aws-sdk-secretsmanager 1.31.0 → 1.113.0

data/lib/aws-sdk-secretsmanager/types.rb

@@ -1,64 +1,141 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
-# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
+# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
 #
 # WARNING ABOUT GENERATED CODE
 
 module Aws::SecretsManager
   module Types
 
-    # @note When making an API call, you may pass CancelRotateSecretRequest
-    #   data as a hash:
+    # The error Secrets Manager encountered while retrieving an individual
+    # secret as part of BatchGetSecretValue.
+    #
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] error_code
+    #   The error Secrets Manager encountered while retrieving an individual
+    #   secret as part of BatchGetSecretValue, for example
+    #   `ResourceNotFoundException`,`InvalidParameterException`,
+    #   `InvalidRequestException`, `DecryptionFailure`, or
+    #   `AccessDeniedException`.
+    #   @return [String]
+    #
+    # @!attribute [rw] message
+    #   A message describing the error.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/APIErrorType AWS API Documentation
+    #
+    class APIErrorType < Struct.new(
+      :secret_id,
+      :error_code,
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] secret_id_list
+    #   The ARN or names of the secrets to retrieve. You must include
+    #   `Filters` or `SecretIdList`, but not both.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] filters
+    #   The filters to choose which secrets to retrieve. You must include
+    #   `Filters` or `SecretIdList`, but not both.
+    #   @return [Array<Types::Filter>]
+    #
+    # @!attribute [rw] max_results
+    #   The number of results to include in the response.
+    #
+    #   If there are more results available, in the response, Secrets
+    #   Manager includes `NextToken`. To get the next results, call
+    #   `BatchGetSecretValue` again with the value from `NextToken`. To use
+    #   this parameter, you must also use the `Filters` parameter.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] next_token
+    #   A token that indicates where the output should continue from, if a
+    #   previous call did not show all results. To get the next results,
+    #   call `BatchGetSecretValue` again with this value.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/BatchGetSecretValueRequest AWS API Documentation
+    #
+    class BatchGetSecretValueRequest < Struct.new(
+      :secret_id_list,
+      :filters,
+      :max_results,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] secret_values
+    #   A list of secret values.
+    #   @return [Array<Types::SecretValueEntry>]
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #       }
+    # @!attribute [rw] next_token
+    #   Secrets Manager includes this value if there's more output
+    #   available than what is included in the current response. This can
+    #   occur even when the response includes no values at all, such as when
+    #   you ask for a filtered view of a long list. To get the next results,
+    #   call `BatchGetSecretValue` again with this value.
+    #   @return [String]
+    #
+    # @!attribute [rw] errors
+    #   A list of errors Secrets Manager encountered while attempting to
+    #   retrieve individual secrets.
+    #   @return [Array<Types::APIErrorType>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/BatchGetSecretValueResponse AWS API Documentation
     #
+    class BatchGetSecretValueResponse < Struct.new(
+      :secret_values,
+      :next_token,
+      :errors)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] secret_id
-    #   Specifies the secret for which you want to cancel a rotation
-    #   request. You can specify either the Amazon Resource Name (ARN) or
-    #   the friendly name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
+    #   The ARN or name of the secret.
     #
-    #    </note>
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/CancelRotateSecretRequest AWS API Documentation
     #
     class CancelRotateSecretRequest < Struct.new(
       :secret_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] arn
-    #   The ARN of the secret for which rotation was canceled.
+    #   The ARN of the secret.
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret for which rotation was canceled.
+    #   The name of the secret.
     #   @return [String]
     #
     # @!attribute [rw] version_id
-    #   The unique identifier of the version of the secret that was created
-    #   during the rotation. This version might not be complete, and should
-    #   be evaluated for possible deletion. At the very least, you should
-    #   remove the `VersionStage` value `AWSPENDING` to enable this version
-    #   to be deleted. Failing to clean up a cancelled rotation can block
-    #   you from successfully starting future rotations.
+    #   The unique identifier of the version of the secret created during
+    #   the rotation. This version might not be complete, and should be
+    #   evaluated for possible deletion. We recommend that you remove the
+    #   `VersionStage` value `AWSPENDING` from this version so that Secrets
+    #   Manager can delete it. Failing to clean up a cancelled rotation can
+    #   block you from starting future rotations.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/CancelRotateSecretResponse AWS API Documentation
@@ -67,57 +144,39 @@ module Aws::SecretsManager
       :arn,
       :name,
       :version_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass CreateSecretRequest
-    #   data as a hash:
-    #
-    #       {
-    #         name: "NameType", # required
-    #         client_request_token: "ClientRequestTokenType",
-    #         description: "DescriptionType",
-    #         kms_key_id: "KmsKeyIdType",
-    #         secret_binary: "data",
-    #         secret_string: "SecretStringType",
-    #         tags: [
-    #           {
-    #             key: "TagKeyType",
-    #             value: "TagValueType",
-    #           },
-    #         ],
-    #       }
-    #
     # @!attribute [rw] name
-    #   Specifies the friendly name of the new secret.
+    #   The name of the new secret.
     #
-    #   The secret name must be ASCII letters, digits, or the following
-    #   characters : /\_+=.@-
+    #   The secret name can contain ASCII letters, numbers, and the
+    #   following characters: /\_+=.@-
     #
-    #   <note markdown="1"> Don't end your secret name with a hyphen followed by six
+    #   Do not end your secret name with a hyphen followed by six
     #   characters. If you do so, you risk confusion and unexpected results
-    #   when searching for a secret by partial ARN. This is because Secrets
-    #   Manager automatically adds a hyphen and six random characters at the
-    #   end of the ARN.
-    #
-    #    </note>
+    #   when searching for a secret by partial ARN. Secrets Manager
+    #   automatically adds a hyphen and six random characters after the
+    #   secret name at the end of the ARN.
     #   @return [String]
     #
     # @!attribute [rw] client_request_token
-    #   (Optional) If you include `SecretString` or `SecretBinary`, then an
-    #   initial version is created as part of the secret, and this parameter
-    #   specifies a unique identifier for the new version.
-    #
-    #   <note markdown="1"> If you use the AWS CLI or one of the AWS SDK to call this operation,
-    #   then you can leave this parameter empty. The CLI or SDK generates a
-    #   random UUID for you and includes it as the value for this parameter
-    #   in the request. If you don't use the SDK and instead generate a raw
-    #   HTTP request to the Secrets Manager service endpoint, then you must
-    #   generate a `ClientRequestToken` yourself for the new version and
-    #   include that value in the request.
+    #   If you include `SecretString` or `SecretBinary`, then Secrets
+    #   Manager creates an initial version for the secret, and this
+    #   parameter specifies the unique identifier for the new version.
+    #
+    #   <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
+    #   Services SDKs to call this operation, then you can leave this
+    #   parameter empty. The CLI or SDK generates a random UUID for you and
+    #   includes it as the value for this parameter in the request.
     #
     #    </note>
     #
+    #   If you generate a raw HTTP request to the Secrets Manager service
+    #   endpoint, then you must generate a `ClientRequestToken` and include
+    #   it in the request.
+    #
     #   This value helps ensure idempotency. Secrets Manager uses this value
     #   to prevent the accidental creation of duplicate versions if there
     #   are failures and retries during a rotation. We recommend that you
@@ -127,15 +186,14 @@ module Aws::SecretsManager
     #   * If the `ClientRequestToken` value isn't already associated with a
     #     version of the secret then a new version of the secret is created.
     #
-    #   * If a version with this value already exists and that version's
+    #   * If a version with this value already exists and the version
     #     `SecretString` and `SecretBinary` values are the same as those in
-    #     the request, then the request is ignored (the operation is
-    #     idempotent).
+    #     the request, then the request is ignored.
     #
     #   * If a version with this value already exists and that version's
     #     `SecretString` and `SecretBinary` values are different from those
-    #     in the request then the request fails because you cannot modify an
-    #     existing version. Instead, use PutSecretValue to create a new
+    #     in the request, then the request fails because you cannot modify
+    #     an existing version. Instead, use PutSecretValue to create a new
     #     version.
     #
     #   This value becomes the `VersionId` of the new version.
@@ -149,126 +207,111 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   (Optional) Specifies a user-provided description of the secret.
+    #   The description of the secret.
     #   @return [String]
     #
     # @!attribute [rw] kms_key_id
-    #   (Optional) Specifies the ARN, Key ID, or alias of the AWS KMS
-    #   customer master key (CMK) to be used to encrypt the `SecretString`
-    #   or `SecretBinary` values in the versions stored in this secret.
+    #   The ARN, key ID, or alias of the KMS key that Secrets Manager uses
+    #   to encrypt the secret value in the secret. An alias is always
+    #   prefixed by `alias/`, for example `alias/aws/secretsmanager`. For
+    #   more information, see [About aliases][1].
     #
-    #   You can specify any of the supported ways to identify a AWS KMS key
-    #   ID. If you need to reference a CMK in a different account, you can
-    #   use only the key ARN or the alias ARN.
+    #   To use a KMS key in a different account, use the key ARN or the
+    #   alias ARN.
     #
-    #   If you don't specify this value, then Secrets Manager defaults to
-    #   using the AWS account's default CMK (the one named
-    #   `aws/secretsmanager`). If a AWS KMS CMK with that name doesn't yet
-    #   exist, then Secrets Manager creates it for you automatically the
-    #   first time it needs to encrypt a version's `SecretString` or
-    #   `SecretBinary` fields.
+    #   If you don't specify this value, then Secrets Manager uses the key
+    #   `aws/secretsmanager`. If that key doesn't yet exist, then Secrets
+    #   Manager creates it for you automatically the first time it encrypts
+    #   the secret value.
     #
-    #   You can use the account's default CMK to encrypt and decrypt only
-    #   if you call this operation using credentials from the same account
-    #   that owns the secret. If the secret is in a different account, then
-    #   you must create a custom CMK and specify the ARN in this field.
+    #   If the secret is in a different Amazon Web Services account from the
+    #   credentials calling the API, then you can't use
+    #   `aws/secretsmanager` to encrypt the secret, and you must create and
+    #   use a customer managed KMS key.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html
     #   @return [String]
     #
     # @!attribute [rw] secret_binary
-    #   (Optional) Specifies binary data that you want to encrypt and store
-    #   in the new version of the secret. To use this parameter in the
-    #   command-line tools, we recommend that you store your binary data in
-    #   a file and then use the appropriate technique for your tool to pass
-    #   the contents of the file as a parameter.
+    #   The binary data to encrypt and store in the new version of the
+    #   secret. We recommend that you store your binary data in a file and
+    #   then pass the contents of the file as a parameter.
     #
     #   Either `SecretString` or `SecretBinary` must have a value, but not
-    #   both. They cannot both be empty.
+    #   both.
     #
-    #   This parameter is not available using the Secrets Manager console.
-    #   It can be accessed only by using the AWS CLI or one of the AWS SDKs.
+    #   This parameter is not available in the Secrets Manager console.
+    #
+    #   Sensitive: This field contains sensitive information, so the service
+    #   does not include it in CloudTrail log entries. If you create your
+    #   own log entries, you must also avoid logging the information in this
+    #   field.
     #   @return [String]
     #
     # @!attribute [rw] secret_string
-    #   (Optional) Specifies text data that you want to encrypt and store in
-    #   this new version of the secret.
+    #   The text data to encrypt and store in this new version of the
+    #   secret. We recommend you use a JSON structure of key/value pairs for
+    #   your secret value.
     #
     #   Either `SecretString` or `SecretBinary` must have a value, but not
-    #   both. They cannot both be empty.
+    #   both.
     #
     #   If you create a secret by using the Secrets Manager console then
     #   Secrets Manager puts the protected secret text in only the
     #   `SecretString` parameter. The Secrets Manager console stores the
-    #   information as a JSON structure of key/value pairs that the Lambda
-    #   rotation function knows how to parse.
-    #
-    #   For storing multiple values, we recommend that you use a JSON text
-    #   string argument and specify key/value pairs. For information on how
-    #   to format a JSON parameter for the various command line tool
-    #   environments, see [Using JSON for Parameters][1] in the *AWS CLI
-    #   User Guide*. For example:
-    #
-    #   `[\{"username":"bob"\},\{"password":"abc123xyz456"\}]`
-    #
-    #   If your command-line tool or SDK requires quotation marks around the
-    #   parameter, you should use single quotes to avoid confusion with the
-    #   double quotes required in the JSON text.
+    #   information as a JSON structure of key/value pairs that a Lambda
+    #   rotation function can parse.
     #
-    #
-    #
-    #   [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
+    #   Sensitive: This field contains sensitive information, so the service
+    #   does not include it in CloudTrail log entries. If you create your
+    #   own log entries, you must also avoid logging the information in this
+    #   field.
     #   @return [String]
     #
     # @!attribute [rw] tags
-    #   (Optional) Specifies a list of user-defined tags that are attached
-    #   to the secret. Each tag is a "Key" and "Value" pair of strings.
-    #   This operation only appends tags to the existing list of tags. To
-    #   remove tags, you must use UntagResource.
+    #   A list of tags to attach to the secret. Each tag is a key and value
+    #   pair of strings in a JSON text string, for example:
     #
-    #   * Secrets Manager tag key names are case sensitive. A tag with the
-    #     key "ABC" is a different tag from one with key "abc".
+    #   `[{"Key":"CostCenter","Value":"12345"},{"Key":"environment","Value":"production"}]`
     #
-    #   * If you check tags in IAM policy `Condition` elements as part of
-    #     your security strategy, then adding or removing a tag can change
-    #     permissions. If the successful completion of this operation would
-    #     result in you losing your permissions for this secret, then this
-    #     operation is blocked and returns an `Access Denied` error.
+    #   Secrets Manager tag key names are case sensitive. A tag with the key
+    #   "ABC" is a different tag from one with key "abc".
     #
-    #   This parameter requires a JSON text string argument. For information
-    #   on how to format a JSON parameter for the various command line tool
-    #   environments, see [Using JSON for Parameters][1] in the *AWS CLI
-    #   User Guide*. For example:
-    #
-    #   `[\{"Key":"CostCenter","Value":"12345"\},\{"Key":"environment","Value":"production"\}]`
+    #   If you check tags in permissions policies as part of your security
+    #   strategy, then adding or removing a tag can change permissions. If
+    #   the completion of this operation would result in you losing your
+    #   permissions for this secret, then Secrets Manager blocks the
+    #   operation and returns an `Access Denied` error. For more
+    #   information, see [Control access to secrets using tags][1] and
+    #   [Limit access to identities with tags that match secrets' tags][2].
     #
+    #   For information about how to format a JSON parameter for the various
+    #   command line tool environments, see [Using JSON for Parameters][3].
     #   If your command-line tool or SDK requires quotation marks around the
     #   parameter, you should use single quotes to avoid confusion with the
     #   double quotes required in the JSON text.
     #
-    #   The following basic restrictions apply to tags:
-    #
-    #   * Maximum number of tags per secret—50
+    #   For tag quotas and naming restrictions, see [Service quotas for
+    #   Tagging][4] in the *Amazon Web Services General Reference guide*.
     #
-    #   * Maximum key length—127 Unicode characters in UTF-8
     #
-    #   * Maximum value length—255 Unicode characters in UTF-8
-    #
-    #   * Tag keys and values are case sensitive.
-    #
-    #   * Do not use the `aws:` prefix in your tag names or values because
-    #     it is reserved for AWS use. You can't edit or delete tag names or
-    #     values with this prefix. Tags with this prefix do not count
-    #     against your tags per secret limit.
-    #
-    #   * If your tagging schema will be used across multiple services and
-    #     resources, remember that other services might have restrictions on
-    #     allowed characters. Generally allowed characters are: letters,
-    #     spaces, and numbers representable in UTF-8, plus the following
-    #     special characters: + - = . \_ : / @.
     #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#tag-secrets-abac
+    #   [2]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html#auth-and-access_tags2
+    #   [3]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
+    #   [4]: https://docs.aws.amazon.com/general/latest/gr/arg.html#taged-reference-quotas
+    #   @return [Array<Types::Tag>]
     #
+    # @!attribute [rw] add_replica_regions
+    #   A list of Regions and KMS keys to replicate secrets.
+    #   @return [Array<Types::ReplicaRegionType>]
     #
-    #   [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
-    #   @return [Array<Types::Tag>]
+    # @!attribute [rw] force_overwrite_replica_secret
+    #   Specifies whether to overwrite a secret with the same name in the
+    #   destination Region. By default, secrets aren't overwritten.
+    #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/CreateSecretRequest AWS API Documentation
     #
@@ -279,39 +322,48 @@ module Aws::SecretsManager
       :kms_key_id,
       :secret_binary,
       :secret_string,
-      :tags)
+      :tags,
+      :add_replica_regions,
+      :force_overwrite_replica_secret)
+      SENSITIVE = [:secret_binary, :secret_string]
       include Aws::Structure
     end
 
     # @!attribute [rw] arn
-    #   The Amazon Resource Name (ARN) of the secret that you just created.
-    #
-    #   <note markdown="1"> Secrets Manager automatically adds several random characters to the
-    #   name at the end of the ARN when you initially create a secret. This
-    #   affects only the ARN and not the actual friendly name. This ensures
-    #   that if you create a new secret with the same name as an old secret
-    #   that you previously deleted, then users with access to the old
-    #   secret *don't* automatically get access to the new secret because
+    #   The ARN of the new secret. The ARN includes the name of the secret
+    #   followed by six random characters. This ensures that if you create a
+    #   new secret with the same name as a deleted secret, then users with
+    #   access to the old secret don't get access to the new secret because
     #   the ARNs are different.
-    #
-    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret that you just created.
+    #   The name of the new secret.
     #   @return [String]
     #
     # @!attribute [rw] version_id
-    #   The unique identifier that's associated with the version of the
-    #   secret you just created.
+    #   The unique identifier associated with the version of the new secret.
     #   @return [String]
     #
+    # @!attribute [rw] replication_status
+    #   A list of the replicas of this secret and their status:
+    #
+    #   * `Failed`, which indicates that the replica was not created.
+    #
+    #   * `InProgress`, which indicates that Secrets Manager is in the
+    #     process of creating the replica.
+    #
+    #   * `InSync`, which indicates that the replica was created.
+    #   @return [Array<Types::ReplicationStatusType>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/CreateSecretResponse AWS API Documentation
     #
     class CreateSecretResponse < Struct.new(
       :arn,
       :name,
-      :version_id)
+      :version_id,
+      :replication_status)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -325,42 +377,27 @@ module Aws::SecretsManager
     #
     class DecryptionFailure < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DeleteResourcePolicyRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret to delete the attached resource-based
+    #   policy for.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   Specifies the secret that you want to delete the attached
-    #   resource-based policy for. You can specify either the Amazon
-    #   Resource Name (ARN) or the friendly name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DeleteResourcePolicyRequest AWS API Documentation
     #
     class DeleteResourcePolicyRequest < Struct.new(
       :secret_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -370,8 +407,8 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret that the resource-based policy was
-    #   deleted for.
+    #   The name of the secret that the resource-based policy was deleted
+    #   for.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DeleteResourcePolicyResponse AWS API Documentation
@@ -379,64 +416,50 @@ module Aws::SecretsManager
     class DeleteResourcePolicyResponse < Struct.new(
       :arn,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DeleteSecretRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret to delete.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #         recovery_window_in_days: 1,
-    #         force_delete_without_recovery: false,
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   Specifies the secret that you want to delete. You can specify either
-    #   the Amazon Resource Name (ARN) or the friendly name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @!attribute [rw] recovery_window_in_days
-    #   (Optional) Specifies the number of days that Secrets Manager waits
-    #   before it can delete the secret. You can't use both this parameter
-    #   and the `ForceDeleteWithoutRecovery` parameter in the same API call.
-    #
-    #   This value can range from 7 to 30 days. The default value is 30.
+    #   The number of days from 7 to 30 that Secrets Manager waits before
+    #   permanently deleting the secret. You can't use both this parameter
+    #   and `ForceDeleteWithoutRecovery` in the same call. If you don't use
+    #   either, then by default Secrets Manager uses a 30 day recovery
+    #   window.
     #   @return [Integer]
     #
     # @!attribute [rw] force_delete_without_recovery
-    #   (Optional) Specifies that the secret is to be deleted without any
-    #   recovery window. You can't use both this parameter and the
-    #   `RecoveryWindowInDays` parameter in the same API call.
+    #   Specifies whether to delete the secret without any recovery window.
+    #   You can't use both this parameter and `RecoveryWindowInDays` in the
+    #   same call. If you don't use either, then by default Secrets Manager
+    #   uses a 30 day recovery window.
     #
-    #   An asynchronous background process performs the actual deletion, so
-    #   there can be a short delay before the operation completes. If you
-    #   write code to delete and then immediately recreate a secret with the
-    #   same name, ensure that your code includes appropriate back off and
-    #   retry logic.
+    #   Secrets Manager performs the actual deletion with an asynchronous
+    #   background process, so there might be a short delay before the
+    #   secret is permanently deleted. If you delete a secret and then
+    #   immediately create a secret with the same name, use appropriate back
+    #   off and retry logic.
+    #
+    #   If you forcibly delete an already deleted or nonexistent secret, the
+    #   operation does not return `ResourceNotFoundException`.
     #
     #   Use this parameter with caution. This parameter causes the operation
-    #   to skip the normal waiting period before the permanent deletion that
-    #   AWS would normally impose with the `RecoveryWindowInDays` parameter.
-    #   If you delete a secret with the `ForceDeleteWithouRecovery`
-    #   parameter, then you have no opportunity to recover the secret. It is
-    #   permanently lost.
+    #   to skip the normal recovery window before the permanent deletion
+    #   that Secrets Manager would normally impose with the
+    #   `RecoveryWindowInDays` parameter. If you delete a secret with the
+    #   `ForceDeleteWithoutRecovery` parameter, then you have no opportunity
+    #   to recover the secret. You lose the secret permanently.
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DeleteSecretRequest AWS API Documentation
@@ -445,22 +468,23 @@ module Aws::SecretsManager
       :secret_id,
       :recovery_window_in_days,
       :force_delete_without_recovery)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] arn
-    #   The ARN of the secret that is now scheduled for deletion.
+    #   The ARN of the secret.
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret that is now scheduled for deletion.
+    #   The name of the secret.
     #   @return [String]
     #
     # @!attribute [rw] deletion_date
-    #   The date and time after which this secret can be deleted by Secrets
-    #   Manager and can no longer be restored. This value is the date and
-    #   time of the delete request plus the number of days specified in
-    #   `RecoveryWindowInDays`.
+    #   The date and time after which this secret Secrets Manager can
+    #   permanently delete this secret, and it can no longer be restored.
+    #   This value is the date and time of the delete request plus the
+    #   number of days in `RecoveryWindowInDays`.
     #   @return [Time]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DeleteSecretResponse AWS API Documentation
@@ -469,42 +493,26 @@ module Aws::SecretsManager
       :arn,
       :name,
       :deletion_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass DescribeSecretRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   The identifier of the secret whose details you want to retrieve. You
-    #   can specify either the Amazon Resource Name (ARN) or the friendly
-    #   name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DescribeSecretRequest AWS API Documentation
     #
     class DescribeSecretRequest < Struct.new(
       :secret_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -513,44 +521,46 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The user-provided friendly name of the secret.
+    #   The name of the secret.
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   The user-provided description of the secret.
+    #   The description of the secret.
     #   @return [String]
     #
     # @!attribute [rw] kms_key_id
-    #   The ARN or alias of the AWS KMS customer master key (CMK) that's
-    #   used to encrypt the `SecretString` or `SecretBinary` fields in each
-    #   version of the secret. If you don't provide a key, then Secrets
-    #   Manager defaults to encrypting the secret fields with the default
-    #   AWS KMS CMK (the one named `awssecretsmanager`) for this account.
+    #   The key ID or alias ARN of the KMS key that Secrets Manager uses to
+    #   encrypt the secret value. If the secret is encrypted with the Amazon
+    #   Web Services managed key `aws/secretsmanager`, this field is
+    #   omitted. Secrets created using the console use an KMS key ID.
     #   @return [String]
     #
     # @!attribute [rw] rotation_enabled
-    #   Specifies whether automatic rotation is enabled for this secret.
+    #   Specifies whether automatic rotation is turned on for this secret.
+    #   If the secret has never been configured for rotation, Secrets
+    #   Manager returns null.
     #
-    #   To enable rotation, use RotateSecret with
-    #   `AutomaticallyRotateAfterDays` set to a value greater than 0. To
-    #   disable rotation, use CancelRotateSecret.
+    #   To turn on rotation, use RotateSecret. To turn off rotation, use
+    #   CancelRotateSecret.
     #   @return [Boolean]
     #
     # @!attribute [rw] rotation_lambda_arn
-    #   The ARN of a Lambda function that's invoked by Secrets Manager to
-    #   rotate the secret either automatically per the schedule or manually
-    #   by a call to `RotateSecret`.
+    #   The ARN of the Lambda function that Secrets Manager invokes to
+    #   rotate the secret.
     #   @return [String]
     #
     # @!attribute [rw] rotation_rules
-    #   A structure that contains the rotation configuration for this
-    #   secret.
+    #   The rotation schedule and Lambda function for this secret. If the
+    #   secret previously had rotation turned on, but it is now turned off,
+    #   this field shows the previous rotation schedule and rotation
+    #   function. If the secret never had rotation turned on, this field is
+    #   omitted.
     #   @return [Types::RotationRulesType]
     #
     # @!attribute [rw] last_rotated_date
-    #   The most recent date and time that the Secrets Manager rotation
-    #   process was successfully completed. This value is null if the secret
-    #   has never rotated.
+    #   The last date and time that Secrets Manager rotated the secret. If
+    #   the secret isn't configured for rotation or rotation has been
+    #   disabled, Secrets Manager returns null.
     #   @return [Time]
     #
     # @!attribute [rw] last_changed_date
@@ -558,43 +568,100 @@ module Aws::SecretsManager
     #   @return [Time]
     #
     # @!attribute [rw] last_accessed_date
-    #   The last date that this secret was accessed. This value is truncated
-    #   to midnight of the date and therefore shows only the date, not the
-    #   time.
+    #   The date that the secret was last accessed in the Region. This field
+    #   is omitted if the secret has never been retrieved in the Region.
     #   @return [Time]
     #
     # @!attribute [rw] deleted_date
-    #   This value exists if the secret is scheduled for deletion. Some time
-    #   after the specified date and time, Secrets Manager deletes the
-    #   secret and all of its versions.
+    #   The date the secret is scheduled for deletion. If it is not
+    #   scheduled for deletion, this field is omitted. When you delete a
+    #   secret, Secrets Manager requires a recovery window of at least 7
+    #   days before deleting the secret. Some time after the deleted date,
+    #   Secrets Manager deletes the secret, including all of its versions.
     #
     #   If a secret is scheduled for deletion, then its details, including
-    #   the encrypted secret information, is not accessible. To cancel a
-    #   scheduled deletion and restore access, use RestoreSecret.
+    #   the encrypted secret value, is not accessible. To cancel a scheduled
+    #   deletion and restore access to the secret, use RestoreSecret.
+    #   @return [Time]
+    #
+    # @!attribute [rw] next_rotation_date
+    #   The next rotation is scheduled to occur on or before this date. If
+    #   the secret isn't configured for rotation or rotation has been
+    #   disabled, Secrets Manager returns null. If rotation fails, Secrets
+    #   Manager retries the entire rotation process multiple times. If
+    #   rotation is unsuccessful, this date may be in the past.
+    #
+    #   This date represents the latest date that rotation will occur, but
+    #   it is not an approximate rotation date. In some cases, for example
+    #   if you turn off automatic rotation and then turn it back on, the
+    #   next rotation may occur much sooner than this date.
     #   @return [Time]
     #
     # @!attribute [rw] tags
-    #   The list of user-defined tags that are associated with the secret.
-    #   To add tags to a secret, use TagResource. To remove tags, use
-    #   UntagResource.
+    #   The list of tags attached to the secret. To add tags to a secret,
+    #   use TagResource. To remove tags, use UntagResource.
     #   @return [Array<Types::Tag>]
     #
     # @!attribute [rw] version_ids_to_stages
-    #   A list of all of the currently assigned `VersionStage` staging
-    #   labels and the `VersionId` that each is attached to. Staging labels
-    #   are used to keep track of the different versions during the rotation
-    #   process.
+    #   A list of the versions of the secret that have staging labels
+    #   attached. Versions that don't have staging labels are considered
+    #   deprecated and Secrets Manager can delete them.
     #
-    #   <note markdown="1"> A version that does not have any staging labels attached is
-    #   considered deprecated and subject to deletion. Such versions are not
-    #   included in this list.
+    #   Secrets Manager uses staging labels to indicate the status of a
+    #   secret version during rotation. The three staging labels for
+    #   rotation are:
     #
-    #    </note>
+    #   * `AWSCURRENT`, which indicates the current version of the secret.
+    #
+    #   * `AWSPENDING`, which indicates the version of the secret that
+    #     contains new secret information that will become the next current
+    #     version when rotation finishes.
+    #
+    #     During rotation, Secrets Manager creates an `AWSPENDING` version
+    #     ID before creating the new secret version. To check if a secret
+    #     version exists, call GetSecretValue.
+    #
+    #   * `AWSPREVIOUS`, which indicates the previous current version of the
+    #     secret. You can use this as the *last known good* version.
+    #
+    #   For more information about rotation and staging labels, see [How
+    #   rotation works][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_how.html
     #   @return [Hash<String,Array<String>>]
     #
     # @!attribute [rw] owning_service
+    #   The ID of the service that created this secret. For more
+    #   information, see [Secrets managed by other Amazon Web Services
+    #   services][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/service-linked-secrets.html
+    #   @return [String]
+    #
+    # @!attribute [rw] created_date
+    #   The date the secret was created.
+    #   @return [Time]
+    #
+    # @!attribute [rw] primary_region
+    #   The Region the secret is in. If a secret is replicated to other
+    #   Regions, the replicas are listed in `ReplicationStatus`.
     #   @return [String]
     #
+    # @!attribute [rw] replication_status
+    #   A list of the replicas of this secret and their status:
+    #
+    #   * `Failed`, which indicates that the replica was not created.
+    #
+    #   * `InProgress`, which indicates that Secrets Manager is in the
+    #     process of creating the replica.
+    #
+    #   * `InSync`, which indicates that the replica was created.
+    #   @return [Array<Types::ReplicationStatusType>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DescribeSecretResponse AWS API Documentation
     #
     class DescribeSecretResponse < Struct.new(
@@ -609,20 +676,25 @@ module Aws::SecretsManager
       :last_changed_date,
       :last_accessed_date,
       :deleted_date,
+      :next_rotation_date,
       :tags,
       :version_ids_to_stages,
-      :owning_service)
+      :owning_service,
+      :created_date,
+      :primary_region,
+      :replication_status)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # Secrets Manager can't encrypt the protected secret text using the
-    # provided KMS key. Check that the customer master key (CMK) is
-    # available, enabled, and not in an invalid state. For more information,
-    # see [How Key State Affects Use of a Customer Master Key][1].
+    # provided KMS key. Check that the KMS key is available, enabled, and
+    # not in an invalid state. For more information, see [Key state: Effect
+    # on your KMS key][1].
     #
     #
     #
-    # [1]: http://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
+    # [1]: https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -631,76 +703,95 @@ module Aws::SecretsManager
     #
     class EncryptionFailure < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetRandomPasswordRequest
-    #   data as a hash:
+    # Allows you to add filters when you use the search function in Secrets
+    # Manager. For more information, see [Find secrets in Secrets
+    # Manager][1].
+    #
+    #
     #
-    #       {
-    #         password_length: 1,
-    #         exclude_characters: "ExcludeCharactersType",
-    #         exclude_numbers: false,
-    #         exclude_punctuation: false,
-    #         exclude_uppercase: false,
-    #         exclude_lowercase: false,
-    #         include_space: false,
-    #         require_each_included_type: false,
-    #       }
+    # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/manage_search-secret.html
     #
+    # @!attribute [rw] key
+    #   The following are keys you can use:
+    #
+    #   * **description**: Prefix match, not case-sensitive.
+    #
+    #   * **name**: Prefix match, case-sensitive.
+    #
+    #   * **tag-key**: Prefix match, case-sensitive.
+    #
+    #   * **tag-value**: Prefix match, case-sensitive.
+    #
+    #   * **primary-region**: Prefix match, case-sensitive.
+    #
+    #   * **owning-service**: Prefix match, case-sensitive.
+    #
+    #   * **all**: Breaks the filter value string into words and then
+    #     searches all attributes for matches. Not case-sensitive.
+    #   @return [String]
+    #
+    # @!attribute [rw] values
+    #   The keyword to filter for.
+    #
+    #   You can prefix your search value with an exclamation mark (`!`) in
+    #   order to perform negation filters.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/Filter AWS API Documentation
+    #
+    class Filter < Struct.new(
+      :key,
+      :values)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] password_length
-    #   The desired length of the generated password. The default value if
-    #   you do not include this parameter is 32 characters.
+    #   The length of the password. If you don't include this parameter,
+    #   the default length is 32 characters.
     #   @return [Integer]
     #
     # @!attribute [rw] exclude_characters
-    #   A string that includes characters that should not be included in the
-    #   generated password. The default is that all characters from the
-    #   included sets can be used.
+    #   A string of the characters that you don't want in the password.
     #   @return [String]
     #
     # @!attribute [rw] exclude_numbers
-    #   Specifies that the generated password should not include digits. The
-    #   default if you do not include this switch parameter is that digits
-    #   can be included.
+    #   Specifies whether to exclude numbers from the password. If you
+    #   don't include this switch, the password can contain numbers.
     #   @return [Boolean]
     #
     # @!attribute [rw] exclude_punctuation
-    #   Specifies that the generated password should not include punctuation
-    #   characters. The default if you do not include this switch parameter
-    #   is that punctuation characters can be included.
-    #
-    #   The following are the punctuation characters that *can* be included
-    #   in the generated password if you don't explicitly exclude them with
-    #   `ExcludeCharacters` or `ExcludePunctuation`\:
-    #
-    #   `` ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [ \ ] ^ _ ` \{ | \} ~
-    #   ``
+    #   Specifies whether to exclude the following punctuation characters
+    #   from the password: `` ! " # $ % & ' ( ) * + , - . / : ; < = > ? @ [
+    #   \ ] ^ _ ` { | } ~ ``. If you don't include this switch, the
+    #   password can contain punctuation.
     #   @return [Boolean]
     #
     # @!attribute [rw] exclude_uppercase
-    #   Specifies that the generated password should not include uppercase
-    #   letters. The default if you do not include this switch parameter is
-    #   that uppercase letters can be included.
+    #   Specifies whether to exclude uppercase letters from the password. If
+    #   you don't include this switch, the password can contain uppercase
+    #   letters.
     #   @return [Boolean]
     #
     # @!attribute [rw] exclude_lowercase
-    #   Specifies that the generated password should not include lowercase
-    #   letters. The default if you do not include this switch parameter is
-    #   that lowercase letters can be included.
+    #   Specifies whether to exclude lowercase letters from the password. If
+    #   you don't include this switch, the password can contain lowercase
+    #   letters.
     #   @return [Boolean]
     #
     # @!attribute [rw] include_space
-    #   Specifies that the generated password can include the space
-    #   character. The default if you do not include this switch parameter
-    #   is that the space character is not included.
+    #   Specifies whether to include the space character. If you include
+    #   this switch, the password can contain space characters.
     #   @return [Boolean]
     #
     # @!attribute [rw] require_each_included_type
-    #   A boolean value that specifies whether the generated password must
-    #   include at least one of every allowed character type. The default
-    #   value is `True` and the operation requires at least one of every
-    #   character type.
+    #   Specifies whether to include at least one upper and lowercase
+    #   letter, one number, and one punctuation. If you don't include this
+    #   switch, the password contains at least one of every character type.
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/GetRandomPasswordRequest AWS API Documentation
@@ -714,53 +805,39 @@ module Aws::SecretsManager
       :exclude_lowercase,
       :include_space,
       :require_each_included_type)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] random_password
-    #   A string with the generated password.
+    #   A string with the password.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/GetRandomPasswordResponse AWS API Documentation
     #
     class GetRandomPasswordResponse < Struct.new(
       :random_password)
+      SENSITIVE = [:random_password]
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetResourcePolicyRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret to retrieve the attached
+    #   resource-based policy for.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   Specifies the secret that you want to retrieve the attached
-    #   resource-based policy for. You can specify either the Amazon
-    #   Resource Name (ARN) or the friendly name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/GetResourcePolicyRequest AWS API Documentation
     #
     class GetResourcePolicyRequest < Struct.new(
       :secret_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -770,22 +847,19 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret that the resource-based policy was
-    #   retrieved for.
+    #   The name of the secret that the resource-based policy was retrieved
+    #   for.
     #   @return [String]
     #
     # @!attribute [rw] resource_policy
-    #   A JSON-formatted string that describes the permissions that are
-    #   associated with the attached secret. These permissions are combined
-    #   with any permissions that are associated with the user or role that
-    #   attempts to access this secret. The combined permissions specify who
-    #   can access the secret and what actions they can perform. For more
-    #   information, see [Authentication and Access Control for AWS Secrets
-    #   Manager][1] in the *AWS Secrets Manager User Guide*.
+    #   A JSON-formatted string that contains the permissions policy
+    #   attached to the secret. For more information about permissions
+    #   policies, see [Authentication and access control for Secrets
+    #   Manager][1].
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/GetResourcePolicyResponse AWS API Documentation
@@ -794,47 +868,28 @@ module Aws::SecretsManager
       :arn,
       :name,
       :resource_policy)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass GetSecretValueRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret to retrieve. To retrieve a secret from
+    #   another account, you must use an ARN.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #         version_id: "SecretVersionIdType",
-    #         version_stage: "SecretVersionStageType",
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   Specifies the secret containing the version that you want to
-    #   retrieve. You can specify either the Amazon Resource Name (ARN) or
-    #   the friendly name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @!attribute [rw] version_id
-    #   Specifies the unique identifier of the version of the secret that
-    #   you want to retrieve. If you specify this parameter then don't
-    #   specify `VersionStage`. If you don't specify either a
-    #   `VersionStage` or `VersionId` then the default is to perform the
-    #   operation on the version with the `VersionStage` value of
-    #   `AWSCURRENT`.
+    #   The unique identifier of the version of the secret to retrieve. If
+    #   you include both this parameter and `VersionStage`, the two
+    #   parameters must refer to the same secret version. If you don't
+    #   specify either a `VersionStage` or `VersionId`, then Secrets Manager
+    #   returns the `AWSCURRENT` version.
     #
     #   This value is typically a [UUID-type][1] value with 32 hexadecimal
     #   digits.
@@ -845,14 +900,13 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] version_stage
-    #   Specifies the secret version that you want to retrieve by the
-    #   staging label attached to the version.
+    #   The staging label of the version of the secret to retrieve.
     #
-    #   Staging labels are used to keep track of different versions during
-    #   the rotation process. If you use this parameter then don't specify
-    #   `VersionId`. If you don't specify either a `VersionStage` or
-    #   `VersionId`, then the default is to perform the operation on the
-    #   version with the `VersionStage` value of `AWSCURRENT`.
+    #   Secrets Manager uses staging labels to keep track of different
+    #   versions during the rotation process. If you include both this
+    #   parameter and `VersionId`, the two parameters must refer to the same
+    #   secret version. If you don't specify either a `VersionStage` or
+    #   `VersionId`, Secrets Manager returns the `AWSCURRENT` version.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/GetSecretValueRequest AWS API Documentation
@@ -861,6 +915,7 @@ module Aws::SecretsManager
       :secret_id,
       :version_id,
       :version_stage)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -877,37 +932,35 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] secret_binary
-    #   The decrypted part of the protected secret information that was
-    #   originally provided as binary data in the form of a byte array. The
-    #   response parameter represents the binary data as a
-    #   [base64-encoded][1] string.
-    #
-    #   This parameter is not used if the secret is created by the Secrets
-    #   Manager console.
-    #
-    #   If you store custom information in this field of the secret, then
-    #   you must code your Lambda rotation function to parse and interpret
-    #   whatever you store in the `SecretString` or `SecretBinary` fields.
-    #
+    #   The decrypted secret value, if the secret value was originally
+    #   provided as binary data in the form of a byte array. When you
+    #   retrieve a `SecretBinary` using the HTTP API, the Python SDK, or the
+    #   Amazon Web Services CLI, the value is Base64-encoded. Otherwise, it
+    #   is not encoded.
     #
+    #   If the secret was created by using the Secrets Manager console, or
+    #   if the secret value was originally provided as a string, then this
+    #   field is omitted. The secret value appears in `SecretString`
+    #   instead.
     #
-    #   [1]: https://tools.ietf.org/html/rfc4648#section-4
+    #   Sensitive: This field contains sensitive information, so the service
+    #   does not include it in CloudTrail log entries. If you create your
+    #   own log entries, you must also avoid logging the information in this
+    #   field.
     #   @return [String]
     #
     # @!attribute [rw] secret_string
-    #   The decrypted part of the protected secret information that was
-    #   originally provided as a string.
+    #   The decrypted secret value, if the secret value was originally
+    #   provided as a string or through the Secrets Manager console.
     #
-    #   If you create this secret by using the Secrets Manager console then
-    #   only the `SecretString` parameter contains data. Secrets Manager
-    #   stores the information as a JSON structure of key/value pairs that
-    #   the Lambda rotation function knows how to parse.
+    #   If this secret was created by using the console, then Secrets
+    #   Manager stores the information as a JSON structure of key/value
+    #   pairs.
     #
-    #   If you store custom information in the secret by using the
-    #   CreateSecret, UpdateSecret, or PutSecretValue API operations instead
-    #   of the Secrets Manager console, or by using the **Other secret
-    #   type** in the console, then you must code your Lambda rotation
-    #   function to parse and interpret those values.
+    #   Sensitive: This field contains sensitive information, so the service
+    #   does not include it in CloudTrail log entries. If you create your
+    #   own log entries, you must also avoid logging the information in this
+    #   field.
     #   @return [String]
     #
     # @!attribute [rw] version_stages
@@ -916,7 +969,9 @@ module Aws::SecretsManager
     #   @return [Array<String>]
     #
     # @!attribute [rw] created_date
-    #   The date and time that this version of the secret was created.
+    #   The date and time that this version of the secret was created. If
+    #   you don't specify which version in `VersionId` or `VersionStage`,
+    #   then Secrets Manager uses the `AWSCURRENT` version.
     #   @return [Time]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/GetSecretValueResponse AWS API Documentation
@@ -929,6 +984,7 @@ module Aws::SecretsManager
       :secret_string,
       :version_stages,
       :created_date)
+      SENSITIVE = [:secret_binary, :secret_string]
       include Aws::Structure
     end
 
@@ -941,10 +997,11 @@ module Aws::SecretsManager
     #
     class InternalServiceError < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # You provided an invalid `NextToken` value.
+    # The `NextToken` value is invalid.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -953,10 +1010,11 @@ module Aws::SecretsManager
     #
     class InvalidNextTokenException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # You provided an invalid value for a parameter.
+    # The parameter name or value is invalid.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -965,21 +1023,28 @@ module Aws::SecretsManager
     #
     class InvalidParameterException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # You provided a parameter value that is not valid for the current state
-    # of the resource.
+    # A parameter value is not valid for the current state of the resource.
     #
     # Possible causes:
     #
-    # * You tried to perform the operation on a secret that's currently
-    #   marked deleted.
+    # * The secret is scheduled for deletion.
     #
     # * You tried to enable rotation on a secret that doesn't already have
     #   a Lambda function ARN configured and you didn't include such an ARN
     #   as a parameter in this call.
     #
+    # * The secret is managed by another service, and you must use that
+    #   service to update it. For more information, see [Secrets managed by
+    #   other Amazon Web Services services][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/service-linked-secrets.html
+    #
     # @!attribute [rw] message
     #   @return [String]
     #
@@ -987,11 +1052,12 @@ module Aws::SecretsManager
     #
     class InvalidRequestException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # The request failed because it would exceed one of the Secrets Manager
-    # internal limits.
+    # quotas.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1000,67 +1066,41 @@ module Aws::SecretsManager
     #
     class LimitExceededException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ListSecretVersionIdsRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret whose versions you want to list.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #         max_results: 1,
-    #         next_token: "NextTokenType",
-    #         include_deprecated: false,
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   The identifier for the secret containing the versions you want to
-    #   list. You can specify either the Amazon Resource Name (ARN) or the
-    #   friendly name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @!attribute [rw] max_results
-    #   (Optional) Limits the number of results that you want to include in
-    #   the response. If you don't include this parameter, it defaults to a
-    #   value that's specific to the operation. If additional items exist
-    #   beyond the maximum you specify, the `NextToken` response element is
-    #   present and has a value (isn't null). Include that value as the
-    #   `NextToken` request parameter in the next call to the operation to
-    #   get the next part of the results. Note that Secrets Manager might
-    #   return fewer results than the maximum even when there are more
-    #   results available. You should check `NextToken` after every
-    #   operation to ensure that you receive all of the results.
+    #   The number of results to include in the response.
+    #
+    #   If there are more results available, in the response, Secrets
+    #   Manager includes `NextToken`. To get the next results, call
+    #   `ListSecretVersionIds` again with the value from `NextToken`.
     #   @return [Integer]
     #
     # @!attribute [rw] next_token
-    #   (Optional) Use this parameter in a request if you receive a
-    #   `NextToken` response in a previous request that indicates that
-    #   there's more output available. In a subsequent call, set it to the
-    #   value of the previous call's `NextToken` response to indicate where
-    #   the output should continue from.
+    #   A token that indicates where the output should continue from, if a
+    #   previous call did not show all results. To get the next results,
+    #   call `ListSecretVersionIds` again with this value.
     #   @return [String]
     #
     # @!attribute [rw] include_deprecated
-    #   (Optional) Specifies that you want the results to include versions
-    #   that do not have any staging labels attached to them. Such versions
+    #   Specifies whether to include versions of secrets that don't have
+    #   any staging labels attached to them. Versions without staging labels
     #   are considered deprecated and are subject to deletion by Secrets
-    #   Manager as needed.
+    #   Manager. By default, versions without staging labels aren't
+    #   included.
     #   @return [Boolean]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecretVersionIdsRequest AWS API Documentation
@@ -1070,41 +1110,28 @@ module Aws::SecretsManager
       :max_results,
       :next_token,
       :include_deprecated)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] versions
-    #   The list of the currently available versions of the specified
-    #   secret.
+    #   A list of the versions of the secret.
     #   @return [Array<Types::SecretVersionsListEntry>]
     #
     # @!attribute [rw] next_token
-    #   If present in the response, this value indicates that there's more
-    #   output available than what's included in the current response. This
-    #   can occur even when the response includes no values at all, such as
-    #   when you ask for a filtered view of a very long list. Use this value
-    #   in the `NextToken` request parameter in a subsequent call to the
-    #   operation to continue processing and get the next part of the
-    #   output. You should repeat this until the `NextToken` response
-    #   element comes back empty (as `null`).
+    #   Secrets Manager includes this value if there's more output
+    #   available than what is included in the current response. This can
+    #   occur even when the response includes no values at all, such as when
+    #   you ask for a filtered view of a long list. To get the next results,
+    #   call `ListSecretVersionIds` again with this value.
     #   @return [String]
     #
     # @!attribute [rw] arn
-    #   The Amazon Resource Name (ARN) for the secret.
-    #
-    #   <note markdown="1"> Secrets Manager automatically adds several random characters to the
-    #   name at the end of the ARN when you initially create a secret. This
-    #   affects only the ARN and not the actual friendly name. This ensures
-    #   that if you create a new secret with the same name as an old secret
-    #   that you previously deleted, then users with access to the old
-    #   secret *don't* automatically get access to the new secret because
-    #   the ARNs are different.
-    #
-    #    </note>
+    #   The ARN of the secret.
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret.
+    #   The name of the secret.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecretVersionIdsResponse AWS API Documentation
@@ -1114,43 +1141,46 @@ module Aws::SecretsManager
       :next_token,
       :arn,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass ListSecretsRequest
-    #   data as a hash:
-    #
-    #       {
-    #         max_results: 1,
-    #         next_token: "NextTokenType",
-    #       }
+    # @!attribute [rw] include_planned_deletion
+    #   Specifies whether to include secrets scheduled for deletion. By
+    #   default, secrets scheduled for deletion aren't included.
+    #   @return [Boolean]
     #
     # @!attribute [rw] max_results
-    #   (Optional) Limits the number of results that you want to include in
-    #   the response. If you don't include this parameter, it defaults to a
-    #   value that's specific to the operation. If additional items exist
-    #   beyond the maximum you specify, the `NextToken` response element is
-    #   present and has a value (isn't null). Include that value as the
-    #   `NextToken` request parameter in the next call to the operation to
-    #   get the next part of the results. Note that Secrets Manager might
-    #   return fewer results than the maximum even when there are more
-    #   results available. You should check `NextToken` after every
-    #   operation to ensure that you receive all of the results.
+    #   The number of results to include in the response.
+    #
+    #   If there are more results available, in the response, Secrets
+    #   Manager includes `NextToken`. To get the next results, call
+    #   `ListSecrets` again with the value from `NextToken`.
     #   @return [Integer]
     #
     # @!attribute [rw] next_token
-    #   (Optional) Use this parameter in a request if you receive a
-    #   `NextToken` response in a previous request that indicates that
-    #   there's more output available. In a subsequent call, set it to the
-    #   value of the previous call's `NextToken` response to indicate where
-    #   the output should continue from.
+    #   A token that indicates where the output should continue from, if a
+    #   previous call did not show all results. To get the next results,
+    #   call `ListSecrets` again with this value.
+    #   @return [String]
+    #
+    # @!attribute [rw] filters
+    #   The filters to apply to the list of secrets.
+    #   @return [Array<Types::Filter>]
+    #
+    # @!attribute [rw] sort_order
+    #   Secrets are listed by `CreatedDate`.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecretsRequest AWS API Documentation
     #
     class ListSecretsRequest < Struct.new(
+      :include_planned_deletion,
       :max_results,
-      :next_token)
+      :next_token,
+      :filters,
+      :sort_order)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1159,14 +1189,11 @@ module Aws::SecretsManager
     #   @return [Array<Types::SecretListEntry>]
     #
     # @!attribute [rw] next_token
-    #   If present in the response, this value indicates that there's more
-    #   output available than what's included in the current response. This
-    #   can occur even when the response includes no values at all, such as
-    #   when you ask for a filtered view of a very long list. Use this value
-    #   in the `NextToken` request parameter in a subsequent call to the
-    #   operation to continue processing and get the next part of the
-    #   output. You should repeat this until the `NextToken` response
-    #   element comes back empty (as `null`).
+    #   Secrets Manager includes this value if there's more output
+    #   available than what is included in the current response. This can
+    #   occur even when the response includes no values at all, such as when
+    #   you ask for a filtered view of a long list. To get the next results,
+    #   call `ListSecrets` again with this value.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecretsResponse AWS API Documentation
@@ -1174,10 +1201,11 @@ module Aws::SecretsManager
     class ListSecretsResponse < Struct.new(
       :secret_list,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # The policy document that you provided isn't valid.
+    # The resource policy has syntax errors.
     #
     # @!attribute [rw] message
     #   @return [String]
@@ -1186,6 +1214,7 @@ module Aws::SecretsManager
     #
     class MalformedPolicyDocumentException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1199,68 +1228,87 @@ module Aws::SecretsManager
     #
     class PreconditionNotMetException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass PutResourcePolicyRequest
-    #   data as a hash:
+    # The `BlockPublicPolicy` parameter is set to true, and the resource
+    # policy did not prevent broad access to the secret.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #         resource_policy: "NonEmptyResourcePolicyType", # required
-    #       }
+    # @!attribute [rw] message
+    #   @return [String]
     #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/PublicPolicyException AWS API Documentation
+    #
+    class PublicPolicyException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] secret_id
-    #   Specifies the secret that you want to attach the resource-based
-    #   policy to. You can specify either the ARN or the friendly name of
-    #   the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
+    #   The ARN or name of the secret to attach the resource-based policy.
     #
-    #    </note>
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @!attribute [rw] resource_policy
-    #   A JSON-formatted string that's constructed according to the grammar
-    #   and syntax for an AWS resource-based policy. The policy in the
-    #   string identifies who can access or manage this secret and its
-    #   versions. For information on how to format a JSON parameter for the
-    #   various command line tool environments, see [Using JSON for
-    #   Parameters][1] in the *AWS CLI User Guide*.
+    #   A JSON-formatted string for an Amazon Web Services resource-based
+    #   policy. For example policies, see [Permissions policy examples][1].
     #
     #
     #
-    #   [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
     #   @return [String]
     #
+    # @!attribute [rw] block_public_policy
+    #   Specifies whether to block resource-based policies that allow broad
+    #   access to the secret, for example those that use a wildcard for the
+    #   principal. By default, public policies aren't blocked.
+    #
+    #   Resource policy validation and the BlockPublicPolicy parameter help
+    #   protect your resources by preventing public access from being
+    #   granted through the resource policies that are directly attached to
+    #   your secrets. In addition to using these features, carefully inspect
+    #   the following policies to confirm that they do not grant public
+    #   access:
+    #
+    #    * Identity-based policies attached to associated Amazon Web
+    #   Services
+    #     principals (for example, IAM roles)
+    #
+    #   * Resource-based policies attached to associated Amazon Web Services
+    #     resources (for example, Key Management Service (KMS) keys)
+    #
+    #    To review permissions to your secrets, see [Determine who has
+    #   permissions to your secrets][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/PutResourcePolicyRequest AWS API Documentation
     #
     class PutResourcePolicyRequest < Struct.new(
       :secret_id,
-      :resource_policy)
+      :resource_policy,
+      :block_public_policy)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] arn
-    #   The ARN of the secret that the resource-based policy was retrieved
-    #   for.
+    #   The ARN of the secret.
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret that the resource-based policy was
-    #   retrieved for.
+    #   The name of the secret.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/PutResourcePolicyResponse AWS API Documentation
@@ -1268,75 +1316,56 @@ module Aws::SecretsManager
     class PutResourcePolicyResponse < Struct.new(
       :arn,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass PutSecretValueRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret to add a new version to.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #         client_request_token: "ClientRequestTokenType",
-    #         secret_binary: "data",
-    #         secret_string: "SecretStringType",
-    #         version_stages: ["SecretVersionStageType"],
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   Specifies the secret to which you want to add a new version. You can
-    #   specify either the Amazon Resource Name (ARN) or the friendly name
-    #   of the secret. The secret must already exist.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
+    #   If the secret doesn't already exist, use `CreateSecret` instead.
     #
-    #    </note>
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @!attribute [rw] client_request_token
-    #   (Optional) Specifies a unique identifier for the new version of the
-    #   secret.
+    #   A unique identifier for the new version of the secret.
     #
-    #   <note markdown="1"> If you use the AWS CLI or one of the AWS SDK to call this operation,
-    #   then you can leave this parameter empty. The CLI or SDK generates a
-    #   random UUID for you and includes that in the request. If you don't
-    #   use the SDK and instead generate a raw HTTP request to the Secrets
-    #   Manager service endpoint, then you must generate a
-    #   `ClientRequestToken` yourself for new versions and include that
-    #   value in the request.
+    #   <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
+    #   Services SDKs to call this operation, then you can leave this
+    #   parameter empty. The CLI or SDK generates a random UUID for you and
+    #   includes it as the value for this parameter in the request.
     #
     #    </note>
     #
+    #   If you generate a raw HTTP request to the Secrets Manager service
+    #   endpoint, then you must generate a `ClientRequestToken` and include
+    #   it in the request.
+    #
     #   This value helps ensure idempotency. Secrets Manager uses this value
     #   to prevent the accidental creation of duplicate versions if there
-    #   are failures and retries during the Lambda rotation function's
-    #   processing. We recommend that you generate a [UUID-type][1] value to
-    #   ensure uniqueness within the specified secret.
+    #   are failures and retries during a rotation. We recommend that you
+    #   generate a [UUID-type][1] value to ensure uniqueness of your
+    #   versions within the specified secret.
     #
     #   * If the `ClientRequestToken` value isn't already associated with a
     #     version of the secret then a new version of the secret is created.
     #
     #   * If a version with this value already exists and that version's
     #     `SecretString` or `SecretBinary` values are the same as those in
-    #     the request then the request is ignored (the operation is
-    #     idempotent).
+    #     the request then the request is ignored. The operation is
+    #     idempotent.
     #
-    #   * If a version with this value already exists and that version's
+    #   * If a version with this value already exists and the version of the
     #     `SecretString` and `SecretBinary` values are different from those
-    #     in the request then the request fails because you cannot modify an
-    #     existing secret version. You can only create new versions to store
-    #     new secret values.
+    #     in the request, then the request fails because you can't modify a
+    #     secret version. You can only create new versions to store new
+    #     secret values.
     #
     #   This value becomes the `VersionId` of the new version.
     #
@@ -1349,65 +1378,68 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] secret_binary
-    #   (Optional) Specifies binary data that you want to encrypt and store
-    #   in the new version of the secret. To use this parameter in the
-    #   command-line tools, we recommend that you store your binary data in
-    #   a file and then use the appropriate technique for your tool to pass
-    #   the contents of the file as a parameter. Either `SecretBinary` or
-    #   `SecretString` must have a value, but not both. They cannot both be
-    #   empty.
+    #   The binary data to encrypt and store in the new version of the
+    #   secret. To use this parameter in the command-line tools, we
+    #   recommend that you store your binary data in a file and then pass
+    #   the contents of the file as a parameter.
     #
-    #   This parameter is not accessible if the secret using the Secrets
-    #   Manager console.
+    #   You must include `SecretBinary` or `SecretString`, but not both.
+    #
+    #   You can't access this value from the Secrets Manager console.
+    #
+    #   Sensitive: This field contains sensitive information, so the service
+    #   does not include it in CloudTrail log entries. If you create your
+    #   own log entries, you must also avoid logging the information in this
+    #   field.
     #   @return [String]
     #
     # @!attribute [rw] secret_string
-    #   (Optional) Specifies text data that you want to encrypt and store in
-    #   this new version of the secret. Either `SecretString` or
-    #   `SecretBinary` must have a value, but not both. They cannot both be
-    #   empty.
+    #   The text to encrypt and store in the new version of the secret.
     #
-    #   If you create this secret by using the Secrets Manager console then
-    #   Secrets Manager puts the protected secret text in only the
-    #   `SecretString` parameter. The Secrets Manager console stores the
-    #   information as a JSON structure of key/value pairs that the default
-    #   Lambda rotation function knows how to parse.
+    #   You must include `SecretBinary` or `SecretString`, but not both.
     #
-    #   For storing multiple values, we recommend that you use a JSON text
-    #   string argument and specify key/value pairs. For information on how
-    #   to format a JSON parameter for the various command line tool
-    #   environments, see [Using JSON for Parameters][1] in the *AWS CLI
-    #   User Guide*.
+    #   We recommend you create the secret string as JSON key/value pairs,
+    #   as shown in the example.
     #
-    #   For example:
+    #   Sensitive: This field contains sensitive information, so the service
+    #   does not include it in CloudTrail log entries. If you create your
+    #   own log entries, you must also avoid logging the information in this
+    #   field.
+    #   @return [String]
     #
-    #   `[\{"username":"bob"\},\{"password":"abc123xyz456"\}]`
+    # @!attribute [rw] version_stages
+    #   A list of staging labels to attach to this version of the secret.
+    #   Secrets Manager uses staging labels to track versions of a secret
+    #   through the rotation process.
+    #
+    #   If you specify a staging label that's already associated with a
+    #   different version of the same secret, then Secrets Manager removes
+    #   the label from the other version and attaches it to this version. If
+    #   you specify `AWSCURRENT`, and it is already attached to another
+    #   version, then Secrets Manager also moves the staging label
+    #   `AWSPREVIOUS` to the version that `AWSCURRENT` was removed from.
+    #
+    #   If you don't include `VersionStages`, then Secrets Manager
+    #   automatically moves the staging label `AWSCURRENT` to this version.
+    #   @return [Array<String>]
     #
-    #   If your command-line tool or SDK requires quotation marks around the
-    #   parameter, you should use single quotes to avoid confusion with the
-    #   double quotes required in the JSON text.
+    # @!attribute [rw] rotation_token
+    #   A unique identifier that indicates the source of the request. For
+    #   cross-account rotation (when you rotate a secret in one account by
+    #   using a Lambda rotation function in another account) and the Lambda
+    #   rotation function assumes an IAM role to call Secrets Manager,
+    #   Secrets Manager validates the identity with the rotation token. For
+    #   more information, see [How rotation works][1].
     #
+    #   Sensitive: This field contains sensitive information, so the service
+    #   does not include it in CloudTrail log entries. If you create your
+    #   own log entries, you must also avoid logging the information in this
+    #   field.
     #
     #
-    #   [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
-    #   @return [String]
     #
-    # @!attribute [rw] version_stages
-    #   (Optional) Specifies a list of staging labels that are attached to
-    #   this version of the secret. These staging labels are used to track
-    #   the versions through the rotation process by the Lambda rotation
-    #   function.
-    #
-    #   A staging label must be unique to a single version of the secret. If
-    #   you specify a staging label that's already associated with a
-    #   different version of the same secret then that staging label is
-    #   automatically removed from the other version and attached to this
-    #   version.
-    #
-    #   If you do not specify a value for `VersionStages` then Secrets
-    #   Manager automatically moves the staging label `AWSCURRENT` to this
-    #   new version.
-    #   @return [Array<String>]
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotating-secrets.html
+    #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/PutSecretValueRequest AWS API Documentation
     #
@@ -1416,29 +1448,28 @@ module Aws::SecretsManager
       :client_request_token,
       :secret_binary,
       :secret_string,
-      :version_stages)
+      :version_stages,
+      :rotation_token)
+      SENSITIVE = [:secret_binary, :secret_string, :rotation_token]
       include Aws::Structure
     end
 
     # @!attribute [rw] arn
-    #   The Amazon Resource Name (ARN) for the secret for which you just
-    #   created a version.
+    #   The ARN of the secret.
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret for which you just created or
-    #   updated a version.
+    #   The name of the secret.
     #   @return [String]
     #
     # @!attribute [rw] version_id
-    #   The unique identifier of the version of the secret you just created
-    #   or updated.
+    #   The unique identifier of the version of the secret.
     #   @return [String]
     #
     # @!attribute [rw] version_stages
     #   The list of staging labels that are currently attached to this
-    #   version of the secret. Staging labels are used to track a version as
-    #   it progresses through the secret rotation process.
+    #   version of the secret. Secrets Manager uses staging labels to track
+    #   a version as it progresses through the secret rotation process.
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/PutSecretValueResponse AWS API Documentation
@@ -1448,66 +1479,190 @@ module Aws::SecretsManager
       :name,
       :version_id,
       :version_stages)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # A resource with the ID you requested already exists.
-    #
-    # @!attribute [rw] message
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ResourceExistsException AWS API Documentation
+    # @!attribute [rw] remove_replica_regions
+    #   The Regions of the replicas to remove.
+    #   @return [Array<String>]
     #
-    class ResourceExistsException < Struct.new(
-      :message)
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RemoveRegionsFromReplicationRequest AWS API Documentation
+    #
+    class RemoveRegionsFromReplicationRequest < Struct.new(
+      :secret_id,
+      :remove_replica_regions)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # We can't find the resource that you asked for.
-    #
-    # @!attribute [rw] message
+    # @!attribute [rw] arn
+    #   The ARN of the primary secret.
     #   @return [String]
     #
-    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ResourceNotFoundException AWS API Documentation
+    # @!attribute [rw] replication_status
+    #   The status of replicas for this secret after you remove Regions.
+    #   @return [Array<Types::ReplicationStatusType>]
     #
-    class ResourceNotFoundException < Struct.new(
-      :message)
-      include Aws::Structure
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RemoveRegionsFromReplicationResponse AWS API Documentation
+    #
+    class RemoveRegionsFromReplicationResponse < Struct.new(
+      :arn,
+      :replication_status)
+      SENSITIVE = []
+      include Aws::Structure
     end
 
-    # @note When making an API call, you may pass RestoreSecretRequest
-    #   data as a hash:
+    # A custom type that specifies a `Region` and the `KmsKeyId` for a
+    # replica secret.
+    #
+    # @!attribute [rw] region
+    #   A Region code. For a list of Region codes, see [Name and code of
+    #   Regions][1].
+    #
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #       }
     #
+    #   [1]: https://docs.aws.amazon.com/general/latest/gr/rande.html#regional-endpoints
+    #   @return [String]
+    #
+    # @!attribute [rw] kms_key_id
+    #   The ARN, key ID, or alias of the KMS key to encrypt the secret. If
+    #   you don't include this field, Secrets Manager uses
+    #   `aws/secretsmanager`.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ReplicaRegionType AWS API Documentation
+    #
+    class ReplicaRegionType < Struct.new(
+      :region,
+      :kms_key_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] secret_id
-    #   Specifies the secret that you want to restore from a previously
-    #   scheduled deletion. You can specify either the Amazon Resource Name
-    #   (ARN) or the friendly name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
+    #   The ARN or name of the secret to replicate.
+    #   @return [String]
     #
-    #    </note>
+    # @!attribute [rw] add_replica_regions
+    #   A list of Regions in which to replicate the secret.
+    #   @return [Array<Types::ReplicaRegionType>]
+    #
+    # @!attribute [rw] force_overwrite_replica_secret
+    #   Specifies whether to overwrite a secret with the same name in the
+    #   destination Region. By default, secrets aren't overwritten.
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ReplicateSecretToRegionsRequest AWS API Documentation
+    #
+    class ReplicateSecretToRegionsRequest < Struct.new(
+      :secret_id,
+      :add_replica_regions,
+      :force_overwrite_replica_secret)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] arn
+    #   The ARN of the primary secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] replication_status
+    #   The status of replication.
+    #   @return [Array<Types::ReplicationStatusType>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ReplicateSecretToRegionsResponse AWS API Documentation
+    #
+    class ReplicateSecretToRegionsResponse < Struct.new(
+      :arn,
+      :replication_status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A replication object consisting of a `RegionReplicationStatus` object
+    # and includes a Region, KMSKeyId, status, and status message.
+    #
+    # @!attribute [rw] region
+    #   The Region where replication occurs.
+    #   @return [String]
+    #
+    # @!attribute [rw] kms_key_id
+    #   Can be an `ARN`, `Key ID`, or `Alias`.
+    #   @return [String]
+    #
+    # @!attribute [rw] status
+    #   The status can be `InProgress`, `Failed`, or `InSync`.
+    #   @return [String]
+    #
+    # @!attribute [rw] status_message
+    #   Status message such as "*Secret with this name already exists in
+    #   this region*".
+    #   @return [String]
+    #
+    # @!attribute [rw] last_accessed_date
+    #   The date that the secret was last accessed in the Region. This field
+    #   is omitted if the secret has never been retrieved in the Region.
+    #   @return [Time]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ReplicationStatusType AWS API Documentation
+    #
+    class ReplicationStatusType < Struct.new(
+      :region,
+      :kms_key_id,
+      :status,
+      :status_message,
+      :last_accessed_date)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A resource with the ID you requested already exists.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ResourceExistsException AWS API Documentation
+    #
+    class ResourceExistsException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Secrets Manager can't find the resource that you asked for.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ResourceNotFoundException AWS API Documentation
+    #
+    class ResourceNotFoundException < Struct.new(
+      :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret to restore.
+    #
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RestoreSecretRequest AWS API Documentation
     #
     class RestoreSecretRequest < Struct.new(
       :secret_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1516,7 +1671,7 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret that was restored.
+    #   The name of the secret that was restored.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RestoreSecretResponse AWS API Documentation
@@ -1524,63 +1679,43 @@ module Aws::SecretsManager
     class RestoreSecretResponse < Struct.new(
       :arn,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass RotateSecretRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret to rotate.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #         client_request_token: "ClientRequestTokenType",
-    #         rotation_lambda_arn: "RotationLambdaARNType",
-    #         rotation_rules: {
-    #           automatically_after_days: 1,
-    #         },
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   Specifies the secret that you want to rotate. You can specify either
-    #   the Amazon Resource Name (ARN) or the friendly name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @!attribute [rw] client_request_token
-    #   (Optional) Specifies a unique identifier for the new version of the
-    #   secret that helps ensure idempotency.
-    #
-    #   If you use the AWS CLI or one of the AWS SDK to call this operation,
-    #   then you can leave this parameter empty. The CLI or SDK generates a
-    #   random UUID for you and includes that in the request for this
-    #   parameter. If you don't use the SDK and instead generate a raw HTTP
-    #   request to the Secrets Manager service endpoint, then you must
-    #   generate a `ClientRequestToken` yourself for new versions and
-    #   include that value in the request.
-    #
-    #   You only need to specify your own value if you are implementing your
-    #   own retry logic and want to ensure that a given secret is not
-    #   created twice. We recommend that you generate a [UUID-type][1] value
-    #   to ensure uniqueness within the specified secret.
-    #
-    #   Secrets Manager uses this value to prevent the accidental creation
-    #   of duplicate versions if there are failures and retries during the
-    #   function's processing. This value becomes the `VersionId` of the
-    #   new version.
+    #   A unique identifier for the new version of the secret. You only need
+    #   to specify this value if you implement your own retry logic and you
+    #   want to ensure that Secrets Manager doesn't attempt to create a
+    #   secret version twice.
+    #
+    #   <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
+    #   Services SDKs to call this operation, then you can leave this
+    #   parameter empty. The CLI or SDK generates a random UUID for you and
+    #   includes it as the value for this parameter in the request.
+    #
+    #    </note>
+    #
+    #   If you generate a raw HTTP request to the Secrets Manager service
+    #   endpoint, then you must generate a `ClientRequestToken` and include
+    #   it in the request.
+    #
+    #   This value helps ensure idempotency. Secrets Manager uses this value
+    #   to prevent the accidental creation of duplicate versions if there
+    #   are failures and retries during a rotation. We recommend that you
+    #   generate a [UUID-type][1] value to ensure uniqueness of your
+    #   versions within the specified secret.
     #
     #   **A suitable default value is auto-generated.** You should normally
     #   not need to pass this option.
@@ -1591,21 +1726,49 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] rotation_lambda_arn
-    #   (Optional) Specifies the ARN of the Lambda function that can rotate
-    #   the secret.
+    #   For secrets that use a Lambda rotation function to rotate, the ARN
+    #   of the Lambda rotation function.
+    #
+    #   For secrets that use *managed rotation*, omit this field. For more
+    #   information, see [Managed rotation][1] in the *Secrets Manager User
+    #   Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_managed.html
     #   @return [String]
     #
     # @!attribute [rw] rotation_rules
     #   A structure that defines the rotation configuration for this secret.
     #   @return [Types::RotationRulesType]
     #
+    # @!attribute [rw] rotate_immediately
+    #   Specifies whether to rotate the secret immediately or wait until the
+    #   next scheduled rotation window. The rotation schedule is defined in
+    #   RotateSecretRequest$RotationRules.
+    #
+    #   For secrets that use a Lambda rotation function to rotate, if you
+    #   don't immediately rotate the secret, Secrets Manager tests the
+    #   rotation configuration by running the [ `testSecret` step][1] of the
+    #   Lambda rotation function. The test creates an `AWSPENDING` version
+    #   of the secret and then removes it.
+    #
+    #   By default, Secrets Manager rotates the secret immediately.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_lambda-functions.html#rotate-secrets_lambda-functions-code
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RotateSecretRequest AWS API Documentation
     #
     class RotateSecretRequest < Struct.new(
       :secret_id,
       :client_request_token,
       :rotation_lambda_arn,
-      :rotation_rules)
+      :rotation_rules,
+      :rotate_immediately)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1614,12 +1777,11 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret.
+    #   The name of the secret.
     #   @return [String]
     #
     # @!attribute [rw] version_id
-    #   The ID of the new version of the secret created by the rotation
-    #   started by this request.
+    #   The ID of the new version of the secret.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RotateSecretResponse AWS API Documentation
@@ -1628,58 +1790,101 @@ module Aws::SecretsManager
       :arn,
       :name,
       :version_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # A structure that defines the rotation configuration for the secret.
     #
-    # @note When making an API call, you may pass RotationRulesType
-    #   data as a hash:
-    #
-    #       {
-    #         automatically_after_days: 1,
-    #       }
-    #
     # @!attribute [rw] automatically_after_days
-    #   Specifies the number of days between automatic scheduled rotations
-    #   of the secret.
-    #
-    #   Secrets Manager schedules the next rotation when the previous one is
-    #   complete. Secrets Manager schedules the date by adding the rotation
-    #   interval (number of days) to the actual date of the last rotation.
-    #   The service chooses the hour within that 24-hour date window
-    #   randomly. The minute is also chosen somewhat randomly, but weighted
-    #   towards the top of the hour and influenced by a variety of factors
-    #   that help distribute load.
+    #   The number of days between rotations of the secret. You can use this
+    #   value to check that your secret meets your compliance guidelines for
+    #   how often secrets must be rotated. If you use this field to set the
+    #   rotation schedule, Secrets Manager calculates the next rotation date
+    #   based on the previous rotation. Manually updating the secret value
+    #   by calling `PutSecretValue` or `UpdateSecret` is considered a valid
+    #   rotation.
+    #
+    #   In `DescribeSecret` and `ListSecrets`, this value is calculated from
+    #   the rotation schedule after every successful rotation. In
+    #   `RotateSecret`, you can set the rotation schedule in `RotationRules`
+    #   with `AutomaticallyAfterDays` or `ScheduleExpression`, but not both.
+    #   To set a rotation schedule in hours, use `ScheduleExpression`.
     #   @return [Integer]
     #
+    # @!attribute [rw] duration
+    #   The length of the rotation window in hours, for example `3h` for a
+    #   three hour window. Secrets Manager rotates your secret at any time
+    #   during this window. The window must not extend into the next
+    #   rotation window or the next UTC day. The window starts according to
+    #   the `ScheduleExpression`. If you don't specify a `Duration`, for a
+    #   `ScheduleExpression` in hours, the window automatically closes after
+    #   one hour. For a `ScheduleExpression` in days, the window
+    #   automatically closes at the end of the UTC day. For more
+    #   information, including examples, see [Schedule expressions in
+    #   Secrets Manager rotation][1] in the *Secrets Manager Users Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html
+    #   @return [String]
+    #
+    # @!attribute [rw] schedule_expression
+    #   A `cron()` or `rate()` expression that defines the schedule for
+    #   rotating your secret. Secrets Manager rotation schedules use UTC
+    #   time zone. Secrets Manager rotates your secret any time during a
+    #   rotation window.
+    #
+    #   Secrets Manager `rate()` expressions represent the interval in hours
+    #   or days that you want to rotate your secret, for example `rate(12
+    #   hours)` or `rate(10 days)`. You can rotate a secret as often as
+    #   every four hours. If you use a `rate()` expression, the rotation
+    #   window starts at midnight. For a rate in hours, the default rotation
+    #   window closes after one hour. For a rate in days, the default
+    #   rotation window closes at the end of the day. You can set the
+    #   `Duration` to change the rotation window. The rotation window must
+    #   not extend into the next UTC day or into the next rotation window.
+    #
+    #   You can use a `cron()` expression to create a rotation schedule that
+    #   is more detailed than a rotation interval. For more information,
+    #   including examples, see [Schedule expressions in Secrets Manager
+    #   rotation][1] in the *Secrets Manager Users Guide*. For a cron
+    #   expression that represents a schedule in hours, the default rotation
+    #   window closes after one hour. For a cron expression that represents
+    #   a schedule in days, the default rotation window closes at the end of
+    #   the day. You can set the `Duration` to change the rotation window.
+    #   The rotation window must not extend into the next UTC day or into
+    #   the next rotation window.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/rotate-secrets_schedule.html
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/RotationRulesType AWS API Documentation
     #
     class RotationRulesType < Struct.new(
-      :automatically_after_days)
+      :automatically_after_days,
+      :duration,
+      :schedule_expression)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # A structure that contains the details about a secret. It does not
     # include the encrypted `SecretString` and `SecretBinary` values. To get
-    # those values, use the GetSecretValue operation.
+    # those values, use [GetSecretValue][1] .
     #
-    # @!attribute [rw] arn
-    #   The Amazon Resource Name (ARN) of the secret.
     #
-    #   For more information about ARNs in Secrets Manager, see [Policy
-    #   Resources][1] in the *AWS Secrets Manager User Guide*.
     #
+    # [1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
     #
-    #
-    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/reference_iam-permissions.html#iam-resources
+    # @!attribute [rw] arn
+    #   The Amazon Resource Name (ARN) of the secret.
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret. You can use forward slashes in the
-    #   name to represent a path hierarchy. For example,
-    #   `/prod/databases/dbserver1` could represent the secret for a server
-    #   named `dbserver1` in the folder `databases` in the folder `prod`.
+    #   The friendly name of the secret.
     #   @return [String]
     #
     # @!attribute [rw] description
@@ -1687,22 +1892,24 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] kms_key_id
-    #   The ARN or alias of the AWS KMS customer master key (CMK) that's
-    #   used to encrypt the `SecretString` and `SecretBinary` fields in each
-    #   version of the secret. If you don't provide a key, then Secrets
-    #   Manager defaults to encrypting the secret fields with the default
-    #   KMS CMK (the one named `awssecretsmanager`) for this account.
+    #   The ARN of the KMS key that Secrets Manager uses to encrypt the
+    #   secret value. If the secret is encrypted with the Amazon Web
+    #   Services managed key `aws/secretsmanager`, this field is omitted.
     #   @return [String]
     #
     # @!attribute [rw] rotation_enabled
-    #   Indicated whether automatic, scheduled rotation is enabled for this
+    #   Indicates whether automatic, scheduled rotation is enabled for this
     #   secret.
     #   @return [Boolean]
     #
     # @!attribute [rw] rotation_lambda_arn
-    #   The ARN of an AWS Lambda function that's invoked by Secrets Manager
-    #   to rotate and expire the secret either automatically per the
-    #   schedule or manually by a call to RotateSecret.
+    #   The ARN of an Amazon Web Services Lambda function invoked by Secrets
+    #   Manager to rotate and expire the secret either automatically per the
+    #   schedule or manually by a call to [ `RotateSecret` ][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_RotateSecret.html
     #   @return [String]
     #
     # @!attribute [rw] rotation_rules
@@ -1710,8 +1917,9 @@ module Aws::SecretsManager
     #   @return [Types::RotationRulesType]
     #
     # @!attribute [rw] last_rotated_date
-    #   The last date and time that the rotation process for this secret was
-    #   invoked.
+    #   The most recent date and time that the Secrets Manager rotation
+    #   process was successfully completed. This value is null if the secret
+    #   hasn't ever rotated.
     #   @return [Time]
     #
     # @!attribute [rw] last_changed_date
@@ -1719,27 +1927,42 @@ module Aws::SecretsManager
     #   @return [Time]
     #
     # @!attribute [rw] last_accessed_date
-    #   The last date that this secret was accessed. This value is truncated
-    #   to midnight of the date and therefore shows only the date, not the
-    #   time.
+    #   The date that the secret was last accessed in the Region. This field
+    #   is omitted if the secret has never been retrieved in the Region.
     #   @return [Time]
     #
     # @!attribute [rw] deleted_date
-    #   The date and time on which this secret was deleted. Not present on
-    #   active secrets. The secret can be recovered until the number of days
-    #   in the recovery window has passed, as specified in the
-    #   `RecoveryWindowInDays` parameter of the DeleteSecret operation.
+    #   The date and time the deletion of the secret occurred. Not present
+    #   on active secrets. The secret can be recovered until the number of
+    #   days in the recovery window has passed, as specified in the
+    #   `RecoveryWindowInDays` parameter of the [ `DeleteSecret` ][1]
+    #   operation.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_DeleteSecret.html
+    #   @return [Time]
+    #
+    # @!attribute [rw] next_rotation_date
+    #   The next rotation is scheduled to occur on or before this date. If
+    #   the secret isn't configured for rotation or rotation has been
+    #   disabled, Secrets Manager returns null.
     #   @return [Time]
     #
     # @!attribute [rw] tags
-    #   The list of user-defined tags that are associated with the secret.
-    #   To add tags to a secret, use TagResource. To remove tags, use
-    #   UntagResource.
+    #   The list of user-defined tags associated with the secret. To add
+    #   tags to a secret, use [ `TagResource` ][1]. To remove tags, use [
+    #   `UntagResource` ][2].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_TagResource.html
+    #   [2]: https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_UntagResource.html
     #   @return [Array<Types::Tag>]
     #
     # @!attribute [rw] secret_versions_to_stages
     #   A list of all of the currently assigned `SecretVersionStage` staging
-    #   labels and the `SecretVersionId` that each is attached to. Staging
+    #   labels and the `SecretVersionId` attached to each one. Staging
     #   labels are used to keep track of the different versions during the
     #   rotation process.
     #
@@ -1751,6 +1974,15 @@ module Aws::SecretsManager
     #   @return [Hash<String,Array<String>>]
     #
     # @!attribute [rw] owning_service
+    #   Returns the name of the service that created the secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] created_date
+    #   The date and time when a secret was created.
+    #   @return [Time]
+    #
+    # @!attribute [rw] primary_region
+    #   The Region where Secrets Manager originated the secret.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/SecretListEntry AWS API Documentation
@@ -1767,9 +1999,66 @@ module Aws::SecretsManager
       :last_changed_date,
       :last_accessed_date,
       :deleted_date,
+      :next_rotation_date,
       :tags,
       :secret_versions_to_stages,
-      :owning_service)
+      :owning_service,
+      :created_date,
+      :primary_region)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A structure that contains the secret value and other details for a
+    # secret.
+    #
+    # @!attribute [rw] arn
+    #   The Amazon Resource Name (ARN) of the secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] name
+    #   The friendly name of the secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] version_id
+    #   The unique version identifier of this version of the secret.
+    #   @return [String]
+    #
+    # @!attribute [rw] secret_binary
+    #   The decrypted secret value, if the secret value was originally
+    #   provided as binary data in the form of a byte array. The parameter
+    #   represents the binary data as a [base64-encoded][1] string.
+    #
+    #
+    #
+    #   [1]: https://tools.ietf.org/html/rfc4648#section-4
+    #   @return [String]
+    #
+    # @!attribute [rw] secret_string
+    #   The decrypted secret value, if the secret value was originally
+    #   provided as a string or through the Secrets Manager console.
+    #   @return [String]
+    #
+    # @!attribute [rw] version_stages
+    #   A list of all of the staging labels currently attached to this
+    #   version of the secret.
+    #   @return [Array<String>]
+    #
+    # @!attribute [rw] created_date
+    #   The date the secret was created.
+    #   @return [Time]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/SecretValueEntry AWS API Documentation
+    #
+    class SecretValueEntry < Struct.new(
+      :arn,
+      :name,
+      :version_id,
+      :secret_binary,
+      :secret_string,
+      :version_stages,
+      :created_date)
+      SENSITIVE = [:secret_binary, :secret_string]
       include Aws::Structure
     end
 
@@ -1794,32 +2083,55 @@ module Aws::SecretsManager
     #   The date and time this version of the secret was created.
     #   @return [Time]
     #
+    # @!attribute [rw] kms_key_ids
+    #   The KMS keys used to encrypt the secret version.
+    #   @return [Array<String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/SecretVersionsListEntry AWS API Documentation
     #
     class SecretVersionsListEntry < Struct.new(
       :version_id,
       :version_stages,
       :last_accessed_date,
-      :created_date)
+      :created_date,
+      :kms_key_ids)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # A structure that contains information about a tag.
+    # @!attribute [rw] secret_id
+    #   The ARN of the primary secret.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/StopReplicationToReplicaRequest AWS API Documentation
+    #
+    class StopReplicationToReplicaRequest < Struct.new(
+      :secret_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] arn
+    #   The ARN of the promoted secret. The ARN is the same as the original
+    #   primary secret except the Region is changed.
+    #   @return [String]
     #
-    # @note When making an API call, you may pass Tag
-    #   data as a hash:
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/StopReplicationToReplicaResponse AWS API Documentation
     #
-    #       {
-    #         key: "TagKeyType",
-    #         value: "TagValueType",
-    #       }
+    class StopReplicationToReplicaResponse < Struct.new(
+      :arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # A structure that contains information about a tag.
     #
     # @!attribute [rw] key
     #   The key identifier, or name, of the tag.
     #   @return [String]
     #
     # @!attribute [rw] value
-    #   The string value that's associated with the key of the tag.
+    #   The string value associated with the key of the tag.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/Tag AWS API Documentation
@@ -1827,58 +2139,35 @@ module Aws::SecretsManager
     class Tag < Struct.new(
       :key,
       :value)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass TagResourceRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The identifier for the secret to attach tags to. You can specify
+    #   either the Amazon Resource Name (ARN) or the friendly name of the
+    #   secret.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #         tags: [ # required
-    #           {
-    #             key: "TagKeyType",
-    #             value: "TagValueType",
-    #           },
-    #         ],
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   The identifier for the secret that you want to attach tags to. You
-    #   can specify either the Amazon Resource Name (ARN) or the friendly
-    #   name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @!attribute [rw] tags
-    #   The tags to attach to the secret. Each element in the list consists
-    #   of a `Key` and a `Value`.
+    #   The tags to attach to the secret as a JSON text string argument.
+    #   Each element in the list consists of a `Key` and a `Value`.
     #
-    #   This parameter to the API requires a JSON text string argument. For
-    #   information on how to format a JSON parameter for the various
-    #   command line tool environments, see [Using JSON for Parameters][1]
-    #   in the *AWS CLI User Guide*. For the AWS CLI, you can also use the
-    #   syntax: `--Tags
-    #   Key="Key1",Value="Value1",Key="Key2",Value="Value2"[,…]`
+    #   For storing multiple values, we recommend that you use a JSON text
+    #   string argument and specify key/value pairs. For more information,
+    #   see [Specifying parameter values for the Amazon Web Services CLI][1]
+    #   in the Amazon Web Services CLI User Guide.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
+    #   [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters.html
     #   @return [Array<Types::Tag>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/TagResourceRequest AWS API Documentation
@@ -1886,37 +2175,19 @@ module Aws::SecretsManager
     class TagResourceRequest < Struct.new(
       :secret_id,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass UntagResourceRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #         tag_keys: ["TagKeyType"], # required
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   The identifier for the secret that you want to remove tags from. You
-    #   can specify either the Amazon Resource Name (ARN) or the friendly
-    #   name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @!attribute [rw] tag_keys
@@ -1924,14 +2195,16 @@ module Aws::SecretsManager
     #   specify the value. Both the key and its associated value are
     #   removed.
     #
-    #   This parameter to the API requires a JSON text string argument. For
-    #   information on how to format a JSON parameter for the various
-    #   command line tool environments, see [Using JSON for Parameters][1]
-    #   in the *AWS CLI User Guide*.
+    #   This parameter requires a JSON text string argument.
+    #
+    #   For storing multiple values, we recommend that you use a JSON text
+    #   string argument and specify key/value pairs. For more information,
+    #   see [Specifying parameter values for the Amazon Web Services CLI][1]
+    #   in the Amazon Web Services CLI User Guide.
     #
     #
     #
-    #   [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
+    #   [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-usage-parameters.html
     #   @return [Array<String>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/UntagResourceRequest AWS API Documentation
@@ -1939,79 +2212,42 @@ module Aws::SecretsManager
     class UntagResourceRequest < Struct.new(
       :secret_id,
       :tag_keys)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass UpdateSecretRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #         client_request_token: "ClientRequestTokenType",
-    #         description: "DescriptionType",
-    #         kms_key_id: "KmsKeyIdType",
-    #         secret_binary: "data",
-    #         secret_string: "SecretStringType",
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   Specifies the secret that you want to modify or to which you want to
-    #   add a new version. You can specify either the Amazon Resource Name
-    #   (ARN) or the friendly name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @!attribute [rw] client_request_token
-    #   (Optional) If you want to add a new version to the secret, this
-    #   parameter specifies a unique identifier for the new version that
-    #   helps ensure idempotency.
-    #
-    #   If you use the AWS CLI or one of the AWS SDK to call this operation,
-    #   then you can leave this parameter empty. The CLI or SDK generates a
-    #   random UUID for you and includes that in the request. If you don't
-    #   use the SDK and instead generate a raw HTTP request to the Secrets
-    #   Manager service endpoint, then you must generate a
-    #   `ClientRequestToken` yourself for new versions and include that
-    #   value in the request.
-    #
-    #   You typically only need to interact with this value if you implement
-    #   your own retry logic and want to ensure that a given secret is not
-    #   created twice. We recommend that you generate a [UUID-type][1] value
-    #   to ensure uniqueness within the specified secret.
-    #
-    #   Secrets Manager uses this value to prevent the accidental creation
-    #   of duplicate versions if there are failures and retries during the
-    #   Lambda rotation function's processing.
+    #   If you include `SecretString` or `SecretBinary`, then Secrets
+    #   Manager creates a new version for the secret, and this parameter
+    #   specifies the unique identifier for the new version.
     #
-    #   * If the `ClientRequestToken` value isn't already associated with a
-    #     version of the secret then a new version of the secret is created.
+    #   <note markdown="1"> If you use the Amazon Web Services CLI or one of the Amazon Web
+    #   Services SDKs to call this operation, then you can leave this
+    #   parameter empty. The CLI or SDK generates a random UUID for you and
+    #   includes it as the value for this parameter in the request.
     #
-    #   * If a version with this value already exists and that version's
-    #     `SecretString` and `SecretBinary` values are the same as those in
-    #     the request then the request is ignored (the operation is
-    #     idempotent).
+    #    </note>
     #
-    #   * If a version with this value already exists and that version's
-    #     `SecretString` and `SecretBinary` values are different from the
-    #     request then an error occurs because you cannot modify an existing
-    #     secret value.
+    #   If you generate a raw HTTP request to the Secrets Manager service
+    #   endpoint, then you must generate a `ClientRequestToken` and include
+    #   it in the request.
     #
-    #   This value becomes the `VersionId` of the new version.
+    #   This value helps ensure idempotency. Secrets Manager uses this value
+    #   to prevent the accidental creation of duplicate versions if there
+    #   are failures and retries during a rotation. We recommend that you
+    #   generate a [UUID-type][1] value to ensure uniqueness of your
+    #   versions within the specified secret.
     #
     #   **A suitable default value is auto-generated.** You should normally
     #   not need to pass this option.
@@ -2022,67 +2258,72 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   (Optional) Specifies an updated user-provided description of the
-    #   secret.
+    #   The description of the secret.
     #   @return [String]
     #
     # @!attribute [rw] kms_key_id
-    #   (Optional) Specifies an updated ARN or alias of the AWS KMS customer
-    #   master key (CMK) to be used to encrypt the protected text in new
-    #   versions of this secret.
+    #   The ARN, key ID, or alias of the KMS key that Secrets Manager uses
+    #   to encrypt new secret versions as well as any existing versions with
+    #   the staging labels `AWSCURRENT`, `AWSPENDING`, or `AWSPREVIOUS`. If
+    #   you don't have `kms:Encrypt` permission to the new key, Secrets
+    #   Manager does not re-encrypt existing secret versions with the new
+    #   key. For more information about versions and staging labels, see
+    #   [Concepts: Version][1].
     #
-    #   You can only use the account's default CMK to encrypt and decrypt
-    #   if you call this operation using credentials from the same account
-    #   that owns the secret. If the secret is in a different account, then
-    #   you must create a custom CMK and provide the ARN of that CMK in this
-    #   field. The user making the call must have permissions to both the
-    #   secret and the CMK in their respective accounts.
-    #   @return [String]
+    #   A key alias is always prefixed by `alias/`, for example
+    #   `alias/aws/secretsmanager`. For more information, see [About
+    #   aliases][2].
     #
-    # @!attribute [rw] secret_binary
-    #   (Optional) Specifies updated binary data that you want to encrypt
-    #   and store in the new version of the secret. To use this parameter in
-    #   the command-line tools, we recommend that you store your binary data
-    #   in a file and then use the appropriate technique for your tool to
-    #   pass the contents of the file as a parameter. Either `SecretBinary`
-    #   or `SecretString` must have a value, but not both. They cannot both
-    #   be empty.
+    #   If you set this to an empty string, Secrets Manager uses the Amazon
+    #   Web Services managed key `aws/secretsmanager`. If this key doesn't
+    #   already exist in your account, then Secrets Manager creates it for
+    #   you automatically. All users and roles in the Amazon Web Services
+    #   account automatically have access to use `aws/secretsmanager`.
+    #   Creating `aws/secretsmanager` can result in a one-time significant
+    #   delay in returning the result.
     #
-    #   This parameter is not accessible using the Secrets Manager console.
-    #   @return [String]
+    #   You can only use the Amazon Web Services managed key
+    #   `aws/secretsmanager` if you call this operation using credentials
+    #   from the same Amazon Web Services account that owns the secret. If
+    #   the secret is in a different account, then you must use a customer
+    #   managed key and provide the ARN of that KMS key in this field. The
+    #   user making the call must have permissions to both the secret and
+    #   the KMS key in their respective accounts.
     #
-    # @!attribute [rw] secret_string
-    #   (Optional) Specifies updated text data that you want to encrypt and
-    #   store in this new version of the secret. Either `SecretBinary` or
-    #   `SecretString` must have a value, but not both. They cannot both be
-    #   empty.
     #
-    #   If you create this secret by using the Secrets Manager console then
-    #   Secrets Manager puts the protected secret text in only the
-    #   `SecretString` parameter. The Secrets Manager console stores the
-    #   information as a JSON structure of key/value pairs that the default
-    #   Lambda rotation function knows how to parse.
     #
-    #   For storing multiple values, we recommend that you use a JSON text
-    #   string argument and specify key/value pairs. For information on how
-    #   to format a JSON parameter for the various command line tool
-    #   environments, see [Using JSON for Parameters][1] in the *AWS CLI
-    #   User Guide*. For example:
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/getting-started.html#term_version
+    #   [2]: https://docs.aws.amazon.com/kms/latest/developerguide/alias-about.html
+    #   @return [String]
     #
-    #   `[\{"username":"bob"\},\{"password":"abc123xyz456"\}]`
+    # @!attribute [rw] secret_binary
+    #   The binary data to encrypt and store in the new version of the
+    #   secret. We recommend that you store your binary data in a file and
+    #   then pass the contents of the file as a parameter.
     #
-    #   If your command-line tool or SDK requires quotation marks around the
-    #   parameter, you should use single quotes to avoid confusion with the
-    #   double quotes required in the JSON text. You can also 'escape' the
-    #   double quote character in the embedded JSON text by prefacing each
-    #   with a backslash. For example, the following string is surrounded by
-    #   double-quotes. All of the embedded double quotes are escaped:
+    #   Either `SecretBinary` or `SecretString` must have a value, but not
+    #   both.
     #
-    #   `"[\{"username":"bob"\},\{"password":"abc123xyz456"\}]"`
+    #   You can't access this parameter in the Secrets Manager console.
     #
+    #   Sensitive: This field contains sensitive information, so the service
+    #   does not include it in CloudTrail log entries. If you create your
+    #   own log entries, you must also avoid logging the information in this
+    #   field.
+    #   @return [String]
+    #
+    # @!attribute [rw] secret_string
+    #   The text data to encrypt and store in the new version of the secret.
+    #   We recommend you use a JSON structure of key/value pairs for your
+    #   secret value.
     #
+    #   Either `SecretBinary` or `SecretString` must have a value, but not
+    #   both.
     #
-    #   [1]: https://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
+    #   Sensitive: This field contains sensitive information, so the service
+    #   does not include it in CloudTrail log entries. If you create your
+    #   own log entries, you must also avoid logging the information in this
+    #   field.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/UpdateSecretRequest AWS API Documentation
@@ -2094,30 +2335,22 @@ module Aws::SecretsManager
       :kms_key_id,
       :secret_binary,
       :secret_string)
+      SENSITIVE = [:secret_binary, :secret_string]
       include Aws::Structure
     end
 
     # @!attribute [rw] arn
     #   The ARN of the secret that was updated.
-    #
-    #   <note markdown="1"> Secrets Manager automatically adds several random characters to the
-    #   name at the end of the ARN when you initially create a secret. This
-    #   affects only the ARN and not the actual friendly name. This ensures
-    #   that if you create a new secret with the same name as an old secret
-    #   that you previously deleted, then users with access to the old
-    #   secret *don't* automatically get access to the new secret because
-    #   the ARNs are different.
-    #
-    #    </note>
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret that was updated.
+    #   The name of the secret that was updated.
     #   @return [String]
     #
     # @!attribute [rw] version_id
-    #   If a new version of the secret was created by this operation, then
-    #   `VersionId` contains the unique identifier of the new version.
+    #   If Secrets Manager created a new version of the secret during this
+    #   operation, then `VersionId` contains the unique identifier of the
+    #   new version.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/UpdateSecretResponse AWS API Documentation
@@ -2126,39 +2359,20 @@ module Aws::SecretsManager
       :arn,
       :name,
       :version_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
-    # @note When making an API call, you may pass UpdateSecretVersionStageRequest
-    #   data as a hash:
+    # @!attribute [rw] secret_id
+    #   The ARN or the name of the secret with the version and staging
+    #   labelsto modify.
     #
-    #       {
-    #         secret_id: "SecretIdType", # required
-    #         version_stage: "SecretVersionStageType", # required
-    #         remove_from_version_id: "SecretVersionIdType",
-    #         move_to_version_id: "SecretVersionIdType",
-    #       }
+    #   For an ARN, we recommend that you specify a complete ARN rather than
+    #   a partial ARN. See [Finding a secret from a partial ARN][1].
     #
-    # @!attribute [rw] secret_id
-    #   Specifies the secret with the version whose list of staging labels
-    #   you want to modify. You can specify either the Amazon Resource Name
-    #   (ARN) or the friendly name of the secret.
-    #
-    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
-    #   complete ARN. You can specify a partial ARN too—for example, if you
-    #   don’t include the final hyphen and six random characters that
-    #   Secrets Manager adds at the end of the ARN when you created the
-    #   secret. A partial ARN match can work as long as it uniquely matches
-    #   only one secret. However, if your secret has a name that ends in a
-    #   hyphen followed by six characters (before Secrets Manager adds the
-    #   hyphen and six characters to the ARN) and you try to use that as a
-    #   partial ARN, then those characters cause Secrets Manager to assume
-    #   that you’re specifying a complete ARN. This confusion can cause
-    #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
-    #   characters.
     #
-    #    </note>
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/troubleshoot.html#ARN_secretnamehyphen
     #   @return [String]
     #
     # @!attribute [rw] version_stage
@@ -2166,19 +2380,18 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] remove_from_version_id
-    #   Specifies the secret version ID of the version that the staging
-    #   label is to be removed from. If the staging label you are trying to
-    #   attach to one version is already attached to a different version,
-    #   then you must include this parameter and specify the version that
-    #   the label is to be removed from. If the label is attached and you
-    #   either do not specify this parameter, or the version ID does not
-    #   match, then the operation fails.
+    #   The ID of the version that the staging label is to be removed from.
+    #   If the staging label you are trying to attach to one version is
+    #   already attached to a different version, then you must include this
+    #   parameter and specify the version that the label is to be removed
+    #   from. If the label is attached and you either do not specify this
+    #   parameter, or the version ID does not match, then the operation
+    #   fails.
     #   @return [String]
     #
     # @!attribute [rw] move_to_version_id
-    #   (Optional) The secret version ID that you want to add the staging
-    #   label to. If you want to remove a label from a version, then do not
-    #   specify this parameter.
+    #   The ID of the version to add the staging label to. To remove a label
+    #   from a version, then do not specify this parameter.
     #
     #   If the staging label is already attached to a different version of
     #   the secret, then you must also specify the `RemoveFromVersionId`
@@ -2192,16 +2405,16 @@ module Aws::SecretsManager
       :version_stage,
       :remove_from_version_id,
       :move_to_version_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] arn
-    #   The ARN of the secret with the staging label that was modified.
+    #   The ARN of the secret that was updated.
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret with the staging label that was
-    #   modified.
+    #   The name of the secret that was updated.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/UpdateSecretVersionStageResponse AWS API Documentation
@@ -2209,8 +2422,73 @@ module Aws::SecretsManager
     class UpdateSecretVersionStageResponse < Struct.new(
       :arn,
       :name)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] secret_id
+    #   The ARN or name of the secret with the resource-based policy you
+    #   want to validate.
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_policy
+    #   A JSON-formatted string that contains an Amazon Web Services
+    #   resource-based policy. The policy in the string identifies who can
+    #   access or manage this secret and its versions. For example policies,
+    #   see [Permissions policy examples][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_examples.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ValidateResourcePolicyRequest AWS API Documentation
+    #
+    class ValidateResourcePolicyRequest < Struct.new(
+      :secret_id,
+      :resource_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] policy_validation_passed
+    #   True if your policy passes validation, otherwise false.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] validation_errors
+    #   Validation errors if your policy didn't pass validation.
+    #   @return [Array<Types::ValidationErrorsEntry>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ValidateResourcePolicyResponse AWS API Documentation
+    #
+    class ValidateResourcePolicyResponse < Struct.new(
+      :policy_validation_passed,
+      :validation_errors)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Displays errors that occurred during validation of the resource
+    # policy.
+    #
+    # @!attribute [rw] check_name
+    #   Checks the name of the policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] error_message
+    #   Displays error messages if validation encounters problems during
+    #   validation of the resource policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ValidationErrorsEntry AWS API Documentation
+    #
+    class ValidationErrorsEntry < Struct.new(
+      :check_name,
+      :error_message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
   end
 end
+