
AWS Classic v6.27.0 published on Monday, Mar 18, 2024 by Pulumi

aws.networkfirewall.FirewallPolicy




    Provides an AWS Network Firewall firewall policy resource. The policy bundles the stateless/stateful rule groups and the default actions a firewall applies to traffic; see the Firewall Policy input block below.

    Example Usage

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Stateless rule group attached at priority 1.
    // NOTE(review): `exampleAwsNetworkfirewallRuleGroup` is not declared in this
    // snippet; it stands for an `aws.networkfirewall.RuleGroup` created elsewhere.
    const ruleGroupReference = {
        priority: 1,
        resourceArn: exampleAwsNetworkfirewallRuleGroup.arn,
    };

    // Policy body: rule groups, default verdicts and TLS inspection.
    // NOTE(review): `aws:pass` as the stateless default lets every packet no
    // stateless rule matches through without stateful inspection — confirm this is
    // intended; `aws:forward_to_sfe` is the usual choice when stateful rule groups
    // are attached.
    const policyConfig = {
        statelessDefaultActions: ["aws:pass"],
        // Fragmented packets no stateless rule matches are dropped.
        statelessFragmentDefaultActions: ["aws:drop"],
        statelessRuleGroupReferences: [ruleGroupReference],
        // Placeholder ARN: replace REGION and ACCT with real values before deploying.
        tlsInspectionConfigurationArn: "arn:aws:network-firewall:REGION:ACCT:tls-configuration/example",
    };

    const resourceTags = {
        Tag1: "Value1",
        Tag2: "Value2",
    };

    const example = new aws.networkfirewall.FirewallPolicy("example", {
        name: "example",
        firewallPolicy: policyConfig,
        tags: resourceTags,
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # Stateless rule group attached at priority 1.
    # NOTE(review): `example_aws_networkfirewall_rule_group` is not defined in this
    # snippet; it stands for an `aws.networkfirewall.RuleGroup` created elsewhere.
    _rule_group_ref = aws.networkfirewall.FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs(
        priority=1,
        resource_arn=example_aws_networkfirewall_rule_group["arn"],
    )

    # Policy body: rule groups, default verdicts and TLS inspection.
    # NOTE(review): "aws:pass" as the stateless default lets every packet no
    # stateless rule matches through without stateful inspection — confirm this is
    # intended; "aws:forward_to_sfe" is the usual choice when stateful rule groups
    # are attached.
    _policy = aws.networkfirewall.FirewallPolicyFirewallPolicyArgs(
        stateless_default_actions=["aws:pass"],
        # Fragmented packets no stateless rule matches are dropped.
        stateless_fragment_default_actions=["aws:drop"],
        stateless_rule_group_references=[_rule_group_ref],
        # Placeholder ARN: replace REGION and ACCT with real values before deploying.
        tls_inspection_configuration_arn="arn:aws:network-firewall:REGION:ACCT:tls-configuration/example",
    )

    _tags = {"Tag1": "Value1", "Tag2": "Value2"}

    example = aws.networkfirewall.FirewallPolicy(
        "example",
        name="example",
        firewall_policy=_policy,
        tags=_tags,
    )
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Stateless rule group attached at priority 1.
    		// NOTE(review): exampleAwsNetworkfirewallRuleGroup is not declared in this
    		// snippet; it stands for a networkfirewall.RuleGroup created elsewhere.
    		ruleGroupRefs := networkfirewall.FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArray{
    			&networkfirewall.FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs{
    				Priority:    pulumi.Int(1),
    				ResourceArn: pulumi.Any(exampleAwsNetworkfirewallRuleGroup.Arn),
    			},
    		}

    		// Policy body: rule groups, default verdicts and TLS inspection.
    		// NOTE(review): "aws:pass" as the stateless default lets every packet no
    		// stateless rule matches through without stateful inspection — confirm this
    		// is intended; "aws:forward_to_sfe" is the usual choice when stateful rule
    		// groups are attached.
    		policy := &networkfirewall.FirewallPolicyFirewallPolicyArgs{
    			StatelessDefaultActions: pulumi.StringArray{pulumi.String("aws:pass")},
    			// Fragmented packets no stateless rule matches are dropped.
    			StatelessFragmentDefaultActions: pulumi.StringArray{pulumi.String("aws:drop")},
    			StatelessRuleGroupReferences:    ruleGroupRefs,
    			// Placeholder ARN: replace REGION and ACCT with real values before deploying.
    			TlsInspectionConfigurationArn: pulumi.String("arn:aws:network-firewall:REGION:ACCT:tls-configuration/example"),
    		}

    		tags := pulumi.StringMap{
    			"Tag1": pulumi.String("Value1"),
    			"Tag2": pulumi.String("Value2"),
    		}

    		_, err := networkfirewall.NewFirewallPolicy(ctx, "example", &networkfirewall.FirewallPolicyArgs{
    			Name:           pulumi.String("example"),
    			FirewallPolicy: policy,
    			Tags:           tags,
    		})
    		// A nil err here is the same "return nil" success path as before.
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        // Stateless rule group attached at priority 1.
        // NOTE(review): exampleAwsNetworkfirewallRuleGroup is not declared in this
        // snippet; it stands for an Aws.NetworkFirewall.RuleGroup created elsewhere.
        var ruleGroupReference = new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs
        {
            Priority = 1,
            ResourceArn = exampleAwsNetworkfirewallRuleGroup.Arn,
        };

        // Policy body: rule groups, default verdicts and TLS inspection.
        // NOTE(review): "aws:pass" as the stateless default lets every packet no
        // stateless rule matches through without stateful inspection — confirm this
        // is intended; "aws:forward_to_sfe" is the usual choice when stateful rule
        // groups are attached.
        var policyConfiguration = new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyArgs
        {
            StatelessDefaultActions = { "aws:pass" },
            // Fragmented packets no stateless rule matches are dropped.
            StatelessFragmentDefaultActions = { "aws:drop" },
            StatelessRuleGroupReferences = { ruleGroupReference },
            // Placeholder ARN: replace REGION and ACCT with real values before deploying.
            TlsInspectionConfigurationArn = "arn:aws:network-firewall:REGION:ACCT:tls-configuration/example",
        };

        var example = new Aws.NetworkFirewall.FirewallPolicy("example", new()
        {
            Name = "example",
            FirewallPolicyConfiguration = policyConfiguration,
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.FirewallPolicy;
    import com.pulumi.aws.networkfirewall.FirewallPolicyArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    
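    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the example firewall policy: one stateless rule group at priority 1,
         * a permissive stateless default, fragments dropped, and TLS inspection enabled.
         *
         * Fix: {@code FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs} is used
         * below but was not imported; the import is added in the import block.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            // NOTE(review): exampleAwsNetworkfirewallRuleGroup is not declared in this
            // program; it stands for a RuleGroup created elsewhere.
            var ruleGroupReference = FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs.builder()
                .priority(1)
                .resourceArn(exampleAwsNetworkfirewallRuleGroup.arn())
                .build();

            // NOTE(review): "aws:pass" as the stateless default lets every packet no
            // stateless rule matches through without stateful inspection — confirm this
            // is intended; "aws:forward_to_sfe" is the usual choice when stateful rule
            // groups are attached.
            var policy = FirewallPolicyFirewallPolicyArgs.builder()
                .statelessDefaultActions("aws:pass")
                // Fragmented packets no stateless rule matches are dropped.
                .statelessFragmentDefaultActions("aws:drop")
                .statelessRuleGroupReferences(ruleGroupReference)
                // Placeholder ARN: replace REGION and ACCT with real values before deploying.
                .tlsInspectionConfigurationArn("arn:aws:network-firewall:REGION:ACCT:tls-configuration/example")
                .build();

            var example = new FirewallPolicy("example", FirewallPolicyArgs.builder()
                .name("example")
                .firewallPolicy(policy)
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .build());

        }
    }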
    
    # Example firewall policy: one stateless rule group at priority 1, a permissive
    # stateless default, fragments dropped, and TLS inspection enabled.
    resources:
      example:
        type: aws:networkfirewall:FirewallPolicy
        properties:
          name: example
          firewallPolicy:
            # NOTE(review): aws:pass as the stateless default lets every packet no
            # stateless rule matches through without stateful inspection — confirm
            # this is intended; aws:forward_to_sfe is the usual choice when stateful
            # rule groups are attached.
            statelessDefaultActions:
              - aws:pass
            # Fragmented packets no stateless rule matches are dropped.
            statelessFragmentDefaultActions:
              - aws:drop
            # NOTE(review): exampleAwsNetworkfirewallRuleGroup is not declared in this
            # program; it stands for an aws:networkfirewall:RuleGroup created elsewhere.
            statelessRuleGroupReferences:
              - priority: 1
                resourceArn: ${exampleAwsNetworkfirewallRuleGroup.arn}
            # Placeholder ARN: replace REGION and ACCT with real values before deploying.
            tlsInspectionConfigurationArn: arn:aws:network-firewall:REGION:ACCT:tls-configuration/example
          tags:
            Tag1: Value1
            Tag2: Value2
    

    Policy with a HOME_NET Override

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Policy-level HOME_NET override: rules that reference HOME_NET treat these
    // CIDRs as the protected address space.
    // NOTE(review): confirm the CIDRs match the VPC(s) this firewall protects; an
    // over-broad HOME_NET presumably weakens rules that depend on traffic direction.
    const homeNetVariable = {
        key: "HOME_NET",
        ipSet: {
            definitions: [
                "10.0.0.0/16",
                "10.1.0.0/24",
            ],
        },
    };

    // Stateless rule group attached at priority 1.
    // NOTE(review): `exampleAwsNetworkfirewallRuleGroup` is not declared in this
    // snippet; it stands for an `aws.networkfirewall.RuleGroup` created elsewhere.
    const ruleGroupReference = {
        priority: 1,
        resourceArn: exampleAwsNetworkfirewallRuleGroup.arn,
    };

    // NOTE(review): `aws:pass` as the stateless default lets every packet no
    // stateless rule matches through without stateful inspection — confirm this is
    // intended; `aws:forward_to_sfe` is the usual choice when stateful rule groups
    // are attached.
    const policyConfig = {
        policyVariables: {
            ruleVariables: [homeNetVariable],
        },
        statelessDefaultActions: ["aws:pass"],
        // Fragmented packets no stateless rule matches are dropped.
        statelessFragmentDefaultActions: ["aws:drop"],
        statelessRuleGroupReferences: [ruleGroupReference],
    };

    const example = new aws.networkfirewall.FirewallPolicy("example", {
        name: "example",
        firewallPolicy: policyConfig,
        tags: {
            Tag1: "Value1",
            Tag2: "Value2",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # Policy-level HOME_NET override: rules that reference HOME_NET treat these
    # CIDRs as the protected address space.
    # NOTE(review): confirm the CIDRs match the VPC(s) this firewall protects; an
    # over-broad HOME_NET presumably weakens rules that depend on traffic direction.
    _home_net = aws.networkfirewall.FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableArgs(
        key="HOME_NET",
        ip_set=aws.networkfirewall.FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSetArgs(
            definitions=["10.0.0.0/16", "10.1.0.0/24"],
        ),
    )

    # Stateless rule group attached at priority 1.
    # NOTE(review): `example_aws_networkfirewall_rule_group` is not defined in this
    # snippet; it stands for an `aws.networkfirewall.RuleGroup` created elsewhere.
    _rule_group_ref = aws.networkfirewall.FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs(
        priority=1,
        resource_arn=example_aws_networkfirewall_rule_group["arn"],
    )

    # NOTE(review): "aws:pass" as the stateless default lets every packet no
    # stateless rule matches through without stateful inspection — confirm this is
    # intended; "aws:forward_to_sfe" is the usual choice when stateful rule groups
    # are attached.
    _policy = aws.networkfirewall.FirewallPolicyFirewallPolicyArgs(
        policy_variables=aws.networkfirewall.FirewallPolicyFirewallPolicyPolicyVariablesArgs(
            rule_variables=[_home_net],
        ),
        stateless_default_actions=["aws:pass"],
        # Fragmented packets no stateless rule matches are dropped.
        stateless_fragment_default_actions=["aws:drop"],
        stateless_rule_group_references=[_rule_group_ref],
    )

    example = aws.networkfirewall.FirewallPolicy(
        "example",
        name="example",
        firewall_policy=_policy,
        tags={"Tag1": "Value1", "Tag2": "Value2"},
    )
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Policy-level HOME_NET override: rules that reference HOME_NET treat these
    		// CIDRs as the protected address space.
    		// NOTE(review): confirm the CIDRs match the VPC(s) this firewall protects; an
    		// over-broad HOME_NET presumably weakens rules that depend on traffic direction.
    		homeNet := &networkfirewall.FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableArgs{
    			Key: pulumi.String("HOME_NET"),
    			IpSet: &networkfirewall.FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSetArgs{
    				Definitions: pulumi.StringArray{
    					pulumi.String("10.0.0.0/16"),
    					pulumi.String("10.1.0.0/24"),
    				},
    			},
    		}

    		// Stateless rule group attached at priority 1.
    		// NOTE(review): exampleAwsNetworkfirewallRuleGroup is not declared in this
    		// snippet; it stands for a networkfirewall.RuleGroup created elsewhere.
    		ruleGroupRefs := networkfirewall.FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArray{
    			&networkfirewall.FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs{
    				Priority:    pulumi.Int(1),
    				ResourceArn: pulumi.Any(exampleAwsNetworkfirewallRuleGroup.Arn),
    			},
    		}

    		// NOTE(review): "aws:pass" as the stateless default lets every packet no
    		// stateless rule matches through without stateful inspection — confirm this
    		// is intended; "aws:forward_to_sfe" is the usual choice when stateful rule
    		// groups are attached.
    		policy := &networkfirewall.FirewallPolicyFirewallPolicyArgs{
    			PolicyVariables: &networkfirewall.FirewallPolicyFirewallPolicyPolicyVariablesArgs{
    				RuleVariables: networkfirewall.FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableArray{homeNet},
    			},
    			StatelessDefaultActions: pulumi.StringArray{pulumi.String("aws:pass")},
    			// Fragmented packets no stateless rule matches are dropped.
    			StatelessFragmentDefaultActions: pulumi.StringArray{pulumi.String("aws:drop")},
    			StatelessRuleGroupReferences:    ruleGroupRefs,
    		}

    		_, err := networkfirewall.NewFirewallPolicy(ctx, "example", &networkfirewall.FirewallPolicyArgs{
    			Name:           pulumi.String("example"),
    			FirewallPolicy: policy,
    			Tags: pulumi.StringMap{
    				"Tag1": pulumi.String("Value1"),
    				"Tag2": pulumi.String("Value2"),
    			},
    		})
    		// A nil err here is the same "return nil" success path as before.
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        // Policy-level HOME_NET override: rules that reference HOME_NET treat these
        // CIDRs as the protected address space.
        // NOTE(review): confirm the CIDRs match the VPC(s) this firewall protects; an
        // over-broad HOME_NET presumably weakens rules that depend on traffic direction.
        var homeNet = new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableArgs
        {
            Key = "HOME_NET",
            IpSet = new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSetArgs
            {
                Definitions = { "10.0.0.0/16", "10.1.0.0/24" },
            },
        };

        // Stateless rule group attached at priority 1.
        // NOTE(review): exampleAwsNetworkfirewallRuleGroup is not declared in this
        // snippet; it stands for an Aws.NetworkFirewall.RuleGroup created elsewhere.
        var ruleGroupReference = new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs
        {
            Priority = 1,
            ResourceArn = exampleAwsNetworkfirewallRuleGroup.Arn,
        };

        // NOTE(review): "aws:pass" as the stateless default lets every packet no
        // stateless rule matches through without stateful inspection — confirm this
        // is intended; "aws:forward_to_sfe" is the usual choice when stateful rule
        // groups are attached.
        var policyConfiguration = new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyArgs
        {
            PolicyVariables = new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyPolicyVariablesArgs
            {
                RuleVariables = { homeNet },
            },
            StatelessDefaultActions = { "aws:pass" },
            // Fragmented packets no stateless rule matches are dropped.
            StatelessFragmentDefaultActions = { "aws:drop" },
            StatelessRuleGroupReferences = { ruleGroupReference },
        };

        var example = new Aws.NetworkFirewall.FirewallPolicy("example", new()
        {
            Name = "example",
            FirewallPolicyConfiguration = policyConfiguration,
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.FirewallPolicy;
    import com.pulumi.aws.networkfirewall.FirewallPolicyArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyPolicyVariablesArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSetArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    
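    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares the example firewall policy with a policy-level HOME_NET override,
         * one stateless rule group at priority 1, a permissive stateless default and
         * fragments dropped.
         *
         * Fix: the RuleVariableArgs, RuleVariableIpSetArgs and
         * StatelessRuleGroupReferenceArgs input classes are used below but were not
         * imported; the imports are added in the import block.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            // Rules that reference HOME_NET treat these CIDRs as the protected address space.
            // NOTE(review): confirm the CIDRs match the VPC(s) this firewall protects; an
            // over-broad HOME_NET presumably weakens rules that depend on traffic direction.
            var homeNet = FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableArgs.builder()
                .key("HOME_NET")
                .ipSet(FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSetArgs.builder()
                    .definitions(
                        "10.0.0.0/16",
                        "10.1.0.0/24")
                    .build())
                .build();

            // NOTE(review): exampleAwsNetworkfirewallRuleGroup is not declared in this
            // program; it stands for a RuleGroup created elsewhere.
            var ruleGroupReference = FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs.builder()
                .priority(1)
                .resourceArn(exampleAwsNetworkfirewallRuleGroup.arn())
                .build();

            // NOTE(review): "aws:pass" as the stateless default lets every packet no
            // stateless rule matches through without stateful inspection — confirm this
            // is intended; "aws:forward_to_sfe" is the usual choice when stateful rule
            // groups are attached.
            var policy = FirewallPolicyFirewallPolicyArgs.builder()
                .policyVariables(FirewallPolicyFirewallPolicyPolicyVariablesArgs.builder()
                    .ruleVariables(homeNet)
                    .build())
                .statelessDefaultActions("aws:pass")
                // Fragmented packets no stateless rule matches are dropped.
                .statelessFragmentDefaultActions("aws:drop")
                .statelessRuleGroupReferences(ruleGroupReference)
                .build();

            var example = new FirewallPolicy("example", FirewallPolicyArgs.builder()
                .name("example")
                .firewallPolicy(policy)
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .build());

        }
    }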
    
    # Example firewall policy with a policy-level HOME_NET override, one stateless
    # rule group at priority 1, a permissive stateless default and fragments dropped.
    resources:
      example:
        type: aws:networkfirewall:FirewallPolicy
        properties:
          name: example
          firewallPolicy:
            # Rules that reference HOME_NET treat these CIDRs as the protected address
            # space. NOTE(review): confirm they match the VPC(s) this firewall protects;
            # an over-broad HOME_NET presumably weakens direction-dependent rules.
            policyVariables:
              ruleVariables:
                - key: HOME_NET
                  ipSet:
                    definitions:
                      - 10.0.0.0/16
                      - 10.1.0.0/24
            # NOTE(review): aws:pass as the stateless default lets every packet no
            # stateless rule matches through without stateful inspection — confirm
            # this is intended; aws:forward_to_sfe is the usual choice when stateful
            # rule groups are attached.
            statelessDefaultActions:
              - aws:pass
            # Fragmented packets no stateless rule matches are dropped.
            statelessFragmentDefaultActions:
              - aws:drop
            # NOTE(review): exampleAwsNetworkfirewallRuleGroup is not declared in this
            # program; it stands for an aws:networkfirewall:RuleGroup created elsewhere.
            statelessRuleGroupReferences:
              - priority: 1
                resourceArn: ${exampleAwsNetworkfirewallRuleGroup.arn}
          tags:
            Tag1: Value1
            Tag2: Value2
    

    Policy with a Custom Action for Stateless Inspection

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    // Custom stateless action. Its actionName must match the entry listed in
    // statelessDefaultActions below ("ExampleCustomAction" in both places).
    // NOTE(review): a publishMetricAction presumably only emits a metric and does
    // not itself pass or drop; the verdict comes from `aws:pass` listed alongside it.
    const customActionName = "ExampleCustomAction";
    const metricAction = {
        actionDefinition: {
            publishMetricAction: {
                dimensions: [{
                    value: "1",
                }],
            },
        },
        actionName: customActionName,
    };

    // NOTE(review): `aws:pass` as the stateless default lets every packet no
    // stateless rule matches through without stateful inspection — confirm this is
    // intended; `aws:forward_to_sfe` is the usual choice when stateful rule groups
    // are attached.
    const policyConfig = {
        statelessDefaultActions: [
            "aws:pass",
            customActionName,
        ],
        // Fragmented packets no stateless rule matches are dropped.
        statelessFragmentDefaultActions: ["aws:drop"],
        statelessCustomActions: [metricAction],
    };

    const test = new aws.networkfirewall.FirewallPolicy("test", {
        name: "example",
        firewallPolicy: policyConfig,
    });
    
    import pulumi
    import pulumi_aws as aws
    
    # Custom stateless action. Its action_name must match the entry listed in
    # stateless_default_actions below ("ExampleCustomAction" in both places).
    # NOTE(review): a publish_metric_action presumably only emits a metric and does
    # not itself pass or drop; the verdict comes from "aws:pass" listed alongside it.
    _custom_action_name = "ExampleCustomAction"
    _metric_action = aws.networkfirewall.FirewallPolicyFirewallPolicyStatelessCustomActionArgs(
        action_definition=aws.networkfirewall.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionArgs(
            publish_metric_action=aws.networkfirewall.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionArgs(
                dimensions=[
                    aws.networkfirewall.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimensionArgs(
                        value="1",
                    ),
                ],
            ),
        ),
        action_name=_custom_action_name,
    )

    # NOTE(review): "aws:pass" as the stateless default lets every packet no
    # stateless rule matches through without stateful inspection — confirm this is
    # intended; "aws:forward_to_sfe" is the usual choice when stateful rule groups
    # are attached.
    _policy = aws.networkfirewall.FirewallPolicyFirewallPolicyArgs(
        stateless_default_actions=["aws:pass", _custom_action_name],
        # Fragmented packets no stateless rule matches are dropped.
        stateless_fragment_default_actions=["aws:drop"],
        stateless_custom_actions=[_metric_action],
    )

    test = aws.networkfirewall.FirewallPolicy(
        "test",
        name="example",
        firewall_policy=_policy,
    )
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		// Custom stateless action. Its ActionName must match the entry listed in
    		// StatelessDefaultActions below ("ExampleCustomAction" in both places).
    		// NOTE(review): a PublishMetricAction presumably only emits a metric and does
    		// not itself pass or drop; the verdict comes from "aws:pass" listed alongside it.
    		const customActionName = "ExampleCustomAction"
    		dimensions := networkfirewall.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimensionArray{
    			&networkfirewall.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimensionArgs{
    				Value: pulumi.String("1"),
    			},
    		}
    		metricAction := &networkfirewall.FirewallPolicyFirewallPolicyStatelessCustomActionArgs{
    			ActionDefinition: &networkfirewall.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionArgs{
    				PublishMetricAction: &networkfirewall.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionArgs{
    					Dimensions: dimensions,
    				},
    			},
    			ActionName: pulumi.String(customActionName),
    		}

    		// NOTE(review): "aws:pass" as the stateless default lets every packet no
    		// stateless rule matches through without stateful inspection — confirm this
    		// is intended; "aws:forward_to_sfe" is the usual choice when stateful rule
    		// groups are attached.
    		policy := &networkfirewall.FirewallPolicyFirewallPolicyArgs{
    			StatelessDefaultActions: pulumi.StringArray{
    				pulumi.String("aws:pass"),
    				pulumi.String(customActionName),
    			},
    			// Fragmented packets no stateless rule matches are dropped.
    			StatelessFragmentDefaultActions: pulumi.StringArray{pulumi.String("aws:drop")},
    			StatelessCustomActions:          networkfirewall.FirewallPolicyFirewallPolicyStatelessCustomActionArray{metricAction},
    		}

    		_, err := networkfirewall.NewFirewallPolicy(ctx, "test", &networkfirewall.FirewallPolicyArgs{
    			Name:           pulumi.String("example"),
    			FirewallPolicy: policy,
    		})
    		// A nil err here is the same "return nil" success path as before.
    		return err
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        // Custom stateless action. Its ActionName must match the entry listed in
        // StatelessDefaultActions below ("ExampleCustomAction" in both places).
        // NOTE(review): a PublishMetricAction presumably only emits a metric and does
        // not itself pass or drop; the verdict comes from "aws:pass" listed alongside it.
        const string customActionName = "ExampleCustomAction";
        var metricAction = new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyStatelessCustomActionArgs
        {
            ActionDefinition = new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionArgs
            {
                PublishMetricAction = new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionArgs
                {
                    Dimensions =
                    {
                        new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimensionArgs
                        {
                            Value = "1",
                        },
                    },
                },
            },
            ActionName = customActionName,
        };

        // NOTE(review): "aws:pass" as the stateless default lets every packet no
        // stateless rule matches through without stateful inspection — confirm this
        // is intended; "aws:forward_to_sfe" is the usual choice when stateful rule
        // groups are attached.
        var policyConfiguration = new Aws.NetworkFirewall.Inputs.FirewallPolicyFirewallPolicyArgs
        {
            StatelessDefaultActions = { "aws:pass", customActionName },
            // Fragmented packets no stateless rule matches are dropped.
            StatelessFragmentDefaultActions = { "aws:drop" },
            StatelessCustomActions = { metricAction },
        };

        var test = new Aws.NetworkFirewall.FirewallPolicy("test", new()
        {
            Name = "example",
            FirewallPolicyConfiguration = policyConfiguration,
        });

    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.FirewallPolicy;
    import com.pulumi.aws.networkfirewall.FirewallPolicyArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimensionArgs;
    import com.pulumi.aws.networkfirewall.inputs.FirewallPolicyFirewallPolicyStatelessCustomActionArgs;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.Map;
    
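    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }

        /**
         * Declares a firewall policy whose stateless default actions pair
         * {@code aws:pass} with a custom metric-publishing action.
         *
         * Fix: the StatelessCustomAction*Args input classes are used below but were
         * not imported; the imports are added in the import block.
         *
         * @param ctx the Pulumi deployment context
         */
        public static void stack(Context ctx) {
            // Custom stateless action. Its actionName must match the entry listed in
            // statelessDefaultActions below ("ExampleCustomAction" in both places).
            // NOTE(review): a publishMetricAction presumably only emits a metric and does
            // not itself pass or drop; the verdict comes from "aws:pass" listed alongside it.
            final String customActionName = "ExampleCustomAction";
            var metricAction = FirewallPolicyFirewallPolicyStatelessCustomActionArgs.builder()
                .actionDefinition(FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionArgs.builder()
                    .publishMetricAction(FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionArgs.builder()
                        .dimensions(FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimensionArgs.builder()
                            .value("1")
                            .build())
                        .build())
                    .build())
                .actionName(customActionName)
                .build();

            // NOTE(review): "aws:pass" as the stateless default lets every packet no
            // stateless rule matches through without stateful inspection — confirm this
            // is intended; "aws:forward_to_sfe" is the usual choice when stateful rule
            // groups are attached.
            var policy = FirewallPolicyFirewallPolicyArgs.builder()
                .statelessDefaultActions(
                    "aws:pass",
                    customActionName)
                // Fragmented packets no stateless rule matches are dropped.
                .statelessFragmentDefaultActions("aws:drop")
                .statelessCustomActions(metricAction)
                .build();

            var test = new FirewallPolicy("test", FirewallPolicyArgs.builder()
                .name("example")
                .firewallPolicy(policy)
                .build());

        }
    }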
    
    # Firewall policy whose stateless default actions pair aws:pass with a custom
    # metric-publishing action.
    resources:
      test:
        type: aws:networkfirewall:FirewallPolicy
        properties:
          name: example
          firewallPolicy:
            # NOTE(review): aws:pass as the stateless default lets every packet no
            # stateless rule matches through without stateful inspection — confirm
            # this is intended; aws:forward_to_sfe is the usual choice when stateful
            # rule groups are attached. ExampleCustomAction must match the actionName
            # declared under statelessCustomActions.
            statelessDefaultActions:
              - aws:pass
              - ExampleCustomAction
            # Fragmented packets no stateless rule matches are dropped.
            statelessFragmentDefaultActions:
              - aws:drop
            # NOTE(review): a publishMetricAction presumably only emits a metric and
            # does not itself pass or drop; the verdict comes from aws:pass above.
            statelessCustomActions:
              - actionDefinition:
                  publishMetricAction:
                    dimensions:
                      - value: '1'
                actionName: ExampleCustomAction
    

    Create FirewallPolicy Resource

    new FirewallPolicy(name: string, args: FirewallPolicyArgs, opts?: CustomResourceOptions);
    @overload
    def FirewallPolicy(resource_name: str,
                       opts: Optional[ResourceOptions] = None,
                       description: Optional[str] = None,
                       encryption_configuration: Optional[FirewallPolicyEncryptionConfigurationArgs] = None,
                       firewall_policy: Optional[FirewallPolicyFirewallPolicyArgs] = None,
                       name: Optional[str] = None,
                       tags: Optional[Mapping[str, str]] = None)
    @overload
    def FirewallPolicy(resource_name: str,
                       args: FirewallPolicyArgs,
                       opts: Optional[ResourceOptions] = None)
    func NewFirewallPolicy(ctx *Context, name string, args FirewallPolicyArgs, opts ...ResourceOption) (*FirewallPolicy, error)
    public FirewallPolicy(string name, FirewallPolicyArgs args, CustomResourceOptions? opts = null)
    public FirewallPolicy(String name, FirewallPolicyArgs args)
    public FirewallPolicy(String name, FirewallPolicyArgs args, CustomResourceOptions options)
    
    type: aws:networkfirewall:FirewallPolicy
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args FirewallPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args FirewallPolicyArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args FirewallPolicyArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args FirewallPolicyArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args FirewallPolicyArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    FirewallPolicy Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The FirewallPolicy resource accepts the following input properties:

    FirewallPolicyConfiguration FirewallPolicyFirewallPolicy
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    Description string
    A friendly description of the firewall policy.
    EncryptionConfiguration FirewallPolicyEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    Name string
    A friendly name of the firewall policy.
    Tags Dictionary<string, string>
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    FirewallPolicy FirewallPolicyFirewallPolicyArgs
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    Description string
    A friendly description of the firewall policy.
    EncryptionConfiguration FirewallPolicyEncryptionConfigurationArgs
    KMS encryption configuration settings. See Encryption Configuration below for details.
    Name string
    A friendly name of the firewall policy.
    Tags map[string]string
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    firewallPolicy FirewallPolicyFirewallPolicy
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    description String
    A friendly description of the firewall policy.
    encryptionConfiguration FirewallPolicyEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name String
    A friendly name of the firewall policy.
    tags Map<String,String>
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    firewallPolicy FirewallPolicyFirewallPolicy
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    description string
    A friendly description of the firewall policy.
    encryptionConfiguration FirewallPolicyEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name string
    A friendly name of the firewall policy.
    tags {[key: string]: string}
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    firewall_policy FirewallPolicyFirewallPolicyArgs
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    description str
    A friendly description of the firewall policy.
    encryption_configuration FirewallPolicyEncryptionConfigurationArgs
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name str
    A friendly name of the firewall policy.
    tags Mapping[str, str]
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    firewallPolicy Property Map
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    description String
    A friendly description of the firewall policy.
    encryptionConfiguration Property Map
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name String
    A friendly name of the firewall policy.
    tags Map<String>
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the FirewallPolicy resource produces the following output properties:

    Arn string
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    Id string
    The provider-assigned unique ID for this managed resource.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: use `tags` instead.

    UpdateToken string
    A string token used when updating a firewall policy.
    Arn string
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    Id string
    The provider-assigned unique ID for this managed resource.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: use `tags` instead.

    UpdateToken string
    A string token used when updating a firewall policy.
    arn String
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    id String
    The provider-assigned unique ID for this managed resource.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    updateToken String
    A string token used when updating a firewall policy.
    arn string
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    id string
    The provider-assigned unique ID for this managed resource.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    updateToken string
    A string token used when updating a firewall policy.
    arn str
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    id str
    The provider-assigned unique ID for this managed resource.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    update_token str
    A string token used when updating a firewall policy.
    arn String
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    id String
    The provider-assigned unique ID for this managed resource.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    updateToken String
    A string token used when updating a firewall policy.

    Look up Existing FirewallPolicy Resource

    Get an existing FirewallPolicy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: FirewallPolicyState, opts?: CustomResourceOptions): FirewallPolicy
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            description: Optional[str] = None,
            encryption_configuration: Optional[FirewallPolicyEncryptionConfigurationArgs] = None,
            firewall_policy: Optional[FirewallPolicyFirewallPolicyArgs] = None,
            name: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None,
            update_token: Optional[str] = None) -> FirewallPolicy
    func GetFirewallPolicy(ctx *Context, name string, id IDInput, state *FirewallPolicyState, opts ...ResourceOption) (*FirewallPolicy, error)
    public static FirewallPolicy Get(string name, Input<string> id, FirewallPolicyState? state, CustomResourceOptions? opts = null)
    public static FirewallPolicy get(String name, Output<String> id, FirewallPolicyState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    Description string
    A friendly description of the firewall policy.
    EncryptionConfiguration FirewallPolicyEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    FirewallPolicyConfiguration FirewallPolicyFirewallPolicy
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    Name string
    A friendly name of the firewall policy.
    Tags Dictionary<string, string>
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    UpdateToken string
    A string token used when updating a firewall policy.
    Arn string
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    Description string
    A friendly description of the firewall policy.
    EncryptionConfiguration FirewallPolicyEncryptionConfigurationArgs
    KMS encryption configuration settings. See Encryption Configuration below for details.
    FirewallPolicy FirewallPolicyFirewallPolicyArgs
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    Name string
    A friendly name of the firewall policy.
    Tags map[string]string
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    UpdateToken string
    A string token used when updating a firewall policy.
    arn String
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    description String
    A friendly description of the firewall policy.
    encryptionConfiguration FirewallPolicyEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    firewallPolicy FirewallPolicyFirewallPolicy
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    name String
    A friendly name of the firewall policy.
    tags Map<String,String>
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    updateToken String
    A string token used when updating a firewall policy.
    arn string
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    description string
    A friendly description of the firewall policy.
    encryptionConfiguration FirewallPolicyEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    firewallPolicy FirewallPolicyFirewallPolicy
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    name string
    A friendly name of the firewall policy.
    tags {[key: string]: string}
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    updateToken string
    A string token used when updating a firewall policy.
    arn str
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    description str
    A friendly description of the firewall policy.
    encryption_configuration FirewallPolicyEncryptionConfigurationArgs
    KMS encryption configuration settings. See Encryption Configuration below for details.
    firewall_policy FirewallPolicyFirewallPolicyArgs
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    name str
    A friendly name of the firewall policy.
    tags Mapping[str, str]
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    update_token str
    A string token used when updating a firewall policy.
    arn String
    The Amazon Resource Name (ARN) that identifies the firewall policy.
    description String
    A friendly description of the firewall policy.
    encryptionConfiguration Property Map
    KMS encryption configuration settings. See Encryption Configuration below for details.
    firewallPolicy Property Map
    A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
    name String
    A friendly name of the firewall policy.
    tags Map<String>
    Map of resource tags to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated:Please use tags instead.

    updateToken String
    A string token used when updating a firewall policy.

    Supporting Types

    FirewallPolicyEncryptionConfiguration, FirewallPolicyEncryptionConfigurationArgs

    Type string
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    KeyId string
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
    Type string
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    KeyId string
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
    type String
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    keyId String
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
    type string
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    keyId string
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
    type str
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    key_id str
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
    type String
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    keyId String
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

    FirewallPolicyFirewallPolicy, FirewallPolicyFirewallPolicyArgs

    StatelessDefaultActions List<string>
    Set of actions to take on a packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching packets for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    StatelessFragmentDefaultActions List<string>
    Set of actions to take on a fragmented packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching fragments for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    PolicyVariables FirewallPolicyFirewallPolicyPolicyVariables
    Contains variables that you can use to override default Suricata settings in your firewall policy. See Rule Variables for details.
    StatefulDefaultActions List<string>
    Set of actions to take on a packet that does not match any stateful rules in the policy. This can only be specified if the policy has a stateful_engine_options block with rule_order set to STRICT_ORDER. You can specify at most one of aws:drop_strict or aws:drop_established (or neither), together with any combination of aws:alert_strict and aws:alert_established.
    StatefulEngineOptions FirewallPolicyFirewallPolicyStatefulEngineOptions
    A configuration block that defines options on how the policy handles stateful rules. See Stateful Engine Options below for details.
    StatefulRuleGroupReferences List<FirewallPolicyFirewallPolicyStatefulRuleGroupReference>
    Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See Stateful Rule Group Reference below for details.
    StatelessCustomActions List<FirewallPolicyFirewallPolicyStatelessCustomAction>
    Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's stateless_default_actions. See Stateless Custom Action below for details.
    StatelessRuleGroupReferences List<FirewallPolicyFirewallPolicyStatelessRuleGroupReference>
    Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See Stateless Rule Group Reference below for details.
    TlsInspectionConfigurationArn string
    The Amazon Resource Name (ARN) of the TLS inspection configuration to attach to the firewall policy. Per AWS documentation, this must be set when the resource is created: "You can only add a TLS inspection configuration to a new policy, not to an existing policy." Once attached, it cannot be removed from the firewall policy.
    StatelessDefaultActions []string
    Set of actions to take on a packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching packets for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    StatelessFragmentDefaultActions []string
    Set of actions to take on a fragmented packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching fragments for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    PolicyVariables FirewallPolicyFirewallPolicyPolicyVariables
    Contains variables that you can use to override default Suricata settings in your firewall policy. See Rule Variables for details.
    StatefulDefaultActions []string
    Set of actions to take on a packet that does not match any stateful rules in the policy. This can only be specified if the policy has a stateful_engine_options block with rule_order set to STRICT_ORDER. You can specify at most one of aws:drop_strict or aws:drop_established (or neither), together with any combination of aws:alert_strict and aws:alert_established.
    StatefulEngineOptions FirewallPolicyFirewallPolicyStatefulEngineOptions
    A configuration block that defines options on how the policy handles stateful rules. See Stateful Engine Options below for details.
    StatefulRuleGroupReferences []FirewallPolicyFirewallPolicyStatefulRuleGroupReference
    Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See Stateful Rule Group Reference below for details.
    StatelessCustomActions []FirewallPolicyFirewallPolicyStatelessCustomAction
    Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's stateless_default_actions. See Stateless Custom Action below for details.
    StatelessRuleGroupReferences []FirewallPolicyFirewallPolicyStatelessRuleGroupReference
    Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See Stateless Rule Group Reference below for details.
    TlsInspectionConfigurationArn string
    The Amazon Resource Name (ARN) of the TLS inspection configuration to attach to the firewall policy. Per AWS documentation, this must be set when the resource is created: "You can only add a TLS inspection configuration to a new policy, not to an existing policy." Once attached, it cannot be removed from the firewall policy.
    statelessDefaultActions List<String>
    Set of actions to take on a packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching packets for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    statelessFragmentDefaultActions List<String>
    Set of actions to take on a fragmented packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching fragments for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    policyVariables FirewallPolicyFirewallPolicyPolicyVariables
    Contains variables that you can use to override default Suricata settings in your firewall policy. See Rule Variables for details.
    statefulDefaultActions List<String>
    Set of actions to take on a packet that does not match any stateful rules in the policy. This can only be specified if the policy has a stateful_engine_options block with rule_order set to STRICT_ORDER. You can specify at most one of aws:drop_strict or aws:drop_established (or neither), together with any combination of aws:alert_strict and aws:alert_established.
    statefulEngineOptions FirewallPolicyFirewallPolicyStatefulEngineOptions
    A configuration block that defines options on how the policy handles stateful rules. See Stateful Engine Options below for details.
    statefulRuleGroupReferences List<FirewallPolicyFirewallPolicyStatefulRuleGroupReference>
    Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See Stateful Rule Group Reference below for details.
    statelessCustomActions List<FirewallPolicyFirewallPolicyStatelessCustomAction>
    Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's stateless_default_actions. See Stateless Custom Action below for details.
    statelessRuleGroupReferences List<FirewallPolicyFirewallPolicyStatelessRuleGroupReference>
    Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See Stateless Rule Group Reference below for details.
    tlsInspectionConfigurationArn String
    The Amazon Resource Name (ARN) of the TLS inspection configuration to attach to the firewall policy. Per AWS documentation, this must be set when the resource is created: "You can only add a TLS inspection configuration to a new policy, not to an existing policy." Once attached, it cannot be removed from the firewall policy.
    statelessDefaultActions string[]
    Set of actions to take on a packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching packets for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    statelessFragmentDefaultActions string[]
    Set of actions to take on a fragmented packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching fragments for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    policyVariables FirewallPolicyFirewallPolicyPolicyVariables
    Contains variables that you can use to override default Suricata settings in your firewall policy. See Rule Variables for details.
    statefulDefaultActions string[]
    Set of actions to take on a packet that does not match any stateful rules in the policy. This can only be specified if the policy has a stateful_engine_options block with rule_order set to STRICT_ORDER. You can specify at most one of aws:drop_strict or aws:drop_established (or neither), together with any combination of aws:alert_strict and aws:alert_established.
    statefulEngineOptions FirewallPolicyFirewallPolicyStatefulEngineOptions
    A configuration block that defines options on how the policy handles stateful rules. See Stateful Engine Options below for details.
    statefulRuleGroupReferences FirewallPolicyFirewallPolicyStatefulRuleGroupReference[]
    Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See Stateful Rule Group Reference below for details.
    statelessCustomActions FirewallPolicyFirewallPolicyStatelessCustomAction[]
    Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's stateless_default_actions. See Stateless Custom Action below for details.
    statelessRuleGroupReferences FirewallPolicyFirewallPolicyStatelessRuleGroupReference[]
    Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See Stateless Rule Group Reference below for details.
    tlsInspectionConfigurationArn string
    The Amazon Resource Name (ARN) of the TLS inspection configuration to attach to the firewall policy. Per AWS documentation, this must be set when the resource is created: "You can only add a TLS inspection configuration to a new policy, not to an existing policy." Once attached, it cannot be removed from the firewall policy.
    stateless_default_actions Sequence[str]
    Set of actions to take on a packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching packets for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    stateless_fragment_default_actions Sequence[str]
    Set of actions to take on a fragmented packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching fragments for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    policy_variables FirewallPolicyFirewallPolicyPolicyVariables
    Contains variables that you can use to override default Suricata settings in your firewall policy. See Rule Variables for details.
    stateful_default_actions Sequence[str]
    Set of actions to take on a packet that does not match any stateful rules in the policy. This can only be specified if the policy has a stateful_engine_options block with rule_order set to STRICT_ORDER. You can specify at most one of aws:drop_strict or aws:drop_established (or neither), together with any combination of aws:alert_strict and aws:alert_established.
    stateful_engine_options FirewallPolicyFirewallPolicyStatefulEngineOptions
    A configuration block that defines options on how the policy handles stateful rules. See Stateful Engine Options below for details.
    stateful_rule_group_references Sequence[FirewallPolicyFirewallPolicyStatefulRuleGroupReference]
    Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See Stateful Rule Group Reference below for details.
    stateless_custom_actions Sequence[FirewallPolicyFirewallPolicyStatelessCustomAction]
    Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's stateless_default_actions. See Stateless Custom Action below for details.
    stateless_rule_group_references Sequence[FirewallPolicyFirewallPolicyStatelessRuleGroupReference]
    Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See Stateless Rule Group Reference below for details.
    tls_inspection_configuration_arn str
    The Amazon Resource Name (ARN) of the TLS inspection configuration to attach to the firewall policy. Per AWS documentation, this must be set when the resource is created: "You can only add a TLS inspection configuration to a new policy, not to an existing policy." Once attached, it cannot be removed from the firewall policy.
    statelessDefaultActions List<String>
    Set of actions to take on a packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching packets for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    statelessFragmentDefaultActions List<String>
    Set of actions to take on a fragmented packet that does not match any of the stateless rules in the policy. You must specify one of the standard actions aws:drop, aws:pass, or aws:forward_to_sfe, and may add custom actions that are compatible with that standard action. Only aws:forward_to_sfe forwards non-matching fragments for stateful inspection; choose it if you want those packets evaluated by the stateful rules.
    policyVariables Property Map
    Contains variables that you can use to override default Suricata settings in your firewall policy. See Rule Variables for details.
    statefulDefaultActions List<String>
    Set of actions to take on a packet that does not match any stateful rules in the policy. This can only be specified if the policy has a stateful_engine_options block with rule_order set to STRICT_ORDER. You can specify at most one of aws:drop_strict or aws:drop_established (or neither), together with any combination of aws:alert_strict and aws:alert_established.
    statefulEngineOptions Property Map
    A configuration block that defines options on how the policy handles stateful rules. See Stateful Engine Options below for details.
    statefulRuleGroupReferences List<Property Map>
    Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See Stateful Rule Group Reference below for details.
    statelessCustomActions List<Property Map>
    Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's stateless_default_actions. See Stateless Custom Action below for details.
    statelessRuleGroupReferences List<Property Map>
    Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See Stateless Rule Group Reference below for details.
    tlsInspectionConfigurationArn String
    The Amazon Resource Name (ARN) of the TLS inspection configuration to attach to the firewall policy. Per AWS documentation, this must be set when the resource is created: "You can only add a TLS inspection configuration to a new policy, not to an existing policy." Once attached, it cannot be removed from the firewall policy.

    FirewallPolicyFirewallPolicyPolicyVariables, FirewallPolicyFirewallPolicyPolicyVariablesArgs

    FirewallPolicyFirewallPolicyPolicyVariablesRuleVariable, FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableArgs

    IpSet FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSet
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    Key string
    An alphanumeric string to identify the ip_set. Valid values: HOME_NET
    IpSet FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSet
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    Key string
    An alphanumeric string to identify the ip_set. Valid values: HOME_NET
    ipSet FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSet
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    key String
    An alphanumeric string to identify the ip_set. Valid values: HOME_NET
    ipSet FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSet
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    key string
    An alphanumeric string to identify the ip_set. Valid values: HOME_NET
    ip_set FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSet
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    key str
    An alphanumeric string to identify the ip_set. Valid values: HOME_NET
    ipSet Property Map
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    key String
    An alphanumeric string to identify the ip_set. Valid values: HOME_NET

    FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSet, FirewallPolicyFirewallPolicyPolicyVariablesRuleVariableIpSetArgs

    Definitions List<string>
    Set of IPv4 or IPv6 addresses in CIDR notation to use for the Suricata HOME_NET variable.
    Definitions []string
    Set of IPv4 or IPv6 addresses in CIDR notation to use for the Suricata HOME_NET variable. Keep this to the address ranges you actually treat as internal: Suricata rules written against HOME_NET (and against EXTERNAL_NET, conventionally its complement) are evaluated relative to this set, so an over-broad or incorrect definition can silently stop rules from matching.
    definitions List<String>
    Set of IPv4 or IPv6 addresses in CIDR notation to use for the Suricata HOME_NET variable. Keep this to the address ranges you actually treat as internal: Suricata rules written against HOME_NET (and against EXTERNAL_NET, conventionally its complement) are evaluated relative to this set, so an over-broad or incorrect definition can silently stop rules from matching.
    definitions string[]
    Set of IPv4 or IPv6 addresses in CIDR notation to use for the Suricata HOME_NET variable. Keep this to the address ranges you actually treat as internal: Suricata rules written against HOME_NET (and against EXTERNAL_NET, conventionally its complement) are evaluated relative to this set, so an over-broad or incorrect definition can silently stop rules from matching.
    definitions Sequence[str]
    Set of IPv4 or IPv6 addresses in CIDR notation to use for the Suricata HOME_NET variable. Keep this to the address ranges you actually treat as internal: Suricata rules written against HOME_NET (and against EXTERNAL_NET, conventionally its complement) are evaluated relative to this set, so an over-broad or incorrect definition can silently stop rules from matching.
    definitions List<String>
    Set of IPv4 or IPv6 addresses in CIDR notation to use for the Suricata HOME_NET variable. Keep this to the address ranges you actually treat as internal: Suricata rules written against HOME_NET (and against EXTERNAL_NET, conventionally its complement) are evaluated relative to this set, so an over-broad or incorrect definition can silently stop rules from matching.

    FirewallPolicyFirewallPolicyStatefulEngineOptions, FirewallPolicyFirewallPolicyStatefulEngineOptionsArgs

    RuleOrder string
    Indicates how to manage the order of stateful rule evaluation for the policy. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
    StreamExceptionPolicy string
    Describes how to treat midstream traffic, i.e. packets belonging to a flow whose beginning the stateful engine did not observe. Default value: DROP. Valid values: DROP, CONTINUE, REJECT. DROP and REJECT fail closed by discarding such traffic; CONTINUE fails open, letting the flow proceed and evaluating subsequent packets without the earlier flow context, so stateful rules that depend on having seen the start of the flow may not match. Treat CONTINUE as a deliberate availability-over-inspection trade-off rather than a default.
    RuleOrder string
    Indicates how to manage the order of stateful rule evaluation for the policy. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
    StreamExceptionPolicy string
    Describes how to treat midstream traffic, i.e. packets belonging to a flow whose beginning the stateful engine did not observe. Default value: DROP. Valid values: DROP, CONTINUE, REJECT. DROP and REJECT fail closed by discarding such traffic; CONTINUE fails open, letting the flow proceed and evaluating subsequent packets without the earlier flow context, so stateful rules that depend on having seen the start of the flow may not match. Treat CONTINUE as a deliberate availability-over-inspection trade-off rather than a default.
    ruleOrder String
    Indicates how to manage the order of stateful rule evaluation for the policy. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
    streamExceptionPolicy String
    Describes how to treat midstream traffic, i.e. packets belonging to a flow whose beginning the stateful engine did not observe. Default value: DROP. Valid values: DROP, CONTINUE, REJECT. DROP and REJECT fail closed by discarding such traffic; CONTINUE fails open, letting the flow proceed and evaluating subsequent packets without the earlier flow context, so stateful rules that depend on having seen the start of the flow may not match. Treat CONTINUE as a deliberate availability-over-inspection trade-off rather than a default.
    ruleOrder string
    Indicates how to manage the order of stateful rule evaluation for the policy. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
    streamExceptionPolicy string
    Describes how to treat midstream traffic, i.e. packets belonging to a flow whose beginning the stateful engine did not observe. Default value: DROP. Valid values: DROP, CONTINUE, REJECT. DROP and REJECT fail closed by discarding such traffic; CONTINUE fails open, letting the flow proceed and evaluating subsequent packets without the earlier flow context, so stateful rules that depend on having seen the start of the flow may not match. Treat CONTINUE as a deliberate availability-over-inspection trade-off rather than a default.
    rule_order str
    Indicates how to manage the order of stateful rule evaluation for the policy. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
    stream_exception_policy str
    Describes how to treat midstream traffic, i.e. packets belonging to a flow whose beginning the stateful engine did not observe. Default value: DROP. Valid values: DROP, CONTINUE, REJECT. DROP and REJECT fail closed by discarding such traffic; CONTINUE fails open, letting the flow proceed and evaluating subsequent packets without the earlier flow context, so stateful rules that depend on having seen the start of the flow may not match. Treat CONTINUE as a deliberate availability-over-inspection trade-off rather than a default.
    ruleOrder String
    Indicates how to manage the order of stateful rule evaluation for the policy. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
    streamExceptionPolicy String
    Describes how to treat midstream traffic, i.e. packets belonging to a flow whose beginning the stateful engine did not observe. Default value: DROP. Valid values: DROP, CONTINUE, REJECT. DROP and REJECT fail closed by discarding such traffic; CONTINUE fails open, letting the flow proceed and evaluating subsequent packets without the earlier flow context, so stateful rules that depend on having seen the start of the flow may not match. Treat CONTINUE as a deliberate availability-over-inspection trade-off rather than a default.

    FirewallPolicyFirewallPolicyStatefulRuleGroupReference, FirewallPolicyFirewallPolicyStatefulRuleGroupReferenceArgs

    ResourceArn string
    The Amazon Resource Name (ARN) of the stateful rule group.
    Override FirewallPolicyFirewallPolicyStatefulRuleGroupReferenceOverride
    Configuration block for override values
    Priority int
    An integer setting that indicates the order in which to apply the stateful rule groups in a single policy. This argument must be specified if the policy has a stateful_engine_options block with a rule_order value of STRICT_ORDER. AWS Network Firewall applies each stateful rule group to a packet starting with the group that has the lowest priority setting.
    ResourceArn string
    The Amazon Resource Name (ARN) of the stateful rule group.
    Override FirewallPolicyFirewallPolicyStatefulRuleGroupReferenceOverride
    Configuration block for override values
    Priority int
    An integer setting that indicates the order in which to apply the stateful rule groups in a single policy. This argument must be specified if the policy has a stateful_engine_options block with a rule_order value of STRICT_ORDER. AWS Network Firewall applies each stateful rule group to a packet starting with the group that has the lowest priority setting.
    resourceArn String
    The Amazon Resource Name (ARN) of the stateful rule group.
    override FirewallPolicyFirewallPolicyStatefulRuleGroupReferenceOverride
    Configuration block for override values
    priority Integer
    An integer setting that indicates the order in which to apply the stateful rule groups in a single policy. This argument must be specified if the policy has a stateful_engine_options block with a rule_order value of STRICT_ORDER. AWS Network Firewall applies each stateful rule group to a packet starting with the group that has the lowest priority setting.
    resourceArn string
    The Amazon Resource Name (ARN) of the stateful rule group.
    override FirewallPolicyFirewallPolicyStatefulRuleGroupReferenceOverride
    Configuration block for override values
    priority number
    An integer setting that indicates the order in which to apply the stateful rule groups in a single policy. This argument must be specified if the policy has a stateful_engine_options block with a rule_order value of STRICT_ORDER. AWS Network Firewall applies each stateful rule group to a packet starting with the group that has the lowest priority setting.
    resource_arn str
    The Amazon Resource Name (ARN) of the stateful rule group.
    override FirewallPolicyFirewallPolicyStatefulRuleGroupReferenceOverride
    Configuration block for override values
    priority int
    An integer setting that indicates the order in which to apply the stateful rule groups in a single policy. This argument must be specified if the policy has a stateful_engine_options block with a rule_order value of STRICT_ORDER. AWS Network Firewall applies each stateful rule group to a packet starting with the group that has the lowest priority setting.
    resourceArn String
    The Amazon Resource Name (ARN) of the stateful rule group.
    override Property Map
    Configuration block for override values
    priority Number
    An integer setting that indicates the order in which to apply the stateful rule groups in a single policy. This argument must be specified if the policy has a stateful_engine_options block with a rule_order value of STRICT_ORDER. AWS Network Firewall applies each stateful rule group to a packet starting with the group that has the lowest priority setting.

    FirewallPolicyFirewallPolicyStatefulRuleGroupReferenceOverride, FirewallPolicyFirewallPolicyStatefulRuleGroupReferenceOverrideArgs

    Action string
    The action that changes the rule group's behavior from DROP to ALERT. This only applies to managed rule groups. An overridden group only logs matching traffic instead of blocking it, so use this for tuning or a staged rollout and remove the override before relying on the group for enforcement.
    Action string
    The action that changes the rule group's behavior from DROP to ALERT. This only applies to managed rule groups. An overridden group only logs matching traffic instead of blocking it, so use this for tuning or a staged rollout and remove the override before relying on the group for enforcement.
    action String
    The action that changes the rule group's behavior from DROP to ALERT. This only applies to managed rule groups. An overridden group only logs matching traffic instead of blocking it, so use this for tuning or a staged rollout and remove the override before relying on the group for enforcement.
    action string
    The action that changes the rule group's behavior from DROP to ALERT. This only applies to managed rule groups. An overridden group only logs matching traffic instead of blocking it, so use this for tuning or a staged rollout and remove the override before relying on the group for enforcement.
    action str
    The action that changes the rule group's behavior from DROP to ALERT. This only applies to managed rule groups. An overridden group only logs matching traffic instead of blocking it, so use this for tuning or a staged rollout and remove the override before relying on the group for enforcement.
    action String
    The action that changes the rule group's behavior from DROP to ALERT. This only applies to managed rule groups. An overridden group only logs matching traffic instead of blocking it, so use this for tuning or a staged rollout and remove the override before relying on the group for enforcement.

    FirewallPolicyFirewallPolicyStatelessCustomAction, FirewallPolicyFirewallPolicyStatelessCustomActionArgs

    ActionDefinition FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinition
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    ActionName string
    A friendly name of the custom action.
    ActionDefinition FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinition
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    ActionName string
    A friendly name of the custom action.
    actionDefinition FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinition
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    actionName String
    A friendly name of the custom action.
    actionDefinition FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinition
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    actionName string
    A friendly name of the custom action.
    action_definition FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinition
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    action_name str
    A friendly name of the custom action.
    actionDefinition Property Map
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    actionName String
    A friendly name of the custom action.

    FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinition, FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionArgs

    PublishMetricAction FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricAction
    A configuration block describing a custom action that publishes the specified metrics to Amazon CloudWatch for each matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
    PublishMetricAction FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricAction
    A configuration block describing a custom action that publishes the specified metrics to Amazon CloudWatch for each matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
    publishMetricAction FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricAction
    A configuration block describing a custom action that publishes the specified metrics to Amazon CloudWatch for each matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
    publishMetricAction FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricAction
    A configuration block describing a custom action that publishes the specified metrics to Amazon CloudWatch for each matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
    publish_metric_action FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricAction
    A configuration block describing a custom action that publishes the specified metrics to Amazon CloudWatch for each matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
    publishMetricAction Property Map
    A configuration block describing a custom action that publishes the specified metrics to Amazon CloudWatch for each matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

    FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricAction, FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionArgs

    Dimensions List<FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimension>
    Set of configuration blocks describing dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for more details.
    Dimensions []FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimension
    Set of configuration blocks describing dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for more details.
    dimensions List<FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimension>
    Set of configuration blocks describing dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for more details.
    dimensions FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimension[]
    Set of configuration blocks describing dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for more details.
    dimensions Sequence[FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimension]
    Set of configuration blocks describing dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for more details.
    dimensions List<Property Map>
    Set of configuration blocks describing dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for more details.

    FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimension, FirewallPolicyFirewallPolicyStatelessCustomActionActionDefinitionPublishMetricActionDimensionArgs

    Value string
    The string value to use in the custom metric dimension.
    Value string
    The string value to use in the custom metric dimension.
    value String
    The string value to use in the custom metric dimension.
    value string
    The string value to use in the custom metric dimension.
    value str
    The string value to use in the custom metric dimension.
    value String
    The string value to use in the custom metric dimension.

    FirewallPolicyFirewallPolicyStatelessRuleGroupReference, FirewallPolicyFirewallPolicyStatelessRuleGroupReferenceArgs

    Priority int
    An integer setting that indicates the order in which to run the stateless rule groups in a single policy. AWS Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting.
    ResourceArn string
    The Amazon Resource Name (ARN) of the stateless rule group.
    Priority int
    An integer setting that indicates the order in which to run the stateless rule groups in a single policy. AWS Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting.
    ResourceArn string
    The Amazon Resource Name (ARN) of the stateless rule group.
    priority Integer
    An integer setting that indicates the order in which to run the stateless rule groups in a single policy. AWS Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting.
    resourceArn String
    The Amazon Resource Name (ARN) of the stateless rule group.
    priority number
    An integer setting that indicates the order in which to run the stateless rule groups in a single policy. AWS Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting.
    resourceArn string
    The Amazon Resource Name (ARN) of the stateless rule group.
    priority int
    An integer setting that indicates the order in which to run the stateless rule groups in a single policy. AWS Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting.
    resource_arn str
    The Amazon Resource Name (ARN) of the stateless rule group.
    priority Number
    An integer setting that indicates the order in which to run the stateless rule groups in a single policy. AWS Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting.
    resourceArn String
    The Amazon Resource Name (ARN) of the stateless rule group.

    Import

    Using pulumi import, import Network Firewall Policies using their ARN. For example:

    $ pulumi import aws:networkfirewall/firewallPolicy:FirewallPolicy example arn:aws:network-firewall:us-west-1:123456789012:firewall-policy/example
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.