aws-sdk-managedgrafana 1.11.0 → 1.13.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 5c042706cd987c8288ba8bda68a372567005bf1c4d28a6346890d7089467b7eb
-  data.tar.gz: 73f9ebce553690ff0595933d91d41f84de83447434cf7166424a83efa0fe0dd1
+  metadata.gz: 95d1063eedc2551fd155e40eaa7b6bd779a0985a40b02bd76b0340793c0b8cc3
+  data.tar.gz: 8bf298a66f196a2e7cac0b6975d77569d1836221f2498a21db297b0f9a2ccb53
 SHA512:
-  metadata.gz: d8971fdb9c58e1da39b7eb71ec90b3f68d801023611610dfa5f9e66690911216e0ef9df2a399e815cd9fa8af17936bf433ac38346e0a38f6ad0c06e38d3f8e75
-  data.tar.gz: 977707474817b9bafb4c89c57362a80df22c70babdd9c4e7ae0d2f225f5e75c86000832ddca5b8f5ed2d18541f285dbb042ced433f7b83d5795995a37e4857d3
+  metadata.gz: d96a64a32df7817926d52f10c648433c0bf1c52817536dadfb3cde8e14865b830aa0640fd483cda412d736e9a62e2b591c27d52735b747d6076a500aef4802c0
+  data.tar.gz: 9f3bdc522883c556b465a803f98728cc443f9a7d65c6bf9a72e20151c28791695e83060183faa1e032010bfceb9c19acccda97d1cb587bc7fd9f54e8220fb955

data/CHANGELOG.md

@@ -1,6 +1,16 @@
 Unreleased Changes
 ------------------
 
+1.13.0 (2023-02-23)
+------------------
+
+* Feature - Doc-only update. Updated information on attached role policies for customer provided roles
+
+1.12.0 (2023-02-16)
+------------------
+
+* Feature - With this release Amazon Managed Grafana now supports inbound Network Access Control that helps you to restrict user access to your Grafana workspaces
+
 1.11.0 (2023-01-18)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.11.0
+1.13.0

data/lib/aws-sdk-managedgrafana/client.rb

@@ -412,6 +412,10 @@ module Aws::ManagedGrafana
     #   resp.workspace.license_type #=> String, one of "ENTERPRISE", "ENTERPRISE_FREE_TRIAL"
     #   resp.workspace.modified #=> Time
     #   resp.workspace.name #=> String
+    #   resp.workspace.network_access_control.prefix_list_ids #=> Array
+    #   resp.workspace.network_access_control.prefix_list_ids[0] #=> String
+    #   resp.workspace.network_access_control.vpce_ids #=> Array
+    #   resp.workspace.network_access_control.vpce_ids[0] #=> String
     #   resp.workspace.notification_destinations #=> Array
     #   resp.workspace.notification_destinations[0] #=> String, one of "SNS"
     #   resp.workspace.organization_role_name #=> String
@@ -487,28 +491,40 @@ module Aws::ManagedGrafana
     #
     #   [1]: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-configure-workspace.html
     #
+    # @option params [Types::NetworkAccessConfiguration] :network_access_control
+    #   Configuration for network access to your workspace.
+    #
+    #   When this is configured, only listed IP addresses and VPC endpoints
+    #   will be able to access your workspace. Standard Grafana authentication
+    #   and authorization will still be required.
+    #
+    #   If this is not configured, or is removed, then all IP addresses and
+    #   VPC endpoints will be allowed. Standard Grafana authentication and
+    #   authorization will still be required.
+    #
     # @option params [String] :organization_role_name
     #   The name of an IAM role that already exists to use with Organizations
     #   to access Amazon Web Services data sources and notification channels
     #   in other accounts in an organization.
     #
     # @option params [required, String] :permission_type
-    #   If you specify `SERVICE_MANAGED` on AWS Grafana console, Amazon
-    #   Managed Grafana automatically creates the IAM roles and provisions the
-    #   permissions that the workspace needs to use Amazon Web Services data
-    #   sources and notification channels. In the CLI mode, the permissionType
-    #   `SERVICE_MANAGED` will not create the IAM role for you. The ability
-    #   for the Amazon Managed Grafana to create the IAM role on behalf of the
-    #   user is supported only in the Amazon Managed Grafana AWS console. Use
-    #   only the `CUSTOMER_MANAGED` permission type when creating a workspace
-    #   in the CLI.
-    #
-    #   If you specify `CUSTOMER_MANAGED`, you will manage those roles and
-    #   permissions yourself. If you are creating this workspace in a member
-    #   account of an organization that is not a delegated administrator
-    #   account, and you want the workspace to access data sources in other
-    #   Amazon Web Services accounts in the organization, you must choose
-    #   `CUSTOMER_MANAGED`.
+    #   When creating a workspace through the Amazon Web Services API, CLI or
+    #   Amazon Web Services CloudFormation, you must manage IAM roles and
+    #   provision the permissions that the workspace needs to use Amazon Web
+    #   Services data sources and notification channels.
+    #
+    #   You must also specify a `workspaceRoleArn` for a role that you will
+    #   manage for the workspace to use when accessing those datasources and
+    #   notification channels.
+    #
+    #   The ability for Amazon Managed Grafana to create and update IAM roles
+    #   on behalf of the user is supported only in the Amazon Managed Grafana
+    #   console, where this value may be set to `SERVICE_MANAGED`.
+    #
+    #   <note markdown="1"> Use only the `CUSTOMER_MANAGED` permission type when creating a
+    #   workspace with the API, CLI or Amazon Web Services CloudFormation.
+    #
+    #    </note>
     #
     #   For more information, see [Amazon Managed Grafana permissions and
     #   policies for Amazon Web Services data sources and notification
@@ -530,15 +546,7 @@ module Aws::ManagedGrafana
     #   sources for your Grafana workspace to connect to.
     #
     # @option params [Array<String>] :workspace_data_sources
-    #   Specify the Amazon Web Services data sources that you want to be
-    #   queried in this workspace. Specifying these data sources here enables
-    #   Amazon Managed Grafana to create IAM roles and permissions that allow
-    #   Amazon Managed Grafana to read data from these sources. You must still
-    #   add them as data sources in the Grafana console in the workspace.
-    #
-    #   If you don't specify a data source here, you can still add it as a
-    #   data source in the workspace console later. However, you will then
-    #   have to manually configure permissions for it.
+    #   This parameter is for internal use only, and should not be used.
     #
     # @option params [String] :workspace_description
     #   A description for the workspace. This is used only to help you
@@ -561,10 +569,11 @@ module Aws::ManagedGrafana
     #   of an organization.
     #
     # @option params [String] :workspace_role_arn
-    #   The workspace needs an IAM role that grants permissions to the Amazon
-    #   Web Services resources that the workspace will view data from. If you
-    #   already have a role that you want to use, specify it here. The
-    #   permission type should be set to `CUSTOMER_MANAGED`.
+    #   Specified the IAM role that grants permissions to the Amazon Web
+    #   Services resources that the workspace will view data from, including
+    #   both data sources and notification channels. You are responsible for
+    #   managing the permissions for this role as new data sources or
+    #   notification channels are added.
     #
     # @return [Types::CreateWorkspaceResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -577,6 +586,10 @@ module Aws::ManagedGrafana
     #     authentication_providers: ["AWS_SSO"], # required, accepts AWS_SSO, SAML
     #     client_token: "ClientToken",
     #     configuration: "OverridableConfigurationJson",
+    #     network_access_control: {
+    #       prefix_list_ids: ["PrefixListId"], # required
+    #       vpce_ids: ["VpceId"], # required
+    #     },
     #     organization_role_name: "OrganizationRoleName",
     #     permission_type: "CUSTOMER_MANAGED", # required, accepts CUSTOMER_MANAGED, SERVICE_MANAGED
     #     stack_set_name: "StackSetName",
@@ -614,6 +627,10 @@ module Aws::ManagedGrafana
     #   resp.workspace.license_type #=> String, one of "ENTERPRISE", "ENTERPRISE_FREE_TRIAL"
     #   resp.workspace.modified #=> Time
     #   resp.workspace.name #=> String
+    #   resp.workspace.network_access_control.prefix_list_ids #=> Array
+    #   resp.workspace.network_access_control.prefix_list_ids[0] #=> String
+    #   resp.workspace.network_access_control.vpce_ids #=> Array
+    #   resp.workspace.network_access_control.vpce_ids[0] #=> String
     #   resp.workspace.notification_destinations #=> Array
     #   resp.workspace.notification_destinations[0] #=> String, one of "SNS"
     #   resp.workspace.organization_role_name #=> String
@@ -728,6 +745,10 @@ module Aws::ManagedGrafana
     #   resp.workspace.license_type #=> String, one of "ENTERPRISE", "ENTERPRISE_FREE_TRIAL"
     #   resp.workspace.modified #=> Time
     #   resp.workspace.name #=> String
+    #   resp.workspace.network_access_control.prefix_list_ids #=> Array
+    #   resp.workspace.network_access_control.prefix_list_ids[0] #=> String
+    #   resp.workspace.network_access_control.vpce_ids #=> Array
+    #   resp.workspace.network_access_control.vpce_ids[0] #=> String
     #   resp.workspace.notification_destinations #=> Array
     #   resp.workspace.notification_destinations[0] #=> String, one of "SNS"
     #   resp.workspace.organization_role_name #=> String
@@ -821,6 +842,10 @@ module Aws::ManagedGrafana
     #   resp.workspace.license_type #=> String, one of "ENTERPRISE", "ENTERPRISE_FREE_TRIAL"
     #   resp.workspace.modified #=> Time
     #   resp.workspace.name #=> String
+    #   resp.workspace.network_access_control.prefix_list_ids #=> Array
+    #   resp.workspace.network_access_control.prefix_list_ids[0] #=> String
+    #   resp.workspace.network_access_control.vpce_ids #=> Array
+    #   resp.workspace.network_access_control.vpce_ids[0] #=> String
     #   resp.workspace.notification_destinations #=> Array
     #   resp.workspace.notification_destinations[0] #=> String, one of "SNS"
     #   resp.workspace.organization_role_name #=> String
@@ -959,6 +984,10 @@ module Aws::ManagedGrafana
     #   resp.workspace.license_type #=> String, one of "ENTERPRISE", "ENTERPRISE_FREE_TRIAL"
     #   resp.workspace.modified #=> Time
     #   resp.workspace.name #=> String
+    #   resp.workspace.network_access_control.prefix_list_ids #=> Array
+    #   resp.workspace.network_access_control.prefix_list_ids[0] #=> String
+    #   resp.workspace.network_access_control.vpce_ids #=> Array
+    #   resp.workspace.network_access_control.vpce_ids[0] #=> String
     #   resp.workspace.notification_destinations #=> Array
     #   resp.workspace.notification_destinations[0] #=> String, one of "SNS"
     #   resp.workspace.organization_role_name #=> String
@@ -1277,30 +1306,64 @@ module Aws::ManagedGrafana
     #   which organizational units the workspace can access in the
     #   `workspaceOrganizationalUnits` parameter.
     #
+    # @option params [Types::NetworkAccessConfiguration] :network_access_control
+    #   The configuration settings for network access to your workspace.
+    #
+    #   When this is configured, only listed IP addresses and VPC endpoints
+    #   will be able to access your workspace. Standard Grafana authentication
+    #   and authorization will still be required.
+    #
+    #   If this is not configured, or is removed, then all IP addresses and
+    #   VPC endpoints will be allowed. Standard Grafana authentication and
+    #   authorization will still be required.
+    #
     # @option params [String] :organization_role_name
     #   The name of an IAM role that already exists to use to access resources
-    #   through Organizations.
+    #   through Organizations. This can only be used with a workspace that has
+    #   the `permissionType` set to `CUSTOMER_MANAGED`.
     #
     # @option params [String] :permission_type
-    #   If you specify `Service Managed`, Amazon Managed Grafana automatically
-    #   creates the IAM roles and provisions the permissions that the
-    #   workspace needs to use Amazon Web Services data sources and
-    #   notification channels.
+    #   Use this parameter if you want to change a workspace from
+    #   `SERVICE_MANAGED` to `CUSTOMER_MANAGED`. This allows you to manage the
+    #   permissions that the workspace uses to access datasources and
+    #   notification channels. If the workspace is in a member Amazon Web
+    #   Services account of an organization, and that account is not a
+    #   delegated administrator account, and you want the workspace to access
+    #   data sources in other Amazon Web Services accounts in the
+    #   organization, you must choose `CUSTOMER_MANAGED`.
     #
-    #   If you specify `CUSTOMER_MANAGED`, you will manage those roles and
-    #   permissions yourself. If you are creating this workspace in a member
-    #   account of an organization and that account is not a delegated
-    #   administrator account, and you want the workspace to access data
-    #   sources in other Amazon Web Services accounts in the organization, you
-    #   must choose `CUSTOMER_MANAGED`.
+    #   If you specify this as `CUSTOMER_MANAGED`, you must also specify a
+    #   `workspaceRoleArn` that the workspace will use for accessing Amazon
+    #   Web Services resources.
     #
-    #   For more information, see [Amazon Managed Grafana permissions and
-    #   policies for Amazon Web Services data sources and notification
-    #   channels][1]
+    #   For more information on the role and permissions needed, see [Amazon
+    #   Managed Grafana permissions and policies for Amazon Web Services data
+    #   sources and notification channels][1]
+    #
+    #   <note markdown="1"> Do not use this to convert a `CUSTOMER_MANAGED` workspace to
+    #   `SERVICE_MANAGED`. Do not include this parameter if you want to leave
+    #   the workspace as `SERVICE_MANAGED`.
+    #
+    #    You can convert a `CUSTOMER_MANAGED` workspace to `SERVICE_MANAGED`
+    #   using the Amazon Managed Grafana console. For more information, see
+    #   [Managing permissions for data sources and notification channels][2].
+    #
+    #    </note>
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-manage-permissions.html
+    #   [2]: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-datasource-and-notification.html
+    #
+    # @option params [Boolean] :remove_network_access_configuration
+    #   Whether to remove the network access configuration from the workspace.
+    #
+    #   Setting this to `true` and providing a `networkAccessControl` to set
+    #   will return an error.
+    #
+    #   If you remove this configuration by setting this to `true`, then all
+    #   IP addresses and VPC endpoints will be allowed. Standard Grafana
+    #   authentication and authorization will still be required.
     #
     # @option params [Boolean] :remove_vpc_configuration
     #   Whether to remove the VPC configuration from the workspace.
@@ -1317,15 +1380,7 @@ module Aws::ManagedGrafana
     #   sources for your Grafana workspace to connect to.
     #
     # @option params [Array<String>] :workspace_data_sources
-    #   Specify the Amazon Web Services data sources that you want to be
-    #   queried in this workspace. Specifying these data sources here enables
-    #   Amazon Managed Grafana to create IAM roles and permissions that allow
-    #   Amazon Managed Grafana to read data from these sources. You must still
-    #   add them as data sources in the Grafana console in the workspace.
-    #
-    #   If you don't specify a data source here, you can still add it as a
-    #   data source later in the workspace console. However, you will then
-    #   have to manually configure permissions for it.
+    #   This parameter is for internal use only, and should not be used.
     #
     # @option params [String] :workspace_description
     #   A description for the workspace. This is used only to help you
@@ -1349,12 +1404,10 @@ module Aws::ManagedGrafana
     #   of an organization.
     #
     # @option params [String] :workspace_role_arn
-    #   The workspace needs an IAM role that grants permissions to the Amazon
-    #   Web Services resources that the workspace will view data from. If you
-    #   already have a role that you want to use, specify it here. If you omit
-    #   this field and you specify some Amazon Web Services resources in
-    #   `workspaceDataSources` or `workspaceNotificationDestinations`, a new
-    #   IAM role with the necessary permissions is automatically created.
+    #   Specifies an IAM role that grants permissions to Amazon Web Services
+    #   resources that the workspace accesses, such as data sources and
+    #   notification channels. If this workspace has `permissionType`
+    #   `CUSTOMER_MANAGED`, then this role is required.
     #
     # @return [Types::UpdateWorkspaceResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
@@ -1364,8 +1417,13 @@ module Aws::ManagedGrafana
     #
     #   resp = client.update_workspace({
     #     account_access_type: "CURRENT_ACCOUNT", # accepts CURRENT_ACCOUNT, ORGANIZATION
+    #     network_access_control: {
+    #       prefix_list_ids: ["PrefixListId"], # required
+    #       vpce_ids: ["VpceId"], # required
+    #     },
     #     organization_role_name: "OrganizationRoleName",
     #     permission_type: "CUSTOMER_MANAGED", # accepts CUSTOMER_MANAGED, SERVICE_MANAGED
+    #     remove_network_access_configuration: false,
     #     remove_vpc_configuration: false,
     #     stack_set_name: "StackSetName",
     #     vpc_configuration: {
@@ -1400,6 +1458,10 @@ module Aws::ManagedGrafana
     #   resp.workspace.license_type #=> String, one of "ENTERPRISE", "ENTERPRISE_FREE_TRIAL"
     #   resp.workspace.modified #=> Time
     #   resp.workspace.name #=> String
+    #   resp.workspace.network_access_control.prefix_list_ids #=> Array
+    #   resp.workspace.network_access_control.prefix_list_ids[0] #=> String
+    #   resp.workspace.network_access_control.vpce_ids #=> Array
+    #   resp.workspace.network_access_control.vpce_ids[0] #=> String
     #   resp.workspace.notification_destinations #=> Array
     #   resp.workspace.notification_destinations[0] #=> String, one of "SNS"
     #   resp.workspace.organization_role_name #=> String
@@ -1431,6 +1493,11 @@ module Aws::ManagedGrafana
     # groups in the assertion attribute are to have the `Admin` and `Editor`
     # roles in the workspace.
     #
+    # <note markdown="1"> Changes to the authentication method for a workspace may take a few
+    # minutes to take effect.
+    #
+    #  </note>
+    #
     # @option params [required, Array<String>] :authentication_providers
     #   Specifies whether this workspace uses SAML 2.0, IAM Identity Center
     #   (successor to Single Sign-On), or both to authenticate users for using
@@ -1561,7 +1628,7 @@ module Aws::ManagedGrafana
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-managedgrafana'
-      context[:gem_version] = '1.11.0'
+      context[:gem_version] = '1.13.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-managedgrafana/client_api.rb

@@ -68,6 +68,7 @@ module Aws::ManagedGrafana
     ListWorkspacesRequestMaxResultsInteger = Shapes::IntegerShape.new(name: 'ListWorkspacesRequestMaxResultsInteger')
     ListWorkspacesResponse = Shapes::StructureShape.new(name: 'ListWorkspacesResponse')
     LoginValidityDuration = Shapes::IntegerShape.new(name: 'LoginValidityDuration')
+    NetworkAccessConfiguration = Shapes::StructureShape.new(name: 'NetworkAccessConfiguration')
     NotificationDestinationType = Shapes::StringShape.new(name: 'NotificationDestinationType')
     NotificationDestinationsList = Shapes::ListShape.new(name: 'NotificationDestinationsList')
     OrganizationRoleName = Shapes::StringShape.new(name: 'OrganizationRoleName')
@@ -78,6 +79,8 @@ module Aws::ManagedGrafana
     PermissionEntry = Shapes::StructureShape.new(name: 'PermissionEntry')
     PermissionEntryList = Shapes::ListShape.new(name: 'PermissionEntryList')
     PermissionType = Shapes::StringShape.new(name: 'PermissionType')
+    PrefixListId = Shapes::StringShape.new(name: 'PrefixListId')
+    PrefixListIds = Shapes::ListShape.new(name: 'PrefixListIds')
     ResourceNotFoundException = Shapes::StructureShape.new(name: 'ResourceNotFoundException')
     Role = Shapes::StringShape.new(name: 'Role')
     RoleValue = Shapes::StringShape.new(name: 'RoleValue')
@@ -127,6 +130,8 @@ module Aws::ManagedGrafana
     ValidationExceptionFieldList = Shapes::ListShape.new(name: 'ValidationExceptionFieldList')
     ValidationExceptionReason = Shapes::StringShape.new(name: 'ValidationExceptionReason')
     VpcConfiguration = Shapes::StructureShape.new(name: 'VpcConfiguration')
+    VpceId = Shapes::StringShape.new(name: 'VpceId')
+    VpceIds = Shapes::ListShape.new(name: 'VpceIds')
     WorkspaceDescription = Shapes::StructureShape.new(name: 'WorkspaceDescription')
     WorkspaceId = Shapes::StringShape.new(name: 'WorkspaceId')
     WorkspaceList = Shapes::ListShape.new(name: 'WorkspaceList')
@@ -188,6 +193,7 @@ module Aws::ManagedGrafana
     CreateWorkspaceRequest.add_member(:authentication_providers, Shapes::ShapeRef.new(shape: AuthenticationProviders, required: true, location_name: "authenticationProviders"))
     CreateWorkspaceRequest.add_member(:client_token, Shapes::ShapeRef.new(shape: ClientToken, location_name: "clientToken", metadata: {"idempotencyToken"=>true}))
     CreateWorkspaceRequest.add_member(:configuration, Shapes::ShapeRef.new(shape: OverridableConfigurationJson, location_name: "configuration", metadata: {"jsonvalue"=>true}))
+    CreateWorkspaceRequest.add_member(:network_access_control, Shapes::ShapeRef.new(shape: NetworkAccessConfiguration, location_name: "networkAccessControl"))
     CreateWorkspaceRequest.add_member(:organization_role_name, Shapes::ShapeRef.new(shape: OrganizationRoleName, location_name: "organizationRoleName"))
     CreateWorkspaceRequest.add_member(:permission_type, Shapes::ShapeRef.new(shape: PermissionType, required: true, location_name: "permissionType"))
     CreateWorkspaceRequest.add_member(:stack_set_name, Shapes::ShapeRef.new(shape: StackSetName, location_name: "stackSetName"))
@@ -283,6 +289,10 @@ module Aws::ManagedGrafana
     ListWorkspacesResponse.add_member(:workspaces, Shapes::ShapeRef.new(shape: WorkspaceList, required: true, location_name: "workspaces"))
     ListWorkspacesResponse.struct_class = Types::ListWorkspacesResponse
 
+    NetworkAccessConfiguration.add_member(:prefix_list_ids, Shapes::ShapeRef.new(shape: PrefixListIds, required: true, location_name: "prefixListIds"))
+    NetworkAccessConfiguration.add_member(:vpce_ids, Shapes::ShapeRef.new(shape: VpceIds, required: true, location_name: "vpceIds"))
+    NetworkAccessConfiguration.struct_class = Types::NetworkAccessConfiguration
+
     NotificationDestinationsList.member = Shapes::ShapeRef.new(shape: NotificationDestinationType)
 
     OrganizationalUnitList.member = Shapes::ShapeRef.new(shape: OrganizationalUnit)
@@ -293,6 +303,8 @@ module Aws::ManagedGrafana
 
     PermissionEntryList.member = Shapes::ShapeRef.new(shape: PermissionEntry)
 
+    PrefixListIds.member = Shapes::ShapeRef.new(shape: PrefixListId)
+
     ResourceNotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: String, required: true, location_name: "message"))
     ResourceNotFoundException.add_member(:resource_id, Shapes::ShapeRef.new(shape: String, required: true, location_name: "resourceId"))
     ResourceNotFoundException.add_member(:resource_type, Shapes::ShapeRef.new(shape: String, required: true, location_name: "resourceType"))
@@ -385,8 +397,10 @@ module Aws::ManagedGrafana
     UpdateWorkspaceConfigurationResponse.struct_class = Types::UpdateWorkspaceConfigurationResponse
 
     UpdateWorkspaceRequest.add_member(:account_access_type, Shapes::ShapeRef.new(shape: AccountAccessType, location_name: "accountAccessType"))
+    UpdateWorkspaceRequest.add_member(:network_access_control, Shapes::ShapeRef.new(shape: NetworkAccessConfiguration, location_name: "networkAccessControl"))
     UpdateWorkspaceRequest.add_member(:organization_role_name, Shapes::ShapeRef.new(shape: OrganizationRoleName, location_name: "organizationRoleName"))
     UpdateWorkspaceRequest.add_member(:permission_type, Shapes::ShapeRef.new(shape: PermissionType, location_name: "permissionType"))
+    UpdateWorkspaceRequest.add_member(:remove_network_access_configuration, Shapes::ShapeRef.new(shape: Boolean, location_name: "removeNetworkAccessConfiguration"))
     UpdateWorkspaceRequest.add_member(:remove_vpc_configuration, Shapes::ShapeRef.new(shape: Boolean, location_name: "removeVpcConfiguration"))
     UpdateWorkspaceRequest.add_member(:stack_set_name, Shapes::ShapeRef.new(shape: StackSetName, location_name: "stackSetName"))
     UpdateWorkspaceRequest.add_member(:vpc_configuration, Shapes::ShapeRef.new(shape: VpcConfiguration, location_name: "vpcConfiguration"))
@@ -423,6 +437,8 @@ module Aws::ManagedGrafana
     VpcConfiguration.add_member(:subnet_ids, Shapes::ShapeRef.new(shape: SubnetIds, required: true, location_name: "subnetIds"))
     VpcConfiguration.struct_class = Types::VpcConfiguration
 
+    VpceIds.member = Shapes::ShapeRef.new(shape: VpceId)
+
     WorkspaceDescription.add_member(:account_access_type, Shapes::ShapeRef.new(shape: AccountAccessType, location_name: "accountAccessType"))
     WorkspaceDescription.add_member(:authentication, Shapes::ShapeRef.new(shape: AuthenticationSummary, required: true, location_name: "authentication"))
     WorkspaceDescription.add_member(:created, Shapes::ShapeRef.new(shape: Timestamp, required: true, location_name: "created"))
@@ -437,6 +453,7 @@ module Aws::ManagedGrafana
     WorkspaceDescription.add_member(:license_type, Shapes::ShapeRef.new(shape: LicenseType, location_name: "licenseType"))
     WorkspaceDescription.add_member(:modified, Shapes::ShapeRef.new(shape: Timestamp, required: true, location_name: "modified"))
     WorkspaceDescription.add_member(:name, Shapes::ShapeRef.new(shape: WorkspaceName, location_name: "name"))
+    WorkspaceDescription.add_member(:network_access_control, Shapes::ShapeRef.new(shape: NetworkAccessConfiguration, location_name: "networkAccessControl"))
     WorkspaceDescription.add_member(:notification_destinations, Shapes::ShapeRef.new(shape: NotificationDestinationsList, location_name: "notificationDestinations"))
     WorkspaceDescription.add_member(:organization_role_name, Shapes::ShapeRef.new(shape: OrganizationRoleName, location_name: "organizationRoleName"))
     WorkspaceDescription.add_member(:organizational_units, Shapes::ShapeRef.new(shape: OrganizationalUnitList, location_name: "organizationalUnits"))

data/lib/aws-sdk-managedgrafana/endpoint_provider.rb

@@ -14,36 +14,69 @@ module Aws::ManagedGrafana
       use_dual_stack = parameters.use_dual_stack
       use_fips = parameters.use_fips
       endpoint = parameters.endpoint
-      if (partition_result = Aws::Endpoints::Matchers.aws_partition(region))
-        if Aws::Endpoints::Matchers.set?(endpoint) && (url = Aws::Endpoints::Matchers.parse_url(endpoint))
+      if Aws::Endpoints::Matchers.set?(endpoint)
+        if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
+          raise ArgumentError, "Invalid Configuration: FIPS and custom endpoint are not supported"
+        end
+        if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
+          raise ArgumentError, "Invalid Configuration: Dualstack and custom endpoint are not supported"
+        end
+        return Aws::Endpoints::Endpoint.new(url: endpoint, headers: {}, properties: {})
+      end
+      if Aws::Endpoints::Matchers.set?(region)
+        if (partition_result = Aws::Endpoints::Matchers.aws_partition(region))
+          if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
+            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS")) && Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
+              return Aws::Endpoints::Endpoint.new(url: "https://grafana-fips.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
+            end
+            raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
+          end
           if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
-            raise ArgumentError, "Invalid Configuration: FIPS and custom endpoint are not supported"
+            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"))
+              return Aws::Endpoints::Endpoint.new(url: "https://grafana-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
+            end
+            raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"
           end
           if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-            raise ArgumentError, "Invalid Configuration: Dualstack and custom endpoint are not supported"
+            if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
+              return Aws::Endpoints::Endpoint.new(url: "https://grafana.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
+            end
+            raise ArgumentError, "DualStack is enabled but this partition does not support DualStack"
           end
-          return Aws::Endpoints::Endpoint.new(url: endpoint, headers: {}, properties: {})
-        end
-        if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true) && Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS")) && Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
-            return Aws::Endpoints::Endpoint.new(url: "https://grafana-fips.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
+          if Aws::Endpoints::Matchers.string_equals?(region, "ap-northeast-1")
+            return Aws::Endpoints::Endpoint.new(url: "https://grafana.ap-northeast-1.amazonaws.com", headers: {}, properties: {})
           end
-          raise ArgumentError, "FIPS and DualStack are enabled, but this partition does not support one or both"
-        end
-        if Aws::Endpoints::Matchers.boolean_equals?(use_fips, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsFIPS"))
-            return Aws::Endpoints::Endpoint.new(url: "https://grafana-fips.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
+          if Aws::Endpoints::Matchers.string_equals?(region, "ap-northeast-2")
+            return Aws::Endpoints::Endpoint.new(url: "https://grafana.ap-northeast-2.amazonaws.com", headers: {}, properties: {})
           end
-          raise ArgumentError, "FIPS is enabled but this partition does not support FIPS"
-        end
-        if Aws::Endpoints::Matchers.boolean_equals?(use_dual_stack, true)
-          if Aws::Endpoints::Matchers.boolean_equals?(true, Aws::Endpoints::Matchers.attr(partition_result, "supportsDualStack"))
-            return Aws::Endpoints::Endpoint.new(url: "https://grafana.#{region}.#{partition_result['dualStackDnsSuffix']}", headers: {}, properties: {})
+          if Aws::Endpoints::Matchers.string_equals?(region, "ap-southeast-1")
+            return Aws::Endpoints::Endpoint.new(url: "https://grafana.ap-southeast-1.amazonaws.com", headers: {}, properties: {})
+          end
+          if Aws::Endpoints::Matchers.string_equals?(region, "ap-southeast-2")
+            return Aws::Endpoints::Endpoint.new(url: "https://grafana.ap-southeast-2.amazonaws.com", headers: {}, properties: {})
+          end
+          if Aws::Endpoints::Matchers.string_equals?(region, "eu-central-1")
+            return Aws::Endpoints::Endpoint.new(url: "https://grafana.eu-central-1.amazonaws.com", headers: {}, properties: {})
+          end
+          if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-1")
+            return Aws::Endpoints::Endpoint.new(url: "https://grafana.eu-west-1.amazonaws.com", headers: {}, properties: {})
+          end
+          if Aws::Endpoints::Matchers.string_equals?(region, "eu-west-2")
+            return Aws::Endpoints::Endpoint.new(url: "https://grafana.eu-west-2.amazonaws.com", headers: {}, properties: {})
+          end
+          if Aws::Endpoints::Matchers.string_equals?(region, "us-east-1")
+            return Aws::Endpoints::Endpoint.new(url: "https://grafana.us-east-1.amazonaws.com", headers: {}, properties: {})
+          end
+          if Aws::Endpoints::Matchers.string_equals?(region, "us-east-2")
+            return Aws::Endpoints::Endpoint.new(url: "https://grafana.us-east-2.amazonaws.com", headers: {}, properties: {})
+          end
+          if Aws::Endpoints::Matchers.string_equals?(region, "us-west-2")
+            return Aws::Endpoints::Endpoint.new(url: "https://grafana.us-west-2.amazonaws.com", headers: {}, properties: {})
           end
-          raise ArgumentError, "DualStack is enabled but this partition does not support DualStack"
+          return Aws::Endpoints::Endpoint.new(url: "https://grafana.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
         end
-        return Aws::Endpoints::Endpoint.new(url: "https://grafana.#{region}.#{partition_result['dnsSuffix']}", headers: {}, properties: {})
       end
+      raise ArgumentError, "Invalid Configuration: Missing Region"
       raise ArgumentError, 'No endpoint could be resolved'
 
     end

data/lib/aws-sdk-managedgrafana/types.rb

@@ -285,6 +285,18 @@ module Aws::ManagedGrafana
     #   [1]: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-configure-workspace.html
     #   @return [String]
     #
+    # @!attribute [rw] network_access_control
+    #   Configuration for network access to your workspace.
+    #
+    #   When this is configured, only listed IP addresses and VPC endpoints
+    #   will be able to access your workspace. Standard Grafana
+    #   authentication and authorization will still be required.
+    #
+    #   If this is not configured, or is removed, then all IP addresses and
+    #   VPC endpoints will be allowed. Standard Grafana authentication and
+    #   authorization will still be required.
+    #   @return [Types::NetworkAccessConfiguration]
+    #
     # @!attribute [rw] organization_role_name
     #   The name of an IAM role that already exists to use with
     #   Organizations to access Amazon Web Services data sources and
@@ -292,22 +304,23 @@ module Aws::ManagedGrafana
     #   @return [String]
     #
     # @!attribute [rw] permission_type
-    #   If you specify `SERVICE_MANAGED` on AWS Grafana console, Amazon
-    #   Managed Grafana automatically creates the IAM roles and provisions
-    #   the permissions that the workspace needs to use Amazon Web Services
-    #   data sources and notification channels. In the CLI mode, the
-    #   permissionType `SERVICE_MANAGED` will not create the IAM role for
-    #   you. The ability for the Amazon Managed Grafana to create the IAM
-    #   role on behalf of the user is supported only in the Amazon Managed
-    #   Grafana AWS console. Use only the `CUSTOMER_MANAGED` permission type
-    #   when creating a workspace in the CLI.
-    #
-    #   If you specify `CUSTOMER_MANAGED`, you will manage those roles and
-    #   permissions yourself. If you are creating this workspace in a member
-    #   account of an organization that is not a delegated administrator
-    #   account, and you want the workspace to access data sources in other
-    #   Amazon Web Services accounts in the organization, you must choose
-    #   `CUSTOMER_MANAGED`.
+    #   When creating a workspace through the Amazon Web Services API, CLI
+    #   or Amazon Web Services CloudFormation, you must manage IAM roles and
+    #   provision the permissions that the workspace needs to use Amazon Web
+    #   Services data sources and notification channels.
+    #
+    #   You must also specify a `workspaceRoleArn` for a role that you will
+    #   manage for the workspace to use when accessing those datasources and
+    #   notification channels.
+    #
+    #   The ability for Amazon Managed Grafana to create and update IAM
+    #   roles on behalf of the user is supported only in the Amazon Managed
+    #   Grafana console, where this value may be set to `SERVICE_MANAGED`.
+    #
+    #   <note markdown="1"> Use only the `CUSTOMER_MANAGED` permission type when creating a
+    #   workspace with the API, CLI or Amazon Web Services CloudFormation.
+    #
+    #    </note>
     #
     #   For more information, see [Amazon Managed Grafana permissions and
     #   policies for Amazon Web Services data sources and notification
@@ -333,16 +346,7 @@ module Aws::ManagedGrafana
     #   @return [Types::VpcConfiguration]
     #
     # @!attribute [rw] workspace_data_sources
-    #   Specify the Amazon Web Services data sources that you want to be
-    #   queried in this workspace. Specifying these data sources here
-    #   enables Amazon Managed Grafana to create IAM roles and permissions
-    #   that allow Amazon Managed Grafana to read data from these sources.
-    #   You must still add them as data sources in the Grafana console in
-    #   the workspace.
-    #
-    #   If you don't specify a data source here, you can still add it as a
-    #   data source in the workspace console later. However, you will then
-    #   have to manually configure permissions for it.
+    #   This parameter is for internal use only, and should not be used.
     #   @return [Array<String>]
     #
     # @!attribute [rw] workspace_description
@@ -370,10 +374,11 @@ module Aws::ManagedGrafana
     #   @return [Array<String>]
     #
     # @!attribute [rw] workspace_role_arn
-    #   The workspace needs an IAM role that grants permissions to the
-    #   Amazon Web Services resources that the workspace will view data
-    #   from. If you already have a role that you want to use, specify it
-    #   here. The permission type should be set to `CUSTOMER_MANAGED`.
+    #   Specified the IAM role that grants permissions to the Amazon Web
+    #   Services resources that the workspace will view data from, including
+    #   both data sources and notification channels. You are responsible for
+    #   managing the permissions for this role as new data sources or
+    #   notification channels are added.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/grafana-2020-08-18/CreateWorkspaceRequest AWS API Documentation
@@ -383,6 +388,7 @@ module Aws::ManagedGrafana
       :authentication_providers,
       :client_token,
       :configuration,
+      :network_access_control,
       :organization_role_name,
       :permission_type,
       :stack_set_name,
@@ -750,6 +756,69 @@ module Aws::ManagedGrafana
       include Aws::Structure
     end
 
+    # The configuration settings for in-bound network access to your
+    # workspace.
+    #
+    # When this is configured, only listed IP addresses and VPC endpoints
+    # will be able to access your workspace. Standard Grafana authentication
+    # and authorization will still be required.
+    #
+    # If this is not configured, or is removed, then all IP addresses and
+    # VPC endpoints will be allowed. Standard Grafana authentication and
+    # authorization will still be required.
+    #
+    # @!attribute [rw] prefix_list_ids
+    #   An array of prefix list IDs. A prefix list is a list of CIDR ranges
+    #   of IP addresses. The IP addresses specified are allowed to access
+    #   your workspace. If the list is not included in the configuration
+    #   then no IP addresses will be allowed to access the workspace. You
+    #   create a prefix list using the Amazon VPC console.
+    #
+    #   Prefix list IDs have the format `pl-1a2b3c4d `.
+    #
+    #   For more information about prefix lists, see [Group CIDR blocks
+    #   using managed prefix lists][1]in the *Amazon Virtual Private Cloud
+    #   User Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] vpce_ids
+    #   An array of Amazon VPC endpoint IDs for the workspace. You can
+    #   create VPC endpoints to your Amazon Managed Grafana workspace for
+    #   access from within a VPC. If a `NetworkAccessConfiguration` is
+    #   specified then only VPC endpoints specified here will be allowed to
+    #   access the workspace.
+    #
+    #   VPC endpoint IDs have the format `vpce-1a2b3c4d `.
+    #
+    #   For more information about creating an interface VPC endpoint, see
+    #   [Interface VPC endpoints][1] in the *Amazon Managed Grafana User
+    #   Guide*.
+    #
+    #   <note markdown="1"> The only VPC endpoints that can be specified here are interface VPC
+    #   endpoints for Grafana workspaces (using the
+    #   `com.amazonaws.[region].grafana-workspace` service endpoint). Other
+    #   VPC endpoints will be ignored.
+    #
+    #    </note>
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/grafana/latest/userguide/VPC-endpoints
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/grafana-2020-08-18/NetworkAccessConfiguration AWS API Documentation
+    #
+    class NetworkAccessConfiguration < Struct.new(
+      :prefix_list_ids,
+      :vpce_ids)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A structure containing the identity of one user or group and the
     # `Admin`, `Editor`, or `Viewer` role that they have.
     #
@@ -1162,33 +1231,71 @@ module Aws::ManagedGrafana
     #   `workspaceOrganizationalUnits` parameter.
     #   @return [String]
     #
+    # @!attribute [rw] network_access_control
+    #   The configuration settings for network access to your workspace.
+    #
+    #   When this is configured, only listed IP addresses and VPC endpoints
+    #   will be able to access your workspace. Standard Grafana
+    #   authentication and authorization will still be required.
+    #
+    #   If this is not configured, or is removed, then all IP addresses and
+    #   VPC endpoints will be allowed. Standard Grafana authentication and
+    #   authorization will still be required.
+    #   @return [Types::NetworkAccessConfiguration]
+    #
     # @!attribute [rw] organization_role_name
     #   The name of an IAM role that already exists to use to access
-    #   resources through Organizations.
+    #   resources through Organizations. This can only be used with a
+    #   workspace that has the `permissionType` set to `CUSTOMER_MANAGED`.
     #   @return [String]
     #
     # @!attribute [rw] permission_type
-    #   If you specify `Service Managed`, Amazon Managed Grafana
-    #   automatically creates the IAM roles and provisions the permissions
-    #   that the workspace needs to use Amazon Web Services data sources and
-    #   notification channels.
+    #   Use this parameter if you want to change a workspace from
+    #   `SERVICE_MANAGED` to `CUSTOMER_MANAGED`. This allows you to manage
+    #   the permissions that the workspace uses to access datasources and
+    #   notification channels. If the workspace is in a member Amazon Web
+    #   Services account of an organization, and that account is not a
+    #   delegated administrator account, and you want the workspace to
+    #   access data sources in other Amazon Web Services accounts in the
+    #   organization, you must choose `CUSTOMER_MANAGED`.
     #
-    #   If you specify `CUSTOMER_MANAGED`, you will manage those roles and
-    #   permissions yourself. If you are creating this workspace in a member
-    #   account of an organization and that account is not a delegated
-    #   administrator account, and you want the workspace to access data
-    #   sources in other Amazon Web Services accounts in the organization,
-    #   you must choose `CUSTOMER_MANAGED`.
+    #   If you specify this as `CUSTOMER_MANAGED`, you must also specify a
+    #   `workspaceRoleArn` that the workspace will use for accessing Amazon
+    #   Web Services resources.
     #
-    #   For more information, see [Amazon Managed Grafana permissions and
-    #   policies for Amazon Web Services data sources and notification
-    #   channels][1]
+    #   For more information on the role and permissions needed, see [Amazon
+    #   Managed Grafana permissions and policies for Amazon Web Services
+    #   data sources and notification channels][1]
+    #
+    #   <note markdown="1"> Do not use this to convert a `CUSTOMER_MANAGED` workspace to
+    #   `SERVICE_MANAGED`. Do not include this parameter if you want to
+    #   leave the workspace as `SERVICE_MANAGED`.
+    #
+    #    You can convert a `CUSTOMER_MANAGED` workspace to `SERVICE_MANAGED`
+    #   using the Amazon Managed Grafana console. For more information, see
+    #   [Managing permissions for data sources and notification
+    #   channels][2].
+    #
+    #    </note>
     #
     #
     #
     #   [1]: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-manage-permissions.html
+    #   [2]: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-datasource-and-notification.html
     #   @return [String]
     #
+    # @!attribute [rw] remove_network_access_configuration
+    #   Whether to remove the network access configuration from the
+    #   workspace.
+    #
+    #   Setting this to `true` and providing a `networkAccessControl` to set
+    #   will return an error.
+    #
+    #   If you remove this configuration by setting this to `true`, then all
+    #   IP addresses and VPC endpoints will be allowed. Standard Grafana
+    #   authentication and authorization will still be required.
+    #   @return [Boolean]
+    #
     # @!attribute [rw] remove_vpc_configuration
     #   Whether to remove the VPC configuration from the workspace.
     #
@@ -1207,16 +1314,7 @@ module Aws::ManagedGrafana
     #   @return [Types::VpcConfiguration]
     #
     # @!attribute [rw] workspace_data_sources
-    #   Specify the Amazon Web Services data sources that you want to be
-    #   queried in this workspace. Specifying these data sources here
-    #   enables Amazon Managed Grafana to create IAM roles and permissions
-    #   that allow Amazon Managed Grafana to read data from these sources.
-    #   You must still add them as data sources in the Grafana console in
-    #   the workspace.
-    #
-    #   If you don't specify a data source here, you can still add it as a
-    #   data source later in the workspace console. However, you will then
-    #   have to manually configure permissions for it.
+    #   This parameter is for internal use only, and should not be used.
     #   @return [Array<String>]
     #
     # @!attribute [rw] workspace_description
@@ -1246,21 +1344,20 @@ module Aws::ManagedGrafana
     #   @return [Array<String>]
     #
     # @!attribute [rw] workspace_role_arn
-    #   The workspace needs an IAM role that grants permissions to the
-    #   Amazon Web Services resources that the workspace will view data
-    #   from. If you already have a role that you want to use, specify it
-    #   here. If you omit this field and you specify some Amazon Web
-    #   Services resources in `workspaceDataSources` or
-    #   `workspaceNotificationDestinations`, a new IAM role with the
-    #   necessary permissions is automatically created.
+    #   Specifies an IAM role that grants permissions to Amazon Web Services
+    #   resources that the workspace accesses, such as data sources and
+    #   notification channels. If this workspace has `permissionType`
+    #   `CUSTOMER_MANAGED`, then this role is required.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/grafana-2020-08-18/UpdateWorkspaceRequest AWS API Documentation
     #
     class UpdateWorkspaceRequest < Struct.new(
       :account_access_type,
+      :network_access_control,
       :organization_role_name,
       :permission_type,
+      :remove_network_access_configuration,
       :remove_vpc_configuration,
       :stack_set_name,
       :vpc_configuration,
@@ -1356,14 +1453,19 @@ module Aws::ManagedGrafana
     # The configuration settings for an Amazon VPC that contains data
     # sources for your Grafana workspace to connect to.
     #
+    # <note markdown="1"> Provided `securityGroupIds` and `subnetIds` must be part of the same
+    # VPC.
+    #
+    #  </note>
+    #
     # @!attribute [rw] security_group_ids
     #   The list of Amazon EC2 security group IDs attached to the Amazon VPC
-    #   for your Grafana workspace to connect.
+    #   for your Grafana workspace to connect. Duplicates not allowed.
     #   @return [Array<String>]
     #
     # @!attribute [rw] subnet_ids
     #   The list of Amazon EC2 subnet IDs created in the Amazon VPC for your
-    #   Grafana workspace to connect.
+    #   Grafana workspace to connect. Duplicates not allowed.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/grafana-2020-08-18/VpcConfiguration AWS API Documentation
@@ -1400,6 +1502,10 @@ module Aws::ManagedGrafana
     #   Specifies the Amazon Web Services data sources that have been
     #   configured to have IAM roles and permissions created to allow Amazon
     #   Managed Grafana to read data from these sources.
+    #
+    #   This list is only used when the workspace was created through the
+    #   Amazon Web Services console, and the `permissionType` is
+    #   `SERVICE_MANAGED`.
     #   @return [Array<String>]
     #
     # @!attribute [rw] description
@@ -1447,6 +1553,10 @@ module Aws::ManagedGrafana
     #   The name of the workspace.
     #   @return [String]
     #
+    # @!attribute [rw] network_access_control
+    #   The configuration settings for network access to your workspace.
+    #   @return [Types::NetworkAccessConfiguration]
+    #
     # @!attribute [rw] notification_destinations
     #   The Amazon Web Services notification channels that Amazon Managed
     #   Grafana can automatically create IAM roles and permissions for, to
@@ -1465,25 +1575,32 @@ module Aws::ManagedGrafana
     #   @return [Array<String>]
     #
     # @!attribute [rw] permission_type
-    #   If this is `Service Managed`, Amazon Managed Grafana automatically
-    #   creates the IAM roles and provisions the permissions that the
-    #   workspace needs to use Amazon Web Services data sources and
+    #   If this is `SERVICE_MANAGED`, and the workplace was created through
+    #   the Amazon Managed Grafana console, then Amazon Managed Grafana
+    #   automatically creates the IAM roles and provisions the permissions
+    #   that the workspace needs to use Amazon Web Services data sources and
     #   notification channels.
     #
-    #   If this is `CUSTOMER_MANAGED`, you manage those roles and
-    #   permissions yourself. If you are creating this workspace in a member
-    #   account of an organization and that account is not a delegated
-    #   administrator account, and you want the workspace to access data
-    #   sources in other Amazon Web Services accounts in the organization,
-    #   you must choose `CUSTOMER_MANAGED`.
+    #   If this is `CUSTOMER_MANAGED`, you must manage those roles and
+    #   permissions yourself.
     #
-    #   For more information, see [Amazon Managed Grafana permissions and
-    #   policies for Amazon Web Services data sources and notification
-    #   channels][1]
+    #   If you are working with a workspace in a member account of an
+    #   organization and that account is not a delegated administrator
+    #   account, and you want the workspace to access data sources in other
+    #   Amazon Web Services accounts in the organization, this parameter
+    #   must be set to `CUSTOMER_MANAGED`.
     #
+    #   For more information about converting between customer and service
+    #   managed, see [Managing permissions for data sources and notification
+    #   channels][1]. For more information about the roles and permissions
+    #   that must be managed for customer managed workspaces, see [Amazon
+    #   Managed Grafana permissions and policies for Amazon Web Services
+    #   data sources and notification channels][2]
     #
     #
-    #   [1]: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-manage-permissions.html
+    #
+    #   [1]: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-datasource-and-notification.html
+    #   [2]: https://docs.aws.amazon.com/grafana/latest/userguide/AMG-manage-permissions.html
     #   @return [String]
     #
     # @!attribute [rw] stack_set_name
@@ -1527,6 +1644,7 @@ module Aws::ManagedGrafana
       :license_type,
       :modified,
       :name,
+      :network_access_control,
       :notification_destinations,
       :organization_role_name,
       :organizational_units,

data/lib/aws-sdk-managedgrafana.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-managedgrafana/customizations'
 # @!group service
 module Aws::ManagedGrafana
 
-  GEM_VERSION = '1.11.0'
+  GEM_VERSION = '1.13.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-managedgrafana
 version: !ruby/object:Gem::Version
-  version: 1.11.0
+  version: 1.13.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-01-18 00:00:00.000000000 Z
+date: 2023-02-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core