Commit

feat(client-sfn): This release adds support to customer managed KMS key encryption in AWS Step Functions.
awstools committed Jul 25, 2024
1 parent 690bc7f commit 895cc68
Showing 23 changed files with 921 additions and 38 deletions.
2 changes: 1 addition & 1 deletion clients/client-sfn/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@ AWS SDK for JavaScript SFN Client for Node.js, Browser and React Native.

<fullname>Step Functions</fullname>

<p>Step Functions is a service that lets you coordinate the components of distributed applications
<p>Step Functions coordinates the components of distributed applications
and microservices using visual workflows.</p>
<p>You can use Step Functions to build applications from individual components, each of which performs
a discrete function, or <i>task</i>, allowing you to scale and change
2 changes: 1 addition & 1 deletion clients/client-sfn/src/SFN.ts
Expand Up @@ -790,7 +790,7 @@ export interface SFN {

/**
* <fullname>Step Functions</fullname>
* <p>Step Functions is a service that lets you coordinate the components of distributed applications
* <p>Step Functions coordinates the components of distributed applications
* and microservices using visual workflows.</p>
* <p>You can use Step Functions to build applications from individual components, each of which performs
* a discrete function, or <i>task</i>, allowing you to scale and change
2 changes: 1 addition & 1 deletion clients/client-sfn/src/SFNClient.ts
Expand Up @@ -397,7 +397,7 @@ export interface SFNClientResolvedConfig extends SFNClientResolvedConfigType {}

/**
* <fullname>Step Functions</fullname>
* <p>Step Functions is a service that lets you coordinate the components of distributed applications
* <p>Step Functions coordinates the components of distributed applications
* and microservices using visual workflows.</p>
* <p>You can use Step Functions to build applications from individual components, each of which performs
* a discrete function, or <i>task</i>, allowing you to scale and change
17 changes: 17 additions & 0 deletions clients/client-sfn/src/commands/CreateActivityCommand.ts
Expand Up @@ -59,6 +59,11 @@ export interface CreateActivityCommandOutput extends CreateActivityOutput, __Met
* value: "STRING_VALUE",
* },
* ],
* encryptionConfiguration: { // EncryptionConfiguration
* kmsKeyId: "STRING_VALUE",
* kmsDataKeyReusePeriodSeconds: Number("int"),
* type: "AWS_OWNED_KEY" || "CUSTOMER_MANAGED_KMS_KEY", // required
* },
* };
* const command = new CreateActivityCommand(input);
* const response = await client.send(command);
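Review bot: In the `encryptionConfiguration` sample only `type` is marked `// required`, and `kmsKeyId` carries no annotation, so the example does not show that `kmsKeyId` is needed when `type` is `CUSTOMER_MANAGED_KMS_KEY`, which the `InvalidEncryptionConfiguration` text later in this file states. If the generator allows it, a trailing comment on `kmsKeyId` noting that dependency would save callers a rejected request.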
Expand All @@ -75,13 +80,25 @@ export interface CreateActivityCommandOutput extends CreateActivityOutput, __Met
* @see {@link CreateActivityCommandOutput} for command's `response` shape.
* @see {@link SFNClientResolvedConfig | config} for SFNClient's `config` shape.
*
* @throws {@link ActivityAlreadyExists} (client fault)
* <p>Activity already exists. <code>EncryptionConfiguration</code> may not be updated.</p>
*
* @throws {@link ActivityLimitExceeded} (client fault)
* <p>The maximum number of activities has been reached. Existing activities must be deleted
* before a new activity can be created.</p>
*
* @throws {@link InvalidEncryptionConfiguration} (client fault)
* <p>Received when <code>encryptionConfiguration</code> is specified but various conditions exist which make the configuration invalid. For example, if <code>type</code> is set to <code>CUSTOMER_MANAGED_KMS_KEY</code>, but <code>kmsKeyId</code> is null, or <code>kmsDataKeyReusePeriodSeconds</code> is not between 60 and 900, or the KMS key is not symmetric or inactive.</p>
*
* @throws {@link InvalidName} (client fault)
* <p>The provided name is not valid.</p>
*
* @throws {@link KmsAccessDeniedException} (client fault)
* <p>Either your KMS key policy or API caller does not have the required permissions.</p>
*
* @throws {@link KmsThrottlingException} (client fault)
* <p>Received when KMS returns <code>ThrottlingException</code> for a KMS call that Step Functions makes on behalf of the caller.</p>
*
* @throws {@link TooManyTags} (client fault)
* <p>You've exceeded the number of tags allowed for a resource. See the <a href="https://docs.aws.amazon.com/step-functions/latest/dg/limits.html"> Limits Topic</a> in the
* Step Functions Developer Guide.</p>
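Review bot: The `InvalidEncryptionConfiguration` description ends with "the KMS key is not symmetric or inactive", which reads as "not symmetric or not inactive". If the intent is that an inactive key is rejected, write "the KMS key is not symmetric or is inactive". The same sentence gives the range for `kmsDataKeyReusePeriodSeconds` as "between 60 and 900" without saying whether the bounds are inclusive; worth stating.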
25 changes: 21 additions & 4 deletions clients/client-sfn/src/commands/CreateStateMachineCommand.ts
Expand Up @@ -40,6 +40,9 @@ export interface CreateStateMachineCommandOutput extends CreateStateMachineOutpu
* Language</a> in the Step Functions User Guide.</p>
* <p>If you set the <code>publish</code> parameter of this API action to <code>true</code>, it
* publishes version <code>1</code> as the first revision of the state machine.</p>
* <p>
* For additional control over security, you can encrypt your data using a <b>customer-managed key</b> for Step Functions state machines. You can configure a symmetric KMS key and data key reuse period when creating or updating a <b>State Machine</b>. The execution history and state machine definition will be encrypted with the key applied to the State Machine.
* </p>
* <note>
* <p>This operation is eventually consistent. The results are best effort and may not reflect very recent updates and changes.</p>
* </note>
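Review bot: The added paragraph does not say what applies when `encryptionConfiguration` is omitted, even though the `type` enum in this file offers `AWS_OWNED_KEY` alongside `CUSTOMER_MANAGED_KMS_KEY`; a sentence naming the default would let readers tell whether they need to act. Minor style point in the same paragraph: "State Machine" is capitalized (and bolded once) where the surrounding text writes "state machine".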
Expand All @@ -48,8 +51,8 @@ export interface CreateStateMachineCommandOutput extends CreateStateMachineOutpu
* <code>CreateStateMachine</code> is an idempotent API. Subsequent requests won’t create a
* duplicate resource if it was already created. <code>CreateStateMachine</code>'s idempotency
* check is based on the state machine <code>name</code>, <code>definition</code>,
* <code>type</code>, <code>LoggingConfiguration</code>, and
* <code>TracingConfiguration</code>. The check is also based on the <code>publish</code> and <code>versionDescription</code> parameters. If a following request has a different
* <code>type</code>, <code>LoggingConfiguration</code>,
* <code>TracingConfiguration</code>, and <code>EncryptionConfiguration</code> The check is also based on the <code>publish</code> and <code>versionDescription</code> parameters. If a following request has a different
* <code>roleArn</code> or <code>tags</code>, Step Functions will ignore these differences and treat
* it as an idempotent request of the previous. In this case, <code>roleArn</code> and
* <code>tags</code> will not be updated, even if they are different.</p>
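Review bot: The rewritten idempotency sentence drops its full stop: "and <code>EncryptionConfiguration</code> The check is also based on ..." runs two sentences together. Add the period after `</code>`. It would also help to keep the casing consistent with the request field, which the example in this file spells `encryptionConfiguration`.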
Expand Down Expand Up @@ -87,6 +90,11 @@ export interface CreateStateMachineCommandOutput extends CreateStateMachineOutpu
* },
* publish: true || false,
* versionDescription: "STRING_VALUE",
* encryptionConfiguration: { // EncryptionConfiguration
* kmsKeyId: "STRING_VALUE",
* kmsDataKeyReusePeriodSeconds: Number("int"),
* type: "AWS_OWNED_KEY" || "CUSTOMER_MANAGED_KMS_KEY", // required
* },
* };
* const command = new CreateStateMachineCommand(input);
* const response = await client.send(command);
Expand Down Expand Up @@ -114,8 +122,11 @@ export interface CreateStateMachineCommandOutput extends CreateStateMachineOutpu
* @throws {@link InvalidDefinition} (client fault)
* <p>The provided Amazon States Language definition is not valid.</p>
*
* @throws {@link InvalidEncryptionConfiguration} (client fault)
* <p>Received when <code>encryptionConfiguration</code> is specified but various conditions exist which make the configuration invalid. For example, if <code>type</code> is set to <code>CUSTOMER_MANAGED_KMS_KEY</code>, but <code>kmsKeyId</code> is null, or <code>kmsDataKeyReusePeriodSeconds</code> is not between 60 and 900, or the KMS key is not symmetric or inactive.</p>
*
* @throws {@link InvalidLoggingConfiguration} (client fault)
* <p></p>
* <p>Configuration is not valid.</p>
*
* @throws {@link InvalidName} (client fault)
* <p>The provided name is not valid.</p>
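Review bot: The new text for `InvalidLoggingConfiguration`, "Configuration is not valid.", does not say which configuration, and this operation now has logging, tracing and encryption configurations that each raise their own exception. Suggest "The provided logging configuration is not valid." to match the wording used for `InvalidName` and `InvalidArn`.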
Expand All @@ -124,6 +135,12 @@ export interface CreateStateMachineCommandOutput extends CreateStateMachineOutpu
* <p>Your <code>tracingConfiguration</code> key does not match, or <code>enabled</code> has not
* been set to <code>true</code> or <code>false</code>.</p>
*
* @throws {@link KmsAccessDeniedException} (client fault)
* <p>Either your KMS key policy or API caller does not have the required permissions.</p>
*
* @throws {@link KmsThrottlingException} (client fault)
* <p>Received when KMS returns <code>ThrottlingException</code> for a KMS call that Step Functions makes on behalf of the caller.</p>
*
* @throws {@link StateMachineAlreadyExists} (client fault)
* <p>A state machine with the same name but a different definition or role ARN already
* exists.</p>
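Review bot: The `StateMachineAlreadyExists` description left in context still says "same name but a different definition or role ARN", while this commit adds `EncryptionConfiguration` to the idempotency check described earlier in the same file. If a create request that differs only in encryption settings raises this exception, the description should list it; if it does not, the idempotency paragraph should say what happens instead.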
Expand All @@ -136,7 +153,7 @@ export interface CreateStateMachineCommandOutput extends CreateStateMachineOutpu
* deleted before a new state machine can be created.</p>
*
* @throws {@link StateMachineTypeNotSupported} (client fault)
* <p></p>
* <p>State machine type is not supported.</p>
*
* @throws {@link TooManyTags} (client fault)
* <p>You've exceeded the number of tags allowed for a resource. See the <a href="https://docs.aws.amazon.com/step-functions/latest/dg/limits.html"> Limits Topic</a> in the
Expand Up @@ -30,9 +30,7 @@ export interface DeleteStateMachineVersionCommandOutput extends DeleteStateMachi
/**
* <p>Deletes a state machine <a href="https://docs.aws.amazon.com/step-functions/latest/dg/concepts-state-machine-version.html">version</a>. After
* you delete a version, you can't call <a>StartExecution</a> using that version's ARN
* or use
* the
* version with a state machine <a href="https://docs.aws.amazon.com/step-functions/latest/dg/concepts-state-machine-alias.html">alias</a>.</p>
* or use the version with a state machine <a href="https://docs.aws.amazon.com/step-functions/latest/dg/concepts-state-machine-alias.html">alias</a>.</p>
* <note>
* <p>Deleting a state machine version won't terminate its in-progress executions.</p>
* </note>
5 changes: 5 additions & 0 deletions clients/client-sfn/src/commands/DescribeActivityCommand.ts
Expand Up @@ -47,6 +47,11 @@ export interface DescribeActivityCommandOutput extends DescribeActivityOutput, _
* // activityArn: "STRING_VALUE", // required
* // name: "STRING_VALUE", // required
* // creationDate: new Date("TIMESTAMP"), // required
* // encryptionConfiguration: { // EncryptionConfiguration
* // kmsKeyId: "STRING_VALUE",
* // kmsDataKeyReusePeriodSeconds: Number("int"),
* // type: "AWS_OWNED_KEY" || "CUSTOMER_MANAGED_KMS_KEY", // required
* // },
* // };
*
* ```
10 changes: 10 additions & 0 deletions clients/client-sfn/src/commands/DescribeExecutionCommand.ts
Expand Up @@ -47,6 +47,7 @@ export interface DescribeExecutionCommandOutput extends DescribeExecutionOutput,
* const client = new SFNClient(config);
* const input = { // DescribeExecutionInput
* executionArn: "STRING_VALUE", // required
* includedData: "ALL_DATA" || "METADATA_ONLY",
* };
* const command = new DescribeExecutionCommand(input);
* const response = await client.send(command);
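Review bot: `includedData: "ALL_DATA" || "METADATA_ONLY"` is added to the example input with no accompanying explanation in the visible doc comment: it is not marked required, no default is given, and nothing ties it to the KMS exceptions this commit adds to the same command. A short paragraph in the command description stating the default and whether `METADATA_ONLY` changes which KMS permissions the caller needs would make the option usable without reading the service guide.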
Expand Down Expand Up @@ -91,6 +92,15 @@ export interface DescribeExecutionCommandOutput extends DescribeExecutionOutput,
* @throws {@link InvalidArn} (client fault)
* <p>The provided Amazon Resource Name (ARN) is not valid.</p>
*
* @throws {@link KmsAccessDeniedException} (client fault)
* <p>Either your KMS key policy or API caller does not have the required permissions.</p>
*
* @throws {@link KmsInvalidStateException} (client fault)
* <p>The KMS key is not in valid state, for example: Disabled or Deleted.</p>
*
* @throws {@link KmsThrottlingException} (client fault)
* <p>Received when KMS returns <code>ThrottlingException</code> for a KMS call that Step Functions makes on behalf of the caller.</p>
*
* @throws {@link SFNServiceException}
* <p>Base exception class for all service exceptions from SFN service.</p>
*
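Review bot: The `KmsAccessDeniedException` text ("Either your KMS key policy or API caller does not have the required permissions") does not name the permissions involved, so a caller hitting it cannot tell what to grant or on which side. Suggest listing the KMS actions this operation needs, or linking to where they are documented. Also, "The KMS key is not in valid state" in `KmsInvalidStateException` should read "not in a valid state".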
15 changes: 15 additions & 0 deletions clients/client-sfn/src/commands/DescribeStateMachineCommand.ts
Expand Up @@ -74,6 +74,7 @@ export interface DescribeStateMachineCommandOutput extends DescribeStateMachineO
* const client = new SFNClient(config);
* const input = { // DescribeStateMachineInput
* stateMachineArn: "STRING_VALUE", // required
* includedData: "ALL_DATA" || "METADATA_ONLY",
* };
* const command = new DescribeStateMachineCommand(input);
* const response = await client.send(command);
Expand Down Expand Up @@ -102,6 +103,11 @@ export interface DescribeStateMachineCommandOutput extends DescribeStateMachineO
* // label: "STRING_VALUE",
* // revisionId: "STRING_VALUE",
* // description: "STRING_VALUE",
* // encryptionConfiguration: { // EncryptionConfiguration
* // kmsKeyId: "STRING_VALUE",
* // kmsDataKeyReusePeriodSeconds: Number("int"),
* // type: "AWS_OWNED_KEY" || "CUSTOMER_MANAGED_KMS_KEY", // required
* // },
* // };
*
* ```
Expand All @@ -115,6 +121,15 @@ export interface DescribeStateMachineCommandOutput extends DescribeStateMachineO
* @throws {@link InvalidArn} (client fault)
* <p>The provided Amazon Resource Name (ARN) is not valid.</p>
*
* @throws {@link KmsAccessDeniedException} (client fault)
* <p>Either your KMS key policy or API caller does not have the required permissions.</p>
*
* @throws {@link KmsInvalidStateException} (client fault)
* <p>The KMS key is not in valid state, for example: Disabled or Deleted.</p>
*
* @throws {@link KmsThrottlingException} (client fault)
* <p>Received when KMS returns <code>ThrottlingException</code> for a KMS call that Step Functions makes on behalf of the caller.</p>
*
* @throws {@link StateMachineDoesNotExist} (client fault)
* <p>The specified state machine does not exist.</p>
*
Expand Up @@ -39,9 +39,7 @@ export interface DescribeStateMachineForExecutionCommandOutput
/**
* <p>Provides information about a state machine's definition, its execution role ARN, and
* configuration. If a Map Run dispatched the execution, this action returns the Map Run
* Amazon Resource Name (ARN) in the response.
* The
* state machine returned is the state machine associated with the
* Amazon Resource Name (ARN) in the response. The state machine returned is the state machine associated with the
* Map Run.</p>
* <note>
* <p>This operation is eventually consistent. The results are best effort and may not reflect very recent updates and changes.</p>
Expand All @@ -55,6 +53,7 @@ export interface DescribeStateMachineForExecutionCommandOutput
* const client = new SFNClient(config);
* const input = { // DescribeStateMachineForExecutionInput
* executionArn: "STRING_VALUE", // required
* includedData: "ALL_DATA" || "METADATA_ONLY",
* };
* const command = new DescribeStateMachineForExecutionCommand(input);
* const response = await client.send(command);
Expand All @@ -81,6 +80,11 @@ export interface DescribeStateMachineForExecutionCommandOutput
* // mapRunArn: "STRING_VALUE",
* // label: "STRING_VALUE",
* // revisionId: "STRING_VALUE",
* // encryptionConfiguration: { // EncryptionConfiguration
* // kmsKeyId: "STRING_VALUE",
* // kmsDataKeyReusePeriodSeconds: Number("int"),
* // type: "AWS_OWNED_KEY" || "CUSTOMER_MANAGED_KMS_KEY", // required
* // },
* // };
*
* ```
Expand All @@ -97,6 +101,15 @@ export interface DescribeStateMachineForExecutionCommandOutput
* @throws {@link InvalidArn} (client fault)
* <p>The provided Amazon Resource Name (ARN) is not valid.</p>
*
* @throws {@link KmsAccessDeniedException} (client fault)
* <p>Either your KMS key policy or API caller does not have the required permissions.</p>
*
* @throws {@link KmsInvalidStateException} (client fault)
* <p>The KMS key is not in valid state, for example: Disabled or Deleted.</p>
*
* @throws {@link KmsThrottlingException} (client fault)
* <p>Received when KMS returns <code>ThrottlingException</code> for a KMS call that Step Functions makes on behalf of the caller.</p>
*
* @throws {@link SFNServiceException}
* <p>Base exception class for all service exceptions from SFN service.</p>
*
9 changes: 9 additions & 0 deletions clients/client-sfn/src/commands/GetActivityTaskCommand.ts
Expand Up @@ -83,6 +83,15 @@ export interface GetActivityTaskCommandOutput extends GetActivityTaskOutput, __M
* @throws {@link InvalidArn} (client fault)
* <p>The provided Amazon Resource Name (ARN) is not valid.</p>
*
* @throws {@link KmsAccessDeniedException} (client fault)
* <p>Either your KMS key policy or API caller does not have the required permissions.</p>
*
* @throws {@link KmsInvalidStateException} (client fault)
* <p>The KMS key is not in valid state, for example: Disabled or Deleted.</p>
*
* @throws {@link KmsThrottlingException} (client fault)
* <p>Received when KMS returns <code>ThrottlingException</code> for a KMS call that Step Functions makes on behalf of the caller.</p>
*
* @throws {@link SFNServiceException}
* <p>Base exception class for all service exceptions from SFN service.</p>
*
9 changes: 9 additions & 0 deletions clients/client-sfn/src/commands/GetExecutionHistoryCommand.ts
Expand Up @@ -264,6 +264,15 @@ export interface GetExecutionHistoryCommandOutput extends GetExecutionHistoryOut
* @throws {@link InvalidToken} (client fault)
* <p>The provided token is not valid.</p>
*
* @throws {@link KmsAccessDeniedException} (client fault)
* <p>Either your KMS key policy or API caller does not have the required permissions.</p>
*
* @throws {@link KmsInvalidStateException} (client fault)
* <p>The KMS key is not in valid state, for example: Disabled or Deleted.</p>
*
* @throws {@link KmsThrottlingException} (client fault)
* <p>Received when KMS returns <code>ThrottlingException</code> for a KMS call that Step Functions makes on behalf of the caller.</p>
*
* @throws {@link SFNServiceException}
* <p>Base exception class for all service exceptions from SFN service.</p>
*
2 changes: 1 addition & 1 deletion clients/client-sfn/src/commands/ListExecutionsCommand.ts
Expand Up @@ -95,7 +95,7 @@ export interface ListExecutionsCommandOutput extends ListExecutionsOutput, __Met
* <p>The specified state machine does not exist.</p>
*
* @throws {@link StateMachineTypeNotSupported} (client fault)
* <p></p>
* <p>State machine type is not supported.</p>
*
* @throws {@link ValidationException} (client fault)
* <p>The input does not satisfy the constraints specified by an Amazon Web Services service.</p>
11 changes: 11 additions & 0 deletions clients/client-sfn/src/commands/SendTaskFailureCommand.ts
Expand Up @@ -34,6 +34,8 @@ export interface SendTaskFailureCommandOutput extends SendTaskFailureOutput, __M
/**
* <p>Used by activity workers, Task states using the <a href="https://docs.aws.amazon.com/step-functions/latest/dg/connect-to-resource.html#connect-wait-token">callback</a>
* pattern, and optionally Task states using the <a href="https://docs.aws.amazon.com/step-functions/latest/dg/connect-to-resource.html#connect-sync">job run</a> pattern to report that the task identified by the <code>taskToken</code> failed.</p>
* <p>For an execution with encryption enabled, Step Functions will encrypt the error and cause fields using the KMS key for the execution role.</p>
* <p>A caller can mark a task as fail without using any KMS permissions in the execution role if the caller provides a null value for both <code>error</code> and <code>cause</code> fields because no data needs to be encrypted.</p>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
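Review bot: The first added sentence says the error and cause fields are encrypted "using the KMS key for the execution role", but the `CreateStateMachine` documentation in this same commit describes the key as "applied to the State Machine", and the next sentence here speaks of "KMS permissions in the execution role". Suggest rewording to make clear that the key belongs to the state machine and the role only needs permission to use it. "mark a task as fail" in the second sentence should be "mark a task as failed".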
Expand All @@ -60,6 +62,15 @@ export interface SendTaskFailureCommandOutput extends SendTaskFailureOutput, __M
* @throws {@link InvalidToken} (client fault)
* <p>The provided token is not valid.</p>
*
* @throws {@link KmsAccessDeniedException} (client fault)
* <p>Either your KMS key policy or API caller does not have the required permissions.</p>
*
* @throws {@link KmsInvalidStateException} (client fault)
* <p>The KMS key is not in valid state, for example: Disabled or Deleted.</p>
*
* @throws {@link KmsThrottlingException} (client fault)
* <p>Received when KMS returns <code>ThrottlingException</code> for a KMS call that Step Functions makes on behalf of the caller.</p>
*
* @throws {@link TaskDoesNotExist} (client fault)
* <p>The activity does not exist.</p>
*
9 changes: 9 additions & 0 deletions clients/client-sfn/src/commands/SendTaskSuccessCommand.ts
Expand Up @@ -63,6 +63,15 @@ export interface SendTaskSuccessCommandOutput extends SendTaskSuccessOutput, __M
* @throws {@link InvalidToken} (client fault)
* <p>The provided token is not valid.</p>
*
* @throws {@link KmsAccessDeniedException} (client fault)
* <p>Either your KMS key policy or API caller does not have the required permissions.</p>
*
* @throws {@link KmsInvalidStateException} (client fault)
* <p>The KMS key is not in valid state, for example: Disabled or Deleted.</p>
*
* @throws {@link KmsThrottlingException} (client fault)
* <p>Received when KMS returns <code>ThrottlingException</code> for a KMS call that Step Functions makes on behalf of the caller.</p>
*
* @throws {@link TaskDoesNotExist} (client fault)
* <p>The activity does not exist.</p>
*