AWS v7.7.0, Sep 5 25

AWS v7.7.0 published on Friday, Sep 5, 2025 by Pulumi

aws.networkfirewall.Firewall

Explore with Pulumi AI

AWS v7.7.0 published on Friday, Sep 5, 2025 by Pulumi

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.networkfirewall.Firewall("example", {
    name: "example",
    firewallPolicyArn: exampleAwsNetworkfirewallFirewallPolicy.arn,
    vpcId: exampleAwsVpc.id,
    enabledAnalysisTypes: [
        "TLS_SNI",
        "HTTP_HOST",
    ],
    subnetMappings: [{
        subnetId: exampleAwsSubnet.id,
    }],
    tags: {
        Tag1: "Value1",
        Tag2: "Value2",
    },
});

import pulumi
import pulumi_aws as aws

example = aws.networkfirewall.Firewall("example",
    name="example",
    firewall_policy_arn=example_aws_networkfirewall_firewall_policy["arn"],
    vpc_id=example_aws_vpc["id"],
    enabled_analysis_types=[
        "TLS_SNI",
        "HTTP_HOST",
    ],
    subnet_mappings=[{
        "subnet_id": example_aws_subnet["id"],
    }],
    tags={
        "Tag1": "Value1",
        "Tag2": "Value2",
    })

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkfirewall.NewFirewall(ctx, "example", &networkfirewall.FirewallArgs{
			Name:              pulumi.String("example"),
			FirewallPolicyArn: pulumi.Any(exampleAwsNetworkfirewallFirewallPolicy.Arn),
			VpcId:             pulumi.Any(exampleAwsVpc.Id),
			EnabledAnalysisTypes: pulumi.StringArray{
				pulumi.String("TLS_SNI"),
				pulumi.String("HTTP_HOST"),
			},
			SubnetMappings: networkfirewall.FirewallSubnetMappingArray{
				&networkfirewall.FirewallSubnetMappingArgs{
					SubnetId: pulumi.Any(exampleAwsSubnet.Id),
				},
			},
			Tags: pulumi.StringMap{
				"Tag1": pulumi.String("Value1"),
				"Tag2": pulumi.String("Value2"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = new Aws.NetworkFirewall.Firewall("example", new()
    {
        Name = "example",
        FirewallPolicyArn = exampleAwsNetworkfirewallFirewallPolicy.Arn,
        VpcId = exampleAwsVpc.Id,
        EnabledAnalysisTypes = new[]
        {
            "TLS_SNI",
            "HTTP_HOST",
        },
        SubnetMappings = new[]
        {
            new Aws.NetworkFirewall.Inputs.FirewallSubnetMappingArgs
            {
                SubnetId = exampleAwsSubnet.Id,
            },
        },
        Tags = 
        {
            { "Tag1", "Value1" },
            { "Tag2", "Value2" },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.Firewall;
import com.pulumi.aws.networkfirewall.FirewallArgs;
import com.pulumi.aws.networkfirewall.inputs.FirewallSubnetMappingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new Firewall("example", FirewallArgs.builder()
            .name("example")
            .firewallPolicyArn(exampleAwsNetworkfirewallFirewallPolicy.arn())
            .vpcId(exampleAwsVpc.id())
            .enabledAnalysisTypes(            
                "TLS_SNI",
                "HTTP_HOST")
            .subnetMappings(FirewallSubnetMappingArgs.builder()
                .subnetId(exampleAwsSubnet.id())
                .build())
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .build());

    }
}

resources:
  example:
    type: aws:networkfirewall:Firewall
    properties:
      name: example
      firewallPolicyArn: ${exampleAwsNetworkfirewallFirewallPolicy.arn}
      vpcId: ${exampleAwsVpc.id}
      enabledAnalysisTypes:
        - TLS_SNI
        - HTTP_HOST
      subnetMappings:
        - subnetId: ${exampleAwsSubnet.id}
      tags:
        Tag1: Value1
        Tag2: Value2

Transit Gateway Attached Firewall

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = aws.getAvailabilityZones({
    state: "available",
});
const exampleFirewall = new aws.networkfirewall.Firewall("example", {
    name: "example",
    firewallPolicyArn: exampleAwsNetworkfirewallFirewallPolicy.arn,
    transitGatewayId: exampleAwsEc2TransitGateway.id,
    availabilityZoneMappings: [
        {
            availabilityZoneId: example.then(example => example.zoneIds?.[0]),
        },
        {
            availabilityZoneId: example.then(example => example.zoneIds?.[1]),
        },
    ],
});

import pulumi
import pulumi_aws as aws

example = aws.get_availability_zones(state="available")
example_firewall = aws.networkfirewall.Firewall("example",
    name="example",
    firewall_policy_arn=example_aws_networkfirewall_firewall_policy["arn"],
    transit_gateway_id=example_aws_ec2_transit_gateway["id"],
    availability_zone_mappings=[
        {
            "availability_zone_id": example.zone_ids[0],
        },
        {
            "availability_zone_id": example.zone_ids[1],
        },
    ])

package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws"
	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		example, err := aws.GetAvailabilityZones(ctx, &aws.GetAvailabilityZonesArgs{
			State: pulumi.StringRef("available"),
		}, nil)
		if err != nil {
			return err
		}
		_, err = networkfirewall.NewFirewall(ctx, "example", &networkfirewall.FirewallArgs{
			Name:              pulumi.String("example"),
			FirewallPolicyArn: pulumi.Any(exampleAwsNetworkfirewallFirewallPolicy.Arn),
			TransitGatewayId:  pulumi.Any(exampleAwsEc2TransitGateway.Id),
			AvailabilityZoneMappings: networkfirewall.FirewallAvailabilityZoneMappingArray{
				&networkfirewall.FirewallAvailabilityZoneMappingArgs{
					AvailabilityZoneId: pulumi.String(example.ZoneIds[0]),
				},
				&networkfirewall.FirewallAvailabilityZoneMappingArgs{
					AvailabilityZoneId: pulumi.String(example.ZoneIds[1]),
				},
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}

using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;

return await Deployment.RunAsync(() => 
{
    var example = Aws.GetAvailabilityZones.Invoke(new()
    {
        State = "available",
    });

    var exampleFirewall = new Aws.NetworkFirewall.Firewall("example", new()
    {
        Name = "example",
        FirewallPolicyArn = exampleAwsNetworkfirewallFirewallPolicy.Arn,
        TransitGatewayId = exampleAwsEc2TransitGateway.Id,
        AvailabilityZoneMappings = new[]
        {
            new Aws.NetworkFirewall.Inputs.FirewallAvailabilityZoneMappingArgs
            {
                AvailabilityZoneId = example.Apply(getAvailabilityZonesResult => getAvailabilityZonesResult.ZoneIds[0]),
            },
            new Aws.NetworkFirewall.Inputs.FirewallAvailabilityZoneMappingArgs
            {
                AvailabilityZoneId = example.Apply(getAvailabilityZonesResult => getAvailabilityZonesResult.ZoneIds[1]),
            },
        },
    });

});

package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.AwsFunctions;
import com.pulumi.aws.inputs.GetAvailabilityZonesArgs;
import com.pulumi.aws.networkfirewall.Firewall;
import com.pulumi.aws.networkfirewall.FirewallArgs;
import com.pulumi.aws.networkfirewall.inputs.FirewallAvailabilityZoneMappingArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var example = AwsFunctions.getAvailabilityZones(GetAvailabilityZonesArgs.builder()
            .state("available")
            .build());

        var exampleFirewall = new Firewall("exampleFirewall", FirewallArgs.builder()
            .name("example")
            .firewallPolicyArn(exampleAwsNetworkfirewallFirewallPolicy.arn())
            .transitGatewayId(exampleAwsEc2TransitGateway.id())
            .availabilityZoneMappings(            
                FirewallAvailabilityZoneMappingArgs.builder()
                    .availabilityZoneId(example.zoneIds()[0])
                    .build(),
                FirewallAvailabilityZoneMappingArgs.builder()
                    .availabilityZoneId(example.zoneIds()[1])
                    .build())
            .build());

    }
}

resources:
  exampleFirewall:
    type: aws:networkfirewall:Firewall
    name: example
    properties:
      name: example
      firewallPolicyArn: ${exampleAwsNetworkfirewallFirewallPolicy.arn}
      transitGatewayId: ${exampleAwsEc2TransitGateway.id}
      availabilityZoneMappings:
        - availabilityZoneId: ${example.zoneIds[0]}
        - availabilityZoneId: ${example.zoneIds[1]}
variables:
  example:
    fn::invoke:
      function: aws:getAvailabilityZones
      arguments:
        state: available

Transit Gateway Attached Firewall (Cross Account)

A full example of how to create a Transit Gateway in one AWS account, share it with a second AWS account, and create Network Firewall in the second account to the Transit Gateway via the aws.networkfirewall.Firewall and aws_networkfirewall_network_firewall_transit_gateway_attachment_accepter resources can be found in the ./examples/network-firewall-cross-account-transit-gateway directory within the Github Repository

Create Firewall Resource

Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

Constructor syntax

new Firewall(name: string, args: FirewallArgs, opts?: CustomResourceOptions);

@overload
def Firewall(resource_name: str,
             args: FirewallArgs,
             opts: Optional[ResourceOptions] = None)

@overload
def Firewall(resource_name: str,
             opts: Optional[ResourceOptions] = None,
             firewall_policy_arn: Optional[str] = None,
             description: Optional[str] = None,
             name: Optional[str] = None,
             availability_zone_change_protection: Optional[bool] = None,
             enabled_analysis_types: Optional[Sequence[str]] = None,
             encryption_configuration: Optional[FirewallEncryptionConfigurationArgs] = None,
             availability_zone_mappings: Optional[Sequence[FirewallAvailabilityZoneMappingArgs]] = None,
             firewall_policy_change_protection: Optional[bool] = None,
             delete_protection: Optional[bool] = None,
             region: Optional[str] = None,
             subnet_change_protection: Optional[bool] = None,
             subnet_mappings: Optional[Sequence[FirewallSubnetMappingArgs]] = None,
             tags: Optional[Mapping[str, str]] = None,
             transit_gateway_id: Optional[str] = None,
             vpc_id: Optional[str] = None)

func NewFirewall(ctx *Context, name string, args FirewallArgs, opts ...ResourceOption) (*Firewall, error)

public Firewall(string name, FirewallArgs args, CustomResourceOptions? opts = null)

public Firewall(String name, FirewallArgs args)
public Firewall(String name, FirewallArgs args, CustomResourceOptions options)

type: aws:networkfirewall:Firewall
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

Parameters

name string: The unique name of the resource.
args FirewallArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

resource_name str: The unique name of the resource.
args FirewallArgs: The arguments to resource properties.
opts ResourceOptions: Bag of options to control resource's behavior.

ctx Context: Context object for the current deployment.
name string: The unique name of the resource.
args FirewallArgs: The arguments to resource properties.
opts ResourceOption: Bag of options to control resource's behavior.

name string: The unique name of the resource.
args FirewallArgs: The arguments to resource properties.
opts CustomResourceOptions: Bag of options to control resource's behavior.

name String: The unique name of the resource.
args FirewallArgs: The arguments to resource properties.
options CustomResourceOptions: Bag of options to control resource's behavior.

Constructor example

The following reference example uses placeholder values for all input properties.

var firewallResource = new Aws.NetworkFirewall.Firewall("firewallResource", new()
{
    FirewallPolicyArn = "string",
    Description = "string",
    Name = "string",
    AvailabilityZoneChangeProtection = false,
    EnabledAnalysisTypes = new[]
    {
        "string",
    },
    EncryptionConfiguration = new Aws.NetworkFirewall.Inputs.FirewallEncryptionConfigurationArgs
    {
        Type = "string",
        KeyId = "string",
    },
    AvailabilityZoneMappings = new[]
    {
        new Aws.NetworkFirewall.Inputs.FirewallAvailabilityZoneMappingArgs
        {
            AvailabilityZoneId = "string",
        },
    },
    FirewallPolicyChangeProtection = false,
    DeleteProtection = false,
    Region = "string",
    SubnetChangeProtection = false,
    SubnetMappings = new[]
    {
        new Aws.NetworkFirewall.Inputs.FirewallSubnetMappingArgs
        {
            SubnetId = "string",
            IpAddressType = "string",
        },
    },
    Tags = 
    {
        { "string", "string" },
    },
    TransitGatewayId = "string",
    VpcId = "string",
});

example, err := networkfirewall.NewFirewall(ctx, "firewallResource", &networkfirewall.FirewallArgs{
	FirewallPolicyArn:                pulumi.String("string"),
	Description:                      pulumi.String("string"),
	Name:                             pulumi.String("string"),
	AvailabilityZoneChangeProtection: pulumi.Bool(false),
	EnabledAnalysisTypes: pulumi.StringArray{
		pulumi.String("string"),
	},
	EncryptionConfiguration: &networkfirewall.FirewallEncryptionConfigurationArgs{
		Type:  pulumi.String("string"),
		KeyId: pulumi.String("string"),
	},
	AvailabilityZoneMappings: networkfirewall.FirewallAvailabilityZoneMappingArray{
		&networkfirewall.FirewallAvailabilityZoneMappingArgs{
			AvailabilityZoneId: pulumi.String("string"),
		},
	},
	FirewallPolicyChangeProtection: pulumi.Bool(false),
	DeleteProtection:               pulumi.Bool(false),
	Region:                         pulumi.String("string"),
	SubnetChangeProtection:         pulumi.Bool(false),
	SubnetMappings: networkfirewall.FirewallSubnetMappingArray{
		&networkfirewall.FirewallSubnetMappingArgs{
			SubnetId:      pulumi.String("string"),
			IpAddressType: pulumi.String("string"),
		},
	},
	Tags: pulumi.StringMap{
		"string": pulumi.String("string"),
	},
	TransitGatewayId: pulumi.String("string"),
	VpcId:            pulumi.String("string"),
})

var firewallResource = new Firewall("firewallResource", FirewallArgs.builder()
    .firewallPolicyArn("string")
    .description("string")
    .name("string")
    .availabilityZoneChangeProtection(false)
    .enabledAnalysisTypes("string")
    .encryptionConfiguration(FirewallEncryptionConfigurationArgs.builder()
        .type("string")
        .keyId("string")
        .build())
    .availabilityZoneMappings(FirewallAvailabilityZoneMappingArgs.builder()
        .availabilityZoneId("string")
        .build())
    .firewallPolicyChangeProtection(false)
    .deleteProtection(false)
    .region("string")
    .subnetChangeProtection(false)
    .subnetMappings(FirewallSubnetMappingArgs.builder()
        .subnetId("string")
        .ipAddressType("string")
        .build())
    .tags(Map.of("string", "string"))
    .transitGatewayId("string")
    .vpcId("string")
    .build());

firewall_resource = aws.networkfirewall.Firewall("firewallResource",
    firewall_policy_arn="string",
    description="string",
    name="string",
    availability_zone_change_protection=False,
    enabled_analysis_types=["string"],
    encryption_configuration={
        "type": "string",
        "key_id": "string",
    },
    availability_zone_mappings=[{
        "availability_zone_id": "string",
    }],
    firewall_policy_change_protection=False,
    delete_protection=False,
    region="string",
    subnet_change_protection=False,
    subnet_mappings=[{
        "subnet_id": "string",
        "ip_address_type": "string",
    }],
    tags={
        "string": "string",
    },
    transit_gateway_id="string",
    vpc_id="string")

const firewallResource = new aws.networkfirewall.Firewall("firewallResource", {
    firewallPolicyArn: "string",
    description: "string",
    name: "string",
    availabilityZoneChangeProtection: false,
    enabledAnalysisTypes: ["string"],
    encryptionConfiguration: {
        type: "string",
        keyId: "string",
    },
    availabilityZoneMappings: [{
        availabilityZoneId: "string",
    }],
    firewallPolicyChangeProtection: false,
    deleteProtection: false,
    region: "string",
    subnetChangeProtection: false,
    subnetMappings: [{
        subnetId: "string",
        ipAddressType: "string",
    }],
    tags: {
        string: "string",
    },
    transitGatewayId: "string",
    vpcId: "string",
});

type: aws:networkfirewall:Firewall
properties:
    availabilityZoneChangeProtection: false
    availabilityZoneMappings:
        - availabilityZoneId: string
    deleteProtection: false
    description: string
    enabledAnalysisTypes:
        - string
    encryptionConfiguration:
        keyId: string
        type: string
    firewallPolicyArn: string
    firewallPolicyChangeProtection: false
    name: string
    region: string
    subnetChangeProtection: false
    subnetMappings:
        - ipAddressType: string
          subnetId: string
    tags:
        string: string
    transitGatewayId: string
    vpcId: string

Firewall Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

The Firewall resource accepts the following input properties:

FirewallPolicyArn string: The Amazon Resource Name (ARN) of the VPC Firewall policy.
AvailabilityZoneChangeProtection bool: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
AvailabilityZoneMappings List<FirewallAvailabilityZoneMapping>: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
DeleteProtection bool: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
Description string: A friendly description of the firewall.
EnabledAnalysisTypes List<string>: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
EncryptionConfiguration FirewallEncryptionConfiguration: KMS encryption configuration settings. See Encryption Configuration below for details.
FirewallPolicyChangeProtection bool: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
Name string: A friendly name of the firewall.
Region string: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
SubnetChangeProtection bool: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
SubnetMappings List<FirewallSubnetMapping>: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
Tags Dictionary<string, string>: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TransitGatewayId string: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
VpcId string: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

FirewallPolicyArn string: The Amazon Resource Name (ARN) of the VPC Firewall policy.
AvailabilityZoneChangeProtection bool: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
AvailabilityZoneMappings []FirewallAvailabilityZoneMappingArgs: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
DeleteProtection bool: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
Description string: A friendly description of the firewall.
EnabledAnalysisTypes []string: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
EncryptionConfiguration FirewallEncryptionConfigurationArgs: KMS encryption configuration settings. See Encryption Configuration below for details.
FirewallPolicyChangeProtection bool: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
Name string: A friendly name of the firewall.
Region string: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
SubnetChangeProtection bool: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
SubnetMappings []FirewallSubnetMappingArgs: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
Tags map[string]string: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TransitGatewayId string: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
VpcId string: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

firewallPolicyArn String: The Amazon Resource Name (ARN) of the VPC Firewall policy.
availabilityZoneChangeProtection Boolean: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
availabilityZoneMappings List<FirewallAvailabilityZoneMapping>: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
deleteProtection Boolean: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
description String: A friendly description of the firewall.
enabledAnalysisTypes List<String>: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
encryptionConfiguration FirewallEncryptionConfiguration: KMS encryption configuration settings. See Encryption Configuration below for details.
firewallPolicyChangeProtection Boolean: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
name String: A friendly name of the firewall.
region String: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
subnetChangeProtection Boolean: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
subnetMappings List<FirewallSubnetMapping>: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
tags Map<String,String>: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
transitGatewayId String: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
vpcId String: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

firewallPolicyArn string: The Amazon Resource Name (ARN) of the VPC Firewall policy.
availabilityZoneChangeProtection boolean: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
availabilityZoneMappings FirewallAvailabilityZoneMapping[]: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
deleteProtection boolean: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
description string: A friendly description of the firewall.
enabledAnalysisTypes string[]: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
encryptionConfiguration FirewallEncryptionConfiguration: KMS encryption configuration settings. See Encryption Configuration below for details.
firewallPolicyChangeProtection boolean: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
name string: A friendly name of the firewall.
region string: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
subnetChangeProtection boolean: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
subnetMappings FirewallSubnetMapping[]: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
tags {[key: string]: string}: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
transitGatewayId string: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
vpcId string: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

firewall_policy_arn str: The Amazon Resource Name (ARN) of the VPC Firewall policy.
availability_zone_change_protection bool: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
availability_zone_mappings Sequence[FirewallAvailabilityZoneMappingArgs]: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
delete_protection bool: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
description str: A friendly description of the firewall.
enabled_analysis_types Sequence[str]: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
encryption_configuration FirewallEncryptionConfigurationArgs: KMS encryption configuration settings. See Encryption Configuration below for details.
firewall_policy_change_protection bool: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
name str: A friendly name of the firewall.
region str: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
subnet_change_protection bool: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
subnet_mappings Sequence[FirewallSubnetMappingArgs]: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
tags Mapping[str, str]: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
transit_gateway_id str: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
vpc_id str: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

firewallPolicyArn String: The Amazon Resource Name (ARN) of the VPC Firewall policy.
availabilityZoneChangeProtection Boolean: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
availabilityZoneMappings List<Property Map>: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
deleteProtection Boolean: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
description String: A friendly description of the firewall.
enabledAnalysisTypes List<String>: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
encryptionConfiguration Property Map: KMS encryption configuration settings. See Encryption Configuration below for details.
firewallPolicyChangeProtection Boolean: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
name String: A friendly name of the firewall.
region String: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
subnetChangeProtection Boolean: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
subnetMappings List<Property Map>: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
tags Map<String>: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
transitGatewayId String: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
vpcId String: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

Outputs

All input properties are implicitly available as output properties. Additionally, the Firewall resource produces the following output properties:

Arn string: The Amazon Resource Name (ARN) that identifies the firewall.
FirewallStatuses List<FirewallFirewallStatus>: Nested list of information about the current status of the firewall.
Id string: The provider-assigned unique ID for this managed resource.
TagsAll Dictionary<string, string>: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
TransitGatewayOwnerAccountId string: The AWS account ID that owns the transit gateway.
UpdateToken string: A string token used when updating a firewall.

Arn string: The Amazon Resource Name (ARN) that identifies the firewall.
FirewallStatuses []FirewallFirewallStatus: Nested list of information about the current status of the firewall.
Id string: The provider-assigned unique ID for this managed resource.
TagsAll map[string]string: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
TransitGatewayOwnerAccountId string: The AWS account ID that owns the transit gateway.
UpdateToken string: A string token used when updating a firewall.

arn String: The Amazon Resource Name (ARN) that identifies the firewall.
firewallStatuses List<FirewallFirewallStatus>: Nested list of information about the current status of the firewall.
id String: The provider-assigned unique ID for this managed resource.
tagsAll Map<String,String>: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
transitGatewayOwnerAccountId String: The AWS account ID that owns the transit gateway.
updateToken String: A string token used when updating a firewall.

arn string: The Amazon Resource Name (ARN) that identifies the firewall.
firewallStatuses FirewallFirewallStatus[]: Nested list of information about the current status of the firewall.
id string: The provider-assigned unique ID for this managed resource.
tagsAll {[key: string]: string}: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
transitGatewayOwnerAccountId string: The AWS account ID that owns the transit gateway.
updateToken string: A string token used when updating a firewall.

arn str: The Amazon Resource Name (ARN) that identifies the firewall.
firewall_statuses Sequence[FirewallFirewallStatus]: Nested list of information about the current status of the firewall.
id str: The provider-assigned unique ID for this managed resource.
tags_all Mapping[str, str]: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
transit_gateway_owner_account_id str: The AWS account ID that owns the transit gateway.
update_token str: A string token used when updating a firewall.

arn String: The Amazon Resource Name (ARN) that identifies the firewall.
firewallStatuses List<Property Map>: Nested list of information about the current status of the firewall.
id String: The provider-assigned unique ID for this managed resource.
tagsAll Map<String>: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
transitGatewayOwnerAccountId String: The AWS account ID that owns the transit gateway.
updateToken String: A string token used when updating a firewall.

Look up Existing Firewall Resource

Get an existing Firewall resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: FirewallState, opts?: CustomResourceOptions): Firewall

@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        availability_zone_change_protection: Optional[bool] = None,
        availability_zone_mappings: Optional[Sequence[FirewallAvailabilityZoneMappingArgs]] = None,
        delete_protection: Optional[bool] = None,
        description: Optional[str] = None,
        enabled_analysis_types: Optional[Sequence[str]] = None,
        encryption_configuration: Optional[FirewallEncryptionConfigurationArgs] = None,
        firewall_policy_arn: Optional[str] = None,
        firewall_policy_change_protection: Optional[bool] = None,
        firewall_statuses: Optional[Sequence[FirewallFirewallStatusArgs]] = None,
        name: Optional[str] = None,
        region: Optional[str] = None,
        subnet_change_protection: Optional[bool] = None,
        subnet_mappings: Optional[Sequence[FirewallSubnetMappingArgs]] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        transit_gateway_id: Optional[str] = None,
        transit_gateway_owner_account_id: Optional[str] = None,
        update_token: Optional[str] = None,
        vpc_id: Optional[str] = None) -> Firewall

func GetFirewall(ctx *Context, name string, id IDInput, state *FirewallState, opts ...ResourceOption) (*Firewall, error)

public static Firewall Get(string name, Input<string> id, FirewallState? state, CustomResourceOptions? opts = null)

public static Firewall get(String name, Output<String> id, FirewallState state, CustomResourceOptions options)

resources:  _:    type: aws:networkfirewall:Firewall    get:      id: ${id}

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

resource_name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

name: The unique name of the resulting resource.
id: The unique provider ID of the resource to lookup.
state: Any extra arguments used during the lookup.
opts: A bag of options that control this resource's behavior.

The following state arguments are supported:

Arn string: The Amazon Resource Name (ARN) that identifies the firewall.
AvailabilityZoneChangeProtection bool: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
AvailabilityZoneMappings List<FirewallAvailabilityZoneMapping>: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
DeleteProtection bool: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
Description string: A friendly description of the firewall.
EnabledAnalysisTypes List<string>: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
EncryptionConfiguration FirewallEncryptionConfiguration: KMS encryption configuration settings. See Encryption Configuration below for details.
FirewallPolicyArn string: The Amazon Resource Name (ARN) of the VPC Firewall policy.
FirewallPolicyChangeProtection bool: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
FirewallStatuses List<FirewallFirewallStatus>: Nested list of information about the current status of the firewall.
Name string: A friendly name of the firewall.
Region string: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
SubnetChangeProtection bool: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
SubnetMappings List<FirewallSubnetMapping>: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
Tags Dictionary<string, string>: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll Dictionary<string, string>: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
TransitGatewayId string: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
TransitGatewayOwnerAccountId string: The AWS account ID that owns the transit gateway.
UpdateToken string: A string token used when updating a firewall.
VpcId string: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

Arn string: The Amazon Resource Name (ARN) that identifies the firewall.
AvailabilityZoneChangeProtection bool: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
AvailabilityZoneMappings []FirewallAvailabilityZoneMappingArgs: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
DeleteProtection bool: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
Description string: A friendly description of the firewall.
EnabledAnalysisTypes []string: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
EncryptionConfiguration FirewallEncryptionConfigurationArgs: KMS encryption configuration settings. See Encryption Configuration below for details.
FirewallPolicyArn string: The Amazon Resource Name (ARN) of the VPC Firewall policy.
FirewallPolicyChangeProtection bool: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
FirewallStatuses []FirewallFirewallStatusArgs: Nested list of information about the current status of the firewall.
Name string: A friendly name of the firewall.
Region string: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
SubnetChangeProtection bool: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
SubnetMappings []FirewallSubnetMappingArgs: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
Tags map[string]string: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
TagsAll map[string]string: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
TransitGatewayId string: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
TransitGatewayOwnerAccountId string: The AWS account ID that owns the transit gateway.
UpdateToken string: A string token used when updating a firewall.
VpcId string: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

arn String: The Amazon Resource Name (ARN) that identifies the firewall.
availabilityZoneChangeProtection Boolean: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
availabilityZoneMappings List<FirewallAvailabilityZoneMapping>: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
deleteProtection Boolean: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
description String: A friendly description of the firewall.
enabledAnalysisTypes List<String>: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
encryptionConfiguration FirewallEncryptionConfiguration: KMS encryption configuration settings. See Encryption Configuration below for details.
firewallPolicyArn String: The Amazon Resource Name (ARN) of the VPC Firewall policy.
firewallPolicyChangeProtection Boolean: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
firewallStatuses List<FirewallFirewallStatus>: Nested list of information about the current status of the firewall.
name String: A friendly name of the firewall.
region String: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
subnetChangeProtection Boolean: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
subnetMappings List<FirewallSubnetMapping>: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
tags Map<String,String>: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll Map<String,String>: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
transitGatewayId String: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
transitGatewayOwnerAccountId String: The AWS account ID that owns the transit gateway.
updateToken String: A string token used when updating a firewall.
vpcId String: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

arn string: The Amazon Resource Name (ARN) that identifies the firewall.
availabilityZoneChangeProtection boolean: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
availabilityZoneMappings FirewallAvailabilityZoneMapping[]: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
deleteProtection boolean: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
description string: A friendly description of the firewall.
enabledAnalysisTypes string[]: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
encryptionConfiguration FirewallEncryptionConfiguration: KMS encryption configuration settings. See Encryption Configuration below for details.
firewallPolicyArn string: The Amazon Resource Name (ARN) of the VPC Firewall policy.
firewallPolicyChangeProtection boolean: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
firewallStatuses FirewallFirewallStatus[]: Nested list of information about the current status of the firewall.
name string: A friendly name of the firewall.
region string: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
subnetChangeProtection boolean: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
subnetMappings FirewallSubnetMapping[]: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
tags {[key: string]: string}: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll {[key: string]: string}: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
transitGatewayId string: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
transitGatewayOwnerAccountId string: The AWS account ID that owns the transit gateway.
updateToken string: A string token used when updating a firewall.
vpcId string: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

arn str: The Amazon Resource Name (ARN) that identifies the firewall.
availability_zone_change_protection bool: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
availability_zone_mappings Sequence[FirewallAvailabilityZoneMappingArgs]: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
delete_protection bool: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
description str: A friendly description of the firewall.
enabled_analysis_types Sequence[str]: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
encryption_configuration FirewallEncryptionConfigurationArgs: KMS encryption configuration settings. See Encryption Configuration below for details.
firewall_policy_arn str: The Amazon Resource Name (ARN) of the VPC Firewall policy.
firewall_policy_change_protection bool: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
firewall_statuses Sequence[FirewallFirewallStatusArgs]: Nested list of information about the current status of the firewall.
name str: A friendly name of the firewall.
region str: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
subnet_change_protection bool: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
subnet_mappings Sequence[FirewallSubnetMappingArgs]: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
tags Mapping[str, str]: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tags_all Mapping[str, str]: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
transit_gateway_id str: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
transit_gateway_owner_account_id str: The AWS account ID that owns the transit gateway.
update_token str: A string token used when updating a firewall.
vpc_id str: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

arn String: The Amazon Resource Name (ARN) that identifies the firewall.
availabilityZoneChangeProtection Boolean: A setting indicating whether the firewall is protected against changes to its Availability Zone configuration. When set to true, you must first disable this protection before adding or removing Availability Zones.
availabilityZoneMappings List<Property Map>: Required when creating a transit gateway-attached firewall. Set of configuration blocks describing the avaiability availability where you want to create firewall endpoints for a transit gateway-attached firewall.
deleteProtection Boolean: A flag indicating whether the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. Defaults to false.
description String: A friendly description of the firewall.
enabledAnalysisTypes List<String>: Set of types for which to collect analysis metrics. See Reporting on network traffic in Network Firewall for details on how to use the data. Valid values: TLS_SNI, HTTP_HOST. Defaults to [].
encryptionConfiguration Property Map: KMS encryption configuration settings. See Encryption Configuration below for details.
firewallPolicyArn String: The Amazon Resource Name (ARN) of the VPC Firewall policy.
firewallPolicyChangeProtection Boolean: A flag indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. Defaults to false.
firewallStatuses List<Property Map>: Nested list of information about the current status of the firewall.
name String: A friendly name of the firewall.
region String: Region where this resource will be managed. Defaults to the Region set in the provider configuration.
subnetChangeProtection Boolean: A flag indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. Defaults to false.
subnetMappings List<Property Map>: Required when creating a VPC attached firewall. Set of configuration blocks describing the public subnets. Each subnet must belong to a different Availability Zone in the VPC. AWS Network Firewall creates a firewall endpoint in each subnet. See Subnet Mapping below for details.
tags Map<String>: Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
tagsAll Map<String>: A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.
transitGatewayId String: . Required when creating a transit gateway-attached firewall. The unique identifier of the transit gateway to attach to this firewall. You can provide either a transit gateway from your account or one that has been shared with you through AWS Resource Access Manager
transitGatewayOwnerAccountId String: The AWS account ID that owns the transit gateway.
updateToken String: A string token used when updating a firewall.
vpcId String: Required when creating a VPC attached firewall. The unique identifier of the VPC where AWS Network Firewall should create the firewall.

Supporting Types

FirewallAvailabilityZoneMapping, FirewallAvailabilityZoneMappingArgs

AvailabilityZoneId string: The ID of the Availability Zone where the firewall endpoint is located..

AvailabilityZoneId string: The ID of the Availability Zone where the firewall endpoint is located..

availabilityZoneId String: The ID of the Availability Zone where the firewall endpoint is located..

availabilityZoneId string: The ID of the Availability Zone where the firewall endpoint is located..

availability_zone_id str: The ID of the Availability Zone where the firewall endpoint is located..

availabilityZoneId String: The ID of the Availability Zone where the firewall endpoint is located..

FirewallEncryptionConfiguration, FirewallEncryptionConfigurationArgs

Type string: The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
KeyId string: The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

Type string: The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
KeyId string: The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

type String: The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
keyId String: The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

type string: The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
keyId string: The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

type str: The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
key_id str: The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

type String: The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
keyId String: The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

FirewallFirewallStatus, FirewallFirewallStatusArgs

SyncStates List<FirewallFirewallStatusSyncState>: Set of subnets configured for use by the firewall.
TransitGatewayAttachmentSyncStates List<FirewallFirewallStatusTransitGatewayAttachmentSyncState>: Set of transit gateway configured for use by the firewall.

SyncStates []FirewallFirewallStatusSyncState: Set of subnets configured for use by the firewall.
TransitGatewayAttachmentSyncStates []FirewallFirewallStatusTransitGatewayAttachmentSyncState: Set of transit gateway configured for use by the firewall.

syncStates List<FirewallFirewallStatusSyncState>: Set of subnets configured for use by the firewall.
transitGatewayAttachmentSyncStates List<FirewallFirewallStatusTransitGatewayAttachmentSyncState>: Set of transit gateway configured for use by the firewall.

syncStates FirewallFirewallStatusSyncState[]: Set of subnets configured for use by the firewall.
transitGatewayAttachmentSyncStates FirewallFirewallStatusTransitGatewayAttachmentSyncState[]: Set of transit gateway configured for use by the firewall.

sync_states Sequence[FirewallFirewallStatusSyncState]: Set of subnets configured for use by the firewall.
transit_gateway_attachment_sync_states Sequence[FirewallFirewallStatusTransitGatewayAttachmentSyncState]: Set of transit gateway configured for use by the firewall.

syncStates List<Property Map>: Set of subnets configured for use by the firewall.
transitGatewayAttachmentSyncStates List<Property Map>: Set of transit gateway configured for use by the firewall.

FirewallFirewallStatusSyncState, FirewallFirewallStatusSyncStateArgs

Attachments List<FirewallFirewallStatusSyncStateAttachment>: Nested list describing the attachment status of the firewall's association with a single VPC subnet.
AvailabilityZone string: The Availability Zone where the subnet is configured.

Attachments []FirewallFirewallStatusSyncStateAttachment: Nested list describing the attachment status of the firewall's association with a single VPC subnet.
AvailabilityZone string: The Availability Zone where the subnet is configured.

attachments List<FirewallFirewallStatusSyncStateAttachment>: Nested list describing the attachment status of the firewall's association with a single VPC subnet.
availabilityZone String: The Availability Zone where the subnet is configured.

attachments FirewallFirewallStatusSyncStateAttachment[]: Nested list describing the attachment status of the firewall's association with a single VPC subnet.
availabilityZone string: The Availability Zone where the subnet is configured.

attachments Sequence[FirewallFirewallStatusSyncStateAttachment]: Nested list describing the attachment status of the firewall's association with a single VPC subnet.
availability_zone str: The Availability Zone where the subnet is configured.

attachments List<Property Map>: Nested list describing the attachment status of the firewall's association with a single VPC subnet.
availabilityZone String: The Availability Zone where the subnet is configured.

FirewallFirewallStatusSyncStateAttachment, FirewallFirewallStatusSyncStateAttachmentArgs

EndpointId string: The identifier of the firewall endpoint that AWS Network Firewall has instantiated in the subnet. You use this to identify the firewall endpoint in the VPC route tables, when you redirect the VPC traffic through the endpoint.
SubnetId string: The unique identifier of the subnet that you've specified to be used for a firewall endpoint.

EndpointId string: The identifier of the firewall endpoint that AWS Network Firewall has instantiated in the subnet. You use this to identify the firewall endpoint in the VPC route tables, when you redirect the VPC traffic through the endpoint.
SubnetId string: The unique identifier of the subnet that you've specified to be used for a firewall endpoint.

endpointId String: The identifier of the firewall endpoint that AWS Network Firewall has instantiated in the subnet. You use this to identify the firewall endpoint in the VPC route tables, when you redirect the VPC traffic through the endpoint.
subnetId String: The unique identifier of the subnet that you've specified to be used for a firewall endpoint.

endpointId string: The identifier of the firewall endpoint that AWS Network Firewall has instantiated in the subnet. You use this to identify the firewall endpoint in the VPC route tables, when you redirect the VPC traffic through the endpoint.
subnetId string: The unique identifier of the subnet that you've specified to be used for a firewall endpoint.

endpoint_id str: The identifier of the firewall endpoint that AWS Network Firewall has instantiated in the subnet. You use this to identify the firewall endpoint in the VPC route tables, when you redirect the VPC traffic through the endpoint.
subnet_id str: The unique identifier of the subnet that you've specified to be used for a firewall endpoint.

endpointId String: The identifier of the firewall endpoint that AWS Network Firewall has instantiated in the subnet. You use this to identify the firewall endpoint in the VPC route tables, when you redirect the VPC traffic through the endpoint.
subnetId String: The unique identifier of the subnet that you've specified to be used for a firewall endpoint.

FirewallFirewallStatusTransitGatewayAttachmentSyncState, FirewallFirewallStatusTransitGatewayAttachmentSyncStateArgs

AttachmentId string: The unique identifier of the transit gateway attachment.

AttachmentId string: The unique identifier of the transit gateway attachment.

attachmentId String: The unique identifier of the transit gateway attachment.

attachmentId string: The unique identifier of the transit gateway attachment.

attachment_id str: The unique identifier of the transit gateway attachment.

attachmentId String: The unique identifier of the transit gateway attachment.

FirewallSubnetMapping, FirewallSubnetMappingArgs

SubnetId string: The unique identifier for the subnet.
IpAddressType string: The subnet's IP address type. Valid values: "DUALSTACK", "IPV4".

SubnetId string: The unique identifier for the subnet.
IpAddressType string: The subnet's IP address type. Valid values: "DUALSTACK", "IPV4".

subnetId String: The unique identifier for the subnet.
ipAddressType String: The subnet's IP address type. Valid values: "DUALSTACK", "IPV4".

subnetId string: The unique identifier for the subnet.
ipAddressType string: The subnet's IP address type. Valid values: "DUALSTACK", "IPV4".

subnet_id str: The unique identifier for the subnet.
ip_address_type str: The subnet's IP address type. Valid values: "DUALSTACK", "IPV4".

subnetId String: The unique identifier for the subnet.
ipAddressType String: The subnet's IP address type. Valid values: "DUALSTACK", "IPV4".

Import

Using pulumi import, import Network Firewall Firewalls using their arn. For example:

$ pulumi import aws:networkfirewall/firewall:Firewall example arn:aws:network-firewall:us-west-1:123456789012:firewall/example

To learn more about importing existing cloud resources, see Importing resources.

Package Details

Repository: AWS Classic pulumi/pulumi-aws
License: Apache-2.0
Notes: This Pulumi package is based on the aws Terraform Provider.

AWS v7.7.0 published on Friday, Sep 5, 2025 by Pulumi

pulumi/pulumi-aws

aws.networkfirewall.Firewall

On this page

On this page

Example Usage

Transit Gateway Attached Firewall

Transit Gateway Attached Firewall (Cross Account)

Create Firewall Resource

Constructor syntax

Parameters

Constructor example

Firewall Resource Properties

Inputs

Outputs

Look up Existing Firewall Resource

Supporting Types

FirewallAvailabilityZoneMapping, FirewallAvailabilityZoneMappingArgs

FirewallEncryptionConfiguration, FirewallEncryptionConfigurationArgs

FirewallFirewallStatus, FirewallFirewallStatusArgs

FirewallFirewallStatusSyncState, FirewallFirewallStatusSyncStateArgs

FirewallFirewallStatusSyncStateAttachment, FirewallFirewallStatusSyncStateAttachmentArgs

FirewallFirewallStatusTransitGatewayAttachmentSyncState, FirewallFirewallStatusTransitGatewayAttachmentSyncStateArgs

FirewallSubnetMapping, FirewallSubnetMappingArgs

Import

Package Details

On this page

On this page