AWS Directory Service Update: Added new APIs for enabling, disabling, and describing access to the AWS Directory Service Data API

AWS · AWS · commit eae693765721 · 2024-09-18T18:09:41.000Z
diff --git a/.changes/next-release/feature-AWSDirectoryService-8008834.json b/.changes/next-release/feature-AWSDirectoryService-8008834.json
@@ -0,0 +1,6 @@
+{
+    "type": "feature",
+    "category": "AWS Directory Service",
+    "contributor": "",
+    "description": "Added new APIs for enabling, disabling, and describing access to the AWS Directory Service Data API"
+}
diff --git a/services/directory/src/main/resources/codegen-resources/service-2.json b/services/directory/src/main/resources/codegen-resources/service-2.json
@@ -452,6 +452,23 @@
       ],
       "documentation":"<p>Obtains information about the directories that belong to this account.</p> <p>You can retrieve information about specific directories by passing the directory identifiers in the <code>DirectoryIds</code> parameter. Otherwise, all directories that belong to the current account are returned.</p> <p>This operation supports pagination with the use of the <code>NextToken</code> request and response parameters. If more results are available, the <code>DescribeDirectoriesResult.NextToken</code> member contains a token that you pass in the next call to <a>DescribeDirectories</a> to retrieve the next set of items.</p> <p>You can also specify a maximum number of return results with the <code>Limit</code> parameter.</p>"
     },
+    "DescribeDirectoryDataAccess":{
+      "name":"DescribeDirectoryDataAccess",
+      "http":{
+        "method":"POST",
+        "requestUri":"/"
+      },
+      "input":{"shape":"DescribeDirectoryDataAccessRequest"},
+      "output":{"shape":"DescribeDirectoryDataAccessResult"},
+      "errors":[
+        {"shape":"DirectoryDoesNotExistException"},
+        {"shape":"UnsupportedOperationException"},
+        {"shape":"AccessDeniedException"},
+        {"shape":"ClientException"},
+        {"shape":"ServiceException"}
+      ],
+      "documentation":"<p>Obtains status of directory data access enablement through the Directory Service Data API for the specified directory.</p>"
+    },
     "DescribeDomainControllers":{
       "name":"DescribeDomainControllers",
       "http":{
@@ -630,6 +647,25 @@
       ],
       "documentation":"<p>Disables alternative client authentication methods for the specified directory. </p>"
     },
+    "DisableDirectoryDataAccess":{
+      "name":"DisableDirectoryDataAccess",
+      "http":{
+        "method":"POST",
+        "requestUri":"/"
+      },
+      "input":{"shape":"DisableDirectoryDataAccessRequest"},
+      "output":{"shape":"DisableDirectoryDataAccessResult"},
+      "errors":[
+        {"shape":"DirectoryDoesNotExistException"},
+        {"shape":"DirectoryUnavailableException"},
+        {"shape":"UnsupportedOperationException"},
+        {"shape":"DirectoryInDesiredStateException"},
+        {"shape":"AccessDeniedException"},
+        {"shape":"ClientException"},
+        {"shape":"ServiceException"}
+      ],
+      "documentation":"<p>Deactivates access to directory data via the Directory Service Data API for the specified directory.</p>"
+    },
     "DisableLDAPS":{
       "name":"DisableLDAPS",
       "http":{
@@ -700,6 +736,25 @@
       ],
       "documentation":"<p>Enables alternative client authentication methods for the specified directory.</p>"
     },
+    "EnableDirectoryDataAccess":{
+      "name":"EnableDirectoryDataAccess",
+      "http":{
+        "method":"POST",
+        "requestUri":"/"
+      },
+      "input":{"shape":"EnableDirectoryDataAccessRequest"},
+      "output":{"shape":"EnableDirectoryDataAccessResult"},
+      "errors":[
+        {"shape":"DirectoryDoesNotExistException"},
+        {"shape":"DirectoryUnavailableException"},
+        {"shape":"UnsupportedOperationException"},
+        {"shape":"DirectoryInDesiredStateException"},
+        {"shape":"AccessDeniedException"},
+        {"shape":"ClientException"},
+        {"shape":"ServiceException"}
+      ],
+      "documentation":"<p>Enables access to directory data via the Directory Service Data API for the specified directory.</p>"
+    },
     "EnableLDAPS":{
       "name":"EnableLDAPS",
       "http":{
@@ -990,7 +1045,7 @@
         {"shape":"ClientException"},
         {"shape":"ServiceException"}
       ],
-      "documentation":"<p>Resets the password for any user in your Managed Microsoft AD or Simple AD directory.</p> <p>You can reset the password for any user in your directory with the following exceptions:</p> <ul> <li> <p>For Simple AD, you cannot reset the password for any user that is a member of either the <b>Domain Admins</b> or <b>Enterprise Admins</b> group except for the administrator user.</p> </li> <li> <p>For Managed Microsoft AD, you can only reset the password for a user that is in an OU based off of the NetBIOS name that you typed when you created your directory. For example, you cannot reset the password for a user in the <b>Amazon Web Services Reserved</b> OU. For more information about the OU structure for an Managed Microsoft AD directory, see <a href=\"https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.html\">What Gets Created</a> in the <i>Directory Service Administration Guide</i>.</p> </li> </ul>"
+      "documentation":"<p>Resets the password for any user in your Managed Microsoft AD or Simple AD directory. Disabled users will become enabled and can be authenticated following the API call.</p> <p>You can reset the password for any user in your directory with the following exceptions:</p> <ul> <li> <p>For Simple AD, you cannot reset the password for any user that is a member of either the <b>Domain Admins</b> or <b>Enterprise Admins</b> group except for the administrator user.</p> </li> <li> <p>For Managed Microsoft AD, you can only reset the password for a user that is in an OU based off of the NetBIOS name that you typed when you created your directory. For example, you cannot reset the password for a user in the <b>Amazon Web Services Reserved</b> OU. For more information about the OU structure for an Managed Microsoft AD directory, see <a href=\"https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_getting_started_what_gets_created.html\">What Gets Created</a> in the <i>Directory Service Administration Guide</i>.</p> </li> </ul>"
     },
     "RestoreFromSnapshot":{
       "name":"RestoreFromSnapshot",
@@ -1219,7 +1274,7 @@
         "Message":{"shape":"ExceptionMessage"},
         "RequestId":{"shape":"RequestId"}
       },
-      "documentation":"<p>Client authentication is not available in this region at this time.</p>",
+      "documentation":"<p>You do not have sufficient access to perform this action.</p>",
       "exception":true
     },
     "AccessUrl":{
@@ -1244,7 +1299,7 @@
         },
         "UpdateSecurityGroupForDirectoryControllers":{
           "shape":"UpdateSecurityGroupForDirectoryControllers",
-          "documentation":"<p>If set to true, updates the inbound and outbound rules of the security group that has the description: \"Amazon Web Services created security group for <i>directory ID</i> directory controllers.\" Following are the new rules: </p> <p>Inbound:</p> <ul> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 88, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 123, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 138, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 389, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 464, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 445, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 88, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 135, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 445, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 464, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 636, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 1024-65535, Source: 0.0.0.0/0</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 3268-33269, Source: 0.0.0.0/0</p> </li> <li> <p>Type: DNS (UDP), Protocol: UDP, Range: 53, Source: 0.0.0.0/0</p> </li> <li> <p>Type: DNS (TCP), Protocol: TCP, Range: 53, Source: 0.0.0.0/0</p> </li> <li> <p>Type: LDAP, Protocol: TCP, Range: 389, Source: 0.0.0.0/0</p> </li> <li> <p>Type: All ICMP, Protocol: All, Range: N/A, Source: 0.0.0.0/0</p> </li> </ul> <p/> <p>Outbound:</p> <ul> <li> <p>Type: All traffic, Protocol: All, Range: All, Destination: 0.0.0.0/0</p> </li> </ul> <p>These security rules impact an internal network interface that is not exposed publicly.</p>"
+          "documentation":"<p>If set to true, updates the inbound and outbound rules of the security group that has the description: \"Amazon Web Services created security group for <i>directory ID</i> directory controllers.\" Following are the new rules: </p> <p>Inbound:</p> <ul> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 88, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 123, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 138, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 389, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 464, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom UDP Rule, Protocol: UDP, Range: 445, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 88, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 135, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 445, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 464, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 636, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 1024-65535, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: Custom TCP Rule, Protocol: TCP, Range: 3268-33269, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: DNS (UDP), Protocol: UDP, Range: 53, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: DNS (TCP), Protocol: TCP, Range: 53, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: LDAP, Protocol: TCP, Range: 389, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> <li> <p>Type: All ICMP, Protocol: All, Range: N/A, Source: Managed Microsoft AD VPC IPv4 CIDR</p> </li> </ul> <p/> <p>Outbound:</p> <ul> <li> <p>Type: All traffic, Protocol: All, Range: All, Destination: 0.0.0.0/0</p> </li> </ul> <p>These security rules impact an internal network interface that is not exposed publicly.</p>"
         }
       }
     },
@@ -1951,7 +2006,7 @@
         },
         "TrustPassword":{
           "shape":"TrustPassword",
-          "documentation":"<p>The trust password. The must be the same password that was used when creating the trust relationship on the external domain.</p>"
+          "documentation":"<p>The trust password. The trust password must be the same password that was used when creating the trust relationship on the external domain.</p>"
         },
         "TrustDirection":{
           "shape":"TrustDirection",
@@ -1993,6 +2048,16 @@
       "min":1,
       "pattern":"^(?!.*\\\\|.*\"|.*\\/|.*\\[|.*\\]|.*:|.*;|.*\\||.*=|.*,|.*\\+|.*\\*|.*\\?|.*<|.*>|.*@).*$"
     },
+    "DataAccessStatus":{
+      "type":"string",
+      "enum":[
+        "Disabled",
+        "Disabling",
+        "Enabled",
+        "Enabling",
+        "Failed"
+      ]
+    },
     "DeleteAssociatedConditionalForwarder":{"type":"boolean"},
     "DeleteConditionalForwarderRequest":{
       "type":"structure",
@@ -2264,6 +2329,25 @@
       },
       "documentation":"<p>Contains the results of the <a>DescribeDirectories</a> operation.</p>"
     },
+    "DescribeDirectoryDataAccessRequest":{
+      "type":"structure",
+      "required":["DirectoryId"],
+      "members":{
+        "DirectoryId":{
+          "shape":"DirectoryId",
+          "documentation":"<p>The directory identifier.</p>"
+        }
+      }
+    },
+    "DescribeDirectoryDataAccessResult":{
+      "type":"structure",
+      "members":{
+        "DataAccessStatus":{
+          "shape":"DataAccessStatus",
+          "documentation":"<p>The current status of data access through the Directory Service Data API.</p>"
+        }
+      }
+    },
     "DescribeDomainControllersRequest":{
       "type":"structure",
       "required":["DirectoryId"],
@@ -2753,7 +2837,7 @@
         },
         "Type":{
           "shape":"DirectoryType",
-          "documentation":"<p>The directory size.</p>"
+          "documentation":"<p>The directory type.</p>"
         },
         "VpcSettings":{
           "shape":"DirectoryVpcSettingsDescription",
@@ -2925,7 +3009,8 @@
         "RestoreFailed",
         "Deleting",
         "Deleted",
-        "Failed"
+        "Failed",
+        "Updating"
       ]
     },
     "DirectoryType":{
@@ -2943,7 +3028,7 @@
         "Message":{"shape":"ExceptionMessage"},
         "RequestId":{"shape":"RequestId"}
       },
-      "documentation":"<p>The specified directory is unavailable or could not be found.</p>",
+      "documentation":"<p>The specified directory is unavailable.</p>",
       "exception":true
     },
     "DirectoryVpcSettings":{
@@ -2999,7 +3084,7 @@
         },
         "Type":{
           "shape":"ClientAuthenticationType",
-          "documentation":"<p>The type of client authentication to disable. Currently, only the parameter, <code>SmartCard</code> is supported.</p>"
+          "documentation":"<p>The type of client authentication to disable. Currently the only parameter <code>\"SmartCard\"</code> is supported.</p>"
         }
       }
     },
@@ -3008,6 +3093,21 @@
       "members":{
       }
     },
+    "DisableDirectoryDataAccessRequest":{
+      "type":"structure",
+      "required":["DirectoryId"],
+      "members":{
+        "DirectoryId":{
+          "shape":"DirectoryId",
+          "documentation":"<p>The directory identifier.</p>"
+        }
+      }
+    },
+    "DisableDirectoryDataAccessResult":{
+      "type":"structure",
+      "members":{
+      }
+    },
     "DisableLDAPSRequest":{
       "type":"structure",
       "required":[
@@ -3148,7 +3248,8 @@
         "Restoring",
         "Deleting",
         "Deleted",
-        "Failed"
+        "Failed",
+        "Updating"
       ]
     },
     "DomainControllerStatusReason":{"type":"string"},
@@ -3178,6 +3279,21 @@
       "members":{
       }
     },
+    "EnableDirectoryDataAccessRequest":{
+      "type":"structure",
+      "required":["DirectoryId"],
+      "members":{
+        "DirectoryId":{
+          "shape":"DirectoryId",
+          "documentation":"<p>The directory identifier.</p>"
+        }
+      }
+    },
+    "EnableDirectoryDataAccessResult":{
+      "type":"structure",
+      "members":{
+      }
+    },
     "EnableLDAPSRequest":{
       "type":"structure",
       "required":[
@@ -3865,7 +3981,7 @@
         },
         "RadiusRetries":{
           "shape":"RadiusRetries",
-          "documentation":"<p>The maximum number of times that communication with the RADIUS server is attempted.</p>"
+          "documentation":"<p>The maximum number of times that communication with the RADIUS server is retried after the initial attempt.</p>"
         },
         "SharedSecret":{
           "shape":"RadiusSharedSecret",
@@ -3903,7 +4019,7 @@
     },
     "RadiusTimeout":{
       "type":"integer",
-      "max":20,
+      "max":50,
       "min":1
     },
     "RegionDescription":{
@@ -4635,11 +4751,11 @@
       "members":{
         "Key":{
           "shape":"TagKey",
-          "documentation":"<p>Required name of the tag. The string value can be Unicode characters and cannot be prefixed with \"aws:\". The string can contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").</p>"
+          "documentation":"<p>Required name of the tag. The string value can be Unicode characters and cannot be prefixed with \"aws:\". The string can contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-', ':', '@'(Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").</p>"
         },
         "Value":{
           "shape":"TagValue",
-          "documentation":"<p>The optional value of the tag. The string value can be Unicode characters. The string can contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").</p>"
+          "documentation":"<p>The optional value of the tag. The string value can be Unicode characters. The string can contain only the set of Unicode letters, digits, white-space, '_', '.', '/', '=', '+', '-', ':', '@' (Java regex: \"^([\\\\p{L}\\\\p{Z}\\\\p{N}_.:/=+\\\\-]*)$\").</p>"
         }
       },
       "documentation":"<p>Metadata assigned to a directory consisting of a key-value pair.</p>"
