feat(client-controlcatalog): AWS Control Catalog GetControl public API returns additional data in output, including Implementation and Parameters

awstools · awstools · commit 43e848f37d1b · 2024-11-08T19:22:21.000Z
diff --git a/clients/client-controlcatalog/src/commands/GetControlCommand.ts b/clients/client-controlcatalog/src/commands/GetControlCommand.ts
@@ -52,6 +52,14 @@ export interface GetControlCommandOutput extends GetControlResponse, __MetadataB
  * //       "STRING_VALUE",
  * //     ],
  * //   },
+ * //   Implementation: { // ImplementationDetails
+ * //     Type: "STRING_VALUE", // required
+ * //   },
+ * //   Parameters: [ // ControlParameters
+ * //     { // ControlParameter
+ * //       Name: "STRING_VALUE", // required
+ * //     },
+ * //   ],
  * // };
  *
  * ```
diff --git a/clients/client-controlcatalog/src/models/models_0.ts b/clients/client-controlcatalog/src/models/models_0.ts
@@ -289,6 +289,94 @@ export interface GetControlRequest {
   ControlArn: string | undefined;
 }
 
+/**
+ * <p>An object that describes the implementation type for a control.</p>
+ *          <p>Our <code>ImplementationDetails</code>
+ *             <code>Type</code> format has three required segments:</p>
+ *          <ul>
+ *             <li>
+ *                <p>
+ *                   <code>SERVICE-PROVIDER::SERVICE-NAME::RESOURCE-NAME</code>
+ *                </p>
+ *             </li>
+ *          </ul>
+ *          <p>For example, <code>AWS::Config::ConfigRule</code>
+ *             <b>or</b>
+ *             <code>AWS::SecurityHub::SecurityControl</code> resources have the format with three required segments.</p>
+ *          <p>Our <code>ImplementationDetails</code>
+ *             <code>Type</code> format has an optional fourth segment, which is present for applicable
+ *       implementation types. The format is as follows: </p>
+ *          <ul>
+ *             <li>
+ *                <p>
+ *                   <code>SERVICE-PROVIDER::SERVICE-NAME::RESOURCE-NAME::RESOURCE-TYPE-DESCRIPTION</code>
+ *                </p>
+ *             </li>
+ *          </ul>
+ *          <p>For example, <code>AWS::Organizations::Policy::SERVICE_CONTROL_POLICY</code>
+ *             <b>or</b>
+ *             <code>AWS::CloudFormation::Type::HOOK</code> have the format with four segments.</p>
+ *          <p>Although the format is similar, the values for the <code>Type</code> field do not match any Amazon Web Services CloudFormation values, and we do not use CloudFormation to implement these controls.</p>
+ * @public
+ */
+export interface ImplementationDetails {
+  /**
+   * <p>A string that describes a control's implementation type.</p>
+   * @public
+   */
+  Type: string | undefined;
+}
+
+/**
+ * <p>Four types of control parameters are supported.</p>
+ *          <ul>
+ *             <li>
+ *                <p>
+ *                   <b>AllowedRegions</b>: List of Amazon Web Services Regions exempted from the
+ *           control. Each string is expected to be an Amazon Web Services Region code. This parameter is mandatory for the <b>OU Region deny</b> control, <b>CT.MULTISERVICE.PV.1</b>.</p>
+ *                <p>Example: <code>["us-east-1","us-west-2"]</code>
+ *                </p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>ExemptedActions</b>: List of Amazon Web Services IAM actions exempted
+ *           from the control. Each string is expected to be an IAM action.</p>
+ *                <p>Example:
+ *           <code>["logs:DescribeLogGroups","logs:StartQuery","logs:GetQueryResults"]</code>
+ *                </p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>ExemptedPrincipalArns</b>: List of Amazon Web Services IAM principal ARNs
+ *           exempted from the control. Each string is expected to be an IAM principal that follows
+ *           the pattern <code>^arn:(aws|aws-us-gov):(iam|sts)::.+:.+$</code>
+ *                </p>
+ *                <p>Example:
+ *           <code>["arn:aws:iam::*:role/ReadOnly","arn:aws:sts::*:assumed-role/ReadOnly/*"]</code>
+ *                </p>
+ *             </li>
+ *             <li>
+ *                <p>
+ *                   <b>ExemptedResourceArns</b>: List of resource ARNs exempted
+ *           from the control. Each string is expected to be a resource ARN.</p>
+ *                <p>Example: <code>["arn:aws:s3:::my-bucket-name"]</code>
+ *                </p>
+ *             </li>
+ *          </ul>
+ * @public
+ */
+export interface ControlParameter {
+  /**
+   * <p>The parameter name. This name is the parameter <code>key</code> when you call <a href="https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html">
+   *                <code>EnableControl</code>
+   *             </a> or <a href="https://docs.aws.amazon.com/controltower/latest/APIReference/API_UpdateEnabledControl.html">
+   *                <code>UpdateEnabledControl</code>
+   *             </a>.</p>
+   * @public
+   */
+  Name: string | undefined;
+}
+
 /**
  * @public
  * @enum
@@ -304,7 +392,7 @@ export const ControlScope = {
 export type ControlScope = (typeof ControlScope)[keyof typeof ControlScope];
 
 /**
- * <p>Returns information about the control, including the scope of the control, if enabled, and the Regions in which the control currently is available for deployment.</p>
+ * <p>Returns information about the control, including the scope of the control, if enabled, and the Regions in which the control currently is available for deployment. For more information about scope, see <a href="https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html">Global services</a>.</p>
  *          <p>If you are applying controls through an Amazon Web Services Control Tower landing zone environment, remember that the values returned in the <code>RegionConfiguration</code> API operation are not related to the governed Regions in your landing zone. For example, if you are governing Regions <code>A</code>,<code>B</code>,and <code>C</code> while the control is available in Regions <code>A</code>, <code>B</code>, C<code>,</code> and <code>D</code>, you'd see a response with <code>DeployableRegions</code> of <code>A</code>, <code>B</code>, <code>C</code>, and <code>D</code> for a control with <code>REGIONAL</code> scope, even though you may not intend to deploy the control in Region <code>D</code>, because you do not govern it through your landing zone.</p>
  * @public
  */
@@ -345,18 +433,31 @@ export interface GetControlResponse {
   Description: string | undefined;
 
   /**
-   * <p>A term that identifies the control's functional behavior. One of <code>Preventive</code>, <code>Deteictive</code>, <code>Proactive</code>
+   * <p>A term that identifies the control's functional behavior. One of <code>Preventive</code>, <code>Detective</code>, <code>Proactive</code>
    *          </p>
    * @public
    */
   Behavior: ControlBehavior | undefined;
 
   /**
-   * <p>Returns information about the control, including the scope of the control, if enabled, and the Regions in which the control currently is available for deployment.</p>
+   * <p>Returns information about the control, including the scope of the control, if enabled, and the Regions in which the control currently is available for deployment. For more information about scope, see <a href="https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html">Global services</a>.</p>
    *          <p>If you are applying controls through an Amazon Web Services Control Tower landing zone environment, remember that the values returned in the <code>RegionConfiguration</code> API operation are not related to the governed Regions in your landing zone. For example, if you are governing Regions <code>A</code>,<code>B</code>,and <code>C</code> while the control is available in Regions <code>A</code>, <code>B</code>, C<code>,</code> and <code>D</code>, you'd see a response with <code>DeployableRegions</code> of <code>A</code>, <code>B</code>, <code>C</code>, and <code>D</code> for a control with <code>REGIONAL</code> scope, even though you may not intend to deploy the control in Region <code>D</code>, because you do not govern it through your landing zone.</p>
    * @public
    */
   RegionConfiguration: RegionConfiguration | undefined;
+
+  /**
+   * <p>Returns information about the control, as an <code>ImplementationDetails</code> object that shows the underlying implementation type for a control.</p>
+   * @public
+   */
+  Implementation?: ImplementationDetails;
+
+  /**
+   * <p>Returns an array of <code>ControlParameter</code> objects that specify the parameters a control supports. An empty list is returned for controls that don’t support parameters.
+   *     </p>
+   * @public
+   */
+  Parameters?: ControlParameter[];
 }
 
 /**
diff --git a/clients/client-controlcatalog/src/protocols/Aws_restJson1.ts b/clients/client-controlcatalog/src/protocols/Aws_restJson1.ts
@@ -173,7 +173,9 @@ export const de_GetControlCommand = async (
     Arn: __expectString,
     Behavior: __expectString,
     Description: __expectString,
+    Implementation: _json,
     Name: __expectString,
+    Parameters: _json,
     RegionConfiguration: _json,
   });
   Object.assign(contents, doc);
@@ -441,6 +443,10 @@ const de_CommonControlSummaryList = (output: any, context: __SerdeContext): Comm
   return retVal;
 };
 
+// de_ControlParameter omitted.
+
+// de_ControlParameters omitted.
+
 // de_Controls omitted.
 
 // de_ControlSummary omitted.
@@ -472,6 +478,8 @@ const de_DomainSummaryList = (output: any, context: __SerdeContext): DomainSumma
   return retVal;
 };
 
+// de_ImplementationDetails omitted.
+
 /**
  * deserializeAws_restJson1ObjectiveSummary
  */
diff --git a/codegen/sdk-codegen/aws-models/controlcatalog.json b/codegen/sdk-codegen/aws-models/controlcatalog.json
@@ -912,6 +912,27 @@
         }
       }
     },
+    "com.amazonaws.controlcatalog#ControlParameter": {
+      "type": "structure",
+      "members": {
+        "Name": {
+          "target": "smithy.api#String",
+          "traits": {
+            "smithy.api#documentation": "<p>The parameter name. This name is the parameter <code>key</code> when you call <a href=\"https://docs.aws.amazon.com/controltower/latest/APIReference/API_EnableControl.html\">\n               <code>EnableControl</code>\n            </a> or <a href=\"https://docs.aws.amazon.com/controltower/latest/APIReference/API_UpdateEnabledControl.html\">\n               <code>UpdateEnabledControl</code>\n            </a>.</p>",
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>Four types of control parameters are supported.</p>\n         <ul>\n            <li>\n               <p>\n                  <b>AllowedRegions</b>: List of Amazon Web Services Regions exempted from the\n          control. Each string is expected to be an Amazon Web Services Region code. This parameter is mandatory for the <b>OU Region deny</b> control, <b>CT.MULTISERVICE.PV.1</b>.</p>\n               <p>Example: <code>[\"us-east-1\",\"us-west-2\"]</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <b>ExemptedActions</b>: List of Amazon Web Services IAM actions exempted\n          from the control. Each string is expected to be an IAM action.</p>\n               <p>Example:\n          <code>[\"logs:DescribeLogGroups\",\"logs:StartQuery\",\"logs:GetQueryResults\"]</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <b>ExemptedPrincipalArns</b>: List of Amazon Web Services IAM principal ARNs\n          exempted from the control. Each string is expected to be an IAM principal that follows\n          the pattern <code>^arn:(aws|aws-us-gov):(iam|sts)::.+:.+$</code>\n               </p>\n               <p>Example:\n          <code>[\"arn:aws:iam::*:role/ReadOnly\",\"arn:aws:sts::*:assumed-role/ReadOnly/*\"]</code>\n               </p>\n            </li>\n            <li>\n               <p>\n                  <b>ExemptedResourceArns</b>: List of resource ARNs exempted\n          from the control. Each string is expected to be a resource ARN.</p>\n               <p>Example: <code>[\"arn:aws:s3:::my-bucket-name\"]</code>\n               </p>\n            </li>\n         </ul>"
+      }
+    },
+    "com.amazonaws.controlcatalog#ControlParameters": {
+      "type": "list",
+      "member": {
+        "target": "com.amazonaws.controlcatalog#ControlParameter"
+      }
+    },
     "com.amazonaws.controlcatalog#ControlResource": {
       "type": "resource",
       "identifiers": {
@@ -1172,7 +1193,7 @@
         "Behavior": {
           "target": "com.amazonaws.controlcatalog#ControlBehavior",
           "traits": {
-            "smithy.api#documentation": "<p>A term that identifies the control's functional behavior. One of <code>Preventive</code>, <code>Deteictive</code>, <code>Proactive</code>\n         </p>",
+            "smithy.api#documentation": "<p>A term that identifies the control's functional behavior. One of <code>Preventive</code>, <code>Detective</code>, <code>Proactive</code>\n         </p>",
             "smithy.api#required": {}
           }
         },
@@ -1181,12 +1202,49 @@
           "traits": {
             "smithy.api#required": {}
           }
+        },
+        "Implementation": {
+          "target": "com.amazonaws.controlcatalog#ImplementationDetails",
+          "traits": {
+            "smithy.api#documentation": "<p>Returns information about the control, as an <code>ImplementationDetails</code> object that shows the underlying implementation type for a control.</p>"
+          }
+        },
+        "Parameters": {
+          "target": "com.amazonaws.controlcatalog#ControlParameters",
+          "traits": {
+            "smithy.api#documentation": "<p>Returns an array of <code>ControlParameter</code> objects that specify the parameters a control supports. An empty list is returned for controls that don’t support parameters.\n    </p>"
+          }
         }
       },
       "traits": {
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.controlcatalog#ImplementationDetails": {
+      "type": "structure",
+      "members": {
+        "Type": {
+          "target": "com.amazonaws.controlcatalog#ImplementationType",
+          "traits": {
+            "smithy.api#documentation": "<p>A string that describes a control's implementation type.</p>",
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>An object that describes the implementation type for a control.</p>\n         <p>Our <code>ImplementationDetails</code>\n            <code>Type</code> format has three required segments:</p>\n         <ul>\n            <li>\n               <p>\n                  <code>SERVICE-PROVIDER::SERVICE-NAME::RESOURCE-NAME</code>\n               </p>\n            </li>\n         </ul>\n         <p>For example, <code>AWS::Config::ConfigRule</code>\n            <b>or</b>\n            <code>AWS::SecurityHub::SecurityControl</code> resources have the format with three required segments.</p>\n         <p>Our <code>ImplementationDetails</code>\n            <code>Type</code> format has an optional fourth segment, which is present for applicable \n      implementation types. The format is as follows: </p>\n         <ul>\n            <li>\n               <p>\n                  <code>SERVICE-PROVIDER::SERVICE-NAME::RESOURCE-NAME::RESOURCE-TYPE-DESCRIPTION</code>\n               </p>\n            </li>\n         </ul>\n         <p>For example, <code>AWS::Organizations::Policy::SERVICE_CONTROL_POLICY</code>\n            <b>or</b>\n            <code>AWS::CloudFormation::Type::HOOK</code> have the format with four segments.</p>\n         <p>Although the format is similar, the values for the <code>Type</code> field do not match any Amazon Web Services CloudFormation values, and we do not use CloudFormation to implement these controls.</p>"
+      }
+    },
+    "com.amazonaws.controlcatalog#ImplementationType": {
+      "type": "string",
+      "traits": {
+        "smithy.api#length": {
+          "min": 7,
+          "max": 2048
+        },
+        "smithy.api#pattern": "^[A-Za-z0-9]+(::[A-Za-z0-9_]+){2,3}$"
+      }
+    },
     "com.amazonaws.controlcatalog#InternalServerException": {
       "type": "structure",
       "members": {
@@ -1727,7 +1785,7 @@
         }
       },
       "traits": {
-        "smithy.api#documentation": "<p>Returns information about the control, including the scope of the control, if enabled, and the Regions in which the control currently is available for deployment.</p>\n         <p>If you are applying controls through an Amazon Web Services Control Tower landing zone environment, remember that the values returned in the <code>RegionConfiguration</code> API operation are not related to the governed Regions in your landing zone. For example, if you are governing Regions <code>A</code>,<code>B</code>,and <code>C</code> while the control is available in Regions <code>A</code>, <code>B</code>, C<code>,</code> and <code>D</code>, you'd see a response with <code>DeployableRegions</code> of <code>A</code>, <code>B</code>, <code>C</code>, and <code>D</code> for a control with <code>REGIONAL</code> scope, even though you may not intend to deploy the control in Region <code>D</code>, because you do not govern it through your landing zone.</p>"
+        "smithy.api#documentation": "<p>Returns information about the control, including the scope of the control, if enabled, and the Regions in which the control currently is available for deployment. For more information about scope, see <a href=\"https://docs.aws.amazon.com/whitepapers/latest/aws-fault-isolation-boundaries/global-services.html\">Global services</a>.</p>\n         <p>If you are applying controls through an Amazon Web Services Control Tower landing zone environment, remember that the values returned in the <code>RegionConfiguration</code> API operation are not related to the governed Regions in your landing zone. For example, if you are governing Regions <code>A</code>,<code>B</code>,and <code>C</code> while the control is available in Regions <code>A</code>, <code>B</code>, C<code>,</code> and <code>D</code>, you'd see a response with <code>DeployableRegions</code> of <code>A</code>, <code>B</code>, <code>C</code>, and <code>D</code> for a control with <code>REGIONAL</code> scope, even though you may not intend to deploy the control in Region <code>D</code>, because you do not govern it through your landing zone.</p>"
       }
     },
     "com.amazonaws.controlcatalog#ResourceNotFoundException": {
