/*******************************************************************************
* Copyright 2012-2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
* Licensed under the Apache License, Version 2.0 (the "License"). You may not use
* this file except in compliance with the License. A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file.
* This file is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
* CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
* *****************************************************************************
*
* AWS Tools for Windows (TM) PowerShell (TM)
*
*/
using System;
using System.Collections.Generic;
using System.Linq;
using System.Management.Automation;
using System.Text;
using Amazon.PowerShell.Common;
using Amazon.Runtime;
using Amazon.CloudWatchLogs;
using Amazon.CloudWatchLogs.Model;
namespace Amazon.PowerShell.Cmdlets.CWL
{
///
/// Creates an account-level data protection policy that applies to all log groups in
/// the account. A data protection policy can help safeguard sensitive data that's ingested
/// by your log groups by auditing and masking the sensitive log data. Each account can
/// have only one account-level policy.
///
///
/// Sensitive data is detected and masked when it is ingested into a log group. When you
/// set a data protection policy, log events ingested into the log groups before that
/// time are not masked.
///
/// If you use PutAccountPolicy to create a data protection policy for your
/// whole account, it applies to both existing log groups and all log groups that are
/// created later in this account. The account policy is applied to existing log groups
/// with eventual consistency. It might take up to 5 minutes before sensitive data in
/// existing log groups begins to be masked.
///
/// By default, when a user views a log event that includes masked data, the sensitive
/// data is replaced by asterisks. A user who has the logs:Unmask permission
/// can use a GetLogEvents
/// or FilterLogEvents
/// operation with the unmask parameter set to true to view
/// the unmasked log events. Users with the logs:Unmask can also view unmasked
/// data in the CloudWatch Logs console by running a CloudWatch Logs Insights query with
/// the unmask query command.
///
/// For more information, including a list of types of data that can be audited and masked,
/// see Protect
/// sensitive log data with masking.
///
/// To use the PutAccountPolicy operation, you must be signed on with the
/// logs:PutDataProtectionPolicy and logs:PutAccountPolicy permissions.
///
/// The PutAccountPolicy operation applies to all log groups in the account.
/// You can also use PutDataProtectionPolicy
/// to create a data protection policy that applies to just one log group. If a log group
/// has its own data protection policy and the account also has an account-level data
/// protection policy, then the two policies are cumulative. Any sensitive term specified
/// in either policy is masked.
///
///
[Cmdlet("Write", "CWLAccountPolicy", SupportsShouldProcess = true, ConfirmImpact = ConfirmImpact.Medium)]
[OutputType("Amazon.CloudWatchLogs.Model.AccountPolicy")]
[AWSCmdlet("Calls the Amazon CloudWatch Logs PutAccountPolicy API operation.", Operation = new[] {"PutAccountPolicy"}, SelectReturnType = typeof(Amazon.CloudWatchLogs.Model.PutAccountPolicyResponse))]
[AWSCmdletOutput("Amazon.CloudWatchLogs.Model.AccountPolicy or Amazon.CloudWatchLogs.Model.PutAccountPolicyResponse",
"This cmdlet returns an Amazon.CloudWatchLogs.Model.AccountPolicy object.",
"The service call response (type Amazon.CloudWatchLogs.Model.PutAccountPolicyResponse) can also be referenced from properties attached to the cmdlet entry in the $AWSHistory stack."
)]
public partial class WriteCWLAccountPolicyCmdlet : AmazonCloudWatchLogsClientCmdlet, IExecutor
{
#region Parameter PolicyDocument
///
///
/// Specify the data protection policy, in JSON.This policy must include two JSON blocks:- The first block must include both a
DataIdentifer array and an Operation
/// property with an Audit action. The DataIdentifer array lists
/// the types of sensitive data that you want to mask. For more information about the
/// available options, see Types
/// of data that you can mask.The Operation property with an Audit action is required
/// to find the sensitive data terms. This Audit action must contain a FindingsDestination
/// object. You can optionally use that FindingsDestination object to list
/// one or more destinations to send audit findings to. If you specify destinations such
/// as log groups, Kinesis Data Firehose streams, and S3 buckets, they must already exist. - The second block must include both a
DataIdentifer array and an Operation
/// property with an Deidentify action. The DataIdentifer array
/// must exactly match the DataIdentifer array in the first block of the
/// policy.The Operation property with the Deidentify action is what
/// actually masks the data, and it must contain the "MaskConfig": {} object.
/// The "MaskConfig": {} object must be empty.
For an example data protection policy, see the Examples section on this page.The contents of the two DataIdentifer arrays must match exactly.In addition to the two JSON blocks, the policyDocument can also include
/// Name, Description, and Version fields. The
/// Name is different than the operation's policyName parameter,
/// and is used as a dimension when CloudWatch Logs reports audit findings metrics to
/// CloudWatch.The JSON specified in policyDocument can be up to 30,720 characters.
///
///
#if !MODULAR
[System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)]
#else
[System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true, Mandatory = true)]
[System.Management.Automation.AllowEmptyString]
[System.Management.Automation.AllowNull]
#endif
[Amazon.PowerShell.Common.AWSRequiredParameter]
public System.String PolicyDocument { get; set; }
#endregion
#region Parameter PolicyName
///
///
/// A name for the policy. This must be unique within the account.
///
///
#if !MODULAR
[System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)]
#else
[System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true, Mandatory = true)]
[System.Management.Automation.AllowEmptyString]
[System.Management.Automation.AllowNull]
#endif
[Amazon.PowerShell.Common.AWSRequiredParameter]
public System.String PolicyName { get; set; }
#endregion
#region Parameter PolicyType
///
///
/// Currently the only valid value for this parameter is DATA_PROTECTION_POLICY.
///
///
#if !MODULAR
[System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)]
#else
[System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true, Mandatory = true)]
[System.Management.Automation.AllowNull]
#endif
[Amazon.PowerShell.Common.AWSRequiredParameter]
[AWSConstantClassSource("Amazon.CloudWatchLogs.PolicyType")]
public Amazon.CloudWatchLogs.PolicyType PolicyType { get; set; }
#endregion
#region Parameter Scope
///
///
/// Currently the only valid value for this parameter is ALL, which specifies
/// that the data protection policy applies to all log groups in the account. If you omit
/// this parameter, the default of ALL is used.
///
///
[System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)]
[AWSConstantClassSource("Amazon.CloudWatchLogs.Scope")]
public Amazon.CloudWatchLogs.Scope Scope { get; set; }
#endregion
#region Parameter Select
///
/// Use the -Select parameter to control the cmdlet output. The default value is 'AccountPolicy'.
/// Specifying -Select '*' will result in the cmdlet returning the whole service response (Amazon.CloudWatchLogs.Model.PutAccountPolicyResponse).
/// Specifying the name of a property of type Amazon.CloudWatchLogs.Model.PutAccountPolicyResponse will result in that property being returned.
/// Specifying -Select '^ParameterName' will result in the cmdlet returning the selected cmdlet parameter value.
///
[System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)]
public string Select { get; set; } = "AccountPolicy";
#endregion
#region Parameter Force
///
/// This parameter overrides confirmation prompts to force
/// the cmdlet to continue its operation. This parameter should always
/// be used with caution.
///
[System.Management.Automation.Parameter(ValueFromPipelineByPropertyName = true)]
public SwitchParameter Force { get; set; }
#endregion
protected override void ProcessRecord()
{
this._AWSSignerType = "v4";
base.ProcessRecord();
var resourceIdentifiersText = FormatParameterValuesForConfirmationMsg(nameof(this.PolicyName), MyInvocation.BoundParameters);
if (!ConfirmShouldProceed(this.Force.IsPresent, resourceIdentifiersText, "Write-CWLAccountPolicy (PutAccountPolicy)"))
{
return;
}
var context = new CmdletContext();
// allow for manipulation of parameters prior to loading into context
PreExecutionContextLoad(context);
if (ParameterWasBound(nameof(this.Select)))
{
context.Select = CreateSelectDelegate(Select) ??
throw new System.ArgumentException("Invalid value for -Select parameter.", nameof(this.Select));
}
context.PolicyDocument = this.PolicyDocument;
#if MODULAR
if (this.PolicyDocument == null && ParameterWasBound(nameof(this.PolicyDocument)))
{
WriteWarning("You are passing $null as a value for parameter PolicyDocument which is marked as required. In case you believe this parameter was incorrectly marked as required, report this by opening an issue at https://github.com/aws/aws-tools-for-powershell/issues.");
}
#endif
context.PolicyName = this.PolicyName;
#if MODULAR
if (this.PolicyName == null && ParameterWasBound(nameof(this.PolicyName)))
{
WriteWarning("You are passing $null as a value for parameter PolicyName which is marked as required. In case you believe this parameter was incorrectly marked as required, report this by opening an issue at https://github.com/aws/aws-tools-for-powershell/issues.");
}
#endif
context.PolicyType = this.PolicyType;
#if MODULAR
if (this.PolicyType == null && ParameterWasBound(nameof(this.PolicyType)))
{
WriteWarning("You are passing $null as a value for parameter PolicyType which is marked as required. In case you believe this parameter was incorrectly marked as required, report this by opening an issue at https://github.com/aws/aws-tools-for-powershell/issues.");
}
#endif
context.Scope = this.Scope;
// allow further manipulation of loaded context prior to processing
PostExecutionContextLoad(context);
var output = Execute(context) as CmdletOutput;
ProcessOutput(output);
}
#region IExecutor Members
public object Execute(ExecutorContext context)
{
var cmdletContext = context as CmdletContext;
// create request
var request = new Amazon.CloudWatchLogs.Model.PutAccountPolicyRequest();
if (cmdletContext.PolicyDocument != null)
{
request.PolicyDocument = cmdletContext.PolicyDocument;
}
if (cmdletContext.PolicyName != null)
{
request.PolicyName = cmdletContext.PolicyName;
}
if (cmdletContext.PolicyType != null)
{
request.PolicyType = cmdletContext.PolicyType;
}
if (cmdletContext.Scope != null)
{
request.Scope = cmdletContext.Scope;
}
CmdletOutput output;
// issue call
var client = Client ?? CreateClient(_CurrentCredentials, _RegionEndpoint);
try
{
var response = CallAWSServiceOperation(client, request);
object pipelineOutput = null;
pipelineOutput = cmdletContext.Select(response, this);
output = new CmdletOutput
{
PipelineOutput = pipelineOutput,
ServiceResponse = response
};
}
catch (Exception e)
{
output = new CmdletOutput { ErrorResponse = e };
}
return output;
}
public ExecutorContext CreateContext()
{
return new CmdletContext();
}
#endregion
#region AWS Service Operation Call
private Amazon.CloudWatchLogs.Model.PutAccountPolicyResponse CallAWSServiceOperation(IAmazonCloudWatchLogs client, Amazon.CloudWatchLogs.Model.PutAccountPolicyRequest request)
{
Utils.Common.WriteVerboseEndpointMessage(this, client.Config, "Amazon CloudWatch Logs", "PutAccountPolicy");
try
{
#if DESKTOP
return client.PutAccountPolicy(request);
#elif CORECLR
return client.PutAccountPolicyAsync(request).GetAwaiter().GetResult();
#else
#error "Unknown build edition"
#endif
}
catch (AmazonServiceException exc)
{
var webException = exc.InnerException as System.Net.WebException;
if (webException != null)
{
throw new Exception(Utils.Common.FormatNameResolutionFailureMessage(client.Config, webException.Message), webException);
}
throw;
}
}
#endregion
internal partial class CmdletContext : ExecutorContext
{
public System.String PolicyDocument { get; set; }
public System.String PolicyName { get; set; }
public Amazon.CloudWatchLogs.PolicyType PolicyType { get; set; }
public Amazon.CloudWatchLogs.Scope Scope { get; set; }
public System.Func Select { get; set; } =
(response, cmdlet) => response.AccountPolicy;
}
}
}