aws-sdk-secretsmanager 1.37.1 → 1.42.0

data/lib/aws-sdk-secretsmanager/client_api.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -36,6 +38,11 @@ module Aws::SecretsManager
     ExcludeNumbersType = Shapes::BooleanShape.new(name: 'ExcludeNumbersType')
     ExcludePunctuationType = Shapes::BooleanShape.new(name: 'ExcludePunctuationType')
     ExcludeUppercaseType = Shapes::BooleanShape.new(name: 'ExcludeUppercaseType')
+    Filter = Shapes::StructureShape.new(name: 'Filter')
+    FilterNameStringType = Shapes::StringShape.new(name: 'FilterNameStringType')
+    FilterValueStringType = Shapes::StringShape.new(name: 'FilterValueStringType')
+    FilterValuesStringList = Shapes::ListShape.new(name: 'FilterValuesStringList')
+    FiltersListType = Shapes::ListShape.new(name: 'FiltersListType')
     GetRandomPasswordRequest = Shapes::StructureShape.new(name: 'GetRandomPasswordRequest')
     GetRandomPasswordResponse = Shapes::StructureShape.new(name: 'GetRandomPasswordResponse')
     GetResourcePolicyRequest = Shapes::StructureShape.new(name: 'GetResourcePolicyRequest')
@@ -64,6 +71,7 @@ module Aws::SecretsManager
     OwningServiceType = Shapes::StringShape.new(name: 'OwningServiceType')
     PasswordLengthType = Shapes::IntegerShape.new(name: 'PasswordLengthType')
     PreconditionNotMetException = Shapes::StructureShape.new(name: 'PreconditionNotMetException')
+    PublicPolicyException = Shapes::StructureShape.new(name: 'PublicPolicyException')
     PutResourcePolicyRequest = Shapes::StructureShape.new(name: 'PutResourcePolicyRequest')
     PutResourcePolicyResponse = Shapes::StructureShape.new(name: 'PutResourcePolicyResponse')
     PutSecretValueRequest = Shapes::StructureShape.new(name: 'PutSecretValueRequest')
@@ -93,17 +101,23 @@ module Aws::SecretsManager
     SecretVersionsListEntry = Shapes::StructureShape.new(name: 'SecretVersionsListEntry')
     SecretVersionsListType = Shapes::ListShape.new(name: 'SecretVersionsListType')
     SecretVersionsToStagesMapType = Shapes::MapShape.new(name: 'SecretVersionsToStagesMapType')
+    SortOrderType = Shapes::StringShape.new(name: 'SortOrderType')
     Tag = Shapes::StructureShape.new(name: 'Tag')
     TagKeyListType = Shapes::ListShape.new(name: 'TagKeyListType')
     TagKeyType = Shapes::StringShape.new(name: 'TagKeyType')
     TagListType = Shapes::ListShape.new(name: 'TagListType')
     TagResourceRequest = Shapes::StructureShape.new(name: 'TagResourceRequest')
     TagValueType = Shapes::StringShape.new(name: 'TagValueType')
+    TimestampType = Shapes::TimestampShape.new(name: 'TimestampType')
     UntagResourceRequest = Shapes::StructureShape.new(name: 'UntagResourceRequest')
     UpdateSecretRequest = Shapes::StructureShape.new(name: 'UpdateSecretRequest')
     UpdateSecretResponse = Shapes::StructureShape.new(name: 'UpdateSecretResponse')
     UpdateSecretVersionStageRequest = Shapes::StructureShape.new(name: 'UpdateSecretVersionStageRequest')
     UpdateSecretVersionStageResponse = Shapes::StructureShape.new(name: 'UpdateSecretVersionStageResponse')
+    ValidateResourcePolicyRequest = Shapes::StructureShape.new(name: 'ValidateResourcePolicyRequest')
+    ValidateResourcePolicyResponse = Shapes::StructureShape.new(name: 'ValidateResourcePolicyResponse')
+    ValidationErrorsEntry = Shapes::StructureShape.new(name: 'ValidationErrorsEntry')
+    ValidationErrorsType = Shapes::ListShape.new(name: 'ValidationErrorsType')
 
     CancelRotateSecretRequest.add_member(:secret_id, Shapes::ShapeRef.new(shape: SecretIdType, required: true, location_name: "SecretId"))
     CancelRotateSecretRequest.struct_class = Types::CancelRotateSecretRequest
@@ -164,11 +178,20 @@ module Aws::SecretsManager
     DescribeSecretResponse.add_member(:tags, Shapes::ShapeRef.new(shape: TagListType, location_name: "Tags"))
     DescribeSecretResponse.add_member(:version_ids_to_stages, Shapes::ShapeRef.new(shape: SecretVersionsToStagesMapType, location_name: "VersionIdsToStages"))
     DescribeSecretResponse.add_member(:owning_service, Shapes::ShapeRef.new(shape: OwningServiceType, location_name: "OwningService"))
+    DescribeSecretResponse.add_member(:created_date, Shapes::ShapeRef.new(shape: TimestampType, location_name: "CreatedDate", metadata: {"box"=>true}))
     DescribeSecretResponse.struct_class = Types::DescribeSecretResponse
 
     EncryptionFailure.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "Message"))
     EncryptionFailure.struct_class = Types::EncryptionFailure
 
+    Filter.add_member(:key, Shapes::ShapeRef.new(shape: FilterNameStringType, location_name: "Key"))
+    Filter.add_member(:values, Shapes::ShapeRef.new(shape: FilterValuesStringList, location_name: "Values"))
+    Filter.struct_class = Types::Filter
+
+    FilterValuesStringList.member = Shapes::ShapeRef.new(shape: FilterValueStringType)
+
+    FiltersListType.member = Shapes::ShapeRef.new(shape: Filter)
+
     GetRandomPasswordRequest.add_member(:password_length, Shapes::ShapeRef.new(shape: PasswordLengthType, location_name: "PasswordLength", metadata: {"box"=>true}))
     GetRandomPasswordRequest.add_member(:exclude_characters, Shapes::ShapeRef.new(shape: ExcludeCharactersType, location_name: "ExcludeCharacters"))
     GetRandomPasswordRequest.add_member(:exclude_numbers, Shapes::ShapeRef.new(shape: ExcludeNumbersType, location_name: "ExcludeNumbers", metadata: {"box"=>true}))
@@ -233,6 +256,8 @@ module Aws::SecretsManager
 
     ListSecretsRequest.add_member(:max_results, Shapes::ShapeRef.new(shape: MaxResultsType, location_name: "MaxResults", metadata: {"box"=>true}))
     ListSecretsRequest.add_member(:next_token, Shapes::ShapeRef.new(shape: NextTokenType, location_name: "NextToken"))
+    ListSecretsRequest.add_member(:filters, Shapes::ShapeRef.new(shape: FiltersListType, location_name: "Filters"))
+    ListSecretsRequest.add_member(:sort_order, Shapes::ShapeRef.new(shape: SortOrderType, location_name: "SortOrder"))
     ListSecretsRequest.struct_class = Types::ListSecretsRequest
 
     ListSecretsResponse.add_member(:secret_list, Shapes::ShapeRef.new(shape: SecretListType, location_name: "SecretList"))
@@ -245,8 +270,12 @@ module Aws::SecretsManager
     PreconditionNotMetException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "Message"))
     PreconditionNotMetException.struct_class = Types::PreconditionNotMetException
 
+    PublicPolicyException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "Message"))
+    PublicPolicyException.struct_class = Types::PublicPolicyException
+
     PutResourcePolicyRequest.add_member(:secret_id, Shapes::ShapeRef.new(shape: SecretIdType, required: true, location_name: "SecretId"))
     PutResourcePolicyRequest.add_member(:resource_policy, Shapes::ShapeRef.new(shape: NonEmptyResourcePolicyType, required: true, location_name: "ResourcePolicy"))
+    PutResourcePolicyRequest.add_member(:block_public_policy, Shapes::ShapeRef.new(shape: BooleanType, location_name: "BlockPublicPolicy", metadata: {"box"=>true}))
     PutResourcePolicyRequest.struct_class = Types::PutResourcePolicyRequest
 
     PutResourcePolicyResponse.add_member(:arn, Shapes::ShapeRef.new(shape: SecretARNType, location_name: "ARN"))
@@ -307,6 +336,7 @@ module Aws::SecretsManager
     SecretListEntry.add_member(:tags, Shapes::ShapeRef.new(shape: TagListType, location_name: "Tags"))
     SecretListEntry.add_member(:secret_versions_to_stages, Shapes::ShapeRef.new(shape: SecretVersionsToStagesMapType, location_name: "SecretVersionsToStages"))
     SecretListEntry.add_member(:owning_service, Shapes::ShapeRef.new(shape: OwningServiceType, location_name: "OwningService"))
+    SecretListEntry.add_member(:created_date, Shapes::ShapeRef.new(shape: TimestampType, location_name: "CreatedDate", metadata: {"box"=>true}))
     SecretListEntry.struct_class = Types::SecretListEntry
 
     SecretListType.member = Shapes::ShapeRef.new(shape: SecretListEntry)
@@ -363,6 +393,20 @@ module Aws::SecretsManager
     UpdateSecretVersionStageResponse.add_member(:name, Shapes::ShapeRef.new(shape: SecretNameType, location_name: "Name"))
     UpdateSecretVersionStageResponse.struct_class = Types::UpdateSecretVersionStageResponse
 
+    ValidateResourcePolicyRequest.add_member(:secret_id, Shapes::ShapeRef.new(shape: SecretIdType, location_name: "SecretId"))
+    ValidateResourcePolicyRequest.add_member(:resource_policy, Shapes::ShapeRef.new(shape: NonEmptyResourcePolicyType, required: true, location_name: "ResourcePolicy"))
+    ValidateResourcePolicyRequest.struct_class = Types::ValidateResourcePolicyRequest
+
+    ValidateResourcePolicyResponse.add_member(:policy_validation_passed, Shapes::ShapeRef.new(shape: BooleanType, location_name: "PolicyValidationPassed"))
+    ValidateResourcePolicyResponse.add_member(:validation_errors, Shapes::ShapeRef.new(shape: ValidationErrorsType, location_name: "ValidationErrors"))
+    ValidateResourcePolicyResponse.struct_class = Types::ValidateResourcePolicyResponse
+
+    ValidationErrorsEntry.add_member(:check_name, Shapes::ShapeRef.new(shape: NameType, location_name: "CheckName"))
+    ValidationErrorsEntry.add_member(:error_message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "ErrorMessage"))
+    ValidationErrorsEntry.struct_class = Types::ValidationErrorsEntry
+
+    ValidationErrorsType.member = Shapes::ShapeRef.new(shape: ValidationErrorsEntry)
+
 
     # @api private
     API = Seahorse::Model::Api.new.tap do |api|
@@ -524,6 +568,7 @@ module Aws::SecretsManager
         o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
         o.errors << Shapes::ShapeRef.new(shape: InternalServiceError)
         o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
+        o.errors << Shapes::ShapeRef.new(shape: PublicPolicyException)
       end)
 
       api.add_operation(:put_secret_value, Seahorse::Model::Operation.new.tap do |o|
@@ -618,6 +663,19 @@ module Aws::SecretsManager
         o.errors << Shapes::ShapeRef.new(shape: LimitExceededException)
         o.errors << Shapes::ShapeRef.new(shape: InternalServiceError)
       end)
+
+      api.add_operation(:validate_resource_policy, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "ValidateResourcePolicy"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: ValidateResourcePolicyRequest)
+        o.output = Shapes::ShapeRef.new(shape: ValidateResourcePolicyResponse)
+        o.errors << Shapes::ShapeRef.new(shape: MalformedPolicyDocumentException)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidParameterException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServiceError)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
+      end)
     end
 
   end

data/lib/aws-sdk-secretsmanager/errors.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -34,6 +36,7 @@ module Aws::SecretsManager
   # * {LimitExceededException}
   # * {MalformedPolicyDocumentException}
   # * {PreconditionNotMetException}
+  # * {PublicPolicyException}
   # * {ResourceExistsException}
   # * {ResourceNotFoundException}
   #
@@ -178,6 +181,21 @@ module Aws::SecretsManager
       end
     end
 
+    class PublicPolicyException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::SecretsManager::Types::PublicPolicyException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
     class ResourceExistsException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context

data/lib/aws-sdk-secretsmanager/resource.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:

data/lib/aws-sdk-secretsmanager/types.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -16,9 +18,9 @@ module Aws::SecretsManager
     #       }
     #
     # @!attribute [rw] secret_id
-    #   Specifies the secret for which you want to cancel a rotation
-    #   request. You can specify either the Amazon Resource Name (ARN) or
-    #   the friendly name of the secret.
+    #   Specifies the secret to cancel a rotation request. You can specify
+    #   either the Amazon Resource Name (ARN) or the friendly name of the
+    #   secret.
     #
     #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
     #   complete ARN. You can specify a partial ARN too—for example, if you
@@ -31,9 +33,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -41,6 +49,7 @@ module Aws::SecretsManager
     #
     class CancelRotateSecretRequest < Struct.new(
       :secret_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -53,9 +62,9 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] version_id
-    #   The unique identifier of the version of the secret that was created
-    #   during the rotation. This version might not be complete, and should
-    #   be evaluated for possible deletion. At the very least, you should
+    #   The unique identifier of the version of the secret created during
+    #   the rotation. This version might not be complete, and should be
+    #   evaluated for possible deletion. At the very least, you should
     #   remove the `VersionStage` value `AWSPENDING` to enable this version
     #   to be deleted. Failing to clean up a cancelled rotation can block
     #   you from successfully starting future rotations.
@@ -67,6 +76,7 @@ module Aws::SecretsManager
       :arn,
       :name,
       :version_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -94,11 +104,11 @@ module Aws::SecretsManager
     #   The secret name must be ASCII letters, digits, or the following
     #   characters : /\_+=.@-
     #
-    #   <note markdown="1"> Don't end your secret name with a hyphen followed by six
+    #   <note markdown="1"> Do not end your secret name with a hyphen followed by six
     #   characters. If you do so, you risk confusion and unexpected results
-    #   when searching for a secret by partial ARN. This is because Secrets
-    #   Manager automatically adds a hyphen and six random characters at the
-    #   end of the ARN.
+    #   when searching for a secret by partial ARN. Secrets Manager
+    #   automatically adds a hyphen and six random characters at the end of
+    #   the ARN.
     #
     #    </note>
     #   @return [String]
@@ -114,7 +124,7 @@ module Aws::SecretsManager
     #   in the request. If you don't use the SDK and instead generate a raw
     #   HTTP request to the Secrets Manager service endpoint, then you must
     #   generate a `ClientRequestToken` yourself for the new version and
-    #   include that value in the request.
+    #   include the value in the request.
     #
     #    </note>
     #
@@ -127,10 +137,9 @@ module Aws::SecretsManager
     #   * If the `ClientRequestToken` value isn't already associated with a
     #     version of the secret then a new version of the secret is created.
     #
-    #   * If a version with this value already exists and that version's
+    #   * If a version with this value already exists and the version
     #     `SecretString` and `SecretBinary` values are the same as those in
-    #     the request, then the request is ignored (the operation is
-    #     idempotent).
+    #     the request, then the request is ignored.
     #
     #   * If a version with this value already exists and that version's
     #     `SecretString` and `SecretBinary` values are different from those
@@ -168,9 +177,9 @@ module Aws::SecretsManager
     #   first time it needs to encrypt a version's `SecretString` or
     #   `SecretBinary` fields.
     #
-    #   You can use the account's default CMK to encrypt and decrypt only
-    #   if you call this operation using credentials from the same account
-    #   that owns the secret. If the secret is in a different account, then
+    #   You can use the account default CMK to encrypt and decrypt only if
+    #   you call this operation using credentials from the same account that
+    #   owns the secret. If the secret resides in a different account, then
     #   you must create a custom CMK and specify the ARN in this field.
     #   @return [String]
     #
@@ -207,7 +216,7 @@ module Aws::SecretsManager
     #   environments, see [Using JSON for Parameters][1] in the *AWS CLI
     #   User Guide*. For example:
     #
-    #   `[\{"username":"bob"\},\{"password":"abc123xyz456"\}]`
+    #   `\{"username":"bob","password":"abc123xyz456"\}`
     #
     #   If your command-line tool or SDK requires quotation marks around the
     #   parameter, you should use single quotes to avoid confusion with the
@@ -255,15 +264,15 @@ module Aws::SecretsManager
     #   * Tag keys and values are case sensitive.
     #
     #   * Do not use the `aws:` prefix in your tag names or values because
-    #     it is reserved for AWS use. You can't edit or delete tag names or
-    #     values with this prefix. Tags with this prefix do not count
+    #     AWS reserves it for AWS use. You can't edit or delete tag names
+    #     or values with this prefix. Tags with this prefix do not count
     #     against your tags per secret limit.
     #
-    #   * If your tagging schema will be used across multiple services and
-    #     resources, remember that other services might have restrictions on
-    #     allowed characters. Generally allowed characters are: letters,
-    #     spaces, and numbers representable in UTF-8, plus the following
-    #     special characters: + - = . \_ : / @.
+    #   * If you use your tagging schema across multiple services and
+    #     resources, remember other services might have restrictions on
+    #     allowed characters. Generally allowed characters: letters, spaces,
+    #     and numbers representable in UTF-8, plus the following special
+    #     characters: + - = . \_ : / @.
     #
     #
     #
@@ -280,6 +289,7 @@ module Aws::SecretsManager
       :secret_binary,
       :secret_string,
       :tags)
+      SENSITIVE = [:secret_binary, :secret_string]
       include Aws::Structure
     end
 
@@ -302,8 +312,8 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] version_id
-    #   The unique identifier that's associated with the version of the
-    #   secret you just created.
+    #   The unique identifier associated with the version of the secret you
+    #   just created.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/CreateSecretResponse AWS API Documentation
@@ -312,6 +322,7 @@ module Aws::SecretsManager
       :arn,
       :name,
       :version_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -325,6 +336,7 @@ module Aws::SecretsManager
     #
     class DecryptionFailure < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -351,9 +363,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -361,6 +379,7 @@ module Aws::SecretsManager
     #
     class DeleteResourcePolicyRequest < Struct.new(
       :secret_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -379,6 +398,7 @@ module Aws::SecretsManager
     class DeleteResourcePolicyResponse < Struct.new(
       :arn,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -406,9 +426,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -445,6 +471,7 @@ module Aws::SecretsManager
       :secret_id,
       :recovery_window_in_days,
       :force_delete_without_recovery)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -469,6 +496,7 @@ module Aws::SecretsManager
       :arn,
       :name,
       :deletion_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -495,9 +523,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -505,6 +539,7 @@ module Aws::SecretsManager
     #
     class DescribeSecretRequest < Struct.new(
       :secret_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -596,6 +631,10 @@ module Aws::SecretsManager
     #   Returns the name of the service that created this secret.
     #   @return [String]
     #
+    # @!attribute [rw] created_date
+    #   The date that the secret was created.
+    #   @return [Time]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/DescribeSecretResponse AWS API Documentation
     #
     class DescribeSecretResponse < Struct.new(
@@ -612,7 +651,9 @@ module Aws::SecretsManager
       :deleted_date,
       :tags,
       :version_ids_to_stages,
-      :owning_service)
+      :owning_service,
+      :created_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -632,6 +673,34 @@ module Aws::SecretsManager
     #
     class EncryptionFailure < Struct.new(
       :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Allows you to filter your list of secrets.
+    #
+    # @note When making an API call, you may pass Filter
+    #   data as a hash:
+    #
+    #       {
+    #         key: "description", # accepts description, name, tag-key, tag-value, all
+    #         values: ["FilterValueStringType"],
+    #       }
+    #
+    # @!attribute [rw] key
+    #   Filters your list of secrets by a specific key.
+    #   @return [String]
+    #
+    # @!attribute [rw] values
+    #   Filters your list of secrets by a specific value.
+    #   @return [Array<String>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/Filter AWS API Documentation
+    #
+    class Filter < Struct.new(
+      :key,
+      :values)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -715,6 +784,7 @@ module Aws::SecretsManager
       :exclude_lowercase,
       :include_space,
       :require_each_included_type)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -726,6 +796,7 @@ module Aws::SecretsManager
     #
     class GetRandomPasswordResponse < Struct.new(
       :random_password)
+      SENSITIVE = [:random_password]
       include Aws::Structure
     end
 
@@ -752,9 +823,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -762,6 +839,7 @@ module Aws::SecretsManager
     #
     class GetResourcePolicyRequest < Struct.new(
       :secret_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -795,6 +873,7 @@ module Aws::SecretsManager
       :arn,
       :name,
       :resource_policy)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -823,9 +902,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -862,6 +947,7 @@ module Aws::SecretsManager
       :secret_id,
       :version_id,
       :version_stage)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -930,6 +1016,7 @@ module Aws::SecretsManager
       :secret_string,
       :version_stages,
       :created_date)
+      SENSITIVE = [:secret_binary, :secret_string]
       include Aws::Structure
     end
 
@@ -942,6 +1029,7 @@ module Aws::SecretsManager
     #
     class InternalServiceError < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -954,6 +1042,7 @@ module Aws::SecretsManager
     #
     class InvalidNextTokenException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -966,6 +1055,7 @@ module Aws::SecretsManager
     #
     class InvalidParameterException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -988,6 +1078,7 @@ module Aws::SecretsManager
     #
     class InvalidRequestException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1001,6 +1092,7 @@ module Aws::SecretsManager
     #
     class LimitExceededException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1030,15 +1122,21 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
     # @!attribute [rw] max_results
-    #   (Optional) Limits the number of results that you want to include in
-    #   the response. If you don't include this parameter, it defaults to a
+    #   (Optional) Limits the number of results you want to include in the
+    #   response. If you don't include this parameter, it defaults to a
     #   value that's specific to the operation. If additional items exist
     #   beyond the maximum you specify, the `NextToken` response element is
     #   present and has a value (isn't null). Include that value as the
@@ -1051,10 +1149,10 @@ module Aws::SecretsManager
     #
     # @!attribute [rw] next_token
     #   (Optional) Use this parameter in a request if you receive a
-    #   `NextToken` response in a previous request that indicates that
-    #   there's more output available. In a subsequent call, set it to the
-    #   value of the previous call's `NextToken` response to indicate where
-    #   the output should continue from.
+    #   `NextToken` response in a previous request indicating there's more
+    #   output available. In a subsequent call, set it to the value of the
+    #   previous call `NextToken` response to indicate where the output
+    #   should continue from.
     #   @return [String]
     #
     # @!attribute [rw] include_deprecated
@@ -1071,6 +1169,7 @@ module Aws::SecretsManager
       :max_results,
       :next_token,
       :include_deprecated)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1081,10 +1180,10 @@ module Aws::SecretsManager
     #
     # @!attribute [rw] next_token
     #   If present in the response, this value indicates that there's more
-    #   output available than what's included in the current response. This
-    #   can occur even when the response includes no values at all, such as
-    #   when you ask for a filtered view of a very long list. Use this value
-    #   in the `NextToken` request parameter in a subsequent call to the
+    #   output available than included in the current response. This can
+    #   occur even when the response includes no values at all, such as when
+    #   you ask for a filtered view of a very long list. Use this value in
+    #   the `NextToken` request parameter in a subsequent call to the
     #   operation to continue processing and get the next part of the
     #   output. You should repeat this until the `NextToken` response
     #   element comes back empty (as `null`).
@@ -1115,6 +1214,7 @@ module Aws::SecretsManager
       :next_token,
       :arn,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1124,11 +1224,18 @@ module Aws::SecretsManager
     #       {
     #         max_results: 1,
     #         next_token: "NextTokenType",
+    #         filters: [
+    #           {
+    #             key: "description", # accepts description, name, tag-key, tag-value, all
+    #             values: ["FilterValueStringType"],
+    #           },
+    #         ],
+    #         sort_order: "asc", # accepts asc, desc
     #       }
     #
     # @!attribute [rw] max_results
-    #   (Optional) Limits the number of results that you want to include in
-    #   the response. If you don't include this parameter, it defaults to a
+    #   (Optional) Limits the number of results you want to include in the
+    #   response. If you don't include this parameter, it defaults to a
     #   value that's specific to the operation. If additional items exist
     #   beyond the maximum you specify, the `NextToken` response element is
     #   present and has a value (isn't null). Include that value as the
@@ -1141,17 +1248,28 @@ module Aws::SecretsManager
     #
     # @!attribute [rw] next_token
     #   (Optional) Use this parameter in a request if you receive a
-    #   `NextToken` response in a previous request that indicates that
-    #   there's more output available. In a subsequent call, set it to the
-    #   value of the previous call's `NextToken` response to indicate where
-    #   the output should continue from.
+    #   `NextToken` response in a previous request indicating there's more
+    #   output available. In a subsequent call, set it to the value of the
+    #   previous call `NextToken` response to indicate where the output
+    #   should continue from.
+    #   @return [String]
+    #
+    # @!attribute [rw] filters
+    #   Lists the secret request filters.
+    #   @return [Array<Types::Filter>]
+    #
+    # @!attribute [rw] sort_order
+    #   Lists secrets in the requested order.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ListSecretsRequest AWS API Documentation
     #
     class ListSecretsRequest < Struct.new(
       :max_results,
-      :next_token)
+      :next_token,
+      :filters,
+      :sort_order)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1161,10 +1279,10 @@ module Aws::SecretsManager
     #
     # @!attribute [rw] next_token
     #   If present in the response, this value indicates that there's more
-    #   output available than what's included in the current response. This
-    #   can occur even when the response includes no values at all, such as
-    #   when you ask for a filtered view of a very long list. Use this value
-    #   in the `NextToken` request parameter in a subsequent call to the
+    #   output available than included in the current response. This can
+    #   occur even when the response includes no values at all, such as when
+    #   you ask for a filtered view of a very long list. Use this value in
+    #   the `NextToken` request parameter in a subsequent call to the
     #   operation to continue processing and get the next part of the
     #   output. You should repeat this until the `NextToken` response
     #   element comes back empty (as `null`).
@@ -1175,6 +1293,7 @@ module Aws::SecretsManager
     class ListSecretsResponse < Struct.new(
       :secret_list,
       :next_token)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1187,6 +1306,7 @@ module Aws::SecretsManager
     #
     class MalformedPolicyDocumentException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1200,6 +1320,20 @@ module Aws::SecretsManager
     #
     class PreconditionNotMetException < Struct.new(
       :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The resource policy did not prevent broad access to the secret.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/PublicPolicyException AWS API Documentation
+    #
+    class PublicPolicyException < Struct.new(
+      :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1209,6 +1343,7 @@ module Aws::SecretsManager
     #       {
     #         secret_id: "SecretIdType", # required
     #         resource_policy: "NonEmptyResourcePolicyType", # required
+    #         block_public_policy: false,
     #       }
     #
     # @!attribute [rw] secret_id
@@ -1227,9 +1362,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -1246,22 +1387,28 @@ module Aws::SecretsManager
     #   [1]: http://docs.aws.amazon.com/cli/latest/userguide/cli-using-param.html#cli-using-param-json
     #   @return [String]
     #
+    # @!attribute [rw] block_public_policy
+    #   Makes an optional API call to Zelkova to validate the Resource
+    #   Policy to prevent broad access to your secret.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/PutResourcePolicyRequest AWS API Documentation
     #
     class PutResourcePolicyRequest < Struct.new(
       :secret_id,
-      :resource_policy)
+      :resource_policy,
+      :block_public_policy)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] arn
-    #   The ARN of the secret that the resource-based policy was retrieved
-    #   for.
+    #   The ARN of the secret retrieved by the resource-based policy.
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret that the resource-based policy was
-    #   retrieved for.
+    #   The friendly name of the secret that the retrieved by the
+    #   resource-based policy.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/PutResourcePolicyResponse AWS API Documentation
@@ -1269,6 +1416,7 @@ module Aws::SecretsManager
     class PutResourcePolicyResponse < Struct.new(
       :arn,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1299,9 +1447,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -1333,7 +1487,7 @@ module Aws::SecretsManager
     #     the request then the request is ignored (the operation is
     #     idempotent).
     #
-    #   * If a version with this value already exists and that version's
+    #   * If a version with this value already exists and the version of the
     #     `SecretString` and `SecretBinary` values are different from those
     #     in the request then the request fails because you cannot modify an
     #     existing secret version. You can only create new versions to store
@@ -1418,6 +1572,7 @@ module Aws::SecretsManager
       :secret_binary,
       :secret_string,
       :version_stages)
+      SENSITIVE = [:secret_binary, :secret_string]
       include Aws::Structure
     end
 
@@ -1449,6 +1604,7 @@ module Aws::SecretsManager
       :name,
       :version_id,
       :version_stages)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1461,6 +1617,7 @@ module Aws::SecretsManager
     #
     class ResourceExistsException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1473,6 +1630,7 @@ module Aws::SecretsManager
     #
     class ResourceNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1499,9 +1657,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -1509,6 +1673,7 @@ module Aws::SecretsManager
     #
     class RestoreSecretRequest < Struct.new(
       :secret_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1525,6 +1690,7 @@ module Aws::SecretsManager
     class RestoreSecretResponse < Struct.new(
       :arn,
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1555,9 +1721,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -1573,10 +1745,10 @@ module Aws::SecretsManager
     #   generate a `ClientRequestToken` yourself for new versions and
     #   include that value in the request.
     #
-    #   You only need to specify your own value if you are implementing your
-    #   own retry logic and want to ensure that a given secret is not
-    #   created twice. We recommend that you generate a [UUID-type][1] value
-    #   to ensure uniqueness within the specified secret.
+    #   You only need to specify your own value if you implement your own
+    #   retry logic and want to ensure that a given secret is not created
+    #   twice. We recommend that you generate a [UUID-type][1] value to
+    #   ensure uniqueness within the specified secret.
     #
     #   Secrets Manager uses this value to prevent the accidental creation
     #   of duplicate versions if there are failures and retries during the
@@ -1607,6 +1779,7 @@ module Aws::SecretsManager
       :client_request_token,
       :rotation_lambda_arn,
       :rotation_rules)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1629,6 +1802,7 @@ module Aws::SecretsManager
       :arn,
       :name,
       :version_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1658,6 +1832,7 @@ module Aws::SecretsManager
     #
     class RotationRulesType < Struct.new(
       :automatically_after_days)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1688,11 +1863,11 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] kms_key_id
-    #   The ARN or alias of the AWS KMS customer master key (CMK) that's
-    #   used to encrypt the `SecretString` and `SecretBinary` fields in each
-    #   version of the secret. If you don't provide a key, then Secrets
-    #   Manager defaults to encrypting the secret fields with the default
-    #   KMS CMK (the one named `awssecretsmanager`) for this account.
+    #   The ARN or alias of the AWS KMS customer master key (CMK) used to
+    #   encrypt the `SecretString` and `SecretBinary` fields in each version
+    #   of the secret. If you don't provide a key, then Secrets Manager
+    #   defaults to encrypting the secret fields with the default KMS CMK,
+    #   the key named `awssecretsmanager`, for this account.
     #   @return [String]
     #
     # @!attribute [rw] rotation_enabled
@@ -1701,9 +1876,9 @@ module Aws::SecretsManager
     #   @return [Boolean]
     #
     # @!attribute [rw] rotation_lambda_arn
-    #   The ARN of an AWS Lambda function that's invoked by Secrets Manager
-    #   to rotate and expire the secret either automatically per the
-    #   schedule or manually by a call to RotateSecret.
+    #   The ARN of an AWS Lambda function invoked by Secrets Manager to
+    #   rotate and expire the secret either automatically per the schedule
+    #   or manually by a call to RotateSecret.
     #   @return [String]
     #
     # @!attribute [rw] rotation_rules
@@ -1726,21 +1901,21 @@ module Aws::SecretsManager
     #   @return [Time]
     #
     # @!attribute [rw] deleted_date
-    #   The date and time on which this secret was deleted. Not present on
-    #   active secrets. The secret can be recovered until the number of days
-    #   in the recovery window has passed, as specified in the
+    #   The date and time the deletion of the secret occurred. Not present
+    #   on active secrets. The secret can be recovered until the number of
+    #   days in the recovery window has passed, as specified in the
     #   `RecoveryWindowInDays` parameter of the DeleteSecret operation.
     #   @return [Time]
     #
     # @!attribute [rw] tags
-    #   The list of user-defined tags that are associated with the secret.
-    #   To add tags to a secret, use TagResource. To remove tags, use
+    #   The list of user-defined tags associated with the secret. To add
+    #   tags to a secret, use TagResource. To remove tags, use
     #   UntagResource.
     #   @return [Array<Types::Tag>]
     #
     # @!attribute [rw] secret_versions_to_stages
     #   A list of all of the currently assigned `SecretVersionStage` staging
-    #   labels and the `SecretVersionId` that each is attached to. Staging
+    #   labels and the `SecretVersionId` attached to each one. Staging
     #   labels are used to keep track of the different versions during the
     #   rotation process.
     #
@@ -1755,6 +1930,10 @@ module Aws::SecretsManager
     #   Returns the name of the service that created the secret.
     #   @return [String]
     #
+    # @!attribute [rw] created_date
+    #   The date and time when a secret was created.
+    #   @return [Time]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/SecretListEntry AWS API Documentation
     #
     class SecretListEntry < Struct.new(
@@ -1771,7 +1950,9 @@ module Aws::SecretsManager
       :deleted_date,
       :tags,
       :secret_versions_to_stages,
-      :owning_service)
+      :owning_service,
+      :created_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1803,6 +1984,7 @@ module Aws::SecretsManager
       :version_stages,
       :last_accessed_date,
       :created_date)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1821,7 +2003,7 @@ module Aws::SecretsManager
     #   @return [String]
     #
     # @!attribute [rw] value
-    #   The string value that's associated with the key of the tag.
+    #   The string value associated with the key of the tag.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/Tag AWS API Documentation
@@ -1829,6 +2011,7 @@ module Aws::SecretsManager
     class Tag < Struct.new(
       :key,
       :value)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1861,9 +2044,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -1888,6 +2077,7 @@ module Aws::SecretsManager
     class TagResourceRequest < Struct.new(
       :secret_id,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1915,9 +2105,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -1941,6 +2137,7 @@ module Aws::SecretsManager
     class UntagResourceRequest < Struct.new(
       :secret_id,
       :tag_keys)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -1972,9 +2169,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -2096,6 +2299,7 @@ module Aws::SecretsManager
       :kms_key_id,
       :secret_binary,
       :secret_string)
+      SENSITIVE = [:secret_binary, :secret_string]
       include Aws::Structure
     end
 
@@ -2128,6 +2332,7 @@ module Aws::SecretsManager
       :arn,
       :name,
       :version_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
@@ -2142,9 +2347,9 @@ module Aws::SecretsManager
     #       }
     #
     # @!attribute [rw] secret_id
-    #   Specifies the secret with the version whose list of staging labels
-    #   you want to modify. You can specify either the Amazon Resource Name
-    #   (ARN) or the friendly name of the secret.
+    #   Specifies the secret with the version with the list of staging
+    #   labels you want to modify. You can specify either the Amazon
+    #   Resource Name (ARN) or the friendly name of the secret.
     #
     #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
     #   complete ARN. You can specify a partial ARN too—for example, if you
@@ -2157,9 +2362,15 @@ module Aws::SecretsManager
     #   partial ARN, then those characters cause Secrets Manager to assume
     #   that you’re specifying a complete ARN. This confusion can cause
     #   unexpected results. To avoid this situation, we recommend that you
-    #   don’t create secret names that end with a hyphen followed by six
+    #   don’t create secret names ending with a hyphen followed by six
     #   characters.
     #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
     #    </note>
     #   @return [String]
     #
@@ -2179,7 +2390,7 @@ module Aws::SecretsManager
     #
     # @!attribute [rw] move_to_version_id
     #   (Optional) The secret version ID that you want to add the staging
-    #   label to. If you want to remove a label from a version, then do not
+    #   label. If you want to remove a label from a version, then do not
     #   specify this parameter.
     #
     #   If the staging label is already attached to a different version of
@@ -2194,16 +2405,16 @@ module Aws::SecretsManager
       :version_stage,
       :remove_from_version_id,
       :move_to_version_id)
+      SENSITIVE = []
       include Aws::Structure
     end
 
     # @!attribute [rw] arn
-    #   The ARN of the secret with the staging label that was modified.
+    #   The ARN of the secret with the modified staging label.
     #   @return [String]
     #
     # @!attribute [rw] name
-    #   The friendly name of the secret with the staging label that was
-    #   modified.
+    #   The friendly name of the secret with the modified staging label.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/UpdateSecretVersionStageResponse AWS API Documentation
@@ -2211,6 +2422,95 @@ module Aws::SecretsManager
     class UpdateSecretVersionStageResponse < Struct.new(
       :arn,
       :name)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @note When making an API call, you may pass ValidateResourcePolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         secret_id: "SecretIdType",
+    #         resource_policy: "NonEmptyResourcePolicyType", # required
+    #       }
+    #
+    # @!attribute [rw] secret_id
+    #   The identifier for the secret that you want to validate a resource
+    #   policy. You can specify either the Amazon Resource Name (ARN) or the
+    #   friendly name of the secret.
+    #
+    #   <note markdown="1"> If you specify an ARN, we generally recommend that you specify a
+    #   complete ARN. You can specify a partial ARN too—for example, if you
+    #   don’t include the final hyphen and six random characters that
+    #   Secrets Manager adds at the end of the ARN when you created the
+    #   secret. A partial ARN match can work as long as it uniquely matches
+    #   only one secret. However, if your secret has a name that ends in a
+    #   hyphen followed by six characters (before Secrets Manager adds the
+    #   hyphen and six characters to the ARN) and you try to use that as a
+    #   partial ARN, then those characters cause Secrets Manager to assume
+    #   that you’re specifying a complete ARN. This confusion can cause
+    #   unexpected results. To avoid this situation, we recommend that you
+    #   don’t create secret names ending with a hyphen followed by six
+    #   characters.
+    #
+    #    If you specify an incomplete ARN without the random suffix, and
+    #   instead provide the 'friendly name', you *must* not include the
+    #   random suffix. If you do include the random suffix added by Secrets
+    #   Manager, you receive either a *ResourceNotFoundException* or an
+    #   *AccessDeniedException* error, depending on your permissions.
+    #
+    #    </note>
+    #   @return [String]
+    #
+    # @!attribute [rw] resource_policy
+    #   Identifies the Resource Policy attached to the secret.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ValidateResourcePolicyRequest AWS API Documentation
+    #
+    class ValidateResourcePolicyRequest < Struct.new(
+      :secret_id,
+      :resource_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] policy_validation_passed
+    #   Returns a message stating that your Reource Policy passed
+    #   validation.
+    #   @return [Boolean]
+    #
+    # @!attribute [rw] validation_errors
+    #   Returns an error message if your policy doesn't pass validatation.
+    #   @return [Array<Types::ValidationErrorsEntry>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ValidateResourcePolicyResponse AWS API Documentation
+    #
+    class ValidateResourcePolicyResponse < Struct.new(
+      :policy_validation_passed,
+      :validation_errors)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Displays errors that occurred during validation of the resource
+    # policy.
+    #
+    # @!attribute [rw] check_name
+    #   Checks the name of the policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] error_message
+    #   Displays error messages if validation encounters problems during
+    #   validation of the resource policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/secretsmanager-2017-10-17/ValidationErrorsEntry AWS API Documentation
+    #
+    class ValidationErrorsEntry < Struct.new(
+      :check_name,
+      :error_message)
+      SENSITIVE = []
       include Aws::Structure
     end