPC. // - // * accepter-vpc-info.owner-id - The AWS account ID of the owner of the - // accepter VPC. + // * accepter-vpc-info.owner-id - The ID of the Amazon Web Services account + // that owns the accepter VPC. // // * accepter-vpc-info.vpc-id - The ID of the accepter VPC. // @@ -78522,8 +80578,8 @@ type DescribeVpcPeeringConnectionsInput struct { // * requester-vpc-info.cidr-block - The IPv4 CIDR block of the requester's // VPC. // - // * requester-vpc-info.owner-id - The AWS account ID of the owner of the - // requester VPC. + // * requester-vpc-info.owner-id - The ID of the Amazon Web Services account + // that owns the requester VPC. // // * requester-vpc-info.vpc-id - The ID of the requester VPC. // @@ -78684,9 +80740,9 @@ type DescribeVpcsInput struct { // * ipv6-cidr-block-association.state - The state of an IPv6 CIDR block // associated with the VPC. // - // * isDefault - Indicates whether the VPC is the default VPC. + // * is-default - Indicates whether the VPC is the default VPC. // - // * owner-id - The ID of the AWS account that owns the VPC. + // * owner-id - The ID of the Amazon Web Services account that owns the VPC. // // * state - The state of the VPC (pending | available). // @@ -79471,7 +81527,7 @@ type DhcpOptions struct { // The ID of the set of DHCP options. DhcpOptionsId *string `locationName:"dhcpOptionsId" type:"string"` - // The ID of the AWS account that owns the DHCP options set. + // The ID of the Amazon Web Services account that owns the DHCP options set. OwnerId *string `locationName:"ownerId" type:"string"` // Any tags assigned to the DHCP options set. @@ -79732,11 +81788,12 @@ type DisableFastSnapshotRestoreSuccessItem struct { // The time at which fast snapshot restores entered the optimizing state. OptimizingTime *time.Time `locationName:"optimizingTime" type:"timestamp"` - // The AWS owner alias that enabled fast snapshot restores on the snapshot. - // This is intended for future use. + // The Amazon Web Services owner alias that enabled fast snapshot restores on + // the snapshot. This is intended for future use. OwnerAlias *string `locationName:"ownerAlias" type:"string"` - // The ID of the AWS account that enabled fast snapshot restores on the snapshot. + // The ID of the Amazon Web Services account that enabled fast snapshot restores + // on the snapshot. OwnerId *string `locationName:"ownerId" type:"string"` // The ID of the snapshot. @@ -80636,6 +82693,93 @@ func (s *DisassociateIamInstanceProfileOutput) SetIamInstanceProfileAssociation( return s } +type DisassociateInstanceEventWindowInput struct { + _ struct{} `type:"structure"` + + // One or more targets to disassociate from the specified event window. + // + // AssociationTarget is a required field + AssociationTarget *InstanceEventWindowDisassociationRequest `type:"structure" required:"true"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The ID of the event window. + // + // InstanceEventWindowId is a required field + InstanceEventWindowId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s DisassociateInstanceEventWindowInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisassociateInstanceEventWindowInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *DisassociateInstanceEventWindowInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "DisassociateInstanceEventWindowInput"} + if s.AssociationTarget == nil { + invalidParams.Add(request.NewErrParamRequired("AssociationTarget")) + } + if s.InstanceEventWindowId == nil { + invalidParams.Add(request.NewErrParamRequired("InstanceEventWindowId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetAssociationTarget sets the AssociationTarget field's value. +func (s *DisassociateInstanceEventWindowInput) SetAssociationTarget(v *InstanceEventWindowDisassociationRequest) *DisassociateInstanceEventWindowInput { + s.AssociationTarget = v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *DisassociateInstanceEventWindowInput) SetDryRun(v bool) *DisassociateInstanceEventWindowInput { + s.DryRun = &v + return s +} + +// SetInstanceEventWindowId sets the InstanceEventWindowId field's value. +func (s *DisassociateInstanceEventWindowInput) SetInstanceEventWindowId(v string) *DisassociateInstanceEventWindowInput { + s.InstanceEventWindowId = &v + return s +} + +type DisassociateInstanceEventWindowOutput struct { + _ struct{} `type:"structure"` + + // Information about the event window. + InstanceEventWindow *InstanceEventWindow `locationName:"instanceEventWindow" type:"structure"` +} + +// String returns the string representation +func (s DisassociateInstanceEventWindowOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s DisassociateInstanceEventWindowOutput) GoString() string { + return s.String() +} + +// SetInstanceEventWindow sets the InstanceEventWindow field's value. +func (s *DisassociateInstanceEventWindowOutput) SetInstanceEventWindow(v *InstanceEventWindow) *DisassociateInstanceEventWindowOutput { + s.InstanceEventWindow = v + return s +} + type DisassociateRouteTableInput struct { _ struct{} `type:"structure"` @@ -80937,7 +83081,7 @@ func (s *DisassociateTransitGatewayRouteTableOutput) SetAssociation(v *TransitGa type DisassociateTrunkInterfaceInput struct { _ struct{} `type:"structure"` - // The ID ofthe association + // The ID of the association // // AssociationId is a required field AssociationId *string `type:"string" required:"true"` @@ -82376,11 +84520,12 @@ type EnableFastSnapshotRestoreSuccessItem struct { // The time at which fast snapshot restores entered the optimizing state. OptimizingTime *time.Time `locationName:"optimizingTime" type:"timestamp"` - // The AWS owner alias that enabled fast snapshot restores on the snapshot. - // This is intended for future use. + // The Amazon Web Services owner alias that enabled fast snapshot restores on + // the snapshot. This is intended for future use. OwnerAlias *string `locationName:"ownerAlias" type:"string"` - // The ID of the AWS account that enabled fast snapshot restores on the snapshot. + // The ID of the Amazon Web Services account that enabled fast snapshot restores + // on the snapshot. OwnerId *string `locationName:"ownerId" type:"string"` // The ID of the snapshot. @@ -82490,7 +84635,8 @@ type EnableFastSnapshotRestoresInput struct { DryRun *bool `type:"boolean"` // The IDs of one or more snapshots. For example, snap-1234567890abcdef0. You - // can specify a snapshot that was shared with you from another AWS account. + // can specify a snapshot that was shared with you from another Amazon Web Services + // account. // // SourceSnapshotIds is a required field SourceSnapshotIds []*string `locationName:"SourceSnapshotId" locationNameList:"SnapshotId" type:"list" required:"true"` @@ -83069,12 +85215,13 @@ func (s *EnableVpcClassicLinkOutput) SetReturn(v bool) *EnableVpcClassicLinkOutp return s } -// Indicates whether the instance is enabled for AWS Nitro Enclaves. +// Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. type EnclaveOptions struct { _ struct{} `type:"structure"` - // If this parameter is set to true, the instance is enabled for AWS Nitro Enclaves; - // otherwise, it is not enabled for AWS Nitro Enclaves. + // If this parameter is set to true, the instance is enabled for Amazon Web + // Services Nitro Enclaves; otherwise, it is not enabled for Amazon Web Services + // Nitro Enclaves. Enabled *bool `locationName:"enabled" type:"boolean"` } @@ -83094,13 +85241,14 @@ func (s *EnclaveOptions) SetEnabled(v bool) *EnclaveOptions { return s } -// Indicates whether the instance is enabled for AWS Nitro Enclaves. For more -// information, see What is AWS Nitro Enclaves? (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html) -// in the AWS Nitro Enclaves User Guide. +// Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. +// For more information, see What is Amazon Web Services Nitro Enclaves? (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html) +// in the Amazon Web Services Nitro Enclaves User Guide. type EnclaveOptionsRequest struct { _ struct{} `type:"structure"` - // To enable the instance for AWS Nitro Enclaves, set this parameter to true. + // To enable the instance for Amazon Web Services Nitro Enclaves, set this parameter + // to true. Enabled *bool `type:"boolean"` } @@ -83164,7 +85312,7 @@ type EventInformation struct { // * modify_in_progress - A request to modify the EC2 Fleet or Spot Fleet // request was accepted and is in progress. // - // * modify_successful - The EC2 Fleet or Spot Fleet request was modified. + // * modify_succeeded - The EC2 Fleet or Spot Fleet request was modified. // // * price_update - The price for a launch configuration was adjusted because // it was too high. This change is permanent. @@ -83836,7 +85984,8 @@ type ExportImageInput struct { RoleName *string `type:"string"` // Information about the destination Amazon S3 bucket. The bucket must exist - // and grant WRITE and READ_ACP permissions to the AWS account vm-import-export@amazon.com. + // and grant WRITE and READ_ACP permissions to the Amazon Web Services account + // vm-import-export@amazon.com. // // S3ExportLocation is a required field S3ExportLocation *ExportTaskS3LocationRequest `type:"structure" required:"true"` @@ -84292,7 +86441,8 @@ type ExportToS3Task struct { DiskImageFormat *string `locationName:"diskImageFormat" type:"string" enum:"DiskImageFormat"` // The Amazon S3 bucket for the destination image. The destination bucket must - // exist and grant WRITE and READ_ACP permissions to the AWS account vm-import-export@amazon.com. + // exist and grant WRITE and READ_ACP permissions to the Amazon Web Services + // account vm-import-export@amazon.com. S3Bucket *string `locationName:"s3Bucket" type:"string"` // The encryption key for your S3 bucket. @@ -84345,7 +86495,8 @@ type ExportToS3TaskSpecification struct { DiskImageFormat *string `locationName:"diskImageFormat" type:"string" enum:"DiskImageFormat"` // The Amazon S3 bucket for the destination image. The destination bucket must - // exist and grant WRITE and READ_ACP permissions to the AWS account vm-import-export@amazon.com. + // exist and grant WRITE and READ_ACP permissions to the Amazon Web Services + // account vm-import-export@amazon.com. S3Bucket *string `locationName:"s3Bucket" type:"string"` // The image is written to a single object in the Amazon S3 bucket at the S3 @@ -84660,6 +86811,9 @@ type FleetData struct { // Constraints: Maximum 64 ASCII characters ClientToken *string `locationName:"clientToken" type:"string"` + // Reserved. + Context *string `locationName:"context" type:"string"` + // The creation date and time of the EC2 Fleet. CreateTime *time.Time `locationName:"createTime" type:"timestamp"` @@ -84760,6 +86914,12 @@ func (s *FleetData) SetClientToken(v string) *FleetData { return s } +// SetContext sets the Context field's value. +func (s *FleetData) SetContext(v string) *FleetData { + s.Context = &v + return s +} + // SetCreateTime sets the CreateTime field's value. func (s *FleetData) SetCreateTime(v time.Time) *FleetData { s.CreateTime = &v @@ -86691,7 +88851,7 @@ func (s *GetEbsDefaultKmsKeyIdInput) SetDryRun(v bool) *GetEbsDefaultKmsKeyIdInp type GetEbsDefaultKmsKeyIdOutput struct { _ struct{} `type:"structure"` - // The Amazon Resource Name (ARN) of the default CMK for encryption by default. + // The Amazon Resource Name (ARN) of the default KMS key for encryption by default. KmsKeyId *string `locationName:"kmsKeyId" type:"string"` } @@ -87682,6 +89842,143 @@ func (s *GetSerialConsoleAccessStatusOutput) SetSerialConsoleAccessEnabled(v boo return s } +type GetSubnetCidrReservationsInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // One or more filters. + // + // * reservationType - The type of reservation (prefix | explicit). + // + // * subnet-id - The ID of the subnet. + // + // * tag: - The key/value combination of a tag assigned to the resource. + // Use the tag key in the filter name and the tag value as the filter value. + // For example, to find all resources that have a tag with the key Owner + // and the value TeamA, specify tag:Owner for the filter name and TeamA for + // the filter value. + // + // * tag-key - The key of a tag assigned to the resource. Use this filter + // to find all resources assigned a tag with a specific key, regardless of + // the tag value. + Filters []*Filter `locationName:"Filter" locationNameList:"Filter" type:"list"` + + // The maximum number of results to return with a single call. To retrieve the + // remaining results, make another call with the returned nextToken value. + MaxResults *int64 `min:"5" type:"integer"` + + // The token for the next page of results. + NextToken *string `type:"string"` + + // The ID of the subnet. + // + // SubnetId is a required field + SubnetId *string `type:"string" required:"true"` +} + +// String returns the string representation +func (s GetSubnetCidrReservationsInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetSubnetCidrReservationsInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *GetSubnetCidrReservationsInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "GetSubnetCidrReservationsInput"} + if s.MaxResults != nil && *s.MaxResults < 5 { + invalidParams.Add(request.NewErrParamMinValue("MaxResults", 5)) + } + if s.SubnetId == nil { + invalidParams.Add(request.NewErrParamRequired("SubnetId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *GetSubnetCidrReservationsInput) SetDryRun(v bool) *GetSubnetCidrReservationsInput { + s.DryRun = &v + return s +} + +// SetFilters sets the Filters field's value. +func (s *GetSubnetCidrReservationsInput) SetFilters(v []*Filter) *GetSubnetCidrReservationsInput { + s.Filters = v + return s +} + +// SetMaxResults sets the MaxResults field's value. +func (s *GetSubnetCidrReservationsInput) SetMaxResults(v int64) *GetSubnetCidrReservationsInput { + s.MaxResults = &v + return s +} + +// SetNextToken sets the NextToken field's value. +func (s *GetSubnetCidrReservationsInput) SetNextToken(v string) *GetSubnetCidrReservationsInput { + s.NextToken = &v + return s +} + +// SetSubnetId sets the SubnetId field's value. +func (s *GetSubnetCidrReservationsInput) SetSubnetId(v string) *GetSubnetCidrReservationsInput { + s.SubnetId = &v + return s +} + +type GetSubnetCidrReservationsOutput struct { + _ struct{} `type:"structure"` + + // The token to use to retrieve the next page of results. This value is null + // when there are no more results to return. + NextToken *string `locationName:"nextToken" type:"string"` + + // Information about the IPv4 subnet CIDR reservations. + SubnetIpv4CidrReservations []*SubnetCidrReservation `locationName:"subnetIpv4CidrReservationSet" locationNameList:"item" type:"list"` + + // Information about the IPv6 subnet CIDR reservations. + SubnetIpv6CidrReservations []*SubnetCidrReservation `locationName:"subnetIpv6CidrReservationSet" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s GetSubnetCidrReservationsOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s GetSubnetCidrReservationsOutput) GoString() string { + return s.String() +} + +// SetNextToken sets the NextToken field's value. +func (s *GetSubnetCidrReservationsOutput) SetNextToken(v string) *GetSubnetCidrReservationsOutput { + s.NextToken = &v + return s +} + +// SetSubnetIpv4CidrReservations sets the SubnetIpv4CidrReservations field's value. +func (s *GetSubnetCidrReservationsOutput) SetSubnetIpv4CidrReservations(v []*SubnetCidrReservation) *GetSubnetCidrReservationsOutput { + s.SubnetIpv4CidrReservations = v + return s +} + +// SetSubnetIpv6CidrReservations sets the SubnetIpv6CidrReservations field's value. +func (s *GetSubnetCidrReservationsOutput) SetSubnetIpv6CidrReservations(v []*SubnetCidrReservation) *GetSubnetCidrReservationsOutput { + s.SubnetIpv6CidrReservations = v + return s +} + type GetTransitGatewayAttachmentPropagationsInput struct { _ struct{} `type:"structure"` @@ -88634,7 +90931,7 @@ type Host struct { // is true, the host is in a host resource group; otherwise, it is not. MemberOfServiceLinkedResourceGroup *bool `locationName:"memberOfServiceLinkedResourceGroup" type:"boolean"` - // The ID of the AWS account that owns the Dedicated Host. + // The ID of the Amazon Web Services account that owns the Dedicated Host. OwnerId *string `locationName:"ownerId" type:"string"` // The time that the Dedicated Host was released. @@ -88769,7 +91066,7 @@ type HostInstance struct { // The instance type (for example, m3.medium) of the running instance. InstanceType *string `locationName:"instanceType" type:"string"` - // The ID of the AWS account that owns the instance. + // The ID of the Amazon Web Services account that owns the instance. OwnerId *string `locationName:"ownerId" type:"string"` } @@ -89792,6 +92089,9 @@ type ImportImageInput struct { // Valid values: i386 | x86_64 | arm64 Architecture *string `type:"string"` + // The boot mode of the virtual machine. + BootMode *string `type:"string" enum:"BootModeValues"` + // The client-specific data. ClientData *ClientData `type:"structure"` @@ -89811,9 +92111,8 @@ type ImportImageInput struct { DryRun *bool `type:"boolean"` // Specifies whether the destination AMI of the imported image should be encrypted. - // The default CMK for EBS is used unless you specify a non-default AWS Key - // Management Service (AWS KMS) CMK using KmsKeyId. For more information, see - // Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) + // The default KMS key for EBS is used unless you specify a non-default KMS + // key using KmsKeyId. For more information, see Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. Encrypted *bool `type:"boolean"` @@ -89822,35 +92121,36 @@ type ImportImageInput struct { // Valid values: xen Hypervisor *string `type:"string"` - // An identifier for the symmetric AWS Key Management Service (AWS KMS) customer - // master key (CMK) to use when creating the encrypted AMI. This parameter is - // only required if you want to use a non-default CMK; if this parameter is - // not specified, the default CMK for EBS is used. If a KmsKeyId is specified, - // the Encrypted flag must also be set. + // An identifier for the symmetric KMS key to use when creating the encrypted + // AMI. This parameter is only required if you want to use a non-default KMS + // key; if this parameter is not specified, the default KMS key for EBS is used. + // If a KmsKeyId is specified, the Encrypted flag must also be set. // - // The CMK identifier may be provided in any of the following formats: + // The KMS key identifier may be provided in any of the following formats: // // * Key ID // // * Key alias. The alias ARN contains the arn:aws:kms namespace, followed - // by the Region of the CMK, the AWS account ID of the CMK owner, the alias - // namespace, and then the CMK alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. + // by the Region of the key, the Amazon Web Services account ID of the key + // owner, the alias namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. // // * ARN using key ID. The ID ARN contains the arn:aws:kms namespace, followed - // by the Region of the CMK, the AWS account ID of the CMK owner, the key - // namespace, and then the CMK ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef. + // by the Region of the key, the Amazon Web Services account ID of the key + // owner, the key namespace, and then the key ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef. // // * ARN using key alias. The alias ARN contains the arn:aws:kms namespace, - // followed by the Region of the CMK, the AWS account ID of the CMK owner, - // the alias namespace, and then the CMK alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. + // followed by the Region of the key, the Amazon Web Services account ID + // of the key owner, the alias namespace, and then the key alias. For example, + // arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. // - // AWS parses KmsKeyId asynchronously, meaning that the action you call may - // appear to complete even though you provided an invalid identifier. This action - // will eventually report failure. + // Amazon Web Services parses KmsKeyId asynchronously, meaning that the action + // you call may appear to complete even though you provided an invalid identifier. + // This action will eventually report failure. // - // The specified CMK must exist in the Region that the AMI is being copied to. + // The specified KMS key must exist in the Region that the AMI is being copied + // to. // - // Amazon EBS does not support asymmetric CMKs. + // Amazon EBS does not support asymmetric KMS keys. KmsKeyId *string `type:"string"` // The ARNs of the license configurations. @@ -89860,12 +92160,12 @@ type ImportImageInput struct { // // By default, we detect the source-system operating system (OS) and apply the // appropriate license. Specify AWS to replace the source-system license with - // an AWS license, if appropriate. Specify BYOL to retain the source-system - // license, if appropriate. + // an Amazon Web Services license, if appropriate. Specify BYOL to retain the + // source-system license, if appropriate. // // To use BYOL, you must have existing licenses with rights to use these licenses - // in a third party cloud, such as AWS. For more information, see Prerequisites - // (https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html#prerequisites-image) + // in a third party cloud, such as Amazon Web Services. For more information, + // see Prerequisites (https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-image-import.html#prerequisites-image) // in the VM Import/Export User Guide. LicenseType *string `type:"string"` @@ -89879,6 +92179,11 @@ type ImportImageInput struct { // The tags to apply to the import image task during creation. TagSpecifications []*TagSpecification `locationName:"TagSpecification" locationNameList:"item" type:"list"` + + // The usage operation value. For more information, see AMI billing information + // fields (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/billing-info-fields.html) + // in the Amazon Elastic Compute Cloud User Guide. + UsageOperation *string `type:"string"` } // String returns the string representation @@ -89897,6 +92202,12 @@ func (s *ImportImageInput) SetArchitecture(v string) *ImportImageInput { return s } +// SetBootMode sets the BootMode field's value. +func (s *ImportImageInput) SetBootMode(v string) *ImportImageInput { + s.BootMode = &v + return s +} + // SetClientData sets the ClientData field's value. func (s *ImportImageInput) SetClientData(v *ClientData) *ImportImageInput { s.ClientData = v @@ -89975,6 +92286,12 @@ func (s *ImportImageInput) SetTagSpecifications(v []*TagSpecification) *ImportIm return s } +// SetUsageOperation sets the UsageOperation field's value. +func (s *ImportImageInput) SetUsageOperation(v string) *ImportImageInput { + s.UsageOperation = &v + return s +} + // The request information of license configurations. type ImportImageLicenseConfigurationRequest struct { _ struct{} `type:"structure"` @@ -90044,8 +92361,8 @@ type ImportImageOutput struct { // The task ID of the import image task. ImportTaskId *string `locationName:"importTaskId" type:"string"` - // The identifier for the symmetric AWS Key Management Service (AWS KMS) customer - // master key (CMK) that was used to create the encrypted AMI. + // The identifier for the symmetric KMS key that was used to create the encrypted + // AMI. KmsKeyId *string `locationName:"kmsKeyId" type:"string"` // The ARNs of the license configurations. @@ -90071,6 +92388,9 @@ type ImportImageOutput struct { // Any tags assigned to the import image task. Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` + + // The usage operation value. + UsageOperation *string `locationName:"usageOperation" type:"string"` } // String returns the string representation @@ -90173,6 +92493,12 @@ func (s *ImportImageOutput) SetTags(v []*Tag) *ImportImageOutput { return s } +// SetUsageOperation sets the UsageOperation field's value. +func (s *ImportImageOutput) SetUsageOperation(v string) *ImportImageOutput { + s.UsageOperation = &v + return s +} + // Describes an import image task. type ImportImageTask struct { _ struct{} `type:"structure"` @@ -90182,6 +92508,9 @@ type ImportImageTask struct { // Valid values: i386 | x86_64 | arm64 Architecture *string `locationName:"architecture" type:"string"` + // The boot mode of the virtual machine. + BootMode *string `locationName:"bootMode" type:"string" enum:"BootModeValues"` + // A description of the import task. Description *string `locationName:"description" type:"string"` @@ -90199,8 +92528,7 @@ type ImportImageTask struct { // The ID of the import image task. ImportTaskId *string `locationName:"importTaskId" type:"string"` - // The identifier for the AWS Key Management Service (AWS KMS) customer master - // key (CMK) that was used to create the encrypted image. + // The identifier for the KMS key that was used to create the encrypted image. KmsKeyId *string `locationName:"kmsKeyId" type:"string"` // The ARNs of the license configurations that are associated with the import @@ -90227,6 +92555,9 @@ type ImportImageTask struct { // The tags for the import image task. Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` + + // The usage operation value. + UsageOperation *string `locationName:"usageOperation" type:"string"` } // String returns the string representation @@ -90245,6 +92576,12 @@ func (s *ImportImageTask) SetArchitecture(v string) *ImportImageTask { return s } +// SetBootMode sets the BootMode field's value. +func (s *ImportImageTask) SetBootMode(v string) *ImportImageTask { + s.BootMode = &v + return s +} + // SetDescription sets the Description field's value. func (s *ImportImageTask) SetDescription(v string) *ImportImageTask { s.Description = &v @@ -90329,6 +92666,12 @@ func (s *ImportImageTask) SetTags(v []*Tag) *ImportImageTask { return s } +// SetUsageOperation sets the UsageOperation field's value. +func (s *ImportImageTask) SetUsageOperation(v string) *ImportImageTask { + s.UsageOperation = &v + return s +} + type ImportInstanceInput struct { _ struct{} `type:"structure"` @@ -90767,7 +93110,7 @@ type ImportKeyPairOutput struct { // The MD5 public key fingerprint as specified in section 4 of RFC 4716. KeyFingerprint *string `locationName:"keyFingerprint" type:"string"` - // The key pair name you provided. + // The key pair name that you provided. KeyName *string `locationName:"keyName" type:"string"` // The ID of the resulting key pair. @@ -90833,42 +93176,41 @@ type ImportSnapshotInput struct { DryRun *bool `type:"boolean"` // Specifies whether the destination snapshot of the imported image should be - // encrypted. The default CMK for EBS is used unless you specify a non-default - // AWS Key Management Service (AWS KMS) CMK using KmsKeyId. For more information, - // see Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) + // encrypted. The default KMS key for EBS is used unless you specify a non-default + // KMS key using KmsKeyId. For more information, see Amazon EBS Encryption (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html) // in the Amazon Elastic Compute Cloud User Guide. Encrypted *bool `type:"boolean"` - // An identifier for the symmetric AWS Key Management Service (AWS KMS) customer - // master key (CMK) to use when creating the encrypted snapshot. This parameter - // is only required if you want to use a non-default CMK; if this parameter - // is not specified, the default CMK for EBS is used. If a KmsKeyId is specified, - // the Encrypted flag must also be set. + // An identifier for the symmetric KMS key to use when creating the encrypted + // snapshot. This parameter is only required if you want to use a non-default + // KMS key; if this parameter is not specified, the default KMS key for EBS + // is used. If a KmsKeyId is specified, the Encrypted flag must also be set. // - // The CMK identifier may be provided in any of the following formats: + // The KMS key identifier may be provided in any of the following formats: // // * Key ID // // * Key alias. The alias ARN contains the arn:aws:kms namespace, followed - // by the Region of the CMK, the AWS account ID of the CMK owner, the alias - // namespace, and then the CMK alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. + // by the Region of the key, the Amazon Web Services account ID of the key + // owner, the alias namespace, and then the key alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. // // * ARN using key ID. The ID ARN contains the arn:aws:kms namespace, followed - // by the Region of the CMK, the AWS account ID of the CMK owner, the key - // namespace, and then the CMK ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef. + // by the Region of the key, the Amazon Web Services account ID of the key + // owner, the key namespace, and then the key ID. For example, arn:aws:kms:us-east-1:012345678910:key/abcd1234-a123-456a-a12b-a123b4cd56ef. // // * ARN using key alias. The alias ARN contains the arn:aws:kms namespace, - // followed by the Region of the CMK, the AWS account ID of the CMK owner, - // the alias namespace, and then the CMK alias. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. + // followed by the Region of the key, the Amazon Web Services account ID + // of the key owner, the alias namespace, and then the key alias. For example, + // arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. // - // AWS parses KmsKeyId asynchronously, meaning that the action you call may - // appear to complete even though you provided an invalid identifier. This action - // will eventually report failure. + // Amazon Web Services parses KmsKeyId asynchronously, meaning that the action + // you call may appear to complete even though you provided an invalid identifier. + // This action will eventually report failure. // - // The specified CMK must exist in the Region that the snapshot is being copied - // to. + // The specified KMS key must exist in the Region that the snapshot is being + // copied to. // - // Amazon EBS does not support asymmetric CMKs. + // Amazon EBS does not support asymmetric KMS keys. KmsKeyId *string `type:"string"` // The name of the role to use when not using the default role, 'vmimport'. @@ -91335,7 +93677,7 @@ type Instance struct { // Specifies whether enhanced networking with ENA is enabled. EnaSupport *bool `locationName:"enaSupport" type:"boolean"` - // Indicates whether the instance is enabled for AWS Nitro Enclaves. + // Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. EnclaveOptions *EnclaveOptions `locationName:"enclaveOptions" type:"structure"` // Indicates whether the instance is enabled for hibernation. @@ -92000,6 +94342,352 @@ func (s *InstanceCreditSpecificationRequest) SetInstanceId(v string) *InstanceCr return s } +// The event window. +type InstanceEventWindow struct { + _ struct{} `type:"structure"` + + // One or more targets associated with the event window. + AssociationTarget *InstanceEventWindowAssociationTarget `locationName:"associationTarget" type:"structure"` + + // The cron expression defined for the event window. + CronExpression *string `locationName:"cronExpression" type:"string"` + + // The ID of the event window. + InstanceEventWindowId *string `locationName:"instanceEventWindowId" type:"string"` + + // The name of the event window. + Name *string `locationName:"name" type:"string"` + + // The current state of the event window. + State *string `locationName:"state" type:"string" enum:"InstanceEventWindowState"` + + // The instance tags associated with the event window. + Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` + + // One or more time ranges defined for the event window. + TimeRanges []*InstanceEventWindowTimeRange `locationName:"timeRangeSet" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s InstanceEventWindow) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InstanceEventWindow) GoString() string { + return s.String() +} + +// SetAssociationTarget sets the AssociationTarget field's value. +func (s *InstanceEventWindow) SetAssociationTarget(v *InstanceEventWindowAssociationTarget) *InstanceEventWindow { + s.AssociationTarget = v + return s +} + +// SetCronExpression sets the CronExpression field's value. +func (s *InstanceEventWindow) SetCronExpression(v string) *InstanceEventWindow { + s.CronExpression = &v + return s +} + +// SetInstanceEventWindowId sets the InstanceEventWindowId field's value. +func (s *InstanceEventWindow) SetInstanceEventWindowId(v string) *InstanceEventWindow { + s.InstanceEventWindowId = &v + return s +} + +// SetName sets the Name field's value. +func (s *InstanceEventWindow) SetName(v string) *InstanceEventWindow { + s.Name = &v + return s +} + +// SetState sets the State field's value. +func (s *InstanceEventWindow) SetState(v string) *InstanceEventWindow { + s.State = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *InstanceEventWindow) SetTags(v []*Tag) *InstanceEventWindow { + s.Tags = v + return s +} + +// SetTimeRanges sets the TimeRanges field's value. +func (s *InstanceEventWindow) SetTimeRanges(v []*InstanceEventWindowTimeRange) *InstanceEventWindow { + s.TimeRanges = v + return s +} + +// One or more targets associated with the specified event window. Only one +// type of target (instance ID, instance tag, or Dedicated Host ID) can be associated +// with an event window. +type InstanceEventWindowAssociationRequest struct { + _ struct{} `type:"structure"` + + // The IDs of the Dedicated Hosts to associate with the event window. + DedicatedHostIds []*string `locationName:"DedicatedHostId" locationNameList:"item" type:"list"` + + // The IDs of the instances to associate with the event window. If the instance + // is on a Dedicated Host, you can't specify the Instance ID parameter; you + // must use the Dedicated Host ID parameter. + InstanceIds []*string `locationName:"InstanceId" locationNameList:"item" type:"list"` + + // The instance tags to associate with the event window. Any instances associated + // with the tags will be associated with the event window. + InstanceTags []*Tag `locationName:"InstanceTag" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s InstanceEventWindowAssociationRequest) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InstanceEventWindowAssociationRequest) GoString() string { + return s.String() +} + +// SetDedicatedHostIds sets the DedicatedHostIds field's value. +func (s *InstanceEventWindowAssociationRequest) SetDedicatedHostIds(v []*string) *InstanceEventWindowAssociationRequest { + s.DedicatedHostIds = v + return s +} + +// SetInstanceIds sets the InstanceIds field's value. +func (s *InstanceEventWindowAssociationRequest) SetInstanceIds(v []*string) *InstanceEventWindowAssociationRequest { + s.InstanceIds = v + return s +} + +// SetInstanceTags sets the InstanceTags field's value. +func (s *InstanceEventWindowAssociationRequest) SetInstanceTags(v []*Tag) *InstanceEventWindowAssociationRequest { + s.InstanceTags = v + return s +} + +// One or more targets associated with the event window. +type InstanceEventWindowAssociationTarget struct { + _ struct{} `type:"structure"` + + // The IDs of the Dedicated Hosts associated with the event window. + DedicatedHostIds []*string `locationName:"dedicatedHostIdSet" locationNameList:"item" type:"list"` + + // The IDs of the instances associated with the event window. + InstanceIds []*string `locationName:"instanceIdSet" locationNameList:"item" type:"list"` + + // The instance tags associated with the event window. Any instances associated + // with the tags will be associated with the event window. + Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s InstanceEventWindowAssociationTarget) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InstanceEventWindowAssociationTarget) GoString() string { + return s.String() +} + +// SetDedicatedHostIds sets the DedicatedHostIds field's value. +func (s *InstanceEventWindowAssociationTarget) SetDedicatedHostIds(v []*string) *InstanceEventWindowAssociationTarget { + s.DedicatedHostIds = v + return s +} + +// SetInstanceIds sets the InstanceIds field's value. +func (s *InstanceEventWindowAssociationTarget) SetInstanceIds(v []*string) *InstanceEventWindowAssociationTarget { + s.InstanceIds = v + return s +} + +// SetTags sets the Tags field's value. +func (s *InstanceEventWindowAssociationTarget) SetTags(v []*Tag) *InstanceEventWindowAssociationTarget { + s.Tags = v + return s +} + +// The targets to disassociate from the specified event window. +type InstanceEventWindowDisassociationRequest struct { + _ struct{} `type:"structure"` + + // The IDs of the Dedicated Hosts to disassociate from the event window. + DedicatedHostIds []*string `locationName:"DedicatedHostId" locationNameList:"item" type:"list"` + + // The IDs of the instances to disassociate from the event window. + InstanceIds []*string `locationName:"InstanceId" locationNameList:"item" type:"list"` + + // The instance tags to disassociate from the event window. Any instances associated + // with the tags will be disassociated from the event window. + InstanceTags []*Tag `locationName:"InstanceTag" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s InstanceEventWindowDisassociationRequest) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InstanceEventWindowDisassociationRequest) GoString() string { + return s.String() +} + +// SetDedicatedHostIds sets the DedicatedHostIds field's value. +func (s *InstanceEventWindowDisassociationRequest) SetDedicatedHostIds(v []*string) *InstanceEventWindowDisassociationRequest { + s.DedicatedHostIds = v + return s +} + +// SetInstanceIds sets the InstanceIds field's value. +func (s *InstanceEventWindowDisassociationRequest) SetInstanceIds(v []*string) *InstanceEventWindowDisassociationRequest { + s.InstanceIds = v + return s +} + +// SetInstanceTags sets the InstanceTags field's value. +func (s *InstanceEventWindowDisassociationRequest) SetInstanceTags(v []*Tag) *InstanceEventWindowDisassociationRequest { + s.InstanceTags = v + return s +} + +// The state of the event window. +type InstanceEventWindowStateChange struct { + _ struct{} `type:"structure"` + + // The ID of the event window. + InstanceEventWindowId *string `locationName:"instanceEventWindowId" type:"string"` + + // The current state of the event window. + State *string `locationName:"state" type:"string" enum:"InstanceEventWindowState"` +} + +// String returns the string representation +func (s InstanceEventWindowStateChange) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InstanceEventWindowStateChange) GoString() string { + return s.String() +} + +// SetInstanceEventWindowId sets the InstanceEventWindowId field's value. +func (s *InstanceEventWindowStateChange) SetInstanceEventWindowId(v string) *InstanceEventWindowStateChange { + s.InstanceEventWindowId = &v + return s +} + +// SetState sets the State field's value. +func (s *InstanceEventWindowStateChange) SetState(v string) *InstanceEventWindowStateChange { + s.State = &v + return s +} + +// The start day and time and the end day and time of the time range, in UTC. +type InstanceEventWindowTimeRange struct { + _ struct{} `type:"structure"` + + // The hour when the time range ends. + EndHour *int64 `locationName:"endHour" type:"integer"` + + // The day on which the time range ends. + EndWeekDay *string `locationName:"endWeekDay" type:"string" enum:"WeekDay"` + + // The hour when the time range begins. + StartHour *int64 `locationName:"startHour" type:"integer"` + + // The day on which the time range begins. + StartWeekDay *string `locationName:"startWeekDay" type:"string" enum:"WeekDay"` +} + +// String returns the string representation +func (s InstanceEventWindowTimeRange) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InstanceEventWindowTimeRange) GoString() string { + return s.String() +} + +// SetEndHour sets the EndHour field's value. +func (s *InstanceEventWindowTimeRange) SetEndHour(v int64) *InstanceEventWindowTimeRange { + s.EndHour = &v + return s +} + +// SetEndWeekDay sets the EndWeekDay field's value. +func (s *InstanceEventWindowTimeRange) SetEndWeekDay(v string) *InstanceEventWindowTimeRange { + s.EndWeekDay = &v + return s +} + +// SetStartHour sets the StartHour field's value. +func (s *InstanceEventWindowTimeRange) SetStartHour(v int64) *InstanceEventWindowTimeRange { + s.StartHour = &v + return s +} + +// SetStartWeekDay sets the StartWeekDay field's value. +func (s *InstanceEventWindowTimeRange) SetStartWeekDay(v string) *InstanceEventWindowTimeRange { + s.StartWeekDay = &v + return s +} + +// The start day and time and the end day and time of the time range, in UTC. +type InstanceEventWindowTimeRangeRequest struct { + _ struct{} `type:"structure"` + + // The hour when the time range ends. + EndHour *int64 `type:"integer"` + + // The day on which the time range ends. + EndWeekDay *string `type:"string" enum:"WeekDay"` + + // The hour when the time range begins. + StartHour *int64 `type:"integer"` + + // The day on which the time range begins. + StartWeekDay *string `type:"string" enum:"WeekDay"` +} + +// String returns the string representation +func (s InstanceEventWindowTimeRangeRequest) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InstanceEventWindowTimeRangeRequest) GoString() string { + return s.String() +} + +// SetEndHour sets the EndHour field's value. +func (s *InstanceEventWindowTimeRangeRequest) SetEndHour(v int64) *InstanceEventWindowTimeRangeRequest { + s.EndHour = &v + return s +} + +// SetEndWeekDay sets the EndWeekDay field's value. +func (s *InstanceEventWindowTimeRangeRequest) SetEndWeekDay(v string) *InstanceEventWindowTimeRangeRequest { + s.EndWeekDay = &v + return s +} + +// SetStartHour sets the StartHour field's value. +func (s *InstanceEventWindowTimeRangeRequest) SetStartHour(v int64) *InstanceEventWindowTimeRangeRequest { + s.StartHour = &v + return s +} + +// SetStartWeekDay sets the StartWeekDay field's value. +func (s *InstanceEventWindowTimeRangeRequest) SetStartWeekDay(v string) *InstanceEventWindowTimeRangeRequest { + s.StartWeekDay = &v + return s +} + // Describes an instance to export. type InstanceExportDetails struct { _ struct{} `type:"structure"` @@ -92068,6 +94756,30 @@ func (s *InstanceFamilyCreditSpecification) SetInstanceFamily(v string) *Instanc return s } +// Information about an IPv4 prefix. +type InstanceIpv4Prefix struct { + _ struct{} `type:"structure"` + + // One or more IPv4 prefixes assigned to the network interface. + Ipv4Prefix *string `locationName:"ipv4Prefix" type:"string"` +} + +// String returns the string representation +func (s InstanceIpv4Prefix) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InstanceIpv4Prefix) GoString() string { + return s.String() +} + +// SetIpv4Prefix sets the Ipv4Prefix field's value. +func (s *InstanceIpv4Prefix) SetIpv4Prefix(v string) *InstanceIpv4Prefix { + s.Ipv4Prefix = &v + return s +} + // Describes an IPv6 address. type InstanceIpv6Address struct { _ struct{} `type:"structure"` @@ -92116,6 +94828,30 @@ func (s *InstanceIpv6AddressRequest) SetIpv6Address(v string) *InstanceIpv6Addre return s } +// Information about an IPv6 prefix. +type InstanceIpv6Prefix struct { + _ struct{} `type:"structure"` + + // One or more IPv6 prefixes assigned to the network interface. + Ipv6Prefix *string `locationName:"ipv6Prefix" type:"string"` +} + +// String returns the string representation +func (s InstanceIpv6Prefix) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s InstanceIpv6Prefix) GoString() string { + return s.String() +} + +// SetIpv6Prefix sets the Ipv6Prefix field's value. +func (s *InstanceIpv6Prefix) SetIpv6Prefix(v string) *InstanceIpv6Prefix { + s.Ipv6Prefix = &v + return s +} + // Describes the market (purchasing) option for the instances. type InstanceMarketOptionsRequest struct { _ struct{} `type:"structure"` @@ -92160,6 +94896,9 @@ type InstanceMetadataOptionsRequest struct { // metadata. HttpEndpoint *string `type:"string" enum:"InstanceMetadataEndpointState"` + // Enables or disables the IPv6 endpoint for the instance metadata service. + HttpProtocolIpv6 *string `type:"string" enum:"InstanceMetadataProtocolState"` + // The desired HTTP PUT response hop limit for instance metadata requests. The // larger the number, the further instance metadata requests can travel. // @@ -92200,6 +94939,12 @@ func (s *InstanceMetadataOptionsRequest) SetHttpEndpoint(v string) *InstanceMeta return s } +// SetHttpProtocolIpv6 sets the HttpProtocolIpv6 field's value. +func (s *InstanceMetadataOptionsRequest) SetHttpProtocolIpv6(v string) *InstanceMetadataOptionsRequest { + s.HttpProtocolIpv6 = &v + return s +} + // SetHttpPutResponseHopLimit sets the HttpPutResponseHopLimit field's value. func (s *InstanceMetadataOptionsRequest) SetHttpPutResponseHopLimit(v int64) *InstanceMetadataOptionsRequest { s.HttpPutResponseHopLimit = &v @@ -92223,6 +94968,10 @@ type InstanceMetadataOptionsResponse struct { // metadata. HttpEndpoint *string `locationName:"httpEndpoint" type:"string" enum:"InstanceMetadataEndpointState"` + // Whether or not the IPv6 endpoint for the instance metadata service is enabled + // or disabled. + HttpProtocolIpv6 *string `locationName:"httpProtocolIpv6" type:"string" enum:"InstanceMetadataProtocolState"` + // The desired HTTP PUT response hop limit for instance metadata requests. The // larger the number, the further instance metadata requests can travel. // @@ -92271,6 +95020,12 @@ func (s *InstanceMetadataOptionsResponse) SetHttpEndpoint(v string) *InstanceMet return s } +// SetHttpProtocolIpv6 sets the HttpProtocolIpv6 field's value. +func (s *InstanceMetadataOptionsResponse) SetHttpProtocolIpv6(v string) *InstanceMetadataOptionsResponse { + s.HttpProtocolIpv6 = &v + return s +} + // SetHttpPutResponseHopLimit sets the HttpPutResponseHopLimit field's value. func (s *InstanceMetadataOptionsResponse) SetHttpPutResponseHopLimit(v int64) *InstanceMetadataOptionsResponse { s.HttpPutResponseHopLimit = &v @@ -92344,16 +95099,22 @@ type InstanceNetworkInterface struct { // Valid values: interface | efa | trunk InterfaceType *string `locationName:"interfaceType" type:"string"` + // The IPv4 delegated prefixes that are assigned to the network interface. + Ipv4Prefixes []*InstanceIpv4Prefix `locationName:"ipv4PrefixSet" locationNameList:"item" type:"list"` + // One or more IPv6 addresses associated with the network interface. Ipv6Addresses []*InstanceIpv6Address `locationName:"ipv6AddressesSet" locationNameList:"item" type:"list"` + // The IPv6 delegated prefixes that are assigned to the network interface. + Ipv6Prefixes []*InstanceIpv6Prefix `locationName:"ipv6PrefixSet" locationNameList:"item" type:"list"` + // The MAC address. MacAddress *string `locationName:"macAddress" type:"string"` // The ID of the network interface. NetworkInterfaceId *string `locationName:"networkInterfaceId" type:"string"` - // The ID of the account that created the network interface. + // The ID of the Amazon Web Services account that created the network interface. OwnerId *string `locationName:"ownerId" type:"string"` // The private DNS name. @@ -92418,12 +95179,24 @@ func (s *InstanceNetworkInterface) SetInterfaceType(v string) *InstanceNetworkIn return s } +// SetIpv4Prefixes sets the Ipv4Prefixes field's value. +func (s *InstanceNetworkInterface) SetIpv4Prefixes(v []*InstanceIpv4Prefix) *InstanceNetworkInterface { + s.Ipv4Prefixes = v + return s +} + // SetIpv6Addresses sets the Ipv6Addresses field's value. func (s *InstanceNetworkInterface) SetIpv6Addresses(v []*InstanceIpv6Address) *InstanceNetworkInterface { s.Ipv6Addresses = v return s } +// SetIpv6Prefixes sets the Ipv6Prefixes field's value. +func (s *InstanceNetworkInterface) SetIpv6Prefixes(v []*InstanceIpv6Prefix) *InstanceNetworkInterface { + s.Ipv6Prefixes = v + return s +} + // SetMacAddress sets the MacAddress field's value. func (s *InstanceNetworkInterface) SetMacAddress(v string) *InstanceNetworkInterface { s.MacAddress = &v @@ -92652,6 +95425,14 @@ type InstanceNetworkInterfaceSpecification struct { // Valid values: interface | efa InterfaceType *string `type:"string"` + // The number of IPv4 delegated prefixes to be automatically assigned to the + // network interface. You cannot use this option if you use the Ipv4Prefix option. + Ipv4PrefixCount *int64 `type:"integer"` + + // One or more IPv4 delegated prefixes to be assigned to the network interface. + // You cannot use this option if you use the Ipv4PrefixCount option. + Ipv4Prefixes []*Ipv4PrefixSpecificationRequest `locationName:"Ipv4Prefix" locationNameList:"item" type:"list"` + // A number of IPv6 addresses to assign to the network interface. Amazon EC2 // chooses the IPv6 addresses from the range of the subnet. You cannot specify // this option and the option to assign specific IPv6 addresses in the same @@ -92665,9 +95446,22 @@ type InstanceNetworkInterfaceSpecification struct { // number of instances to launch. Ipv6Addresses []*InstanceIpv6Address `locationName:"ipv6AddressesSet" queryName:"Ipv6Addresses" locationNameList:"item" type:"list"` + // The number of IPv6 delegated prefixes to be automatically assigned to the + // network interface. You cannot use this option if you use the Ipv6Prefix option. + Ipv6PrefixCount *int64 `type:"integer"` + + // One or more IPv6 delegated prefixes to be assigned to the network interface. + // You cannot use this option if you use the Ipv6PrefixCount option. + Ipv6Prefixes []*Ipv6PrefixSpecificationRequest `locationName:"Ipv6Prefix" locationNameList:"item" type:"list"` + // The index of the network card. Some instance types support multiple network // cards. The primary network interface must be assigned to network card index // 0. The default is network card index 0. + // + // If you are using RequestSpotInstances (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RequestSpotInstances.html) + // to create Spot Instances, omit this parameter because you can’t specify + // the network card index when using this API. To specify the network card index, + // use RunInstances (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_RunInstances.html). NetworkCardIndex *int64 `type:"integer"` // The ID of the network interface. @@ -92753,6 +95547,18 @@ func (s *InstanceNetworkInterfaceSpecification) SetInterfaceType(v string) *Inst return s } +// SetIpv4PrefixCount sets the Ipv4PrefixCount field's value. +func (s *InstanceNetworkInterfaceSpecification) SetIpv4PrefixCount(v int64) *InstanceNetworkInterfaceSpecification { + s.Ipv4PrefixCount = &v + return s +} + +// SetIpv4Prefixes sets the Ipv4Prefixes field's value. +func (s *InstanceNetworkInterfaceSpecification) SetIpv4Prefixes(v []*Ipv4PrefixSpecificationRequest) *InstanceNetworkInterfaceSpecification { + s.Ipv4Prefixes = v + return s +} + // SetIpv6AddressCount sets the Ipv6AddressCount field's value. func (s *InstanceNetworkInterfaceSpecification) SetIpv6AddressCount(v int64) *InstanceNetworkInterfaceSpecification { s.Ipv6AddressCount = &v @@ -92765,6 +95571,18 @@ func (s *InstanceNetworkInterfaceSpecification) SetIpv6Addresses(v []*InstanceIp return s } +// SetIpv6PrefixCount sets the Ipv6PrefixCount field's value. +func (s *InstanceNetworkInterfaceSpecification) SetIpv6PrefixCount(v int64) *InstanceNetworkInterfaceSpecification { + s.Ipv6PrefixCount = &v + return s +} + +// SetIpv6Prefixes sets the Ipv6Prefixes field's value. +func (s *InstanceNetworkInterfaceSpecification) SetIpv6Prefixes(v []*Ipv6PrefixSpecificationRequest) *InstanceNetworkInterfaceSpecification { + s.Ipv6Prefixes = v + return s +} + // SetNetworkCardIndex sets the NetworkCardIndex field's value. func (s *InstanceNetworkInterfaceSpecification) SetNetworkCardIndex(v int64) *InstanceNetworkInterfaceSpecification { s.NetworkCardIndex = &v @@ -93577,10 +96395,12 @@ func (s *InstanceTypeOffering) SetLocationType(v string) *InstanceTypeOffering { type InstanceUsage struct { _ struct{} `type:"structure"` - // The ID of the AWS account that is making use of the Capacity Reservation. + // The ID of the Amazon Web Services account that is making use of the Capacity + // Reservation. AccountId *string `locationName:"accountId" type:"string"` - // The number of instances the AWS account currently has in the Capacity Reservation. + // The number of instances the Amazon Web Services account currently has in + // the Capacity Reservation. UsedInstanceCount *int64 `locationName:"usedInstanceCount" type:"integer"` } @@ -93663,7 +96483,7 @@ type InternetGateway struct { // The ID of the internet gateway. InternetGatewayId *string `locationName:"internetGatewayId" type:"string"` - // The ID of the AWS account that owns the internet gateway. + // The ID of the Amazon Web Services account that owns the internet gateway. OwnerId *string `locationName:"ownerId" type:"string"` // Any tags assigned to the internet gateway. @@ -93773,7 +96593,7 @@ type IpPermission struct { // types, you must specify all codes. ToPort *int64 `locationName:"toPort" type:"integer"` - // The security group and AWS account ID pairs. + // The security group and Amazon Web Services account ID pairs. UserIdGroupPairs []*UserIdGroupPair `locationName:"groups" locationNameList:"item" type:"list"` } @@ -93867,6 +96687,82 @@ func (s *IpRange) SetDescription(v string) *IpRange { return s } +// Describes an IPv4 prefix. +type Ipv4PrefixSpecification struct { + _ struct{} `type:"structure"` + + // The IPv4 prefix. For information, see Assigning prefixes to Amazon EC2 network + // interfaces (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) + // in the Amazon Elastic Compute Cloud User Guide. + Ipv4Prefix *string `locationName:"ipv4Prefix" type:"string"` +} + +// String returns the string representation +func (s Ipv4PrefixSpecification) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Ipv4PrefixSpecification) GoString() string { + return s.String() +} + +// SetIpv4Prefix sets the Ipv4Prefix field's value. +func (s *Ipv4PrefixSpecification) SetIpv4Prefix(v string) *Ipv4PrefixSpecification { + s.Ipv4Prefix = &v + return s +} + +// Describes the IPv4 prefix option for a network interface. +type Ipv4PrefixSpecificationRequest struct { + _ struct{} `type:"structure"` + + // The IPv4 prefix. For information, see Assigning prefixes to Amazon EC2 network + // interfaces (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-prefix-eni.html) + // in the Amazon Elastic Compute Cloud User Guide. + Ipv4Prefix *string `type:"string"` +} + +// String returns the string representation +func (s Ipv4PrefixSpecificationRequest) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Ipv4PrefixSpecificationRequest) GoString() string { + return s.String() +} + +// SetIpv4Prefix sets the Ipv4Prefix field's value. +func (s *Ipv4PrefixSpecificationRequest) SetIpv4Prefix(v string) *Ipv4PrefixSpecificationRequest { + s.Ipv4Prefix = &v + return s +} + +// Information about the IPv4 delegated prefixes assigned to a network interface. +type Ipv4PrefixSpecificationResponse struct { + _ struct{} `type:"structure"` + + // One or more IPv4 delegated prefixes assigned to the network interface. + Ipv4Prefix *string `locationName:"ipv4Prefix" type:"string"` +} + +// String returns the string representation +func (s Ipv4PrefixSpecificationResponse) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Ipv4PrefixSpecificationResponse) GoString() string { + return s.String() +} + +// SetIpv4Prefix sets the Ipv4Prefix field's value. +func (s *Ipv4PrefixSpecificationResponse) SetIpv4Prefix(v string) *Ipv4PrefixSpecificationResponse { + s.Ipv4Prefix = &v + return s +} + // Describes an IPv6 CIDR block association. type Ipv6CidrAssociation struct { _ struct{} `type:"structure"` @@ -93975,6 +96871,78 @@ func (s *Ipv6Pool) SetTags(v []*Tag) *Ipv6Pool { return s } +// Describes the IPv6 prefix. +type Ipv6PrefixSpecification struct { + _ struct{} `type:"structure"` + + // The IPv6 prefix. + Ipv6Prefix *string `locationName:"ipv6Prefix" type:"string"` +} + +// String returns the string representation +func (s Ipv6PrefixSpecification) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Ipv6PrefixSpecification) GoString() string { + return s.String() +} + +// SetIpv6Prefix sets the Ipv6Prefix field's value. +func (s *Ipv6PrefixSpecification) SetIpv6Prefix(v string) *Ipv6PrefixSpecification { + s.Ipv6Prefix = &v + return s +} + +// Describes the IPv4 prefix option for a network interface. +type Ipv6PrefixSpecificationRequest struct { + _ struct{} `type:"structure"` + + // The IPv6 prefix. + Ipv6Prefix *string `type:"string"` +} + +// String returns the string representation +func (s Ipv6PrefixSpecificationRequest) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Ipv6PrefixSpecificationRequest) GoString() string { + return s.String() +} + +// SetIpv6Prefix sets the Ipv6Prefix field's value. +func (s *Ipv6PrefixSpecificationRequest) SetIpv6Prefix(v string) *Ipv6PrefixSpecificationRequest { + s.Ipv6Prefix = &v + return s +} + +// Information about the IPv6 delegated prefixes assigned to a network interface. +type Ipv6PrefixSpecificationResponse struct { + _ struct{} `type:"structure"` + + // One or more IPv6 delegated prefixes assigned to the network interface. + Ipv6Prefix *string `locationName:"ipv6Prefix" type:"string"` +} + +// String returns the string representation +func (s Ipv6PrefixSpecificationResponse) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s Ipv6PrefixSpecificationResponse) GoString() string { + return s.String() +} + +// SetIpv6Prefix sets the Ipv6Prefix field's value. +func (s *Ipv6PrefixSpecificationResponse) SetIpv6Prefix(v string) *Ipv6PrefixSpecificationResponse { + s.Ipv6Prefix = &v + return s +} + // [EC2-VPC only] Describes an IPv6 range. type Ipv6Range struct { _ struct{} `type:"structure"` @@ -94017,10 +96985,21 @@ func (s *Ipv6Range) SetDescription(v string) *Ipv6Range { type KeyPairInfo struct { _ struct{} `type:"structure"` - // If you used CreateKeyPair to create the key pair, this is the SHA-1 digest - // of the DER encoded private key. If you used ImportKeyPair to provide AWS - // the public key, this is the MD5 public key fingerprint as specified in section - // 4 of RFC4716. + // If you used CreateKeyPair to create the key pair: + // + // * For RSA key pairs, the key fingerprint is the SHA-1 digest of the DER + // encoded private key. + // + // * For ED25519 key pairs, the key fingerprint is the base64-encoded SHA-256 + // digest, which is the default for OpenSSH, starting with OpenSSH 6.8 (http://www.openssh.com/txt/release-6.8). + // + // If you used ImportKeyPair to provide Amazon Web Services the public key: + // + // * For RSA key pairs, the key fingerprint is the MD5 public key fingerprint + // as specified in section 4 of RFC4716. + // + // * For ED25519 key pairs, the key fingerprint is the base64-encoded SHA-256 + // digest, which is the default for OpenSSH, starting with OpenSSH 6.8 (http://www.openssh.com/txt/release-6.8). KeyFingerprint *string `locationName:"keyFingerprint" type:"string"` // The name of the key pair. @@ -94029,6 +97008,9 @@ type KeyPairInfo struct { // The ID of the key pair. KeyPairId *string `locationName:"keyPairId" type:"string"` + // The type of key pair. + KeyType *string `locationName:"keyType" type:"string" enum:"KeyType"` + // Any tags applied to the key pair. Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` } @@ -94061,6 +97043,12 @@ func (s *KeyPairInfo) SetKeyPairId(v string) *KeyPairInfo { return s } +// SetKeyType sets the KeyType field's value. +func (s *KeyPairInfo) SetKeyType(v string) *KeyPairInfo { + s.KeyType = &v + return s +} + // SetTags sets the Tags field's value. func (s *KeyPairInfo) SetTags(v []*Tag) *KeyPairInfo { s.Tags = v @@ -94764,7 +97752,7 @@ type LaunchTemplateEbsBlockDevice struct { // The number of I/O operations per second (IOPS) that the volume supports. Iops *int64 `locationName:"iops" type:"integer"` - // The ARN of the AWS Key Management Service (AWS KMS) CMK used for encryption. + // The ARN of the Key Management Service (KMS) CMK used for encryption. KmsKeyId *string `locationName:"kmsKeyId" type:"string"` // The ID of the snapshot. @@ -94871,8 +97859,7 @@ type LaunchTemplateEbsBlockDeviceRequest struct { // is not supported for gp2, st1, sc1, or standard volumes. Iops *int64 `type:"integer"` - // The ARN of the symmetric AWS Key Management Service (AWS KMS) CMK used for - // encryption. + // The ARN of the symmetric Key Management Service (KMS) CMK used for encryption. KmsKeyId *string `type:"string"` // The ID of the snapshot. @@ -95049,12 +98036,13 @@ func (s *LaunchTemplateElasticInferenceAcceleratorResponse) SetType(v string) *L return s } -// Indicates whether the instance is enabled for AWS Nitro Enclaves. +// Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. type LaunchTemplateEnclaveOptions struct { _ struct{} `type:"structure"` - // If this parameter is set to true, the instance is enabled for AWS Nitro Enclaves; - // otherwise, it is not enabled for AWS Nitro Enclaves. + // If this parameter is set to true, the instance is enabled for Amazon Web + // Services Nitro Enclaves; otherwise, it is not enabled for Amazon Web Services + // Nitro Enclaves. Enabled *bool `locationName:"enabled" type:"boolean"` } @@ -95074,13 +98062,14 @@ func (s *LaunchTemplateEnclaveOptions) SetEnabled(v bool) *LaunchTemplateEnclave return s } -// Indicates whether the instance is enabled for AWS Nitro Enclaves. For more -// information, see What is AWS Nitro Enclaves? (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html) -// in the AWS Nitro Enclaves User Guide. +// Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. +// For more information, see What is Amazon Web Services Nitro Enclaves? (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html) +// in the Amazon Web Services Nitro Enclaves User Guide. type LaunchTemplateEnclaveOptionsRequest struct { _ struct{} `type:"structure"` - // To enable the instance for AWS Nitro Enclaves, set this parameter to true. + // To enable the instance for Amazon Web Services Nitro Enclaves, set this parameter + // to true. Enabled *bool `type:"boolean"` } @@ -95438,7 +98427,7 @@ type LaunchTemplateInstanceNetworkInterfaceSpecification struct { // Use this option when you launch an instance in a Wavelength Zone and want // to associate a Carrier IP address with the network interface. For more information // about Carrier IP addresses, see Carrier IP addresses (https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) - // in the AWS Wavelength Developer Guide. + // in the Wavelength Developer Guide. AssociateCarrierIpAddress *bool `locationName:"associateCarrierIpAddress" type:"boolean"` // Indicates whether to associate a public IPv4 address with eth0 for a new @@ -95460,12 +98449,26 @@ type LaunchTemplateInstanceNetworkInterfaceSpecification struct { // The type of network interface. InterfaceType *string `locationName:"interfaceType" type:"string"` + // The number of IPv4 delegated prefixes that AWS automatically assigned to + // the network interface. + Ipv4PrefixCount *int64 `locationName:"ipv4PrefixCount" type:"integer"` + + // One or more IPv4 delegated prefixes assigned to the network interface. + Ipv4Prefixes []*Ipv4PrefixSpecificationResponse `locationName:"ipv4PrefixSet" locationNameList:"item" type:"list"` + // The number of IPv6 addresses for the network interface. Ipv6AddressCount *int64 `locationName:"ipv6AddressCount" type:"integer"` // The IPv6 addresses for the network interface. Ipv6Addresses []*InstanceIpv6Address `locationName:"ipv6AddressesSet" locationNameList:"item" type:"list"` + // The number of IPv6 delegated prefixes that AWS automatically assigned to + // the network interface. + Ipv6PrefixCount *int64 `locationName:"ipv6PrefixCount" type:"integer"` + + // One or more IPv6 delegated prefixes assigned to the network interface. + Ipv6Prefixes []*Ipv6PrefixSpecificationResponse `locationName:"ipv6PrefixSet" locationNameList:"item" type:"list"` + // The index of the network card. NetworkCardIndex *int64 `locationName:"networkCardIndex" type:"integer"` @@ -95537,6 +98540,18 @@ func (s *LaunchTemplateInstanceNetworkInterfaceSpecification) SetInterfaceType(v return s } +// SetIpv4PrefixCount sets the Ipv4PrefixCount field's value. +func (s *LaunchTemplateInstanceNetworkInterfaceSpecification) SetIpv4PrefixCount(v int64) *LaunchTemplateInstanceNetworkInterfaceSpecification { + s.Ipv4PrefixCount = &v + return s +} + +// SetIpv4Prefixes sets the Ipv4Prefixes field's value. +func (s *LaunchTemplateInstanceNetworkInterfaceSpecification) SetIpv4Prefixes(v []*Ipv4PrefixSpecificationResponse) *LaunchTemplateInstanceNetworkInterfaceSpecification { + s.Ipv4Prefixes = v + return s +} + // SetIpv6AddressCount sets the Ipv6AddressCount field's value. func (s *LaunchTemplateInstanceNetworkInterfaceSpecification) SetIpv6AddressCount(v int64) *LaunchTemplateInstanceNetworkInterfaceSpecification { s.Ipv6AddressCount = &v @@ -95549,6 +98564,18 @@ func (s *LaunchTemplateInstanceNetworkInterfaceSpecification) SetIpv6Addresses(v return s } +// SetIpv6PrefixCount sets the Ipv6PrefixCount field's value. +func (s *LaunchTemplateInstanceNetworkInterfaceSpecification) SetIpv6PrefixCount(v int64) *LaunchTemplateInstanceNetworkInterfaceSpecification { + s.Ipv6PrefixCount = &v + return s +} + +// SetIpv6Prefixes sets the Ipv6Prefixes field's value. +func (s *LaunchTemplateInstanceNetworkInterfaceSpecification) SetIpv6Prefixes(v []*Ipv6PrefixSpecificationResponse) *LaunchTemplateInstanceNetworkInterfaceSpecification { + s.Ipv6Prefixes = v + return s +} + // SetNetworkCardIndex sets the NetworkCardIndex field's value. func (s *LaunchTemplateInstanceNetworkInterfaceSpecification) SetNetworkCardIndex(v int64) *LaunchTemplateInstanceNetworkInterfaceSpecification { s.NetworkCardIndex = &v @@ -95594,7 +98621,7 @@ type LaunchTemplateInstanceNetworkInterfaceSpecificationRequest struct { // Use this option when you launch an instance in a Wavelength Zone and want // to associate a Carrier IP address with the network interface. For more information // about Carrier IP addresses, see Carrier IP addresses (https://docs.aws.amazon.com/wavelength/latest/developerguide/how-wavelengths-work.html#provider-owned-ip) - // in the AWS Wavelength Developer Guide. + // in the Wavelength Developer Guide. AssociateCarrierIpAddress *bool `type:"boolean"` // Associates a public IPv4 address with eth0 for a new network interface. @@ -95621,6 +98648,14 @@ type LaunchTemplateInstanceNetworkInterfaceSpecificationRequest struct { // Valid values: interface | efa InterfaceType *string `type:"string"` + // The number of IPv4 delegated prefixes to be automatically assigned to the + // network interface. You cannot use this option if you use the Ipv4Prefix option. + Ipv4PrefixCount *int64 `type:"integer"` + + // One or more IPv4 delegated prefixes to be assigned to the network interface. + // You cannot use this option if you use the Ipv4PrefixCount option. + Ipv4Prefixes []*Ipv4PrefixSpecificationRequest `locationName:"Ipv4Prefix" locationNameList:"item" type:"list"` + // The number of IPv6 addresses to assign to a network interface. Amazon EC2 // automatically selects the IPv6 addresses from the subnet range. You can't // use this option if specifying specific IPv6 addresses. @@ -95630,6 +98665,14 @@ type LaunchTemplateInstanceNetworkInterfaceSpecificationRequest struct { // subnet. You can't use this option if you're specifying a number of IPv6 addresses. Ipv6Addresses []*InstanceIpv6AddressRequest `locationNameList:"InstanceIpv6Address" type:"list"` + // The number of IPv6 delegated prefixes to be automatically assigned to the + // network interface. You cannot use this option if you use the Ipv6Prefix option. + Ipv6PrefixCount *int64 `type:"integer"` + + // One or more IPv6 delegated prefixes to be assigned to the network interface. + // You cannot use this option if you use the Ipv6PrefixCount option. + Ipv6Prefixes []*Ipv6PrefixSpecificationRequest `locationName:"Ipv6Prefix" locationNameList:"item" type:"list"` + // The index of the network card. Some instance types support multiple network // cards. The primary network interface must be assigned to network card index // 0. The default is network card index 0. @@ -95703,6 +98746,18 @@ func (s *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest) SetInterfac return s } +// SetIpv4PrefixCount sets the Ipv4PrefixCount field's value. +func (s *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest) SetIpv4PrefixCount(v int64) *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest { + s.Ipv4PrefixCount = &v + return s +} + +// SetIpv4Prefixes sets the Ipv4Prefixes field's value. +func (s *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest) SetIpv4Prefixes(v []*Ipv4PrefixSpecificationRequest) *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest { + s.Ipv4Prefixes = v + return s +} + // SetIpv6AddressCount sets the Ipv6AddressCount field's value. func (s *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest) SetIpv6AddressCount(v int64) *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest { s.Ipv6AddressCount = &v @@ -95715,6 +98770,18 @@ func (s *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest) SetIpv6Addr return s } +// SetIpv6PrefixCount sets the Ipv6PrefixCount field's value. +func (s *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest) SetIpv6PrefixCount(v int64) *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest { + s.Ipv6PrefixCount = &v + return s +} + +// SetIpv6Prefixes sets the Ipv6Prefixes field's value. +func (s *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest) SetIpv6Prefixes(v []*Ipv6PrefixSpecificationRequest) *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest { + s.Ipv6Prefixes = v + return s +} + // SetNetworkCardIndex sets the NetworkCardIndex field's value. func (s *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest) SetNetworkCardIndex(v int64) *LaunchTemplateInstanceNetworkInterfaceSpecificationRequest { s.NetworkCardIndex = &v @@ -97535,6 +100602,8 @@ type ModifyCapacityReservationInput struct { EndDateType *string `type:"string" enum:"EndDateType"` // The number of instances for which to reserve capacity. + // + // Valid range: 1 - 1000 InstanceCount *int64 `type:"integer"` } @@ -97902,12 +100971,11 @@ type ModifyEbsDefaultKmsKeyIdInput struct { // it is UnauthorizedOperation. DryRun *bool `type:"boolean"` - // The identifier of the AWS Key Management Service (AWS KMS) customer master - // key (CMK) to use for Amazon EBS encryption. If this parameter is not specified, - // your AWS managed CMK for EBS is used. If KmsKeyId is specified, the encrypted - // state must be true. + // The identifier of the Key Management Service (KMS) KMS key to use for Amazon + // EBS encryption. If this parameter is not specified, your KMS key for Amazon + // EBS is used. If KmsKeyId is specified, the encrypted state must be true. // - // You can specify the CMK using any of the following: + // You can specify the KMS key using any of the following: // // * Key ID. For example, 1234abcd-12ab-34cd-56ef-1234567890ab. // @@ -97917,11 +100985,11 @@ type ModifyEbsDefaultKmsKeyIdInput struct { // // * Alias ARN. For example, arn:aws:kms:us-east-1:012345678910:alias/ExampleAlias. // - // AWS authenticates the CMK asynchronously. Therefore, if you specify an ID, - // alias, or ARN that is not valid, the action can appear to complete, but eventually - // fails. + // Amazon Web Services authenticates the KMS key asynchronously. Therefore, + // if you specify an ID, alias, or ARN that is not valid, the action can appear + // to complete, but eventually fails. // - // Amazon EBS does not support asymmetric CMKs. + // Amazon EBS does not support asymmetric KMS keys. // // KmsKeyId is a required field KmsKeyId *string `type:"string" required:"true"` @@ -97965,7 +101033,7 @@ func (s *ModifyEbsDefaultKmsKeyIdInput) SetKmsKeyId(v string) *ModifyEbsDefaultK type ModifyEbsDefaultKmsKeyIdOutput struct { _ struct{} `type:"structure"` - // The Amazon Resource Name (ARN) of the default CMK for encryption by default. + // The Amazon Resource Name (ARN) of the default KMS key for encryption by default. KmsKeyId *string `locationName:"kmsKeyId" type:"string"` } @@ -97988,6 +101056,9 @@ func (s *ModifyEbsDefaultKmsKeyIdOutput) SetKmsKeyId(v string) *ModifyEbsDefault type ModifyFleetInput struct { _ struct{} `type:"structure"` + // Reserved. + Context *string `type:"string"` + // Checks whether you have the required permissions for the action, without // actually making the request, and provides an error response. If you have // the required permissions, the error response is DryRunOperation. Otherwise, @@ -98049,6 +101120,12 @@ func (s *ModifyFleetInput) Validate() error { return nil } +// SetContext sets the Context field's value. +func (s *ModifyFleetInput) SetContext(v string) *ModifyFleetInput { + s.Context = &v + return s +} + // SetDryRun sets the DryRun field's value. func (s *ModifyFleetInput) SetDryRun(v bool) *ModifyFleetInput { s.DryRun = &v @@ -98771,9 +101848,9 @@ type ModifyInstanceAttributeInput struct { SriovNetSupport *AttributeValue `locationName:"sriovNetSupport" type:"structure"` // Changes the instance's user data to the specified value. If you are using - // an AWS SDK or command line tool, base64-encoding is performed for you, and - // you can load the text from a file. Otherwise, you must provide base64-encoded - // text. + // an Amazon Web Services SDK or command line tool, base64-encoding is performed + // for you, and you can load the text from a file. Otherwise, you must provide + // base64-encoded text. UserData *BlobAttributeValue `locationName:"userData" type:"structure"` // A new value for the attribute. Use only with the kernel, ramdisk, userData, @@ -99197,6 +102274,126 @@ func (s *ModifyInstanceEventStartTimeOutput) SetEvent(v *InstanceStatusEvent) *M return s } +type ModifyInstanceEventWindowInput struct { + _ struct{} `type:"structure"` + + // The cron expression of the event window, for example, * 0-4,20-23 * * 1,5. + // + // Constraints: + // + // * Only hour and day of the week values are supported. + // + // * For day of the week values, you can specify either integers 0 through + // 6, or alternative single values SUN through SAT. + // + // * The minute, month, and year must be specified by *. + // + // * The hour value must be one or a multiple range, for example, 0-4 or + // 0-4,20-23. + // + // * Each hour range must be >= 2 hours, for example, 0-2 or 20-23. + // + // * The event window must be >= 4 hours. The combined total time ranges + // in the event window must be >= 4 hours. + // + // For more information about cron expressions, see cron (https://en.wikipedia.org/wiki/Cron) + // on the Wikipedia website. + CronExpression *string `type:"string"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The ID of the event window. + // + // InstanceEventWindowId is a required field + InstanceEventWindowId *string `type:"string" required:"true"` + + // The name of the event window. + Name *string `type:"string"` + + // The time ranges of the event window. + TimeRanges []*InstanceEventWindowTimeRangeRequest `locationName:"TimeRange" type:"list"` +} + +// String returns the string representation +func (s ModifyInstanceEventWindowInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ModifyInstanceEventWindowInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ModifyInstanceEventWindowInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ModifyInstanceEventWindowInput"} + if s.InstanceEventWindowId == nil { + invalidParams.Add(request.NewErrParamRequired("InstanceEventWindowId")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetCronExpression sets the CronExpression field's value. +func (s *ModifyInstanceEventWindowInput) SetCronExpression(v string) *ModifyInstanceEventWindowInput { + s.CronExpression = &v + return s +} + +// SetDryRun sets the DryRun field's value. +func (s *ModifyInstanceEventWindowInput) SetDryRun(v bool) *ModifyInstanceEventWindowInput { + s.DryRun = &v + return s +} + +// SetInstanceEventWindowId sets the InstanceEventWindowId field's value. +func (s *ModifyInstanceEventWindowInput) SetInstanceEventWindowId(v string) *ModifyInstanceEventWindowInput { + s.InstanceEventWindowId = &v + return s +} + +// SetName sets the Name field's value. +func (s *ModifyInstanceEventWindowInput) SetName(v string) *ModifyInstanceEventWindowInput { + s.Name = &v + return s +} + +// SetTimeRanges sets the TimeRanges field's value. +func (s *ModifyInstanceEventWindowInput) SetTimeRanges(v []*InstanceEventWindowTimeRangeRequest) *ModifyInstanceEventWindowInput { + s.TimeRanges = v + return s +} + +type ModifyInstanceEventWindowOutput struct { + _ struct{} `type:"structure"` + + // Information about the event window. + InstanceEventWindow *InstanceEventWindow `locationName:"instanceEventWindow" type:"structure"` +} + +// String returns the string representation +func (s ModifyInstanceEventWindowOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ModifyInstanceEventWindowOutput) GoString() string { + return s.String() +} + +// SetInstanceEventWindow sets the InstanceEventWindow field's value. +func (s *ModifyInstanceEventWindowOutput) SetInstanceEventWindow(v *InstanceEventWindow) *ModifyInstanceEventWindowOutput { + s.InstanceEventWindow = v + return s +} + type ModifyInstanceMetadataOptionsInput struct { _ struct{} `type:"structure"` @@ -99213,6 +102410,9 @@ type ModifyInstanceMetadataOptionsInput struct { // metadata. HttpEndpoint *string `type:"string" enum:"InstanceMetadataEndpointState"` + // Enables or disables the IPv6 endpoint for the instance metadata service. + HttpProtocolIpv6 *string `type:"string" enum:"InstanceMetadataProtocolState"` + // The desired HTTP PUT response hop limit for instance metadata requests. The // larger the number, the further instance metadata requests can travel. If // no parameter is specified, the existing state is maintained. @@ -99276,6 +102476,12 @@ func (s *ModifyInstanceMetadataOptionsInput) SetHttpEndpoint(v string) *ModifyIn return s } +// SetHttpProtocolIpv6 sets the HttpProtocolIpv6 field's value. +func (s *ModifyInstanceMetadataOptionsInput) SetHttpProtocolIpv6(v string) *ModifyInstanceMetadataOptionsInput { + s.HttpProtocolIpv6 = &v + return s +} + // SetHttpPutResponseHopLimit sets the HttpPutResponseHopLimit field's value. func (s *ModifyInstanceMetadataOptionsInput) SetHttpPutResponseHopLimit(v int64) *ModifyInstanceMetadataOptionsInput { s.HttpPutResponseHopLimit = &v @@ -99564,6 +102770,11 @@ type ModifyManagedPrefixListInput struct { // it is UnauthorizedOperation. DryRun *bool `type:"boolean"` + // The maximum number of entries for the prefix list. You cannot modify the + // entries of a prefix list and modify the size of a prefix list at the same + // time. + MaxEntries *int64 `type:"integer"` + // The ID of the prefix list. // // PrefixListId is a required field @@ -99637,6 +102848,12 @@ func (s *ModifyManagedPrefixListInput) SetDryRun(v bool) *ModifyManagedPrefixLis return s } +// SetMaxEntries sets the MaxEntries field's value. +func (s *ModifyManagedPrefixListInput) SetMaxEntries(v int64) *ModifyManagedPrefixListInput { + s.MaxEntries = &v + return s +} + // SetPrefixListId sets the PrefixListId field's value. func (s *ModifyManagedPrefixListInput) SetPrefixListId(v string) *ModifyManagedPrefixListInput { s.PrefixListId = &v @@ -99875,6 +103092,93 @@ func (s *ModifyReservedInstancesOutput) SetReservedInstancesModificationId(v str return s } +type ModifySecurityGroupRulesInput struct { + _ struct{} `type:"structure"` + + // Checks whether you have the required permissions for the action, without + // actually making the request, and provides an error response. If you have + // the required permissions, the error response is DryRunOperation. Otherwise, + // it is UnauthorizedOperation. + DryRun *bool `type:"boolean"` + + // The ID of the security group. + // + // GroupId is a required field + GroupId *string `type:"string" required:"true"` + + // Information about the security group properties to update. + // + // SecurityGroupRules is a required field + SecurityGroupRules []*SecurityGroupRuleUpdate `locationName:"SecurityGroupRule" locationNameList:"item" type:"list" required:"true"` +} + +// String returns the string representation +func (s ModifySecurityGroupRulesInput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ModifySecurityGroupRulesInput) GoString() string { + return s.String() +} + +// Validate inspects the fields of the type to determine if they are valid. +func (s *ModifySecurityGroupRulesInput) Validate() error { + invalidParams := request.ErrInvalidParams{Context: "ModifySecurityGroupRulesInput"} + if s.GroupId == nil { + invalidParams.Add(request.NewErrParamRequired("GroupId")) + } + if s.SecurityGroupRules == nil { + invalidParams.Add(request.NewErrParamRequired("SecurityGroupRules")) + } + + if invalidParams.Len() > 0 { + return invalidParams + } + return nil +} + +// SetDryRun sets the DryRun field's value. +func (s *ModifySecurityGroupRulesInput) SetDryRun(v bool) *ModifySecurityGroupRulesInput { + s.DryRun = &v + return s +} + +// SetGroupId sets the GroupId field's value. +func (s *ModifySecurityGroupRulesInput) SetGroupId(v string) *ModifySecurityGroupRulesInput { + s.GroupId = &v + return s +} + +// SetSecurityGroupRules sets the SecurityGroupRules field's value. +func (s *ModifySecurityGroupRulesInput) SetSecurityGroupRules(v []*SecurityGroupRuleUpdate) *ModifySecurityGroupRulesInput { + s.SecurityGroupRules = v + return s +} + +type ModifySecurityGroupRulesOutput struct { + _ struct{} `type:"structure"` + + // Returns true if the request succeeds; otherwise, returns an error. + Return *bool `locationName:"return" type:"boolean"` +} + +// String returns the string representation +func (s ModifySecurityGroupRulesOutput) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ModifySecurityGroupRulesOutput) GoString() string { + return s.String() +} + +// SetReturn sets the Return field's value. +func (s *ModifySecurityGroupRulesOutput) SetReturn(v bool) *ModifySecurityGroupRulesOutput { + s.Return = &v + return s +} + type ModifySnapshotAttributeInput struct { _ struct{} `type:"structure"` @@ -99989,6 +103293,9 @@ func (s ModifySnapshotAttributeOutput) GoString() string { type ModifySpotFleetRequestInput struct { _ struct{} `type:"structure"` + // Reserved. + Context *string `type:"string"` + // Indicates whether running Spot Instances should be terminated if the target // capacity of the Spot Fleet request is decreased below the current size of // the Spot Fleet. @@ -100045,6 +103352,12 @@ func (s *ModifySpotFleetRequestInput) Validate() error { return nil } +// SetContext sets the Context field's value. +func (s *ModifySpotFleetRequestInput) SetContext(v string) *ModifySpotFleetRequestInput { + s.Context = &v + return s +} + // SetExcessCapacityTerminationPolicy sets the ExcessCapacityTerminationPolicy field's value. func (s *ModifySpotFleetRequestInput) SetExcessCapacityTerminationPolicy(v string) *ModifySpotFleetRequestInput { s.ExcessCapacityTerminationPolicy = &v @@ -100917,8 +104230,6 @@ type ModifyTransitGatewayVpcAttachmentInput struct { DryRun *bool `type:"boolean"` // The new VPC attachment options. - // - // You cannot modify the IPv6 options. Options *ModifyTransitGatewayVpcAttachmentRequestOptions `type:"structure"` // The IDs of one or more subnets to remove. @@ -101143,8 +104454,8 @@ type ModifyVolumeInput struct { // // * io2: 100-64,000 IOPS // - // Default: If no IOPS value is specified, the existing value is retained, unless - // a volume type is modified that supports different values. + // Default: The existing value is retained if you keep the same volume type. + // If you change the volume type to io1, io2, or gp3, the default is 3,000. Iops *int64 `type:"integer"` // Specifies whether to enable Amazon EBS Multi-Attach. If you enable Multi-Attach, @@ -101167,13 +104478,14 @@ type ModifyVolumeInput struct { // // * standard: 1-1,024 // - // Default: If no size is specified, the existing size is retained. + // Default: The existing size is retained. Size *int64 `type:"integer"` // The target throughput of the volume, in MiB/s. This parameter is valid only // for gp3 volumes. The maximum value is 1,000. // - // Default: If no throughput value is specified, the existing value is retained. + // Default: The existing value is retained if the source and target volume type + // is gp3. Otherwise, the default value is 125. // // Valid Range: Minimum value of 125. Maximum value of 1000. Throughput *int64 `type:"integer"` @@ -101187,7 +104499,7 @@ type ModifyVolumeInput struct { // EBS volume types (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumeTypes.html) // in the Amazon Elastic Compute Cloud User Guide. // - // Default: If no type is specified, the existing type is retained. + // Default: The existing type is retained. VolumeType *string `type:"string" enum:"VolumeType"` } @@ -103153,7 +106465,7 @@ type NetworkAcl struct { // The ID of the network ACL. NetworkAclId *string `locationName:"networkAclId" type:"string"` - // The ID of the AWS account that owns the network ACL. + // The ID of the Amazon Web Services account that owns the network ACL. OwnerId *string `locationName:"ownerId" type:"string"` // Any tags assigned to the network ACL. @@ -103404,6 +106716,10 @@ type NetworkInfo struct { // Indicates whether Elastic Network Adapter (ENA) is supported. EnaSupport *string `locationName:"enaSupport" type:"string" enum:"EnaSupport"` + // Indicates whether the instance type automatically encrypts in-transit traffic + // between instances. + EncryptionInTransitSupported *bool `locationName:"encryptionInTransitSupported" type:"boolean"` + // The maximum number of IPv4 addresses per network interface. Ipv4AddressesPerInterface *int64 `locationName:"ipv4AddressesPerInterface" type:"integer"` @@ -103461,6 +106777,12 @@ func (s *NetworkInfo) SetEnaSupport(v string) *NetworkInfo { return s } +// SetEncryptionInTransitSupported sets the EncryptionInTransitSupported field's value. +func (s *NetworkInfo) SetEncryptionInTransitSupported(v bool) *NetworkInfo { + s.EncryptionInTransitSupported = &v + return s +} + // SetIpv4AddressesPerInterface sets the Ipv4AddressesPerInterface field's value. func (s *NetworkInfo) SetIpv4AddressesPerInterface(v int64) *NetworkInfo { s.Ipv4AddressesPerInterface = &v @@ -103514,7 +106836,8 @@ type NetworkInsightsAnalysis struct { // codes (https://docs.aws.amazon.com/vpc/latest/reachability/explanation-codes.html). Explanations []*Explanation `locationName:"explanationSet" locationNameList:"item" type:"list"` - // The Amazon Resource Names (ARN) of the AWS resources that the path must traverse. + // The Amazon Resource Names (ARN) of the Amazon Web Services resources that + // the path must traverse. FilterInArns []*string `locationName:"filterInArnSet" locationNameList:"item" type:"list"` // The components in the path from source to destination. @@ -103643,10 +106966,11 @@ type NetworkInsightsPath struct { // The time stamp when the path was created. CreatedDate *time.Time `locationName:"createdDate" type:"timestamp"` - // The AWS resource that is the destination of the path. + // The Amazon Web Services resource that is the destination of the path. Destination *string `locationName:"destination" type:"string"` - // The IP address of the AWS resource that is the destination of the path. + // The IP address of the Amazon Web Services resource that is the destination + // of the path. DestinationIp *string `locationName:"destinationIp" type:"string"` // The destination port. @@ -103661,10 +106985,11 @@ type NetworkInsightsPath struct { // The protocol. Protocol *string `locationName:"protocol" type:"string" enum:"Protocol"` - // The AWS resource that is the source of the path. + // The Amazon Web Services resource that is the source of the path. Source *string `locationName:"source" type:"string"` - // The IP address of the AWS resource that is the source of the path. + // The IP address of the Amazon Web Services resource that is the source of + // the path. SourceIp *string `locationName:"sourceIp" type:"string"` // The tags associated with the path. @@ -103764,9 +107089,15 @@ type NetworkInterface struct { // The type of network interface. InterfaceType *string `locationName:"interfaceType" type:"string" enum:"NetworkInterfaceType"` + // The IPv4 prefixes that are assigned to the network interface. + Ipv4Prefixes []*Ipv4PrefixSpecification `locationName:"ipv4PrefixSet" locationNameList:"item" type:"list"` + // The IPv6 addresses associated with the network interface. Ipv6Addresses []*NetworkInterfaceIpv6Address `locationName:"ipv6AddressesSet" locationNameList:"item" type:"list"` + // The IPv6 prefixes that are assigned to the network interface. + Ipv6Prefixes []*Ipv6PrefixSpecification `locationName:"ipv6PrefixSet" locationNameList:"item" type:"list"` + // The MAC address. MacAddress *string `locationName:"macAddress" type:"string"` @@ -103776,7 +107107,7 @@ type NetworkInterface struct { // The Amazon Resource Name (ARN) of the Outpost. OutpostArn *string `locationName:"outpostArn" type:"string"` - // The account ID of the owner of the network interface. + // The Amazon Web Services account ID of the owner of the network interface. OwnerId *string `locationName:"ownerId" type:"string"` // The private DNS name. @@ -103788,8 +107119,8 @@ type NetworkInterface struct { // The private IPv4 addresses associated with the network interface. PrivateIpAddresses []*NetworkInterfacePrivateIpAddress `locationName:"privateIpAddressesSet" locationNameList:"item" type:"list"` - // The alias or account ID of the principal or service that created the network - // interface. + // The alias or Amazon Web Services account ID of the principal or service that + // created the network interface. RequesterId *string `locationName:"requesterId" type:"string"` // Indicates whether the network interface is being managed by Amazon Web Services. @@ -103857,12 +107188,24 @@ func (s *NetworkInterface) SetInterfaceType(v string) *NetworkInterface { return s } +// SetIpv4Prefixes sets the Ipv4Prefixes field's value. +func (s *NetworkInterface) SetIpv4Prefixes(v []*Ipv4PrefixSpecification) *NetworkInterface { + s.Ipv4Prefixes = v + return s +} + // SetIpv6Addresses sets the Ipv6Addresses field's value. func (s *NetworkInterface) SetIpv6Addresses(v []*NetworkInterfaceIpv6Address) *NetworkInterface { s.Ipv6Addresses = v return s } +// SetIpv6Prefixes sets the Ipv6Prefixes field's value. +func (s *NetworkInterface) SetIpv6Prefixes(v []*Ipv6PrefixSpecification) *NetworkInterface { + s.Ipv6Prefixes = v + return s +} + // SetMacAddress sets the MacAddress field's value. func (s *NetworkInterface) SetMacAddress(v string) *NetworkInterface { s.MacAddress = &v @@ -104049,7 +107392,7 @@ type NetworkInterfaceAttachment struct { // The ID of the instance. InstanceId *string `locationName:"instanceId" type:"string"` - // The account ID of the owner of the instance. + // The Amazon Web Services account ID of the owner of the instance. InstanceOwnerId *string `locationName:"instanceOwnerId" type:"string"` // The index of the network card. @@ -104178,7 +107521,7 @@ func (s *NetworkInterfaceIpv6Address) SetIpv6Address(v string) *NetworkInterface type NetworkInterfacePermission struct { _ struct{} `type:"structure"` - // The account ID. + // The Amazon Web Services account ID. AwsAccountId *string `locationName:"awsAccountId" type:"string"` // The Amazon Web Service. @@ -104810,7 +108153,7 @@ func (s *PeeringConnectionOptionsRequest) SetAllowEgressFromLocalVpcToRemoteClas type PeeringTgwInfo struct { _ struct{} `type:"structure"` - // The AWS account ID of the owner of the transit gateway. + // The ID of the Amazon Web Services account that owns the transit gateway. OwnerId *string `locationName:"ownerId" type:"string"` // The Region of the transit gateway. @@ -105974,6 +109317,9 @@ type ProvisionByoipCidrInput struct { // it is UnauthorizedOperation. DryRun *bool `type:"boolean"` + // Reserved. + MultiRegion *bool `type:"boolean"` + // The tags to apply to the address pool. PoolTagSpecifications []*TagSpecification `locationName:"PoolTagSpecification" locationNameList:"item" type:"list"` @@ -106036,6 +109382,12 @@ func (s *ProvisionByoipCidrInput) SetDryRun(v bool) *ProvisionByoipCidrInput { return s } +// SetMultiRegion sets the MultiRegion field's value. +func (s *ProvisionByoipCidrInput) SetMultiRegion(v bool) *ProvisionByoipCidrInput { + s.MultiRegion = &v + return s +} + // SetPoolTagSpecifications sets the PoolTagSpecifications field's value. func (s *ProvisionByoipCidrInput) SetPoolTagSpecifications(v []*TagSpecification) *ProvisionByoipCidrInput { s.PoolTagSpecifications = v @@ -106704,7 +110056,10 @@ func (s *PurchaseReservedInstancesOfferingInput) SetReservedInstancesOfferingId( type PurchaseReservedInstancesOfferingOutput struct { _ struct{} `type:"structure"` - // The IDs of the purchased Reserved Instances. + // The IDs of the purchased Reserved Instances. If your purchase crosses into + // a discounted pricing tier, the final Reserved Instances IDs might change. + // For more information, see Crossing pricing tiers (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts-reserved-instances-application.html#crossing-pricing-tiers) + // in the Amazon Elastic Compute Cloud User Guide. ReservedInstancesId *string `locationName:"reservedInstancesId" type:"string"` } @@ -106919,6 +110274,66 @@ func (s *RecurringCharge) SetFrequency(v string) *RecurringCharge { return s } +// Describes the security group that is referenced in the security group rule. +type ReferencedSecurityGroup struct { + _ struct{} `type:"structure"` + + // The ID of the security group. + GroupId *string `locationName:"groupId" type:"string"` + + // The status of a VPC peering connection, if applicable. + PeeringStatus *string `locationName:"peeringStatus" type:"string"` + + // The Amazon Web Services account ID. + UserId *string `locationName:"userId" type:"string"` + + // The ID of the VPC. + VpcId *string `locationName:"vpcId" type:"string"` + + // The ID of the VPC peering connection. + VpcPeeringConnectionId *string `locationName:"vpcPeeringConnectionId" type:"string"` +} + +// String returns the string representation +func (s ReferencedSecurityGroup) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s ReferencedSecurityGroup) GoString() string { + return s.String() +} + +// SetGroupId sets the GroupId field's value. +func (s *ReferencedSecurityGroup) SetGroupId(v string) *ReferencedSecurityGroup { + s.GroupId = &v + return s +} + +// SetPeeringStatus sets the PeeringStatus field's value. +func (s *ReferencedSecurityGroup) SetPeeringStatus(v string) *ReferencedSecurityGroup { + s.PeeringStatus = &v + return s +} + +// SetUserId sets the UserId field's value. +func (s *ReferencedSecurityGroup) SetUserId(v string) *ReferencedSecurityGroup { + s.UserId = &v + return s +} + +// SetVpcId sets the VpcId field's value. +func (s *ReferencedSecurityGroup) SetVpcId(v string) *ReferencedSecurityGroup { + s.VpcId = &v + return s +} + +// SetVpcPeeringConnectionId sets the VpcPeeringConnectionId field's value. +func (s *ReferencedSecurityGroup) SetVpcPeeringConnectionId(v string) *ReferencedSecurityGroup { + s.VpcPeeringConnectionId = &v + return s +} + // Describes a Region. type Region struct { _ struct{} `type:"structure"` @@ -108989,16 +112404,17 @@ type RequestLaunchTemplateData struct { // The elastic inference accelerator for the instance. ElasticInferenceAccelerators []*LaunchTemplateElasticInferenceAccelerator `locationName:"ElasticInferenceAccelerator" locationNameList:"item" type:"list"` - // Indicates whether the instance is enabled for AWS Nitro Enclaves. For more - // information, see What is AWS Nitro Enclaves? (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html) - // in the AWS Nitro Enclaves User Guide. + // Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. + // For more information, see What is Amazon Web Services Nitro Enclaves? (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html) + // in the Amazon Web Services Nitro Enclaves User Guide. // - // You can't enable AWS Nitro Enclaves and hibernation on the same instance. + // You can't enable Amazon Web Services Nitro Enclaves and hibernation on the + // same instance. EnclaveOptions *LaunchTemplateEnclaveOptionsRequest `type:"structure"` // Indicates whether an instance is enabled for hibernation. This parameter // is valid only if the instance meets the hibernation prerequisites (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html#hibernating-prerequisites). - // For more information, see Hibernate Your Instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) + // For more information, see Hibernate your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) // in the Amazon Elastic Compute Cloud User Guide. HibernationOptions *LaunchTemplateHibernationOptionsRequest `type:"structure"` @@ -109039,7 +112455,7 @@ type RequestLaunchTemplateData struct { LicenseSpecifications []*LaunchTemplateLicenseConfigurationRequest `locationName:"LicenseSpecification" locationNameList:"item" type:"list"` // The metadata options for the instance. For more information, see Instance - // Metadata and User Data (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) + // metadata and user data (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) // in the Amazon Elastic Compute Cloud User Guide. MetadataOptions *LaunchTemplateInstanceMetadataOptionsRequest `type:"structure"` @@ -109396,20 +112812,7 @@ type RequestSpotInstancesInput struct { // Default: Instances are launched in any available Availability Zone. AvailabilityZoneGroup *string `locationName:"availabilityZoneGroup" type:"string"` - // The required duration for the Spot Instances (also known as Spot blocks), - // in minutes. This value must be a multiple of 60 (60, 120, 180, 240, 300, - // or 360). - // - // The duration period starts as soon as your Spot Instance receives its instance - // ID. At the end of the duration period, Amazon EC2 marks the Spot Instance - // for termination and provides a Spot Instance termination notice, which gives - // the instance a two-minute warning before it terminates. - // - // You can't specify an Availability Zone group or a launch group if you specify - // a duration. - // - // New accounts or accounts with no previous billing history with AWS are not - // eligible for Spot Instances with a defined duration (also known as Spot blocks). + // Deprecated. BlockDurationMinutes *int64 `locationName:"blockDurationMinutes" type:"integer"` // Unique, case-sensitive identifier that you provide to ensure the idempotency @@ -109807,11 +113210,11 @@ type Reservation struct { // The instances. Instances []*Instance `locationName:"instancesSet" locationNameList:"item" type:"list"` - // The ID of the AWS account that owns the reservation. + // The ID of the Amazon Web Services account that owns the reservation. OwnerId *string `locationName:"ownerId" type:"string"` // The ID of the requester that launched the instances on your behalf (for example, - // AWS Management Console or Auto Scaling). + // Amazon Web Services Management Console or Auto Scaling). RequesterId *string `locationName:"requesterId" type:"string"` // The ID of the reservation. @@ -110500,8 +113903,8 @@ type ReservedInstancesOffering struct { InstanceType *string `locationName:"instanceType" type:"string" enum:"InstanceType"` // Indicates whether the offering is available through the Reserved Instance - // Marketplace (resale) or AWS. If it's a Reserved Instance Marketplace offering, - // this is true. + // Marketplace (resale) or Amazon Web Services. If it's a Reserved Instance + // Marketplace offering, this is true. Marketplace *bool `locationName:"marketplace" type:"boolean"` // If convertible it can be exchanged for Reserved Instances of the same or @@ -110749,7 +114152,8 @@ func (s *ResetEbsDefaultKmsKeyIdInput) SetDryRun(v bool) *ResetEbsDefaultKmsKeyI type ResetEbsDefaultKmsKeyIdOutput struct { _ struct{} `type:"structure"` - // The Amazon Resource Name (ARN) of the default CMK for EBS encryption by default. + // The Amazon Resource Name (ARN) of the default KMS key for EBS encryption + // by default. KmsKeyId *string `locationName:"kmsKeyId" type:"string"` } @@ -111210,7 +114614,7 @@ type ResponseLaunchTemplateData struct { CapacityReservationSpecification *LaunchTemplateCapacityReservationSpecificationResponse `locationName:"capacityReservationSpecification" type:"structure"` // The CPU options for the instance. For more information, see Optimizing CPU - // Options (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-optimize-cpu.html) + // options (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-optimize-cpu.html) // in the Amazon Elastic Compute Cloud User Guide. CpuOptions *LaunchTemplateCpuOptions `locationName:"cpuOptions" type:"structure"` @@ -111230,11 +114634,11 @@ type ResponseLaunchTemplateData struct { // The elastic inference accelerator for the instance. ElasticInferenceAccelerators []*LaunchTemplateElasticInferenceAcceleratorResponse `locationName:"elasticInferenceAcceleratorSet" locationNameList:"item" type:"list"` - // Indicates whether the instance is enabled for AWS Nitro Enclaves. + // Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. EnclaveOptions *LaunchTemplateEnclaveOptions `locationName:"enclaveOptions" type:"structure"` // Indicates whether an instance is configured for hibernation. For more information, - // see Hibernate Your Instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) + // see Hibernate your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) // in the Amazon Elastic Compute Cloud User Guide. HibernationOptions *LaunchTemplateHibernationOptions `locationName:"hibernationOptions" type:"structure"` @@ -111264,7 +114668,7 @@ type ResponseLaunchTemplateData struct { LicenseSpecifications []*LaunchTemplateLicenseConfiguration `locationName:"licenseSet" locationNameList:"item" type:"list"` // The metadata options for the instance. For more information, see Instance - // Metadata and User Data (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) + // metadata and user data (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html) // in the Amazon Elastic Compute Cloud User Guide. MetadataOptions *LaunchTemplateInstanceMetadataOptions `locationName:"metadataOptions" type:"structure"` @@ -111782,6 +115186,9 @@ type RevokeSecurityGroupEgressInput struct { // number. IpProtocol *string `locationName:"ipProtocol" type:"string"` + // The IDs of the security group rules. + SecurityGroupRuleIds []*string `locationName:"SecurityGroupRuleId" locationNameList:"item" type:"list"` + // Not supported. Use a set of IP permissions to specify a destination security // group. SourceSecurityGroupName *string `locationName:"sourceSecurityGroupName" type:"string"` @@ -111853,6 +115260,12 @@ func (s *RevokeSecurityGroupEgressInput) SetIpProtocol(v string) *RevokeSecurity return s } +// SetSecurityGroupRuleIds sets the SecurityGroupRuleIds field's value. +func (s *RevokeSecurityGroupEgressInput) SetSecurityGroupRuleIds(v []*string) *RevokeSecurityGroupEgressInput { + s.SecurityGroupRuleIds = v + return s +} + // SetSourceSecurityGroupName sets the SourceSecurityGroupName field's value. func (s *RevokeSecurityGroupEgressInput) SetSourceSecurityGroupName(v string) *RevokeSecurityGroupEgressInput { s.SourceSecurityGroupName = &v @@ -111938,6 +115351,9 @@ type RevokeSecurityGroupIngressInput struct { // Use -1 to specify all. IpProtocol *string `type:"string"` + // The IDs of the security group rules. + SecurityGroupRuleIds []*string `locationName:"SecurityGroupRuleId" locationNameList:"item" type:"list"` + // [EC2-Classic, default VPC] The name of the source security group. You can't // specify this parameter in combination with the following parameters: the // CIDR IP address range, the start of the port range, the IP protocol, and @@ -111946,12 +115362,12 @@ type RevokeSecurityGroupIngressInput struct { // use a set of IP permissions instead. SourceSecurityGroupName *string `type:"string"` - // [EC2-Classic] The AWS account ID of the source security group, if the source - // security group is in a different account. You can't specify this parameter - // in combination with the following parameters: the CIDR IP address range, - // the IP protocol, the start of the port range, and the end of the port range. - // To revoke a specific rule for an IP protocol and port range, use a set of - // IP permissions instead. + // [EC2-Classic] The Amazon Web Services account ID of the source security group, + // if the source security group is in a different account. You can't specify + // this parameter in combination with the following parameters: the CIDR IP + // address range, the IP protocol, the start of the port range, and the end + // of the port range. To revoke a specific rule for an IP protocol and port + // range, use a set of IP permissions instead. SourceSecurityGroupOwnerId *string `type:"string"` // The end of port range for the TCP and UDP protocols, or an ICMP code number. @@ -112011,6 +115427,12 @@ func (s *RevokeSecurityGroupIngressInput) SetIpProtocol(v string) *RevokeSecurit return s } +// SetSecurityGroupRuleIds sets the SecurityGroupRuleIds field's value. +func (s *RevokeSecurityGroupIngressInput) SetSecurityGroupRuleIds(v []*string) *RevokeSecurityGroupIngressInput { + s.SecurityGroupRuleIds = v + return s +} + // SetSourceSecurityGroupName sets the SourceSecurityGroupName field's value. func (s *RevokeSecurityGroupIngressInput) SetSourceSecurityGroupName(v string) *RevokeSecurityGroupIngressInput { s.SourceSecurityGroupName = &v @@ -112075,7 +115497,7 @@ type Route struct { // The IPv6 CIDR block used for the destination match. DestinationIpv6CidrBlock *string `locationName:"destinationIpv6CidrBlock" type:"string"` - // The prefix of the AWS service. + // The prefix of the Amazon Web Service. DestinationPrefixListId *string `locationName:"destinationPrefixListId" type:"string"` // The ID of the egress-only internet gateway. @@ -112087,7 +115509,7 @@ type Route struct { // The ID of a NAT instance in your VPC. InstanceId *string `locationName:"instanceId" type:"string"` - // The AWS account ID of the owner of the instance. + // The ID of Amazon Web Services account that owns the instance. InstanceOwnerId *string `locationName:"instanceOwnerId" type:"string"` // The ID of the local gateway. @@ -112228,7 +115650,7 @@ type RouteTable struct { // The associations between the route table and one or more subnets or a gateway. Associations []*RouteTableAssociation `locationName:"associationSet" locationNameList:"item" type:"list"` - // The ID of the AWS account that owns the route table. + // The ID of the Amazon Web Services account that owns the route table. OwnerId *string `locationName:"ownerId" type:"string"` // Any virtual private gateway (VGW) propagating routes. @@ -112408,7 +115830,10 @@ type RunInstancesInput struct { // Reserved. AdditionalInfo *string `locationName:"additionalInfo" type:"string"` - // The block device mapping entries. + // The block device mapping, which defines the EBS volumes and instance store + // volumes to attach to the instance at launch. For more information, see Block + // device mappings (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html) + // in the Amazon EC2 User Guide. BlockDeviceMappings []*BlockDeviceMapping `locationName:"BlockDeviceMapping" locationNameList:"BlockDeviceMapping" type:"list"` // Information about the Capacity Reservation targeting option. If you do not @@ -112477,18 +115902,20 @@ type RunInstancesInput struct { // You cannot specify accelerators from different generations in the same request. ElasticInferenceAccelerators []*ElasticInferenceAccelerator `locationName:"ElasticInferenceAccelerator" locationNameList:"item" type:"list"` - // Indicates whether the instance is enabled for AWS Nitro Enclaves. For more - // information, see What is AWS Nitro Enclaves? (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html) - // in the AWS Nitro Enclaves User Guide. + // Indicates whether the instance is enabled for Amazon Web Services Nitro Enclaves. + // For more information, see What is Amazon Web Services Nitro Enclaves? (https://docs.aws.amazon.com/enclaves/latest/user/nitro-enclave.html) + // in the Amazon Web Services Nitro Enclaves User Guide. // - // You can't enable AWS Nitro Enclaves and hibernation on the same instance. + // You can't enable Amazon Web Services Nitro Enclaves and hibernation on the + // same instance. EnclaveOptions *EnclaveOptionsRequest `type:"structure"` // Indicates whether an instance is enabled for hibernation. For more information, // see Hibernate your instance (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Hibernate.html) // in the Amazon EC2 User Guide. // - // You can't enable hibernation and AWS Nitro Enclaves on the same instance. + // You can't enable hibernation and Amazon Web Services Nitro Enclaves on the + // same instance. HibernationOptions *HibernationOptionsRequest `type:"structure"` // The name or Amazon Resource Name (ARN) of an IAM instance profile. @@ -112610,8 +116037,8 @@ type RunInstancesInput struct { // The ID of the RAM disk to select. Some kernels require additional drivers // at launch. Check the kernel requirements for information about whether you - // need to specify a RAM disk. To find kernel requirements, go to the AWS Resource - // Center and search for the kernel ID. + // need to specify a RAM disk. To find kernel requirements, go to the Amazon + // Web Services Resource Center and search for the kernel ID. // // We recommend that you use PV-GRUB instead of kernels and RAM disks. For more // information, see PV-GRUB (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/UserProvidedkernels.html) @@ -114345,9 +117772,6 @@ type SearchTransitGatewayMulticastGroupsInput struct { // // * source-type - The source type. Valid values are igmp | static. // - // * state - The state of the subnet association. Valid values are associated - // | associated | disassociated | disassociating. - // // * subnet-id - The ID of the subnet. // // * transit-gateway-attachment-id - The id of the transit gateway attachment. @@ -114585,7 +118009,7 @@ func (s *SearchTransitGatewayRoutesOutput) SetRoutes(v []*TransitGatewayRoute) * return s } -// Describes a security group +// Describes a security group. type SecurityGroup struct { _ struct{} `type:"structure"` @@ -114604,7 +118028,7 @@ type SecurityGroup struct { // [VPC only] The outbound rules associated with the security group. IpPermissionsEgress []*IpPermission `locationName:"ipPermissionsEgress" locationNameList:"item" type:"list"` - // The AWS account ID of the owner of the security group. + // The Amazon Web Services account ID of the owner of the security group. OwnerId *string `locationName:"ownerId" type:"string"` // Any tags assigned to the security group. @@ -114747,6 +118171,325 @@ func (s *SecurityGroupReference) SetVpcPeeringConnectionId(v string) *SecurityGr return s } +// Describes a security group rule. +type SecurityGroupRule struct { + _ struct{} `type:"structure"` + + // The IPv4 CIDR range. + CidrIpv4 *string `locationName:"cidrIpv4" type:"string"` + + // The IPv6 CIDR range. + CidrIpv6 *string `locationName:"cidrIpv6" type:"string"` + + // The security group rule description. + Description *string `locationName:"description" type:"string"` + + // The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 + // type. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 + // types, you must specify all codes. + FromPort *int64 `locationName:"fromPort" type:"integer"` + + // The ID of the security group. + GroupId *string `locationName:"groupId" type:"string"` + + // The ID of the Amazon Web Services account that owns the security group. + GroupOwnerId *string `locationName:"groupOwnerId" type:"string"` + + // The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers + // (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). + // + // Use -1 to specify all protocols. + IpProtocol *string `locationName:"ipProtocol" type:"string"` + + // Indicates whether the security group rule is an outbound rule. + IsEgress *bool `locationName:"isEgress" type:"boolean"` + + // The ID of the prefix list. + PrefixListId *string `locationName:"prefixListId" type:"string"` + + // Describes the security group that is referenced in the rule. + ReferencedGroupInfo *ReferencedSecurityGroup `locationName:"referencedGroupInfo" type:"structure"` + + // The ID of the security group rule. + SecurityGroupRuleId *string `locationName:"securityGroupRuleId" type:"string"` + + // The tags applied to the security group rule. + Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` + + // The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. + // A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 + // types, you must specify all codes. + ToPort *int64 `locationName:"toPort" type:"integer"` +} + +// String returns the string representation +func (s SecurityGroupRule) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s SecurityGroupRule) GoString() string { + return s.String() +} + +// SetCidrIpv4 sets the CidrIpv4 field's value. +func (s *SecurityGroupRule) SetCidrIpv4(v string) *SecurityGroupRule { + s.CidrIpv4 = &v + return s +} + +// SetCidrIpv6 sets the CidrIpv6 field's value. +func (s *SecurityGroupRule) SetCidrIpv6(v string) *SecurityGroupRule { + s.CidrIpv6 = &v + return s +} + +// SetDescription sets the Description field's value. +func (s *SecurityGroupRule) SetDescription(v string) *SecurityGroupRule { + s.Description = &v + return s +} + +// SetFromPort sets the FromPort field's value. +func (s *SecurityGroupRule) SetFromPort(v int64) *SecurityGroupRule { + s.FromPort = &v + return s +} + +// SetGroupId sets the GroupId field's value. +func (s *SecurityGroupRule) SetGroupId(v string) *SecurityGroupRule { + s.GroupId = &v + return s +} + +// SetGroupOwnerId sets the GroupOwnerId field's value. +func (s *SecurityGroupRule) SetGroupOwnerId(v string) *SecurityGroupRule { + s.GroupOwnerId = &v + return s +} + +// SetIpProtocol sets the IpProtocol field's value. +func (s *SecurityGroupRule) SetIpProtocol(v string) *SecurityGroupRule { + s.IpProtocol = &v + return s +} + +// SetIsEgress sets the IsEgress field's value. +func (s *SecurityGroupRule) SetIsEgress(v bool) *SecurityGroupRule { + s.IsEgress = &v + return s +} + +// SetPrefixListId sets the PrefixListId field's value. +func (s *SecurityGroupRule) SetPrefixListId(v string) *SecurityGroupRule { + s.PrefixListId = &v + return s +} + +// SetReferencedGroupInfo sets the ReferencedGroupInfo field's value. +func (s *SecurityGroupRule) SetReferencedGroupInfo(v *ReferencedSecurityGroup) *SecurityGroupRule { + s.ReferencedGroupInfo = v + return s +} + +// SetSecurityGroupRuleId sets the SecurityGroupRuleId field's value. +func (s *SecurityGroupRule) SetSecurityGroupRuleId(v string) *SecurityGroupRule { + s.SecurityGroupRuleId = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *SecurityGroupRule) SetTags(v []*Tag) *SecurityGroupRule { + s.Tags = v + return s +} + +// SetToPort sets the ToPort field's value. +func (s *SecurityGroupRule) SetToPort(v int64) *SecurityGroupRule { + s.ToPort = &v + return s +} + +// Describes the description of a security group rule. +// +// You can use this when you want to update the security group rule description +// for either an inbound or outbound rule. +type SecurityGroupRuleDescription struct { + _ struct{} `type:"structure"` + + // The description of the security group rule. + Description *string `type:"string"` + + // The ID of the security group rule. + SecurityGroupRuleId *string `type:"string"` +} + +// String returns the string representation +func (s SecurityGroupRuleDescription) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s SecurityGroupRuleDescription) GoString() string { + return s.String() +} + +// SetDescription sets the Description field's value. +func (s *SecurityGroupRuleDescription) SetDescription(v string) *SecurityGroupRuleDescription { + s.Description = &v + return s +} + +// SetSecurityGroupRuleId sets the SecurityGroupRuleId field's value. +func (s *SecurityGroupRuleDescription) SetSecurityGroupRuleId(v string) *SecurityGroupRuleDescription { + s.SecurityGroupRuleId = &v + return s +} + +// Describes a security group rule. +// +// You must specify exactly one of the following parameters, based on the rule +// type: +// +// * CidrIpv4 +// +// * CidrIpv6 +// +// * PrefixListId +// +// * ReferencedGroupId +// +// When you modify a rule, you cannot change the rule type. For example, if +// the rule uses an IPv4 address range, you must use CidrIpv4 to specify a new +// IPv4 address range. +type SecurityGroupRuleRequest struct { + _ struct{} `type:"structure"` + + // The IPv4 CIDR range. To specify a single IPv4 address, use the /32 prefix + // length. + CidrIpv4 *string `type:"string"` + + // The IPv6 CIDR range. To specify a single IPv6 address, use the /128 prefix + // length. + CidrIpv6 *string `type:"string"` + + // The description of the security group rule. + Description *string `type:"string"` + + // The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 + // type. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 + // types, you must specify all codes. + FromPort *int64 `type:"integer"` + + // The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers + // (http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml)). + // + // Use -1 to specify all protocols. + IpProtocol *string `type:"string"` + + // The ID of the prefix list. + PrefixListId *string `type:"string"` + + // The ID of the security group that is referenced in the security group rule. + ReferencedGroupId *string `type:"string"` + + // The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. + // A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 + // types, you must specify all codes. + ToPort *int64 `type:"integer"` +} + +// String returns the string representation +func (s SecurityGroupRuleRequest) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s SecurityGroupRuleRequest) GoString() string { + return s.String() +} + +// SetCidrIpv4 sets the CidrIpv4 field's value. +func (s *SecurityGroupRuleRequest) SetCidrIpv4(v string) *SecurityGroupRuleRequest { + s.CidrIpv4 = &v + return s +} + +// SetCidrIpv6 sets the CidrIpv6 field's value. +func (s *SecurityGroupRuleRequest) SetCidrIpv6(v string) *SecurityGroupRuleRequest { + s.CidrIpv6 = &v + return s +} + +// SetDescription sets the Description field's value. +func (s *SecurityGroupRuleRequest) SetDescription(v string) *SecurityGroupRuleRequest { + s.Description = &v + return s +} + +// SetFromPort sets the FromPort field's value. +func (s *SecurityGroupRuleRequest) SetFromPort(v int64) *SecurityGroupRuleRequest { + s.FromPort = &v + return s +} + +// SetIpProtocol sets the IpProtocol field's value. +func (s *SecurityGroupRuleRequest) SetIpProtocol(v string) *SecurityGroupRuleRequest { + s.IpProtocol = &v + return s +} + +// SetPrefixListId sets the PrefixListId field's value. +func (s *SecurityGroupRuleRequest) SetPrefixListId(v string) *SecurityGroupRuleRequest { + s.PrefixListId = &v + return s +} + +// SetReferencedGroupId sets the ReferencedGroupId field's value. +func (s *SecurityGroupRuleRequest) SetReferencedGroupId(v string) *SecurityGroupRuleRequest { + s.ReferencedGroupId = &v + return s +} + +// SetToPort sets the ToPort field's value. +func (s *SecurityGroupRuleRequest) SetToPort(v int64) *SecurityGroupRuleRequest { + s.ToPort = &v + return s +} + +// Describes an update to a security group rule. +type SecurityGroupRuleUpdate struct { + _ struct{} `type:"structure"` + + // Information about the security group rule. + SecurityGroupRule *SecurityGroupRuleRequest `type:"structure"` + + // The ID of the security group rule. + SecurityGroupRuleId *string `type:"string"` +} + +// String returns the string representation +func (s SecurityGroupRuleUpdate) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s SecurityGroupRuleUpdate) GoString() string { + return s.String() +} + +// SetSecurityGroupRule sets the SecurityGroupRule field's value. +func (s *SecurityGroupRuleUpdate) SetSecurityGroupRule(v *SecurityGroupRuleRequest) *SecurityGroupRuleUpdate { + s.SecurityGroupRule = v + return s +} + +// SetSecurityGroupRuleId sets the SecurityGroupRuleId field's value. +func (s *SecurityGroupRuleUpdate) SetSecurityGroupRuleId(v string) *SecurityGroupRuleUpdate { + s.SecurityGroupRuleId = &v + return s +} + type SendDiagnosticInterruptInput struct { _ struct{} `type:"structure"` @@ -115213,21 +118956,21 @@ type Snapshot struct { // Indicates whether the snapshot is encrypted. Encrypted *bool `locationName:"encrypted" type:"boolean"` - // The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) - // customer master key (CMK) that was used to protect the volume encryption - // key for the parent volume. + // The Amazon Resource Name (ARN) of the Key Management Service (KMS) KMS key + // that was used to protect the volume encryption key for the parent volume. KmsKeyId *string `locationName:"kmsKeyId" type:"string"` - // The ARN of the AWS Outpost on which the snapshot is stored. For more information, - // see EBS Local Snapshot on Outposts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html) + // The ARN of the Outpost on which the snapshot is stored. For more information, + // see Amazon EBS local snapshots on Outposts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html) // in the Amazon Elastic Compute Cloud User Guide. OutpostArn *string `locationName:"outpostArn" type:"string"` - // The AWS owner alias, from an Amazon-maintained list (amazon). This is not - // the user-configured AWS account alias set using the IAM console. + // The Amazon Web Services owner alias, from an Amazon-maintained list (amazon). + // This is not the user-configured Amazon Web Services account alias set using + // the IAM console. OwnerAlias *string `locationName:"ownerAlias" type:"string"` - // The AWS account ID of the EBS snapshot owner. + // The ID of the Amazon Web Services account that owns the EBS snapshot. OwnerId *string `locationName:"ownerId" type:"string"` // The progress of the snapshot, as a percentage. @@ -115244,9 +118987,9 @@ type Snapshot struct { State *string `locationName:"status" type:"string" enum:"SnapshotState"` // Encrypted Amazon EBS snapshots are copied asynchronously. If a snapshot copy - // operation fails (for example, if the proper AWS Key Management Service (AWS - // KMS) permissions are not obtained) this field displays error state details - // to help you diagnose why the error occurred. This parameter is only returned + // operation fails (for example, if the proper Key Management Service (KMS) + // permissions are not obtained) this field displays error state details to + // help you diagnose why the error occurred. This parameter is only returned // by DescribeSnapshots. StateMessage *string `locationName:"statusMessage" type:"string"` @@ -115532,8 +119275,8 @@ type SnapshotInfo struct { // Indicates whether the snapshot is encrypted. Encrypted *bool `locationName:"encrypted" type:"boolean"` - // The ARN of the AWS Outpost on which the snapshot is stored. For more information, - // see EBS Local Snapshot on Outposts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html) + // The ARN of the Outpost on which the snapshot is stored. For more information, + // see Amazon EBS local snapshots on Outposts (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/snapshots-outposts.html) // in the Amazon Elastic Compute Cloud User Guide. OutpostArn *string `locationName:"outpostArn" type:"string"` @@ -115655,8 +119398,7 @@ type SnapshotTaskDetail struct { // The format of the disk image from which the snapshot is created. Format *string `locationName:"format" type:"string"` - // The identifier for the AWS Key Management Service (AWS KMS) customer master - // key (CMK) that was used to create the encrypted snapshot. + // The identifier for the KMS key that was used to create the encrypted snapshot. KmsKeyId *string `locationName:"kmsKeyId" type:"string"` // The percentage of completion for the import snapshot task. @@ -115800,7 +119542,7 @@ type SpotDatafeedSubscription struct { // The fault codes for the Spot Instance request, if any. Fault *SpotInstanceStateFault `locationName:"fault" type:"structure"` - // The AWS account ID of the account. + // The Amazon Web Services account ID of the account. OwnerId *string `locationName:"ownerId" type:"string"` // The prefix for the data feed files. @@ -115906,8 +119648,8 @@ type SpotFleetLaunchSpecification struct { // The ID of the RAM disk. Some kernels require additional drivers at launch. // Check the kernel requirements for information about whether you need to specify - // a RAM disk. To find kernel requirements, refer to the AWS Resource Center - // and search for the kernel ID. + // a RAM disk. To find kernel requirements, refer to the Amazon Web Services + // Resource Center and search for the kernel ID. RamdiskId *string `locationName:"ramdiskId" type:"string"` // One or more security groups. When requesting instances in a VPC, you must @@ -116190,6 +119932,9 @@ type SpotFleetRequestConfigData struct { // see Ensuring Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). ClientToken *string `locationName:"clientToken" type:"string"` + // Reserved. + Context *string `locationName:"context" type:"string"` + // Indicates whether running Spot Instances should be terminated if you decrease // the target capacity of the Spot Fleet request below the current size of the // Spot Fleet. @@ -116199,7 +119944,7 @@ type SpotFleetRequestConfigData struct { // capacity. You cannot set this value. FulfilledCapacity *float64 `locationName:"fulfilledCapacity" type:"double"` - // The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) + // The Amazon Resource Name (ARN) of an Identity and Access Management (IAM) // role that grants the Spot Fleet the permission to request, launch, terminate, // and tag instances on your behalf. For more information, see Spot Fleet prerequisites // (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/spot-fleet-requests.html#spot-fleet-prerequisites) @@ -116218,6 +119963,15 @@ type SpotFleetRequestConfigData struct { // Valid only when Spot AllocationStrategy is set to lowest-price. Spot Fleet // selects the cheapest Spot pools and evenly allocates your target Spot capacity // across the number of Spot pools that you specify. + // + // Note that Spot Fleet attempts to draw Spot Instances from the number of pools + // that you specify on a best effort basis. If a pool runs out of Spot capacity + // before fulfilling your target capacity, Spot Fleet will continue to fulfill + // your request by drawing from the next cheapest pool. To ensure that your + // target capacity is met, you might receive Spot Instances from more than the + // number of pools that you specified. Similarly, if most of the pools have + // no Spot capacity, you might receive your full target capacity from fewer + // than the number of pools that you specified. InstancePoolsToUseCount *int64 `locationName:"instancePoolsToUseCount" type:"integer"` // The launch specifications for the Spot Fleet request. If you specify LaunchSpecifications, @@ -116386,6 +120140,12 @@ func (s *SpotFleetRequestConfigData) SetClientToken(v string) *SpotFleetRequestC return s } +// SetContext sets the Context field's value. +func (s *SpotFleetRequestConfigData) SetContext(v string) *SpotFleetRequestConfigData { + s.Context = &v + return s +} + // SetExcessCapacityTerminationPolicy sets the ExcessCapacityTerminationPolicy field's value. func (s *SpotFleetRequestConfigData) SetExcessCapacityTerminationPolicy(v string) *SpotFleetRequestConfigData { s.ExcessCapacityTerminationPolicy = &v @@ -116557,8 +120317,7 @@ func (s *SpotFleetTagSpecification) SetTags(v []*Tag) *SpotFleetTagSpecification type SpotInstanceRequest struct { _ struct{} `type:"structure"` - // If you specified a duration and your Spot Instance request was fulfilled, - // this is the fixed hourly price in effect for the Spot Instance while it runs. + // Deprecated. ActualBlockHourlyPrice *string `locationName:"actualBlockHourlyPrice" type:"string"` // The Availability Zone group. If you specify the same Availability Zone group @@ -116566,7 +120325,7 @@ type SpotInstanceRequest struct { // Availability Zone. AvailabilityZoneGroup *string `locationName:"availabilityZoneGroup" type:"string"` - // The duration for the Spot Instance, in minutes. + // Deprecated. BlockDurationMinutes *int64 `locationName:"blockDurationMinutes" type:"integer"` // The date and time when the Spot Instance request was created, in UTC format @@ -116864,20 +120623,7 @@ func (s *SpotMaintenanceStrategies) SetCapacityRebalance(v *SpotCapacityRebalanc type SpotMarketOptions struct { _ struct{} `type:"structure"` - // The required duration for the Spot Instances (also known as Spot blocks), - // in minutes. This value must be a multiple of 60 (60, 120, 180, 240, 300, - // or 360). - // - // The duration period starts as soon as your Spot Instance receives its instance - // ID. At the end of the duration period, Amazon EC2 marks the Spot Instance - // for termination and provides a Spot Instance termination notice, which gives - // the instance a two-minute warning before it terminates. - // - // You can't specify an Availability Zone group or a launch group if you specify - // a duration. - // - // New accounts or accounts with no previous billing history with AWS are not - // eligible for Spot Instances with a defined duration (also known as Spot blocks). + // Deprecated. BlockDurationMinutes *int64 `type:"integer"` // The behavior when a Spot Instance is interrupted. The default is terminate. @@ -116977,6 +120723,15 @@ type SpotOptions struct { // Valid only when AllocationStrategy is set to lowest-price. EC2 Fleet selects // the cheapest Spot pools and evenly allocates your target Spot capacity across // the number of Spot pools that you specify. + // + // Note that EC2 Fleet attempts to draw Spot Instances from the number of pools + // that you specify on a best effort basis. If a pool runs out of Spot capacity + // before fulfilling your target capacity, EC2 Fleet will continue to fulfill + // your request by drawing from the next cheapest pool. To ensure that your + // target capacity is met, you might receive Spot Instances from more than the + // number of pools that you specified. Similarly, if most of the pools have + // no Spot capacity, you might receive your full target capacity from fewer + // than the number of pools that you specified. InstancePoolsToUseCount *int64 `locationName:"instancePoolsToUseCount" type:"integer"` // The strategies for managing your workloads on your Spot Instances that will @@ -117090,6 +120845,15 @@ type SpotOptionsRequest struct { // Valid only when Spot AllocationStrategy is set to lowest-price. EC2 Fleet // selects the cheapest Spot pools and evenly allocates your target Spot capacity // across the number of Spot pools that you specify. + // + // Note that EC2 Fleet attempts to draw Spot Instances from the number of pools + // that you specify on a best effort basis. If a pool runs out of Spot capacity + // before fulfilling your target capacity, EC2 Fleet will continue to fulfill + // your request by drawing from the next cheapest pool. To ensure that your + // target capacity is met, you might receive Spot Instances from more than the + // number of pools that you specified. Similarly, if most of the pools have + // no Spot capacity, you might receive your full target capacity from fewer + // than the number of pools that you specified. InstancePoolsToUseCount *int64 `type:"integer"` // The strategies for managing your Spot Instances that are at an elevated risk @@ -117506,7 +121270,7 @@ type StartNetworkInsightsAnalysisInput struct { _ struct{} `type:"structure"` // Unique, case-sensitive identifier that you provide to ensure the idempotency - // of the request. For more information, see How to Ensure Idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). + // of the request. For more information, see How to ensure idempotency (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/Run_Instance_Idempotency.html). ClientToken *string `type:"string" idempotencyToken:"true"` // Checks whether you have the required permissions for the action, without @@ -118026,7 +121790,7 @@ type Subnet struct { // The Amazon Resource Name (ARN) of the Outpost. OutpostArn *string `locationName:"outpostArn" type:"string"` - // The ID of the AWS account that owns the subnet. + // The ID of the Amazon Web Services account that owns the subnet. OwnerId *string `locationName:"ownerId" type:"string"` // The current state of the subnet. @@ -118223,6 +121987,84 @@ func (s *SubnetCidrBlockState) SetStatusMessage(v string) *SubnetCidrBlockState return s } +// Describes a subnet CIDR reservation. +type SubnetCidrReservation struct { + _ struct{} `type:"structure"` + + // The CIDR that has been reserved. + Cidr *string `locationName:"cidr" type:"string"` + + // The description assigned to the subnet CIDR reservation. + Description *string `locationName:"description" type:"string"` + + // The ID of the account that owns the subnet CIDR reservation. + OwnerId *string `locationName:"ownerId" type:"string"` + + // The type of reservation. + ReservationType *string `locationName:"reservationType" type:"string" enum:"SubnetCidrReservationType"` + + // The ID of the subnet CIDR reservation. + SubnetCidrReservationId *string `locationName:"subnetCidrReservationId" type:"string"` + + // The ID of the subnet. + SubnetId *string `locationName:"subnetId" type:"string"` + + // The tags assigned to the subnet CIDR reservation. + Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` +} + +// String returns the string representation +func (s SubnetCidrReservation) String() string { + return awsutil.Prettify(s) +} + +// GoString returns the string representation +func (s SubnetCidrReservation) GoString() string { + return s.String() +} + +// SetCidr sets the Cidr field's value. +func (s *SubnetCidrReservation) SetCidr(v string) *SubnetCidrReservation { + s.Cidr = &v + return s +} + +// SetDescription sets the Description field's value. +func (s *SubnetCidrReservation) SetDescription(v string) *SubnetCidrReservation { + s.Description = &v + return s +} + +// SetOwnerId sets the OwnerId field's value. +func (s *SubnetCidrReservation) SetOwnerId(v string) *SubnetCidrReservation { + s.OwnerId = &v + return s +} + +// SetReservationType sets the ReservationType field's value. +func (s *SubnetCidrReservation) SetReservationType(v string) *SubnetCidrReservation { + s.ReservationType = &v + return s +} + +// SetSubnetCidrReservationId sets the SubnetCidrReservationId field's value. +func (s *SubnetCidrReservation) SetSubnetCidrReservationId(v string) *SubnetCidrReservation { + s.SubnetCidrReservationId = &v + return s +} + +// SetSubnetId sets the SubnetId field's value. +func (s *SubnetCidrReservation) SetSubnetId(v string) *SubnetCidrReservation { + s.SubnetId = &v + return s +} + +// SetTags sets the Tags field's value. +func (s *SubnetCidrReservation) SetTags(v []*Tag) *SubnetCidrReservation { + s.Tags = v + return s +} + // Describes an IPv6 CIDR block associated with a subnet. type SubnetIpv6CidrBlockAssociation struct { _ struct{} `type:"structure"` @@ -118413,15 +122255,16 @@ type TagSpecification struct { // | customer-gateway | dedicated-host | dhcp-options | egress-only-internet-gateway // | elastic-ip | elastic-gpu | export-image-task | export-instance-task | fleet // | fpga-image | host-reservation | image| import-image-task | import-snapshot-task - // | instance | internet-gateway | ipv4pool-ec2 | ipv6pool-ec2 | key-pair | - // launch-template | local-gateway-route-table-vpc-association | placement-group - // | prefix-list | natgateway | network-acl | network-interface | reserved-instances - // |route-table | security-group| snapshot | spot-fleet-request | spot-instances-request - // | snapshot | subnet | traffic-mirror-filter | traffic-mirror-session | traffic-mirror-target - // | transit-gateway | transit-gateway-attachment | transit-gateway-multicast-domain - // | transit-gateway-route-table | volume |vpc | vpc-peering-connection | vpc-endpoint - // (for interface and gateway endpoints) | vpc-endpoint-service (for AWS PrivateLink) - // | vpc-flow-log | vpn-connection | vpn-gateway. + // | instance | instance-event-window | internet-gateway | ipv4pool-ec2 | ipv6pool-ec2 + // | key-pair | launch-template | local-gateway-route-table-vpc-association + // | placement-group | prefix-list | natgateway | network-acl | network-interface + // | reserved-instances |route-table | security-group| snapshot | spot-fleet-request + // | spot-instances-request | snapshot | subnet | traffic-mirror-filter | traffic-mirror-session + // | traffic-mirror-target | transit-gateway | transit-gateway-attachment | + // transit-gateway-multicast-domain | transit-gateway-route-table | volume |vpc + // | vpc-peering-connection | vpc-endpoint (for interface and gateway endpoints) + // | vpc-endpoint-service (for Amazon Web Services PrivateLink) | vpc-flow-log + // | vpn-connection | vpn-gateway. // // To tag a resource after it has been created, see CreateTags (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_CreateTags.html). ResourceType *string `locationName:"resourceType" type:"string" enum:"ResourceType"` @@ -119537,7 +123380,7 @@ type TransitGateway struct { // The transit gateway options. Options *TransitGatewayOptions `locationName:"options" type:"structure"` - // The ID of the AWS account ID that owns the transit gateway. + // The ID of the Amazon Web Services account that owns the transit gateway. OwnerId *string `locationName:"ownerId" type:"string"` // The state of the transit gateway. @@ -119685,7 +123528,7 @@ type TransitGatewayAttachment struct { // The ID of the resource. ResourceId *string `locationName:"resourceId" type:"string"` - // The ID of the AWS account that owns the resource. + // The ID of the Amazon Web Services account that owns the resource. ResourceOwnerId *string `locationName:"resourceOwnerId" type:"string"` // The resource type. Note that the tgw-peering resource type has been deprecated. @@ -119703,7 +123546,7 @@ type TransitGatewayAttachment struct { // The ID of the transit gateway. TransitGatewayId *string `locationName:"transitGatewayId" type:"string"` - // The ID of the AWS account that owns the transit gateway. + // The ID of the Amazon Web Services account that owns the transit gateway. TransitGatewayOwnerId *string `locationName:"transitGatewayOwnerId" type:"string"` } @@ -120252,7 +124095,8 @@ type TransitGatewayMulticastDomain struct { // The options for the transit gateway multicast domain. Options *TransitGatewayMulticastDomainOptions `locationName:"options" type:"structure"` - // The ID of the AWS account that owns the transit gateway multiicast domain. + // The ID of the Amazon Web Services account that owns the transit gateway multicast + // domain. OwnerId *string `locationName:"ownerId" type:"string"` // The state of the transit gateway multicast domain. @@ -120336,8 +124180,8 @@ type TransitGatewayMulticastDomainAssociation struct { // The ID of the resource. ResourceId *string `locationName:"resourceId" type:"string"` - // The ID of the AWS account that owns the transit gateway multicast domain - // association resource. + // The ID of the Amazon Web Services account that owns the transit gateway multicast + // domain association resource. ResourceOwnerId *string `locationName:"resourceOwnerId" type:"string"` // The type of resource, for example a VPC attachment. @@ -120397,7 +124241,7 @@ type TransitGatewayMulticastDomainAssociations struct { // The ID of the resource. ResourceId *string `locationName:"resourceId" type:"string"` - // The ID of the AWS account that owns the resource. + // The ID of the Amazon Web Services account that owns the resource. ResourceOwnerId *string `locationName:"resourceOwnerId" type:"string"` // The type of resource, for example a VPC attachment. @@ -120526,8 +124370,8 @@ type TransitGatewayMulticastGroup struct { // The ID of the resource. ResourceId *string `locationName:"resourceId" type:"string"` - // The ID of the AWS account that owns the transit gateway multicast domain - // group resource. + // The ID of the Amazon Web Services account that owns the transit gateway multicast + // domain group resource. ResourceOwnerId *string `locationName:"resourceOwnerId" type:"string"` // The type of resource, for example a VPC attachment. @@ -121470,7 +125314,7 @@ type TransitGatewayVpcAttachment struct { // The ID of the VPC. VpcId *string `locationName:"vpcId" type:"string"` - // The ID of the AWS account that owns the VPC. + // The ID of the Amazon Web Services account that owns the VPC. VpcOwnerId *string `locationName:"vpcOwnerId" type:"string"` } @@ -121580,6 +125424,10 @@ func (s *TransitGatewayVpcAttachmentOptions) SetIpv6Support(v string) *TransitGa return s } +// +// Currently available in limited preview only. If you are interested in using +// this feature, contact your account manager. +// // Information about an association between a branch network interface with // a trunk network interface. type TrunkInterfaceAssociation struct { @@ -121597,7 +125445,7 @@ type TrunkInterfaceAssociation struct { // The interface protocol. Valid values are VLAN and GRE. InterfaceProtocol *string `locationName:"interfaceProtocol" type:"string" enum:"InterfaceProtocolType"` - // The tags. + // The tags for the trunk interface association. Tags []*Tag `locationName:"tagSet" locationNameList:"item" type:"list"` // The ID of the trunk network interface. @@ -121854,9 +125702,10 @@ type UnassignIpv6AddressesInput struct { _ struct{} `type:"structure"` // The IPv6 addresses to unassign from the network interface. - // - // Ipv6Addresses is a required field - Ipv6Addresses []*string `locationName:"ipv6Addresses" locationNameList:"item" type:"list" required:"true"` + Ipv6Addresses []*string `locationName:"ipv6Addresses" locationNameList:"item" type:"list"` + + // One or more IPv6 prefixes to unassign from the network interface. + Ipv6Prefixes []*string `locationName:"Ipv6Prefix" locationNameList:"item" type:"list"` // The ID of the network interface. // @@ -121877,9 +125726,6 @@ func (s UnassignIpv6AddressesInput) GoString() string { // Validate inspects the fields of the type to determine if they are valid. func (s *UnassignIpv6AddressesInput) Validate() error { invalidParams := request.ErrInvalidParams{Context: "UnassignIpv6AddressesInput"} - if s.Ipv6Addresses == nil { - invalidParams.Add(request.NewErrParamRequired("Ipv6Addresses")) - } if s.NetworkInterfaceId == nil { invalidParams.Add(request.NewErrParamRequired("NetworkInterfaceId")) } @@ -121896,6 +125742,12 @@ func (s *UnassignIpv6AddressesInput) SetIpv6Addresses(v []*string) *UnassignIpv6 return s } +// SetIpv6Prefixes sets the Ipv6Prefixes field's value. +func (s *UnassignIpv6AddressesInput) SetIpv6Prefixes(v []*string) *UnassignIpv6AddressesInput { + s.Ipv6Prefixes = v + return s +} + // SetNetworkInterfaceId sets the NetworkInterfaceId field's value. func (s *UnassignIpv6AddressesInput) SetNetworkInterfaceId(v string) *UnassignIpv6AddressesInput { s.NetworkInterfaceId = &v @@ -121910,6 +125762,9 @@ type UnassignIpv6AddressesOutput struct { // The IPv6 addresses that have been unassigned from the network interface. UnassignedIpv6Addresses []*string `locationName:"unassignedIpv6Addresses" locationNameList:"item" type:"list"` + + // The IPv4 prefixes that have been unassigned from the network interface. + UnassignedIpv6Prefixes []*string `locationName:"unassignedIpv6PrefixSet" locationNameList:"item" type:"list"` } // String returns the string representation @@ -121934,10 +125789,19 @@ func (s *UnassignIpv6AddressesOutput) SetUnassignedIpv6Addresses(v []*string) *U return s } +// SetUnassignedIpv6Prefixes sets the UnassignedIpv6Prefixes field's value. +func (s *UnassignIpv6AddressesOutput) SetUnassignedIpv6Prefixes(v []*string) *UnassignIpv6AddressesOutput { + s.UnassignedIpv6Prefixes = v + return s +} + // Contains the parameters for UnassignPrivateIpAddresses. type UnassignPrivateIpAddressesInput struct { _ struct{} `type:"structure"` + // The IPv4 prefixes to unassign from the network interface. + Ipv4Prefixes []*string `locationName:"Ipv4Prefix" locationNameList:"item" type:"list"` + // The ID of the network interface. // // NetworkInterfaceId is a required field @@ -121945,9 +125809,7 @@ type UnassignPrivateIpAddressesInput struct { // The secondary private IP addresses to unassign from the network interface. // You can specify this option multiple times to unassign more than one IP address. - // - // PrivateIpAddresses is a required field - PrivateIpAddresses []*string `locationName:"privateIpAddress" locationNameList:"PrivateIpAddress" type:"list" required:"true"` + PrivateIpAddresses []*string `locationName:"privateIpAddress" locationNameList:"PrivateIpAddress" type:"list"` } // String returns the string representation @@ -121966,9 +125828,6 @@ func (s *UnassignPrivateIpAddressesInput) Validate() error { if s.NetworkInterfaceId == nil { invalidParams.Add(request.NewErrParamRequired("NetworkInterfaceId")) } - if s.PrivateIpAddresses == nil { - invalidParams.Add(request.NewErrParamRequired("PrivateIpAddresses")) - } if invalidParams.Len() > 0 { return invalidParams @@ -121976,6 +125835,12 @@ func (s *UnassignPrivateIpAddressesInput) Validate() error { return nil } +// SetIpv4Prefixes sets the Ipv4Prefixes field's value. +func (s *UnassignPrivateIpAddressesInput) SetIpv4Prefixes(v []*string) *UnassignPrivateIpAddressesInput { + s.Ipv4Prefixes = v + return s +} + // SetNetworkInterfaceId sets the NetworkInterfaceId field's value. func (s *UnassignPrivateIpAddressesInput) SetNetworkInterfaceId(v string) *UnassignPrivateIpAddressesInput { s.NetworkInterfaceId = &v @@ -122178,7 +126043,7 @@ func (s *UnsuccessfulItem) SetResourceId(v string) *UnsuccessfulItem { } // Information about the error that occurred. For more information about errors, -// see Error Codes (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/errors-overview.html). +// see Error codes (https://docs.aws.amazon.com/AWSEC2/latest/APIReference/errors-overview.html). type UnsuccessfulItemError struct { _ struct{} `type:"structure"` @@ -122229,10 +126094,13 @@ type UpdateSecurityGroupRuleDescriptionsEgressInput struct { // security group ID or the security group name in the request. GroupName *string `type:"string"` - // The IP permissions for the security group rule. - // - // IpPermissions is a required field - IpPermissions []*IpPermission `locationNameList:"item" type:"list" required:"true"` + // The IP permissions for the security group rule. You must specify either the + // IP permissions or the description. + IpPermissions []*IpPermission `locationNameList:"item" type:"list"` + + // The description for the egress security group rules. You must specify either + // the description or the IP permissions. + SecurityGroupRuleDescriptions []*SecurityGroupRuleDescription `locationName:"SecurityGroupRuleDescription" locationNameList:"item" type:"list"` } // String returns the string representation @@ -122245,19 +126113,6 @@ func (s UpdateSecurityGroupRuleDescriptionsEgressInput) GoString() string { return s.String() } -// Validate inspects the fields of the type to determine if they are valid. -func (s *UpdateSecurityGroupRuleDescriptionsEgressInput) Validate() error { - invalidParams := request.ErrInvalidParams{Context: "UpdateSecurityGroupRuleDescriptionsEgressInput"} - if s.IpPermissions == nil { - invalidParams.Add(request.NewErrParamRequired("IpPermissions")) - } - - if invalidParams.Len() > 0 { - return invalidParams - } - return nil -} - // SetDryRun sets the DryRun field's value. func (s *UpdateSecurityGroupRuleDescriptionsEgressInput) SetDryRun(v bool) *UpdateSecurityGroupRuleDescriptionsEgressInput { s.DryRun = &v @@ -122282,6 +126137,12 @@ func (s *UpdateSecurityGroupRuleDescriptionsEgressInput) SetIpPermissions(v []*I return s } +// SetSecurityGroupRuleDescriptions sets the SecurityGroupRuleDescriptions field's value. +func (s *UpdateSecurityGroupRuleDescriptionsEgressInput) SetSecurityGroupRuleDescriptions(v []*SecurityGroupRuleDescription) *UpdateSecurityGroupRuleDescriptionsEgressInput { + s.SecurityGroupRuleDescriptions = v + return s +} + type UpdateSecurityGroupRuleDescriptionsEgressOutput struct { _ struct{} `type:"structure"` @@ -122323,10 +126184,13 @@ type UpdateSecurityGroupRuleDescriptionsIngressInput struct { // either the security group ID or the security group name in the request. GroupName *string `type:"string"` - // The IP permissions for the security group rule. - // - // IpPermissions is a required field - IpPermissions []*IpPermission `locationNameList:"item" type:"list" required:"true"` + // The IP permissions for the security group rule. You must specify either IP + // permissions or a description. + IpPermissions []*IpPermission `locationNameList:"item" type:"list"` + + // [VPC only] The description for the ingress security group rules. You must + // specify either a description or IP permissions. + SecurityGroupRuleDescriptions []*SecurityGroupRuleDescription `locationName:"SecurityGroupRuleDescription" locationNameList:"item" type:"list"` } // String returns the string representation @@ -122339,19 +126203,6 @@ func (s UpdateSecurityGroupRuleDescriptionsIngressInput) GoString() string { return s.String() } -// Validate inspects the fields of the type to determine if they are valid. -func (s *UpdateSecurityGroupRuleDescriptionsIngressInput) Validate() error { - invalidParams := request.ErrInvalidParams{Context: "UpdateSecurityGroupRuleDescriptionsIngressInput"} - if s.IpPermissions == nil { - invalidParams.Add(request.NewErrParamRequired("IpPermissions")) - } - - if invalidParams.Len() > 0 { - return invalidParams - } - return nil -} - // SetDryRun sets the DryRun field's value. func (s *UpdateSecurityGroupRuleDescriptionsIngressInput) SetDryRun(v bool) *UpdateSecurityGroupRuleDescriptionsIngressInput { s.DryRun = &v @@ -122376,6 +126227,12 @@ func (s *UpdateSecurityGroupRuleDescriptionsIngressInput) SetIpPermissions(v []* return s } +// SetSecurityGroupRuleDescriptions sets the SecurityGroupRuleDescriptions field's value. +func (s *UpdateSecurityGroupRuleDescriptionsIngressInput) SetSecurityGroupRuleDescriptions(v []*SecurityGroupRuleDescription) *UpdateSecurityGroupRuleDescriptionsIngressInput { + s.SecurityGroupRuleDescriptions = v + return s +} + type UpdateSecurityGroupRuleDescriptionsIngressOutput struct { _ struct{} `type:"structure"` @@ -122469,9 +126326,9 @@ func (s *UserBucketDetails) SetS3Key(v string) *UserBucketDetails { type UserData struct { _ struct{} `type:"structure" sensitive:"true"` - // The user data. If you are using an AWS SDK or command line tool, Base64-encoding - // is performed for you, and you can load the text from a file. Otherwise, you - // must provide Base64-encoded text. + // The user data. If you are using an Amazon Web Services SDK or command line + // tool, Base64-encoding is performed for you, and you can load the text from + // a file. Otherwise, you must provide Base64-encoded text. Data *string `locationName:"data" type:"string"` } @@ -122491,7 +126348,7 @@ func (s *UserData) SetData(v string) *UserData { return s } -// Describes a security group and AWS account ID pair. +// Describes a security group and Amazon Web Services account ID pair. type UserIdGroupPair struct { _ struct{} `type:"structure"` @@ -122516,14 +126373,14 @@ type UserIdGroupPair struct { // The status of a VPC peering connection, if applicable. PeeringStatus *string `locationName:"peeringStatus" type:"string"` - // The ID of an AWS account. + // The ID of an Amazon Web Services account. // // For a referenced security group in another VPC, the account ID of the referenced // security group is returned in the response. If the referenced security group // is deleted, this value is not returned. // // [EC2-Classic] Required when adding or removing rules that reference a security - // group in another AWS account. + // group in another Amazon Web Services account. UserId *string `locationName:"userId" type:"string"` // The ID of the VPC for the referenced security group, if applicable. @@ -122805,9 +126662,8 @@ type Volume struct { // rate at which the volume accumulates I/O credits for bursting. Iops *int64 `locationName:"iops" type:"integer"` - // The Amazon Resource Name (ARN) of the AWS Key Management Service (AWS KMS) - // customer master key (CMK) that was used to protect the volume encryption - // key for the volume. + // The Amazon Resource Name (ARN) of the Key Management Service (KMS) KMS key + // that was used to protect the volume encryption key for the volume. KmsKeyId *string `locationName:"kmsKeyId" type:"string"` // Indicates whether Amazon EBS Multi-Attach is enabled. @@ -123533,7 +127389,7 @@ type Vpc struct { // Indicates whether the VPC is the default VPC. IsDefault *bool `locationName:"isDefault" type:"boolean"` - // The ID of the AWS account that owns the VPC. + // The ID of the Amazon Web Services account that owns the VPC. OwnerId *string `locationName:"ownerId" type:"string"` // The current state of the VPC. @@ -124246,7 +128102,7 @@ type VpcPeeringConnectionVpcInfo struct { // The IPv6 CIDR block for the VPC. Ipv6CidrBlockSet []*Ipv6CidrBlock `locationName:"ipv6CidrBlockSet" locationNameList:"item" type:"list"` - // The AWS account ID of the VPC owner. + // The ID of the Amazon Web Services account that owns the VPC. OwnerId *string `locationName:"ownerId" type:"string"` // Information about the VPC peering connection options for the accepter or @@ -127055,6 +130911,30 @@ func InstanceAttributeName_Values() []string { } } +const ( + // InstanceEventWindowStateCreating is a InstanceEventWindowState enum value + InstanceEventWindowStateCreating = "creating" + + // InstanceEventWindowStateDeleting is a InstanceEventWindowState enum value + InstanceEventWindowStateDeleting = "deleting" + + // InstanceEventWindowStateActive is a InstanceEventWindowState enum value + InstanceEventWindowStateActive = "active" + + // InstanceEventWindowStateDeleted is a InstanceEventWindowState enum value + InstanceEventWindowStateDeleted = "deleted" +) + +// InstanceEventWindowState_Values returns all elements of the InstanceEventWindowState enum +func InstanceEventWindowState_Values() []string { + return []string{ + InstanceEventWindowStateCreating, + InstanceEventWindowStateDeleting, + InstanceEventWindowStateActive, + InstanceEventWindowStateDeleted, + } +} + const ( // InstanceHealthStatusHealthy is a InstanceHealthStatus enum value InstanceHealthStatusHealthy = "healthy" @@ -127171,6 +131051,22 @@ func InstanceMetadataOptionsState_Values() []string { } } +const ( + // InstanceMetadataProtocolStateDisabled is a InstanceMetadataProtocolState enum value + InstanceMetadataProtocolStateDisabled = "disabled" + + // InstanceMetadataProtocolStateEnabled is a InstanceMetadataProtocolState enum value + InstanceMetadataProtocolStateEnabled = "enabled" +) + +// InstanceMetadataProtocolState_Values returns all elements of the InstanceMetadataProtocolState enum +func InstanceMetadataProtocolState_Values() []string { + return []string{ + InstanceMetadataProtocolStateDisabled, + InstanceMetadataProtocolStateEnabled, + } +} + const ( // InstanceStateNamePending is a InstanceStateName enum value InstanceStateNamePending = "pending" @@ -127909,6 +131805,12 @@ const ( // InstanceTypeG3sXlarge is a InstanceType enum value InstanceTypeG3sXlarge = "g3s.xlarge" + // InstanceTypeG4adXlarge is a InstanceType enum value + InstanceTypeG4adXlarge = "g4ad.xlarge" + + // InstanceTypeG4ad2xlarge is a InstanceType enum value + InstanceTypeG4ad2xlarge = "g4ad.2xlarge" + // InstanceTypeG4ad4xlarge is a InstanceType enum value InstanceTypeG4ad4xlarge = "g4ad.4xlarge" @@ -128392,6 +132294,33 @@ const ( // InstanceTypeM6gd16xlarge is a InstanceType enum value InstanceTypeM6gd16xlarge = "m6gd.16xlarge" + // InstanceTypeM6iLarge is a InstanceType enum value + InstanceTypeM6iLarge = "m6i.large" + + // InstanceTypeM6iXlarge is a InstanceType enum value + InstanceTypeM6iXlarge = "m6i.xlarge" + + // InstanceTypeM6i2xlarge is a InstanceType enum value + InstanceTypeM6i2xlarge = "m6i.2xlarge" + + // InstanceTypeM6i4xlarge is a InstanceType enum value + InstanceTypeM6i4xlarge = "m6i.4xlarge" + + // InstanceTypeM6i8xlarge is a InstanceType enum value + InstanceTypeM6i8xlarge = "m6i.8xlarge" + + // InstanceTypeM6i12xlarge is a InstanceType enum value + InstanceTypeM6i12xlarge = "m6i.12xlarge" + + // InstanceTypeM6i16xlarge is a InstanceType enum value + InstanceTypeM6i16xlarge = "m6i.16xlarge" + + // InstanceTypeM6i24xlarge is a InstanceType enum value + InstanceTypeM6i24xlarge = "m6i.24xlarge" + + // InstanceTypeM6i32xlarge is a InstanceType enum value + InstanceTypeM6i32xlarge = "m6i.32xlarge" + // InstanceTypeMac1Metal is a InstanceType enum value InstanceTypeMac1Metal = "mac1.metal" @@ -128661,6 +132590,8 @@ func InstanceType_Values() []string { InstanceTypeG38xlarge, InstanceTypeG316xlarge, InstanceTypeG3sXlarge, + InstanceTypeG4adXlarge, + InstanceTypeG4ad2xlarge, InstanceTypeG4ad4xlarge, InstanceTypeG4ad8xlarge, InstanceTypeG4ad16xlarge, @@ -128822,6 +132753,15 @@ func InstanceType_Values() []string { InstanceTypeM6gd8xlarge, InstanceTypeM6gd12xlarge, InstanceTypeM6gd16xlarge, + InstanceTypeM6iLarge, + InstanceTypeM6iXlarge, + InstanceTypeM6i2xlarge, + InstanceTypeM6i4xlarge, + InstanceTypeM6i8xlarge, + InstanceTypeM6i12xlarge, + InstanceTypeM6i16xlarge, + InstanceTypeM6i24xlarge, + InstanceTypeM6i32xlarge, InstanceTypeMac1Metal, InstanceTypeX2gdMedium, InstanceTypeX2gdLarge, @@ -128899,6 +132839,22 @@ func Ipv6SupportValue_Values() []string { } } +const ( + // KeyTypeRsa is a KeyType enum value + KeyTypeRsa = "rsa" + + // KeyTypeEd25519 is a KeyType enum value + KeyTypeEd25519 = "ed25519" +) + +// KeyType_Values returns all elements of the KeyType enum +func KeyType_Values() []string { + return []string{ + KeyTypeRsa, + KeyTypeEd25519, + } +} + const ( // LaunchTemplateErrorCodeLaunchTemplateIdDoesNotExist is a LaunchTemplateErrorCode enum value LaunchTemplateErrorCodeLaunchTemplateIdDoesNotExist = "launchTemplateIdDoesNotExist" @@ -129968,6 +133924,9 @@ const ( // ResourceTypeInstance is a ResourceType enum value ResourceTypeInstance = "instance" + // ResourceTypeInstanceEventWindow is a ResourceType enum value + ResourceTypeInstanceEventWindow = "instance-event-window" + // ResourceTypeInternetGateway is a ResourceType enum value ResourceTypeInternetGateway = "internet-gateway" @@ -130007,6 +133966,9 @@ const ( // ResourceTypeSecurityGroup is a ResourceType enum value ResourceTypeSecurityGroup = "security-group" + // ResourceTypeSecurityGroupRule is a ResourceType enum value + ResourceTypeSecurityGroupRule = "security-group-rule" + // ResourceTypeSnapshot is a ResourceType enum value ResourceTypeSnapshot = "snapshot" @@ -130081,6 +134043,7 @@ func ResourceType_Values() []string { ResourceTypeImportImageTask, ResourceTypeImportSnapshotTask, ResourceTypeInstance, + ResourceTypeInstanceEventWindow, ResourceTypeInternetGateway, ResourceTypeKeyPair, ResourceTypeLaunchTemplate, @@ -130094,6 +134057,7 @@ func ResourceType_Values() []string { ResourceTypeReservedInstances, ResourceTypeRouteTable, ResourceTypeSecurityGroup, + ResourceTypeSecurityGroupRule, ResourceTypeSnapshot, ResourceTypeSpotFleetRequest, ResourceTypeSpotInstancesRequest, @@ -130575,6 +134539,22 @@ func SubnetCidrBlockStateCode_Values() []string { } } +const ( + // SubnetCidrReservationTypePrefix is a SubnetCidrReservationType enum value + SubnetCidrReservationTypePrefix = "prefix" + + // SubnetCidrReservationTypeExplicit is a SubnetCidrReservationType enum value + SubnetCidrReservationTypeExplicit = "explicit" +) + +// SubnetCidrReservationType_Values returns all elements of the SubnetCidrReservationType enum +func SubnetCidrReservationType_Values() []string { + return []string{ + SubnetCidrReservationTypePrefix, + SubnetCidrReservationTypeExplicit, + } +} + const ( // SubnetStatePending is a SubnetState enum value SubnetStatePending = "pending" @@ -131610,3 +135590,39 @@ func VpnStaticRouteSource_Values() []string { VpnStaticRouteSourceStatic, } } + +const ( + // WeekDaySunday is a WeekDay enum value + WeekDaySunday = "sunday" + + // WeekDayMonday is a WeekDay enum value + WeekDayMonday = "monday" + + // WeekDayTuesday is a WeekDay enum value + WeekDayTuesday = "tuesday" + + // WeekDayWednesday is a WeekDay enum value + WeekDayWednesday = "wednesday" + + // WeekDayThursday is a WeekDay enum value + WeekDayThursday = "thursday" + + // WeekDayFriday is a WeekDay enum value + WeekDayFriday = "friday" + + // WeekDaySaturday is a WeekDay enum value + WeekDaySaturday = "saturday" +) + +// WeekDay_Values returns all elements of the WeekDay enum +func WeekDay_Values() []string { + return []string{ + WeekDaySunday, + WeekDayMonday, + WeekDayTuesday, + WeekDayWednesday, + WeekDayThursday, + WeekDayFriday, + WeekDaySaturday, + } +} diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go index 1f3b5eae7..1d827662d 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/kms/api.go +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/api.go @@ -57,19 +57,19 @@ func (c *KMS) CancelKeyDeletionRequest(input *CancelKeyDeletionInput) (req *requ // CancelKeyDeletion API operation for AWS Key Management Service. // -// Cancels the deletion of a customer master key (CMK). When this operation -// succeeds, the key state of the CMK is Disabled. To enable the CMK, use EnableKey. +// Cancels the deletion of a KMS key. When this operation succeeds, the key +// state of the KMS key is Disabled. To enable the KMS key, use EnableKey. // -// For more information about scheduling and canceling deletion of a CMK, see -// Deleting Customer Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) -// in the AWS Key Management Service Developer Guide. +// For more information about scheduling and canceling deletion of a KMS key, +// see Deleting KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) +// in the Key Management Service Developer Guide. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:CancelKeyDeletion (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -104,9 +104,9 @@ func (c *KMS) CancelKeyDeletionRequest(input *CancelKeyDeletionInput) (req *requ // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CancelKeyDeletion func (c *KMS) CancelKeyDeletion(input *CancelKeyDeletionInput) (*CancelKeyDeletionOutput, error) { @@ -176,19 +176,19 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r // ConnectCustomKeyStore API operation for AWS Key Management Service. // // Connects or reconnects a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// to its associated AWS CloudHSM cluster. +// to its associated CloudHSM cluster. // -// The custom key store must be connected before you can create customer master -// keys (CMKs) in the key store or use the CMKs it contains. You can disconnect -// and reconnect a custom key store at any time. +// The custom key store must be connected before you can create KMS keys in +// the key store or use the KMS keys it contains. You can disconnect and reconnect +// a custom key store at any time. // -// To connect a custom key store, its associated AWS CloudHSM cluster must have +// To connect a custom key store, its associated CloudHSM cluster must have // at least one active HSM. To get the number of active HSMs in a cluster, use // the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) // operation. To add HSMs to the cluster, use the CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) // operation. Also, the kmsuser crypto user (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) -// (CU) must not be logged into the cluster. This prevents AWS KMS from using -// this account to log in. +// (CU) must not be logged into the cluster. This prevents KMS from using this +// account to log in. // // The connection process can take an extended amount of time to complete; up // to 20 minutes. This operation starts the connection process, but it does @@ -198,10 +198,10 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r // the connection state of the custom key store, use the DescribeCustomKeyStores // operation. // -// During the connection process, AWS KMS finds the AWS CloudHSM cluster that -// is associated with the custom key store, creates the connection infrastructure, -// connects to the cluster, logs into the AWS CloudHSM client as the kmsuser -// CU, and rotates its password. +// During the connection process, KMS finds the CloudHSM cluster that is associated +// with the custom key store, creates the connection infrastructure, connects +// to the cluster, logs into the CloudHSM client as the kmsuser CU, and rotates +// its password. // // The ConnectCustomKeyStore operation might fail for various reasons. To find // the reason, use the DescribeCustomKeyStores operation and see the ConnectionErrorCode @@ -213,10 +213,10 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r // // If you are having trouble connecting or disconnecting a custom key store, // see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a custom key -// store in a different AWS account. +// store in a different Amazon Web Services account. // // Required permissions: kms:ConnectCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy) @@ -242,11 +242,11 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r // // Returned Error Types: // * CloudHsmClusterNotActiveException -// The request was rejected because the AWS CloudHSM cluster that is associated +// The request was rejected because the CloudHSM cluster that is associated // with the custom key store is not active. Initialize and activate the cluster // and try the command again. For detailed instructions, see Getting Started // (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) -// in the AWS CloudHSM User Guide. +// in the CloudHSM User Guide. // // * CustomKeyStoreInvalidStateException // The request was rejected because of the ConnectionState of the custom key @@ -268,7 +268,7 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r // for all other ConnectionState values. // // * CustomKeyStoreNotFoundException -// The request was rejected because AWS KMS cannot find a custom key store with +// The request was rejected because KMS cannot find a custom key store with // the specified key store name or ID. // // * InternalException @@ -276,8 +276,8 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r // can be retried. // // * CloudHsmClusterInvalidConfigurationException -// The request was rejected because the associated AWS CloudHSM cluster did -// not meet the configuration requirements for a custom key store. +// The request was rejected because the associated CloudHSM cluster did not +// meet the configuration requirements for a custom key store. // // * The cluster must be configured with private subnets in at least two // different Availability Zones in the Region. @@ -292,20 +292,19 @@ func (c *KMS) ConnectCustomKeyStoreRequest(input *ConnectCustomKeyStoreInput) (r // operation. // // * The cluster must contain at least as many HSMs as the operation requires. -// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) // operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey -// operations, the AWS CloudHSM cluster must have at least two active HSMs, -// each in a different Availability Zone. For the ConnectCustomKeyStore operation, -// the AWS CloudHSM must contain at least one active HSM. +// operations, the CloudHSM cluster must have at least two active HSMs, each +// in a different Availability Zone. For the ConnectCustomKeyStore operation, +// the CloudHSM must contain at least one active HSM. // -// For information about the requirements for an AWS CloudHSM cluster that is -// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) -// in the AWS Key Management Service Developer Guide. For information about -// creating a private subnet for an AWS CloudHSM cluster, see Create a Private -// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) -// in the AWS CloudHSM User Guide. For information about cluster security groups, +// For information about the requirements for an CloudHSM cluster that is associated +// with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the Key Management Service Developer Guide. For information about creating +// a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the CloudHSM User Guide. For information about cluster security groups, // see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) -// in the AWS CloudHSM User Guide . +// in the CloudHSM User Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ConnectCustomKeyStore func (c *KMS) ConnectCustomKeyStore(input *ConnectCustomKeyStoreInput) (*ConnectCustomKeyStoreOutput, error) { @@ -374,37 +373,37 @@ func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request, // CreateAlias API operation for AWS Key Management Service. // -// Creates a friendly name for a customer master key (CMK). +// Creates a friendly name for a KMS key. // // Adding, deleting, or updating an alias can allow or deny permission to the -// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) -// in the AWS Key Management Service Developer Guide. +// KMS key. For details, see Using ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) +// in the Key Management Service Developer Guide. // -// You can use an alias to identify a CMK in the AWS KMS console, in the DescribeKey +// You can use an alias to identify a KMS key in the KMS console, in the DescribeKey // operation and in cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations), -// such as Encrypt and GenerateDataKey. You can also change the CMK that's associated -// with the alias (UpdateAlias) or delete the alias (DeleteAlias) at any time. -// These operations don't affect the underlying CMK. +// such as Encrypt and GenerateDataKey. You can also change the KMS key that's +// associated with the alias (UpdateAlias) or delete the alias (DeleteAlias) +// at any time. These operations don't affect the underlying KMS key. // -// You can associate the alias with any customer managed CMK in the same AWS -// Region. Each alias is associated with only one CMK at a time, but a CMK can -// have multiple aliases. A valid CMK is required. You can't create an alias -// without a CMK. +// You can associate the alias with any customer managed key in the same Amazon +// Web Services Region. Each alias is associated with only one KMS key at a +// time, but a KMS key can have multiple aliases. A valid KMS key is required. +// You can't create an alias without a KMS key. // // The alias must be unique in the account and Region, but you can have aliases // with the same name in different Regions. For detailed information about aliases, // see Using aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // This operation does not return a response. To get the alias that you created, // use the ListAliases operation. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on an alias in a -// different AWS account. +// different Amazon Web Services account. // // Required permissions // @@ -412,10 +411,10 @@ func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request, // on the alias (IAM policy). // // * kms:CreateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// on the CMK (key policy). +// on the KMS key (key policy). // // For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // Related operations: // @@ -455,15 +454,15 @@ func (c *KMS) CreateAliasRequest(input *CreateAliasInput) (req *request.Request, // * LimitExceededException // The request was rejected because a quota was exceeded. For more information, // see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // * InvalidStateException // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateAlias func (c *KMS) CreateAlias(input *CreateAliasInput) (*CreateAliasOutput, error) { @@ -532,31 +531,31 @@ func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req // CreateCustomKeyStore API operation for AWS Key Management Service. // // Creates a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// that is associated with an AWS CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html) +// that is associated with an CloudHSM cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/clusters.html) // that you own and manage. // // This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// feature in AWS KMS, which combines the convenience and extensive integration -// of AWS KMS with the isolation and control of a single-tenant key store. +// feature in KMS, which combines the convenience and extensive integration +// of KMS with the isolation and control of a single-tenant key store. // // Before you create the custom key store, you must assemble the required elements, -// including an AWS CloudHSM cluster that fulfills the requirements for a custom +// including an CloudHSM cluster that fulfills the requirements for a custom // key store. For details about the required elements, see Assemble the Prerequisites // (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // When the operation completes successfully, it returns the ID of the new custom // key store. Before you can use your new custom key store, you need to use -// the ConnectCustomKeyStore operation to connect the new key store to its AWS -// CloudHSM cluster. Even if you are not going to use your custom key store -// immediately, you might want to connect it to verify that all settings are -// correct and then disconnect it until you are ready to use it. +// the ConnectCustomKeyStore operation to connect the new key store to its CloudHSM +// cluster. Even if you are not going to use your custom key store immediately, +// you might want to connect it to verify that all settings are correct and +// then disconnect it until you are ready to use it. // // For help with failures, see Troubleshooting a Custom Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a custom key -// store in a different AWS account. +// store in a different Amazon Web Services account. // // Required permissions: kms:CreateCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy). @@ -582,10 +581,10 @@ func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req // // Returned Error Types: // * CloudHsmClusterInUseException -// The request was rejected because the specified AWS CloudHSM cluster is already +// The request was rejected because the specified CloudHSM cluster is already // associated with a custom key store or it shares a backup history with a cluster // that is associated with a custom key store. Each custom key store must be -// associated with a different AWS CloudHSM cluster. +// associated with a different CloudHSM cluster. // // Clusters that share a backup history have the same cluster certificate. To // view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) @@ -597,32 +596,31 @@ func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req // key store name that is unique in the account. // // * CloudHsmClusterNotFoundException -// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster -// with the specified cluster ID. Retry the request with a different cluster -// ID. +// The request was rejected because KMS cannot find the CloudHSM cluster with +// the specified cluster ID. Retry the request with a different cluster ID. // // * InternalException // The request was rejected because an internal exception occurred. The request // can be retried. // // * CloudHsmClusterNotActiveException -// The request was rejected because the AWS CloudHSM cluster that is associated +// The request was rejected because the CloudHSM cluster that is associated // with the custom key store is not active. Initialize and activate the cluster // and try the command again. For detailed instructions, see Getting Started // (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) -// in the AWS CloudHSM User Guide. +// in the CloudHSM User Guide. // // * IncorrectTrustAnchorException // The request was rejected because the trust anchor certificate in the request -// is not the trust anchor certificate for the specified AWS CloudHSM cluster. +// is not the trust anchor certificate for the specified CloudHSM cluster. // // When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), // you create the trust anchor certificate and save it in the customerCA.crt // file. // // * CloudHsmClusterInvalidConfigurationException -// The request was rejected because the associated AWS CloudHSM cluster did -// not meet the configuration requirements for a custom key store. +// The request was rejected because the associated CloudHSM cluster did not +// meet the configuration requirements for a custom key store. // // * The cluster must be configured with private subnets in at least two // different Availability Zones in the Region. @@ -637,20 +635,19 @@ func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req // operation. // // * The cluster must contain at least as many HSMs as the operation requires. -// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) // operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey -// operations, the AWS CloudHSM cluster must have at least two active HSMs, -// each in a different Availability Zone. For the ConnectCustomKeyStore operation, -// the AWS CloudHSM must contain at least one active HSM. +// operations, the CloudHSM cluster must have at least two active HSMs, each +// in a different Availability Zone. For the ConnectCustomKeyStore operation, +// the CloudHSM must contain at least one active HSM. // -// For information about the requirements for an AWS CloudHSM cluster that is -// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) -// in the AWS Key Management Service Developer Guide. For information about -// creating a private subnet for an AWS CloudHSM cluster, see Create a Private -// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) -// in the AWS CloudHSM User Guide. For information about cluster security groups, +// For information about the requirements for an CloudHSM cluster that is associated +// with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the Key Management Service Developer Guide. For information about creating +// a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the CloudHSM User Guide. For information about cluster security groups, // see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) -// in the AWS CloudHSM User Guide . +// in the CloudHSM User Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateCustomKeyStore func (c *KMS) CreateCustomKeyStore(input *CreateCustomKeyStoreInput) (*CreateCustomKeyStoreOutput, error) { @@ -718,49 +715,44 @@ func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request, // CreateGrant API operation for AWS Key Management Service. // -// Adds a grant to a customer master key (CMK). +// Adds a grant to a KMS key. // -// A grant is a policy instrument that allows AWS principals to use AWS KMS -// customer master keys (CMKs) in cryptographic operations. It also can allow -// them to view a CMK (DescribeKey) and create and manage grants. When authorizing -// access to a CMK, grants are considered along with key policies and IAM policies. +// A grant is a policy instrument that allows Amazon Web Services principals +// to use KMS keys in cryptographic operations. It also can allow them to view +// a KMS key (DescribeKey) and create and manage grants. When authorizing access +// to a KMS key, grants are considered along with key policies and IAM policies. // Grants are often used for temporary permissions because you can create one, // use its permissions, and delete it without changing your key policies or // IAM policies. // // For detailed information about grants, including grant terminology, see Using // grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) -// in the AWS Key Management Service Developer Guide . For examples of working -// with grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html). +// in the Key Management Service Developer Guide . For examples of working with +// grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html). // // The CreateGrant operation returns a GrantToken and a GrantId. // // * When you create, retire, or revoke a grant, there might be a brief delay, // usually less than five minutes, until the grant is available throughout -// AWS KMS. This state is known as eventual consistency. Once the grant has -// achieved eventual consistency, the grantee principal can use the permissions -// in the grant without identifying the grant. However, to use the permissions +// KMS. This state is known as eventual consistency. Once the grant has achieved +// eventual consistency, the grantee principal can use the permissions in +// the grant without identifying the grant. However, to use the permissions // in the grant immediately, use the GrantToken that CreateGrant returns. -// For details, see Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/using-grant-token.html) -// in the AWS Key Management Service Developer Guide . +// For details, see Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) +// in the Key Management Service Developer Guide . // // * The CreateGrant operation also returns a GrantId. You can use the GrantId // and a key identifier to identify the grant in the RetireGrant and RevokeGrant // operations. To find the grant ID, use the ListGrants or ListRetirableGrants // operations. // -// For information about symmetric and asymmetric CMKs, see Using Symmetric -// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// in the AWS Key Management Service Developer Guide. For more information about -// grants, see Grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) -// in the AWS Key Management Service Developer Guide . +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. -// -// Cross-account use: Yes. To perform this operation on a CMK in a different -// AWS account, specify the key ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation on a KMS key in a different +// Amazon Web Services account, specify the key ARN in the value of the KeyId +// parameter. // // Required permissions: kms:CreateGrant (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -788,7 +780,7 @@ func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request, // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * DependencyTimeoutException // The system timed out while trying to fulfill the request. The request can @@ -808,15 +800,15 @@ func (c *KMS) CreateGrantRequest(input *CreateGrantInput) (req *request.Request, // * LimitExceededException // The request was rejected because a quota was exceeded. For more information, // see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // * InvalidStateException // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateGrant func (c *KMS) CreateGrant(input *CreateGrantInput) (*CreateGrantOutput, error) { @@ -884,106 +876,111 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out // CreateKey API operation for AWS Key Management Service. // -// Creates a unique customer managed customer master key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master-keys) -// (CMK) in your AWS account and Region. +// Creates a unique customer managed KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms-keys) +// in your Amazon Web Services account and Region. // -// You can use the CreateKey operation to create symmetric or asymmetric CMKs. +// KMS is replacing the term customer master key (CMK) with KMS key and KMS +// key. The concept has not changed. To prevent breaking changes, KMS is keeping +// some variations of this term. // -// * Symmetric CMKs contain a 256-bit symmetric key that never leaves AWS -// KMS unencrypted. To use the CMK, you must call AWS KMS. You can use a -// symmetric CMK to encrypt and decrypt small amounts of data, but they are -// typically used to generate data keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys) +// You can use the CreateKey operation to create symmetric or asymmetric KMS +// keys. +// +// * Symmetric KMS keys contain a 256-bit symmetric key that never leaves +// KMS unencrypted. To use the KMS key, you must call KMS. You can use a +// symmetric KMS key to encrypt and decrypt small amounts of data, but they +// are typically used to generate data keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-keys) // and data keys pairs (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#data-key-pairs). // For details, see GenerateDataKey and GenerateDataKeyPair. // -// * Asymmetric CMKs can contain an RSA key pair or an Elliptic Curve (ECC) -// key pair. The private key in an asymmetric CMK never leaves AWS KMS unencrypted. -// However, you can use the GetPublicKey operation to download the public -// key so it can be used outside of AWS KMS. CMKs with RSA key pairs can -// be used to encrypt or decrypt data or sign and verify messages (but not -// both). CMKs with ECC key pairs can be used only to sign and verify messages. +// * Asymmetric KMS keys can contain an RSA key pair or an Elliptic Curve +// (ECC) key pair. The private key in an asymmetric KMS key never leaves +// KMS unencrypted. However, you can use the GetPublicKey operation to download +// the public key so it can be used outside of KMS. KMS keys with RSA key +// pairs can be used to encrypt or decrypt data or sign and verify messages +// (but not both). KMS keys with ECC key pairs can be used only to sign and +// verify messages. // -// For information about symmetric and asymmetric CMKs, see Using Symmetric -// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// in the AWS Key Management Service Developer Guide. +// For information about symmetric and asymmetric KMS keys, see Using Symmetric +// and Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) +// in the Key Management Service Developer Guide. // -// To create different types of CMKs, use the following guidance: +// To create different types of KMS keys, use the following guidance: // -// Asymmetric CMKs +// Asymmetric KMS keys // -// To create an asymmetric CMK, use the CustomerMasterKeySpec parameter to specify -// the type of key material in the CMK. Then, use the KeyUsage parameter to -// determine whether the CMK will be used to encrypt and decrypt or sign and -// verify. You can't change these properties after the CMK is created. +// To create an asymmetric KMS key, use the KeySpec parameter to specify the +// type of key material in the KMS key. Then, use the KeyUsage parameter to +// determine whether the KMS key will be used to encrypt and decrypt or sign +// and verify. You can't change these properties after the KMS key is created. // -// Symmetric CMKs +// Symmetric KMS keys // -// When creating a symmetric CMK, you don't need to specify the CustomerMasterKeySpec -// or KeyUsage parameters. The default value for CustomerMasterKeySpec, SYMMETRIC_DEFAULT, +// When creating a symmetric KMS key, you don't need to specify the KeySpec +// or KeyUsage parameters. The default value for KeySpec, SYMMETRIC_DEFAULT, // and the default value for KeyUsage, ENCRYPT_DECRYPT, are the only valid values -// for symmetric CMKs. +// for symmetric KMS keys. // // Multi-Region primary keys // // Imported key material // -// To create a multi-Region primary key in the local AWS Region, use the MultiRegion -// parameter with a value of True. To create a multi-Region replica key, that -// is, a CMK with the same key ID and key material as a primary key, but in -// a different AWS Region, use the ReplicateKey operation. To change a replica -// key to a primary key, and its primary key to a replica key, use the UpdatePrimaryRegion -// operation. +// To create a multi-Region primary key in the local Amazon Web Services Region, +// use the MultiRegion parameter with a value of True. To create a multi-Region +// replica key, that is, a KMS key with the same key ID and key material as +// a primary key, but in a different Amazon Web Services Region, use the ReplicateKey +// operation. To change a replica key to a primary key, and its primary key +// to a replica key, use the UpdatePrimaryRegion operation. // -// This operation supports multi-Region keys, an AWS KMS feature that lets you -// create multiple interoperable CMKs in different AWS Regions. Because these -// CMKs have the same key ID, key material, and other metadata, you can use -// them to encrypt data in one AWS Region and decrypt it in a different AWS -// Region without making a cross-Region call or exposing the plaintext data. -// For more information about multi-Region keys, see Using multi-Region keys -// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) -// in the AWS Key Management Service Developer Guide. +// This operation supports multi-Region keys, an KMS feature that lets you create +// multiple interoperable KMS keys in different Amazon Web Services Regions. +// Because these KMS keys have the same key ID, key material, and other metadata, +// you can use them interchangeably to encrypt data in one Amazon Web Services +// Region and decrypt it in a different Amazon Web Services Region without re-encrypting +// the data or making a cross-Region call. For more information about multi-Region +// keys, see Using multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) +// in the Key Management Service Developer Guide. // // You can create symmetric and asymmetric multi-Region keys and multi-Region // keys with imported key material. You cannot create multi-Region keys in a // custom key store. // -// To import your own key material, begin by creating a symmetric CMK with no -// key material. To do this, use the Origin parameter of CreateKey with a value -// of EXTERNAL. Next, use GetParametersForImport operation to get a public key -// and import token, and use the public key to encrypt your key material. Then, -// use ImportKeyMaterial with your import token to import the key material. +// To import your own key material, begin by creating a symmetric KMS key with +// no key material. To do this, use the Origin parameter of CreateKey with a +// value of EXTERNAL. Next, use GetParametersForImport operation to get a public +// key and import token, and use the public key to encrypt your key material. +// Then, use ImportKeyMaterial with your import token to import the key material. // For step-by-step instructions, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// in the AWS Key Management Service Developer Guide . You cannot import the -// key material into an asymmetric CMK. +// in the Key Management Service Developer Guide . You cannot import the key +// material into an asymmetric KMS key. // // To create a multi-Region primary key with imported key material, use the // Origin parameter of CreateKey with a value of EXTERNAL and the MultiRegion // parameter with a value of True. To create replicas of the multi-Region primary // key, use the ReplicateKey operation. For more information about multi-Region // keys, see Using multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // Custom key store // -// To create a symmetric CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), +// To create a symmetric KMS key in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), // use the CustomKeyStoreId parameter to specify the custom key store. You must -// also use the Origin parameter with a value of AWS_CLOUDHSM. The AWS CloudHSM +// also use the Origin parameter with a value of AWS_CLOUDHSM. The CloudHSM // cluster that is associated with the custom key store must have at least two -// active HSMs in different Availability Zones in the AWS Region. +// active HSMs in different Availability Zones in the Amazon Web Services Region. // -// You cannot create an asymmetric CMK or a multi-Region CMK in a custom key -// store. For information about custom key stores in AWS KMS see Using Custom -// Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// in the AWS Key Management Service Developer Guide . +// You cannot create an asymmetric KMS key in a custom key store. For information +// about custom key stores in KMS see Using Custom Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) +// in the Key Management Service Developer Guide . // -// Cross-account use: No. You cannot use this operation to create a CMK in a -// different AWS account. +// Cross-account use: No. You cannot use this operation to create a KMS key +// in a different Amazon Web Services account. // // Required permissions: kms:CreateKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy). To use the Tags parameter, kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy). For examples and information about related permissions, see -// Allow a user to create CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key) -// in the AWS Key Management Service Developer Guide. +// Allow a user to create KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policy-example-create-key) +// in the Key Management Service Developer Guide. // // Related operations: // @@ -1024,13 +1021,13 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out // * LimitExceededException // The request was rejected because a quota was exceeded. For more information, // see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // * TagException // The request was rejected because one or more tags are not valid. // // * CustomKeyStoreNotFoundException -// The request was rejected because AWS KMS cannot find a custom key store with +// The request was rejected because KMS cannot find a custom key store with // the specified key store name or ID. // // * CustomKeyStoreInvalidStateException @@ -1053,8 +1050,8 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out // for all other ConnectionState values. // // * CloudHsmClusterInvalidConfigurationException -// The request was rejected because the associated AWS CloudHSM cluster did -// not meet the configuration requirements for a custom key store. +// The request was rejected because the associated CloudHSM cluster did not +// meet the configuration requirements for a custom key store. // // * The cluster must be configured with private subnets in at least two // different Availability Zones in the Region. @@ -1069,20 +1066,19 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out // operation. // // * The cluster must contain at least as many HSMs as the operation requires. -// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) // operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey -// operations, the AWS CloudHSM cluster must have at least two active HSMs, -// each in a different Availability Zone. For the ConnectCustomKeyStore operation, -// the AWS CloudHSM must contain at least one active HSM. +// operations, the CloudHSM cluster must have at least two active HSMs, each +// in a different Availability Zone. For the ConnectCustomKeyStore operation, +// the CloudHSM must contain at least one active HSM. // -// For information about the requirements for an AWS CloudHSM cluster that is -// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) -// in the AWS Key Management Service Developer Guide. For information about -// creating a private subnet for an AWS CloudHSM cluster, see Create a Private -// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) -// in the AWS CloudHSM User Guide. For information about cluster security groups, +// For information about the requirements for an CloudHSM cluster that is associated +// with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the Key Management Service Developer Guide. For information about creating +// a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the CloudHSM User Guide. For information about cluster security groups, // see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) -// in the AWS CloudHSM User Guide . +// in the CloudHSM User Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/CreateKey func (c *KMS) CreateKey(input *CreateKeyInput) (*CreateKeyOutput, error) { @@ -1150,8 +1146,8 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output // Decrypt API operation for AWS Key Management Service. // -// Decrypts ciphertext that was encrypted by a AWS KMS customer master key (CMK) -// using any of the following operations: +// Decrypts ciphertext that was encrypted by a KMS key using any of the following +// operations: // // * Encrypt // @@ -1164,46 +1160,52 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output // * GenerateDataKeyPairWithoutPlaintext // // You can use this operation to decrypt ciphertext that was encrypted under -// a symmetric or asymmetric CMK. When the CMK is asymmetric, you must specify -// the CMK and the encryption algorithm that was used to encrypt the ciphertext. -// For information about symmetric and asymmetric CMKs, see Using Symmetric -// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// in the AWS Key Management Service Developer Guide. +// a symmetric or asymmetric KMS key. When the KMS key is asymmetric, you must +// specify the KMS key and the encryption algorithm that was used to encrypt +// the ciphertext. For information about symmetric and asymmetric KMS keys, +// see Using Symmetric and Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) +// in the Key Management Service Developer Guide. // // The Decrypt operation also decrypts ciphertext that was encrypted outside -// of AWS KMS by the public key in an AWS KMS asymmetric CMK. However, it cannot -// decrypt ciphertext produced by other libraries, such as the AWS Encryption -// SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) +// of KMS by the public key in an KMS asymmetric KMS key. However, it cannot +// decrypt ciphertext produced by other libraries, such as the Amazon Web Services +// Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) // or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html). -// These libraries return a ciphertext format that is incompatible with AWS -// KMS. +// These libraries return a ciphertext format that is incompatible with KMS. // -// If the ciphertext was encrypted under a symmetric CMK, the KeyId parameter -// is optional. AWS KMS can get this information from metadata that it adds -// to the symmetric ciphertext blob. This feature adds durability to your implementation +// If the ciphertext was encrypted under a symmetric KMS key, the KeyId parameter +// is optional. KMS can get this information from metadata that it adds to the +// symmetric ciphertext blob. This feature adds durability to your implementation // by ensuring that authorized users can decrypt ciphertext decades after it -// was encrypted, even if they've lost track of the CMK ID. However, specifying -// the CMK is always recommended as a best practice. When you use the KeyId -// parameter to specify a CMK, AWS KMS only uses the CMK you specify. If the -// ciphertext was encrypted under a different CMK, the Decrypt operation fails. -// This practice ensures that you use the CMK that you intend. +// was encrypted, even if they've lost track of the key ID. However, specifying +// the KMS key is always recommended as a best practice. When you use the KeyId +// parameter to specify a KMS key, KMS only uses the KMS key you specify. If +// the ciphertext was encrypted under a different KMS key, the Decrypt operation +// fails. This practice ensures that you use the KMS key that you intend. // // Whenever possible, use key policies to give users permission to call the -// Decrypt operation on a particular CMK, instead of using IAM policies. Otherwise, -// you might create an IAM user policy that gives the user Decrypt permission -// on all CMKs. This user could decrypt ciphertext that was encrypted by CMKs -// in other accounts if the key policy for the cross-account CMK permits it. -// If you must use an IAM policy for Decrypt permissions, limit the user to -// particular CMKs or particular trusted accounts. For details, see Best practices -// for IAM policies (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices) -// in the AWS Key Management Service Developer Guide. +// Decrypt operation on a particular KMS key, instead of using IAM policies. +// Otherwise, you might create an IAM user policy that gives the user Decrypt +// permission on all KMS keys. This user could decrypt ciphertext that was encrypted +// by KMS keys in other accounts if the key policy for the cross-account KMS +// key permits it. If you must use an IAM policy for Decrypt permissions, limit +// the user to particular KMS keys or particular trusted accounts. For details, +// see Best practices for IAM policies (https://docs.aws.amazon.com/kms/latest/developerguide/iam-policies.html#iam-policies-best-practices) +// in the Key Management Service Developer Guide. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// Applications in Amazon Web Services Nitro Enclaves can call this operation +// by using the Amazon Web Services Nitro Enclaves Development Kit (https://github.com/aws/aws-nitro-enclaves-sdk-c). +// For information about the supporting parameters, see How Amazon Web Services +// Nitro Enclaves use KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: Yes. You can decrypt a ciphertext using a CMK in a different -// AWS account. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. +// +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value +// of the KeyId parameter. // // Required permissions: kms:Decrypt (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -1231,7 +1233,7 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * InvalidCiphertextException // From the Decrypt or ReEncrypt operation, the request was rejected because @@ -1239,32 +1241,33 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output // the ciphertext, such as the encryption context, is corrupted, missing, or // otherwise invalid. // -// From the ImportKeyMaterial operation, the request was rejected because AWS -// KMS could not decrypt the encrypted (wrapped) key material. +// From the ImportKeyMaterial operation, the request was rejected because KMS +// could not decrypt the encrypted (wrapped) key material. // // * KeyUnavailableException -// The request was rejected because the specified CMK was not available. You -// can retry the request. +// The request was rejected because the specified KMS key was not available. +// You can retry the request. // // * IncorrectKeyException -// The request was rejected because the specified CMK cannot decrypt the data. -// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request -// must identify the same CMK that was used to encrypt the ciphertext. +// The request was rejected because the specified KMS key cannot decrypt the +// data. The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request +// must identify the same KMS key that was used to encrypt the ciphertext. // // * InvalidKeyUsageException // The request was rejected for one of the following reasons: // -// * The KeyUsage value of the CMK is incompatible with the API operation. +// * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation -// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage -// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// To find the encryption or signing algorithms supported for a particular CMK, -// use the DescribeKey operation. +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKey operation. // // * DependencyTimeoutException // The system timed out while trying to fulfill the request. The request can @@ -1281,9 +1284,9 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Decrypt func (c *KMS) Decrypt(input *DecryptInput) (*DecryptOutput, error) { @@ -1355,20 +1358,20 @@ func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request, // Deletes the specified alias. // // Adding, deleting, or updating an alias can allow or deny permission to the -// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) -// in the AWS Key Management Service Developer Guide. +// KMS key. For details, see Using ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) +// in the Key Management Service Developer Guide. // -// Because an alias is not a property of a CMK, you can delete and change the -// aliases of a CMK without affecting the CMK. Also, aliases do not appear in -// the response from the DescribeKey operation. To get the aliases of all CMKs, -// use the ListAliases operation. +// Because an alias is not a property of a KMS key, you can delete and change +// the aliases of a KMS key without affecting the KMS key. Also, aliases do +// not appear in the response from the DescribeKey operation. To get the aliases +// of all KMS keys, use the ListAliases operation. // -// Each CMK can have multiple aliases. To change the alias of a CMK, use DeleteAlias -// to delete the current alias and CreateAlias to create a new alias. To associate -// an existing alias with a different customer master key (CMK), call UpdateAlias. +// Each KMS key can have multiple aliases. To change the alias of a KMS key, +// use DeleteAlias to delete the current alias and CreateAlias to create a new +// alias. To associate an existing alias with a different KMS key, call UpdateAlias. // // Cross-account use: No. You cannot perform this operation on an alias in a -// different AWS account. +// different Amazon Web Services account. // // Required permissions // @@ -1376,10 +1379,10 @@ func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request, // on the alias (IAM policy). // // * kms:DeleteAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// on the CMK (key policy). +// on the KMS key (key policy). // // For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // Related operations: // @@ -1413,9 +1416,9 @@ func (c *KMS) DeleteAliasRequest(input *DeleteAliasInput) (req *request.Request, // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteAlias func (c *KMS) DeleteAlias(input *DeleteAliasInput) (*DeleteAliasOutput, error) { @@ -1485,37 +1488,35 @@ func (c *KMS) DeleteCustomKeyStoreRequest(input *DeleteCustomKeyStoreInput) (req // DeleteCustomKeyStore API operation for AWS Key Management Service. // // Deletes a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). -// This operation does not delete the AWS CloudHSM cluster that is associated -// with the custom key store, or affect any users or keys in the cluster. +// This operation does not delete the CloudHSM cluster that is associated with +// the custom key store, or affect any users or keys in the cluster. // -// The custom key store that you delete cannot contain any AWS KMS customer -// master keys (CMKs) (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys). +// The custom key store that you delete cannot contain any KMS KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys). // Before deleting the key store, verify that you will never need to use any -// of the CMKs in the key store for any cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). -// Then, use ScheduleKeyDeletion to delete the AWS KMS customer master keys -// (CMKs) from the key store. When the scheduled waiting period expires, the -// ScheduleKeyDeletion operation deletes the CMKs. Then it makes a best effort -// to delete the key material from the associated cluster. However, you might -// need to manually delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) +// of the KMS keys in the key store for any cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). +// Then, use ScheduleKeyDeletion to delete the KMS keys from the key store. +// When the scheduled waiting period expires, the ScheduleKeyDeletion operation +// deletes the KMS keys. Then it makes a best effort to delete the key material +// from the associated cluster. However, you might need to manually delete the +// orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) // from the cluster and its backups. // -// After all CMKs are deleted from AWS KMS, use DisconnectCustomKeyStore to -// disconnect the key store from AWS KMS. Then, you can delete the custom key -// store. +// After all KMS keys are deleted from KMS, use DisconnectCustomKeyStore to +// disconnect the key store from KMS. Then, you can delete the custom key store. // // Instead of deleting the custom key store, consider using DisconnectCustomKeyStore -// to disconnect it from AWS KMS. While the key store is disconnected, you cannot -// create or use the CMKs in the key store. But, you do not need to delete CMKs -// and you can reconnect a disconnected custom key store at any time. +// to disconnect it from KMS. While the key store is disconnected, you cannot +// create or use the KMS keys in the key store. But, you do not need to delete +// KMS keys and you can reconnect a disconnected custom key store at any time. // // If the operation succeeds, it returns a JSON object with no properties. // // This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// feature in AWS KMS, which combines the convenience and extensive integration -// of AWS KMS with the isolation and control of a single-tenant key store. +// feature in KMS, which combines the convenience and extensive integration +// of KMS with the isolation and control of a single-tenant key store. // // Cross-account use: No. You cannot perform this operation on a custom key -// store in a different AWS account. +// store in a different Amazon Web Services account. // // Required permissions: kms:DeleteCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy) @@ -1541,10 +1542,10 @@ func (c *KMS) DeleteCustomKeyStoreRequest(input *DeleteCustomKeyStoreInput) (req // // Returned Error Types: // * CustomKeyStoreHasCMKsException -// The request was rejected because the custom key store contains AWS KMS customer -// master keys (CMKs). After verifying that you do not need to use the CMKs, -// use the ScheduleKeyDeletion operation to delete the CMKs. After they are -// deleted, you can delete the custom key store. +// The request was rejected because the custom key store contains KMS keys. +// After verifying that you do not need to use the KMS keys, use the ScheduleKeyDeletion +// operation to delete the KMS keys. After they are deleted, you can delete +// the custom key store. // // * CustomKeyStoreInvalidStateException // The request was rejected because of the ConnectionState of the custom key @@ -1566,7 +1567,7 @@ func (c *KMS) DeleteCustomKeyStoreRequest(input *DeleteCustomKeyStoreInput) (req // for all other ConnectionState values. // // * CustomKeyStoreNotFoundException -// The request was rejected because AWS KMS cannot find a custom key store with +// The request was rejected because KMS cannot find a custom key store with // the specified key store name or ID. // // * InternalException @@ -1641,22 +1642,23 @@ func (c *KMS) DeleteImportedKeyMaterialRequest(input *DeleteImportedKeyMaterialI // DeleteImportedKeyMaterial API operation for AWS Key Management Service. // // Deletes key material that you previously imported. This operation makes the -// specified customer master key (CMK) unusable. For more information about -// importing key material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// in the AWS Key Management Service Developer Guide. +// specified KMS key unusable. For more information about importing key material +// into KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) +// in the Key Management Service Developer Guide. // -// When the specified CMK is in the PendingDeletion state, this operation does -// not change the CMK's state. Otherwise, it changes the CMK's state to PendingImport. +// When the specified KMS key is in the PendingDeletion state, this operation +// does not change the KMS key's state. Otherwise, it changes the KMS key's +// state to PendingImport. // // After you delete key material, you can use ImportKeyMaterial to reimport -// the same key material into the CMK. +// the same key material into the KMS key. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:DeleteImportedKeyMaterial (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -1699,9 +1701,9 @@ func (c *KMS) DeleteImportedKeyMaterialRequest(input *DeleteImportedKeyMaterialI // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeleteImportedKeyMaterial func (c *KMS) DeleteImportedKeyMaterial(input *DeleteImportedKeyMaterialInput) (*DeleteImportedKeyMaterialOutput, error) { @@ -1773,32 +1775,32 @@ func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput // in the account and Region. // // This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// feature in AWS KMS, which combines the convenience and extensive integration -// of AWS KMS with the isolation and control of a single-tenant key store. +// feature in KMS, which combines the convenience and extensive integration +// of KMS with the isolation and control of a single-tenant key store. // // By default, this operation returns information about all custom key stores // in the account and Region. To get only information about a particular custom // key store, use either the CustomKeyStoreName or CustomKeyStoreId parameter // (but not both). // -// To determine whether the custom key store is connected to its AWS CloudHSM -// cluster, use the ConnectionState element in the response. If an attempt to -// connect the custom key store failed, the ConnectionState value is FAILED -// and the ConnectionErrorCode element in the response indicates the cause of -// the failure. For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry. +// To determine whether the custom key store is connected to its CloudHSM cluster, +// use the ConnectionState element in the response. If an attempt to connect +// the custom key store failed, the ConnectionState value is FAILED and the +// ConnectionErrorCode element in the response indicates the cause of the failure. +// For help interpreting the ConnectionErrorCode, see CustomKeyStoresListEntry. // // Custom key stores have a DISCONNECTED connection state if the key store has // never been connected or you use the DisconnectCustomKeyStore operation to // disconnect it. If your custom key store state is CONNECTED but you are having -// trouble using it, make sure that its associated AWS CloudHSM cluster is active +// trouble using it, make sure that its associated CloudHSM cluster is active // and contains the minimum number of HSMs required for the operation, if any. // // For help repairing your custom key store, see the Troubleshooting Custom // Key Stores (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) -// topic in the AWS Key Management Service Developer Guide. +// topic in the Key Management Service Developer Guide. // // Cross-account use: No. You cannot perform this operation on a custom key -// store in a different AWS account. +// store in a different Amazon Web Services account. // // Required permissions: kms:DescribeCustomKeyStores (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy) @@ -1824,7 +1826,7 @@ func (c *KMS) DescribeCustomKeyStoresRequest(input *DescribeCustomKeyStoresInput // // Returned Error Types: // * CustomKeyStoreNotFoundException -// The request was rejected because AWS KMS cannot find a custom key store with +// The request was rejected because KMS cannot find a custom key store with // the specified key store name or ID. // // * InvalidMarkerException @@ -1901,41 +1903,45 @@ func (c *KMS) DescribeKeyRequest(input *DescribeKeyInput) (req *request.Request, // DescribeKey API operation for AWS Key Management Service. // -// Provides detailed information about a customer master key (CMK). You can -// run DescribeKey on a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) -// or an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). +// Provides detailed information about a KMS key. You can run DescribeKey on +// a customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) +// or an Amazon Web Services managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). // // This detailed information includes the key ARN, creation date (and deletion // date, if applicable), the key state, and the origin and expiration date (if -// any) of the key material. For CMKs in custom key stores, it includes information -// about the custom key store, such as the key store ID and the AWS CloudHSM -// cluster ID. It includes fields, like KeySpec, that help you distinguish symmetric -// from asymmetric CMKs. It also provides information that is particularly important -// to asymmetric CMKs, such as the key usage (encryption or signing) and the -// encryption algorithms or signing algorithms that the CMK supports. +// any) of the key material. It includes fields, like KeySpec, that help you +// distinguish symmetric from asymmetric KMS keys. It also provides information +// that is particularly important to asymmetric keys, such as the key usage +// (encryption or signing) and the encryption algorithms or signing algorithms +// that the KMS key supports. For KMS keys in custom key stores, it includes +// information about the custom key store, such as the key store ID and the +// CloudHSM cluster ID. For multi-Region keys, it displays the primary key and +// all related replica keys. // // DescribeKey does not return the following information: // -// * Aliases associated with the CMK. To get this information, use ListAliases. +// * Aliases associated with the KMS key. To get this information, use ListAliases. // -// * Whether automatic key rotation is enabled on the CMK. To get this information, -// use GetKeyRotationStatus. Also, some key states prevent a CMK from being -// automatically rotated. For details, see How Automatic Key Rotation Works -// (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works) -// in AWS Key Management Service Developer Guide. +// * Whether automatic key rotation is enabled on the KMS key. To get this +// information, use GetKeyRotationStatus. Also, some key states prevent a +// KMS key from being automatically rotated. For details, see How Automatic +// Key Rotation Works (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-how-it-works) +// in Key Management Service Developer Guide. // -// * Tags on the CMK. To get this information, use ListResourceTags. +// * Tags on the KMS key. To get this information, use ListResourceTags. // -// * Key policies and grants on the CMK. To get this information, use GetKeyPolicy -// and ListGrants. +// * Key policies and grants on the KMS key. To get this information, use +// GetKeyPolicy and ListGrants. // -// If you call the DescribeKey operation on a predefined AWS alias, that is, -// an AWS alias with no key ID, AWS KMS creates an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys). -// Then, it associates the alias with the new CMK, and returns the KeyId and -// Arn of the new CMK in the response. +// If you call the DescribeKey operation on a predefined Amazon Web Services +// alias, that is, an Amazon Web Services alias with no key ID, KMS creates +// an Amazon Web Services managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). +// Then, it associates the alias with the new KMS key, and returns the KeyId +// and Arn of the new KMS key in the response. // -// Cross-account use: Yes. To perform this operation with a CMK in a different -// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value +// of the KeyId parameter. // // Required permissions: kms:DescribeKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -2047,19 +2053,19 @@ func (c *KMS) DisableKeyRequest(input *DisableKeyInput) (req *request.Request, o // DisableKey API operation for AWS Key Management Service. // -// Sets the state of a customer master key (CMK) to disabled. This change temporarily -// prevents use of the CMK for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). +// Sets the state of a KMS key to disabled. This change temporarily prevents +// use of the KMS key for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). // -// For more information about how key state affects the use of a CMK, see Key -// state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:DisableKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -2094,9 +2100,9 @@ func (c *KMS) DisableKeyRequest(input *DisableKeyInput) (req *request.Request, o // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DisableKey func (c *KMS) DisableKey(input *DisableKeyInput) (*DisableKeyOutput, error) { @@ -2166,21 +2172,21 @@ func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *re // DisableKeyRotation API operation for AWS Key Management Service. // // Disables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) -// for the specified symmetric customer master key (CMK). +// for the specified symmetric KMS key. // -// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), -// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), -// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// You cannot enable automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), +// KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), +// or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). // To enable or disable automatic rotation of a set of related multi-Region // keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key), // set the property on the primary key. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:DisableKeyRotation (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -2204,7 +2210,7 @@ func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *re // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * InvalidArnException // The request was rejected because a specified ARN, or an ARN in a key policy, @@ -2222,9 +2228,9 @@ func (c *KMS) DisableKeyRotationRequest(input *DisableKeyRotationInput) (req *re // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // * UnsupportedOperationException // The request was rejected because a specified parameter is not supported or @@ -2298,14 +2304,14 @@ func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInp // DisconnectCustomKeyStore API operation for AWS Key Management Service. // // Disconnects the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// from its associated AWS CloudHSM cluster. While a custom key store is disconnected, -// you can manage the custom key store and its customer master keys (CMKs), -// but you cannot create or use CMKs in the custom key store. You can reconnect -// the custom key store at any time. +// from its associated CloudHSM cluster. While a custom key store is disconnected, +// you can manage the custom key store and its KMS keys, but you cannot create +// or use KMS keys in the custom key store. You can reconnect the custom key +// store at any time. // -// While a custom key store is disconnected, all attempts to create customer -// master keys (CMKs) in the custom key store or to use existing CMKs in cryptographic -// operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) +// While a custom key store is disconnected, all attempts to create KMS keys +// in the custom key store or to use existing KMS keys in cryptographic operations +// (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) // will fail. This action can prevent users from storing and accessing sensitive // data. // @@ -2316,11 +2322,11 @@ func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInp // If the operation succeeds, it returns a JSON object with no properties. // // This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// feature in AWS KMS, which combines the convenience and extensive integration -// of AWS KMS with the isolation and control of a single-tenant key store. +// feature in KMS, which combines the convenience and extensive integration +// of KMS with the isolation and control of a single-tenant key store. // // Cross-account use: No. You cannot perform this operation on a custom key -// store in a different AWS account. +// store in a different Amazon Web Services account. // // Required permissions: kms:DisconnectCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy) @@ -2365,7 +2371,7 @@ func (c *KMS) DisconnectCustomKeyStoreRequest(input *DisconnectCustomKeyStoreInp // for all other ConnectionState values. // // * CustomKeyStoreNotFoundException -// The request was rejected because AWS KMS cannot find a custom key store with +// The request was rejected because KMS cannot find a custom key store with // the specified key store name or ID. // // * InternalException @@ -2439,15 +2445,15 @@ func (c *KMS) EnableKeyRequest(input *EnableKeyInput) (req *request.Request, out // EnableKey API operation for AWS Key Management Service. // -// Sets the key state of a customer master key (CMK) to enabled. This allows -// you to use the CMK for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). +// Sets the key state of a KMS key to enabled. This allows you to use the KMS +// key for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations). // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:EnableKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -2481,15 +2487,15 @@ func (c *KMS) EnableKeyRequest(input *EnableKeyInput) (req *request.Request, out // * LimitExceededException // The request was rejected because a quota was exceeded. For more information, // see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // * InvalidStateException // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/EnableKey func (c *KMS) EnableKey(input *EnableKeyInput) (*EnableKeyOutput, error) { @@ -2559,21 +2565,21 @@ func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *requ // EnableKeyRotation API operation for AWS Key Management Service. // // Enables automatic rotation of the key material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) -// for the specified symmetric customer master key (CMK). +// for the specified symmetric KMS key. // -// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), -// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), -// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// You cannot enable automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), +// KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), +// or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). // To enable or disable automatic rotation of a set of related multi-Region // keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key), // set the property on the primary key. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:EnableKeyRotation (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -2597,7 +2603,7 @@ func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *requ // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * InvalidArnException // The request was rejected because a specified ARN, or an ARN in a key policy, @@ -2615,9 +2621,9 @@ func (c *KMS) EnableKeyRotationRequest(input *EnableKeyRotationInput) (req *requ // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // * UnsupportedOperationException // The request was rejected because a specified parameter is not supported or @@ -2689,55 +2695,56 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output // Encrypt API operation for AWS Key Management Service. // -// Encrypts plaintext into ciphertext by using a customer master key (CMK). -// The Encrypt operation has two primary use cases: +// Encrypts plaintext into ciphertext by using a KMS key. The Encrypt operation +// has two primary use cases: // // * You can encrypt small amounts of arbitrary data, such as a personal // identifier or database password, or other sensitive information. // -// * You can use the Encrypt operation to move encrypted data from one AWS -// Region to another. For example, in Region A, generate a data key and use -// the plaintext key to encrypt your data. Then, in Region A, use the Encrypt -// operation to encrypt the plaintext data key under a CMK in Region B. Now, -// you can move the encrypted data and the encrypted data key to Region B. -// When necessary, you can decrypt the encrypted data key and the encrypted -// data entirely within in Region B. +// * You can use the Encrypt operation to move encrypted data from one Amazon +// Web Services Region to another. For example, in Region A, generate a data +// key and use the plaintext key to encrypt your data. Then, in Region A, +// use the Encrypt operation to encrypt the plaintext data key under a KMS +// key in Region B. Now, you can move the encrypted data and the encrypted +// data key to Region B. When necessary, you can decrypt the encrypted data +// key and the encrypted data entirely within in Region B. // // You don't need to use the Encrypt operation to encrypt a data key. The GenerateDataKey // and GenerateDataKeyPair operations return a plaintext data key and an encrypted // copy of that data key. // -// When you encrypt data, you must specify a symmetric or asymmetric CMK to -// use in the encryption operation. The CMK must have a KeyUsage value of ENCRYPT_DECRYPT. -// To find the KeyUsage of a CMK, use the DescribeKey operation. +// When you encrypt data, you must specify a symmetric or asymmetric KMS key +// to use in the encryption operation. The KMS key must have a KeyUsage value +// of ENCRYPT_DECRYPT. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// If you use a symmetric CMK, you can use an encryption context to add additional -// security to your encryption operation. If you specify an EncryptionContext +// If you use a symmetric KMS key, you can use an encryption context to add +// additional security to your encryption operation. If you specify an EncryptionContext // when encrypting data, you must specify the same encryption context (a case-sensitive // exact match) when decrypting the data. Otherwise, the request to decrypt // fails with an InvalidCiphertextException. For more information, see Encryption // Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // -// If you specify an asymmetric CMK, you must also specify the encryption algorithm. -// The algorithm must be compatible with the CMK type. +// If you specify an asymmetric KMS key, you must also specify the encryption +// algorithm. The algorithm must be compatible with the KMS key type. // -// When you use an asymmetric CMK to encrypt or reencrypt data, be sure to record -// the CMK and encryption algorithm that you choose. You will be required to -// provide the same CMK and encryption algorithm when you decrypt the data. -// If the CMK and algorithm do not match the values used to encrypt the data, -// the decrypt operation fails. +// When you use an asymmetric KMS key to encrypt or reencrypt data, be sure +// to record the KMS key and encryption algorithm that you choose. You will +// be required to provide the same KMS key and encryption algorithm when you +// decrypt the data. If the KMS key and algorithm do not match the values used +// to encrypt the data, the decrypt operation fails. // -// You are not required to supply the CMK ID and encryption algorithm when you -// decrypt with symmetric CMKs because AWS KMS stores this information in the -// ciphertext blob. AWS KMS cannot store metadata in ciphertext generated with -// asymmetric keys. The standard format for asymmetric key ciphertext does not -// include configurable fields. +// You are not required to supply the key ID and encryption algorithm when you +// decrypt with symmetric KMS keys because KMS stores this information in the +// ciphertext blob. KMS cannot store metadata in ciphertext generated with asymmetric +// keys. The standard format for asymmetric key ciphertext does not include +// configurable fields. // // The maximum size of the data that you can encrypt varies with the type of -// CMK and the encryption algorithm that you choose. +// KMS key and the encryption algorithm that you choose. // -// * Symmetric CMKs SYMMETRIC_DEFAULT: 4096 bytes +// * Symmetric KMS keys SYMMETRIC_DEFAULT: 4096 bytes // // * RSA_2048 RSAES_OAEP_SHA_1: 214 bytes RSAES_OAEP_SHA_256: 190 bytes // @@ -2745,12 +2752,13 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output // // * RSA_4096 RSAES_OAEP_SHA_1: 470 bytes RSAES_OAEP_SHA_256: 446 bytes // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: Yes. To perform this operation with a CMK in a different -// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value +// of the KeyId parameter. // // Required permissions: kms:Encrypt (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -2776,11 +2784,11 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * KeyUnavailableException -// The request was rejected because the specified CMK was not available. You -// can retry the request. +// The request was rejected because the specified KMS key was not available. +// You can retry the request. // // * DependencyTimeoutException // The system timed out while trying to fulfill the request. The request can @@ -2789,17 +2797,18 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output // * InvalidKeyUsageException // The request was rejected for one of the following reasons: // -// * The KeyUsage value of the CMK is incompatible with the API operation. +// * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation -// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage -// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// To find the encryption or signing algorithms supported for a particular CMK, -// use the DescribeKey operation. +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKey operation. // // * InvalidGrantTokenException // The request was rejected because the specified grant token is not valid. @@ -2812,9 +2821,9 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Encrypt func (c *KMS) Encrypt(input *EncryptInput) (*EncryptOutput, error) { @@ -2884,18 +2893,18 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request. // // Generates a unique symmetric data key for client-side encryption. This operation // returns a plaintext copy of the data key and a copy that is encrypted under -// a customer master key (CMK) that you specify. You can use the plaintext key -// to encrypt your data outside of AWS KMS and store the encrypted data key -// with the encrypted data. +// a KMS key that you specify. You can use the plaintext key to encrypt your +// data outside of KMS and store the encrypted data key with the encrypted data. // // GenerateDataKey returns a unique data key for each request. The bytes in -// the plaintext key are not related to the caller or the CMK. +// the plaintext key are not related to the caller or the KMS key. // -// To generate a data key, specify the symmetric CMK that will be used to encrypt -// the data key. You cannot use an asymmetric CMK to generate data keys. To -// get the type of your CMK, use the DescribeKey operation. You must also specify -// the length of the data key. Use either the KeySpec or NumberOfBytes parameters -// (but not both). For 128-bit and 256-bit data keys, use the KeySpec parameter. +// To generate a data key, specify the symmetric KMS key that will be used to +// encrypt the data key. You cannot use an asymmetric KMS key to generate data +// keys. To get the type of your KMS key, use the DescribeKey operation. You +// must also specify the length of the data key. Use either the KeySpec or NumberOfBytes +// parameters (but not both). For 128-bit and 256-bit data keys, use the KeySpec +// parameter. // // To get only an encrypted copy of the data key, use GenerateDataKeyWithoutPlaintext. // To generate an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext @@ -2906,41 +2915,48 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request. // the same encryption context (a case-sensitive exact match) when decrypting // the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// Applications in Amazon Web Services Nitro Enclaves can call this operation +// by using the Amazon Web Services Nitro Enclaves Development Kit (https://github.com/aws/aws-nitro-enclaves-sdk-c). +// For information about the supporting parameters, see How Amazon Web Services +// Nitro Enclaves use KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) +// in the Key Management Service Developer Guide. +// +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // // How to use your data key // // We recommend that you use the following pattern to encrypt data locally in // your application. You can write your own code or use a client-side encryption -// library, such as the AWS Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/), +// library, such as the Amazon Web Services Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/), // the Amazon DynamoDB Encryption Client (https://docs.aws.amazon.com/dynamodb-encryption-client/latest/devguide/), // or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html) // to do these tasks for you. // -// To encrypt data outside of AWS KMS: +// To encrypt data outside of KMS: // // Use the GenerateDataKey operation to get a data key. // // Use the plaintext data key (in the Plaintext field of the response) to encrypt -// your data outside of AWS KMS. Then erase the plaintext data key from memory. +// your data outside of KMS. Then erase the plaintext data key from memory. // // Store the encrypted data key (in the CiphertextBlob field of the response) // with the encrypted data. // -// To decrypt data outside of AWS KMS: +// To decrypt data outside of KMS: // // Use the Decrypt operation to decrypt the encrypted data key. The operation // returns a plaintext copy of the data key. // -// Use the plaintext data key to decrypt data outside of AWS KMS, then erase -// the plaintext data key from memory. +// Use the plaintext data key to decrypt data outside of KMS, then erase the +// plaintext data key from memory. // -// Cross-account use: Yes. To perform this operation with a CMK in a different -// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value +// of the KeyId parameter. // // Required permissions: kms:GenerateDataKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -2970,11 +2986,11 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request. // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * KeyUnavailableException -// The request was rejected because the specified CMK was not available. You -// can retry the request. +// The request was rejected because the specified KMS key was not available. +// You can retry the request. // // * DependencyTimeoutException // The system timed out while trying to fulfill the request. The request can @@ -2983,17 +2999,18 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request. // * InvalidKeyUsageException // The request was rejected for one of the following reasons: // -// * The KeyUsage value of the CMK is incompatible with the API operation. +// * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation -// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage -// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// To find the encryption or signing algorithms supported for a particular CMK, -// use the DescribeKey operation. +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKey operation. // // * InvalidGrantTokenException // The request was rejected because the specified grant token is not valid. @@ -3006,9 +3023,9 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request. // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKey func (c *KMS) GenerateDataKey(input *GenerateDataKeyInput) (*GenerateDataKeyOutput, error) { @@ -3078,22 +3095,24 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req * // // Generates a unique asymmetric data key pair. The GenerateDataKeyPair operation // returns a plaintext public key, a plaintext private key, and a copy of the -// private key that is encrypted under the symmetric CMK you specify. You can -// use the data key pair to perform asymmetric cryptography outside of AWS KMS. -// -// GenerateDataKeyPair returns a unique data key pair for each request. The -// bytes in the keys are not related to the caller or the CMK that is used to -// encrypt the private key. +// private key that is encrypted under the symmetric KMS key you specify. You +// can use the data key pair to perform asymmetric cryptography and implement +// digital signatures outside of KMS. // // You can use the public key that GenerateDataKeyPair returns to encrypt data -// or verify a signature outside of AWS KMS. Then, store the encrypted private -// key with the data. When you are ready to decrypt data or sign a message, -// you can use the Decrypt operation to decrypt the encrypted private key. +// or verify a signature outside of KMS. Then, store the encrypted private key +// with the data. When you are ready to decrypt data or sign a message, you +// can use the Decrypt operation to decrypt the encrypted private key. // -// To generate a data key pair, you must specify a symmetric customer master -// key (CMK) to encrypt the private key in a data key pair. You cannot use an -// asymmetric CMK or a CMK in a custom key store. To get the type and origin -// of your CMK, use the DescribeKey operation. +// To generate a data key pair, you must specify a symmetric KMS key to encrypt +// the private key in a data key pair. You cannot use an asymmetric KMS key +// or a KMS key in a custom key store. To get the type and origin of your KMS +// key, use the DescribeKey operation. +// +// Use the KeyPairSpec parameter to choose an RSA or Elliptic Curve (ECC) data +// key pair. KMS recommends that your use ECC key pairs for signing, and use +// RSA key pairs for either encryption or signing, but not both. However, KMS +// cannot enforce any restrictions on the use of data key pairs outside of KMS. // // If you are using the data key pair to encrypt data, or for any operation // where you don't immediately need a private key, consider using the GenerateDataKeyPairWithoutPlaintext @@ -3103,19 +3122,26 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req * // to decrypt the data or sign a message, use the Decrypt operation to decrypt // the encrypted private key in the data key pair. // +// GenerateDataKeyPair returns a unique data key pair for each request. The +// bytes in the keys are not related to the caller or the KMS key that is used +// to encrypt the private key. The public key is a DER-encoded X.509 SubjectPublicKeyInfo, +// as specified in RFC 5280 (https://tools.ietf.org/html/rfc5280). The private +// key is a DER-encoded PKCS8 PrivateKeyInfo, as specified in RFC 5958 (https://tools.ietf.org/html/rfc5958). +// // You can use the optional encryption context to add additional security to // the encryption operation. If you specify an EncryptionContext, you must specify // the same encryption context (a case-sensitive exact match) when decrypting // the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: Yes. To perform this operation with a CMK in a different -// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value +// of the KeyId parameter. // // Required permissions: kms:GenerateDataKeyPair (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -3145,11 +3171,11 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req * // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * KeyUnavailableException -// The request was rejected because the specified CMK was not available. You -// can retry the request. +// The request was rejected because the specified KMS key was not available. +// You can retry the request. // // * DependencyTimeoutException // The system timed out while trying to fulfill the request. The request can @@ -3158,17 +3184,18 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req * // * InvalidKeyUsageException // The request was rejected for one of the following reasons: // -// * The KeyUsage value of the CMK is incompatible with the API operation. +// * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation -// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage -// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// To find the encryption or signing algorithms supported for a particular CMK, -// use the DescribeKey operation. +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKey operation. // // * InvalidGrantTokenException // The request was rejected because the specified grant token is not valid. @@ -3181,9 +3208,9 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req * // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // * UnsupportedOperationException // The request was rejected because a specified parameter is not supported or @@ -3257,37 +3284,43 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP // // Generates a unique asymmetric data key pair. The GenerateDataKeyPairWithoutPlaintext // operation returns a plaintext public key and a copy of the private key that -// is encrypted under the symmetric CMK you specify. Unlike GenerateDataKeyPair, +// is encrypted under the symmetric KMS key you specify. Unlike GenerateDataKeyPair, // this operation does not return a plaintext private key. // -// To generate a data key pair, you must specify a symmetric customer master -// key (CMK) to encrypt the private key in the data key pair. You cannot use -// an asymmetric CMK or a CMK in a custom key store. To get the type and origin -// of your CMK, use the KeySpec field in the DescribeKey response. -// // You can use the public key that GenerateDataKeyPairWithoutPlaintext returns -// to encrypt data or verify a signature outside of AWS KMS. Then, store the -// encrypted private key with the data. When you are ready to decrypt data or -// sign a message, you can use the Decrypt operation to decrypt the encrypted -// private key. +// to encrypt data or verify a signature outside of KMS. Then, store the encrypted +// private key with the data. When you are ready to decrypt data or sign a message, +// you can use the Decrypt operation to decrypt the encrypted private key. +// +// To generate a data key pair, you must specify a symmetric KMS key to encrypt +// the private key in a data key pair. You cannot use an asymmetric KMS key +// or a KMS key in a custom key store. To get the type and origin of your KMS +// key, use the DescribeKey operation. +// +// Use the KeyPairSpec parameter to choose an RSA or Elliptic Curve (ECC) data +// key pair. KMS recommends that your use ECC key pairs for signing, and use +// RSA key pairs for either encryption or signing, but not both. However, KMS +// cannot enforce any restrictions on the use of data key pairs outside of KMS. // // GenerateDataKeyPairWithoutPlaintext returns a unique data key pair for each -// request. The bytes in the key are not related to the caller or CMK that is -// used to encrypt the private key. +// request. The bytes in the key are not related to the caller or KMS key that +// is used to encrypt the private key. The public key is a DER-encoded X.509 +// SubjectPublicKeyInfo, as specified in RFC 5280 (https://tools.ietf.org/html/rfc5280). // // You can use the optional encryption context to add additional security to // the encryption operation. If you specify an EncryptionContext, you must specify // the same encryption context (a case-sensitive exact match) when decrypting // the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: Yes. To perform this operation with a CMK in a different -// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value +// of the KeyId parameter. // // Required permissions: kms:GenerateDataKeyPairWithoutPlaintext (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -3317,11 +3350,11 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * KeyUnavailableException -// The request was rejected because the specified CMK was not available. You -// can retry the request. +// The request was rejected because the specified KMS key was not available. +// You can retry the request. // // * DependencyTimeoutException // The system timed out while trying to fulfill the request. The request can @@ -3330,17 +3363,18 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP // * InvalidKeyUsageException // The request was rejected for one of the following reasons: // -// * The KeyUsage value of the CMK is incompatible with the API operation. +// * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation -// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage -// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// To find the encryption or signing algorithms supported for a particular CMK, -// use the DescribeKey operation. +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKey operation. // // * InvalidGrantTokenException // The request was rejected because the specified grant token is not valid. @@ -3353,9 +3387,9 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // * UnsupportedOperationException // The request was rejected because a specified parameter is not supported or @@ -3428,8 +3462,8 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho // GenerateDataKeyWithoutPlaintext API operation for AWS Key Management Service. // // Generates a unique symmetric data key. This operation returns a data key -// that is encrypted under a customer master key (CMK) that you specify. To -// request an asymmetric data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext +// that is encrypted under a KMS key that you specify. To request an asymmetric +// data key pair, use the GenerateDataKeyPair or GenerateDataKeyPairWithoutPlaintext // operations. // // GenerateDataKeyWithoutPlaintext is identical to the GenerateDataKey operation @@ -3448,13 +3482,12 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho // never sees the plaintext data key. // // GenerateDataKeyWithoutPlaintext returns a unique data key for each request. -// The bytes in the keys are not related to the caller or CMK that is used to -// encrypt the private key. +// The bytes in the keys are not related to the caller or KMS key that is used +// to encrypt the private key. // -// To generate a data key, you must specify the symmetric customer master key -// (CMK) that is used to encrypt the data key. You cannot use an asymmetric -// CMK to generate a data key. To get the type of your CMK, use the DescribeKey -// operation. +// To generate a data key, you must specify the symmetric KMS key that is used +// to encrypt the data key. You cannot use an asymmetric KMS key to generate +// a data key. To get the type of your KMS key, use the DescribeKey operation. // // If the operation succeeds, you will find the encrypted copy of the data key // in the CiphertextBlob field. @@ -3464,14 +3497,15 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho // the same encryption context (a case-sensitive exact match) when decrypting // the encrypted data key. Otherwise, the request to decrypt fails with an InvalidCiphertextException. // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: Yes. To perform this operation with a CMK in a different -// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value +// of the KeyId parameter. // // Required permissions: kms:GenerateDataKeyWithoutPlaintext (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -3501,11 +3535,11 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * KeyUnavailableException -// The request was rejected because the specified CMK was not available. You -// can retry the request. +// The request was rejected because the specified KMS key was not available. +// You can retry the request. // // * DependencyTimeoutException // The system timed out while trying to fulfill the request. The request can @@ -3514,17 +3548,18 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho // * InvalidKeyUsageException // The request was rejected for one of the following reasons: // -// * The KeyUsage value of the CMK is incompatible with the API operation. +// * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation -// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage -// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// To find the encryption or signing algorithms supported for a particular CMK, -// use the DescribeKey operation. +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKey operation. // // * InvalidGrantTokenException // The request was rejected because the specified grant token is not valid. @@ -3537,9 +3572,9 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GenerateDataKeyWithoutPlaintext func (c *KMS) GenerateDataKeyWithoutPlaintext(input *GenerateDataKeyWithoutPlaintextInput) (*GenerateDataKeyWithoutPlaintextOutput, error) { @@ -3609,13 +3644,19 @@ func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Re // // Returns a random byte string that is cryptographically secure. // -// By default, the random byte string is generated in AWS KMS. To generate the -// byte string in the AWS CloudHSM cluster that is associated with a custom -// key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), +// By default, the random byte string is generated in KMS. To generate the byte +// string in the CloudHSM cluster that is associated with a custom key store +// (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), // specify the custom key store ID. // -// For more information about entropy and random number generation, see AWS -// Key Management Service Cryptographic Details (https://docs.aws.amazon.com/kms/latest/cryptographic-details/). +// Applications in Amazon Web Services Nitro Enclaves can call this operation +// by using the Amazon Web Services Nitro Enclaves Development Kit (https://github.com/aws/aws-nitro-enclaves-sdk-c). +// For information about the supporting parameters, see How Amazon Web Services +// Nitro Enclaves use KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html) +// in the Key Management Service Developer Guide. +// +// For more information about entropy and random number generation, see Key +// Management Service Cryptographic Details (https://docs.aws.amazon.com/kms/latest/cryptographic-details/). // // Required permissions: kms:GenerateRandom (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy) @@ -3637,7 +3678,7 @@ func (c *KMS) GenerateRandomRequest(input *GenerateRandomInput) (req *request.Re // can be retried. // // * CustomKeyStoreNotFoundException -// The request was rejected because AWS KMS cannot find a custom key store with +// The request was rejected because KMS cannot find a custom key store with // the specified key store name or ID. // // * CustomKeyStoreInvalidStateException @@ -3725,10 +3766,10 @@ func (c *KMS) GetKeyPolicyRequest(input *GetKeyPolicyInput) (req *request.Reques // GetKeyPolicy API operation for AWS Key Management Service. // -// Gets a key policy attached to the specified customer master key (CMK). +// Gets a key policy attached to the specified KMS key. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:GetKeyPolicy (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -3763,9 +3804,9 @@ func (c *KMS) GetKeyPolicyRequest(input *GetKeyPolicyInput) (req *request.Reques // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetKeyPolicy func (c *KMS) GetKeyPolicy(input *GetKeyPolicyInput) (*GetKeyPolicyOutput, error) { @@ -3835,30 +3876,31 @@ func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req // // Gets a Boolean value that indicates whether automatic rotation of the key // material (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html) -// is enabled for the specified customer master key (CMK). +// is enabled for the specified KMS key. // -// You cannot enable automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), -// CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), -// or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). +// You cannot enable automatic rotation of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), +// KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), +// or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). // To enable or disable automatic rotation of a set of related multi-Region // keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key), -// set the property on the primary key. The key rotation status for these CMKs -// is always false. +// set the property on the primary key. The key rotation status for these KMS +// keys is always false. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // // * Disabled: The key rotation status does not change when you disable a -// CMK. However, while the CMK is disabled, AWS KMS does not rotate the backing -// key. +// KMS key. However, while the KMS key is disabled, KMS does not rotate the +// key material. // -// * Pending deletion: While a CMK is pending deletion, its key rotation -// status is false and AWS KMS does not rotate the backing key. If you cancel +// * Pending deletion: While a KMS key is pending deletion, its key rotation +// status is false and KMS does not rotate the key material. If you cancel // the deletion, the original key rotation status is restored. // -// Cross-account use: Yes. To perform this operation on a CMK in a different -// AWS account, specify the key ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation on a KMS key in a different +// Amazon Web Services account, specify the key ARN in the value of the KeyId +// parameter. // // Required permissions: kms:GetKeyRotationStatus (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -3897,9 +3939,9 @@ func (c *KMS) GetKeyRotationStatusRequest(input *GetKeyRotationStatusInput) (req // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // * UnsupportedOperationException // The request was rejected because a specified parameter is not supported or @@ -3972,19 +4014,20 @@ func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput) // GetParametersForImport API operation for AWS Key Management Service. // // Returns the items you need to import key material into a symmetric, customer -// managed customer master key (CMK). For more information about importing key -// material into AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// in the AWS Key Management Service Developer Guide. +// managed KMS key. For more information about importing key material into KMS, +// see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) +// in the Key Management Service Developer Guide. // // This operation returns a public key and an import token. Use the public key // to encrypt the symmetric key material. Store the import token to send with // a subsequent ImportKeyMaterial request. // -// You must specify the key ID of the symmetric CMK into which you will import -// key material. This CMK's Origin must be EXTERNAL. You must also specify the -// wrapping algorithm and type of wrapping key (public key) that you will use -// to encrypt the key material. You cannot perform this operation on an asymmetric -// CMK or on any CMK in a different AWS account. +// You must specify the key ID of the symmetric KMS key into which you will +// import key material. This KMS key's Origin must be EXTERNAL. You must also +// specify the wrapping algorithm and type of wrapping key (public key) that +// you will use to encrypt the key material. You cannot perform this operation +// on an asymmetric KMS key or on any KMS key in a different Amazon Web Services +// account. // // To import key material, you must use the public key and import token from // the same response. These items are valid for 24 hours. The expiration date @@ -3992,12 +4035,12 @@ func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput) // expired token in an ImportKeyMaterial request. If your key and token expire, // send another GetParametersForImport request. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:GetParametersForImport (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -4040,9 +4083,9 @@ func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput) // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetParametersForImport func (c *KMS) GetParametersForImport(input *GetParametersForImportInput) (*GetParametersForImportOutput, error) { @@ -4110,27 +4153,26 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques // GetPublicKey API operation for AWS Key Management Service. // -// Returns the public key of an asymmetric CMK. Unlike the private key of a -// asymmetric CMK, which never leaves AWS KMS unencrypted, callers with kms:GetPublicKey -// permission can download the public key of an asymmetric CMK. You can share -// the public key to allow others to encrypt messages and verify signatures -// outside of AWS KMS. For information about symmetric and asymmetric CMKs, -// see Using Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// in the AWS Key Management Service Developer Guide. +// Returns the public key of an asymmetric KMS key. Unlike the private key of +// a asymmetric KMS key, which never leaves KMS unencrypted, callers with kms:GetPublicKey +// permission can download the public key of an asymmetric KMS key. You can +// share the public key to allow others to encrypt messages and verify signatures +// outside of KMS. For information about symmetric and asymmetric KMS keys, +// see Using Symmetric and Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) +// in the Key Management Service Developer Guide. // // You do not need to download the public key. Instead, you can use the public -// key within AWS KMS by calling the Encrypt, ReEncrypt, or Verify operations -// with the identifier of an asymmetric CMK. When you use the public key within -// AWS KMS, you benefit from the authentication, authorization, and logging -// that are part of every AWS KMS operation. You also reduce of risk of encrypting -// data that cannot be decrypted. These features are not effective outside of -// AWS KMS. For details, see Special Considerations for Downloading Public Keys -// (https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations). +// key within KMS by calling the Encrypt, ReEncrypt, or Verify operations with +// the identifier of an asymmetric KMS key. When you use the public key within +// KMS, you benefit from the authentication, authorization, and logging that +// are part of every KMS operation. You also reduce of risk of encrypting data +// that cannot be decrypted. These features are not effective outside of KMS. +// For details, see Special Considerations for Downloading Public Keys (https://docs.aws.amazon.com/kms/latest/developerguide/download-public-key.html#download-public-key-considerations). // -// To help you use the public key safely outside of AWS KMS, GetPublicKey returns +// To help you use the public key safely outside of KMS, GetPublicKey returns // important information about the public key in the response, including: // -// * CustomerMasterKeySpec (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-CustomerMasterKeySpec): +// * KeySpec (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeySpec): // The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521. // // * KeyUsage (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage): @@ -4141,19 +4183,20 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques // A list of the encryption algorithms or the signing algorithms for the // key. // -// Although AWS KMS cannot enforce these restrictions on external operations, -// it is crucial that you use this information to prevent the public key from -// being used improperly. For example, you can prevent a public signing key -// from being used encrypt data, or prevent a public key from being used with -// an encryption algorithm that is not supported by AWS KMS. You can also avoid -// errors, such as using the wrong signing algorithm in a verification operation. +// Although KMS cannot enforce these restrictions on external operations, it +// is crucial that you use this information to prevent the public key from being +// used improperly. For example, you can prevent a public signing key from being +// used encrypt data, or prevent a public key from being used with an encryption +// algorithm that is not supported by KMS. You can also avoid errors, such as +// using the wrong signing algorithm in a verification operation. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: Yes. To perform this operation with a CMK in a different -// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value +// of the KeyId parameter. // // Required permissions: kms:GetPublicKey (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -4173,11 +4216,11 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * KeyUnavailableException -// The request was rejected because the specified CMK was not available. You -// can retry the request. +// The request was rejected because the specified KMS key was not available. +// You can retry the request. // // * DependencyTimeoutException // The system timed out while trying to fulfill the request. The request can @@ -4197,17 +4240,18 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques // * InvalidKeyUsageException // The request was rejected for one of the following reasons: // -// * The KeyUsage value of the CMK is incompatible with the API operation. +// * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation -// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage -// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// To find the encryption or signing algorithms supported for a particular CMK, -// use the DescribeKey operation. +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKey operation. // // * InternalException // The request was rejected because an internal exception occurred. The request @@ -4217,9 +4261,9 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/GetPublicKey func (c *KMS) GetPublicKey(input *GetPublicKeyInput) (*GetPublicKeyOutput, error) { @@ -4288,15 +4332,16 @@ func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *requ // ImportKeyMaterial API operation for AWS Key Management Service. // -// Imports key material into an existing symmetric AWS KMS customer master key -// (CMK) that was created without key material. After you successfully import -// key material into a CMK, you can reimport the same key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material) -// into that CMK, but you cannot import different key material. +// Imports key material into an existing symmetric KMS KMS key that was created +// without key material. After you successfully import key material into a KMS +// key, you can reimport the same key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#reimport-key-material) +// into that KMS key, but you cannot import different key material. // -// You cannot perform this operation on an asymmetric CMK or on any CMK in a -// different AWS account. For more information about creating CMKs with no key -// material and then importing key material, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) -// in the AWS Key Management Service Developer Guide. +// You cannot perform this operation on an asymmetric KMS key or on any KMS +// key in a different Amazon Web Services account. For more information about +// creating KMS keys with no key material and then importing key material, see +// Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) +// in the Key Management Service Developer Guide. // // Before using this operation, call GetParametersForImport. Its response includes // a public key and an import token. Use the public key to encrypt the key material. @@ -4304,10 +4349,10 @@ func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *requ // // When calling this operation, you must specify the following values: // -// * The key ID or key ARN of a CMK with no key material. Its Origin must -// be EXTERNAL. To create a CMK with no key material, call CreateKey and -// set the value of its Origin parameter to EXTERNAL. To get the Origin of -// a CMK, call DescribeKey.) +// * The key ID or key ARN of a KMS key with no key material. Its Origin +// must be EXTERNAL. To create a KMS key with no key material, call CreateKey +// and set the value of its Origin parameter to EXTERNAL. To get the Origin +// of a KMS key, call DescribeKey.) // // * The encrypted key material. To get the public key to encrypt the key // material, call GetParametersForImport. @@ -4316,27 +4361,27 @@ func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *requ // a public key and token from the same GetParametersForImport response. // // * Whether the key material expires and if so, when. If you set an expiration -// date, AWS KMS deletes the key material from the CMK on the specified date, -// and the CMK becomes unusable. To use the CMK again, you must reimport +// date, KMS deletes the key material from the KMS key on the specified date, +// and the KMS key becomes unusable. To use the KMS key again, you must reimport // the same key material. The only way to change an expiration date is by // reimporting the same key material and specifying a new expiration date. // -// When this operation is successful, the key state of the CMK changes from -// PendingImport to Enabled, and you can use the CMK. +// When this operation is successful, the key state of the KMS key changes from +// PendingImport to Enabled, and you can use the KMS key. // // If this operation fails, use the exception to help determine the problem. // If the error is related to the key material, the import token, or wrapping // key, use GetParametersForImport to get a new public key and import token -// for the CMK and repeat the import procedure. For help, see How To Import +// for the KMS key and repeat the import procedure. For help, see How To Import // Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html#importing-keys-overview) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:ImportKeyMaterial (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -4379,9 +4424,9 @@ func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *requ // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // * InvalidCiphertextException // From the Decrypt or ReEncrypt operation, the request was rejected because @@ -4389,13 +4434,13 @@ func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *requ // the ciphertext, such as the encryption context, is corrupted, missing, or // otherwise invalid. // -// From the ImportKeyMaterial operation, the request was rejected because AWS -// KMS could not decrypt the encrypted (wrapped) key material. +// From the ImportKeyMaterial operation, the request was rejected because KMS +// could not decrypt the encrypted (wrapped) key material. // // * IncorrectKeyMaterialException // The request was rejected because the key material in the request is, expired, // invalid, or is not the same key material that was previously imported into -// this customer master key (CMK). +// this KMS key. // // * ExpiredImportTokenException // The request was rejected because the specified import token is expired. Use @@ -4404,7 +4449,7 @@ func (c *KMS) ImportKeyMaterialRequest(input *ImportKeyMaterialInput) (req *requ // // * InvalidImportTokenException // The request was rejected because the provided import token is invalid or -// is associated with a different customer master key (CMK). +// is associated with a different KMS key. // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ImportKeyMaterial func (c *KMS) ImportKeyMaterial(input *ImportKeyMaterialInput) (*ImportKeyMaterialOutput, error) { @@ -4478,30 +4523,33 @@ func (c *KMS) ListAliasesRequest(input *ListAliasesInput) (req *request.Request, // ListAliases API operation for AWS Key Management Service. // -// Gets a list of aliases in the caller's AWS account and region. For more information -// about aliases, see CreateAlias. +// Gets a list of aliases in the caller's Amazon Web Services account and region. +// For more information about aliases, see CreateAlias. // // By default, the ListAliases operation returns all aliases in the account -// and region. To get only the aliases associated with a particular customer -// master key (CMK), use the KeyId parameter. +// and region. To get only the aliases associated with a particular KMS key, +// use the KeyId parameter. // // The ListAliases response can include aliases that you created and associated -// with your customer managed CMKs, and aliases that AWS created and associated -// with AWS managed CMKs in your account. You can recognize AWS aliases because -// their names have the format aws/, such as aws/dynamodb. +// with your customer managed keys, and aliases that Amazon Web Services created +// and associated with Amazon Web Services managed keys in your account. You +// can recognize Amazon Web Services aliases because their names have the format +// aws/, such as aws/dynamodb. // // The response might also include aliases that have no TargetKeyId field. These -// are predefined aliases that AWS has created but has not yet associated with -// a CMK. Aliases that AWS creates in your account, including predefined aliases, -// do not count against your AWS KMS aliases quota (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit). +// are predefined aliases that Amazon Web Services has created but has not yet +// associated with a KMS key. Aliases that Amazon Web Services creates in your +// account, including predefined aliases, do not count against your KMS aliases +// quota (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html#aliases-limit). // -// Cross-account use: No. ListAliases does not return aliases in other AWS accounts. +// Cross-account use: No. ListAliases does not return aliases in other Amazon +// Web Services accounts. // // Required permissions: kms:ListAliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy) // // For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // Related operations: // @@ -4663,19 +4711,25 @@ func (c *KMS) ListGrantsRequest(input *ListGrantsInput) (req *request.Request, o // ListGrants API operation for AWS Key Management Service. // -// Gets a list of all grants for the specified customer master key (CMK). +// Gets a list of all grants for the specified KMS key. // -// You must specify the CMK in all requests. You can filter the grant list by -// grant ID or grantee principal. +// You must specify the KMS key in all requests. You can filter the grant list +// by grant ID or grantee principal. +// +// For detailed information about grants, including grant terminology, see Using +// grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) +// in the Key Management Service Developer Guide . For examples of working with +// grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html). // // The GranteePrincipal field in the ListGrants response usually contains the // user or role designated as the grantee principal in the grant. However, when -// the grantee principal in the grant is an AWS service, the GranteePrincipal -// field contains the service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services), +// the grantee principal in the grant is an Amazon Web Services service, the +// GranteePrincipal field contains the service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services), // which might represent several different grantee principals. // -// Cross-account use: Yes. To perform this operation on a CMK in a different -// AWS account, specify the key ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation on a KMS key in a different +// Amazon Web Services account, specify the key ARN in the value of the KeyId +// parameter. // // Required permissions: kms:ListGrants (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -4725,9 +4779,9 @@ func (c *KMS) ListGrantsRequest(input *ListGrantsInput) (req *request.Request, o // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListGrants func (c *KMS) ListGrants(input *ListGrantsInput) (*ListGrantsResponse, error) { @@ -4853,12 +4907,12 @@ func (c *KMS) ListKeyPoliciesRequest(input *ListKeyPoliciesInput) (req *request. // ListKeyPolicies API operation for AWS Key Management Service. // -// Gets the names of the key policies that are attached to a customer master -// key (CMK). This operation is designed to get policy names that you can use -// in a GetKeyPolicy operation. However, the only valid policy name is default. +// Gets the names of the key policies that are attached to a KMS key. This operation +// is designed to get policy names that you can use in a GetKeyPolicy operation. +// However, the only valid policy name is default. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:ListKeyPolicies (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -4897,9 +4951,9 @@ func (c *KMS) ListKeyPoliciesRequest(input *ListKeyPoliciesInput) (req *request. // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ListKeyPolicies func (c *KMS) ListKeyPolicies(input *ListKeyPoliciesInput) (*ListKeyPoliciesOutput, error) { @@ -5025,11 +5079,11 @@ func (c *KMS) ListKeysRequest(input *ListKeysInput) (req *request.Request, outpu // ListKeys API operation for AWS Key Management Service. // -// Gets a list of all customer master keys (CMKs) in the caller's AWS account -// and Region. +// Gets a list of all KMS keys in the caller's Amazon Web Services account and +// Region. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:ListKeys (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy) @@ -5182,15 +5236,15 @@ func (c *KMS) ListResourceTagsRequest(input *ListResourceTagsInput) (req *reques // ListResourceTags API operation for AWS Key Management Service. // -// Returns all tags on the specified customer master key (CMK). +// Returns all tags on the specified KMS key. // // For general information about tags, including the format and syntax, see -// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) +// Tagging Amazon Web Services resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) // in the Amazon Web Services General Reference. For information about using -// tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). +// tags in KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:ListResourceTags (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -5295,24 +5349,28 @@ func (c *KMS) ListRetirableGrantsRequest(input *ListRetirableGrantsInput) (req * // ListRetirableGrants API operation for AWS Key Management Service. // -// Returns information about all grants in the AWS account and Region that have -// the specified retiring principal. For more information about grants, see -// Grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) -// in the AWS Key Management Service Developer Guide . +// Returns information about all grants in the Amazon Web Services account and +// Region that have the specified retiring principal. // -// You can specify any principal in your AWS account. The grants that are returned -// include grants for CMKs in your AWS account and other AWS accounts. +// You can specify any principal in your Amazon Web Services account. The grants +// that are returned include grants for KMS keys in your Amazon Web Services +// account and other Amazon Web Services accounts. You might use this operation +// to determine which grants you may retire. To retire a grant, use the RetireGrant +// operation. // -// You might use this operation to determine which grants you may retire. To -// retire a grant, use the RetireGrant operation. +// For detailed information about grants, including grant terminology, see Using +// grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) +// in the Key Management Service Developer Guide . For examples of working with +// grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html). // -// Cross-account use: You must specify a principal in your AWS account. However, -// this operation can return grants in any AWS account. You do not need kms:ListRetirableGrants -// permission (or any other additional permission) in any AWS account other -// than your own. +// Cross-account use: You must specify a principal in your Amazon Web Services +// account. However, this operation can return grants in any Amazon Web Services +// account. You do not need kms:ListRetirableGrants permission (or any other +// additional permission) in any Amazon Web Services account other than your +// own. // // Required permissions: kms:ListRetirableGrants (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// (IAM policy) in your AWS account. +// (IAM policy) in your Amazon Web Services account. // // Related operations: // @@ -5419,17 +5477,18 @@ func (c *KMS) PutKeyPolicyRequest(input *PutKeyPolicyInput) (req *request.Reques // PutKeyPolicy API operation for AWS Key Management Service. // -// Attaches a key policy to the specified customer master key (CMK). +// Attaches a key policy to the specified KMS key. // // For more information about key policies, see Key Policies (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html) -// in the AWS Key Management Service Developer Guide. For help writing and formatting +// in the Key Management Service Developer Guide. For help writing and formatting // a JSON policy document, see the IAM JSON Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) -// in the IAM User Guide . For examples of adding a key policy in multiple programming -// languages, see Setting a key policy (https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy) -// in the AWS Key Management Service Developer Guide. +// in the Identity and Access Management User Guide . For examples of adding +// a key policy in multiple programming languages, see Setting a key policy +// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-key-policies.html#put-policy) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:PutKeyPolicy (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -5471,15 +5530,15 @@ func (c *KMS) PutKeyPolicyRequest(input *PutKeyPolicyInput) (req *request.Reques // * LimitExceededException // The request was rejected because a quota was exceeded. For more information, // see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // * InvalidStateException // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/PutKeyPolicy func (c *KMS) PutKeyPolicy(input *PutKeyPolicyInput) (*PutKeyPolicyOutput, error) { @@ -5547,80 +5606,80 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out // ReEncrypt API operation for AWS Key Management Service. // -// Decrypts ciphertext and then reencrypts it entirely within AWS KMS. You can -// use this operation to change the customer master key (CMK) under which data -// is encrypted, such as when you manually rotate (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually) -// a CMK or change the CMK that protects a ciphertext. You can also use it to -// reencrypt ciphertext under the same CMK, such as to change the encryption -// context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) +// Decrypts ciphertext and then reencrypts it entirely within KMS. You can use +// this operation to change the KMS key under which data is encrypted, such +// as when you manually rotate (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html#rotate-keys-manually) +// a KMS key or change the KMS key that protects a ciphertext. You can also +// use it to reencrypt ciphertext under the same KMS key, such as to change +// the encryption context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) // of a ciphertext. // // The ReEncrypt operation can decrypt ciphertext that was encrypted by using -// an AWS KMS CMK in an AWS KMS operation, such as Encrypt or GenerateDataKey. -// It can also decrypt ciphertext that was encrypted by using the public key -// of an asymmetric CMK (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks) -// outside of AWS KMS. However, it cannot decrypt ciphertext produced by other -// libraries, such as the AWS Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) +// an KMS KMS key in an KMS operation, such as Encrypt or GenerateDataKey. It +// can also decrypt ciphertext that was encrypted by using the public key of +// an asymmetric KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks) +// outside of KMS. However, it cannot decrypt ciphertext produced by other libraries, +// such as the Amazon Web Services Encryption SDK (https://docs.aws.amazon.com/encryption-sdk/latest/developer-guide/) // or Amazon S3 client-side encryption (https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingClientSideEncryption.html). -// These libraries return a ciphertext format that is incompatible with AWS -// KMS. +// These libraries return a ciphertext format that is incompatible with KMS. // // When you use the ReEncrypt operation, you need to provide information for // the decrypt operation and the subsequent encrypt operation. // -// * If your ciphertext was encrypted under an asymmetric CMK, you must use -// the SourceKeyId parameter to identify the CMK that encrypted the ciphertext. -// You must also supply the encryption algorithm that was used. This information -// is required to decrypt the data. +// * If your ciphertext was encrypted under an asymmetric KMS key, you must +// use the SourceKeyId parameter to identify the KMS key that encrypted the +// ciphertext. You must also supply the encryption algorithm that was used. +// This information is required to decrypt the data. // -// * If your ciphertext was encrypted under a symmetric CMK, the SourceKeyId -// parameter is optional. AWS KMS can get this information from metadata -// that it adds to the symmetric ciphertext blob. This feature adds durability +// * If your ciphertext was encrypted under a symmetric KMS key, the SourceKeyId +// parameter is optional. KMS can get this information from metadata that +// it adds to the symmetric ciphertext blob. This feature adds durability // to your implementation by ensuring that authorized users can decrypt ciphertext -// decades after it was encrypted, even if they've lost track of the CMK -// ID. However, specifying the source CMK is always recommended as a best -// practice. When you use the SourceKeyId parameter to specify a CMK, AWS -// KMS uses only the CMK you specify. If the ciphertext was encrypted under -// a different CMK, the ReEncrypt operation fails. This practice ensures -// that you use the CMK that you intend. +// decades after it was encrypted, even if they've lost track of the key +// ID. However, specifying the source KMS key is always recommended as a +// best practice. When you use the SourceKeyId parameter to specify a KMS +// key, KMS uses only the KMS key you specify. If the ciphertext was encrypted +// under a different KMS key, the ReEncrypt operation fails. This practice +// ensures that you use the KMS key that you intend. // // * To reencrypt the data, you must use the DestinationKeyId parameter specify -// the CMK that re-encrypts the data after it is decrypted. You can select -// a symmetric or asymmetric CMK. If the destination CMK is an asymmetric -// CMK, you must also provide the encryption algorithm. The algorithm that -// you choose must be compatible with the CMK. When you use an asymmetric -// CMK to encrypt or reencrypt data, be sure to record the CMK and encryption -// algorithm that you choose. You will be required to provide the same CMK -// and encryption algorithm when you decrypt the data. If the CMK and algorithm -// do not match the values used to encrypt the data, the decrypt operation -// fails. You are not required to supply the CMK ID and encryption algorithm -// when you decrypt with symmetric CMKs because AWS KMS stores this information -// in the ciphertext blob. AWS KMS cannot store metadata in ciphertext generated -// with asymmetric keys. The standard format for asymmetric key ciphertext -// does not include configurable fields. +// the KMS key that re-encrypts the data after it is decrypted. You can select +// a symmetric or asymmetric KMS key. If the destination KMS key is an asymmetric +// KMS key, you must also provide the encryption algorithm. The algorithm +// that you choose must be compatible with the KMS key. When you use an asymmetric +// KMS key to encrypt or reencrypt data, be sure to record the KMS key and +// encryption algorithm that you choose. You will be required to provide +// the same KMS key and encryption algorithm when you decrypt the data. If +// the KMS key and algorithm do not match the values used to encrypt the +// data, the decrypt operation fails. You are not required to supply the +// key ID and encryption algorithm when you decrypt with symmetric KMS keys +// because KMS stores this information in the ciphertext blob. KMS cannot +// store metadata in ciphertext generated with asymmetric keys. The standard +// format for asymmetric key ciphertext does not include configurable fields. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: Yes. The source CMK and destination CMK can be in different -// AWS accounts. Either or both CMKs can be in a different account than the -// caller. +// Cross-account use: Yes. The source KMS key and destination KMS key can be +// in different Amazon Web Services accounts. Either or both KMS keys can be +// in a different account than the caller. To specify a KMS key in a different +// account, you must use its key ARN or alias ARN. // // Required permissions: // // * kms:ReEncryptFrom (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// permission on the source CMK (key policy) +// permission on the source KMS key (key policy) // // * kms:ReEncryptTo (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// permission on the destination CMK (key policy) +// permission on the destination KMS key (key policy) // -// To permit reencryption from or to a CMK, include the "kms:ReEncrypt*" permission -// in your key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). +// To permit reencryption from or to a KMS key, include the "kms:ReEncrypt*" +// permission in your key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html). // This permission is automatically included in the key policy when you use -// the console to create a CMK. But you must include it manually when you create -// a CMK programmatically or when you use the PutKeyPolicy operation to set -// a key policy. +// the console to create a KMS key. But you must include it manually when you +// create a KMS key programmatically or when you use the PutKeyPolicy operation +// to set a key policy. // // Related operations: // @@ -5645,7 +5704,7 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * InvalidCiphertextException // From the Decrypt or ReEncrypt operation, the request was rejected because @@ -5653,17 +5712,17 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out // the ciphertext, such as the encryption context, is corrupted, missing, or // otherwise invalid. // -// From the ImportKeyMaterial operation, the request was rejected because AWS -// KMS could not decrypt the encrypted (wrapped) key material. +// From the ImportKeyMaterial operation, the request was rejected because KMS +// could not decrypt the encrypted (wrapped) key material. // // * KeyUnavailableException -// The request was rejected because the specified CMK was not available. You -// can retry the request. +// The request was rejected because the specified KMS key was not available. +// You can retry the request. // // * IncorrectKeyException -// The request was rejected because the specified CMK cannot decrypt the data. -// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request -// must identify the same CMK that was used to encrypt the ciphertext. +// The request was rejected because the specified KMS key cannot decrypt the +// data. The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request +// must identify the same KMS key that was used to encrypt the ciphertext. // // * DependencyTimeoutException // The system timed out while trying to fulfill the request. The request can @@ -5672,17 +5731,18 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out // * InvalidKeyUsageException // The request was rejected for one of the following reasons: // -// * The KeyUsage value of the CMK is incompatible with the API operation. +// * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation -// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage -// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// To find the encryption or signing algorithms supported for a particular CMK, -// use the DescribeKey operation. +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKey operation. // // * InvalidGrantTokenException // The request was rejected because the specified grant token is not valid. @@ -5695,9 +5755,9 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ReEncrypt func (c *KMS) ReEncrypt(input *ReEncryptInput) (*ReEncryptOutput, error) { @@ -5767,33 +5827,34 @@ func (c *KMS) ReplicateKeyRequest(input *ReplicateKeyInput) (req *request.Reques // // Replicates a multi-Region key into the specified Region. This operation creates // a multi-Region replica key based on a multi-Region primary key in a different -// Region of the same AWS partition. You can create multiple replicas of a primary -// key, but each must be in a different Region. To create a multi-Region primary -// key, use the CreateKey operation. +// Region of the same Amazon Web Services partition. You can create multiple +// replicas of a primary key, but each must be in a different Region. To create +// a multi-Region primary key, use the CreateKey operation. // -// This operation supports multi-Region keys, an AWS KMS feature that lets you -// create multiple interoperable CMKs in different AWS Regions. Because these -// CMKs have the same key ID, key material, and other metadata, you can use -// them to encrypt data in one AWS Region and decrypt it in a different AWS -// Region without making a cross-Region call or exposing the plaintext data. -// For more information about multi-Region keys, see Using multi-Region keys -// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) -// in the AWS Key Management Service Developer Guide. +// This operation supports multi-Region keys, an KMS feature that lets you create +// multiple interoperable KMS keys in different Amazon Web Services Regions. +// Because these KMS keys have the same key ID, key material, and other metadata, +// you can use them interchangeably to encrypt data in one Amazon Web Services +// Region and decrypt it in a different Amazon Web Services Region without re-encrypting +// the data or making a cross-Region call. For more information about multi-Region +// keys, see Using multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) +// in the Key Management Service Developer Guide. // -// A replica key is a fully-functional CMK that can be used independently of -// its primary and peer replica keys. A primary key and its replica keys share -// properties that make them interoperable. They have the same key ID (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id) +// A replica key is a fully-functional KMS key that can be used independently +// of its primary and peer replica keys. A primary key and its replica keys +// share properties that make them interoperable. They have the same key ID +// (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-id) // and key material. They also have the same key spec (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-spec), // key usage (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-usage), // key material origin (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-origin), // and automatic key rotation status (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). -// AWS KMS automatically synchronizes these shared properties among related -// multi-Region keys. All other properties of a replica key can differ, including -// its key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html), +// KMS automatically synchronizes these shared properties among related multi-Region +// keys. All other properties of a replica key can differ, including its key +// policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html), // tags (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html), // aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html), // and key state (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html). -// AWS KMS pricing and quotas for CMKs apply to each primary key and replica +// KMS pricing and quotas for KMS keys apply to each primary key and replica // key. // // When this operation completes, the new replica key has a transient key state @@ -5803,31 +5864,31 @@ func (c *KMS) ReplicateKeyRequest(input *ReplicateKeyInput) (req *request.Reques // it in cryptographic operations. If you are creating and using the replica // key programmatically, retry on KMSInvalidStateException or call DescribeKey // to check its KeyState value before using it. For details about the Creating -// key state, see Key state: Effect on your CMK (kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// key state, see Key state: Effect on your KMS key (kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// The AWS CloudTrail log of a ReplicateKey operation records a ReplicateKey -// operation in the primary key's Region and a CreateKey operation in the replica -// key's Region. +// The CloudTrail log of a ReplicateKey operation records a ReplicateKey operation +// in the primary key's Region and a CreateKey operation in the replica key's +// Region. // // If you replicate a multi-Region primary key with imported key material, the // replica key is created with no key material. You must import the same key // material that you imported into the primary key. For details, see Importing // key material into multi-Region keys (kms/latest/developerguide/multi-region-keys-import.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // To convert a replica key to a primary key, use the UpdatePrimaryRegion operation. // // ReplicateKey uses different default values for the KeyPolicy and Tags parameters -// than those used in the AWS KMS console. For details, see the parameter descriptions. +// than those used in the KMS console. For details, see the parameter descriptions. // -// Cross-account use: No. You cannot use this operation to create a CMK in a -// different AWS account. +// Cross-account use: No. You cannot use this operation to create a replica +// key in a different Amazon Web Services account. // // Required permissions: // -// * kms:ReplicateKey on the primary CMK (in the primary CMK's Region). Include -// this permission in the primary CMK's key policy. +// * kms:ReplicateKey on the primary key (in the primary key's Region). Include +// this permission in the primary key's key policy. // // * kms:CreateKey in an IAM policy in the replica Region. // @@ -5853,7 +5914,7 @@ func (c *KMS) ReplicateKeyRequest(input *ReplicateKeyInput) (req *request.Reques // exists. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * InvalidArnException // The request was rejected because a specified ARN, or an ARN in a key policy, @@ -5863,9 +5924,9 @@ func (c *KMS) ReplicateKeyRequest(input *ReplicateKeyInput) (req *request.Reques // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // * InternalException // The request was rejected because an internal exception occurred. The request @@ -5874,7 +5935,7 @@ func (c *KMS) ReplicateKeyRequest(input *ReplicateKeyInput) (req *request.Reques // * LimitExceededException // The request was rejected because a quota was exceeded. For more information, // see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // * MalformedPolicyDocumentException // The request was rejected because the specified policy is not syntactically @@ -5960,27 +6021,27 @@ func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request, // // Deletes a grant. Typically, you retire a grant when you no longer need its // permissions. To identify the grant to retire, use a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token), -// or both the grant ID and a key identifier (key ID or key ARN) of the customer -// master key (CMK). The CreateGrant operation returns both values. +// or both the grant ID and a key identifier (key ID or key ARN) of the KMS +// key. The CreateGrant operation returns both values. // // This operation can be called by the retiring principal for a grant, by the // grantee principal if the grant allows the RetireGrant operation, and by the -// AWS account (root user) in which the grant is created. It can also be called -// by principals to whom permission for retiring a grant is delegated. For details, -// see Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) -// in the AWS Key Management Service Developer Guide. +// Amazon Web Services account (root user) in which the grant is created. It +// can also be called by principals to whom permission for retiring a grant +// is delegated. For details, see Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) +// in the Key Management Service Developer Guide. // // For detailed information about grants, including grant terminology, see Using // grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) -// in the AWS Key Management Service Developer Guide . For examples of working -// with grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html). +// in the Key Management Service Developer Guide . For examples of working with +// grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html). // -// Cross-account use: Yes. You can retire a grant on a CMK in a different AWS -// account. +// Cross-account use: Yes. You can retire a grant on a KMS key in a different +// Amazon Web Services account. // // Required permissions::Permission to retire a grant is determined primarily // by the grant. For details, see Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // Related operations: // @@ -6026,9 +6087,9 @@ func (c *KMS) RetireGrantRequest(input *RetireGrantInput) (req *request.Request, // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RetireGrant func (c *KMS) RetireGrant(input *RetireGrantInput) (*RetireGrantOutput, error) { @@ -6100,16 +6161,22 @@ func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request, // Deletes the specified grant. You revoke a grant to terminate the permissions // that the grant allows. For more information, see Retiring and revoking grants // (https://docs.aws.amazon.com/kms/latest/developerguide/managing-grants.html#grant-delete) -// in the AWS Key Management Service Developer Guide . +// in the Key Management Service Developer Guide . // // When you create, retire, or revoke a grant, there might be a brief delay, -// usually less than five minutes, until the grant is available throughout AWS -// KMS. This state is known as eventual consistency. For details, see Eventual -// consistency (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency) -// in the AWS Key Management Service Developer Guide . +// usually less than five minutes, until the grant is available throughout KMS. +// This state is known as eventual consistency. For details, see Eventual consistency +// (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency) +// in the Key Management Service Developer Guide . // -// Cross-account use: Yes. To perform this operation on a CMK in a different -// AWS account, specify the key ARN in the value of the KeyId parameter. +// For detailed information about grants, including grant terminology, see Using +// grants (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html) +// in the Key Management Service Developer Guide . For examples of working with +// grants in several programming languages, see Programming grants (https://docs.aws.amazon.com/kms/latest/developerguide/programming-grants.html). +// +// Cross-account use: Yes. To perform this operation on a KMS key in a different +// Amazon Web Services account, specify the key ARN in the value of the KeyId +// parameter. // // Required permissions: kms:RevokeGrant (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy). @@ -6155,9 +6222,9 @@ func (c *KMS) RevokeGrantRequest(input *RevokeGrantInput) (req *request.Request, // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/RevokeGrant func (c *KMS) RevokeGrant(input *RevokeGrantInput) (*RevokeGrantOutput, error) { @@ -6225,49 +6292,49 @@ func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req * // ScheduleKeyDeletion API operation for AWS Key Management Service. // -// Schedules the deletion of a customer master key (CMK). By default, AWS KMS -// applies a waiting period of 30 days, but you can specify a waiting period -// of 7-30 days. When this operation is successful, the key state of the CMK -// changes to PendingDeletion and the key can't be used in any cryptographic -// operations. It remains in this state for the duration of the waiting period. -// Before the waiting period ends, you can use CancelKeyDeletion to cancel the -// deletion of the CMK. After the waiting period ends, AWS KMS deletes the CMK, -// its key material, and all AWS KMS data associated with it, including all -// aliases that refer to it. +// Schedules the deletion of a KMS key. By default, KMS applies a waiting period +// of 30 days, but you can specify a waiting period of 7-30 days. When this +// operation is successful, the key state of the KMS key changes to PendingDeletion +// and the key can't be used in any cryptographic operations. It remains in +// this state for the duration of the waiting period. Before the waiting period +// ends, you can use CancelKeyDeletion to cancel the deletion of the KMS key. +// After the waiting period ends, KMS deletes the KMS key, its key material, +// and all KMS data associated with it, including all aliases that refer to +// it. // -// Deleting a CMK is a destructive and potentially dangerous operation. When -// a CMK is deleted, all data that was encrypted under the CMK is unrecoverable. -// (The only exception is a multi-Region replica key.) To prevent the use of -// a CMK without deleting it, use DisableKey. +// Deleting a KMS key is a destructive and potentially dangerous operation. +// When a KMS key is deleted, all data that was encrypted under the KMS key +// is unrecoverable. (The only exception is a multi-Region replica key.) To +// prevent the use of a KMS key without deleting it, use DisableKey. // -// If you schedule deletion of a CMK from a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), -// when the waiting period expires, ScheduleKeyDeletion deletes the CMK from -// AWS KMS. Then AWS KMS makes a best effort to delete the key material from -// the associated AWS CloudHSM cluster. However, you might need to manually -// delete the orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) +// If you schedule deletion of a KMS key from a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), +// when the waiting period expires, ScheduleKeyDeletion deletes the KMS key +// from KMS. Then KMS makes a best effort to delete the key material from the +// associated CloudHSM cluster. However, you might need to manually delete the +// orphaned key material (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-orphaned-key) // from the cluster and its backups. // // You can schedule the deletion of a multi-Region primary key and its replica -// keys at any time. However, AWS KMS will not delete a multi-Region primary -// key with existing replica keys. If you schedule the deletion of a primary -// key with replicas, its key state changes to PendingReplicaDeletion and it -// cannot be replicated or used in cryptographic operations. This status can -// continue indefinitely. When the last of its replicas keys is deleted (not -// just scheduled), the key state of the primary key changes to PendingDeletion -// and its waiting period (PendingWindowInDays) begins. For details, see Deleting -// multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) -// in the AWS Key Management Service Developer Guide. +// keys at any time. However, KMS will not delete a multi-Region primary key +// with existing replica keys. If you schedule the deletion of a primary key +// with replicas, its key state changes to PendingReplicaDeletion and it cannot +// be replicated or used in cryptographic operations. This status can continue +// indefinitely. When the last of its replicas keys is deleted (not just scheduled), +// the key state of the primary key changes to PendingDeletion and its waiting +// period (PendingWindowInDays) begins. For details, see Deleting multi-Region +// keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-delete.html) +// in the Key Management Service Developer Guide. // -// For more information about scheduling a CMK for deletion, see Deleting Customer -// Master Keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) -// in the AWS Key Management Service Developer Guide. +// For more information about scheduling a KMS key for deletion, see Deleting +// KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/deleting-keys.html) +// in the Key Management Service Developer Guide. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:ScheduleKeyDeletion (key policy) // @@ -6305,9 +6372,9 @@ func (c *KMS) ScheduleKeyDeletionRequest(input *ScheduleKeyDeletionInput) (req * // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/ScheduleKeyDeletion func (c *KMS) ScheduleKeyDeletion(input *ScheduleKeyDeletionInput) (*ScheduleKeyDeletionOutput, error) { @@ -6377,23 +6444,24 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO // // Creates a digital signature (https://en.wikipedia.org/wiki/Digital_signature) // for a message or message digest by using the private key in an asymmetric -// CMK. To verify the signature, use the Verify operation, or use the public -// key in the same asymmetric CMK outside of AWS KMS. For information about -// symmetric and asymmetric CMKs, see Using Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// in the AWS Key Management Service Developer Guide. +// KMS key. To verify the signature, use the Verify operation, or use the public +// key in the same asymmetric KMS key outside of KMS. For information about +// symmetric and asymmetric KMS keys, see Using Symmetric and Asymmetric KMS +// keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) +// in the Key Management Service Developer Guide. // // Digital signatures are generated and verified by using asymmetric key pair, -// such as an RSA or ECC pair that is represented by an asymmetric customer -// master key (CMK). The key owner (or an authorized user) uses their private -// key to sign a message. Anyone with the public key can verify that the message -// was signed with that particular private key and that the message hasn't changed -// since it was signed. +// such as an RSA or ECC pair that is represented by an asymmetric KMS key. +// The key owner (or an authorized user) uses their private key to sign a message. +// Anyone with the public key can verify that the message was signed with that +// particular private key and that the message hasn't changed since it was signed. // // To use the Sign operation, provide the following information: // -// * Use the KeyId parameter to identify an asymmetric CMK with a KeyUsage -// value of SIGN_VERIFY. To get the KeyUsage value of a CMK, use the DescribeKey -// operation. The caller must have kms:Sign permission on the CMK. +// * Use the KeyId parameter to identify an asymmetric KMS key with a KeyUsage +// value of SIGN_VERIFY. To get the KeyUsage value of a KMS key, use the +// DescribeKey operation. The caller must have kms:Sign permission on the +// KMS key. // // * Use the Message parameter to specify the message or message digest to // sign. You can submit messages of up to 4096 bytes. To sign a larger message, @@ -6401,21 +6469,22 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO // in the Message parameter. To indicate whether the message is a full message // or a digest, use the MessageType parameter. // -// * Choose a signing algorithm that is compatible with the CMK. +// * Choose a signing algorithm that is compatible with the KMS key. // -// When signing a message, be sure to record the CMK and the signing algorithm. +// When signing a message, be sure to record the KMS key and the signing algorithm. // This information is required to verify the signature. // // To verify the signature that this operation generates, use the Verify operation. // Or use the GetPublicKey operation to download the public key and then use -// the public key to verify the signature outside of AWS KMS. +// the public key to verify the signature outside of KMS. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: Yes. To perform this operation with a CMK in a different -// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value +// of the KeyId parameter. // // Required permissions: kms:Sign (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -6435,11 +6504,11 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * KeyUnavailableException -// The request was rejected because the specified CMK was not available. You -// can retry the request. +// The request was rejected because the specified KMS key was not available. +// You can retry the request. // // * DependencyTimeoutException // The system timed out while trying to fulfill the request. The request can @@ -6448,17 +6517,18 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO // * InvalidKeyUsageException // The request was rejected for one of the following reasons: // -// * The KeyUsage value of the CMK is incompatible with the API operation. +// * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation -// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage -// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// To find the encryption or signing algorithms supported for a particular CMK, -// use the DescribeKey operation. +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKey operation. // // * InvalidGrantTokenException // The request was rejected because the specified grant token is not valid. @@ -6471,9 +6541,9 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Sign func (c *KMS) Sign(input *SignInput) (*SignOutput, error) { @@ -6542,37 +6612,37 @@ func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request, // TagResource API operation for AWS Key Management Service. // -// Adds or edits tags on a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). +// Adds or edits tags on a customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). // -// Tagging or untagging a CMK can allow or deny permission to the CMK. For details, -// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) -// in the AWS Key Management Service Developer Guide. +// Tagging or untagging a KMS key can allow or deny permission to the KMS key. +// For details, see Using ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) +// in the Key Management Service Developer Guide. // // Each tag consists of a tag key and a tag value, both of which are case-sensitive // strings. The tag value can be an empty (null) string. To add a tag, specify // a new tag key and a tag value. To edit a tag, specify an existing tag key // and a new tag value. // -// You can use this operation to tag a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk), -// but you cannot tag an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk), -// an AWS owned CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk), +// You can use this operation to tag a customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk), +// but you cannot tag an Amazon Web Services managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk), +// an Amazon Web Services owned key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-owned-cmk), // a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#keystore-concept), // or an alias (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#alias-concept). // -// You can also add tags to a CMK while creating it (CreateKey) or replicating +// You can also add tags to a KMS key while creating it (CreateKey) or replicating // it (ReplicateKey). // -// For information about using tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). +// For information about using tags in KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). // For general information about tags, including the format and syntax, see -// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) +// Tagging Amazon Web Services resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) // in the Amazon Web Services General Reference. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -6611,14 +6681,14 @@ func (c *KMS) TagResourceRequest(input *TagResourceInput) (req *request.Request, // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // * LimitExceededException // The request was rejected because a quota was exceeded. For more information, // see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // * TagException // The request was rejected because one or more tags are not valid. @@ -6690,29 +6760,29 @@ func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Requ // UntagResource API operation for AWS Key Management Service. // -// Deletes tags from a customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). -// To delete a tag, specify the tag key and the CMK. +// Deletes tags from a customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). +// To delete a tag, specify the tag key and the KMS key. // -// Tagging or untagging a CMK can allow or deny permission to the CMK. For details, -// see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) -// in the AWS Key Management Service Developer Guide. +// Tagging or untagging a KMS key can allow or deny permission to the KMS key. +// For details, see Using ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) +// in the Key Management Service Developer Guide. // // When it succeeds, the UntagResource operation doesn't return any output. -// Also, if the specified tag key isn't found on the CMK, it doesn't throw an -// exception or return a response. To confirm that the operation worked, use -// the ListResourceTags operation. +// Also, if the specified tag key isn't found on the KMS key, it doesn't throw +// an exception or return a response. To confirm that the operation worked, +// use the ListResourceTags operation. // -// For information about using tags in AWS KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). +// For information about using tags in KMS, see Tagging keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). // For general information about tags, including the format and syntax, see -// Tagging AWS resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) +// Tagging Amazon Web Services resources (https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html) // in the Amazon Web Services General Reference. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:UntagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -6751,9 +6821,9 @@ func (c *KMS) UntagResourceRequest(input *UntagResourceInput) (req *request.Requ // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // * TagException // The request was rejected because one or more tags are not valid. @@ -6825,35 +6895,35 @@ func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request, // UpdateAlias API operation for AWS Key Management Service. // -// Associates an existing AWS KMS alias with a different customer master key -// (CMK). Each alias is associated with only one CMK at a time, although a CMK -// can have multiple aliases. The alias and the CMK must be in the same AWS +// Associates an existing KMS alias with a different KMS key. Each alias is +// associated with only one KMS key at a time, although a KMS key can have multiple +// aliases. The alias and the KMS key must be in the same Amazon Web Services // account and Region. // // Adding, deleting, or updating an alias can allow or deny permission to the -// CMK. For details, see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) -// in the AWS Key Management Service Developer Guide. +// KMS key. For details, see Using ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) +// in the Key Management Service Developer Guide. // -// The current and new CMK must be the same type (both symmetric or both asymmetric), -// and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). This -// restriction prevents errors in code that uses aliases. If you must assign -// an alias to a different type of CMK, use DeleteAlias to delete the old alias -// and CreateAlias to create a new alias. +// The current and new KMS key must be the same type (both symmetric or both +// asymmetric), and they must have the same key usage (ENCRYPT_DECRYPT or SIGN_VERIFY). +// This restriction prevents errors in code that uses aliases. If you must assign +// an alias to a different type of KMS key, use DeleteAlias to delete the old +// alias and CreateAlias to create a new alias. // // You cannot use UpdateAlias to change an alias name. To change an alias name, // use DeleteAlias to delete the old alias and CreateAlias to create a new alias. // -// Because an alias is not a property of a CMK, you can create, update, and -// delete the aliases of a CMK without affecting the CMK. Also, aliases do not -// appear in the response from the DescribeKey operation. To get the aliases -// of all CMKs in the account, use the ListAliases operation. +// Because an alias is not a property of a KMS key, you can create, update, +// and delete the aliases of a KMS key without affecting the KMS key. Also, +// aliases do not appear in the response from the DescribeKey operation. To +// get the aliases of all KMS keys in the account, use the ListAliases operation. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions // @@ -6861,13 +6931,13 @@ func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request, // on the alias (IAM policy). // // * kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// on the current CMK (key policy). +// on the current KMS key (key policy). // // * kms:UpdateAlias (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) -// on the new CMK (key policy). +// on the new KMS key (key policy). // // For details, see Controlling access to aliases (https://docs.aws.amazon.com/kms/latest/developerguide/kms-alias.html#alias-access) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // Related operations: // @@ -6900,15 +6970,15 @@ func (c *KMS) UpdateAliasRequest(input *UpdateAliasInput) (req *request.Request, // * LimitExceededException // The request was rejected because a quota was exceeded. For more information, // see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. // // * InvalidStateException // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateAlias func (c *KMS) UpdateAlias(input *UpdateAliasInput) (*UpdateAliasOutput, error) { @@ -6992,28 +7062,28 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req // * Use the NewCustomKeyStoreName parameter to change the friendly name // of the custom key store to the value that you specify. // -// * Use the KeyStorePassword parameter tell AWS KMS the current password -// of the kmsuser crypto user (CU) (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) -// in the associated AWS CloudHSM cluster. You can use this parameter to -// fix connection failures (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password) -// that occur when AWS KMS cannot log into the associated cluster because -// the kmsuser password has changed. This value does not change the password -// in the AWS CloudHSM cluster. +// * Use the KeyStorePassword parameter tell KMS the current password of +// the kmsuser crypto user (CU) (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) +// in the associated CloudHSM cluster. You can use this parameter to fix +// connection failures (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-password) +// that occur when KMS cannot log into the associated cluster because the +// kmsuser password has changed. This value does not change the password +// in the CloudHSM cluster. // // * Use the CloudHsmClusterId parameter to associate the custom key store -// with a different, but related, AWS CloudHSM cluster. You can use this -// parameter to repair a custom key store if its AWS CloudHSM cluster becomes -// corrupted or is deleted, or when you need to create or restore a cluster -// from a backup. +// with a different, but related, CloudHSM cluster. You can use this parameter +// to repair a custom key store if its CloudHSM cluster becomes corrupted +// or is deleted, or when you need to create or restore a cluster from a +// backup. // // If the operation succeeds, it returns a JSON object with no properties. // // This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) -// feature in AWS KMS, which combines the convenience and extensive integration -// of AWS KMS with the isolation and control of a single-tenant key store. +// feature in KMS, which combines the convenience and extensive integration +// of KMS with the isolation and control of a single-tenant key store. // // Cross-account use: No. You cannot perform this operation on a custom key -// store in a different AWS account. +// store in a different Amazon Web Services account. // // Required permissions: kms:UpdateCustomKeyStore (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (IAM policy) @@ -7039,7 +7109,7 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req // // Returned Error Types: // * CustomKeyStoreNotFoundException -// The request was rejected because AWS KMS cannot find a custom key store with +// The request was rejected because KMS cannot find a custom key store with // the specified key store name or ID. // // * CustomKeyStoreNameInUseException @@ -7048,14 +7118,13 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req // key store name that is unique in the account. // // * CloudHsmClusterNotFoundException -// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster -// with the specified cluster ID. Retry the request with a different cluster -// ID. +// The request was rejected because KMS cannot find the CloudHSM cluster with +// the specified cluster ID. Retry the request with a different cluster ID. // // * CloudHsmClusterNotRelatedException -// The request was rejected because the specified AWS CloudHSM cluster has a -// different cluster certificate than the original cluster. You cannot use the -// operation to specify an unrelated cluster. +// The request was rejected because the specified CloudHSM cluster has a different +// cluster certificate than the original cluster. You cannot use the operation +// to specify an unrelated cluster. // // Specify a cluster that shares a backup history with the original cluster. // This includes clusters that were created from a backup of the current cluster, @@ -7090,15 +7159,15 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req // can be retried. // // * CloudHsmClusterNotActiveException -// The request was rejected because the AWS CloudHSM cluster that is associated +// The request was rejected because the CloudHSM cluster that is associated // with the custom key store is not active. Initialize and activate the cluster // and try the command again. For detailed instructions, see Getting Started // (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) -// in the AWS CloudHSM User Guide. +// in the CloudHSM User Guide. // // * CloudHsmClusterInvalidConfigurationException -// The request was rejected because the associated AWS CloudHSM cluster did -// not meet the configuration requirements for a custom key store. +// The request was rejected because the associated CloudHSM cluster did not +// meet the configuration requirements for a custom key store. // // * The cluster must be configured with private subnets in at least two // different Availability Zones in the Region. @@ -7113,20 +7182,19 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req // operation. // // * The cluster must contain at least as many HSMs as the operation requires. -// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) // operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey -// operations, the AWS CloudHSM cluster must have at least two active HSMs, -// each in a different Availability Zone. For the ConnectCustomKeyStore operation, -// the AWS CloudHSM must contain at least one active HSM. +// operations, the CloudHSM cluster must have at least two active HSMs, each +// in a different Availability Zone. For the ConnectCustomKeyStore operation, +// the CloudHSM must contain at least one active HSM. // -// For information about the requirements for an AWS CloudHSM cluster that is -// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) -// in the AWS Key Management Service Developer Guide. For information about -// creating a private subnet for an AWS CloudHSM cluster, see Create a Private -// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) -// in the AWS CloudHSM User Guide. For information about cluster security groups, +// For information about the requirements for an CloudHSM cluster that is associated +// with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the Key Management Service Developer Guide. For information about creating +// a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the CloudHSM User Guide. For information about cluster security groups, // see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) -// in the AWS CloudHSM User Guide . +// in the CloudHSM User Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateCustomKeyStore func (c *KMS) UpdateCustomKeyStore(input *UpdateCustomKeyStoreInput) (*UpdateCustomKeyStoreOutput, error) { @@ -7195,15 +7263,15 @@ func (c *KMS) UpdateKeyDescriptionRequest(input *UpdateKeyDescriptionInput) (req // UpdateKeyDescription API operation for AWS Key Management Service. // -// Updates the description of a customer master key (CMK). To see the description -// of a CMK, use DescribeKey. +// Updates the description of a KMS key. To see the description of a KMS key, +// use DescribeKey. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: No. You cannot perform this operation on a CMK in a different -// AWS account. +// Cross-account use: No. You cannot perform this operation on a KMS key in +// a different Amazon Web Services account. // // Required permissions: kms:UpdateKeyDescription (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -7242,9 +7310,9 @@ func (c *KMS) UpdateKeyDescriptionRequest(input *UpdateKeyDescriptionInput) (req // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/UpdateKeyDescription func (c *KMS) UpdateKeyDescription(input *UpdateKeyDescriptionInput) (*UpdateKeyDescriptionOutput, error) { @@ -7320,16 +7388,17 @@ func (c *KMS) UpdatePrimaryRegionRequest(input *UpdatePrimaryRegionInput) (req * // you have a primary key in us-east-1 and a replica key in eu-west-2. If you // run UpdatePrimaryRegion with a PrimaryRegion value of eu-west-2, the primary // key is now the key in eu-west-2, and the key in us-east-1 becomes a replica -// key. For details, see +// key. For details, see Updating the primary Region (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-manage.html#multi-region-update) +// in the Key Management Service Developer Guide. // -// This operation supports multi-Region keys, an AWS KMS feature that lets you -// create multiple interoperable CMKs in different AWS Regions. Because these -// CMKs have the same key ID, key material, and other metadata, you can use -// them to encrypt data in one AWS Region and decrypt it in a different AWS -// Region without making a cross-Region call or exposing the plaintext data. -// For more information about multi-Region keys, see Using multi-Region keys -// (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) -// in the AWS Key Management Service Developer Guide. +// This operation supports multi-Region keys, an KMS feature that lets you create +// multiple interoperable KMS keys in different Amazon Web Services Regions. +// Because these KMS keys have the same key ID, key material, and other metadata, +// you can use them interchangeably to encrypt data in one Amazon Web Services +// Region and decrypt it in a different Amazon Web Services Region without re-encrypting +// the data or making a cross-Region call. For more information about multi-Region +// keys, see Using multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) +// in the Key Management Service Developer Guide. // // The primary key of a multi-Region key is the source for properties that are // always shared by primary and replica keys, including the key material, key @@ -7340,13 +7409,13 @@ func (c *KMS) UpdatePrimaryRegionRequest(input *UpdatePrimaryRegionInput) (req * // and automatic key rotation (https://docs.aws.amazon.com/kms/latest/developerguide/rotate-keys.html). // It's the only key that can be replicated. You cannot delete the primary key // (https://docs.aws.amazon.com/kms/latest/APIReference/API_ScheduleKeyDeletion.html) -// until all replicas are deleted. +// until all replica keys are deleted. // // The key ID and primary Region that you specify uniquely identify the replica // key that will become the primary key. The primary Region must already have -// a replica key. This operation does not create a CMK in the specified Region. -// To find the replica keys, use the DescribeKey operation on the primary key -// or any replica key. To create a replica key, use the ReplicateKey operation. +// a replica key. This operation does not create a KMS key in the specified +// Region. To find the replica keys, use the DescribeKey operation on the primary +// key or any replica key. To create a replica key, use the ReplicateKey operation. // // You can run this operation while using the affected multi-Region keys in // cryptographic operations. This operation should not delay, interrupt, or @@ -7360,21 +7429,22 @@ func (c *KMS) UpdatePrimaryRegionRequest(input *UpdatePrimaryRegionInput) (req * // state is Updating, you can use the keys in cryptographic operations, but // you cannot replicate the new primary key or perform certain management operations, // such as enabling or disabling these keys. For details about the Updating -// key state, see Key state: Effect on your CMK (kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// key state, see Key state: Effect on your KMS key (kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // // This operation does not return any output. To verify that primary key is // changed, use the DescribeKey operation. // -// Cross-account use: No. You cannot use this operation in a different AWS account. +// Cross-account use: No. You cannot use this operation in a different Amazon +// Web Services account. // // Required permissions: // -// * kms:UpdatePrimaryRegion on the current primary CMK (in the primary CMK's -// Region). Include this permission primary CMK's key policy. +// * kms:UpdatePrimaryRegion on the current primary key (in the primary key's +// Region). Include this permission primary key's key policy. // -// * kms:UpdatePrimaryRegion on the current replica CMK (in the replica CMK's -// Region). Include this permission in the replica CMK's key policy. +// * kms:UpdatePrimaryRegion on the current replica key (in the replica key's +// Region). Include this permission in the replica key's key policy. // // Related operations // @@ -7391,7 +7461,7 @@ func (c *KMS) UpdatePrimaryRegionRequest(input *UpdatePrimaryRegionInput) (req * // // Returned Error Types: // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * InvalidArnException // The request was rejected because a specified ARN, or an ARN in a key policy, @@ -7401,9 +7471,9 @@ func (c *KMS) UpdatePrimaryRegionRequest(input *UpdatePrimaryRegionInput) (req * // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // * InternalException // The request was rejected because an internal exception occurred. The request @@ -7486,36 +7556,37 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V // Verifies a digital signature that was generated by the Sign operation. // // Verification confirms that an authorized user signed the message with the -// specified CMK and signing algorithm, and the message hasn't changed since +// specified KMS key and signing algorithm, and the message hasn't changed since // it was signed. If the signature is verified, the value of the SignatureValid // field in the response is True. If the signature verification fails, the Verify // operation fails with an KMSInvalidSignatureException exception. // // A digital signature is generated by using the private key in an asymmetric -// CMK. The signature is verified by using the public key in the same asymmetric -// CMK. For information about symmetric and asymmetric CMKs, see Using Symmetric -// and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) -// in the AWS Key Management Service Developer Guide. +// KMS key. The signature is verified by using the public key in the same asymmetric +// KMS key. For information about symmetric and asymmetric KMS keys, see Using +// Symmetric and Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) +// in the Key Management Service Developer Guide. // // To verify a digital signature, you can use the Verify operation. Specify -// the same asymmetric CMK, message, and signing algorithm that were used to -// produce the signature. +// the same asymmetric KMS key, message, and signing algorithm that were used +// to produce the signature. // // You can also verify the digital signature by using the public key of the -// CMK outside of AWS KMS. Use the GetPublicKey operation to download the public -// key in the asymmetric CMK and then use the public key to verify the signature -// outside of AWS KMS. The advantage of using the Verify operation is that it -// is performed within AWS KMS. As a result, it's easy to call, the operation -// is performed within the FIPS boundary, it is logged in AWS CloudTrail, and -// you can use key policy and IAM policy to determine who is authorized to use -// the CMK to verify signatures. +// KMS key outside of KMS. Use the GetPublicKey operation to download the public +// key in the asymmetric KMS key and then use the public key to verify the signature +// outside of KMS. The advantage of using the Verify operation is that it is +// performed within KMS. As a result, it's easy to call, the operation is performed +// within the FIPS boundary, it is logged in CloudTrail, and you can use key +// policy and IAM policy to determine who is authorized to use the KMS key to +// verify signatures. // -// The CMK that you use for this operation must be in a compatible key state. -// For details, see Key state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide. +// The KMS key that you use for this operation must be in a compatible key state. +// For details, see Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide. // -// Cross-account use: Yes. To perform this operation with a CMK in a different -// AWS account, specify the key ARN or alias ARN in the value of the KeyId parameter. +// Cross-account use: Yes. To perform this operation with a KMS key in a different +// Amazon Web Services account, specify the key ARN or alias ARN in the value +// of the KeyId parameter. // // Required permissions: kms:Verify (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // (key policy) @@ -7535,11 +7606,11 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V // be found. // // * DisabledException -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. // // * KeyUnavailableException -// The request was rejected because the specified CMK was not available. You -// can retry the request. +// The request was rejected because the specified KMS key was not available. +// You can retry the request. // // * DependencyTimeoutException // The system timed out while trying to fulfill the request. The request can @@ -7548,17 +7619,18 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V // * InvalidKeyUsageException // The request was rejected for one of the following reasons: // -// * The KeyUsage value of the CMK is incompatible with the API operation. +// * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation -// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage -// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// To find the encryption or signing algorithms supported for a particular CMK, -// use the DescribeKey operation. +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKey operation. // // * InvalidGrantTokenException // The request was rejected because the specified grant token is not valid. @@ -7571,14 +7643,14 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . // // * KMSInvalidSignatureException // The request was rejected because the signature verification failed. Signature // verification fails when it cannot confirm that signature was produced by -// signing the specified message with the specified CMK and signing algorithm. +// signing the specified message with the specified KMS key and signing algorithm. // // See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/Verify func (c *KMS) Verify(input *VerifyInput) (*VerifyOutput, error) { @@ -7616,11 +7688,12 @@ type AliasListEntry struct { // Region. Formatted as Unix time. CreationDate *time.Time `type:"timestamp"` - // Date and time that the alias was most recently associated with a CMK in the - // account and Region. Formatted as Unix time. + // Date and time that the alias was most recently associated with a KMS key + // in the account and Region. Formatted as Unix time. LastUpdatedDate *time.Time `type:"timestamp"` - // String that contains the key identifier of the CMK associated with the alias. + // String that contains the key identifier of the KMS key associated with the + // alias. TargetKeyId *string `min:"1" type:"string"` } @@ -7724,9 +7797,9 @@ func (s *AlreadyExistsException) RequestID() string { type CancelKeyDeletionInput struct { _ struct{} `type:"structure"` - // Identifies the customer master key (CMK) whose deletion is being canceled. + // Identifies the KMS key whose deletion is being canceled. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -7734,7 +7807,7 @@ type CancelKeyDeletionInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -7776,7 +7849,7 @@ type CancelKeyDeletionOutput struct { _ struct{} `type:"structure"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the CMK whose deletion is canceled. + // of the KMS key whose deletion is canceled. KeyId *string `min:"1" type:"string"` } @@ -7796,10 +7869,10 @@ func (s *CancelKeyDeletionOutput) SetKeyId(v string) *CancelKeyDeletionOutput { return s } -// The request was rejected because the specified AWS CloudHSM cluster is already +// The request was rejected because the specified CloudHSM cluster is already // associated with a custom key store or it shares a backup history with a cluster // that is associated with a custom key store. Each custom key store must be -// associated with a different AWS CloudHSM cluster. +// associated with a different CloudHSM cluster. // // Clusters that share a backup history have the same cluster certificate. To // view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) @@ -7859,8 +7932,8 @@ func (s *CloudHsmClusterInUseException) RequestID() string { return s.RespMetadata.RequestID } -// The request was rejected because the associated AWS CloudHSM cluster did -// not meet the configuration requirements for a custom key store. +// The request was rejected because the associated CloudHSM cluster did not +// meet the configuration requirements for a custom key store. // // * The cluster must be configured with private subnets in at least two // different Availability Zones in the Region. @@ -7875,20 +7948,19 @@ func (s *CloudHsmClusterInUseException) RequestID() string { // operation. // // * The cluster must contain at least as many HSMs as the operation requires. -// To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) +// To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) // operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey -// operations, the AWS CloudHSM cluster must have at least two active HSMs, -// each in a different Availability Zone. For the ConnectCustomKeyStore operation, -// the AWS CloudHSM must contain at least one active HSM. +// operations, the CloudHSM cluster must have at least two active HSMs, each +// in a different Availability Zone. For the ConnectCustomKeyStore operation, +// the CloudHSM must contain at least one active HSM. // -// For information about the requirements for an AWS CloudHSM cluster that is -// associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) -// in the AWS Key Management Service Developer Guide. For information about -// creating a private subnet for an AWS CloudHSM cluster, see Create a Private -// Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) -// in the AWS CloudHSM User Guide. For information about cluster security groups, +// For information about the requirements for an CloudHSM cluster that is associated +// with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) +// in the Key Management Service Developer Guide. For information about creating +// a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) +// in the CloudHSM User Guide. For information about cluster security groups, // see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) -// in the AWS CloudHSM User Guide . +// in the CloudHSM User Guide . type CloudHsmClusterInvalidConfigurationException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -7944,11 +8016,11 @@ func (s *CloudHsmClusterInvalidConfigurationException) RequestID() string { return s.RespMetadata.RequestID } -// The request was rejected because the AWS CloudHSM cluster that is associated +// The request was rejected because the CloudHSM cluster that is associated // with the custom key store is not active. Initialize and activate the cluster // and try the command again. For detailed instructions, see Getting Started // (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) -// in the AWS CloudHSM User Guide. +// in the CloudHSM User Guide. type CloudHsmClusterNotActiveException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -8004,9 +8076,8 @@ func (s *CloudHsmClusterNotActiveException) RequestID() string { return s.RespMetadata.RequestID } -// The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster -// with the specified cluster ID. Retry the request with a different cluster -// ID. +// The request was rejected because KMS cannot find the CloudHSM cluster with +// the specified cluster ID. Retry the request with a different cluster ID. type CloudHsmClusterNotFoundException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -8062,9 +8133,9 @@ func (s *CloudHsmClusterNotFoundException) RequestID() string { return s.RespMetadata.RequestID } -// The request was rejected because the specified AWS CloudHSM cluster has a -// different cluster certificate than the original cluster. You cannot use the -// operation to specify an unrelated cluster. +// The request was rejected because the specified CloudHSM cluster has a different +// cluster certificate than the original cluster. You cannot use the operation +// to specify an unrelated cluster. // // Specify a cluster that shares a backup history with the original cluster. // This includes clusters that were created from a backup of the current cluster, @@ -8194,21 +8265,21 @@ type CreateAliasInput struct { // The AliasName value must be string of 1-256 characters. It can contain only // alphanumeric characters, forward slashes (/), underscores (_), and dashes // (-). The alias name cannot begin with alias/aws/. The alias/aws/ prefix is - // reserved for AWS managed CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). + // reserved for Amazon Web Services managed keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). // // AliasName is a required field AliasName *string `min:"1" type:"string" required:"true"` - // Associates the alias with the specified customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). - // The CMK must be in the same AWS Region. + // Associates the alias with the specified customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk). + // The KMS key must be in the same Amazon Web Services Region. // - // A valid CMK ID is required. If you supply a null or empty string value, this + // A valid key ID is required. If you supply a null or empty string value, this // operation returns an error. // // For help finding the key ID and ARN, see Finding the Key ID and ARN (https://docs.aws.amazon.com/kms/latest/developerguide/viewing-keys.html#find-cmk-id-arn) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide . // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -8216,7 +8287,7 @@ type CreateAliasInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // TargetKeyId is a required field TargetKeyId *string `min:"1" type:"string" required:"true"` @@ -8283,28 +8354,28 @@ func (s CreateAliasOutput) GoString() string { type CreateCustomKeyStoreInput struct { _ struct{} `type:"structure"` - // Identifies the AWS CloudHSM cluster for the custom key store. Enter the cluster - // ID of any active AWS CloudHSM cluster that is not already associated with - // a custom key store. To find the cluster ID, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) + // Identifies the CloudHSM cluster for the custom key store. Enter the cluster + // ID of any active CloudHSM cluster that is not already associated with a custom + // key store. To find the cluster ID, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) // operation. // // CloudHsmClusterId is a required field CloudHsmClusterId *string `min:"19" type:"string" required:"true"` // Specifies a friendly name for the custom key store. The name must be unique - // in your AWS account. + // in your Amazon Web Services account. // // CustomKeyStoreName is a required field CustomKeyStoreName *string `min:"1" type:"string" required:"true"` // Enter the password of the kmsuser crypto user (CU) account (https://docs.aws.amazon.com/kms/latest/developerguide/key-store-concepts.html#concept-kmsuser) - // in the specified AWS CloudHSM cluster. AWS KMS logs into the cluster as this - // user to manage key material on your behalf. + // in the specified CloudHSM cluster. KMS logs into the cluster as this user + // to manage key material on your behalf. // // The password must be a string of 7 to 32 characters. Its value is case sensitive. // - // This parameter tells AWS KMS the kmsuser account password; it does not change - // the password in the AWS CloudHSM cluster. + // This parameter tells KMS the kmsuser account password; it does not change + // the password in the CloudHSM cluster. // // KeyStorePassword is a required field KeyStorePassword *string `min:"7" type:"string" required:"true" sensitive:"true"` @@ -8413,51 +8484,52 @@ type CreateGrantInput struct { // Specifies a grant constraint. // - // AWS KMS supports the EncryptionContextEquals and EncryptionContextSubset - // grant constraints. Each constraint value can include up to 8 encryption context + // KMS supports the EncryptionContextEquals and EncryptionContextSubset grant + // constraints. Each constraint value can include up to 8 encryption context // pairs. The encryption context value in each constraint cannot exceed 384 // characters. // - // These grant constraints allow a cryptographic operation (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - // only when the encryption context in the request matches (EncryptionContextEquals) - // or includes (EncryptionContextSubset) the encryption context specified in - // this structure. For more information about encryption context, see Encryption - // Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the AWS Key Management Service Developer Guide . For information about - // grant constraints, see Using grant constraints (https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints) - // in the AWS Key Management Service Developer Guide. + // These grant constraints allow the permissions in the grant only when the + // encryption context in the request matches (EncryptionContextEquals) or includes + // (EncryptionContextSubset) the encryption context specified in this structure. + // For information about grant constraints, see Using grant constraints (https://docs.aws.amazon.com/kms/latest/developerguide/create-grant-overview.html#grant-constraints) + // in the Key Management Service Developer Guide. For more information about + // encryption context, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) + // in the Key Management Service Developer Guide . // // The encryption context grant constraints are supported only on operations // that include an encryption context. You cannot use an encryption context - // grant constraint for cryptographic operations with asymmetric CMKs or for - // management operations, such as DescribeKey or RetireGrant. + // grant constraint for cryptographic operations with asymmetric KMS keys or + // for management operations, such as DescribeKey or RetireGrant. Constraints *GrantConstraints `type:"structure"` // A list of grant tokens. // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` // The identity that gets the permissions specified in the grant. // // To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM - // users, IAM roles, federated users, and assumed role users. For examples of - // the ARN syntax to use for specifying a principal, see AWS Identity and Access - // Management (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) - // in the Example ARNs section of the AWS General Reference. + // of an Amazon Web Services principal. Valid Amazon Web Services principals + // include Amazon Web Services accounts (root), IAM users, IAM roles, federated + // users, and assumed role users. For examples of the ARN syntax to use for + // specifying a principal, see Amazon Web Services Identity and Access Management + // (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) + // in the Example ARNs section of the Amazon Web Services General Reference. // // GranteePrincipal is a required field GranteePrincipal *string `min:"1" type:"string" required:"true"` - // Identifies the customer master key (CMK) for the grant. The grant gives principals - // permission to use this CMK. + // Identifies the KMS key for the grant. The grant gives principals permission + // to use this KMS key. // - // Specify the key ID or key ARN of the CMK. To specify a CMK in a different - // AWS account, you must use the key ARN. + // Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different + // Amazon Web Services account, you must use the key ARN. // // For example: // @@ -8465,7 +8537,7 @@ type CreateGrantInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -8486,25 +8558,31 @@ type CreateGrantInput struct { // A list of operations that the grant permits. // - // The operation must be supported on the CMK. For example, you cannot create - // a grant for a symmetric CMK that allows the Sign operation, or a grant for - // an asymmetric CMK that allows the GenerateDataKey operation. If you try, - // AWS KMS returns a ValidationError exception. For details, see Grant operations + // The operation must be supported on the KMS key. For example, you cannot create + // a grant for a symmetric KMS key that allows the Sign operation, or a grant + // for an asymmetric KMS key that allows the GenerateDataKey operation. If you + // try, KMS returns a ValidationError exception. For details, see Grant operations // (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-grant-operations) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. // // Operations is a required field Operations []*string `type:"list" required:"true"` - // The principal that is given permission to retire the grant by using RetireGrant - // operation. + // The principal that has permission to use the RetireGrant operation to retire + // the grant. // // To specify the principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM - // users, federated users, and assumed role users. For examples of the ARN syntax - // to use for specifying a principal, see AWS Identity and Access Management - // (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) - // in the Example ARNs section of the AWS General Reference. + // of an Amazon Web Services principal. Valid Amazon Web Services principals + // include Amazon Web Services accounts (root), IAM users, federated users, + // and assumed role users. For examples of the ARN syntax to use for specifying + // a principal, see Amazon Web Services Identity and Access Management (IAM) + // (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) + // in the Example ARNs section of the Amazon Web Services General Reference. + // + // The grant determines the retiring principal. Other principals might have + // permission to retire the grant or revoke the grant. For details, see RevokeGrant + // and Retiring and revoking grants (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#grant-delete) + // in the Key Management Service Developer Guide. RetiringPrincipal *string `min:"1" type:"string"` } @@ -8603,8 +8681,9 @@ type CreateGrantOutput struct { // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantToken *string `min:"1" type:"string"` } @@ -8635,61 +8714,79 @@ type CreateKeyInput struct { // A flag to indicate whether to bypass the key policy lockout safety check. // - // Setting this value to true increases the risk that the CMK becomes unmanageable. + // Setting this value to true increases the risk that the KMS key becomes unmanageable. // Do not set this value to true indiscriminately. // // For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) - // section in the AWS Key Management Service Developer Guide . + // section in the Key Management Service Developer Guide . // // Use this parameter only when you include a policy in the request and you // intend to prevent the principal that is making the request from making a - // subsequent PutKeyPolicy request on the CMK. + // subsequent PutKeyPolicy request on the KMS key. // // The default value is false. BypassPolicyLockoutSafetyCheck *bool `type:"boolean"` - // Creates the CMK in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) - // and the key material in its associated AWS CloudHSM cluster. To create a - // CMK in a custom key store, you must also specify the Origin parameter with - // a value of AWS_CLOUDHSM. The AWS CloudHSM cluster that is associated with - // the custom key store must have at least two active HSMs, each in a different + // Creates the KMS key in the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) + // and the key material in its associated CloudHSM cluster. To create a KMS + // key in a custom key store, you must also specify the Origin parameter with + // a value of AWS_CLOUDHSM. The CloudHSM cluster that is associated with the + // custom key store must have at least two active HSMs, each in a different // Availability Zone in the Region. // - // This parameter is valid only for symmetric CMKs and regional CMKs. You cannot - // create an asymmetric CMK or a multi-Region CMK in a custom key store. + // This parameter is valid only for symmetric KMS keys and regional KMS keys. + // You cannot create an asymmetric KMS key or a multi-Region key in a custom + // key store. // // To find the ID of a custom key store, use the DescribeCustomKeyStores operation. // - // The response includes the custom key store ID and the ID of the AWS CloudHSM + // The response includes the custom key store ID and the ID of the CloudHSM // cluster. // // This operation is part of the Custom Key Store feature (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) - // feature in AWS KMS, which combines the convenience and extensive integration - // of AWS KMS with the isolation and control of a single-tenant key store. + // feature in KMS, which combines the convenience and extensive integration + // of KMS with the isolation and control of a single-tenant key store. CustomKeyStoreId *string `min:"1" type:"string"` - // Specifies the type of CMK to create. The default value, SYMMETRIC_DEFAULT, - // creates a CMK with a 256-bit symmetric key for encryption and decryption. - // For help choosing a key spec for your CMK, see How to Choose Your CMK Configuration - // (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html) - // in the AWS Key Management Service Developer Guide. + // Instead, use the KeySpec parameter. // - // The CustomerMasterKeySpec determines whether the CMK contains a symmetric - // key or an asymmetric key pair. It also determines the encryption algorithms - // or signing algorithms that the CMK supports. You can't change the CustomerMasterKeySpec - // after the CMK is created. To further restrict the algorithms that can be - // used with the CMK, use a condition key in its key policy or IAM policy. For + // The KeySpec and CustomerMasterKeySpec parameters work the same way. Only + // the names differ. We recommend that you use KeySpec parameter in your code. + // However, to avoid breaking changes, KMS will support both parameters. + // + // Deprecated: This parameter has been deprecated. Instead, use the KeySpec parameter. + CustomerMasterKeySpec *string `deprecated:"true" type:"string" enum:"CustomerMasterKeySpec"` + + // A description of the KMS key. + // + // Use a description that helps you decide whether the KMS key is appropriate + // for a task. The default value is an empty string (no description). + // + // To set or change the description after the key is created, use UpdateKeyDescription. + Description *string `type:"string"` + + // Specifies the type of KMS key to create. The default value, SYMMETRIC_DEFAULT, + // creates a KMS key with a 256-bit symmetric key for encryption and decryption. + // For help choosing a key spec for your KMS key, see How to Choose Your KMS + // key Configuration (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-choose.html) + // in the Key Management Service Developer Guide . + // + // The KeySpec determines whether the KMS key contains a symmetric key or an + // asymmetric key pair. It also determines the encryption algorithms or signing + // algorithms that the KMS key supports. You can't change the KeySpec after + // the KMS key is created. To further restrict the algorithms that can be used + // with the KMS key, use a condition key in its key policy or IAM policy. For // more information, see kms:EncryptionAlgorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-algorithm) // or kms:Signing Algorithm (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-signing-algorithm) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide . // - // AWS services that are integrated with AWS KMS (http://aws.amazon.com/kms/features/#AWS_Service_Integration) - // use symmetric CMKs to protect your data. These services do not support asymmetric - // CMKs. For help determining whether a CMK is symmetric or asymmetric, see - // Identifying Symmetric and Asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html) - // in the AWS Key Management Service Developer Guide. + // Amazon Web Services services that are integrated with KMS (http://aws.amazon.com/kms/features/#AWS_Service_Integration) + // use symmetric KMS keys to protect your data. These services do not support + // asymmetric KMS keys. For help determining whether a KMS key is symmetric + // or asymmetric, see Identifying Symmetric and Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/find-symm-asymm.html) + // in the Key Management Service Developer Guide. // - // AWS KMS supports the following key specs for CMKs: + // KMS supports the following key specs for KMS keys: // // * Symmetric key (default) SYMMETRIC_DEFAULT (AES-256-GCM) // @@ -8700,118 +8797,115 @@ type CreateKeyInput struct { // // * Other asymmetric elliptic curve key pairs ECC_SECG_P256K1 (secp256k1), // commonly used for cryptocurrencies. - CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"` - - // A description of the CMK. - // - // Use a description that helps you decide whether the CMK is appropriate for - // a task. The default value is an empty string (no description). - Description *string `type:"string"` + KeySpec *string `type:"string" enum:"KeySpec"` // Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - // for which you can use the CMK. The default value is ENCRYPT_DECRYPT. This - // parameter is required only for asymmetric CMKs. You can't change the KeyUsage - // value after the CMK is created. + // for which you can use the KMS key. The default value is ENCRYPT_DECRYPT. + // This parameter is required only for asymmetric KMS keys. You can't change + // the KeyUsage value after the KMS key is created. // // Select only one valid value. // - // * For symmetric CMKs, omit the parameter or specify ENCRYPT_DECRYPT. + // * For symmetric KMS keys, omit the parameter or specify ENCRYPT_DECRYPT. // - // * For asymmetric CMKs with RSA key material, specify ENCRYPT_DECRYPT or - // SIGN_VERIFY. + // * For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT + // or SIGN_VERIFY. // - // * For asymmetric CMKs with ECC key material, specify SIGN_VERIFY. + // * For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. KeyUsage *string `type:"string" enum:"KeyUsageType"` - // Creates a multi-Region primary key that you can replicate into other AWS - // Regions. You cannot change this value after you create the CMK. + // Creates a multi-Region primary key that you can replicate into other Amazon + // Web Services Regions. You cannot change this value after you create the KMS + // key. // - // For a multi-Region key, set this parameter to True. For a single-Region CMK, - // omit this parameter or set it to False. The default value is False. + // For a multi-Region key, set this parameter to True. For a single-Region KMS + // key, omit this parameter or set it to False. The default value is False. // - // This operation supports multi-Region keys, an AWS KMS feature that lets you - // create multiple interoperable CMKs in different AWS Regions. Because these - // CMKs have the same key ID, key material, and other metadata, you can use - // them to encrypt data in one AWS Region and decrypt it in a different AWS - // Region without making a cross-Region call or exposing the plaintext data. - // For more information about multi-Region keys, see Using multi-Region keys - // (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) - // in the AWS Key Management Service Developer Guide. + // This operation supports multi-Region keys, an KMS feature that lets you create + // multiple interoperable KMS keys in different Amazon Web Services Regions. + // Because these KMS keys have the same key ID, key material, and other metadata, + // you can use them interchangeably to encrypt data in one Amazon Web Services + // Region and decrypt it in a different Amazon Web Services Region without re-encrypting + // the data or making a cross-Region call. For more information about multi-Region + // keys, see Using multi-Region keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) + // in the Key Management Service Developer Guide. // // This value creates a primary key, not a replica. To create a replica key, // use the ReplicateKey operation. // - // You can create a symmetric or asymmetric multi-Region CMK, and you can create - // a multi-Region CMK with imported key material. However, you cannot create - // a multi-Region CMK in a custom key store. + // You can create a symmetric or asymmetric multi-Region key, and you can create + // a multi-Region key with imported key material. However, you cannot create + // a multi-Region key in a custom key store. MultiRegion *bool `type:"boolean"` - // The source of the key material for the CMK. You cannot change the origin - // after you create the CMK. The default is AWS_KMS, which means that AWS KMS + // The source of the key material for the KMS key. You cannot change the origin + // after you create the KMS key. The default is AWS_KMS, which means that KMS // creates the key material. // - // To create a CMK with no key material (for imported key material), set the - // value to EXTERNAL. For more information about importing key material into - // AWS KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) - // in the AWS Key Management Service Developer Guide. This value is valid only - // for symmetric CMKs. + // To create a KMS key with no key material (for imported key material), set + // the value to EXTERNAL. For more information about importing key material + // into KMS, see Importing Key Material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html) + // in the Key Management Service Developer Guide. This value is valid only for + // symmetric KMS keys. // - // To create a CMK in an AWS KMS custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) - // and create its key material in the associated AWS CloudHSM cluster, set this + // To create a KMS key in an KMS custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) + // and create its key material in the associated CloudHSM cluster, set this // value to AWS_CLOUDHSM. You must also use the CustomKeyStoreId parameter to - // identify the custom key store. This value is valid only for symmetric CMKs. + // identify the custom key store. This value is valid only for symmetric KMS + // keys. Origin *string `type:"string" enum:"OriginType"` - // The key policy to attach to the CMK. + // The key policy to attach to the KMS key. // // If you provide a key policy, it must meet the following criteria: // // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy // must allow the principal that is making the CreateKey request to make - // a subsequent PutKeyPolicy request on the CMK. This reduces the risk that - // the CMK becomes unmanageable. For more information, refer to the scenario - // in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) - // section of the AWS Key Management Service Developer Guide . + // a subsequent PutKeyPolicy request on the KMS key. This reduces the risk + // that the KMS key becomes unmanageable. For more information, refer to + // the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section of the Key Management Service Developer Guide . // // * Each statement in the key policy must contain one or more principals. - // The principals in the key policy must exist and be visible to AWS KMS. - // When you create a new AWS principal (for example, an IAM user or role), - // you might need to enforce a delay before including the new principal in - // a key policy because the new principal might not be immediately visible - // to AWS KMS. For more information, see Changes that I make are not always - // immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) - // in the AWS Identity and Access Management User Guide. + // The principals in the key policy must exist and be visible to KMS. When + // you create a new Amazon Web Services principal (for example, an IAM user + // or role), you might need to enforce a delay before including the new principal + // in a key policy because the new principal might not be immediately visible + // to KMS. For more information, see Changes that I make are not always immediately + // visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) + // in the Amazon Web Services Identity and Access Management User Guide. // - // If you do not provide a key policy, AWS KMS attaches a default key policy - // to the CMK. For more information, see Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) - // in the AWS Key Management Service Developer Guide. + // If you do not provide a key policy, KMS attaches a default key policy to + // the KMS key. For more information, see Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) + // in the Key Management Service Developer Guide. // // The key policy size quota is 32 kilobytes (32768 bytes). // // For help writing and formatting a JSON policy document, see the IAM JSON // Policy Reference (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies.html) - // in the IAM User Guide . + // in the Identity and Access Management User Guide . Policy *string `min:"1" type:"string"` - // Assigns one or more tags to the CMK. Use this parameter to tag the CMK when - // it is created. To tag an existing CMK, use the TagResource operation. + // Assigns one or more tags to the KMS key. Use this parameter to tag the KMS + // key when it is created. To tag an existing KMS key, use the TagResource operation. // - // Tagging or untagging a CMK can allow or deny permission to the CMK. For details, - // see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) - // in the AWS Key Management Service Developer Guide. + // Tagging or untagging a KMS key can allow or deny permission to the KMS key. + // For details, see Using ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) + // in the Key Management Service Developer Guide. // // To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // permission in an IAM policy. // // Each tag consists of a tag key and a tag value. Both the tag key and the // tag value are required, but the tag value can be an empty (null) string. - // You cannot have more than one tag on a CMK with the same tag key. If you - // specify an existing tag key with a different tag value, AWS KMS replaces + // You cannot have more than one tag on a KMS key with the same tag key. If + // you specify an existing tag key with a different tag value, KMS replaces // the current tag value with the specified one. // - // When you assign tags to an AWS resource, AWS generates a cost allocation - // report with usage and costs aggregated by tags. Tags can also be used to - // control access to a CMK. For details, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). + // When you add tags to an Amazon Web Services resource, Amazon Web Services + // generates a cost allocation report with usage and costs aggregated by tags. + // Tags can also be used to control access to a KMS key. For details, see Tagging + // Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). Tags []*Tag `type:"list"` } @@ -8875,6 +8969,12 @@ func (s *CreateKeyInput) SetDescription(v string) *CreateKeyInput { return s } +// SetKeySpec sets the KeySpec field's value. +func (s *CreateKeyInput) SetKeySpec(v string) *CreateKeyInput { + s.KeySpec = &v + return s +} + // SetKeyUsage sets the KeyUsage field's value. func (s *CreateKeyInput) SetKeyUsage(v string) *CreateKeyInput { s.KeyUsage = &v @@ -8908,7 +9008,7 @@ func (s *CreateKeyInput) SetTags(v []*Tag) *CreateKeyInput { type CreateKeyOutput struct { _ struct{} `type:"structure"` - // Metadata associated with the CMK. + // Metadata associated with the KMS key. KeyMetadata *KeyMetadata `type:"structure"` } @@ -8928,10 +9028,10 @@ func (s *CreateKeyOutput) SetKeyMetadata(v *KeyMetadata) *CreateKeyOutput { return s } -// The request was rejected because the custom key store contains AWS KMS customer -// master keys (CMKs). After verifying that you do not need to use the CMKs, -// use the ScheduleKeyDeletion operation to delete the CMKs. After they are -// deleted, you can delete the custom key store. +// The request was rejected because the custom key store contains KMS keys. +// After verifying that you do not need to use the KMS keys, use the ScheduleKeyDeletion +// operation to delete the KMS keys. After they are deleted, you can delete +// the custom key store. type CustomKeyStoreHasCMKsException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -9117,7 +9217,7 @@ func (s *CustomKeyStoreNameInUseException) RequestID() string { return s.RespMetadata.RequestID } -// The request was rejected because AWS KMS cannot find a custom key store with +// The request was rejected because KMS cannot find a custom key store with // the specified key store name or ID. type CustomKeyStoreNotFoundException struct { _ struct{} `type:"structure"` @@ -9179,84 +9279,83 @@ func (s *CustomKeyStoreNotFoundException) RequestID() string { type CustomKeyStoresListEntry struct { _ struct{} `type:"structure"` - // A unique identifier for the AWS CloudHSM cluster that is associated with - // the custom key store. + // A unique identifier for the CloudHSM cluster that is associated with the + // custom key store. CloudHsmClusterId *string `min:"19" type:"string"` // Describes the connection error. This field appears in the response only when // the ConnectionState is FAILED. For help resolving these errors, see How to // Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed) - // in AWS Key Management Service Developer Guide. + // in Key Management Service Developer Guide. // // Valid values are: // - // * CLUSTER_NOT_FOUND - AWS KMS cannot find the AWS CloudHSM cluster with - // the specified cluster ID. + // * CLUSTER_NOT_FOUND - KMS cannot find the CloudHSM cluster with the specified + // cluster ID. // - // * INSUFFICIENT_CLOUDHSM_HSMS - The associated AWS CloudHSM cluster does - // not contain any active HSMs. To connect a custom key store to its AWS - // CloudHSM cluster, the cluster must contain at least one active HSM. + // * INSUFFICIENT_CLOUDHSM_HSMS - The associated CloudHSM cluster does not + // contain any active HSMs. To connect a custom key store to its CloudHSM + // cluster, the cluster must contain at least one active HSM. // - // * INTERNAL_ERROR - AWS KMS could not complete the request due to an internal + // * INTERNAL_ERROR - KMS could not complete the request due to an internal // error. Retry the request. For ConnectCustomKeyStore requests, disconnect // the custom key store before trying to connect again. // - // * INVALID_CREDENTIALS - AWS KMS does not have the correct password for - // the kmsuser crypto user in the AWS CloudHSM cluster. Before you can connect - // your custom key store to its AWS CloudHSM cluster, you must change the - // kmsuser account password and update the key store password value for the - // custom key store. + // * INVALID_CREDENTIALS - KMS does not have the correct password for the + // kmsuser crypto user in the CloudHSM cluster. Before you can connect your + // custom key store to its CloudHSM cluster, you must change the kmsuser + // account password and update the key store password value for the custom + // key store. // - // * NETWORK_ERRORS - Network errors are preventing AWS KMS from connecting - // to the custom key store. + // * NETWORK_ERRORS - Network errors are preventing KMS from connecting to + // the custom key store. // - // * SUBNET_NOT_FOUND - A subnet in the AWS CloudHSM cluster configuration - // was deleted. If AWS KMS cannot find all of the subnets in the cluster - // configuration, attempts to connect the custom key store to the AWS CloudHSM - // cluster fail. To fix this error, create a cluster from a recent backup - // and associate it with your custom key store. (This process creates a new - // cluster configuration with a VPC and private subnets.) For details, see - // How to Fix a Connection Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed) - // in the AWS Key Management Service Developer Guide. + // * SUBNET_NOT_FOUND - A subnet in the CloudHSM cluster configuration was + // deleted. If KMS cannot find all of the subnets in the cluster configuration, + // attempts to connect the custom key store to the CloudHSM cluster fail. + // To fix this error, create a cluster from a recent backup and associate + // it with your custom key store. (This process creates a new cluster configuration + // with a VPC and private subnets.) For details, see How to Fix a Connection + // Failure (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#fix-keystore-failed) + // in the Key Management Service Developer Guide. // // * USER_LOCKED_OUT - The kmsuser CU account is locked out of the associated - // AWS CloudHSM cluster due to too many failed password attempts. Before - // you can connect your custom key store to its AWS CloudHSM cluster, you - // must change the kmsuser account password and update the key store password - // value for the custom key store. + // CloudHSM cluster due to too many failed password attempts. Before you + // can connect your custom key store to its CloudHSM cluster, you must change + // the kmsuser account password and update the key store password value for + // the custom key store. // // * USER_LOGGED_IN - The kmsuser CU account is logged into the the associated - // AWS CloudHSM cluster. This prevents AWS KMS from rotating the kmsuser - // account password and logging into the cluster. Before you can connect - // your custom key store to its AWS CloudHSM cluster, you must log the kmsuser - // CU out of the cluster. If you changed the kmsuser password to log into - // the cluster, you must also and update the key store password value for - // the custom key store. For help, see How to Log Out and Reconnect (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2) - // in the AWS Key Management Service Developer Guide. + // CloudHSM cluster. This prevents KMS from rotating the kmsuser account + // password and logging into the cluster. Before you can connect your custom + // key store to its CloudHSM cluster, you must log the kmsuser CU out of + // the cluster. If you changed the kmsuser password to log into the cluster, + // you must also and update the key store password value for the custom key + // store. For help, see How to Log Out and Reconnect (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html#login-kmsuser-2) + // in the Key Management Service Developer Guide. // - // * USER_NOT_FOUND - AWS KMS cannot find a kmsuser CU account in the associated - // AWS CloudHSM cluster. Before you can connect your custom key store to - // its AWS CloudHSM cluster, you must create a kmsuser CU account in the - // cluster, and then update the key store password value for the custom key - // store. + // * USER_NOT_FOUND - KMS cannot find a kmsuser CU account in the associated + // CloudHSM cluster. Before you can connect your custom key store to its + // CloudHSM cluster, you must create a kmsuser CU account in the cluster, + // and then update the key store password value for the custom key store. ConnectionErrorCode *string `type:"string" enum:"ConnectionErrorCodeType"` - // Indicates whether the custom key store is connected to its AWS CloudHSM cluster. + // Indicates whether the custom key store is connected to its CloudHSM cluster. // - // You can create and use CMKs in your custom key stores only when its connection + // You can create and use KMS keys in your custom key stores only when its connection // state is CONNECTED. // // The value is DISCONNECTED if the key store has never been connected or you // use the DisconnectCustomKeyStore operation to disconnect it. If the value // is CONNECTED but you are having trouble using the custom key store, make - // sure that its associated AWS CloudHSM cluster is active and contains at least + // sure that its associated CloudHSM cluster is active and contains at least // one active HSM. // // A value of FAILED indicates that an attempt to connect was unsuccessful. // The ConnectionErrorCode field in the response indicates the cause of the // failure. For help resolving a connection failure, see Troubleshooting a Custom // Key Store (https://docs.aws.amazon.com/kms/latest/developerguide/fix-keystore.html) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. ConnectionState *string `type:"string" enum:"ConnectionStateType"` // The date and time when the custom key store was created. @@ -9268,8 +9367,8 @@ type CustomKeyStoresListEntry struct { // The user-specified friendly name for the custom key store. CustomKeyStoreName *string `min:"1" type:"string"` - // The trust anchor certificate of the associated AWS CloudHSM cluster. When - // you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), + // The trust anchor certificate of the associated CloudHSM cluster. When you + // initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), // you create this certificate and save it in the customerCA.crt file. TrustAnchorCertificate *string `min:"1" type:"string"` } @@ -9341,47 +9440,47 @@ type DecryptInput struct { // a different algorithm, the Decrypt operation fails. // // This parameter is required only when the ciphertext was encrypted under an - // asymmetric CMK. The default value, SYMMETRIC_DEFAULT, represents the only - // supported algorithm that is valid for symmetric CMKs. + // asymmetric KMS key. The default value, SYMMETRIC_DEFAULT, represents the + // only supported algorithm that is valid for symmetric KMS keys. EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` // Specifies the encryption context to use when decrypting the data. An encryption // context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - // with a symmetric CMK. The standard asymmetric encryption algorithms that - // AWS KMS uses do not support an encryption context. + // with a symmetric KMS key. The standard asymmetric encryption algorithms that + // KMS uses do not support an encryption context. // // An encryption context is a collection of non-secret key-value pairs that // represents additional authenticated data. When you use an encryption context // to encrypt data, you must specify the same (an exact case-sensitive match) // encryption context to decrypt the data. An encryption context is optional - // when encrypting with a symmetric CMK, but it is highly recommended. + // when encrypting with a symmetric KMS key, but it is highly recommended. // // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. EncryptionContext map[string]*string `type:"map"` // A list of grant tokens. // // Use a grant token when your permission to call this operation comes from - // a newly created grant that has not yet achieved eventual consistency. Use - // a grant token when your permission to call this operation comes from a new - // grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // a new grant that has not yet achieved eventual consistency. For more information, + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // Specifies the customer master key (CMK) that AWS KMS uses to decrypt the - // ciphertext. Enter a key ID of the CMK that was used to encrypt the ciphertext. + // Specifies the KMS key that KMS uses to decrypt the ciphertext. Enter a key + // ID of the KMS key that was used to encrypt the ciphertext. // // This parameter is required only when the ciphertext was encrypted under an - // asymmetric CMK. If you used a symmetric CMK, AWS KMS can get the CMK from - // metadata that it adds to the symmetric ciphertext blob. However, it is always - // recommended as a best practice. This practice ensures that you use the CMK - // that you intend. + // asymmetric KMS key. If you used a symmetric KMS key, KMS can get the KMS + // key from metadata that it adds to the symmetric ciphertext blob. However, + // it is always recommended as a best practice. This practice ensures that you + // use the KMS key that you intend. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -9393,8 +9492,8 @@ type DecryptInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. KeyId *string `min:"1" type:"string"` } @@ -9464,11 +9563,11 @@ type DecryptOutput struct { EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the CMK that was used to decrypt the ciphertext. + // of the KMS key that was used to decrypt the ciphertext. KeyId *string `min:"1" type:"string"` - // Decrypted plaintext data. When you use the HTTP API or the AWS CLI, the value - // is Base64-encoded. Otherwise, it is not Base64-encoded. + // Decrypted plaintext data. When you use the HTTP API or the Amazon Web Services + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. // // Plaintext is automatically base64 encoded/decoded by the SDK. Plaintext []byte `min:"1" type:"blob" sensitive:"true"` @@ -9617,10 +9716,10 @@ func (s DeleteCustomKeyStoreOutput) GoString() string { type DeleteImportedKeyMaterialInput struct { _ struct{} `type:"structure"` - // Identifies the CMK from which you are deleting imported key material. The - // Origin of the CMK must be EXTERNAL. + // Identifies the KMS key from which you are deleting imported key material. + // The Origin of the KMS key must be EXTERNAL. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -9628,7 +9727,7 @@ type DeleteImportedKeyMaterialInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -9759,7 +9858,7 @@ type DescribeCustomKeyStoresInput struct { CustomKeyStoreName *string `min:"1" type:"string"` // Use this parameter to specify the maximum number of items to return. When - // this value is present, AWS KMS does not return more than the specified number + // this value is present, KMS does not return more than the specified number // of items, but it might return fewer. Limit *int64 `min:"1" type:"integer"` @@ -9877,19 +9976,22 @@ type DescribeKeyInput struct { // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // Describes the specified customer master key (CMK). + // Describes the specified KMS key. // - // If you specify a predefined AWS alias (an AWS alias with no key ID), KMS - // associates the alias with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) + // If you specify a predefined Amazon Web Services alias (an Amazon Web Services + // alias with no key ID), KMS associates the alias with an Amazon Web Services + // managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html##aws-managed-cmk) // and returns its KeyId and Arn in the response. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -9901,8 +10003,8 @@ type DescribeKeyInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -9972,9 +10074,9 @@ func (s *DescribeKeyOutput) SetKeyMetadata(v *KeyMetadata) *DescribeKeyOutput { type DisableKeyInput struct { _ struct{} `type:"structure"` - // Identifies the customer master key (CMK) to disable. + // Identifies the KMS key to disable. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -9982,7 +10084,7 @@ type DisableKeyInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -10037,12 +10139,12 @@ func (s DisableKeyOutput) GoString() string { type DisableKeyRotationInput struct { _ struct{} `type:"structure"` - // Identifies a symmetric customer master key (CMK). You cannot enable or disable - // automatic rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks), - // CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), - // or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). + // Identifies a symmetric KMS key. You cannot enable or disable automatic rotation + // of asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html#asymmetric-cmks), + // KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), + // or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -10050,7 +10152,7 @@ type DisableKeyRotationInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -10102,7 +10204,7 @@ func (s DisableKeyRotationOutput) GoString() string { return s.String() } -// The request was rejected because the specified CMK is not enabled. +// The request was rejected because the specified KMS key is not enabled. type DisabledException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -10217,9 +10319,9 @@ func (s DisconnectCustomKeyStoreOutput) GoString() string { type EnableKeyInput struct { _ struct{} `type:"structure"` - // Identifies the customer master key (CMK) to enable. + // Identifies the KMS key to enable. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -10227,7 +10329,7 @@ type EnableKeyInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -10282,15 +10384,15 @@ func (s EnableKeyOutput) GoString() string { type EnableKeyRotationInput struct { _ struct{} `type:"structure"` - // Identifies a symmetric customer master key (CMK). You cannot enable automatic - // rotation of asymmetric CMKs (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), - // CMKs with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), - // or CMKs in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). + // Identifies a symmetric KMS key. You cannot enable automatic rotation of asymmetric + // KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#asymmetric-cmks), + // KMS keys with imported key material (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys.html), + // or KMS keys in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). // To enable or disable automatic rotation of a set of related multi-Region // keys (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html#mrk-replica-key), // set the property on the primary key. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -10298,7 +10400,7 @@ type EnableKeyRotationInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -10353,42 +10455,44 @@ func (s EnableKeyRotationOutput) GoString() string { type EncryptInput struct { _ struct{} `type:"structure"` - // Specifies the encryption algorithm that AWS KMS will use to encrypt the plaintext - // message. The algorithm must be compatible with the CMK that you specify. + // Specifies the encryption algorithm that KMS will use to encrypt the plaintext + // message. The algorithm must be compatible with the KMS key that you specify. // - // This parameter is required only for asymmetric CMKs. The default value, SYMMETRIC_DEFAULT, - // is the algorithm used for symmetric CMKs. If you are using an asymmetric - // CMK, we recommend RSAES_OAEP_SHA_256. + // This parameter is required only for asymmetric KMS keys. The default value, + // SYMMETRIC_DEFAULT, is the algorithm used for symmetric KMS keys. If you are + // using an asymmetric KMS key, we recommend RSAES_OAEP_SHA_256. EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` // Specifies the encryption context that will be used to encrypt the data. An // encryption context is valid only for cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - // with a symmetric CMK. The standard asymmetric encryption algorithms that - // AWS KMS uses do not support an encryption context. + // with a symmetric KMS key. The standard asymmetric encryption algorithms that + // KMS uses do not support an encryption context. // // An encryption context is a collection of non-secret key-value pairs that // represents additional authenticated data. When you use an encryption context // to encrypt data, you must specify the same (an exact case-sensitive match) // encryption context to decrypt the data. An encryption context is optional - // when encrypting with a symmetric CMK, but it is highly recommended. + // when encrypting with a symmetric KMS key, but it is highly recommended. // // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. EncryptionContext map[string]*string `type:"map"` // A list of grant tokens. // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // Identifies the customer master key (CMK) to use in the encryption operation. + // Identifies the KMS key to use in the encryption operation. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -10400,8 +10504,8 @@ type EncryptInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -10479,8 +10583,8 @@ func (s *EncryptInput) SetPlaintext(v []byte) *EncryptInput { type EncryptOutput struct { _ struct{} `type:"structure"` - // The encrypted plaintext. When you use the HTTP API or the AWS CLI, the value - // is Base64-encoded. Otherwise, it is not Base64-encoded. + // The encrypted plaintext. When you use the HTTP API or the Amazon Web Services + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. // // CiphertextBlob is automatically base64 encoded/decoded by the SDK. CiphertextBlob []byte `min:"1" type:"blob"` @@ -10489,7 +10593,7 @@ type EncryptOutput struct { EncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the CMK that was used to encrypt the plaintext. + // of the KMS key that was used to encrypt the plaintext. KeyId *string `min:"1" type:"string"` } @@ -10589,25 +10693,27 @@ type GenerateDataKeyInput struct { // represents additional authenticated data. When you use an encryption context // to encrypt data, you must specify the same (an exact case-sensitive match) // encryption context to decrypt the data. An encryption context is optional - // when encrypting with a symmetric CMK, but it is highly recommended. + // when encrypting with a symmetric KMS key, but it is highly recommended. // // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. EncryptionContext map[string]*string `type:"map"` // A list of grant tokens. // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // Identifies the symmetric CMK that encrypts the data key. + // Identifies the symmetric KMS key that encrypts the data key. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -10619,8 +10725,8 @@ type GenerateDataKeyInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -10703,20 +10809,20 @@ func (s *GenerateDataKeyInput) SetNumberOfBytes(v int64) *GenerateDataKeyInput { type GenerateDataKeyOutput struct { _ struct{} `type:"structure"` - // The encrypted copy of the data key. When you use the HTTP API or the AWS - // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. + // The encrypted copy of the data key. When you use the HTTP API or the Amazon + // Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. // // CiphertextBlob is automatically base64 encoded/decoded by the SDK. CiphertextBlob []byte `min:"1" type:"blob"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the CMK that encrypted the data key. + // of the KMS key that encrypted the data key. KeyId *string `min:"1" type:"string"` - // The plaintext data key. When you use the HTTP API or the AWS CLI, the value - // is Base64-encoded. Otherwise, it is not Base64-encoded. Use this data key - // to encrypt your data outside of KMS. Then, remove it from memory as soon - // as possible. + // The plaintext data key. When you use the HTTP API or the Amazon Web Services + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. Use + // this data key to encrypt your data outside of KMS. Then, remove it from memory + // as soon as possible. // // Plaintext is automatically base64 encoded/decoded by the SDK. Plaintext []byte `min:"1" type:"blob" sensitive:"true"` @@ -10760,27 +10866,30 @@ type GenerateDataKeyPairInput struct { // represents additional authenticated data. When you use an encryption context // to encrypt data, you must specify the same (an exact case-sensitive match) // encryption context to decrypt the data. An encryption context is optional - // when encrypting with a symmetric CMK, but it is highly recommended. + // when encrypting with a symmetric KMS key, but it is highly recommended. // // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. EncryptionContext map[string]*string `type:"map"` // A list of grant tokens. // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // Specifies the symmetric CMK that encrypts the private key in the data key - // pair. You cannot specify an asymmetric CMK or a CMK in a custom key store. - // To get the type and origin of your CMK, use the DescribeKey operation. + // Specifies the symmetric KMS key that encrypts the private key in the data + // key pair. You cannot specify an asymmetric KMS key or a KMS key in a custom + // key store. To get the type and origin of your KMS key, use the DescribeKey + // operation. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -10792,18 +10901,18 @@ type GenerateDataKeyPairInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` // Determines the type of data key pair that is generated. // - // The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt + // The KMS rule that restricts the use of asymmetric RSA KMS keys to encrypt // and decrypt or to sign and verify (but not both), and the rule that permits - // you to use ECC CMKs only to sign and verify, are not effective outside of - // AWS KMS. + // you to use ECC KMS keys only to sign and verify, are not effective on data + // key pairs, which are used outside of KMS. // // KeyPairSpec is a required field KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"` @@ -10866,20 +10975,20 @@ type GenerateDataKeyPairOutput struct { _ struct{} `type:"structure"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the CMK that encrypted the private key. + // of the KMS key that encrypted the private key. KeyId *string `min:"1" type:"string"` // The type of data key pair that was generated. KeyPairSpec *string `type:"string" enum:"DataKeyPairSpec"` - // The encrypted copy of the private key. When you use the HTTP API or the AWS - // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. + // The encrypted copy of the private key. When you use the HTTP API or the Amazon + // Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. // // PrivateKeyCiphertextBlob is automatically base64 encoded/decoded by the SDK. PrivateKeyCiphertextBlob []byte `min:"1" type:"blob"` - // The plaintext copy of the private key. When you use the HTTP API or the AWS - // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. + // The plaintext copy of the private key. When you use the HTTP API or the Amazon + // Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. // // PrivateKeyPlaintext is automatically base64 encoded/decoded by the SDK. PrivateKeyPlaintext []byte `min:"1" type:"blob" sensitive:"true"` @@ -10940,28 +11049,30 @@ type GenerateDataKeyPairWithoutPlaintextInput struct { // represents additional authenticated data. When you use an encryption context // to encrypt data, you must specify the same (an exact case-sensitive match) // encryption context to decrypt the data. An encryption context is optional - // when encrypting with a symmetric CMK, but it is highly recommended. + // when encrypting with a symmetric KMS key, but it is highly recommended. // // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. EncryptionContext map[string]*string `type:"map"` // A list of grant tokens. // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // Specifies the CMK that encrypts the private key in the data key pair. You - // must specify a symmetric CMK. You cannot use an asymmetric CMK or a CMK in - // a custom key store. To get the type and origin of your CMK, use the DescribeKey - // operation. + // Specifies the KMS key that encrypts the private key in the data key pair. + // You must specify a symmetric KMS key. You cannot use an asymmetric KMS key + // or a KMS key in a custom key store. To get the type and origin of your KMS + // key, use the DescribeKey operation. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -10973,18 +11084,18 @@ type GenerateDataKeyPairWithoutPlaintextInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` // Determines the type of data key pair that is generated. // - // The AWS KMS rule that restricts the use of asymmetric RSA CMKs to encrypt + // The KMS rule that restricts the use of asymmetric RSA KMS keys to encrypt // and decrypt or to sign and verify (but not both), and the rule that permits - // you to use ECC CMKs only to sign and verify, are not effective outside of - // AWS KMS. + // you to use ECC KMS keys only to sign and verify, are not effective on data + // key pairs, which are used outside of KMS. // // KeyPairSpec is a required field KeyPairSpec *string `type:"string" required:"true" enum:"DataKeyPairSpec"` @@ -11047,14 +11158,14 @@ type GenerateDataKeyPairWithoutPlaintextOutput struct { _ struct{} `type:"structure"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the CMK that encrypted the private key. + // of the KMS key that encrypted the private key. KeyId *string `min:"1" type:"string"` // The type of data key pair that was generated. KeyPairSpec *string `type:"string" enum:"DataKeyPairSpec"` - // The encrypted copy of the private key. When you use the HTTP API or the AWS - // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. + // The encrypted copy of the private key. When you use the HTTP API or the Amazon + // Web Services CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. // // PrivateKeyCiphertextBlob is automatically base64 encoded/decoded by the SDK. PrivateKeyCiphertextBlob []byte `min:"1" type:"blob"` @@ -11109,26 +11220,27 @@ type GenerateDataKeyWithoutPlaintextInput struct { // represents additional authenticated data. When you use an encryption context // to encrypt data, you must specify the same (an exact case-sensitive match) // encryption context to decrypt the data. An encryption context is optional - // when encrypting with a symmetric CMK, but it is highly recommended. + // when encrypting with a symmetric KMS key, but it is highly recommended. // // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. EncryptionContext map[string]*string `type:"map"` // A list of grant tokens. // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // The identifier of the symmetric customer master key (CMK) that encrypts the - // data key. + // The identifier of the symmetric KMS key that encrypts the data key. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -11140,8 +11252,8 @@ type GenerateDataKeyWithoutPlaintextInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -11219,14 +11331,14 @@ func (s *GenerateDataKeyWithoutPlaintextInput) SetNumberOfBytes(v int64) *Genera type GenerateDataKeyWithoutPlaintextOutput struct { _ struct{} `type:"structure"` - // The encrypted data key. When you use the HTTP API or the AWS CLI, the value - // is Base64-encoded. Otherwise, it is not Base64-encoded. + // The encrypted data key. When you use the HTTP API or the Amazon Web Services + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. // // CiphertextBlob is automatically base64 encoded/decoded by the SDK. CiphertextBlob []byte `min:"1" type:"blob"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the CMK that encrypted the data key. + // of the KMS key that encrypted the data key. KeyId *string `min:"1" type:"string"` } @@ -11255,7 +11367,7 @@ func (s *GenerateDataKeyWithoutPlaintextOutput) SetKeyId(v string) *GenerateData type GenerateRandomInput struct { _ struct{} `type:"structure"` - // Generates the random byte string in the AWS CloudHSM cluster that is associated + // Generates the random byte string in the CloudHSM cluster that is associated // with the specified custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html). // To find the ID of a custom key store, use the DescribeCustomKeyStores operation. CustomKeyStoreId *string `min:"1" type:"string"` @@ -11305,8 +11417,8 @@ func (s *GenerateRandomInput) SetNumberOfBytes(v int64) *GenerateRandomInput { type GenerateRandomOutput struct { _ struct{} `type:"structure"` - // The random byte string. When you use the HTTP API or the AWS CLI, the value - // is Base64-encoded. Otherwise, it is not Base64-encoded. + // The random byte string. When you use the HTTP API or the Amazon Web Services + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. // // Plaintext is automatically base64 encoded/decoded by the SDK. Plaintext []byte `min:"1" type:"blob" sensitive:"true"` @@ -11331,9 +11443,9 @@ func (s *GenerateRandomOutput) SetPlaintext(v []byte) *GenerateRandomOutput { type GetKeyPolicyInput struct { _ struct{} `type:"structure"` - // Gets the key policy for the specified customer master key (CMK). + // Gets the key policy for the specified KMS key. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -11341,7 +11453,7 @@ type GetKeyPolicyInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -11423,10 +11535,10 @@ func (s *GetKeyPolicyOutput) SetPolicy(v string) *GetKeyPolicyOutput { type GetKeyRotationStatusInput struct { _ struct{} `type:"structure"` - // Gets the rotation status for the specified customer master key (CMK). + // Gets the rotation status for the specified KMS key. // - // Specify the key ID or key ARN of the CMK. To specify a CMK in a different - // AWS account, you must use the key ARN. + // Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different + // Amazon Web Services account, you must use the key ARN. // // For example: // @@ -11434,7 +11546,7 @@ type GetKeyRotationStatusInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -11498,10 +11610,10 @@ func (s *GetKeyRotationStatusOutput) SetKeyRotationEnabled(v bool) *GetKeyRotati type GetParametersForImportInput struct { _ struct{} `type:"structure"` - // The identifier of the symmetric CMK into which you will import key material. - // The Origin of the CMK must be EXTERNAL. + // The identifier of the symmetric KMS key into which you will import key material. + // The Origin of the KMS key must be EXTERNAL. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -11509,7 +11621,7 @@ type GetParametersForImportInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -11517,7 +11629,7 @@ type GetParametersForImportInput struct { // The algorithm you will use to encrypt the key material before importing it // with ImportKeyMaterial. For more information, see Encrypt the Key Material // (https://docs.aws.amazon.com/kms/latest/developerguide/importing-keys-encrypt-key-material.html) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. // // WrappingAlgorithm is a required field WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"` @@ -11588,8 +11700,8 @@ type GetParametersForImportOutput struct { ImportToken []byte `min:"1" type:"blob"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the CMK to use in a subsequent ImportKeyMaterial request. This is the - // same CMK specified in the GetParametersForImport request. + // of the KMS key to use in a subsequent ImportKeyMaterial request. This is + // the same KMS key specified in the GetParametersForImport request. KeyId *string `min:"1" type:"string"` // The time at which the import token and public key are no longer valid. After @@ -11645,15 +11757,17 @@ type GetPublicKeyInput struct { // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // Identifies the asymmetric CMK that includes the public key. + // Identifies the asymmetric KMS key that includes the public key. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -11665,8 +11779,8 @@ type GetPublicKeyInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -11713,41 +11827,49 @@ func (s *GetPublicKeyInput) SetKeyId(v string) *GetPublicKeyInput { type GetPublicKeyOutput struct { _ struct{} `type:"structure"` - // The type of the of the public key that was downloaded. - CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"` - - // The encryption algorithms that AWS KMS supports for this key. + // Instead, use the KeySpec field in the GetPublicKey response. // - // This information is critical. If a public key encrypts data outside of AWS - // KMS by using an unsupported encryption algorithm, the ciphertext cannot be - // decrypted. + // The KeySpec and CustomerMasterKeySpec fields have the same value. We recommend + // that you use the KeySpec field in your code. However, to avoid breaking changes, + // KMS will support both fields. + // + // Deprecated: This field has been deprecated. Instead, use the KeySpec field. + CustomerMasterKeySpec *string `deprecated:"true" type:"string" enum:"CustomerMasterKeySpec"` + + // The encryption algorithms that KMS supports for this key. + // + // This information is critical. If a public key encrypts data outside of KMS + // by using an unsupported encryption algorithm, the ciphertext cannot be decrypted. // // This field appears in the response only when the KeyUsage of the public key // is ENCRYPT_DECRYPT. EncryptionAlgorithms []*string `type:"list"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the asymmetric CMK from which the public key was downloaded. + // of the asymmetric KMS key from which the public key was downloaded. KeyId *string `min:"1" type:"string"` + // The type of the of the public key that was downloaded. + KeySpec *string `type:"string" enum:"KeySpec"` + // The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or // SIGN_VERIFY. // // This information is critical. If a public key with SIGN_VERIFY key usage - // encrypts data outside of AWS KMS, the ciphertext cannot be decrypted. + // encrypts data outside of KMS, the ciphertext cannot be decrypted. KeyUsage *string `type:"string" enum:"KeyUsageType"` // The exported public key. // // The value is a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo // (SPKI), as defined in RFC 5280 (https://tools.ietf.org/html/rfc5280). When - // you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, - // it is not Base64-encoded. + // you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. + // Otherwise, it is not Base64-encoded. // // PublicKey is automatically base64 encoded/decoded by the SDK. PublicKey []byte `min:"1" type:"blob"` - // The signing algorithms that AWS KMS supports for this key. + // The signing algorithms that KMS supports for this key. // // This field appears in the response only when the KeyUsage of the public key // is SIGN_VERIFY. @@ -11782,6 +11904,12 @@ func (s *GetPublicKeyOutput) SetKeyId(v string) *GetPublicKeyOutput { return s } +// SetKeySpec sets the KeySpec field's value. +func (s *GetPublicKeyOutput) SetKeySpec(v string) *GetPublicKeyOutput { + s.KeySpec = &v + return s +} + // SetKeyUsage sets the KeyUsage field's value. func (s *GetPublicKeyOutput) SetKeyUsage(v string) *GetPublicKeyOutput { s.KeyUsage = &v @@ -11804,11 +11932,11 @@ func (s *GetPublicKeyOutput) SetSigningAlgorithms(v []*string) *GetPublicKeyOutp // in the grant only when the operation request includes the specified encryption // context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context). // -// AWS KMS applies the grant constraints only to cryptographic operations that -// support an encryption context, that is, all cryptographic operations with -// a symmetric CMK (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks). +// KMS applies the grant constraints only to cryptographic operations that support +// an encryption context, that is, all cryptographic operations with a symmetric +// KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/symm-asymm-concepts.html#symmetric-cmks). // Grant constraints are not applied to operations that do not support an encryption -// context, such as cryptographic operations with asymmetric CMKs and management +// context, such as cryptographic operations with asymmetric KMS keys and management // operations, such as DescribeKey or RetireGrant. // // In a cryptographic operation, the encryption context in the decryption operation @@ -11822,7 +11950,7 @@ func (s *GetPublicKeyOutput) SetSigningAlgorithms(v []*string) *GetPublicKeyOutp // only by case. To require a fully case-sensitive encryption context, use the // kms:EncryptionContext: and kms:EncryptionContextKeys conditions in an IAM // or key policy. For details, see kms:EncryptionContext: (https://docs.aws.amazon.com/kms/latest/developerguide/policy-conditions.html#conditions-kms-encryption-context) -// in the AWS Key Management Service Developer Guide . +// in the Key Management Service Developer Guide . type GrantConstraints struct { _ struct{} `type:"structure"` @@ -11880,16 +12008,15 @@ type GrantListEntry struct { // // The GranteePrincipal field in the ListGrants response usually contains the // user or role designated as the grantee principal in the grant. However, when - // the grantee principal in the grant is an AWS service, the GranteePrincipal - // field contains the service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services), + // the grantee principal in the grant is an Amazon Web Services service, the + // GranteePrincipal field contains the service principal (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-services), // which might represent several different grantee principals. GranteePrincipal *string `min:"1" type:"string"` - // The AWS account under which the grant was issued. + // The Amazon Web Services account under which the grant was issued. IssuingAccount *string `min:"1" type:"string"` - // The unique identifier for the customer master key (CMK) to which the grant - // applies. + // The unique identifier for the KMS key to which the grant applies. KeyId *string `min:"1" type:"string"` // The friendly name that identifies the grant. If a name was provided in the @@ -11994,11 +12121,11 @@ type ImportKeyMaterialInput struct { // ImportToken is a required field ImportToken []byte `min:"1" type:"blob" required:"true"` - // The identifier of the symmetric CMK that receives the imported key material. - // The CMK's Origin must be EXTERNAL. This must be the same CMK specified in - // the KeyID parameter of the corresponding GetParametersForImport request. + // The identifier of the symmetric KMS key that receives the imported key material. + // The KMS key's Origin must be EXTERNAL. This must be the same KMS key specified + // in the KeyID parameter of the corresponding GetParametersForImport request. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -12006,13 +12133,13 @@ type ImportKeyMaterialInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` // The time at which the imported key material expires. When the key material - // expires, AWS KMS deletes the key material and the CMK becomes unusable. You + // expires, KMS deletes the key material and the KMS key becomes unusable. You // must omit this parameter when the ExpirationModel parameter is set to KEY_MATERIAL_DOES_NOT_EXPIRE. // Otherwise it is required. ValidTo *time.Time `type:"timestamp"` @@ -12100,9 +12227,9 @@ func (s ImportKeyMaterialOutput) GoString() string { return s.String() } -// The request was rejected because the specified CMK cannot decrypt the data. -// The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request -// must identify the same CMK that was used to encrypt the ciphertext. +// The request was rejected because the specified KMS key cannot decrypt the +// data. The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request +// must identify the same KMS key that was used to encrypt the ciphertext. type IncorrectKeyException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -12160,7 +12287,7 @@ func (s *IncorrectKeyException) RequestID() string { // The request was rejected because the key material in the request is, expired, // invalid, or is not the same key material that was previously imported into -// this customer master key (CMK). +// this KMS key. type IncorrectKeyMaterialException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -12217,7 +12344,7 @@ func (s *IncorrectKeyMaterialException) RequestID() string { } // The request was rejected because the trust anchor certificate in the request -// is not the trust anchor certificate for the specified AWS CloudHSM cluster. +// is not the trust anchor certificate for the specified CloudHSM cluster. // // When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), // you create the trust anchor certificate and save it in the customerCA.crt @@ -12452,8 +12579,8 @@ func (s *InvalidArnException) RequestID() string { // the ciphertext, such as the encryption context, is corrupted, missing, or // otherwise invalid. // -// From the ImportKeyMaterial operation, the request was rejected because AWS -// KMS could not decrypt the encrypted (wrapped) key material. +// From the ImportKeyMaterial operation, the request was rejected because KMS +// could not decrypt the encrypted (wrapped) key material. type InvalidCiphertextException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -12622,7 +12749,7 @@ func (s *InvalidGrantTokenException) RequestID() string { } // The request was rejected because the provided import token is invalid or -// is associated with a different customer master key (CMK). +// is associated with a different KMS key. type InvalidImportTokenException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -12680,17 +12807,18 @@ func (s *InvalidImportTokenException) RequestID() string { // The request was rejected for one of the following reasons: // -// * The KeyUsage value of the CMK is incompatible with the API operation. +// * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation -// is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). +// is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage -// must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. +// must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey +// operation. // -// To find the encryption or signing algorithms supported for a particular CMK, -// use the DescribeKey operation. +// To find the encryption or signing algorithms supported for a particular KMS +// key, use the DescribeKey operation. type InvalidKeyUsageException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -12806,9 +12934,9 @@ func (s *InvalidMarkerException) RequestID() string { // The request was rejected because the state of the specified resource is not // valid for this request. // -// For more information about how key state affects the use of a CMK, see How -// Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) -// in the AWS Key Management Service Developer Guide . +// For more information about how key state affects the use of a KMS key, see +// Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) +// in the Key Management Service Developer Guide . type InvalidStateException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -12866,7 +12994,7 @@ func (s *InvalidStateException) RequestID() string { // The request was rejected because the signature verification failed. Signature // verification fails when it cannot confirm that signature was produced by -// signing the specified message with the specified CMK and signing algorithm. +// signing the specified message with the specified KMS key and signing algorithm. type KMSInvalidSignatureException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -12955,125 +13083,134 @@ func (s *KeyListEntry) SetKeyId(v string) *KeyListEntry { return s } -// Contains metadata about a customer master key (CMK). +// Contains metadata about a KMS key. // // This data type is used as a response element for the CreateKey and DescribeKey // operations. type KeyMetadata struct { _ struct{} `type:"structure"` - // The twelve-digit account ID of the AWS account that owns the CMK. + // The twelve-digit account ID of the Amazon Web Services account that owns + // the KMS key. AWSAccountId *string `type:"string"` - // The Amazon Resource Name (ARN) of the CMK. For examples, see AWS Key Management - // Service (AWS KMS) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms) - // in the Example ARNs section of the AWS General Reference. + // The Amazon Resource Name (ARN) of the KMS key. For examples, see Key Management + // Service (KMS) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-kms) + // in the Example ARNs section of the Amazon Web Services General Reference. Arn *string `min:"20" type:"string"` - // The cluster ID of the AWS CloudHSM cluster that contains the key material - // for the CMK. When you create a CMK in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), - // AWS KMS creates the key material for the CMK in the associated AWS CloudHSM - // cluster. This value is present only when the CMK is created in a custom key - // store. + // The cluster ID of the CloudHSM cluster that contains the key material for + // the KMS key. When you create a KMS key in a custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html), + // KMS creates the key material for the KMS key in the associated CloudHSM cluster. + // This value is present only when the KMS key is created in a custom key store. CloudHsmClusterId *string `min:"19" type:"string"` - // The date and time when the CMK was created. + // The date and time when the KMS key was created. CreationDate *time.Time `type:"timestamp"` // A unique identifier for the custom key store (https://docs.aws.amazon.com/kms/latest/developerguide/custom-key-store-overview.html) - // that contains the CMK. This value is present only when the CMK is created - // in a custom key store. + // that contains the KMS key. This value is present only when the KMS key is + // created in a custom key store. CustomKeyStoreId *string `min:"1" type:"string"` - // Describes the type of key material in the CMK. - CustomerMasterKeySpec *string `type:"string" enum:"CustomerMasterKeySpec"` + // Instead, use the KeySpec field. + // + // The KeySpec and CustomerMasterKeySpec fields have the same value. We recommend + // that you use the KeySpec field in your code. However, to avoid breaking changes, + // KMS will support both fields. + // + // Deprecated: This field has been deprecated. Instead, use the KeySpec field. + CustomerMasterKeySpec *string `deprecated:"true" type:"string" enum:"CustomerMasterKeySpec"` - // The date and time after which AWS KMS deletes this CMK. This value is present - // only when the CMK is scheduled for deletion, that is, when its KeyState is - // PendingDeletion. + // The date and time after which KMS deletes this KMS key. This value is present + // only when the KMS key is scheduled for deletion, that is, when its KeyState + // is PendingDeletion. // // When the primary key in a multi-Region key is scheduled for deletion but // still has replica keys, its key state is PendingReplicaDeletion and the length // of its waiting period is displayed in the PendingDeletionWindowInDays field. DeletionDate *time.Time `type:"timestamp"` - // The description of the CMK. + // The description of the KMS key. Description *string `type:"string"` - // Specifies whether the CMK is enabled. When KeyState is Enabled this value + // Specifies whether the KMS key is enabled. When KeyState is Enabled this value // is true, otherwise it is false. Enabled *bool `type:"boolean"` - // The encryption algorithms that the CMK supports. You cannot use the CMK with - // other encryption algorithms within AWS KMS. + // The encryption algorithms that the KMS key supports. You cannot use the KMS + // key with other encryption algorithms within KMS. // - // This value is present only when the KeyUsage of the CMK is ENCRYPT_DECRYPT. + // This value is present only when the KeyUsage of the KMS key is ENCRYPT_DECRYPT. EncryptionAlgorithms []*string `type:"list"` - // Specifies whether the CMK's key material expires. This value is present only - // when Origin is EXTERNAL, otherwise this value is omitted. + // Specifies whether the KMS key's key material expires. This value is present + // only when Origin is EXTERNAL, otherwise this value is omitted. ExpirationModel *string `type:"string" enum:"ExpirationModelType"` - // The globally unique identifier for the CMK. + // The globally unique identifier for the KMS key. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` - // The manager of the CMK. CMKs in your AWS account are either customer managed - // or AWS managed. For more information about the difference, see Customer Master - // Keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#master_keys) - // in the AWS Key Management Service Developer Guide. + // The manager of the KMS key. KMS keys in your Amazon Web Services account + // are either customer managed or Amazon Web Services managed. For more information + // about the difference, see KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#kms_keys) + // in the Key Management Service Developer Guide. KeyManager *string `type:"string" enum:"KeyManagerType"` - // The current status of the CMK. + // Describes the type of key material in the KMS key. + KeySpec *string `type:"string" enum:"KeySpec"` + + // The current status of the KMS key. // - // For more information about how key state affects the use of a CMK, see Key - // state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) - // in the AWS Key Management Service Developer Guide. + // For more information about how key state affects the use of a KMS key, see + // Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) + // in the Key Management Service Developer Guide. KeyState *string `type:"string" enum:"KeyState"` // The cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) - // for which you can use the CMK. + // for which you can use the KMS key. KeyUsage *string `type:"string" enum:"KeyUsageType"` - // Indicates whether the CMK is a multi-Region (True) or regional (False) key. - // This value is True for multi-Region primary and replica CMKs and False for - // regional CMKs. + // Indicates whether the KMS key is a multi-Region (True) or regional (False) + // key. This value is True for multi-Region primary and replica keys and False + // for regional KMS keys. // // For more information about multi-Region keys, see Using multi-Region keys // (https://docs.aws.amazon.com/kms/latest/developerguide/multi-region-keys-overview.html) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. MultiRegion *bool `type:"boolean"` - // Lists the primary and replica CMKs in same multi-Region CMK. This field is + // Lists the primary and replica keys in same multi-Region key. This field is // present only when the value of the MultiRegion field is True. // - // For more information about any listed CMK, use the DescribeKey operation. + // For more information about any listed KMS key, use the DescribeKey operation. // - // * MultiRegionKeyType indicates whether the CMK is a PRIMARY or REPLICA + // * MultiRegionKeyType indicates whether the KMS key is a PRIMARY or REPLICA // key. // // * PrimaryKey displays the key ARN and Region of the primary key. This - // field displays the current CMK if it is the primary key. + // field displays the current KMS key if it is the primary key. // // * ReplicaKeys displays the key ARNs and Regions of all replica keys. This - // field includes the current CMK if it is a replica key. + // field includes the current KMS key if it is a replica key. MultiRegionConfiguration *MultiRegionConfiguration `type:"structure"` - // The source of the CMK's key material. When this value is AWS_KMS, AWS KMS - // created the key material. When this value is EXTERNAL, the key material was - // imported from your existing key management infrastructure or the CMK lacks - // key material. When this value is AWS_CLOUDHSM, the key material was created - // in the AWS CloudHSM cluster associated with a custom key store. + // The source of the key material for the KMS key. When this value is AWS_KMS, + // KMS created the key material. When this value is EXTERNAL, the key material + // was imported or the KMS key doesn't have any key material. When this value + // is AWS_CLOUDHSM, the key material was created in the CloudHSM cluster associated + // with a custom key store. Origin *string `type:"string" enum:"OriginType"` // The waiting period before the primary key in a multi-Region key is deleted. // This waiting period begins when the last of its replica keys is deleted. - // This value is present only when the KeyState of the CMK is PendingReplicaDeletion. - // That indicates that the CMK is the primary key in a multi-Region key, it - // is scheduled for deletion, and it still has existing replica keys. + // This value is present only when the KeyState of the KMS key is PendingReplicaDeletion. + // That indicates that the KMS key is the primary key in a multi-Region key, + // it is scheduled for deletion, and it still has existing replica keys. // - // When a regional CMK or a replica key in a multi-Region key is scheduled for + // When a single-Region KMS key or a multi-Region replica key is scheduled for // deletion, its deletion date is displayed in the DeletionDate field. However, // when the primary key in a multi-Region key is scheduled for deletion, its // waiting period doesn't begin until all of its replica keys are deleted. This @@ -13082,15 +13219,15 @@ type KeyMetadata struct { // to PendingDeletion and the deletion date appears in the DeletionDate field. PendingDeletionWindowInDays *int64 `min:"1" type:"integer"` - // The signing algorithms that the CMK supports. You cannot use the CMK with - // other signing algorithms within AWS KMS. + // The signing algorithms that the KMS key supports. You cannot use the KMS + // key with other signing algorithms within KMS. // - // This field appears only when the KeyUsage of the CMK is SIGN_VERIFY. + // This field appears only when the KeyUsage of the KMS key is SIGN_VERIFY. SigningAlgorithms []*string `type:"list"` // The time at which the imported key material expires. When the key material - // expires, AWS KMS deletes the key material and the CMK becomes unusable. This - // value is present only for CMKs whose Origin is EXTERNAL and whose ExpirationModel + // expires, KMS deletes the key material and the KMS key becomes unusable. This + // value is present only for KMS keys whose Origin is EXTERNAL and whose ExpirationModel // is KEY_MATERIAL_EXPIRES, otherwise this value is omitted. ValidTo *time.Time `type:"timestamp"` } @@ -13183,6 +13320,12 @@ func (s *KeyMetadata) SetKeyManager(v string) *KeyMetadata { return s } +// SetKeySpec sets the KeySpec field's value. +func (s *KeyMetadata) SetKeySpec(v string) *KeyMetadata { + s.KeySpec = &v + return s +} + // SetKeyState sets the KeyState field's value. func (s *KeyMetadata) SetKeyState(v string) *KeyMetadata { s.KeyState = &v @@ -13231,8 +13374,8 @@ func (s *KeyMetadata) SetValidTo(v time.Time) *KeyMetadata { return s } -// The request was rejected because the specified CMK was not available. You -// can retry the request. +// The request was rejected because the specified KMS key was not available. +// You can retry the request. type KeyUnavailableException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -13290,7 +13433,7 @@ func (s *KeyUnavailableException) RequestID() string { // The request was rejected because a quota was exceeded. For more information, // see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) -// in the AWS Key Management Service Developer Guide. +// in the Key Management Service Developer Guide. type LimitExceededException struct { _ struct{} `type:"structure"` RespMetadata protocol.ResponseMetadata `json:"-" xml:"-"` @@ -13349,13 +13492,13 @@ func (s *LimitExceededException) RequestID() string { type ListAliasesInput struct { _ struct{} `type:"structure"` - // Lists only aliases that are associated with the specified CMK. Enter a CMK - // in your AWS account. + // Lists only aliases that are associated with the specified KMS key. Enter + // a KMS key in your Amazon Web Services account. // // This parameter is optional. If you omit it, ListAliases returns all aliases // in the account and Region. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -13363,11 +13506,11 @@ type ListAliasesInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. KeyId *string `min:"1" type:"string"` // Use this parameter to specify the maximum number of items to return. When - // this value is present, AWS KMS does not return more than the specified number + // this value is present, KMS does not return more than the specified number // of items, but it might return fewer. // // This value is optional. If you include a value, it must be between 1 and @@ -13483,11 +13626,10 @@ type ListGrantsInput struct { // for the grant. GranteePrincipal *string `min:"1" type:"string"` - // Returns only grants for the specified customer master key (CMK). This parameter - // is required. + // Returns only grants for the specified KMS key. This parameter is required. // - // Specify the key ID or key ARN of the CMK. To specify a CMK in a different - // AWS account, you must use the key ARN. + // Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different + // Amazon Web Services account, you must use the key ARN. // // For example: // @@ -13495,13 +13637,13 @@ type ListGrantsInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` // Use this parameter to specify the maximum number of items to return. When - // this value is present, AWS KMS does not return more than the specified number + // this value is present, KMS does not return more than the specified number // of items, but it might return fewer. // // This value is optional. If you include a value, it must be between 1 and @@ -13630,9 +13772,9 @@ func (s *ListGrantsResponse) SetTruncated(v bool) *ListGrantsResponse { type ListKeyPoliciesInput struct { _ struct{} `type:"structure"` - // Gets the names of key policies for the specified customer master key (CMK). + // Gets the names of key policies for the specified KMS key. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -13640,13 +13782,13 @@ type ListKeyPoliciesInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` // Use this parameter to specify the maximum number of items to return. When - // this value is present, AWS KMS does not return more than the specified number + // this value is present, KMS does not return more than the specified number // of items, but it might return fewer. // // This value is optional. If you include a value, it must be between 1 and @@ -13760,7 +13902,7 @@ type ListKeysInput struct { _ struct{} `type:"structure"` // Use this parameter to specify the maximum number of items to return. When - // this value is present, AWS KMS does not return more than the specified number + // this value is present, KMS does not return more than the specified number // of items, but it might return fewer. // // This value is optional. If you include a value, it must be between 1 and @@ -13814,7 +13956,7 @@ func (s *ListKeysInput) SetMarker(v string) *ListKeysInput { type ListKeysOutput struct { _ struct{} `type:"structure"` - // A list of customer master keys (CMKs). + // A list of KMS keys. Keys []*KeyListEntry `type:"list"` // When Truncated is true, this element is present and contains the value to @@ -13859,9 +14001,9 @@ func (s *ListKeysOutput) SetTruncated(v bool) *ListKeysOutput { type ListResourceTagsInput struct { _ struct{} `type:"structure"` - // Gets tags on the specified customer master key (CMK). + // Gets tags on the specified KMS key. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -13869,13 +14011,13 @@ type ListResourceTagsInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` // Use this parameter to specify the maximum number of items to return. When - // this value is present, AWS KMS does not return more than the specified number + // this value is present, KMS does not return more than the specified number // of items, but it might return fewer. // // This value is optional. If you include a value, it must be between 1 and @@ -13952,9 +14094,9 @@ type ListResourceTagsOutput struct { // A list of tags. Each tag consists of a tag key and a tag value. // - // Tagging or untagging a CMK can allow or deny permission to the CMK. For details, - // see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) - // in the AWS Key Management Service Developer Guide. + // Tagging or untagging a KMS key can allow or deny permission to the KMS key. + // For details, see Using ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) + // in the Key Management Service Developer Guide. Tags []*Tag `type:"list"` // A flag that indicates whether there are more items in the list. When this @@ -13996,7 +14138,7 @@ type ListRetirableGrantsInput struct { _ struct{} `type:"structure"` // Use this parameter to specify the maximum number of items to return. When - // this value is present, AWS KMS does not return more than the specified number + // this value is present, KMS does not return more than the specified number // of items, but it might return fewer. // // This value is optional. If you include a value, it must be between 1 and @@ -14009,13 +14151,13 @@ type ListRetirableGrantsInput struct { Marker *string `min:"1" type:"string"` // The retiring principal for which to list grants. Enter a principal in your - // AWS account. + // Amazon Web Services account. // // To specify the retiring principal, use the Amazon Resource Name (ARN) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // of an AWS principal. Valid AWS principals include AWS accounts (root), IAM - // users, federated users, and assumed role users. For examples of the ARN syntax - // for specifying a principal, see AWS Identity and Access Management (IAM) - // (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) + // of an Amazon Web Services principal. Valid Amazon Web Services principals + // include Amazon Web Services accounts (root), IAM users, federated users, + // and assumed role users. For examples of the ARN syntax for specifying a principal, + // see Amazon Web Services Identity and Access Management (IAM) (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html#arn-syntax-iam) // in the Example ARNs section of the Amazon Web Services General Reference. // // RetiringPrincipal is a required field @@ -14129,22 +14271,22 @@ func (s *MalformedPolicyDocumentException) RequestID() string { return s.RespMetadata.RequestID } -// Describes the configuration of this multi-Region CMK. This field appears -// only when the CMK is a primary or replica of a multi-Region CMK. +// Describes the configuration of this multi-Region key. This field appears +// only when the KMS key is a primary or replica of a multi-Region key. // -// For more information about any listed CMK, use the DescribeKey operation. +// For more information about any listed KMS key, use the DescribeKey operation. type MultiRegionConfiguration struct { _ struct{} `type:"structure"` - // Indicates whether the CMK is a PRIMARY or REPLICA key. + // Indicates whether the KMS key is a PRIMARY or REPLICA key. MultiRegionKeyType *string `type:"string" enum:"MultiRegionKeyType"` // Displays the key ARN and Region of the primary key. This field includes the - // current CMK if it is the primary key. + // current KMS key if it is the primary key. PrimaryKey *MultiRegionKey `type:"structure"` // displays the key ARNs and Regions of all replica keys. This field includes - // the current CMK if it is a replica key. + // the current KMS key if it is a replica key. ReplicaKeys []*MultiRegionKey `type:"list"` } @@ -14183,7 +14325,8 @@ type MultiRegionKey struct { // Displays the key ARN of a primary or replica key of a multi-Region key. Arn *string `min:"20" type:"string"` - // Displays the AWS Region of a primary or replica key in a multi-Region key. + // Displays the Amazon Web Services Region of a primary or replica key in a + // multi-Region key. Region *string `min:"1" type:"string"` } @@ -14271,21 +14414,22 @@ type PutKeyPolicyInput struct { // A flag to indicate whether to bypass the key policy lockout safety check. // - // Setting this value to true increases the risk that the CMK becomes unmanageable. + // Setting this value to true increases the risk that the KMS key becomes unmanageable. // Do not set this value to true indiscriminately. // // For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) - // section in the AWS Key Management Service Developer Guide. + // section in the Key Management Service Developer Guide. // // Use this parameter only when you intend to prevent the principal that is - // making the request from making a subsequent PutKeyPolicy request on the CMK. + // making the request from making a subsequent PutKeyPolicy request on the KMS + // key. // // The default value is false. BypassPolicyLockoutSafetyCheck *bool `type:"boolean"` - // Sets the key policy on the specified customer master key (CMK). + // Sets the key policy on the specified KMS key. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -14293,34 +14437,34 @@ type PutKeyPolicyInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` - // The key policy to attach to the CMK. + // The key policy to attach to the KMS key. // // The key policy must meet the following criteria: // // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy // must allow the principal that is making the PutKeyPolicy request to make - // a subsequent PutKeyPolicy request on the CMK. This reduces the risk that - // the CMK becomes unmanageable. For more information, refer to the scenario - // in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) - // section of the AWS Key Management Service Developer Guide. + // a subsequent PutKeyPolicy request on the KMS key. This reduces the risk + // that the KMS key becomes unmanageable. For more information, refer to + // the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) + // section of the Key Management Service Developer Guide. // // * Each statement in the key policy must contain one or more principals. - // The principals in the key policy must exist and be visible to AWS KMS. - // When you create a new AWS principal (for example, an IAM user or role), - // you might need to enforce a delay before including the new principal in - // a key policy because the new principal might not be immediately visible - // to AWS KMS. For more information, see Changes that I make are not always - // immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) - // in the AWS Identity and Access Management User Guide. + // The principals in the key policy must exist and be visible to KMS. When + // you create a new Amazon Web Services principal (for example, an IAM user + // or role), you might need to enforce a delay before including the new principal + // in a key policy because the new principal might not be immediately visible + // to KMS. For more information, see Changes that I make are not always immediately + // visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) + // in the Amazon Web Services Identity and Access Management User Guide. // // The key policy cannot exceed 32 kilobytes (32768 bytes). For more information, // see Resource Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/resource-limits.html) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. // // Policy is a required field Policy *string `min:"1" type:"string" required:"true"` @@ -14417,37 +14561,38 @@ type ReEncryptInput struct { // CiphertextBlob is a required field CiphertextBlob []byte `min:"1" type:"blob" required:"true"` - // Specifies the encryption algorithm that AWS KMS will use to reecrypt the - // data after it has decrypted it. The default value, SYMMETRIC_DEFAULT, represents - // the encryption algorithm used for symmetric CMKs. + // Specifies the encryption algorithm that KMS will use to reecrypt the data + // after it has decrypted it. The default value, SYMMETRIC_DEFAULT, represents + // the encryption algorithm used for symmetric KMS keys. // - // This parameter is required only when the destination CMK is an asymmetric - // CMK. + // This parameter is required only when the destination KMS key is an asymmetric + // KMS key. DestinationEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` // Specifies that encryption context to use when the reencrypting the data. // - // A destination encryption context is valid only when the destination CMK is - // a symmetric CMK. The standard ciphertext format for asymmetric CMKs does - // not include fields for metadata. + // A destination encryption context is valid only when the destination KMS key + // is a symmetric KMS key. The standard ciphertext format for asymmetric KMS + // keys does not include fields for metadata. // // An encryption context is a collection of non-secret key-value pairs that // represents additional authenticated data. When you use an encryption context // to encrypt data, you must specify the same (an exact case-sensitive match) // encryption context to decrypt the data. An encryption context is optional - // when encrypting with a symmetric CMK, but it is highly recommended. + // when encrypting with a symmetric KMS key, but it is highly recommended. // // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. DestinationEncryptionContext map[string]*string `type:"map"` - // A unique identifier for the CMK that is used to reencrypt the data. Specify - // a symmetric or asymmetric CMK with a KeyUsage value of ENCRYPT_DECRYPT. To - // find the KeyUsage value of a CMK, use the DescribeKey operation. + // A unique identifier for the KMS key that is used to reencrypt the data. Specify + // a symmetric or asymmetric KMS key with a KeyUsage value of ENCRYPT_DECRYPT. + // To find the KeyUsage value of a KMS key, use the DescribeKey operation. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -14459,8 +14604,8 @@ type ReEncryptInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. // // DestinationKeyId is a required field DestinationKeyId *string `min:"1" type:"string" required:"true"` @@ -14469,19 +14614,20 @@ type ReEncryptInput struct { // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // Specifies the encryption algorithm that AWS KMS will use to decrypt the ciphertext + // Specifies the encryption algorithm that KMS will use to decrypt the ciphertext // before it is reencrypted. The default value, SYMMETRIC_DEFAULT, represents - // the algorithm used for symmetric CMKs. + // the algorithm used for symmetric KMS keys. // // Specify the same algorithm that was used to encrypt the ciphertext. If you // specify a different algorithm, the decrypt attempt fails. // // This parameter is required only when the ciphertext was encrypted under an - // asymmetric CMK. + // asymmetric KMS key. SourceEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` // Specifies the encryption context to use to decrypt the ciphertext. Enter @@ -14491,25 +14637,26 @@ type ReEncryptInput struct { // represents additional authenticated data. When you use an encryption context // to encrypt data, you must specify the same (an exact case-sensitive match) // encryption context to decrypt the data. An encryption context is optional - // when encrypting with a symmetric CMK, but it is highly recommended. + // when encrypting with a symmetric KMS key, but it is highly recommended. // // For more information, see Encryption Context (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#encrypt_context) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. SourceEncryptionContext map[string]*string `type:"map"` - // Specifies the customer master key (CMK) that AWS KMS will use to decrypt - // the ciphertext before it is re-encrypted. Enter a key ID of the CMK that - // was used to encrypt the ciphertext. + // Specifies the KMS key that KMS will use to decrypt the ciphertext before + // it is re-encrypted. Enter a key ID of the KMS key that was used to encrypt + // the ciphertext. // // This parameter is required only when the ciphertext was encrypted under an - // asymmetric CMK. If you used a symmetric CMK, AWS KMS can get the CMK from - // metadata that it adds to the symmetric ciphertext blob. However, it is always - // recommended as a best practice. This practice ensures that you use the CMK - // that you intend. + // asymmetric KMS key. If you used a symmetric KMS key, KMS can get the KMS + // key from metadata that it adds to the symmetric ciphertext blob. However, + // it is always recommended as a best practice. This practice ensures that you + // use the KMS key that you intend. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -14521,8 +14668,8 @@ type ReEncryptInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. SourceKeyId *string `min:"1" type:"string"` } @@ -14612,8 +14759,8 @@ func (s *ReEncryptInput) SetSourceKeyId(v string) *ReEncryptInput { type ReEncryptOutput struct { _ struct{} `type:"structure"` - // The reencrypted data. When you use the HTTP API or the AWS CLI, the value - // is Base64-encoded. Otherwise, it is not Base64-encoded. + // The reencrypted data. When you use the HTTP API or the Amazon Web Services + // CLI, the value is Base64-encoded. Otherwise, it is not Base64-encoded. // // CiphertextBlob is automatically base64 encoded/decoded by the SDK. CiphertextBlob []byte `min:"1" type:"blob"` @@ -14622,14 +14769,14 @@ type ReEncryptOutput struct { DestinationEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the CMK that was used to reencrypt the data. + // of the KMS key that was used to reencrypt the data. KeyId *string `min:"1" type:"string"` // The encryption algorithm that was used to decrypt the ciphertext before it // was reencrypted. SourceEncryptionAlgorithm *string `type:"string" enum:"EncryptionAlgorithmSpec"` - // Unique identifier of the CMK used to originally encrypt the data. + // Unique identifier of the KMS key used to originally encrypt the data. SourceKeyId *string `min:"1" type:"string"` } @@ -14678,29 +14825,28 @@ type ReplicateKeyInput struct { // A flag to indicate whether to bypass the key policy lockout safety check. // - // Setting this value to true increases the risk that the CMK becomes unmanageable. + // Setting this value to true increases the risk that the KMS key becomes unmanageable. // Do not set this value to true indiscriminately. // // For more information, refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) - // section in the AWS Key Management Service Developer Guide. + // section in the Key Management Service Developer Guide. // // Use this parameter only when you intend to prevent the principal that is - // making the request from making a subsequent PutKeyPolicy request on the CMK. + // making the request from making a subsequent PutKeyPolicy request on the KMS + // key. // // The default value is false. BypassPolicyLockoutSafetyCheck *bool `type:"boolean"` - // A description of the CMK. Use a description that helps you decide whether - // the CMK is appropriate for a task. The default value is an empty string (no - // description). + // A description of the KMS key. The default value is an empty string (no description). // // The description is not a shared property of multi-Region keys. You can specify // the same description or a different description for each key in a set of - // related multi-Region keys. AWS KMS does not synchronize this property. + // related multi-Region keys. KMS does not synchronize this property. Description *string `type:"string"` // Identifies the multi-Region primary key that is being replicated. To determine - // whether a CMK is a multi-Region primary key, use the DescribeKey operation + // whether a KMS key is a multi-Region primary key, use the DescribeKey operation // to check the value of the MultiRegionKeyType property. // // Specify the key ID or key ARN of a multi-Region primary key. @@ -14711,52 +14857,54 @@ type ReplicateKeyInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` - // The key policy to attach to the CMK. This parameter is optional. If you do - // not provide a key policy, AWS KMS attaches the default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) - // to the CMK. + // The key policy to attach to the KMS key. This parameter is optional. If you + // do not provide a key policy, KMS attaches the default key policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default) + // to the KMS key. // // The key policy is not a shared property of multi-Region keys. You can specify // the same key policy or a different key policy for each key in a set of related - // multi-Region keys. AWS KMS does not synchronize this property. + // multi-Region keys. KMS does not synchronize this property. // // If you provide a key policy, it must meet the following criteria: // // * If you don't set BypassPolicyLockoutSafetyCheck to true, the key policy - // must give the caller kms:PutKeyPolicy permission on the replica CMK. This - // reduces the risk that the CMK becomes unmanageable. For more information, + // must give the caller kms:PutKeyPolicy permission on the replica key. This + // reduces the risk that the KMS key becomes unmanageable. For more information, // refer to the scenario in the Default Key Policy (https://docs.aws.amazon.com/kms/latest/developerguide/key-policies.html#key-policy-default-allow-root-enable-iam) - // section of the AWS Key Management Service Developer Guide . + // section of the Key Management Service Developer Guide . // // * Each statement in the key policy must contain one or more principals. - // The principals in the key policy must exist and be visible to AWS KMS. - // When you create a new AWS principal (for example, an IAM user or role), - // you might need to enforce a delay before including the new principal in - // a key policy because the new principal might not be immediately visible - // to AWS KMS. For more information, see Changes that I make are not always - // immediately visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) - // in the AWS Identity and Access Management User Guide. + // The principals in the key policy must exist and be visible to KMS. When + // you create a new Amazon Web Services principal (for example, an IAM user + // or role), you might need to enforce a delay before including the new principal + // in a key policy because the new principal might not be immediately visible + // to KMS. For more information, see Changes that I make are not always immediately + // visible (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency) + // in the Identity and Access Management User Guide . // // * The key policy size quota is 32 kilobytes (32768 bytes). Policy *string `min:"1" type:"string"` - // The Region ID of the AWS Region for this replica key. + // The Region ID of the Amazon Web Services Region for this replica key. // - // Enter the Region ID, such as us-east-1 or ap-southeast-2. For a list of AWS - // Regions in which AWS KMS is supported, see AWS KMS service endpoints (https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region) - // in the Amazon Web Services General Reference. + // Enter the Region ID, such as us-east-1 or ap-southeast-2. For a list of Amazon + // Web Services Regions in which KMS is supported, see KMS service endpoints + // (https://docs.aws.amazon.com/general/latest/gr/kms.html#kms_region) in the + // Amazon Web Services General Reference. // - // The replica must be in a different AWS Region than its primary key and other - // replicas of that primary key, but in the same AWS partition. AWS KMS must - // be available in the replica Region. If the Region is not enabled by default, - // the AWS account must be enabled in the Region. + // The replica must be in a different Amazon Web Services Region than its primary + // key and other replicas of that primary key, but in the same Amazon Web Services + // partition. KMS must be available in the replica Region. If the Region is + // not enabled by default, the Amazon Web Services account must be enabled in + // the Region. // - // For information about AWS partitions, see Amazon Resource Names (ARNs) in - // the Amazon Web Services General Reference. (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // For information about Amazon Web Services partitions, see Amazon Resource + // Names (ARNs) in the Amazon Web Services General Reference. (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // For information about enabling and disabling Regions, see Enabling a Region // (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-enable) // and Disabling a Region (https://docs.aws.amazon.com/general/latest/gr/rande-manage.html#rande-manage-disable) @@ -14766,28 +14914,30 @@ type ReplicateKeyInput struct { ReplicaRegion *string `min:"1" type:"string" required:"true"` // Assigns one or more tags to the replica key. Use this parameter to tag the - // CMK when it is created. To tag an existing CMK, use the TagResource operation. + // KMS key when it is created. To tag an existing KMS key, use the TagResource + // operation. // - // Tagging or untagging a CMK can allow or deny permission to the CMK. For details, - // see Using ABAC in AWS KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) - // in the AWS Key Management Service Developer Guide. + // Tagging or untagging a KMS key can allow or deny permission to the KMS key. + // For details, see Using ABAC in KMS (https://docs.aws.amazon.com/kms/latest/developerguide/abac.html) + // in the Key Management Service Developer Guide. // // To use this parameter, you must have kms:TagResource (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html) // permission in an IAM policy. // // Tags are not a shared property of multi-Region keys. You can specify the // same tags or different tags for each key in a set of related multi-Region - // keys. AWS KMS does not synchronize this property. + // keys. KMS does not synchronize this property. // // Each tag consists of a tag key and a tag value. Both the tag key and the // tag value are required, but the tag value can be an empty (null) string. - // You cannot have more than one tag on a CMK with the same tag key. If you - // specify an existing tag key with a different tag value, AWS KMS replaces + // You cannot have more than one tag on a KMS key with the same tag key. If + // you specify an existing tag key with a different tag value, KMS replaces // the current tag value with the specified one. // - // When you assign tags to an AWS resource, AWS generates a cost allocation - // report with usage and costs aggregated by tags. Tags can also be used to - // control access to a CMK. For details, see Tagging Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). + // When you add tags to an Amazon Web Services resource, Amazon Web Services + // generates a cost allocation report with usage and costs aggregated by tags. + // Tags can also be used to control access to a KMS key. For details, see Tagging + // Keys (https://docs.aws.amazon.com/kms/latest/developerguide/tagging-keys.html). Tags []*Tag `type:"list"` } @@ -14875,11 +15025,11 @@ func (s *ReplicateKeyInput) SetTags(v []*Tag) *ReplicateKeyInput { type ReplicateKeyOutput struct { _ struct{} `type:"structure"` - // Displays details about the new replica CMK, including its Amazon Resource + // Displays details about the new replica key, including its Amazon Resource // Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) // and key state (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html). - // It also includes the ARN and AWS Region of its primary key and other replica - // keys. + // It also includes the ARN and Amazon Web Services Region of its primary key + // and other replica keys. ReplicaKeyMetadata *KeyMetadata `type:"structure"` // The key policy of the new replica key. The value is a key policy document @@ -14934,11 +15084,11 @@ type RetireGrantInput struct { // Only the CreateGrant operation returns a grant token. For details, see Grant // token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) // and Eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#terms-eventual-consistency) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. GrantToken *string `min:"1" type:"string"` - // The key ARN CMK associated with the grant. To find the key ARN, use the ListKeys - // operation. + // The key ARN KMS key associated with the grant. To find the key ARN, use the + // ListKeys operation. // // For example: arn:aws:kms:us-east-2:444455556666:key/1234abcd-12ab-34cd-56ef-1234567890ab KeyId *string `min:"1" type:"string"` @@ -15014,11 +15164,11 @@ type RevokeGrantInput struct { // GrantId is a required field GrantId *string `min:"1" type:"string" required:"true"` - // A unique identifier for the customer master key (CMK) associated with the - // grant. To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // A unique identifier for the KMS key associated with the grant. To get the + // key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // - // Specify the key ID or key ARN of the CMK. To specify a CMK in a different - // AWS account, you must use the key ARN. + // Specify the key ID or key ARN of the KMS key. To specify a KMS key in a different + // Amazon Web Services account, you must use the key ARN. // // For example: // @@ -15026,7 +15176,7 @@ type RevokeGrantInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -15093,9 +15243,9 @@ func (s RevokeGrantOutput) GoString() string { type ScheduleKeyDeletionInput struct { _ struct{} `type:"structure"` - // The unique identifier of the customer master key (CMK) to delete. + // The unique identifier of the KMS key to delete. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -15103,15 +15253,15 @@ type ScheduleKeyDeletionInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` // The waiting period, specified in number of days. After the waiting period - // ends, AWS KMS deletes the customer master key (CMK). + // ends, KMS deletes the KMS key. // - // If the CMK is a multi-Region primary key with replicas, the waiting period + // If the KMS key is a multi-Region primary key with replicas, the waiting period // begins when the last of its replica keys is deleted. Otherwise, the waiting // period begins immediately. // @@ -15164,27 +15314,27 @@ func (s *ScheduleKeyDeletionInput) SetPendingWindowInDays(v int64) *ScheduleKeyD type ScheduleKeyDeletionOutput struct { _ struct{} `type:"structure"` - // The date and time after which AWS KMS deletes the customer master key (CMK). + // The date and time after which KMS deletes the KMS key. // - // If the CMK is a multi-Region primary key with replica keys, this field does - // not appear. The deletion date for the primary key isn't known until its last - // replica key is deleted. + // If the KMS key is a multi-Region primary key with replica keys, this field + // does not appear. The deletion date for the primary key isn't known until + // its last replica key is deleted. DeletionDate *time.Time `type:"timestamp"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the CMK whose deletion is scheduled. + // of the KMS key whose deletion is scheduled. KeyId *string `min:"1" type:"string"` - // The current status of the CMK. + // The current status of the KMS key. // - // For more information about how key state affects the use of a CMK, see Key - // state: Effect on your CMK (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) - // in the AWS Key Management Service Developer Guide. + // For more information about how key state affects the use of a KMS key, see + // Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) + // in the Key Management Service Developer Guide. KeyState *string `type:"string" enum:"KeyState"` - // The waiting period before the CMK is deleted. + // The waiting period before the KMS key is deleted. // - // If the CMK is a multi-Region primary key with replicas, the waiting period + // If the KMS key is a multi-Region primary key with replicas, the waiting period // begins when the last of its replica keys is deleted. Otherwise, the waiting // period begins immediately. PendingWindowInDays *int64 `min:"1" type:"integer"` @@ -15231,17 +15381,19 @@ type SignInput struct { // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // Identifies an asymmetric CMK. AWS KMS uses the private key in the asymmetric - // CMK to sign the message. The KeyUsage type of the CMK must be SIGN_VERIFY. - // To find the KeyUsage of a CMK, use the DescribeKey operation. + // Identifies an asymmetric KMS key. KMS uses the private key in the asymmetric + // KMS key to sign the message. The KeyUsage type of the KMS key must be SIGN_VERIFY. + // To find the KeyUsage of a KMS key, use the DescribeKey operation. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -15253,8 +15405,8 @@ type SignInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -15262,23 +15414,23 @@ type SignInput struct { // Specifies the message or message digest to sign. Messages can be 0-4096 bytes. // To sign a larger message, provide the message digest. // - // If you provide a message, AWS KMS generates a hash digest of the message - // and then signs it. + // If you provide a message, KMS generates a hash digest of the message and + // then signs it. // // Message is automatically base64 encoded/decoded by the SDK. // // Message is a required field Message []byte `min:"1" type:"blob" required:"true" sensitive:"true"` - // Tells AWS KMS whether the value of the Message parameter is a message or - // message digest. The default value, RAW, indicates a message. To indicate - // a message digest, enter DIGEST. + // Tells KMS whether the value of the Message parameter is a message or message + // digest. The default value, RAW, indicates a message. To indicate a message + // digest, enter DIGEST. MessageType *string `type:"string" enum:"MessageType"` // Specifies the signing algorithm to use when signing the message. // // Choose an algorithm that is compatible with the type and size of the specified - // asymmetric CMK. + // asymmetric KMS key. // // SigningAlgorithm is a required field SigningAlgorithm *string `type:"string" required:"true" enum:"SigningAlgorithmSpec"` @@ -15353,7 +15505,7 @@ type SignOutput struct { _ struct{} `type:"structure"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the asymmetric CMK that was used to sign the message. + // of the asymmetric KMS key that was used to sign the message. KeyId *string `min:"1" type:"string"` // The cryptographic signature that was generated for the message. @@ -15367,8 +15519,8 @@ type SignOutput struct { // This is the most commonly used signature format and is appropriate for // most uses. // - // When you use the HTTP API or the AWS CLI, the value is Base64-encoded. Otherwise, - // it is not Base64-encoded. + // When you use the HTTP API or the Amazon Web Services CLI, the value is Base64-encoded. + // Otherwise, it is not Base64-encoded. // // Signature is automatically base64 encoded/decoded by the SDK. Signature []byte `min:"1" type:"blob"` @@ -15410,7 +15562,7 @@ func (s *SignOutput) SetSigningAlgorithm(v string) *SignOutput { // // For information about the rules that apply to tag keys and tag values, see // User-Defined Tag Restrictions (https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/allocation-tag-restrictions.html) -// in the AWS Billing and Cost Management User Guide. +// in the Amazon Web Services Billing and Cost Management User Guide. type Tag struct { _ struct{} `type:"structure"` @@ -15525,9 +15677,9 @@ func (s *TagException) RequestID() string { type TagResourceInput struct { _ struct{} `type:"structure"` - // Identifies a customer managed CMK in the account and Region. + // Identifies a customer managed key in the account and Region. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -15535,7 +15687,7 @@ type TagResourceInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -15545,8 +15697,8 @@ type TagResourceInput struct { // Each tag consists of a tag key and a tag value. The tag value can be an empty // (null) string. // - // You cannot have more than one tag on a CMK with the same tag key. If you - // specify an existing tag key with a different tag value, AWS KMS replaces + // You cannot have more than one tag on a KMS key with the same tag key. If + // you specify an existing tag key with a different tag value, KMS replaces // the current tag value with the specified one. // // Tags is a required field @@ -15678,9 +15830,9 @@ func (s *UnsupportedOperationException) RequestID() string { type UntagResourceInput struct { _ struct{} `type:"structure"` - // Identifies the CMK from which you are removing tags. + // Identifies the KMS key from which you are removing tags. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -15688,7 +15840,7 @@ type UntagResourceInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -15757,22 +15909,23 @@ func (s UntagResourceOutput) GoString() string { type UpdateAliasInput struct { _ struct{} `type:"structure"` - // Identifies the alias that is changing its CMK. This value must begin with - // alias/ followed by the alias name, such as alias/ExampleAlias. You cannot + // Identifies the alias that is changing its KMS key. This value must begin + // with alias/ followed by the alias name, such as alias/ExampleAlias. You cannot // use UpdateAlias to change the alias name. // // AliasName is a required field AliasName *string `min:"1" type:"string" required:"true"` - // Identifies the customer managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) + // Identifies the customer managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#customer-cmk) // to associate with the alias. You don't have permission to associate an alias - // with an AWS managed CMK (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). + // with an Amazon Web Services managed key (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#aws-managed-cmk). // - // The CMK must be in the same AWS account and Region as the alias. Also, the - // new target CMK must be the same type as the current target CMK (both symmetric - // or both asymmetric) and they must have the same key usage. + // The KMS key must be in the same Amazon Web Services account and Region as + // the alias. Also, the new target KMS key must be the same type as the current + // target KMS key (both symmetric or both asymmetric) and they must have the + // same key usage. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -15780,9 +15933,9 @@ type UpdateAliasInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // - // To verify that the alias is mapped to the correct CMK, use ListAliases. + // To verify that the alias is mapped to the correct KMS key, use ListAliases. // // TargetKeyId is a required field TargetKeyId *string `min:"1" type:"string" required:"true"` @@ -15849,7 +16002,7 @@ func (s UpdateAliasOutput) GoString() string { type UpdateCustomKeyStoreInput struct { _ struct{} `type:"structure"` - // Associates the custom key store with a related AWS CloudHSM cluster. + // Associates the custom key store with a related CloudHSM cluster. // // Enter the cluster ID of the cluster that you used to create the custom key // store or a cluster that shares a backup history and has the same cluster @@ -15868,16 +16021,16 @@ type UpdateCustomKeyStoreInput struct { // CustomKeyStoreId is a required field CustomKeyStoreId *string `min:"1" type:"string" required:"true"` - // Enter the current password of the kmsuser crypto user (CU) in the AWS CloudHSM + // Enter the current password of the kmsuser crypto user (CU) in the CloudHSM // cluster that is associated with the custom key store. // - // This parameter tells AWS KMS the current password of the kmsuser crypto user - // (CU). It does not set or change the password of any users in the AWS CloudHSM + // This parameter tells KMS the current password of the kmsuser crypto user + // (CU). It does not set or change the password of any users in the CloudHSM // cluster. KeyStorePassword *string `min:"7" type:"string" sensitive:"true"` // Changes the friendly name of the custom key store to the value that you specify. - // The custom key store name must be unique in the AWS account. + // The custom key store name must be unique in the Amazon Web Services account. NewCustomKeyStoreName *string `min:"1" type:"string"` } @@ -15957,14 +16110,14 @@ func (s UpdateCustomKeyStoreOutput) GoString() string { type UpdateKeyDescriptionInput struct { _ struct{} `type:"structure"` - // New description for the CMK. + // New description for the KMS key. // // Description is a required field Description *string `type:"string" required:"true"` - // Updates the description of the specified customer master key (CMK). + // Updates the description of the specified KMS key. // - // Specify the key ID or key ARN of the CMK. + // Specify the key ID or key ARN of the KMS key. // // For example: // @@ -15972,7 +16125,7 @@ type UpdateKeyDescriptionInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -16036,8 +16189,8 @@ func (s UpdateKeyDescriptionOutput) GoString() string { type UpdatePrimaryRegionInput struct { _ struct{} `type:"structure"` - // Identifies the current primary key. When the operation completes, this CMK - // will be a replica key. + // Identifies the current primary key. When the operation completes, this KMS + // key will be a replica key. // // Specify the key ID or key ARN of a multi-Region primary key. // @@ -16047,13 +16200,14 @@ type UpdatePrimaryRegionInput struct { // // * Key ARN: arn:aws:kms:us-east-2:111122223333:key/mrk-1234abcd12ab34cd56ef1234567890ab // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` - // The AWS Region of the new primary key. Enter the Region ID, such as us-east-1 - // or ap-southeast-2. There must be an existing replica key in this Region. + // The Amazon Web Services Region of the new primary key. Enter the Region ID, + // such as us-east-1 or ap-southeast-2. There must be an existing replica key + // in this Region. // // When the operation completes, the multi-Region key in this Region will be // the primary key. @@ -16127,17 +16281,19 @@ type VerifyInput struct { // // Use a grant token when your permission to call this operation comes from // a new grant that has not yet achieved eventual consistency. For more information, - // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#grant_token) - // in the AWS Key Management Service Developer Guide. + // see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token) + // and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token) + // in the Key Management Service Developer Guide. GrantTokens []*string `type:"list"` - // Identifies the asymmetric CMK that will be used to verify the signature. - // This must be the same CMK that was used to generate the signature. If you - // specify a different CMK, the signature verification fails. + // Identifies the asymmetric KMS key that will be used to verify the signature. + // This must be the same KMS key that was used to generate the signature. If + // you specify a different KMS key, the signature verification fails. // - // To specify a CMK, use its key ID, key ARN, alias name, or alias ARN. When - // using an alias name, prefix it with "alias/". To specify a CMK in a different - // AWS account, you must use the key ARN or alias ARN. + // To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN. + // When using an alias name, prefix it with "alias/". To specify a KMS key in + // a different Amazon Web Services account, you must use the key ARN or alias + // ARN. // // For example: // @@ -16149,8 +16305,8 @@ type VerifyInput struct { // // * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias // - // To get the key ID and key ARN for a CMK, use ListKeys or DescribeKey. To - // get the alias name and alias ARN, use ListAliases. + // To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey. + // To get the alias name and alias ARN, use ListAliases. // // KeyId is a required field KeyId *string `min:"1" type:"string" required:"true"` @@ -16168,9 +16324,9 @@ type VerifyInput struct { // Message is a required field Message []byte `min:"1" type:"blob" required:"true" sensitive:"true"` - // Tells AWS KMS whether the value of the Message parameter is a message or - // message digest. The default value, RAW, indicates a message. To indicate - // a message digest, enter DIGEST. + // Tells KMS whether the value of the Message parameter is a message or message + // digest. The default value, RAW, indicates a message. To indicate a message + // digest, enter DIGEST. // // Use the DIGEST value only when the value of the Message parameter is a message // digest. If you use the DIGEST value with a raw message, the security of the @@ -16272,7 +16428,7 @@ type VerifyOutput struct { _ struct{} `type:"structure"` // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) - // of the asymmetric CMK that was used to verify the signature. + // of the asymmetric KMS key that was used to verify the signature. KeyId *string `min:"1" type:"string"` // A Boolean value that indicates whether the signature was verified. A value @@ -16613,6 +16769,46 @@ func KeyManagerType_Values() []string { } } +const ( + // KeySpecRsa2048 is a KeySpec enum value + KeySpecRsa2048 = "RSA_2048" + + // KeySpecRsa3072 is a KeySpec enum value + KeySpecRsa3072 = "RSA_3072" + + // KeySpecRsa4096 is a KeySpec enum value + KeySpecRsa4096 = "RSA_4096" + + // KeySpecEccNistP256 is a KeySpec enum value + KeySpecEccNistP256 = "ECC_NIST_P256" + + // KeySpecEccNistP384 is a KeySpec enum value + KeySpecEccNistP384 = "ECC_NIST_P384" + + // KeySpecEccNistP521 is a KeySpec enum value + KeySpecEccNistP521 = "ECC_NIST_P521" + + // KeySpecEccSecgP256k1 is a KeySpec enum value + KeySpecEccSecgP256k1 = "ECC_SECG_P256K1" + + // KeySpecSymmetricDefault is a KeySpec enum value + KeySpecSymmetricDefault = "SYMMETRIC_DEFAULT" +) + +// KeySpec_Values returns all elements of the KeySpec enum +func KeySpec_Values() []string { + return []string{ + KeySpecRsa2048, + KeySpecRsa3072, + KeySpecRsa4096, + KeySpecEccNistP256, + KeySpecEccNistP384, + KeySpecEccNistP521, + KeySpecEccSecgP256k1, + KeySpecSymmetricDefault, + } +} + const ( // KeyStateCreating is a KeyState enum value KeyStateCreating = "Creating" diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go b/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go index c4c212502..64050c225 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/doc.go @@ -3,21 +3,26 @@ // Package kms provides the client and types for making API // requests to AWS Key Management Service. // -// AWS Key Management Service (AWS KMS) is an encryption and key management -// web service. This guide describes the AWS KMS operations that you can call -// programmatically. For general information about AWS KMS, see the AWS Key -// Management Service Developer Guide (https://docs.aws.amazon.com/kms/latest/developerguide/). +// Key Management Service (KMS) is an encryption and key management web service. +// This guide describes the KMS operations that you can call programmatically. +// For general information about KMS, see the Key Management Service Developer +// Guide (https://docs.aws.amazon.com/kms/latest/developerguide/). // -// AWS provides SDKs that consist of libraries and sample code for various programming -// languages and platforms (Java, Ruby, .Net, macOS, Android, etc.). The SDKs -// provide a convenient way to create programmatic access to AWS KMS and other -// AWS services. For example, the SDKs take care of tasks such as signing requests -// (see below), managing errors, and retrying requests automatically. For more -// information about the AWS SDKs, including how to download and install them, -// see Tools for Amazon Web Services (http://aws.amazon.com/tools/). +// KMS is replacing the term customer master key (CMK) with KMS key and KMS +// key. The concept has not changed. To prevent breaking changes, KMS is keeping +// some variations of this term. // -// We recommend that you use the AWS SDKs to make programmatic API calls to -// AWS KMS. +// Amazon Web Services provides SDKs that consist of libraries and sample code +// for various programming languages and platforms (Java, Ruby, .Net, macOS, +// Android, etc.). The SDKs provide a convenient way to create programmatic +// access to KMS and other Amazon Web Services services. For example, the SDKs +// take care of tasks such as signing requests (see below), managing errors, +// and retrying requests automatically. For more information about the Amazon +// Web Services SDKs, including how to download and install them, see Tools +// for Amazon Web Services (http://aws.amazon.com/tools/). +// +// We recommend that you use the Amazon Web Services SDKs to make programmatic +// API calls to KMS. // // Clients must support TLS (Transport Layer Security) 1.0. We recommend TLS // 1.2. Clients must also support cipher suites with Perfect Forward Secrecy @@ -28,30 +33,31 @@ // Signing Requests // // Requests must be signed by using an access key ID and a secret access key. -// We strongly recommend that you do not use your AWS account (root) access -// key ID and secret key for everyday work with AWS KMS. Instead, use the access -// key ID and secret access key for an IAM user. You can also use the AWS Security -// Token Service to generate temporary security credentials that you can use -// to sign requests. +// We strongly recommend that you do not use your Amazon Web Services account +// (root) access key ID and secret key for everyday work with KMS. Instead, +// use the access key ID and secret access key for an IAM user. You can also +// use the Amazon Web Services Security Token Service to generate temporary +// security credentials that you can use to sign requests. // -// All AWS KMS operations require Signature Version 4 (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). +// All KMS operations require Signature Version 4 (https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html). // // Logging API Requests // -// AWS KMS supports AWS CloudTrail, a service that logs AWS API calls and related -// events for your AWS account and delivers them to an Amazon S3 bucket that -// you specify. By using the information collected by CloudTrail, you can determine -// what requests were made to AWS KMS, who made the request, when it was made, -// and so on. To learn more about CloudTrail, including how to turn it on and -// find your log files, see the AWS CloudTrail User Guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/). +// KMS supports CloudTrail, a service that logs Amazon Web Services API calls +// and related events for your Amazon Web Services account and delivers them +// to an Amazon S3 bucket that you specify. By using the information collected +// by CloudTrail, you can determine what requests were made to KMS, who made +// the request, when it was made, and so on. To learn more about CloudTrail, +// including how to turn it on and find your log files, see the CloudTrail User +// Guide (https://docs.aws.amazon.com/awscloudtrail/latest/userguide/). // // Additional Resources // // For more information about credentials and request signing, see the following: // -// * AWS Security Credentials (https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html) +// * Amazon Web Services Security Credentials (https://docs.aws.amazon.com/general/latest/gr/aws-security-credentials.html) // - This topic provides general information about the types of credentials -// used for accessing AWS. +// used to access Amazon Web Services. // // * Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) // - This section of the IAM User Guide describes how to create and use temporary diff --git a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go index 911bf576e..7f5a1f0ba 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go +++ b/vendor/github.com/aws/aws-sdk-go/service/kms/errors.go @@ -18,10 +18,10 @@ const ( // ErrCodeCloudHsmClusterInUseException for service response error code // "CloudHsmClusterInUseException". // - // The request was rejected because the specified AWS CloudHSM cluster is already + // The request was rejected because the specified CloudHSM cluster is already // associated with a custom key store or it shares a backup history with a cluster // that is associated with a custom key store. Each custom key store must be - // associated with a different AWS CloudHSM cluster. + // associated with a different CloudHSM cluster. // // Clusters that share a backup history have the same cluster certificate. To // view the cluster certificate of a cluster, use the DescribeClusters (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_DescribeClusters.html) @@ -31,8 +31,8 @@ const ( // ErrCodeCloudHsmClusterInvalidConfigurationException for service response error code // "CloudHsmClusterInvalidConfigurationException". // - // The request was rejected because the associated AWS CloudHSM cluster did - // not meet the configuration requirements for a custom key store. + // The request was rejected because the associated CloudHSM cluster did not + // meet the configuration requirements for a custom key store. // // * The cluster must be configured with private subnets in at least two // different Availability Zones in the Region. @@ -47,46 +47,44 @@ const ( // operation. // // * The cluster must contain at least as many HSMs as the operation requires. - // To add HSMs, use the AWS CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) + // To add HSMs, use the CloudHSM CreateHsm (https://docs.aws.amazon.com/cloudhsm/latest/APIReference/API_CreateHsm.html) // operation. For the CreateCustomKeyStore, UpdateCustomKeyStore, and CreateKey - // operations, the AWS CloudHSM cluster must have at least two active HSMs, - // each in a different Availability Zone. For the ConnectCustomKeyStore operation, - // the AWS CloudHSM must contain at least one active HSM. + // operations, the CloudHSM cluster must have at least two active HSMs, each + // in a different Availability Zone. For the ConnectCustomKeyStore operation, + // the CloudHSM must contain at least one active HSM. // - // For information about the requirements for an AWS CloudHSM cluster that is - // associated with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) - // in the AWS Key Management Service Developer Guide. For information about - // creating a private subnet for an AWS CloudHSM cluster, see Create a Private - // Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) - // in the AWS CloudHSM User Guide. For information about cluster security groups, + // For information about the requirements for an CloudHSM cluster that is associated + // with a custom key store, see Assemble the Prerequisites (https://docs.aws.amazon.com/kms/latest/developerguide/create-keystore.html#before-keystore) + // in the Key Management Service Developer Guide. For information about creating + // a private subnet for an CloudHSM cluster, see Create a Private Subnet (https://docs.aws.amazon.com/cloudhsm/latest/userguide/create-subnets.html) + // in the CloudHSM User Guide. For information about cluster security groups, // see Configure a Default Security Group (https://docs.aws.amazon.com/cloudhsm/latest/userguide/configure-sg.html) - // in the AWS CloudHSM User Guide . + // in the CloudHSM User Guide . ErrCodeCloudHsmClusterInvalidConfigurationException = "CloudHsmClusterInvalidConfigurationException" // ErrCodeCloudHsmClusterNotActiveException for service response error code // "CloudHsmClusterNotActiveException". // - // The request was rejected because the AWS CloudHSM cluster that is associated + // The request was rejected because the CloudHSM cluster that is associated // with the custom key store is not active. Initialize and activate the cluster // and try the command again. For detailed instructions, see Getting Started // (https://docs.aws.amazon.com/cloudhsm/latest/userguide/getting-started.html) - // in the AWS CloudHSM User Guide. + // in the CloudHSM User Guide. ErrCodeCloudHsmClusterNotActiveException = "CloudHsmClusterNotActiveException" // ErrCodeCloudHsmClusterNotFoundException for service response error code // "CloudHsmClusterNotFoundException". // - // The request was rejected because AWS KMS cannot find the AWS CloudHSM cluster - // with the specified cluster ID. Retry the request with a different cluster - // ID. + // The request was rejected because KMS cannot find the CloudHSM cluster with + // the specified cluster ID. Retry the request with a different cluster ID. ErrCodeCloudHsmClusterNotFoundException = "CloudHsmClusterNotFoundException" // ErrCodeCloudHsmClusterNotRelatedException for service response error code // "CloudHsmClusterNotRelatedException". // - // The request was rejected because the specified AWS CloudHSM cluster has a - // different cluster certificate than the original cluster. You cannot use the - // operation to specify an unrelated cluster. + // The request was rejected because the specified CloudHSM cluster has a different + // cluster certificate than the original cluster. You cannot use the operation + // to specify an unrelated cluster. // // Specify a cluster that shares a backup history with the original cluster. // This includes clusters that were created from a backup of the current cluster, @@ -101,10 +99,10 @@ const ( // ErrCodeCustomKeyStoreHasCMKsException for service response error code // "CustomKeyStoreHasCMKsException". // - // The request was rejected because the custom key store contains AWS KMS customer - // master keys (CMKs). After verifying that you do not need to use the CMKs, - // use the ScheduleKeyDeletion operation to delete the CMKs. After they are - // deleted, you can delete the custom key store. + // The request was rejected because the custom key store contains KMS keys. + // After verifying that you do not need to use the KMS keys, use the ScheduleKeyDeletion + // operation to delete the KMS keys. After they are deleted, you can delete + // the custom key store. ErrCodeCustomKeyStoreHasCMKsException = "CustomKeyStoreHasCMKsException" // ErrCodeCustomKeyStoreInvalidStateException for service response error code @@ -140,7 +138,7 @@ const ( // ErrCodeCustomKeyStoreNotFoundException for service response error code // "CustomKeyStoreNotFoundException". // - // The request was rejected because AWS KMS cannot find a custom key store with + // The request was rejected because KMS cannot find a custom key store with // the specified key store name or ID. ErrCodeCustomKeyStoreNotFoundException = "CustomKeyStoreNotFoundException" @@ -154,7 +152,7 @@ const ( // ErrCodeDisabledException for service response error code // "DisabledException". // - // The request was rejected because the specified CMK is not enabled. + // The request was rejected because the specified KMS key is not enabled. ErrCodeDisabledException = "DisabledException" // ErrCodeExpiredImportTokenException for service response error code @@ -168,9 +166,9 @@ const ( // ErrCodeIncorrectKeyException for service response error code // "IncorrectKeyException". // - // The request was rejected because the specified CMK cannot decrypt the data. - // The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request - // must identify the same CMK that was used to encrypt the ciphertext. + // The request was rejected because the specified KMS key cannot decrypt the + // data. The KeyId in a Decrypt request and the SourceKeyId in a ReEncrypt request + // must identify the same KMS key that was used to encrypt the ciphertext. ErrCodeIncorrectKeyException = "IncorrectKeyException" // ErrCodeIncorrectKeyMaterialException for service response error code @@ -178,14 +176,14 @@ const ( // // The request was rejected because the key material in the request is, expired, // invalid, or is not the same key material that was previously imported into - // this customer master key (CMK). + // this KMS key. ErrCodeIncorrectKeyMaterialException = "IncorrectKeyMaterialException" // ErrCodeIncorrectTrustAnchorException for service response error code // "IncorrectTrustAnchorException". // // The request was rejected because the trust anchor certificate in the request - // is not the trust anchor certificate for the specified AWS CloudHSM cluster. + // is not the trust anchor certificate for the specified CloudHSM cluster. // // When you initialize the cluster (https://docs.aws.amazon.com/cloudhsm/latest/userguide/initialize-cluster.html#sign-csr), // you create the trust anchor certificate and save it in the customerCA.crt @@ -220,8 +218,8 @@ const ( // the ciphertext, such as the encryption context, is corrupted, missing, or // otherwise invalid. // - // From the ImportKeyMaterial operation, the request was rejected because AWS - // KMS could not decrypt the encrypted (wrapped) key material. + // From the ImportKeyMaterial operation, the request was rejected because KMS + // could not decrypt the encrypted (wrapped) key material. ErrCodeInvalidCiphertextException = "InvalidCiphertextException" // ErrCodeInvalidGrantIdException for service response error code @@ -240,7 +238,7 @@ const ( // "InvalidImportTokenException". // // The request was rejected because the provided import token is invalid or - // is associated with a different customer master key (CMK). + // is associated with a different KMS key. ErrCodeInvalidImportTokenException = "InvalidImportTokenException" // ErrCodeInvalidKeyUsageException for service response error code @@ -248,17 +246,18 @@ const ( // // The request was rejected for one of the following reasons: // - // * The KeyUsage value of the CMK is incompatible with the API operation. + // * The KeyUsage value of the KMS key is incompatible with the API operation. // // * The encryption algorithm or signing algorithm specified for the operation - // is incompatible with the type of key material in the CMK (CustomerMasterKeySpec). + // is incompatible with the type of key material in the KMS key (KeySpec). // // For encrypting, decrypting, re-encrypting, and generating data keys, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying, the KeyUsage - // must be SIGN_VERIFY. To find the KeyUsage of a CMK, use the DescribeKey operation. + // must be SIGN_VERIFY. To find the KeyUsage of a KMS key, use the DescribeKey + // operation. // - // To find the encryption or signing algorithms supported for a particular CMK, - // use the DescribeKey operation. + // To find the encryption or signing algorithms supported for a particular KMS + // key, use the DescribeKey operation. ErrCodeInvalidKeyUsageException = "InvalidKeyUsageException" // ErrCodeInvalidMarkerException for service response error code @@ -274,9 +273,9 @@ const ( // The request was rejected because the state of the specified resource is not // valid for this request. // - // For more information about how key state affects the use of a CMK, see How - // Key State Affects Use of a Customer Master Key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) - // in the AWS Key Management Service Developer Guide . + // For more information about how key state affects the use of a KMS key, see + // Key state: Effect on your KMS key (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html) + // in the Key Management Service Developer Guide . ErrCodeInvalidStateException = "KMSInvalidStateException" // ErrCodeKMSInvalidSignatureException for service response error code @@ -284,14 +283,14 @@ const ( // // The request was rejected because the signature verification failed. Signature // verification fails when it cannot confirm that signature was produced by - // signing the specified message with the specified CMK and signing algorithm. + // signing the specified message with the specified KMS key and signing algorithm. ErrCodeKMSInvalidSignatureException = "KMSInvalidSignatureException" // ErrCodeKeyUnavailableException for service response error code // "KeyUnavailableException". // - // The request was rejected because the specified CMK was not available. You - // can retry the request. + // The request was rejected because the specified KMS key was not available. + // You can retry the request. ErrCodeKeyUnavailableException = "KeyUnavailableException" // ErrCodeLimitExceededException for service response error code @@ -299,7 +298,7 @@ const ( // // The request was rejected because a quota was exceeded. For more information, // see Quotas (https://docs.aws.amazon.com/kms/latest/developerguide/limits.html) - // in the AWS Key Management Service Developer Guide. + // in the Key Management Service Developer Guide. ErrCodeLimitExceededException = "LimitExceededException" // ErrCodeMalformedPolicyDocumentException for service response error code diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go index 17c463788..3cffd533d 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go +++ b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go @@ -57,19 +57,20 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o // AssumeRole API operation for AWS Security Token Service. // // Returns a set of temporary security credentials that you can use to access -// AWS resources that you might not normally have access to. These temporary -// credentials consist of an access key ID, a secret access key, and a security -// token. Typically, you use AssumeRole within your account or for cross-account -// access. For a comparison of AssumeRole with other API operations that produce -// temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) -// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) +// Amazon Web Services resources that you might not normally have access to. +// These temporary credentials consist of an access key ID, a secret access +// key, and a security token. Typically, you use AssumeRole within your account +// or for cross-account access. For a comparison of AssumeRole with other API +// operations that produce temporary credentials, see Requesting Temporary Security +// Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) +// and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // // Permissions // // The temporary security credentials created by AssumeRole can be used to make -// API calls to any AWS service with the following exception: You cannot call -// the AWS STS GetFederationToken or GetSessionToken API operations. +// API calls to any Amazon Web Services service with the following exception: +// You cannot call the STS GetFederationToken or GetSessionToken API operations. // // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an @@ -79,15 +80,15 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o // to this operation returns new temporary credentials. The resulting session's // permissions are the intersection of the role's identity-based policy and // the session policies. You can use the role's temporary credentials in subsequent -// AWS API calls to access resources in the account that owns the role. You -// cannot use session policies to grant more permissions than those allowed -// by the identity-based policy of the role that is being assumed. For more -// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// Amazon Web Services API calls to access resources in the account that owns +// the role. You cannot use session policies to grant more permissions than +// those allowed by the identity-based policy of the role that is being assumed. +// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // -// To assume a role from a different account, your AWS account must be trusted -// by the role. The trust relationship is defined in the role's trust policy -// when the role is created. That trust policy states which accounts are allowed +// To assume a role from a different account, your account must be trusted by +// the role. The trust relationship is defined in the role's trust policy when +// the role is created. That trust policy states which accounts are allowed // to delegate that access to users in the account. // // A user who wants to access a role in a different account must also have permissions @@ -129,12 +130,12 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o // // (Optional) You can include multi-factor authentication (MFA) information // when you call AssumeRole. This is useful for cross-account scenarios to ensure -// that the user that assumes the role has been authenticated with an AWS MFA -// device. In that scenario, the trust policy of the role being assumed includes -// a condition that tests for MFA authentication. If the caller does not include -// valid MFA information, the request to assume the role is denied. The condition -// in a trust policy that tests for MFA authentication might look like the following -// example. +// that the user that assumes the role has been authenticated with an Amazon +// Web Services MFA device. In that scenario, the trust policy of the role being +// assumed includes a condition that tests for MFA authentication. If the caller +// does not include valid MFA information, the request to assume the role is +// denied. The condition in a trust policy that tests for MFA authentication +// might look like the following example. // // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} // @@ -160,11 +161,11 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o // // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" // The request was rejected because the total packed size of the session policies -// and session tags combined was too large. An AWS conversion compresses the -// session policy document, session policy ARNs, and session tags into a packed -// binary format that has a separate limit. The error message indicates by percentage -// how close the policies and tags are to the upper size limit. For more information, -// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// and session tags combined was too large. An Amazon Web Services conversion +// compresses the session policy document, session policy ARNs, and session +// tags into a packed binary format that has a separate limit. The error message +// indicates by percentage how close the policies and tags are to the upper +// size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // // You could receive this error even though you meet other defined session policy @@ -176,7 +177,8 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM // console to activate STS in that region. For more information, see Activating -// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// and Deactivating Amazon Web Services STS in an Amazon Web Services Region +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // in the IAM User Guide. // // * ErrCodeExpiredTokenException "ExpiredTokenException" @@ -252,16 +254,17 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re // // Returns a set of temporary security credentials for users who have been authenticated // via a SAML authentication response. This operation provides a mechanism for -// tying an enterprise identity store or directory to role-based AWS access -// without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML -// with the other API operations that produce temporary credentials, see Requesting -// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) -// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) +// tying an enterprise identity store or directory to role-based Amazon Web +// Services access without user-specific credentials or configuration. For a +// comparison of AssumeRoleWithSAML with the other API operations that produce +// temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) +// and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // // The temporary security credentials returned by this operation consist of // an access key ID, a secret access key, and a security token. Applications -// can use these temporary security credentials to sign calls to AWS services. +// can use these temporary security credentials to sign calls to Amazon Web +// Services services. // // Session Duration // @@ -281,19 +284,19 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re // in the IAM User Guide. // // Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining) -// limits your AWS CLI or AWS API role session to a maximum of one hour. When -// you use the AssumeRole API operation to assume a role, you can specify the -// duration of your role session with the DurationSeconds parameter. You can -// specify a parameter value of up to 43200 seconds (12 hours), depending on -// the maximum session duration setting for your role. However, if you assume +// limits your CLI or Amazon Web Services API role session to a maximum of one +// hour. When you use the AssumeRole API operation to assume a role, you can +// specify the duration of your role session with the DurationSeconds parameter. +// You can specify a parameter value of up to 43200 seconds (12 hours), depending +// on the maximum session duration setting for your role. However, if you assume // a role using role chaining and provide a DurationSeconds parameter value // greater than one hour, the operation fails. // // Permissions // // The temporary security credentials created by AssumeRoleWithSAML can be used -// to make API calls to any AWS service with the following exception: you cannot -// call the STS GetFederationToken or GetSessionToken API operations. +// to make API calls to any Amazon Web Services service with the following exception: +// you cannot call the STS GetFederationToken or GetSessionToken API operations. // // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an @@ -303,18 +306,19 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re // to this operation returns new temporary credentials. The resulting session's // permissions are the intersection of the role's identity-based policy and // the session policies. You can use the role's temporary credentials in subsequent -// AWS API calls to access resources in the account that owns the role. You -// cannot use session policies to grant more permissions than those allowed -// by the identity-based policy of the role that is being assumed. For more -// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// Amazon Web Services API calls to access resources in the account that owns +// the role. You cannot use session policies to grant more permissions than +// those allowed by the identity-based policy of the role that is being assumed. +// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // -// Calling AssumeRoleWithSAML does not require the use of AWS security credentials. -// The identity of the caller is validated by using keys in the metadata document -// that is uploaded for the SAML provider entity for your identity provider. +// Calling AssumeRoleWithSAML does not require the use of Amazon Web Services +// security credentials. The identity of the caller is validated by using keys +// in the metadata document that is uploaded for the SAML provider entity for +// your identity provider. // -// Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail -// logs. The entry includes the value in the NameID element of the SAML assertion. +// Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs. +// The entry includes the value in the NameID element of the SAML assertion. // We recommend that you use a NameIDType that is not associated with any personally // identifiable information (PII). For example, you could instead use the persistent // identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). @@ -332,11 +336,11 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // in the IAM User Guide. // -// An AWS conversion compresses the passed session policies and session tags -// into a packed binary format that has a separate limit. Your request can fail -// for this limit even if your plaintext meets the other requirements. The PackedPolicySize -// response element indicates by percentage how close the policies and tags -// for your request are to the upper size limit. +// An Amazon Web Services conversion compresses the passed session policies +// and session tags into a packed binary format that has a separate limit. Your +// request can fail for this limit even if your plaintext meets the other requirements. +// The PackedPolicySize response element indicates by percentage how close the +// policies and tags for your request are to the upper size limit. // // You can pass a session tag with the same key as a tag that is attached to // the role. When you do, session tags override the role's tags with the same @@ -356,10 +360,11 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re // SAML Configuration // // Before your application can call AssumeRoleWithSAML, you must configure your -// SAML identity provider (IdP) to issue the claims required by AWS. Additionally, -// you must use AWS Identity and Access Management (IAM) to create a SAML provider -// entity in your AWS account that represents your identity provider. You must -// also create an IAM role that specifies this SAML provider in its trust policy. +// SAML identity provider (IdP) to issue the claims required by Amazon Web Services. +// Additionally, you must use Identity and Access Management (IAM) to create +// a SAML provider entity in your Amazon Web Services account that represents +// your identity provider. You must also create an IAM role that specifies this +// SAML provider in its trust policy. // // For more information, see the following resources: // @@ -389,11 +394,11 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re // // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" // The request was rejected because the total packed size of the session policies -// and session tags combined was too large. An AWS conversion compresses the -// session policy document, session policy ARNs, and session tags into a packed -// binary format that has a separate limit. The error message indicates by percentage -// how close the policies and tags are to the upper size limit. For more information, -// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// and session tags combined was too large. An Amazon Web Services conversion +// compresses the session policy document, session policy ARNs, and session +// tags into a packed binary format that has a separate limit. The error message +// indicates by percentage how close the policies and tags are to the upper +// size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // // You could receive this error even though you meet other defined session policy @@ -409,8 +414,9 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re // can also mean that the claim has expired or has been explicitly revoked. // // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" -// The web identity token that was passed could not be validated by AWS. Get -// a new identity token from the identity provider and then retry the request. +// The web identity token that was passed could not be validated by Amazon Web +// Services. Get a new identity token from the identity provider and then retry +// the request. // // * ErrCodeExpiredTokenException "ExpiredTokenException" // The web identity token that was passed is expired or is not valid. Get a @@ -420,7 +426,8 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM // console to activate STS in that region. For more information, see Activating -// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// and Deactivating Amazon Web Services STS in an Amazon Web Services Region +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // in the IAM User Guide. // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML @@ -496,30 +503,33 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // Connect-compatible identity provider. // // For mobile applications, we recommend that you use Amazon Cognito. You can -// use Amazon Cognito with the AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) -// and the AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/) -// to uniquely identify a user. You can also supply the user with a consistent -// identity throughout the lifetime of an application. +// use Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide +// (http://aws.amazon.com/sdkforios/) and the Amazon Web Services SDK for Android +// Developer Guide (http://aws.amazon.com/sdkforandroid/) to uniquely identify +// a user. You can also supply the user with a consistent identity throughout +// the lifetime of an application. // // To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840) -// in AWS SDK for Android Developer Guide and Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) -// in the AWS SDK for iOS Developer Guide. +// in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito +// Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) +// in the Amazon Web Services SDK for iOS Developer Guide. // -// Calling AssumeRoleWithWebIdentity does not require the use of AWS security -// credentials. Therefore, you can distribute an application (for example, on -// mobile devices) that requests temporary security credentials without including -// long-term AWS credentials in the application. You also don't need to deploy -// server-based proxy services that use long-term AWS credentials. Instead, -// the identity of the caller is validated by using a token from the web identity -// provider. For a comparison of AssumeRoleWithWebIdentity with the other API -// operations that produce temporary credentials, see Requesting Temporary Security -// Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) -// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) +// Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web +// Services security credentials. Therefore, you can distribute an application +// (for example, on mobile devices) that requests temporary security credentials +// without including long-term Amazon Web Services credentials in the application. +// You also don't need to deploy server-based proxy services that use long-term +// Amazon Web Services credentials. Instead, the identity of the caller is validated +// by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity +// with the other API operations that produce temporary credentials, see Requesting +// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) +// and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // // The temporary security credentials returned by this API consist of an access // key ID, a secret access key, and a security token. Applications can use these -// temporary security credentials to sign calls to AWS service API operations. +// temporary security credentials to sign calls to Amazon Web Services service +// API operations. // // Session Duration // @@ -539,8 +549,9 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // Permissions // // The temporary security credentials created by AssumeRoleWithWebIdentity can -// be used to make API calls to any AWS service with the following exception: -// you cannot call the STS GetFederationToken or GetSessionToken API operations. +// be used to make API calls to any Amazon Web Services service with the following +// exception: you cannot call the STS GetFederationToken or GetSessionToken +// API operations. // // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an @@ -550,10 +561,10 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // to this operation returns new temporary credentials. The resulting session's // permissions are the intersection of the role's identity-based policy and // the session policies. You can use the role's temporary credentials in subsequent -// AWS API calls to access resources in the account that owns the role. You -// cannot use session policies to grant more permissions than those allowed -// by the identity-based policy of the role that is being assumed. For more -// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) +// Amazon Web Services API calls to access resources in the account that owns +// the role. You cannot use session policies to grant more permissions than +// those allowed by the identity-based policy of the role that is being assumed. +// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // Tags @@ -569,11 +580,11 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // in the IAM User Guide. // -// An AWS conversion compresses the passed session policies and session tags -// into a packed binary format that has a separate limit. Your request can fail -// for this limit even if your plaintext meets the other requirements. The PackedPolicySize -// response element indicates by percentage how close the policies and tags -// for your request are to the upper size limit. +// An Amazon Web Services conversion compresses the passed session policies +// and session tags into a packed binary format that has a separate limit. Your +// request can fail for this limit even if your plaintext meets the other requirements. +// The PackedPolicySize response element indicates by percentage how close the +// policies and tags for your request are to the upper size limit. // // You can pass a session tag with the same key as a tag that is attached to // the role. When you do, the session tag overrides the role tag with the same @@ -598,7 +609,7 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // the identity provider that is associated with the identity token. In other // words, the identity provider must be specified in the role's trust policy. // -// Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail +// Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims) // of the provided web identity token. We recommend that you avoid using any // personally identifiable information (PII) in this field. For example, you @@ -614,10 +625,10 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // * Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/). // Walk through the process of authenticating through Login with Amazon, // Facebook, or Google, getting temporary security credentials, and then -// using those credentials to make a request to AWS. +// using those credentials to make a request to Amazon Web Services. // -// * AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and -// AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/). +// * Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) +// and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/). // These toolkits contain sample apps that show how to invoke the identity // providers. The toolkits then show how to use the information from these // providers to get and use temporary security credentials. @@ -641,11 +652,11 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" // The request was rejected because the total packed size of the session policies -// and session tags combined was too large. An AWS conversion compresses the -// session policy document, session policy ARNs, and session tags into a packed -// binary format that has a separate limit. The error message indicates by percentage -// how close the policies and tags are to the upper size limit. For more information, -// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// and session tags combined was too large. An Amazon Web Services conversion +// compresses the session policy document, session policy ARNs, and session +// tags into a packed binary format that has a separate limit. The error message +// indicates by percentage how close the policies and tags are to the upper +// size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // // You could receive this error even though you meet other defined session policy @@ -668,8 +679,9 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // error persists, the identity provider might be down or not responding. // // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" -// The web identity token that was passed could not be validated by AWS. Get -// a new identity token from the identity provider and then retry the request. +// The web identity token that was passed could not be validated by Amazon Web +// Services. Get a new identity token from the identity provider and then retry +// the request. // // * ErrCodeExpiredTokenException "ExpiredTokenException" // The web identity token that was passed is expired or is not valid. Get a @@ -679,7 +691,8 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM // console to activate STS in that region. For more information, see Activating -// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// and Deactivating Amazon Web Services STS in an Amazon Web Services Region +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // in the IAM User Guide. // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity @@ -749,16 +762,18 @@ func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessag // DecodeAuthorizationMessage API operation for AWS Security Token Service. // // Decodes additional information about the authorization status of a request -// from an encoded message returned in response to an AWS request. +// from an encoded message returned in response to an Amazon Web Services request. // // For example, if a user is not authorized to perform an operation that he // or she has requested, the request returns a Client.UnauthorizedOperation -// response (an HTTP 403 response). Some AWS operations additionally return -// an encoded message that can provide details about this authorization failure. +// response (an HTTP 403 response). Some Amazon Web Services operations additionally +// return an encoded message that can provide details about this authorization +// failure. // -// Only certain AWS operations return an encoded authorization message. The -// documentation for an individual operation indicates whether that operation -// returns an encoded message in addition to returning an HTTP code. +// Only certain Amazon Web Services operations return an encoded authorization +// message. The documentation for an individual operation indicates whether +// that operation returns an encoded message in addition to returning an HTTP +// code. // // The message is encoded because the details of the authorization status can // constitute privileged information that the user who requested the operation @@ -869,12 +884,12 @@ func (c *STS) GetAccessKeyInfoRequest(input *GetAccessKeyInfoInput) (req *reques // in the IAM User Guide. // // When you pass an access key ID to this operation, it returns the ID of the -// AWS account to which the keys belong. Access key IDs beginning with AKIA -// are long-term credentials for an IAM user or the AWS account root user. Access -// key IDs beginning with ASIA are temporary credentials that are created using -// STS operations. If the account in the response belongs to you, you can sign -// in as the root user and review your root user access keys. Then, you can -// pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html) +// Amazon Web Services account to which the keys belong. Access key IDs beginning +// with AKIA are long-term credentials for an IAM user or the Amazon Web Services +// account root user. Access key IDs beginning with ASIA are temporary credentials +// that are created using STS operations. If the account in the response belongs +// to you, you can sign in as the root user and review your root user access +// keys. Then, you can pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html) // to learn which IAM user owns the keys. To learn who requested the temporary // credentials for an ASIA access key, view the STS events in your CloudTrail // logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html) @@ -1050,7 +1065,7 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re // For a comparison of GetFederationToken with the other API operations that // produce temporary credentials, see Requesting Temporary Security Credentials // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) -// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) +// and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // // You can create a mobile-based or browser-based app that can authenticate @@ -1062,11 +1077,11 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re // in the IAM User Guide. // // You can also call GetFederationToken using the security credentials of an -// AWS account root user, but we do not recommend it. Instead, we recommend -// that you create an IAM user for the purpose of the proxy application. Then -// attach a policy to the IAM user that limits federated users to only the actions -// and resources that they need to access. For more information, see IAM Best -// Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) +// Amazon Web Services account root user, but we do not recommend it. Instead, +// we recommend that you create an IAM user for the purpose of the proxy application. +// Then attach a policy to the IAM user that limits federated users to only +// the actions and resources that they need to access. For more information, +// see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) // in the IAM User Guide. // // Session duration @@ -1074,15 +1089,16 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re // The temporary credentials are valid for the specified duration, from 900 // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default // session duration is 43,200 seconds (12 hours). Temporary credentials that -// are obtained by using AWS account root user credentials have a maximum duration -// of 3,600 seconds (1 hour). +// are obtained by using Amazon Web Services account root user credentials have +// a maximum duration of 3,600 seconds (1 hour). // // Permissions // // You can use the temporary credentials created by GetFederationToken in any -// AWS service except the following: +// Amazon Web Services service except the following: // -// * You cannot call any IAM operations using the AWS CLI or the AWS API. +// * You cannot call any IAM operations using the CLI or the Amazon Web Services +// API. // // * You cannot call any STS operations except GetCallerIdentity. // @@ -1126,11 +1142,11 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re // in the IAM User Guide. // // You can also call GetFederationToken using the security credentials of an -// AWS account root user, but we do not recommend it. Instead, we recommend -// that you create an IAM user for the purpose of the proxy application. Then -// attach a policy to the IAM user that limits federated users to only the actions -// and resources that they need to access. For more information, see IAM Best -// Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) +// Amazon Web Services account root user, but we do not recommend it. Instead, +// we recommend that you create an IAM user for the purpose of the proxy application. +// Then attach a policy to the IAM user that limits federated users to only +// the actions and resources that they need to access. For more information, +// see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) // in the IAM User Guide. // // Session duration @@ -1138,15 +1154,16 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re // The temporary credentials are valid for the specified duration, from 900 // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default // session duration is 43,200 seconds (12 hours). Temporary credentials that -// are obtained by using AWS account root user credentials have a maximum duration -// of 3,600 seconds (1 hour). +// are obtained by using Amazon Web Services account root user credentials have +// a maximum duration of 3,600 seconds (1 hour). // // Permissions // // You can use the temporary credentials created by GetFederationToken in any -// AWS service except the following: +// Amazon Web Services service except the following: // -// * You cannot call any IAM operations using the AWS CLI or the AWS API. +// * You cannot call any IAM operations using the CLI or the Amazon Web Services +// API. // // * You cannot call any STS operations except GetCallerIdentity. // @@ -1208,11 +1225,11 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re // // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" // The request was rejected because the total packed size of the session policies -// and session tags combined was too large. An AWS conversion compresses the -// session policy document, session policy ARNs, and session tags into a packed -// binary format that has a separate limit. The error message indicates by percentage -// how close the policies and tags are to the upper size limit. For more information, -// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) +// and session tags combined was too large. An Amazon Web Services conversion +// compresses the session policy document, session policy ARNs, and session +// tags into a packed binary format that has a separate limit. The error message +// indicates by percentage how close the policies and tags are to the upper +// size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // // You could receive this error even though you meet other defined session policy @@ -1224,7 +1241,8 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM // console to activate STS in that region. For more information, see Activating -// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// and Deactivating Amazon Web Services STS in an Amazon Web Services Region +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // in the IAM User Guide. // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken @@ -1293,51 +1311,53 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request. // GetSessionToken API operation for AWS Security Token Service. // -// Returns a set of temporary credentials for an AWS account or IAM user. The -// credentials consist of an access key ID, a secret access key, and a security -// token. Typically, you use GetSessionToken if you want to use MFA to protect -// programmatic calls to specific AWS API operations like Amazon EC2 StopInstances. -// MFA-enabled IAM users would need to call GetSessionToken and submit an MFA -// code that is associated with their MFA device. Using the temporary security -// credentials that are returned from the call, IAM users can then make programmatic -// calls to API operations that require MFA authentication. If you do not supply -// a correct MFA code, then the API returns an access denied error. For a comparison -// of GetSessionToken with the other API operations that produce temporary credentials, -// see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) -// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) +// Returns a set of temporary credentials for an Amazon Web Services account +// or IAM user. The credentials consist of an access key ID, a secret access +// key, and a security token. Typically, you use GetSessionToken if you want +// to use MFA to protect programmatic calls to specific Amazon Web Services +// API operations like Amazon EC2 StopInstances. MFA-enabled IAM users would +// need to call GetSessionToken and submit an MFA code that is associated with +// their MFA device. Using the temporary security credentials that are returned +// from the call, IAM users can then make programmatic calls to API operations +// that require MFA authentication. If you do not supply a correct MFA code, +// then the API returns an access denied error. For a comparison of GetSessionToken +// with the other API operations that produce temporary credentials, see Requesting +// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) +// and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // // Session Duration // -// The GetSessionToken operation must be called by using the long-term AWS security -// credentials of the AWS account root user or an IAM user. Credentials that -// are created by IAM users are valid for the duration that you specify. This -// duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 -// seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials -// based on account credentials can range from 900 seconds (15 minutes) up to -// 3,600 seconds (1 hour), with a default of 1 hour. +// The GetSessionToken operation must be called by using the long-term Amazon +// Web Services security credentials of the Amazon Web Services account root +// user or an IAM user. Credentials that are created by IAM users are valid +// for the duration that you specify. This duration can range from 900 seconds +// (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default +// of 43,200 seconds (12 hours). Credentials based on account credentials can +// range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a +// default of 1 hour. // // Permissions // // The temporary security credentials created by GetSessionToken can be used -// to make API calls to any AWS service with the following exceptions: +// to make API calls to any Amazon Web Services service with the following exceptions: // // * You cannot call any IAM API operations unless MFA authentication information // is included in the request. // // * You cannot call any STS API except AssumeRole or GetCallerIdentity. // -// We recommend that you do not call GetSessionToken with AWS account root user -// credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) +// We recommend that you do not call GetSessionToken with Amazon Web Services +// account root user credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) // by creating one or more IAM users, giving them the necessary permissions, -// and using IAM users for everyday interaction with AWS. +// and using IAM users for everyday interaction with Amazon Web Services. // // The credentials that are returned by GetSessionToken are based on permissions // associated with the user whose credentials were used to call the operation. -// If GetSessionToken is called using AWS account root user credentials, the -// temporary credentials have root user permissions. Similarly, if GetSessionToken -// is called using the credentials of an IAM user, the temporary credentials -// have the same permissions as the IAM user. +// If GetSessionToken is called using Amazon Web Services account root user +// credentials, the temporary credentials have root user permissions. Similarly, +// if GetSessionToken is called using the credentials of an IAM user, the temporary +// credentials have the same permissions as the IAM user. // // For more information about using GetSessionToken to create temporary credentials, // go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) @@ -1355,7 +1375,8 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request. // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM // console to activate STS in that region. For more information, see Activating -// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) +// and Deactivating Amazon Web Services STS in an Amazon Web Services Region +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // in the IAM User Guide. // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken @@ -1401,7 +1422,7 @@ type AssumeRoleInput struct { // to the federation endpoint for a console sign-in token takes a SessionDuration // parameter that specifies the maximum length of the console session. For more // information, see Creating a URL that Enables Federated Users to Access the - // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) + // Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) // in the IAM User Guide. DurationSeconds *int64 `min:"900" type:"integer"` @@ -1413,8 +1434,8 @@ type AssumeRoleInput struct { // of the trusting account might send an external ID to the administrator of // the trusted account. That way, only someone with the ID can assume the role, // rather than everyone in the account. For more information about the external - // ID, see How to Use an External ID When Granting Access to Your AWS Resources - // to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) + // ID, see How to Use an External ID When Granting Access to Your Amazon Web + // Services Resources to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) // in the IAM User Guide. // // The regex used to validate this parameter is a string of characters consisting @@ -1427,10 +1448,11 @@ type AssumeRoleInput struct { // This parameter is optional. Passing policies to this operation returns new // temporary credentials. The resulting session's permissions are the intersection // of the role's identity-based policy and the session policies. You can use - // the role's temporary credentials in subsequent AWS API calls to access resources - // in the account that owns the role. You cannot use session policies to grant - // more permissions than those allowed by the identity-based policy of the role - // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // the role's temporary credentials in subsequent Amazon Web Services API calls + // to access resources in the account that owns the role. You cannot use session + // policies to grant more permissions than those allowed by the identity-based + // policy of the role that is being assumed. For more information, see Session + // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // The plaintext that you use for both inline and managed session policies can't @@ -1439,11 +1461,11 @@ type AssumeRoleInput struct { // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage // return (\u000D) characters. // - // An AWS conversion compresses the passed session policies and session tags - // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags - // for your request are to the upper size limit. + // An Amazon Web Services conversion compresses the passed session policies + // and session tags into a packed binary format that has a separate limit. Your + // request can fail for this limit even if your plaintext meets the other requirements. + // The PackedPolicySize response element indicates by percentage how close the + // policies and tags for your request are to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want @@ -1453,22 +1475,22 @@ type AssumeRoleInput struct { // This parameter is optional. You can provide up to 10 managed policy ARNs. // However, the plaintext that you use for both inline and managed session policies // can't exceed 2,048 characters. For more information about ARNs, see Amazon - // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // in the AWS General Reference. + // Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // in the Amazon Web Services General Reference. // - // An AWS conversion compresses the passed session policies and session tags - // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags - // for your request are to the upper size limit. + // An Amazon Web Services conversion compresses the passed session policies + // and session tags into a packed binary format that has a separate limit. Your + // request can fail for this limit even if your plaintext meets the other requirements. + // The PackedPolicySize response element indicates by percentage how close the + // policies and tags for your request are to the upper size limit. // // Passing policies to this operation returns new temporary credentials. The // resulting session's permissions are the intersection of the role's identity-based // policy and the session policies. You can use the role's temporary credentials - // in subsequent AWS API calls to access resources in the account that owns - // the role. You cannot use session policies to grant more permissions than - // those allowed by the identity-based policy of the role that is being assumed. - // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in subsequent Amazon Web Services API calls to access resources in the account + // that owns the role. You cannot use session policies to grant more permissions + // than those allowed by the identity-based policy of the role that is being + // assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. PolicyArns []*PolicyDescriptorType `type:"list"` @@ -1485,7 +1507,7 @@ type AssumeRoleInput struct { // account that owns the role. The role session name is also used in the ARN // of the assumed role principal. This means that subsequent cross-account API // requests that use the temporary security credentials will expose the role - // session name to the external account in their AWS CloudTrail logs. + // session name to the external account in their CloudTrail logs. // // The regex used to validate this parameter is a string of characters consisting // of upper- and lower-case alphanumeric characters with no spaces. You can @@ -1510,23 +1532,23 @@ type AssumeRoleInput struct { // // You can require users to specify a source identity when they assume a role. // You do this by using the sts:SourceIdentity condition key in a role trust - // policy. You can use source identity information in AWS CloudTrail logs to - // determine who took actions with a role. You can use the aws:SourceIdentity - // condition key to further control access to AWS resources based on the value - // of source identity. For more information about using source identity, see - // Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) + // policy. You can use source identity information in CloudTrail logs to determine + // who took actions with a role. You can use the aws:SourceIdentity condition + // key to further control access to Amazon Web Services resources based on the + // value of source identity. For more information about using source identity, + // see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) // in the IAM User Guide. // // The regex used to validate this parameter is a string of characters consisting // of upper- and lower-case alphanumeric characters with no spaces. You can // also include underscores or any of the following characters: =,.@-. You cannot - // use a value that begins with the text aws:. This prefix is reserved for AWS - // internal use. + // use a value that begins with the text aws:. This prefix is reserved for Amazon + // Web Services internal use. SourceIdentity *string `min:"2" type:"string"` // A list of session tags that you want to pass. Each session tag consists of // a key name and an associated value. For more information about session tags, - // see Tagging AWS STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) + // see Tagging STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // // This parameter is optional. You can pass up to 50 session tags. The plaintext @@ -1535,11 +1557,11 @@ type AssumeRoleInput struct { // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // in the IAM User Guide. // - // An AWS conversion compresses the passed session policies and session tags - // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags - // for your request are to the upper size limit. + // An Amazon Web Services conversion compresses the passed session policies + // and session tags into a packed binary format that has a separate limit. Your + // request can fail for this limit even if your plaintext meets the other requirements. + // The PackedPolicySize response element indicates by percentage how close the + // policies and tags for your request are to the upper size limit. // // You can pass a session tag with the same key as a tag that is already attached // to the role. When you do, session tags override a role tag with the same @@ -1554,7 +1576,7 @@ type AssumeRoleInput struct { // Additionally, if you used temporary credentials to perform this operation, // the new session inherits any transitive session tags from the calling session. // If you pass a session tag with the same key as an inherited tag, the operation - // fails. To view the inherited tags for a session, see the AWS CloudTrail logs. + // fails. To view the inherited tags for a session, see the CloudTrail logs. // For more information, see Viewing Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs) // in the IAM User Guide. Tags []*Tag `type:"list"` @@ -1720,7 +1742,8 @@ func (s *AssumeRoleInput) SetTransitiveTagKeys(v []*string) *AssumeRoleInput { } // Contains the response to a successful AssumeRole request, including temporary -// AWS credentials that can be used to make AWS requests. +// Amazon Web Services credentials that can be used to make Amazon Web Services +// requests. type AssumeRoleOutput struct { _ struct{} `type:"structure"` @@ -1749,11 +1772,11 @@ type AssumeRoleOutput struct { // // You can require users to specify a source identity when they assume a role. // You do this by using the sts:SourceIdentity condition key in a role trust - // policy. You can use source identity information in AWS CloudTrail logs to - // determine who took actions with a role. You can use the aws:SourceIdentity - // condition key to further control access to AWS resources based on the value - // of source identity. For more information about using source identity, see - // Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) + // policy. You can use source identity information in CloudTrail logs to determine + // who took actions with a role. You can use the aws:SourceIdentity condition + // key to further control access to Amazon Web Services resources based on the + // value of source identity. For more information about using source identity, + // see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) // in the IAM User Guide. // // The regex used to validate this parameter is a string of characters consisting @@ -1819,7 +1842,7 @@ type AssumeRoleWithSAMLInput struct { // to the federation endpoint for a console sign-in token takes a SessionDuration // parameter that specifies the maximum length of the console session. For more // information, see Creating a URL that Enables Federated Users to Access the - // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) + // Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) // in the IAM User Guide. DurationSeconds *int64 `min:"900" type:"integer"` @@ -1828,10 +1851,11 @@ type AssumeRoleWithSAMLInput struct { // This parameter is optional. Passing policies to this operation returns new // temporary credentials. The resulting session's permissions are the intersection // of the role's identity-based policy and the session policies. You can use - // the role's temporary credentials in subsequent AWS API calls to access resources - // in the account that owns the role. You cannot use session policies to grant - // more permissions than those allowed by the identity-based policy of the role - // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // the role's temporary credentials in subsequent Amazon Web Services API calls + // to access resources in the account that owns the role. You cannot use session + // policies to grant more permissions than those allowed by the identity-based + // policy of the role that is being assumed. For more information, see Session + // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // The plaintext that you use for both inline and managed session policies can't @@ -1840,11 +1864,11 @@ type AssumeRoleWithSAMLInput struct { // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage // return (\u000D) characters. // - // An AWS conversion compresses the passed session policies and session tags - // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags - // for your request are to the upper size limit. + // An Amazon Web Services conversion compresses the passed session policies + // and session tags into a packed binary format that has a separate limit. Your + // request can fail for this limit even if your plaintext meets the other requirements. + // The PackedPolicySize response element indicates by percentage how close the + // policies and tags for your request are to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want @@ -1854,22 +1878,22 @@ type AssumeRoleWithSAMLInput struct { // This parameter is optional. You can provide up to 10 managed policy ARNs. // However, the plaintext that you use for both inline and managed session policies // can't exceed 2,048 characters. For more information about ARNs, see Amazon - // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // in the AWS General Reference. + // Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // in the Amazon Web Services General Reference. // - // An AWS conversion compresses the passed session policies and session tags - // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags - // for your request are to the upper size limit. + // An Amazon Web Services conversion compresses the passed session policies + // and session tags into a packed binary format that has a separate limit. Your + // request can fail for this limit even if your plaintext meets the other requirements. + // The PackedPolicySize response element indicates by percentage how close the + // policies and tags for your request are to the upper size limit. // // Passing policies to this operation returns new temporary credentials. The // resulting session's permissions are the intersection of the role's identity-based // policy and the session policies. You can use the role's temporary credentials - // in subsequent AWS API calls to access resources in the account that owns - // the role. You cannot use session policies to grant more permissions than - // those allowed by the identity-based policy of the role that is being assumed. - // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in subsequent Amazon Web Services API calls to access resources in the account + // that owns the role. You cannot use session policies to grant more permissions + // than those allowed by the identity-based policy of the role that is being + // assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. PolicyArns []*PolicyDescriptorType `type:"list"` @@ -1984,7 +2008,8 @@ func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAML } // Contains the response to a successful AssumeRoleWithSAML request, including -// temporary AWS credentials that can be used to make AWS requests. +// temporary Amazon Web Services credentials that can be used to make Amazon +// Web Services requests. type AssumeRoleWithSAMLOutput struct { _ struct{} `type:"structure"` @@ -2010,7 +2035,7 @@ type AssumeRoleWithSAMLOutput struct { // // * The Issuer response value. // - // * The AWS account ID. + // * The Amazon Web Services account ID. // // * The friendly name (the last part of the ARN) of the SAML provider in // IAM. @@ -2148,7 +2173,7 @@ type AssumeRoleWithWebIdentityInput struct { // to the federation endpoint for a console sign-in token takes a SessionDuration // parameter that specifies the maximum length of the console session. For more // information, see Creating a URL that Enables Federated Users to Access the - // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) + // Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) // in the IAM User Guide. DurationSeconds *int64 `min:"900" type:"integer"` @@ -2157,10 +2182,11 @@ type AssumeRoleWithWebIdentityInput struct { // This parameter is optional. Passing policies to this operation returns new // temporary credentials. The resulting session's permissions are the intersection // of the role's identity-based policy and the session policies. You can use - // the role's temporary credentials in subsequent AWS API calls to access resources - // in the account that owns the role. You cannot use session policies to grant - // more permissions than those allowed by the identity-based policy of the role - // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // the role's temporary credentials in subsequent Amazon Web Services API calls + // to access resources in the account that owns the role. You cannot use session + // policies to grant more permissions than those allowed by the identity-based + // policy of the role that is being assumed. For more information, see Session + // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // The plaintext that you use for both inline and managed session policies can't @@ -2169,11 +2195,11 @@ type AssumeRoleWithWebIdentityInput struct { // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage // return (\u000D) characters. // - // An AWS conversion compresses the passed session policies and session tags - // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags - // for your request are to the upper size limit. + // An Amazon Web Services conversion compresses the passed session policies + // and session tags into a packed binary format that has a separate limit. Your + // request can fail for this limit even if your plaintext meets the other requirements. + // The PackedPolicySize response element indicates by percentage how close the + // policies and tags for your request are to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want @@ -2183,22 +2209,22 @@ type AssumeRoleWithWebIdentityInput struct { // This parameter is optional. You can provide up to 10 managed policy ARNs. // However, the plaintext that you use for both inline and managed session policies // can't exceed 2,048 characters. For more information about ARNs, see Amazon - // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // in the AWS General Reference. + // Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // in the Amazon Web Services General Reference. // - // An AWS conversion compresses the passed session policies and session tags - // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags - // for your request are to the upper size limit. + // An Amazon Web Services conversion compresses the passed session policies + // and session tags into a packed binary format that has a separate limit. Your + // request can fail for this limit even if your plaintext meets the other requirements. + // The PackedPolicySize response element indicates by percentage how close the + // policies and tags for your request are to the upper size limit. // // Passing policies to this operation returns new temporary credentials. The // resulting session's permissions are the intersection of the role's identity-based // policy and the session policies. You can use the role's temporary credentials - // in subsequent AWS API calls to access resources in the account that owns - // the role. You cannot use session policies to grant more permissions than - // those allowed by the identity-based policy of the role that is being assumed. - // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) + // in subsequent Amazon Web Services API calls to access resources in the account + // that owns the role. You cannot use session policies to grant more permissions + // than those allowed by the identity-based policy of the role that is being + // assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. PolicyArns []*PolicyDescriptorType `type:"list"` @@ -2338,7 +2364,8 @@ func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRo } // Contains the response to a successful AssumeRoleWithWebIdentity request, -// including temporary AWS credentials that can be used to make AWS requests. +// including temporary Amazon Web Services credentials that can be used to make +// Amazon Web Services requests. type AssumeRoleWithWebIdentityOutput struct { _ struct{} `type:"structure"` @@ -2471,8 +2498,8 @@ type AssumedRoleUser struct { Arn *string `min:"20" type:"string" required:"true"` // A unique identifier that contains the role ID and the role session name of - // the role that is being assumed. The role ID is generated by AWS when the - // role is created. + // the role that is being assumed. The role ID is generated by Amazon Web Services + // when the role is created. // // AssumedRoleId is a required field AssumedRoleId *string `min:"2" type:"string" required:"true"` @@ -2500,7 +2527,7 @@ func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser { return s } -// AWS credentials for API authentication. +// Amazon Web Services credentials for API authentication. type Credentials struct { _ struct{} `type:"structure"` @@ -2601,8 +2628,8 @@ func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAut } // A document that contains additional information about the authorization status -// of a request from an encoded message that is returned in response to an AWS -// request. +// of a request from an encoded message that is returned in response to an Amazon +// Web Services request. type DecodeAuthorizationMessageOutput struct { _ struct{} `type:"structure"` @@ -2714,7 +2741,7 @@ func (s *GetAccessKeyInfoInput) SetAccessKeyId(v string) *GetAccessKeyInfoInput type GetAccessKeyInfoOutput struct { _ struct{} `type:"structure"` - // The number used to identify the AWS account. + // The number used to identify the Amazon Web Services account. Account *string `type:"string"` } @@ -2753,11 +2780,11 @@ func (s GetCallerIdentityInput) GoString() string { type GetCallerIdentityOutput struct { _ struct{} `type:"structure"` - // The AWS account ID number of the account that owns or contains the calling - // entity. + // The Amazon Web Services account ID number of the account that owns or contains + // the calling entity. Account *string `type:"string"` - // The AWS ARN associated with the calling entity. + // The Amazon Web Services ARN associated with the calling entity. Arn *string `min:"20" type:"string"` // The unique identifier of the calling entity. The exact value depends on the @@ -2801,9 +2828,10 @@ type GetFederationTokenInput struct { // The duration, in seconds, that the session should last. Acceptable durations // for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds // (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained - // using AWS account root user credentials are restricted to a maximum of 3,600 - // seconds (one hour). If the specified duration is longer than one hour, the - // session obtained by using root user credentials defaults to one hour. + // using Amazon Web Services account root user credentials are restricted to + // a maximum of 3,600 seconds (one hour). If the specified duration is longer + // than one hour, the session obtained by using root user credentials defaults + // to one hour. DurationSeconds *int64 `min:"900" type:"integer"` // The name of the federated user. The name is used as an identifier for the @@ -2848,11 +2876,11 @@ type GetFederationTokenInput struct { // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage // return (\u000D) characters. // - // An AWS conversion compresses the passed session policies and session tags - // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags - // for your request are to the upper size limit. + // An Amazon Web Services conversion compresses the passed session policies + // and session tags into a packed binary format that has a separate limit. Your + // request can fail for this limit even if your plaintext meets the other requirements. + // The PackedPolicySize response element indicates by percentage how close the + // policies and tags for your request are to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want @@ -2865,8 +2893,8 @@ type GetFederationTokenInput struct { // use as managed session policies. The plaintext that you use for both inline // and managed session policies can't exceed 2,048 characters. You can provide // up to 10 managed policy ARNs. For more information about ARNs, see Amazon - // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // in the AWS General Reference. + // Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // in the Amazon Web Services General Reference. // // This parameter is optional. However, if you do not pass any session policies, // then the resulting federated user session has no permissions. @@ -2885,11 +2913,11 @@ type GetFederationTokenInput struct { // by the policy. These permissions are granted in addition to the permissions // that are granted by the session policies. // - // An AWS conversion compresses the passed session policies and session tags - // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags - // for your request are to the upper size limit. + // An Amazon Web Services conversion compresses the passed session policies + // and session tags into a packed binary format that has a separate limit. Your + // request can fail for this limit even if your plaintext meets the other requirements. + // The PackedPolicySize response element indicates by percentage how close the + // policies and tags for your request are to the upper size limit. PolicyArns []*PolicyDescriptorType `type:"list"` // A list of session tags. Each session tag consists of a key name and an associated @@ -2903,11 +2931,11 @@ type GetFederationTokenInput struct { // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // in the IAM User Guide. // - // An AWS conversion compresses the passed session policies and session tags - // into a packed binary format that has a separate limit. Your request can fail - // for this limit even if your plaintext meets the other requirements. The PackedPolicySize - // response element indicates by percentage how close the policies and tags - // for your request are to the upper size limit. + // An Amazon Web Services conversion compresses the passed session policies + // and session tags into a packed binary format that has a separate limit. Your + // request can fail for this limit even if your plaintext meets the other requirements. + // The PackedPolicySize response element indicates by percentage how close the + // policies and tags for your request are to the upper size limit. // // You can pass a session tag with the same key as a tag that is already attached // to the user you are federating. When you do, session tags override a user @@ -3004,7 +3032,8 @@ func (s *GetFederationTokenInput) SetTags(v []*Tag) *GetFederationTokenInput { } // Contains the response to a successful GetFederationToken request, including -// temporary AWS credentials that can be used to make AWS requests. +// temporary Amazon Web Services credentials that can be used to make Amazon +// Web Services requests. type GetFederationTokenOutput struct { _ struct{} `type:"structure"` @@ -3062,9 +3091,9 @@ type GetSessionTokenInput struct { // The duration, in seconds, that the credentials should remain valid. Acceptable // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions - // for AWS account owners are restricted to a maximum of 3,600 seconds (one - // hour). If the duration is longer than one hour, the session for AWS account - // owners defaults to one hour. + // for Amazon Web Services account owners are restricted to a maximum of 3,600 + // seconds (one hour). If the duration is longer than one hour, the session + // for Amazon Web Services account owners defaults to one hour. DurationSeconds *int64 `min:"900" type:"integer"` // The identification number of the MFA device that is associated with the IAM @@ -3072,7 +3101,7 @@ type GetSessionTokenInput struct { // user has a policy that requires MFA authentication. The value is either the // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). - // You can find the device for an IAM user by going to the AWS Management Console + // You can find the device for an IAM user by going to the Management Console // and viewing the user's security credentials. // // The regex used to validate this parameter is a string of characters consisting @@ -3139,7 +3168,8 @@ func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput { } // Contains the response to a successful GetSessionToken request, including -// temporary AWS credentials that can be used to make AWS requests. +// temporary Amazon Web Services credentials that can be used to make Amazon +// Web Services requests. type GetSessionTokenOutput struct { _ struct{} `type:"structure"` @@ -3174,8 +3204,8 @@ type PolicyDescriptorType struct { // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session // policy for the role. For more information about ARNs, see Amazon Resource - // Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) - // in the AWS General Reference. + // Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) + // in the Amazon Web Services General Reference. Arn *string `locationName:"arn" min:"20" type:"string"` } @@ -3210,9 +3240,9 @@ func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType { // You can pass custom key-value pair attributes when you assume a role or federate // a user. These are called session tags. You can then use the session tags -// to control access to resources. For more information, see Tagging AWS STS -// Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) -// in the IAM User Guide. +// to control access to resources. For more information, see Tagging STS Sessions +// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in +// the IAM User Guide. type Tag struct { _ struct{} `type:"structure"` diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go b/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go index cb1debbaa..2d98d9235 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go +++ b/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go @@ -3,11 +3,11 @@ // Package sts provides the client and types for making API // requests to AWS Security Token Service. // -// AWS Security Token Service (STS) enables you to request temporary, limited-privilege -// credentials for AWS Identity and Access Management (IAM) users or for users -// that you authenticate (federated users). This guide provides descriptions -// of the STS API. For more information about using this service, see Temporary -// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html). +// Security Token Service (STS) enables you to request temporary, limited-privilege +// credentials for Identity and Access Management (IAM) users or for users that +// you authenticate (federated users). This guide provides descriptions of the +// STS API. For more information about using this service, see Temporary Security +// Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html). // // See https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15 for more information on this service. // diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go b/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go index a233f542e..7897d70c8 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go +++ b/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go @@ -42,8 +42,9 @@ const ( // ErrCodeInvalidIdentityTokenException for service response error code // "InvalidIdentityToken". // - // The web identity token that was passed could not be validated by AWS. Get - // a new identity token from the identity provider and then retry the request. + // The web identity token that was passed could not be validated by Amazon Web + // Services. Get a new identity token from the identity provider and then retry + // the request. ErrCodeInvalidIdentityTokenException = "InvalidIdentityToken" // ErrCodeMalformedPolicyDocumentException for service response error code @@ -57,11 +58,11 @@ const ( // "PackedPolicyTooLarge". // // The request was rejected because the total packed size of the session policies - // and session tags combined was too large. An AWS conversion compresses the - // session policy document, session policy ARNs, and session tags into a packed - // binary format that has a separate limit. The error message indicates by percentage - // how close the policies and tags are to the upper size limit. For more information, - // see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) + // and session tags combined was too large. An Amazon Web Services conversion + // compresses the session policy document, session policy ARNs, and session + // tags into a packed binary format that has a separate limit. The error message + // indicates by percentage how close the policies and tags are to the upper + // size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // // You could receive this error even though you meet other defined session policy @@ -76,7 +77,8 @@ const ( // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM // console to activate STS in that region. For more information, see Activating - // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) + // and Deactivating Amazon Web Services STS in an Amazon Web Services Region + // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // in the IAM User Guide. ErrCodeRegionDisabledException = "RegionDisabledException" ) diff --git a/vendor/golang.org/x/net/http2/ascii.go b/vendor/golang.org/x/net/http2/ascii.go index 0c58d727c..17caa2058 100644 --- a/vendor/golang.org/x/net/http2/ascii.go +++ b/vendor/golang.org/x/net/http2/ascii.go @@ -6,6 +6,10 @@ package http2 import "strings" +// The HTTP protocols are defined in terms of ASCII, not Unicode. This file +// contains helper functions which may use Unicode-aware functions which would +// otherwise be unsafe and could introduce vulnerabilities if used improperly. + // asciiEqualFold is strings.EqualFold, ASCII only. It reports whether s and t // are equal, ASCII-case-insensitively. func asciiEqualFold(s, t string) bool { diff --git a/vendor/golang.org/x/net/http2/server.go b/vendor/golang.org/x/net/http2/server.go index 09bc70533..0ccbe9b4c 100644 --- a/vendor/golang.org/x/net/http2/server.go +++ b/vendor/golang.org/x/net/http2/server.go @@ -259,16 +259,12 @@ func ConfigureServer(s *http.Server, conf *Server) error { s.TLSConfig.PreferServerCipherSuites = true - haveNPN := false - for _, p := range s.TLSConfig.NextProtos { - if p == NextProtoTLS { - haveNPN = true - break - } - } - if !haveNPN { + if !strSliceContains(s.TLSConfig.NextProtos, NextProtoTLS) { s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, NextProtoTLS) } + if !strSliceContains(s.TLSConfig.NextProtos, "http/1.1") { + s.TLSConfig.NextProtos = append(s.TLSConfig.NextProtos, "http/1.1") + } if s.TLSNextProto == nil { s.TLSNextProto = map[string]func(*http.Server, *tls.Conn, http.Handler){} diff --git a/vendor/golang.org/x/net/http2/transport.go b/vendor/golang.org/x/net/http2/transport.go index 7bd4b9c19..b97adff7d 100644 --- a/vendor/golang.org/x/net/http2/transport.go +++ b/vendor/golang.org/x/net/http2/transport.go @@ -264,9 +264,8 @@ type ClientConn struct { peerMaxHeaderListSize uint64 initialWindowSize uint32 - hbuf bytes.Buffer // HPACK encoder writes into this - henc *hpack.Encoder - freeBuf [][]byte + hbuf bytes.Buffer // HPACK encoder writes into this + henc *hpack.Encoder wmu sync.Mutex // held while writing; acquire AFTER mu if holding both werr error // first write error that has occurred @@ -913,46 +912,6 @@ func (cc *ClientConn) closeForLostPing() error { return cc.closeForError(err) } -const maxAllocFrameSize = 512 << 10 - -// frameBuffer returns a scratch buffer suitable for writing DATA frames. -// They're capped at the min of the peer's max frame size or 512KB -// (kinda arbitrarily), but definitely capped so we don't allocate 4GB -// bufers. -func (cc *ClientConn) frameScratchBuffer() []byte { - cc.mu.Lock() - size := cc.maxFrameSize - if size > maxAllocFrameSize { - size = maxAllocFrameSize - } - for i, buf := range cc.freeBuf { - if len(buf) >= int(size) { - cc.freeBuf[i] = nil - cc.mu.Unlock() - return buf[:size] - } - } - cc.mu.Unlock() - return make([]byte, size) -} - -func (cc *ClientConn) putFrameScratchBuffer(buf []byte) { - cc.mu.Lock() - defer cc.mu.Unlock() - const maxBufs = 4 // arbitrary; 4 concurrent requests per conn? investigate. - if len(cc.freeBuf) < maxBufs { - cc.freeBuf = append(cc.freeBuf, buf) - return - } - for i, old := range cc.freeBuf { - if old == nil { - cc.freeBuf[i] = buf - return - } - } - // forget about it. -} - // errRequestCanceled is a copy of net/http's errRequestCanceled because it's not // exported. At least they'll be DeepEqual for h1-vs-h2 comparisons tests. var errRequestCanceled = errors.New("net/http: request canceled") @@ -1295,11 +1254,35 @@ var ( errReqBodyTooLong = errors.New("http2: request body larger than specified content length") ) +// frameScratchBufferLen returns the length of a buffer to use for +// outgoing request bodies to read/write to/from. +// +// It returns max(1, min(peer's advertised max frame size, +// Request.ContentLength+1, 512KB)). +func (cs *clientStream) frameScratchBufferLen(maxFrameSize int) int { + const max = 512 << 10 + n := int64(maxFrameSize) + if n > max { + n = max + } + if cl := actualContentLength(cs.req); cl != -1 && cl+1 < n { + // Add an extra byte past the declared content-length to + // give the caller's Request.Body io.Reader a chance to + // give us more bytes than they declared, so we can catch it + // early. + n = cl + 1 + } + if n < 1 { + return 1 + } + return int(n) // doesn't truncate; max is 512K +} + +var bufPool sync.Pool // of *[]byte + func (cs *clientStream) writeRequestBody(body io.Reader, bodyCloser io.Closer) (err error) { cc := cs.cc sentEnd := false // whether we sent the final DATA frame w/ END_STREAM - buf := cc.frameScratchBuffer() - defer cc.putFrameScratchBuffer(buf) defer func() { traceWroteRequest(cs.trace, err) @@ -1318,9 +1301,24 @@ func (cs *clientStream) writeRequestBody(body io.Reader, bodyCloser io.Closer) ( remainLen := actualContentLength(req) hasContentLen := remainLen != -1 + cc.mu.Lock() + maxFrameSize := int(cc.maxFrameSize) + cc.mu.Unlock() + + // Scratch buffer for reading into & writing from. + scratchLen := cs.frameScratchBufferLen(maxFrameSize) + var buf []byte + if bp, ok := bufPool.Get().(*[]byte); ok && len(*bp) >= scratchLen { + defer bufPool.Put(bp) + buf = *bp + } else { + buf = make([]byte, scratchLen) + defer bufPool.Put(&buf) + } + var sawEOF bool for !sawEOF { - n, err := body.Read(buf[:len(buf)-1]) + n, err := body.Read(buf[:len(buf)]) if hasContentLen { remainLen -= int64(n) if remainLen == 0 && err == nil { @@ -1331,8 +1329,9 @@ func (cs *clientStream) writeRequestBody(body io.Reader, bodyCloser io.Closer) ( // to send the END_STREAM bit early, double-check that we're actually // at EOF. Subsequent reads should return (0, EOF) at this point. // If either value is different, we return an error in one of two ways below. + var scratch [1]byte var n1 int - n1, err = body.Read(buf[n:]) + n1, err = body.Read(scratch[:]) remainLen -= int64(n1) } if remainLen < 0 { @@ -1402,10 +1401,6 @@ func (cs *clientStream) writeRequestBody(body io.Reader, bodyCloser io.Closer) ( } } - cc.mu.Lock() - maxFrameSize := int(cc.maxFrameSize) - cc.mu.Unlock() - cc.wmu.Lock() defer cc.wmu.Unlock() diff --git a/vendor/modules.txt b/vendor/modules.txt index b1b2e4762..b6982f5e4 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1,4 +1,4 @@ -# github.com/aws/aws-sdk-go v1.38.63 +# github.com/aws/aws-sdk-go v1.40.34 ## explicit github.com/aws/aws-sdk-go/aws github.com/aws/aws-sdk-go/aws/awserr @@ -363,7 +363,7 @@ golang.org/x/crypto/poly1305 golang.org/x/crypto/scrypt golang.org/x/crypto/ssh golang.org/x/crypto/ssh/internal/bcrypt_pbkdf -# golang.org/x/net v0.0.0-20210520170846-37e1c6afe023 +# golang.org/x/net v0.0.0-20210614182718-04defd469f4e golang.org/x/net/context golang.org/x/net/context/ctxhttp golang.org/x/net/html