aws-sdk-acmpca 1.35.0 → 1.36.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d04817022fa4367102b398d2f979e2f076f2a9289beaf9f9b789f9a3405f1904
-  data.tar.gz: 40e3ddf003ceaa3c2390f4112a9648eb8fca9357f287af74585531fdfc518047
+  metadata.gz: 6f3a3088e948b635c92f274b880ceb55aa7dafd77799a3f19af7b2171c38f982
+  data.tar.gz: ed00f35cdce2863f478e50e1597eea47cf92bdc518c071fb7e544d9c6bc6497a
 SHA512:
-  metadata.gz: 9ce075366b23fb423a85d72b845980d37e1c370dce89b72159973df33ebad843aec8b839d188fd90988fac0e307a6e60b51036eb5e05694e7a52e6a950c3b811
-  data.tar.gz: 0f7dbdcdcb82244e9d57792407ecc8a94f59862360959d6d5dc843ab3671497b650882e90b8b7cef804e755f4e415688a45923e6f12e7a7db3b0708e0a9f7d69
+  metadata.gz: 0c574e23bf71374dfd49579ce35aa830dac961fd033b03e324f63e30ff9114583610b2fcee9f7d5032e59de1d075de315cb71a51d80567bffbfb93d78a2211bf
+  data.tar.gz: 0df701f48febe1dbe26fa232ad220bcb6204b2627d972b5fbf8e206ad76ed5e2b7b4b265827e9977b1ad80a1bda064907b338469c40b991258a7e967a2ac90ab

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.36.0 (2021-05-26)
+------------------
+
+* Feature - This release enables customers to store CRLs in S3 buckets with Block Public Access enabled. The release adds the S3ObjectAcl parameter to the CreateCertificateAuthority and UpdateCertificateAuthority APIs to allow customers to choose whether their CRL will be publicly available.
+
 1.35.0 (2021-05-04)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.35.0
+1.36.0

data/lib/aws-sdk-acmpca.rb

@@ -49,6 +49,6 @@ require_relative 'aws-sdk-acmpca/customizations'
 # @!group service
 module Aws::ACMPCA
 
-  GEM_VERSION = '1.35.0'
+  GEM_VERSION = '1.36.0'
 
 end

data/lib/aws-sdk-acmpca/client.rb

@@ -400,12 +400,13 @@ module Aws::ACMPCA
     #
     #   Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
     #
-    #   Note: AWS Region ap-northeast-3 supports only
-    #   FIPS\_140\_2\_LEVEL\_2\_OR\_HIGHER. You must explicitly specify this
-    #   parameter and value when creating a CA in that Region. Specifying a
-    #   different value (or no value) results in an `InvalidArgsException`
-    #   with the message "A certificate authority cannot be created in this
-    #   region with the specified security standard."
+    #   Note: `FIPS_140_2_LEVEL_3_OR_HIGHER` is not supported in Region
+    #   ap-northeast-3. When creating a CA in the ap-northeast-3, you must
+    #   provide `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for
+    #   `KeyStorageSecurityStandard`. Failure to do this results in an
+    #   `InvalidArgsException` with the message, "A certificate authority
+    #   cannot be created in this region with the specified security
+    #   standard."
     #
     # @option params [Array<Types::Tag>] :tags
     #   Key-value pairs that will be attached to the new private CA. You can
@@ -502,6 +503,7 @@ module Aws::ACMPCA
     #         expiration_in_days: 1,
     #         custom_cname: "String253",
     #         s3_bucket_name: "String3To255",
+    #         s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
     #       },
     #     },
     #     certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE
@@ -996,6 +998,7 @@ module Aws::ACMPCA
     #   resp.certificate_authority.revocation_configuration.crl_configuration.expiration_in_days #=> Integer
     #   resp.certificate_authority.revocation_configuration.crl_configuration.custom_cname #=> String
     #   resp.certificate_authority.revocation_configuration.crl_configuration.s3_bucket_name #=> String
+    #   resp.certificate_authority.revocation_configuration.crl_configuration.s3_object_acl #=> String, one of "PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL"
     #   resp.certificate_authority.restorable_until #=> Time
     #   resp.certificate_authority.key_storage_security_standard #=> String, one of "FIPS_140_2_LEVEL_2_OR_HIGHER", "FIPS_140_2_LEVEL_3_OR_HIGHER"
     #
@@ -1801,6 +1804,7 @@ module Aws::ACMPCA
     #   resp.certificate_authorities[0].revocation_configuration.crl_configuration.expiration_in_days #=> Integer
     #   resp.certificate_authorities[0].revocation_configuration.crl_configuration.custom_cname #=> String
     #   resp.certificate_authorities[0].revocation_configuration.crl_configuration.s3_bucket_name #=> String
+    #   resp.certificate_authorities[0].revocation_configuration.crl_configuration.s3_object_acl #=> String, one of "PUBLIC_READ", "BUCKET_OWNER_FULL_CONTROL"
     #   resp.certificate_authorities[0].restorable_until #=> Time
     #   resp.certificate_authorities[0].key_storage_security_standard #=> String, one of "FIPS_140_2_LEVEL_2_OR_HIGHER", "FIPS_140_2_LEVEL_3_OR_HIGHER"
     #   resp.next_token #=> String
@@ -2329,6 +2333,7 @@ module Aws::ACMPCA
     #         expiration_in_days: 1,
     #         custom_cname: "String253",
     #         s3_bucket_name: "String3To255",
+    #         s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
     #       },
     #     },
     #     status: "CREATING", # accepts CREATING, PENDING_CERTIFICATE, ACTIVE, DELETED, DISABLED, EXPIRED, FAILED
@@ -2356,7 +2361,7 @@ module Aws::ACMPCA
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-acmpca'
-      context[:gem_version] = '1.35.0'
+      context[:gem_version] = '1.36.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-acmpca/client_api.rb

@@ -126,6 +126,7 @@ module Aws::ACMPCA
     RevokeCertificateRequest = Shapes::StructureShape.new(name: 'RevokeCertificateRequest')
     S3BucketName = Shapes::StringShape.new(name: 'S3BucketName')
     S3Key = Shapes::StringShape.new(name: 'S3Key')
+    S3ObjectAcl = Shapes::StringShape.new(name: 'S3ObjectAcl')
     SigningAlgorithm = Shapes::StringShape.new(name: 'SigningAlgorithm')
     String = Shapes::StringShape.new(name: 'String')
     String128 = Shapes::StringShape.new(name: 'String128')
@@ -244,6 +245,7 @@ module Aws::ACMPCA
     CrlConfiguration.add_member(:expiration_in_days, Shapes::ShapeRef.new(shape: Integer1To5000, location_name: "ExpirationInDays", metadata: {"box"=>true}))
     CrlConfiguration.add_member(:custom_cname, Shapes::ShapeRef.new(shape: String253, location_name: "CustomCname"))
     CrlConfiguration.add_member(:s3_bucket_name, Shapes::ShapeRef.new(shape: String3To255, location_name: "S3BucketName"))
+    CrlConfiguration.add_member(:s3_object_acl, Shapes::ShapeRef.new(shape: S3ObjectAcl, location_name: "S3ObjectAcl"))
     CrlConfiguration.struct_class = Types::CrlConfiguration
 
     CsrExtensions.add_member(:key_usage, Shapes::ShapeRef.new(shape: KeyUsage, location_name: "KeyUsage"))

data/lib/aws-sdk-acmpca/types.rb

@@ -754,6 +754,7 @@ module Aws::ACMPCA
     #             expiration_in_days: 1,
     #             custom_cname: "String253",
     #             s3_bucket_name: "String3To255",
+    #             s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
     #           },
     #         },
     #         certificate_authority_type: "ROOT", # required, accepts ROOT, SUBORDINATE
@@ -807,12 +808,13 @@ module Aws::ACMPCA
     #
     #   Default: FIPS\_140\_2\_LEVEL\_3\_OR\_HIGHER
     #
-    #   Note: AWS Region ap-northeast-3 supports only
-    #   FIPS\_140\_2\_LEVEL\_2\_OR\_HIGHER. You must explicitly specify this
-    #   parameter and value when creating a CA in that Region. Specifying a
-    #   different value (or no value) results in an `InvalidArgsException`
-    #   with the message "A certificate authority cannot be created in this
-    #   region with the specified security standard."
+    #   Note: `FIPS_140_2_LEVEL_3_OR_HIGHER` is not supported in Region
+    #   ap-northeast-3. When creating a CA in the ap-northeast-3, you must
+    #   provide `FIPS_140_2_LEVEL_2_OR_HIGHER` as the argument for
+    #   `KeyStorageSecurityStandard`. Failure to do this results in an
+    #   `InvalidArgsException` with the message, "A certificate authority
+    #   cannot be created in this region with the specified security
+    #   standard."
     #   @return [String]
     #
     # @!attribute [rw] tags
@@ -984,6 +986,7 @@ module Aws::ACMPCA
     #         expiration_in_days: 1,
     #         custom_cname: "String253",
     #         s3_bucket_name: "String3To255",
+    #         s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
     #       }
     #
     # @!attribute [rw] enabled
@@ -1016,12 +1019,39 @@ module Aws::ACMPCA
     #   is placed into the **CRL Distribution Points** extension of the
     #   issued certificate. You can change the name of your bucket by
     #   calling the [UpdateCertificateAuthority][1] action. You must specify
-    #   a bucket policy that allows ACM Private CA to write the CRL to your
-    #   bucket.
+    #   a [bucket policy][2] that allows ACM Private CA to write the CRL to
+    #   your bucket.
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/acm-pca/latest/APIReference/API_UpdateCertificateAuthority.html
+    #   [2]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-policies
+    #   @return [String]
+    #
+    # @!attribute [rw] s3_object_acl
+    #   Determines whether the CRL will be publicly readable or privately
+    #   held in the CRL Amazon S3 bucket. If you choose PUBLIC\_READ, the
+    #   CRL will be accessible over the public internet. If you choose
+    #   BUCKET\_OWNER\_FULL\_CONTROL, only the owner of the CRL S3 bucket
+    #   can access the CRL, and your PKI clients may need an alternative
+    #   method of access.
+    #
+    #   If no value is specified, the default is `PUBLIC_READ`.
+    #
+    #   *Note:* This default can cause CA creation to fail in some
+    #   circumstances. If you have have enabled the Block Public Access
+    #   (BPA) feature in your S3 account, then you must specify the value of
+    #   this parameter as `BUCKET_OWNER_FULL_CONTROL`, and not doing so
+    #   results in an error. If you have disabled BPA in S3, then you can
+    #   specify either `BUCKET_OWNER_FULL_CONTROL` or `PUBLIC_READ` as the
+    #   value.
+    #
+    #   For more information, see [Blocking public access to the S3
+    #   bucket][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/acm-pca/latest/userguide/PcaCreateCa.html#s3-bpa
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/acm-pca-2017-08-22/CrlConfiguration AWS API Documentation
@@ -1030,7 +1060,8 @@ module Aws::ACMPCA
       :enabled,
       :expiration_in_days,
       :custom_cname,
-      :s3_bucket_name)
+      :s3_bucket_name,
+      :s3_object_acl)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2868,6 +2899,7 @@ module Aws::ACMPCA
     #           expiration_in_days: 1,
     #           custom_cname: "String253",
     #           s3_bucket_name: "String3To255",
+    #           s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
     #         },
     #       }
     #
@@ -3073,6 +3105,7 @@ module Aws::ACMPCA
     #             expiration_in_days: 1,
     #             custom_cname: "String253",
     #             s3_bucket_name: "String3To255",
+    #             s3_object_acl: "PUBLIC_READ", # accepts PUBLIC_READ, BUCKET_OWNER_FULL_CONTROL
     #           },
     #         },
     #         status: "CREATING", # accepts CREATING, PENDING_CERTIFICATE, ACTIVE, DELETED, DISABLED, EXPIRED, FAILED

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-acmpca
 version: !ruby/object:Gem::Version
-  version: 1.35.0
+  version: 1.36.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-05-04 00:00:00.000000000 Z
+date: 2021-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core