feat(client-verifiedpermissions): Adds deletion protection support to policy stores. Deletion protection is disabled by default, can be enabled via the CreatePolicyStore or UpdatePolicyStore APIs, and is visible in GetPolicyStore.

Author: awstools

clients/client-verifiedpermissions/src/commands/CreatePolicyStoreCommand.ts

@@ -59,6 +59,7 @@ export interface CreatePolicyStoreCommandOutput extends CreatePolicyStoreOutput,
  *     mode: "OFF" || "STRICT", // required
  *   },
  *   description: "STRING_VALUE",
+ *   deletionProtection: "ENABLED" || "DISABLED",
  * };
  * const command = new CreatePolicyStoreCommand(input);
  * const response = await client.send(command);

clients/client-verifiedpermissions/src/commands/DeletePolicyStoreCommand.ts

@@ -56,6 +56,9 @@ export interface DeletePolicyStoreCommandOutput extends DeletePolicyStoreOutput,
  * @see {@link DeletePolicyStoreCommandOutput} for command's `response` shape.
  * @see {@link VerifiedPermissionsClientResolvedConfig | config} for VerifiedPermissionsClient's `config` shape.
  *
+ * @throws {@link InvalidStateException} (client fault)
+ *  <p>The policy store can't be deleted because deletion protection is enabled. To delete this policy store, disable deletion protection.</p>
+ *
  * @throws {@link AccessDeniedException} (client fault)
  *  <p>You don't have sufficient access to perform this action.</p>
  *

clients/client-verifiedpermissions/src/commands/GetPolicyStoreCommand.ts

@@ -53,6 +53,7 @@ export interface GetPolicyStoreCommandOutput extends GetPolicyStoreOutput, __Met
  * //   createdDate: new Date("TIMESTAMP"), // required
  * //   lastUpdatedDate: new Date("TIMESTAMP"), // required
  * //   description: "STRING_VALUE",
+ * //   deletionProtection: "ENABLED" || "DISABLED",
  * // };
  *
  * ```

clients/client-verifiedpermissions/src/commands/UpdatePolicyStoreCommand.ts

@@ -54,6 +54,7 @@ export interface UpdatePolicyStoreCommandOutput extends UpdatePolicyStoreOutput,
  *   validationSettings: { // ValidationSettings
  *     mode: "OFF" || "STRICT", // required
  *   },
+ *   deletionProtection: "ENABLED" || "DISABLED",
  *   description: "STRING_VALUE",
  * };
  * const command = new UpdatePolicyStoreCommand(input);

clients/client-verifiedpermissions/src/models/models_0.ts

@@ -1958,6 +1958,20 @@ export interface CreatePolicyOutput {
   effect?: PolicyEffect | undefined;
 }
 
+/**
+ * @public
+ * @enum
+ */
+export const DeletionProtection = {
+  DISABLED: "DISABLED",
+  ENABLED: "ENABLED",
+} as const;
+
+/**
+ * @public
+ */
+export type DeletionProtection = (typeof DeletionProtection)[keyof typeof DeletionProtection];
+
 /**
  * @public
  * @enum
@@ -2049,6 +2063,13 @@ export interface CreatePolicyStoreInput {
    * @public
    */
   description?: string | undefined;
+
+  /**
+   * <p>Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.</p>
+   *          <p>The default state is <code>DISABLED</code>.</p>
+   * @public
+   */
+  deletionProtection?: DeletionProtection | undefined;
 }
 
 /**
@@ -2212,6 +2233,26 @@ export interface DeletePolicyStoreInput {
  */
 export interface DeletePolicyStoreOutput {}
 
+/**
+ * <p>The policy store can't be deleted because deletion protection is enabled. To delete this policy store, disable deletion protection.</p>
+ * @public
+ */
+export class InvalidStateException extends __BaseException {
+  readonly name: "InvalidStateException" = "InvalidStateException";
+  readonly $fault: "client" = "client";
+  /**
+   * @internal
+   */
+  constructor(opts: __ExceptionOptionType<InvalidStateException, __BaseException>) {
+    super({
+      name: "InvalidStateException",
+      $fault: "client",
+      ...opts,
+    });
+    Object.setPrototypeOf(this, InvalidStateException.prototype);
+  }
+}
+
 /**
  * @public
  */
@@ -2565,6 +2606,13 @@ export interface GetPolicyStoreOutput {
    * @public
    */
   description?: string | undefined;
+
+  /**
+   * <p>Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.</p>
+   *          <p>The default state is <code>DISABLED</code>.</p>
+   * @public
+   */
+  deletionProtection?: DeletionProtection | undefined;
 }
 
 /**
@@ -4117,6 +4165,13 @@ export interface UpdatePolicyStoreInput {
    */
   validationSettings: ValidationSettings | undefined;
 
+  /**
+   * <p>Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.</p>
+   *          <p>When you call <code>UpdatePolicyStore</code>, this parameter is unchanged unless explicitly included in the call.</p>
+   * @public
+   */
+  deletionProtection?: DeletionProtection | undefined;
+
   /**
    * <p>Descriptive text that you can provide to help with identification
    *             of the current policy store.</p>

clients/client-verifiedpermissions/src/protocols/Aws_json1_0.ts

@@ -133,6 +133,7 @@ import {
   IdentitySourceFilter,
   IdentitySourceItem,
   InternalServerException,
+  InvalidStateException,
   IsAuthorizedInput,
   IsAuthorizedWithTokenInput,
   ListIdentitySourcesInput,
@@ -1106,6 +1107,9 @@ const de_CommandError = async (output: __HttpResponse, context: __SerdeContext):
     case "ServiceQuotaExceededException":
     case "com.amazonaws.verifiedpermissions#ServiceQuotaExceededException":
       throw await de_ServiceQuotaExceededExceptionRes(parsedOutput, context);
+    case "InvalidStateException":
+    case "com.amazonaws.verifiedpermissions#InvalidStateException":
+      throw await de_InvalidStateExceptionRes(parsedOutput, context);
     default:
       const parsedBody = parsedOutput.body;
       return throwDefaultError({
@@ -1161,6 +1165,22 @@ const de_InternalServerExceptionRes = async (
   return __decorateServiceException(exception, body);
 };
 
+/**
+ * deserializeAws_json1_0InvalidStateExceptionRes
+ */
+const de_InvalidStateExceptionRes = async (
+  parsedOutput: any,
+  context: __SerdeContext
+): Promise<InvalidStateException> => {
+  const body = parsedOutput.body;
+  const deserialized: any = _json(body);
+  const exception = new InvalidStateException({
+    $metadata: deserializeMetadata(parsedOutput),
+    ...deserialized,
+  });
+  return __decorateServiceException(exception, body);
+};
+
 /**
  * deserializeAws_json1_0ResourceNotFoundExceptionRes
  */
@@ -1382,6 +1402,7 @@ const se_CreatePolicyInput = (input: CreatePolicyInput, context: __SerdeContext)
 const se_CreatePolicyStoreInput = (input: CreatePolicyStoreInput, context: __SerdeContext): any => {
   return take(input, {
     clientToken: [true, (_) => _ ?? generateIdempotencyToken()],
+    deletionProtection: [],
     description: [],
     validationSettings: _json,
   });
@@ -1928,6 +1949,7 @@ const de_GetPolicyStoreOutput = (output: any, context: __SerdeContext): GetPolic
   return take(output, {
     arn: __expectString,
     createdDate: (_: any) => __expectNonNull(__parseRfc3339DateTimeWithOffset(_)),
+    deletionProtection: __expectString,
     description: __expectString,
     lastUpdatedDate: (_: any) => __expectNonNull(__parseRfc3339DateTimeWithOffset(_)),
     policyStoreId: __expectString,
@@ -1995,6 +2017,8 @@ const de_IdentitySources = (output: any, context: __SerdeContext): IdentitySourc
 
 // de_InternalServerException omitted.
 
+// de_InvalidStateException omitted.
+
 // de_IsAuthorizedOutput omitted.
 
 // de_IsAuthorizedWithTokenOutput omitted.

codegen/sdk-codegen/aws-models/verifiedpermissions.json

@@ -1720,6 +1720,12 @@
           "traits": {
             "smithy.api#documentation": "<p>Descriptive text that you can provide to help with identification \n            of the current policy store.</p>"
           }
+        },
+        "deletionProtection": {
+          "target": "com.amazonaws.verifiedpermissions#DeletionProtection",
+          "traits": {
+            "smithy.api#documentation": "<p>Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.</p>\n         <p>The default state is <code>DISABLED</code>.</p>"
+          }
         }
       },
       "traits": {
@@ -2042,6 +2048,11 @@
       "output": {
         "target": "com.amazonaws.verifiedpermissions#DeletePolicyStoreOutput"
       },
+      "errors": [
+        {
+          "target": "com.amazonaws.verifiedpermissions#InvalidStateException"
+        }
+      ],
       "traits": {
         "aws.iam#iamAction": {
           "documentation": "Grants permission to delete the specified policy store"
@@ -2146,6 +2157,23 @@
         "smithy.api#output": {}
       }
     },
+    "com.amazonaws.verifiedpermissions#DeletionProtection": {
+      "type": "enum",
+      "members": {
+        "ENABLED": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "ENABLED"
+          }
+        },
+        "DISABLED": {
+          "target": "smithy.api#Unit",
+          "traits": {
+            "smithy.api#enumValue": "DISABLED"
+          }
+        }
+      }
+    },
     "com.amazonaws.verifiedpermissions#DeterminingPolicyItem": {
       "type": "structure",
       "members": {
@@ -2718,6 +2746,12 @@
           "traits": {
             "smithy.api#documentation": "<p>Descriptive text that you can provide to help with identification \n            of the current policy store.</p>"
           }
+        },
+        "deletionProtection": {
+          "target": "com.amazonaws.verifiedpermissions#DeletionProtection",
+          "traits": {
+            "smithy.api#documentation": "<p>Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.</p>\n         <p>The default state is <code>DISABLED</code>.</p>"
+          }
         }
       },
       "traits": {
@@ -3192,6 +3226,22 @@
         "smithy.api#retryable": {}
       }
     },
+    "com.amazonaws.verifiedpermissions#InvalidStateException": {
+      "type": "structure",
+      "members": {
+        "message": {
+          "target": "smithy.api#String",
+          "traits": {
+            "smithy.api#required": {}
+          }
+        }
+      },
+      "traits": {
+        "smithy.api#documentation": "<p>The policy store can't be deleted because deletion protection is enabled. To delete this policy store, disable deletion protection.</p>",
+        "smithy.api#error": "client",
+        "smithy.api#httpError": 406
+      }
+    },
     "com.amazonaws.verifiedpermissions#IpAddr": {
       "type": "string",
       "traits": {
@@ -5949,6 +5999,12 @@
             "smithy.api#required": {}
           }
         },
+        "deletionProtection": {
+          "target": "com.amazonaws.verifiedpermissions#DeletionProtection",
+          "traits": {
+            "smithy.api#documentation": "<p>Specifies whether the policy store can be deleted. If enabled, the policy store can't be deleted.</p>\n         <p>When you call <code>UpdatePolicyStore</code>, this parameter is unchanged unless explicitly included in the call.</p>"
+          }
+        },
         "description": {
           "target": "com.amazonaws.verifiedpermissions#PolicyStoreDescription",
           "traits": {