AWS Native is in preview. AWS Classic is fully supported.
aws-native.networkfirewall.FirewallPolicy
Resource type definition for AWS::NetworkFirewall::FirewallPolicy
Create FirewallPolicy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
TypeScript:
  new FirewallPolicy(name: string, args: FirewallPolicyArgs, opts?: CustomResourceOptions);
Python:
  @overload
  def FirewallPolicy(resource_name: str,
                     args: FirewallPolicyInitArgs,
                     opts: Optional[ResourceOptions] = None)
  @overload
  def FirewallPolicy(resource_name: str,
                     opts: Optional[ResourceOptions] = None,
                     firewall_policy: Optional[FirewallPolicyArgs] = None,
                     description: Optional[str] = None,
                     firewall_policy_name: Optional[str] = None,
                     tags: Optional[Sequence[_root_inputs.TagArgs]] = None)
Go:
  func NewFirewallPolicy(ctx *Context, name string, args FirewallPolicyArgs, opts ...ResourceOption) (*FirewallPolicy, error)
C#:
  public FirewallPolicy(string name, FirewallPolicyArgs args, CustomResourceOptions? opts = null)
Java:
  public FirewallPolicy(String name, FirewallPolicyArgs args)
  public FirewallPolicy(String name, FirewallPolicyArgs args, CustomResourceOptions options)
YAML:
  type: aws-native:networkfirewall:FirewallPolicy
  properties: # The arguments to resource properties.
  options: # Bag of options to control resource's behavior.
Parameters
TypeScript:
- name string - The unique name of the resource.
- args FirewallPolicyArgs - The arguments to resource properties.
- opts CustomResourceOptions - Bag of options to control resource's behavior.
Python:
- resource_name str - The unique name of the resource.
- args FirewallPolicyInitArgs - The arguments to resource properties.
- opts ResourceOptions - Bag of options to control resource's behavior.
Go:
- ctx Context - Context object for the current deployment.
- name string - The unique name of the resource.
- args FirewallPolicyArgs - The arguments to resource properties.
- opts ResourceOption - Bag of options to control resource's behavior.
C#:
- name string - The unique name of the resource.
- args FirewallPolicyArgs - The arguments to resource properties.
- opts CustomResourceOptions - Bag of options to control resource's behavior.
Java:
- name String - The unique name of the resource.
- args FirewallPolicyArgs - The arguments to resource properties.
- options CustomResourceOptions - Bag of options to control resource's behavior.
FirewallPolicy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
The FirewallPolicy resource accepts the following input properties. Types are given per language in the order C# / Go / Java / TypeScript / Python / YAML; property names are PascalCase in C# and Go, camelCase in Java, TypeScript and YAML, and snake_case in Python.
- FirewallPolicy (FirewallPolicyValue in C#, firewall_policy in Python) Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicy / FirewallPolicyTypeArgs / FirewallPolicy / FirewallPolicy / FirewallPolicyArgs / Property Map - The traffic filtering behavior of a firewall policy, defined in a collection of stateless and stateful rule groups and other settings.
- Description string / string / String / string / str / String - A description of the firewall policy.
- FirewallPolicyName string / string / String / string / str / String - The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.
- Tags List<Pulumi.AwsNative.Inputs.Tag> / TagArgs / List<Tag> / Tag[] / Sequence[TagArgs] / List<Property Map> - An array of key-value pairs to apply to this resource. For more information, see Tag.
Outputs
All input properties are implicitly available as output properties. Additionally, the FirewallPolicy resource produces the following output properties. Types are given per language in the order C# / Go / Java / TypeScript / Python / YAML; names are PascalCase in C# and Go, camelCase in Java, TypeScript and YAML, and snake_case in Python.
- FirewallPolicyArn string / string / String / string / str / String - The Amazon Resource Name (ARN) of the FirewallPolicy.
- FirewallPolicyId string / string / String / string / str / String - The unique ID of the FirewallPolicy resource.
- Id string / string / String / string / str / String - The provider-assigned unique ID for this managed resource.
Supporting Types
FirewallPolicy, FirewallPolicyArgs
Types are given per language in the order C# / Go / Java / TypeScript / Python / YAML; names are PascalCase in C# and Go, camelCase in Java, TypeScript and YAML, and snake_case in Python. Object-typed properties use the Pulumi.AwsNative.NetworkFirewall.Inputs.* classes in C# and Property Map in YAML.
- StatelessDefaultActions List<string> / []string / List<String> / string[] / Sequence[str] / List<String> - The actions to take on a packet if it doesn't match any of the stateless rules in the policy. If you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe. You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard section choice. For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions.
- StatelessFragmentDefaultActions List<string> / []string / List<String> / string[] / Sequence[str] / List<String> - The actions to take on a fragmented packet if it doesn't match any of the stateless rules in the policy. If you want non-matching fragmented packets to be forwarded for stateful inspection, specify aws:forward_to_sfe. You must specify one of the standard actions: aws:pass, aws:drop, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard section choice. For example, you could specify ["aws:pass"] or you could specify ["aws:pass", "customActionName"]. For information about compatibility, see the custom action descriptions.
- PolicyVariables FirewallPolicyPolicyVariablesProperties (C# Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyPolicyVariablesProperties, YAML Property Map) - Contains variables that you can use to override default Suricata settings in your firewall policy.
- StatefulDefaultActions List<string> / []string / List<String> / string[] / Sequence[str] / List<String> - The default actions to take on a packet that doesn't match any stateful rules. The stateful default action is optional, and is only valid when using the strict rule order. Valid values of the stateful default action:
  - aws:drop_strict
  - aws:drop_established
  - aws:alert_strict
  - aws:alert_established
  For more information, see Strict evaluation order in the AWS Network Firewall Developer Guide.
- StatefulEngineOptions FirewallPolicyStatefulEngineOptions (C# Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatefulEngineOptions, YAML Property Map) - Additional options governing how Network Firewall handles stateful rules. The stateful rule groups that you use in your policy must have stateful rule options settings that are compatible with these settings.
- StatefulRuleGroupReferences List<Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatefulRuleGroupReference> / []FirewallPolicyStatefulRuleGroupReference / List<FirewallPolicyStatefulRuleGroupReference> / FirewallPolicyStatefulRuleGroupReference[] / Sequence[FirewallPolicyStatefulRuleGroupReference] / List<Property Map> - References to the stateful rule groups that are used in the policy. These define the inspection criteria in stateful rules.
- StatelessCustomActions List<Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyCustomAction> / []FirewallPolicyCustomAction / List<FirewallPolicyCustomAction> / FirewallPolicyCustomAction[] / Sequence[FirewallPolicyCustomAction] / List<Property Map> - The custom action definitions that are available for use in the firewall policy's StatelessDefaultActions setting. You name each custom action that you define, and then you can use it by name in your default actions specifications.
- StatelessRuleGroupReferences List<Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatelessRuleGroupReference> / []FirewallPolicyStatelessRuleGroupReference / List<FirewallPolicyStatelessRuleGroupReference> / FirewallPolicyStatelessRuleGroupReference[] / Sequence[FirewallPolicyStatelessRuleGroupReference] / List<Property Map> - References to the stateless rule groups that are used in the policy. These define the matching criteria in stateless rules.
- TlsInspectionConfigurationArn string / string / String / string / str / String - The Amazon Resource Name (ARN) of the TLS inspection configuration.
FirewallPolicyActionDefinition, FirewallPolicyActionDefinitionArgs
- PublishMetricAction FirewallPolicyPublishMetricAction (C# Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyPublishMetricAction, YAML Property Map; publishMetricAction in Java, TypeScript and YAML, publish_metric_action in Python) - Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.
  You can pair this custom action with any of the standard stateless rule actions. For example, you could pair this in a rule action with the standard action that forwards the packet for stateful inspection. Then, when a packet matches the rule, Network Firewall publishes metrics for the packet and forwards it.
FirewallPolicyCustomAction, FirewallPolicyCustomActionArgs
- ActionDefinition FirewallPolicyActionDefinition (C# Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyActionDefinition, YAML Property Map; actionDefinition in Java, TypeScript and YAML, action_definition in Python) - The custom action associated with the action name.
- ActionName string (String in Java and YAML, str in Python; actionName in Java, TypeScript and YAML, action_name in Python) - The descriptive name of the custom action. You can't change the name of a custom action after you create it.
FirewallPolicyDimension, FirewallPolicyDimensionArgs
- Value string (String in Java and YAML, str in Python; lower-case value outside C# and Go) - The value to use in the custom metric dimension.
FirewallPolicyIpSet, FirewallPolicyIpSetArgs
- Definition List<string> / []string / List<String> / string[] / Sequence[str] / List<String> (C# / Go / Java / TypeScript / Python / YAML; lower-case definition outside C# and Go) - The list of IP addresses and address ranges, in CIDR notation.
FirewallPolicyOverrideAction, FirewallPolicyOverrideActionArgs
Enum with a single member whose value is DROP_TO_ALERT:
- C#, Java, TypeScript: DropToAlert
- Go: FirewallPolicyOverrideActionDropToAlert
- Python: DROP_TO_ALERT
- YAML: "DROP_TO_ALERT"
FirewallPolicyPolicyVariablesProperties, FirewallPolicyPolicyVariablesPropertiesArgs
- RuleVariables (ruleVariables in Java, TypeScript and YAML, rule_variables in Python) - a map from string to FirewallPolicyIpSet: Dictionary<string, Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyIpSet> in C#, map[string]FirewallPolicyIpSet in Go, Map<String,FirewallPolicyIpSet> in Java, {[key: string]: FirewallPolicyIpSet} in TypeScript, Mapping[str, FirewallPolicyIpSet] in Python, Map<Property Map> in YAML.
FirewallPolicyPublishMetricAction, FirewallPolicyPublishMetricActionArgs
FirewallPolicyRuleOrder, FirewallPolicyRuleOrderArgs
Enum with two members:
- DEFAULT_ACTION_ORDER: DefaultActionOrder in C#, Java and TypeScript; FirewallPolicyRuleOrderDefaultActionOrder in Go; DEFAULT_ACTION_ORDER in Python; "DEFAULT_ACTION_ORDER" in YAML
- STRICT_ORDER: StrictOrder in C#, Java and TypeScript; FirewallPolicyRuleOrderStrictOrder in Go; STRICT_ORDER in Python; "STRICT_ORDER" in YAML
FirewallPolicyStatefulEngineOptions, FirewallPolicyStatefulEngineOptionsArgs
- RuleOrder Pulumi.AwsNative.NetworkFirewall.FirewallPolicyRuleOrder
- Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide.
- StreamExceptionPolicy Pulumi.AwsNative.NetworkFirewall.FirewallPolicyStreamExceptionPolicy
- Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
  - DROP: Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
  - CONTINUE: Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent: a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
  - REJECT: Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
- RuleOrder FirewallPolicyRuleOrder
- Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide.
- StreamExceptionPolicy FirewallPolicyStreamExceptionPolicy
- Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
  - DROP: Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
  - CONTINUE: Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent: a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
  - REJECT: Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
- ruleOrder FirewallPolicyRuleOrder
- Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide.
- streamExceptionPolicy FirewallPolicyStreamExceptionPolicy
- Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
  - DROP: Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
  - CONTINUE: Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent: a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
  - REJECT: Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
- ruleOrder FirewallPolicyRuleOrder
- Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide.
- streamExceptionPolicy FirewallPolicyStreamExceptionPolicy
- Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
  - DROP: Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
  - CONTINUE: Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent: a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
  - REJECT: Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
- rule_order FirewallPolicyRuleOrder
- Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide.
- stream_exception_policy FirewallPolicyStreamExceptionPolicy
- Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
  - DROP: Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
  - CONTINUE: Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent: a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
  - REJECT: Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
- ruleOrder "DEFAULT_ACTION_ORDER" | "STRICT_ORDER"
- Indicates how to manage the order of stateful rule evaluation for the policy. DEFAULT_ACTION_ORDER is the default behavior. Stateful rules are provided to the rule engine as Suricata compatible strings, and Suricata evaluates them based on certain settings. For more information, see Evaluation order for stateful rules in the AWS Network Firewall Developer Guide.
- streamExceptionPolicy "DROP" | "CONTINUE" | "REJECT"
- Configures how Network Firewall processes traffic when a network connection breaks midstream. Network connections can break due to disruptions in external networks or within the firewall itself.
  - DROP: Network Firewall fails closed and drops all subsequent traffic going to the firewall. This is the default behavior.
  - CONTINUE: Network Firewall continues to apply rules to the subsequent traffic without context from traffic before the break. This impacts the behavior of rules that depend on this context. For example, if you have a stateful rule to drop http traffic, Network Firewall won't match the traffic for this rule because the service won't have the context from session initialization defining the application layer protocol as HTTP. However, this behavior is rule dependent: a TCP-layer rule using a flow:stateless rule would still match, as would the aws:drop_strict default action.
  - REJECT: Network Firewall fails closed and drops all subsequent traffic going to the firewall. Network Firewall also sends a TCP reject packet back to your client so that the client can immediately establish a new session. Network Firewall will have context about the new session and will apply rules to the subsequent traffic.
FirewallPolicyStatefulRuleGroupOverride, FirewallPolicyStatefulRuleGroupOverrideArgs
- Action Pulumi.AwsNative.NetworkFirewall.FirewallPolicyOverrideAction
- The action that changes the rule group from DROP to ALERT. This only applies to managed rule groups.
- Action FirewallPolicyOverrideAction
- The action that changes the rule group from DROP to ALERT. This only applies to managed rule groups.
- action FirewallPolicyOverrideAction
- The action that changes the rule group from DROP to ALERT. This only applies to managed rule groups.
- action FirewallPolicyOverrideAction
- The action that changes the rule group from DROP to ALERT. This only applies to managed rule groups.
- action FirewallPolicyOverrideAction
- The action that changes the rule group from DROP to ALERT. This only applies to managed rule groups.
- action "DROP_TO_ALERT"
- The action that changes the rule group from DROP to ALERT. This only applies to managed rule groups.
FirewallPolicyStatefulRuleGroupReference, FirewallPolicyStatefulRuleGroupReferenceArgs
- ResourceArn string
- The Amazon Resource Name (ARN) of the stateful rule group.
- Override Pulumi.AwsNative.NetworkFirewall.Inputs.FirewallPolicyStatefulRuleGroupOverride
- The action that allows the policy owner to override the behavior of the rule group within a policy.
- Priority int
- An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy. This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings. Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
- ResourceArn string
- The Amazon Resource Name (ARN) of the stateful rule group.
- Override FirewallPolicyStatefulRuleGroupOverride
- The action that allows the policy owner to override the behavior of the rule group within a policy.
- Priority int
- An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy. This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings. Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
- resourceArn String
- The Amazon Resource Name (ARN) of the stateful rule group.
- override FirewallPolicyStatefulRuleGroupOverride
- The action that allows the policy owner to override the behavior of the rule group within a policy.
- priority Integer
- An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy. This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings. Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
- resourceArn string
- The Amazon Resource Name (ARN) of the stateful rule group.
- override FirewallPolicyStatefulRuleGroupOverride
- The action that allows the policy owner to override the behavior of the rule group within a policy.
- priority number
- An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy. This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings. Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
- resource_arn str
- The Amazon Resource Name (ARN) of the stateful rule group.
- override FirewallPolicyStatefulRuleGroupOverride
- The action that allows the policy owner to override the behavior of the rule group within a policy.
- priority int
- An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy. This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings. Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
- resourceArn String
- The Amazon Resource Name (ARN) of the stateful rule group.
- override Property Map
- The action that allows the policy owner to override the behavior of the rule group within a policy.
- priority Number
- An integer setting that indicates the order in which to run the stateful rule groups in a single FirewallPolicy. This setting only applies to firewall policies that specify the STRICT_ORDER rule order in the stateful engine options settings. Network Firewall evaluates each stateful rule group against a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy. You can change the priority settings of your rule groups at any time. To make it easier to insert rule groups later, number them so there's a wide range in between, for example use 100, 200, and so on.
FirewallPolicyStatelessRuleGroupReference, FirewallPolicyStatelessRuleGroupReferenceArgs
- Priority int
- An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
- ResourceArn string
- The Amazon Resource Name (ARN) of the stateless rule group.
- Priority int
- An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
- ResourceArn string
- The Amazon Resource Name (ARN) of the stateless rule group.
- priority Integer
- An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
- resourceArn String
- The Amazon Resource Name (ARN) of the stateless rule group.
- priority number
- An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
- resourceArn string
- The Amazon Resource Name (ARN) of the stateless rule group.
- priority int
- An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
- resource_arn str
- The Amazon Resource Name (ARN) of the stateless rule group.
- priority Number
- An integer setting that indicates the order in which to run the stateless rule groups in a single FirewallPolicy. Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting. You must ensure that the priority settings are unique within each policy.
- resourceArn String
- The Amazon Resource Name (ARN) of the stateless rule group.
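As an added example (not Pulumi's or AWS's code) that covers both the stateful engine options above and the stateful and stateless rule group reference settings: a Python linter over a FirewallPolicy argument dict in the TypeScript/YAML camelCase property shape, with a weak policy beside its hardened form. The top-level keys statefulEngineOptions, statefulRuleGroupReferences and statelessRuleGroupReferences, the placeholder ARNs and the sample values are assumptions; this section documents only the nested types.

```python
import copy
from typing import Any

# Constructed sample (not a real deployment) in the resource's camelCase property
# names; the top-level keys statefulEngineOptions, statefulRuleGroupReferences and
# statelessRuleGroupReferences are assumed from the full schema. ARNs are placeholders.
WEAK_POLICY: dict[str, Any] = {
    "statefulEngineOptions": {
        "ruleOrder": "DEFAULT_ACTION_ORDER",
        "streamExceptionPolicy": "CONTINUE",
    },
    "statefulRuleGroupReferences": [
        {"resourceArn": "arn:PLACEHOLDER:stateful-rulegroup/drop-http", "priority": 100},
        {"resourceArn": "arn:PLACEHOLDER:stateful-rulegroup/managed-threats",
         "priority": 100, "override": {"action": "DROP_TO_ALERT"}},
    ],
    "statelessRuleGroupReferences": [
        {"resourceArn": "arn:PLACEHOLDER:stateless-rulegroup/allow-dns", "priority": 10},
        {"resourceArn": "arn:PLACEHOLDER:stateless-rulegroup/deny-telnet", "priority": 10},
    ],
}


def _duplicate_priorities(refs: list[dict[str, Any]], kind: str) -> list[str]:
    """Priority values must be unique within a policy; report any used twice."""
    seen: dict[int, str] = {}
    findings: list[str] = []
    for ref in refs:
        prio, arn = ref.get("priority"), ref.get("resourceArn", "?")
        if prio in seen:
            findings.append(f"duplicate {kind} priority {prio}: {seen[prio]} and {arn}")
        elif prio is not None:
            seen[prio] = arn
    return findings


def lint_firewall_policy(policy: dict[str, Any]) -> list[str]:
    """Return findings for the settings this page documents; empty means clean."""
    findings: list[str] = []
    opts = policy.get("statefulEngineOptions") or {}
    rule_order = opts.get("ruleOrder", "DEFAULT_ACTION_ORDER")
    if opts.get("streamExceptionPolicy", "DROP") == "CONTINUE":
        findings.append("streamExceptionPolicy=CONTINUE: after a midstream break, rules that "
                        "need session context (e.g. a stateful 'drop http' rule) will not "
                        "match; DROP or REJECT fail closed")
    stateful = policy.get("statefulRuleGroupReferences") or []
    for ref in stateful:
        arn = ref.get("resourceArn", "?")
        if "priority" in ref and rule_order != "STRICT_ORDER":
            findings.append(f"{arn}: priority only applies when ruleOrder is STRICT_ORDER")
        if (ref.get("override") or {}).get("action") == "DROP_TO_ALERT":
            findings.append(f"{arn}: DROP_TO_ALERT override makes a managed DROP group alert-only")
    findings += _duplicate_priorities(stateful, "stateful")
    findings += _duplicate_priorities(policy.get("statelessRuleGroupReferences") or [], "stateless")
    return findings


def harden(policy: dict[str, Any]) -> dict[str, Any]:
    """Corrected copy: fail closed, STRICT_ORDER, unique priorities spaced by 100."""
    fixed = copy.deepcopy(policy)
    opts = fixed.setdefault("statefulEngineOptions", {})
    opts["ruleOrder"] = "STRICT_ORDER"
    opts["streamExceptionPolicy"] = "REJECT"  # DROP also fails closed; REJECT lets the client reconnect
    for kind in ("statefulRuleGroupReferences", "statelessRuleGroupReferences"):
        for i, ref in enumerate(fixed.get(kind) or []):
            ref["priority"] = (i + 1) * 100  # 100, 200, ... leaves room to insert groups later
            ref.pop("override", None)        # restore the managed group's DROP action
    return fixed
```

Run `lint_firewall_policy(WEAK_POLICY)` to see the six findings and `lint_firewall_policy(harden(WEAK_POLICY))` to confirm the corrected copy is clean.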
FirewallPolicyStreamExceptionPolicy, FirewallPolicyStreamExceptionPolicyArgs
- Drop
- DROP
- Continue
- CONTINUE
- Reject
- REJECT
- FirewallPolicyStreamExceptionPolicyDrop
- DROP
- FirewallPolicyStreamExceptionPolicyContinue
- CONTINUE
- FirewallPolicyStreamExceptionPolicyReject
- REJECT
- Drop
- DROP
- Continue
- CONTINUE
- Reject
- REJECT
- Drop
- DROP
- Continue
- CONTINUE
- Reject
- REJECT
- DROP
- DROP
- CONTINUE
- CONTINUE
- REJECT
- REJECT
- "DROP"
- DROP
- "CONTINUE"
- CONTINUE
- "REJECT"
- REJECT
Tag, TagArgs
Package Details
- Repository
- AWS Native pulumi/pulumi-aws-native
- License
- Apache-2.0