Guides

SSO-ADMIN

docs.aws.amazon.com
AWS documentation

AttachCustomerManagedPolicyReferenceToPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.CustomerManagedPolicyReference.Name == STRING
    input.Body.CustomerManagedPolicyReference.Path == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

AttachManagedPolicyToPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.ManagedPolicyArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateAccountAssignment

enum_PrincipalType := [ "USER", "GROUP" ]
enum_TargetType := [ "AWS_ACCOUNT" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.TargetId == STRING
    input.Body.TargetType == enum_TargetType[_]
    input.Body.PermissionSetArn == STRING
    input.Body.PrincipalType == enum_PrincipalType[_]
    input.Body.PrincipalId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateApplication

enum_ApplicationStatus := [ "ENABLED", "DISABLED" ]
enum_ApplicationVisibility := [ "ENABLED", "DISABLED" ]
enum_SignInOrigin := [ "IDENTITY_CENTER", "APPLICATION" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.ApplicationProviderArn == STRING
    input.Body.Name == STRING
    input.Body.Description == STRING
    input.Body.PortalOptions.SignInOptions.Origin == enum_SignInOrigin[_]
    input.Body.PortalOptions.SignInOptions.ApplicationUrl == STRING
    input.Body.PortalOptions.Visibility == enum_ApplicationVisibility[_]
    input.Body.Tags[_].Key == STRING
    input.Body.Tags[_].Value == STRING
    input.Body.Status == enum_ApplicationStatus[_]
    input.Body.ClientToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateApplicationAssignment

enum_PrincipalType := [ "USER", "GROUP" ]

valid {
    input.Body.ApplicationArn == STRING
    input.Body.PrincipalId == STRING
    input.Body.PrincipalType == enum_PrincipalType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateInstance

valid {
    input.Body.Name == STRING
    input.Body.ClientToken == STRING
    input.Body.Tags[_].Key == STRING
    input.Body.Tags[_].Value == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateInstanceAccessControlAttributeConfiguration

valid {
    input.Body.InstanceArn == STRING
    input.Body.InstanceAccessControlAttributeConfiguration.AccessControlAttributes[_].Key == STRING
    input.Body.InstanceAccessControlAttributeConfiguration.AccessControlAttributes[_].Value.Source[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreatePermissionSet

valid {
    input.Body.Name == STRING
    input.Body.Description == STRING
    input.Body.InstanceArn == STRING
    input.Body.SessionDuration == STRING
    input.Body.RelayState == STRING
    input.Body.Tags[_].Key == STRING
    input.Body.Tags[_].Value == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

CreateTrustedTokenIssuer

enum_JwksRetrievalOption := [ "OPEN_ID_DISCOVERY" ]
enum_TrustedTokenIssuerType := [ "OIDC_JWT" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.Name == STRING
    input.Body.TrustedTokenIssuerType == enum_TrustedTokenIssuerType[_]
    input.Body.TrustedTokenIssuerConfiguration.OidcJwtConfiguration.IssuerUrl == STRING
    input.Body.TrustedTokenIssuerConfiguration.OidcJwtConfiguration.ClaimAttributePath == STRING
    input.Body.TrustedTokenIssuerConfiguration.OidcJwtConfiguration.IdentityStoreAttributePath == STRING
    input.Body.TrustedTokenIssuerConfiguration.OidcJwtConfiguration.JwksRetrievalOption == enum_JwksRetrievalOption[_]
    input.Body.ClientToken == STRING
    input.Body.Tags[_].Key == STRING
    input.Body.Tags[_].Value == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteAccountAssignment

enum_PrincipalType := [ "USER", "GROUP" ]
enum_TargetType := [ "AWS_ACCOUNT" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.TargetId == STRING
    input.Body.TargetType == enum_TargetType[_]
    input.Body.PermissionSetArn == STRING
    input.Body.PrincipalType == enum_PrincipalType[_]
    input.Body.PrincipalId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteApplication

valid {
    input.Body.ApplicationArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteApplicationAccessScope

valid {
    input.Body.ApplicationArn == STRING
    input.Body.Scope == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteApplicationAssignment

enum_PrincipalType := [ "USER", "GROUP" ]

valid {
    input.Body.ApplicationArn == STRING
    input.Body.PrincipalId == STRING
    input.Body.PrincipalType == enum_PrincipalType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteApplicationAuthenticationMethod

enum_AuthenticationMethodType := [ "IAM" ]

valid {
    input.Body.ApplicationArn == STRING
    input.Body.AuthenticationMethodType == enum_AuthenticationMethodType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteApplicationGrant

enum_GrantType := [ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer", "urn:ietf:params:oauth:grant-type:token-exchange" ]

valid {
    input.Body.ApplicationArn == STRING
    input.Body.GrantType == enum_GrantType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteInlinePolicyFromPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteInstance

valid {
    input.Body.InstanceArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteInstanceAccessControlAttributeConfiguration

valid {
    input.Body.InstanceArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeletePermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeletePermissionsBoundaryFromPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DeleteTrustedTokenIssuer

valid {
    input.Body.TrustedTokenIssuerArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeAccountAssignmentCreationStatus

valid {
    input.Body.InstanceArn == STRING
    input.Body.AccountAssignmentCreationRequestId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeAccountAssignmentDeletionStatus

valid {
    input.Body.InstanceArn == STRING
    input.Body.AccountAssignmentDeletionRequestId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeApplication

valid {
    input.Body.ApplicationArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeApplicationAssignment

enum_PrincipalType := [ "USER", "GROUP" ]

valid {
    input.Body.ApplicationArn == STRING
    input.Body.PrincipalId == STRING
    input.Body.PrincipalType == enum_PrincipalType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeApplicationProvider

valid {
    input.Body.ApplicationProviderArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeInstance

valid {
    input.Body.InstanceArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeInstanceAccessControlAttributeConfiguration

valid {
    input.Body.InstanceArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribePermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribePermissionSetProvisioningStatus

valid {
    input.Body.InstanceArn == STRING
    input.Body.ProvisionPermissionSetRequestId == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DescribeTrustedTokenIssuer

valid {
    input.Body.TrustedTokenIssuerArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DetachCustomerManagedPolicyReferenceFromPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.CustomerManagedPolicyReference.Name == STRING
    input.Body.CustomerManagedPolicyReference.Path == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

DetachManagedPolicyFromPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.ManagedPolicyArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetApplicationAccessScope

valid {
    input.Body.ApplicationArn == STRING
    input.Body.Scope == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetApplicationAssignmentConfiguration

valid {
    input.Body.ApplicationArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetApplicationAuthenticationMethod

enum_AuthenticationMethodType := [ "IAM" ]

valid {
    input.Body.ApplicationArn == STRING
    input.Body.AuthenticationMethodType == enum_AuthenticationMethodType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetApplicationGrant

enum_GrantType := [ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer", "urn:ietf:params:oauth:grant-type:token-exchange" ]

valid {
    input.Body.ApplicationArn == STRING
    input.Body.GrantType == enum_GrantType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetApplicationSessionConfiguration

valid {
    input.Body.ApplicationArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetInlinePolicyForPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

GetPermissionsBoundaryForPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListAccountAssignmentCreationStatus

enum_StatusValues := [ "IN_PROGRESS", "FAILED", "SUCCEEDED" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.Body.Filter.Status == enum_StatusValues[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListAccountAssignmentDeletionStatus

enum_StatusValues := [ "IN_PROGRESS", "FAILED", "SUCCEEDED" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.Body.Filter.Status == enum_StatusValues[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListAccountAssignments

valid {
    input.Body.InstanceArn == STRING
    input.Body.AccountId == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListAccountAssignmentsForPrincipal

enum_PrincipalType := [ "USER", "GROUP" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.PrincipalId == STRING
    input.Body.PrincipalType == enum_PrincipalType[_]
    input.Body.Filter.AccountId == STRING
    input.Body.NextToken == STRING
    input.Body.MaxResults == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListAccountsForProvisionedPermissionSet

enum_ProvisioningStatus := [ "LATEST_PERMISSION_SET_PROVISIONED", "LATEST_PERMISSION_SET_NOT_PROVISIONED" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.ProvisioningStatus == enum_ProvisioningStatus[_]
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListApplicationAccessScopes

valid {
    input.Body.ApplicationArn == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListApplicationAssignments

valid {
    input.Body.ApplicationArn == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListApplicationAssignmentsForPrincipal

enum_PrincipalType := [ "USER", "GROUP" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.PrincipalId == STRING
    input.Body.PrincipalType == enum_PrincipalType[_]
    input.Body.Filter.ApplicationArn == STRING
    input.Body.NextToken == STRING
    input.Body.MaxResults == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListApplicationAuthenticationMethods

valid {
    input.Body.ApplicationArn == STRING
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListApplicationGrants

valid {
    input.Body.ApplicationArn == STRING
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListApplicationProviders

valid {
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListApplications

valid {
    input.Body.InstanceArn == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.Body.Filter.ApplicationAccount == STRING
    input.Body.Filter.ApplicationProvider == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListCustomerManagedPolicyReferencesInPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListInstances

valid {
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListManagedPoliciesInPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListPermissionSetProvisioningStatus

enum_StatusValues := [ "IN_PROGRESS", "FAILED", "SUCCEEDED" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.Body.Filter.Status == enum_StatusValues[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListPermissionSets

valid {
    input.Body.InstanceArn == STRING
    input.Body.NextToken == STRING
    input.Body.MaxResults == INTEGER
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListPermissionSetsProvisionedToAccount

enum_ProvisioningStatus := [ "LATEST_PERMISSION_SET_PROVISIONED", "LATEST_PERMISSION_SET_NOT_PROVISIONED" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.AccountId == STRING
    input.Body.ProvisioningStatus == enum_ProvisioningStatus[_]
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListTagsForResource

valid {
    input.Body.InstanceArn == STRING
    input.Body.ResourceArn == STRING
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ListTrustedTokenIssuers

valid {
    input.Body.InstanceArn == STRING
    input.Body.MaxResults == INTEGER
    input.Body.NextToken == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

ProvisionPermissionSet

enum_ProvisionTargetType := [ "AWS_ACCOUNT", "ALL_PROVISIONED_ACCOUNTS" ]

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.TargetId == STRING
    input.Body.TargetType == enum_ProvisionTargetType[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutApplicationAccessScope

valid {
    input.Body.Scope == STRING
    input.Body.AuthorizedTargets[_] == STRING
    input.Body.ApplicationArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutApplicationAssignmentConfiguration

valid {
    input.Body.ApplicationArn == STRING
    input.Body.AssignmentRequired == BOOLEAN
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutApplicationAuthenticationMethod

enum_AuthenticationMethodType := [ "IAM" ]

valid {
    input.Body.ApplicationArn == STRING
    input.Body.AuthenticationMethodType == enum_AuthenticationMethodType[_]
    input.Body.AuthenticationMethod.Iam.ActorPolicy == {}
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutApplicationGrant

enum_GrantType := [ "authorization_code", "refresh_token", "urn:ietf:params:oauth:grant-type:jwt-bearer", "urn:ietf:params:oauth:grant-type:token-exchange" ]

valid {
    input.Body.ApplicationArn == STRING
    input.Body.GrantType == enum_GrantType[_]
    input.Body.Grant.AuthorizationCode.RedirectUris[_] == STRING
    input.Body.Grant.JwtBearer.AuthorizedTokenIssuers[_].TrustedTokenIssuerArn == STRING
    input.Body.Grant.JwtBearer.AuthorizedTokenIssuers[_].AuthorizedAudiences[_] == STRING
    input.Body.Grant.RefreshToken == {}
    input.Body.Grant.TokenExchange == {}
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutApplicationSessionConfiguration

enum_UserBackgroundSessionApplicationStatus := [ "ENABLED", "DISABLED" ]

valid {
    input.Body.ApplicationArn == STRING
    input.Body.UserBackgroundSessionApplicationStatus == enum_UserBackgroundSessionApplicationStatus[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutInlinePolicyToPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.InlinePolicy == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

PutPermissionsBoundaryToPermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.PermissionsBoundary.CustomerManagedPolicyReference.Name == STRING
    input.Body.PermissionsBoundary.CustomerManagedPolicyReference.Path == STRING
    input.Body.PermissionsBoundary.ManagedPolicyArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

TagResource

valid {
    input.Body.InstanceArn == STRING
    input.Body.ResourceArn == STRING
    input.Body.Tags[_].Key == STRING
    input.Body.Tags[_].Value == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UntagResource

valid {
    input.Body.InstanceArn == STRING
    input.Body.ResourceArn == STRING
    input.Body.TagKeys[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateApplication

enum_ApplicationStatus := [ "ENABLED", "DISABLED" ]
enum_SignInOrigin := [ "IDENTITY_CENTER", "APPLICATION" ]

valid {
    input.Body.ApplicationArn == STRING
    input.Body.Name == STRING
    input.Body.Description == STRING
    input.Body.Status == enum_ApplicationStatus[_]
    input.Body.PortalOptions.SignInOptions.Origin == enum_SignInOrigin[_]
    input.Body.PortalOptions.SignInOptions.ApplicationUrl == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateInstance

enum_KmsKeyType := [ "AWS_OWNED_KMS_KEY", "CUSTOMER_MANAGED_KEY" ]

valid {
    input.Body.Name == STRING
    input.Body.InstanceArn == STRING
    input.Body.EncryptionConfiguration.KeyType == enum_KmsKeyType[_]
    input.Body.EncryptionConfiguration.KmsKeyArn == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateInstanceAccessControlAttributeConfiguration

valid {
    input.Body.InstanceArn == STRING
    input.Body.InstanceAccessControlAttributeConfiguration.AccessControlAttributes[_].Key == STRING
    input.Body.InstanceAccessControlAttributeConfiguration.AccessControlAttributes[_].Value.Source[_] == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdatePermissionSet

valid {
    input.Body.InstanceArn == STRING
    input.Body.PermissionSetArn == STRING
    input.Body.Description == STRING
    input.Body.SessionDuration == STRING
    input.Body.RelayState == STRING
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}

UpdateTrustedTokenIssuer

enum_JwksRetrievalOption := [ "OPEN_ID_DISCOVERY" ]

valid {
    input.Body.TrustedTokenIssuerArn == STRING
    input.Body.Name == STRING
    input.Body.TrustedTokenIssuerConfiguration.OidcJwtConfiguration.ClaimAttributePath == STRING
    input.Body.TrustedTokenIssuerConfiguration.OidcJwtConfiguration.IdentityStoreAttributePath == STRING
    input.Body.TrustedTokenIssuerConfiguration.OidcJwtConfiguration.JwksRetrievalOption == enum_JwksRetrievalOption[_]
    input.ProviderMetadata.Account == STRING
    input.ProviderMetadata.AccessKeyId == STRING
    input.ProviderMetadata.Region == STRING
}