AWS v7.10.0 published on Friday, Oct 24, 2025 by Pulumi
aws.networkfirewall.RuleGroup
Provides an AWS Network Firewall Rule Group Resource
Example Usage
Stateful Inspection for denying access to a domain
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 100,
name: "example",
type: "STATEFUL",
ruleGroup: {
rulesSource: {
rulesSourceList: {
generatedRulesType: "DENYLIST",
targetTypes: ["HTTP_HOST"],
targets: ["test.example.com"],
},
},
},
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
example = aws.networkfirewall.RuleGroup("example",
capacity=100,
name="example",
type="STATEFUL",
rule_group={
"rules_source": {
"rules_source_list": {
"generated_rules_type": "DENYLIST",
"target_types": ["HTTP_HOST"],
"targets": ["test.example.com"],
},
},
},
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATEFUL"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
GeneratedRulesType: pulumi.String("DENYLIST"),
TargetTypes: pulumi.StringArray{
pulumi.String("HTTP_HOST"),
},
Targets: pulumi.StringArray{
pulumi.String("test.example.com"),
},
},
},
},
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 100,
Name = "example",
Type = "STATEFUL",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
{
GeneratedRulesType = "DENYLIST",
TargetTypes = new[]
{
"HTTP_HOST",
},
Targets = new[]
{
"test.example.com",
},
},
},
},
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.name("example")
.type("STATEFUL")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
.generatedRulesType("DENYLIST")
.targetTypes("HTTP_HOST")
.targets("test.example.com")
.build())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
capacity: 100
name: example
type: STATEFUL
ruleGroup:
rulesSource:
rulesSourceList:
generatedRulesType: DENYLIST
targetTypes:
- HTTP_HOST
targets:
- test.example.com
tags:
Tag1: Value1
Tag2: Value2
Stateful Inspection for permitting packets from a source IP address
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const ips = [
"1.1.1.1/32",
"1.0.0.1/32",
];
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 50,
description: "Permits http traffic from source",
name: "example",
type: "STATEFUL",
ruleGroup: {
rulesSource: {
statefulRules: ips.map((v, k) => ({key: k, value: v})).map(entry => ({
action: "PASS",
header: {
destination: "ANY",
destinationPort: "ANY",
protocol: "HTTP",
direction: "ANY",
sourcePort: "ANY",
source: entry.value,
},
ruleOptions: [{
keyword: "sid",
settings: ["1"],
}],
})),
},
},
tags: {
Name: "permit HTTP from source",
},
});
import pulumi
import pulumi_aws as aws
ips = [
"1.1.1.1/32",
"1.0.0.1/32",
]
example = aws.networkfirewall.RuleGroup("example",
capacity=50,
description="Permits http traffic from source",
name="example",
type="STATEFUL",
rule_group={
"rules_source": {
"stateful_rules": [{
"action": "PASS",
"header": {
"destination": "ANY",
"destination_port": "ANY",
"protocol": "HTTP",
"direction": "ANY",
"source_port": "ANY",
"source": entry["value"],
},
"rule_options": [{
"keyword": "sid",
"settings": ["1"],
}],
} for entry in [{"key": k, "value": v} for k, v in ips]],
},
},
tags={
"Name": "permit HTTP from source",
})
Example coming soon!
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var ips = new[]
{
"1.1.1.1/32",
"1.0.0.1/32",
};
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 50,
Description = "Permits http traffic from source",
Name = "example",
Type = "STATEFUL",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
StatefulRules = ips.Select((v, k) => new { Key = k, Value = v }).Select(entry =>
{
return new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleArgs
{
Action = "PASS",
Header = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
{
Destination = "ANY",
DestinationPort = "ANY",
Protocol = "HTTP",
Direction = "ANY",
SourcePort = "ANY",
Source = entry.Value,
},
RuleOptions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
{
Keyword = "sid",
Settings = new[]
{
"1",
},
},
},
};
}).ToList(),
},
},
Tags =
{
{ "Name", "permit HTTP from source" },
},
});
});
Example coming soon!
Example coming soon!
Stateful Inspection for blocking packets from going to an intended destination
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 100,
name: "example",
type: "STATEFUL",
ruleGroup: {
rulesSource: {
statefulRules: [{
action: "DROP",
header: {
destination: "124.1.1.24/32",
destinationPort: "53",
direction: "ANY",
protocol: "TCP",
source: "1.2.3.4/32",
sourcePort: "53",
},
ruleOptions: [{
keyword: "sid",
settings: ["1"],
}],
}],
},
},
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
example = aws.networkfirewall.RuleGroup("example",
capacity=100,
name="example",
type="STATEFUL",
rule_group={
"rules_source": {
"stateful_rules": [{
"action": "DROP",
"header": {
"destination": "124.1.1.24/32",
"destination_port": "53",
"direction": "ANY",
"protocol": "TCP",
"source": "1.2.3.4/32",
"source_port": "53",
},
"rule_options": [{
"keyword": "sid",
"settings": ["1"],
}],
}],
},
},
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATEFUL"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
StatefulRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArgs{
Action: pulumi.String("DROP"),
Header: &networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs{
Destination: pulumi.String("124.1.1.24/32"),
DestinationPort: pulumi.String("53"),
Direction: pulumi.String("ANY"),
Protocol: pulumi.String("TCP"),
Source: pulumi.String("1.2.3.4/32"),
SourcePort: pulumi.String("53"),
},
RuleOptions: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs{
Keyword: pulumi.String("sid"),
Settings: pulumi.StringArray{
pulumi.String("1"),
},
},
},
},
},
},
},
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 100,
Name = "example",
Type = "STATEFUL",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
StatefulRules = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleArgs
{
Action = "DROP",
Header = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
{
Destination = "124.1.1.24/32",
DestinationPort = "53",
Direction = "ANY",
Protocol = "TCP",
Source = "1.2.3.4/32",
SourcePort = "53",
},
RuleOptions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
{
Keyword = "sid",
Settings = new[]
{
"1",
},
},
},
},
},
},
},
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.name("example")
.type("STATEFUL")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.statefulRules(RuleGroupRuleGroupRulesSourceStatefulRuleArgs.builder()
.action("DROP")
.header(RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs.builder()
.destination("124.1.1.24/32")
.destinationPort("53")
.direction("ANY")
.protocol("TCP")
.source("1.2.3.4/32")
.sourcePort("53")
.build())
.ruleOptions(RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs.builder()
.keyword("sid")
.settings("1")
.build())
.build())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
capacity: 100
name: example
type: STATEFUL
ruleGroup:
rulesSource:
statefulRules:
- action: DROP
header:
destination: 124.1.1.24/32
destinationPort: 53
direction: ANY
protocol: TCP
source: 1.2.3.4/32
sourcePort: 53
ruleOptions:
- keyword: sid
settings:
- '1'
tags:
Tag1: Value1
Tag2: Value2
Stateful Inspection from rules specifications defined in Suricata flat format
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as std from "@pulumi/std";
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 100,
name: "example",
type: "STATEFUL",
rules: std.file({
input: "example.rules",
}).then(invoke => invoke.result),
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
import pulumi_std as std
example = aws.networkfirewall.RuleGroup("example",
capacity=100,
name="example",
type="STATEFUL",
rules=std.file(input="example.rules").result,
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "example.rules",
}, nil)
if err != nil {
return err
}
_, err = networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATEFUL"),
Rules: pulumi.String(invokeFile.Result),
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 100,
Name = "example",
Type = "STATEFUL",
Rules = Std.File.Invoke(new()
{
Input = "example.rules",
}).Apply(invoke => invoke.Result),
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.name("example")
.type("STATEFUL")
.rules(StdFunctions.file(FileArgs.builder()
.input("example.rules")
.build()).result())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
capacity: 100
name: example
type: STATEFUL
rules:
fn::invoke:
function: std:file
arguments:
input: example.rules
return: result
tags:
Tag1: Value1
Tag2: Value2
Stateful Inspection from rule group specifications using rule variables and Suricata format rules
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as std from "@pulumi/std";
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 100,
name: "example",
type: "STATEFUL",
ruleGroup: {
ruleVariables: {
ipSets: [
{
key: "WEBSERVERS_HOSTS",
ipSet: {
definitions: [
"10.0.0.0/16",
"10.0.1.0/24",
"192.168.0.0/16",
],
},
},
{
key: "EXTERNAL_HOST",
ipSet: {
definitions: ["1.2.3.4/32"],
},
},
],
portSets: [{
key: "HTTP_PORTS",
portSet: {
definitions: [
"443",
"80",
],
},
}],
},
rulesSource: {
rulesString: std.file({
input: "suricata_rules_file",
}).then(invoke => invoke.result),
},
},
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
import pulumi_std as std
example = aws.networkfirewall.RuleGroup("example",
capacity=100,
name="example",
type="STATEFUL",
rule_group={
"rule_variables": {
"ip_sets": [
{
"key": "WEBSERVERS_HOSTS",
"ip_set": {
"definitions": [
"10.0.0.0/16",
"10.0.1.0/24",
"192.168.0.0/16",
],
},
},
{
"key": "EXTERNAL_HOST",
"ip_set": {
"definitions": ["1.2.3.4/32"],
},
},
],
"port_sets": [{
"key": "HTTP_PORTS",
"port_set": {
"definitions": [
"443",
"80",
],
},
}],
},
"rules_source": {
"rules_string": std.file(input="suricata_rules_file").result,
},
},
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "suricata_rules_file",
}, nil)
if err != nil {
return err
}
_, err = networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATEFUL"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RuleVariables: &networkfirewall.RuleGroupRuleGroupRuleVariablesArgs{
IpSets: networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArray{
&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
Key: pulumi.String("WEBSERVERS_HOSTS"),
IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("10.0.0.0/16"),
pulumi.String("10.0.1.0/24"),
pulumi.String("192.168.0.0/16"),
},
},
},
&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
Key: pulumi.String("EXTERNAL_HOST"),
IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("1.2.3.4/32"),
},
},
},
},
PortSets: networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArray{
&networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArgs{
Key: pulumi.String("HTTP_PORTS"),
PortSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("443"),
pulumi.String("80"),
},
},
},
},
},
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
RulesString: pulumi.String(invokeFile.Result),
},
},
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 100,
Name = "example",
Type = "STATEFUL",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RuleVariables = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesArgs
{
IpSets = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
{
Key = "WEBSERVERS_HOSTS",
IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
{
Definitions = new[]
{
"10.0.0.0/16",
"10.0.1.0/24",
"192.168.0.0/16",
},
},
},
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
{
Key = "EXTERNAL_HOST",
IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
{
Definitions = new[]
{
"1.2.3.4/32",
},
},
},
},
PortSets = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetArgs
{
Key = "HTTP_PORTS",
PortSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
{
Definitions = new[]
{
"443",
"80",
},
},
},
},
},
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
RulesString = Std.File.Invoke(new()
{
Input = "suricata_rules_file",
}).Apply(invoke => invoke.Result),
},
},
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.name("example")
.type("STATEFUL")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.ruleVariables(RuleGroupRuleGroupRuleVariablesArgs.builder()
.ipSets(
RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
.key("WEBSERVERS_HOSTS")
.ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
.definitions(
"10.0.0.0/16",
"10.0.1.0/24",
"192.168.0.0/16")
.build())
.build(),
RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
.key("EXTERNAL_HOST")
.ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
.definitions("1.2.3.4/32")
.build())
.build())
.portSets(RuleGroupRuleGroupRuleVariablesPortSetArgs.builder()
.key("HTTP_PORTS")
.portSet(RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs.builder()
.definitions(
"443",
"80")
.build())
.build())
.build())
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.rulesString(StdFunctions.file(FileArgs.builder()
.input("suricata_rules_file")
.build()).result())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
capacity: 100
name: example
type: STATEFUL
ruleGroup:
ruleVariables:
ipSets:
- key: WEBSERVERS_HOSTS
ipSet:
definitions:
- 10.0.0.0/16
- 10.0.1.0/24
- 192.168.0.0/16
- key: EXTERNAL_HOST
ipSet:
definitions:
- 1.2.3.4/32
portSets:
- key: HTTP_PORTS
portSet:
definitions:
- '443'
- '80'
rulesSource:
rulesString:
fn::invoke:
function: std:file
arguments:
input: suricata_rules_file
return: result
tags:
Tag1: Value1
Tag2: Value2
Stateless Inspection with a Custom Action
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.networkfirewall.RuleGroup("example", {
description: "Stateless Rate Limiting Rule",
capacity: 100,
name: "example",
type: "STATELESS",
ruleGroup: {
rulesSource: {
statelessRulesAndCustomActions: {
customActions: [{
actionDefinition: {
publishMetricAction: {
dimensions: [{
value: "2",
}],
},
},
actionName: "ExampleMetricsAction",
}],
statelessRules: [{
priority: 1,
ruleDefinition: {
actions: [
"aws:pass",
"ExampleMetricsAction",
],
matchAttributes: {
sources: [{
addressDefinition: "1.2.3.4/32",
}],
sourcePorts: [{
fromPort: 443,
toPort: 443,
}],
destinations: [{
addressDefinition: "124.1.1.5/32",
}],
destinationPorts: [{
fromPort: 443,
toPort: 443,
}],
protocols: [6],
tcpFlags: [{
flags: ["SYN"],
masks: [
"SYN",
"ACK",
],
}],
},
},
}],
},
},
},
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
example = aws.networkfirewall.RuleGroup("example",
description="Stateless Rate Limiting Rule",
capacity=100,
name="example",
type="STATELESS",
rule_group={
"rules_source": {
"stateless_rules_and_custom_actions": {
"custom_actions": [{
"action_definition": {
"publish_metric_action": {
"dimensions": [{
"value": "2",
}],
},
},
"action_name": "ExampleMetricsAction",
}],
"stateless_rules": [{
"priority": 1,
"rule_definition": {
"actions": [
"aws:pass",
"ExampleMetricsAction",
],
"match_attributes": {
"sources": [{
"address_definition": "1.2.3.4/32",
}],
"source_ports": [{
"from_port": 443,
"to_port": 443,
}],
"destinations": [{
"address_definition": "124.1.1.5/32",
}],
"destination_ports": [{
"from_port": 443,
"to_port": 443,
}],
"protocols": [6],
"tcp_flags": [{
"flags": ["SYN"],
"masks": [
"SYN",
"ACK",
],
}],
},
},
}],
},
},
},
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Description: pulumi.String("Stateless Rate Limiting Rule"),
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATELESS"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
StatelessRulesAndCustomActions: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs{
CustomActions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs{
ActionDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs{
PublishMetricAction: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs{
Dimensions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs{
Value: pulumi.String("2"),
},
},
},
},
ActionName: pulumi.String("ExampleMetricsAction"),
},
},
StatelessRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs{
Priority: pulumi.Int(1),
RuleDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs{
Actions: pulumi.StringArray{
pulumi.String("aws:pass"),
pulumi.String("ExampleMetricsAction"),
},
MatchAttributes: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs{
Sources: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs{
AddressDefinition: pulumi.String("1.2.3.4/32"),
},
},
SourcePorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs{
FromPort: pulumi.Int(443),
ToPort: pulumi.Int(443),
},
},
Destinations: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs{
AddressDefinition: pulumi.String("124.1.1.5/32"),
},
},
DestinationPorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs{
FromPort: pulumi.Int(443),
ToPort: pulumi.Int(443),
},
},
Protocols: pulumi.IntArray{
pulumi.Int(6),
},
TcpFlags: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs{
Flags: pulumi.StringArray{
pulumi.String("SYN"),
},
Masks: pulumi.StringArray{
pulumi.String("SYN"),
pulumi.String("ACK"),
},
},
},
},
},
},
},
},
},
},
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Description = "Stateless Rate Limiting Rule",
Capacity = 100,
Name = "example",
Type = "STATELESS",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
StatelessRulesAndCustomActions = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs
{
CustomActions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs
{
ActionDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs
{
PublishMetricAction = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs
{
Dimensions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs
{
Value = "2",
},
},
},
},
ActionName = "ExampleMetricsAction",
},
},
StatelessRules = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs
{
Priority = 1,
RuleDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs
{
Actions = new[]
{
"aws:pass",
"ExampleMetricsAction",
},
MatchAttributes = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs
{
Sources = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs
{
AddressDefinition = "1.2.3.4/32",
},
},
SourcePorts = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs
{
FromPort = 443,
ToPort = 443,
},
},
Destinations = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs
{
AddressDefinition = "124.1.1.5/32",
},
},
DestinationPorts = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs
{
FromPort = 443,
ToPort = 443,
},
},
Protocols = new[]
{
6,
},
TcpFlags = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs
{
Flags = new[]
{
"SYN",
},
Masks = new[]
{
"SYN",
"ACK",
},
},
},
},
},
},
},
},
},
},
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.description("Stateless Rate Limiting Rule")
.capacity(100)
.name("example")
.type("STATELESS")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.statelessRulesAndCustomActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs.builder()
.customActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs.builder()
.actionDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs.builder()
.publishMetricAction(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs.builder()
.dimensions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs.builder()
.value("2")
.build())
.build())
.build())
.actionName("ExampleMetricsAction")
.build())
.statelessRules(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs.builder()
.priority(1)
.ruleDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs.builder()
.actions(
"aws:pass",
"ExampleMetricsAction")
.matchAttributes(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs.builder()
.sources(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs.builder()
.addressDefinition("1.2.3.4/32")
.build())
.sourcePorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs.builder()
.fromPort(443)
.toPort(443)
.build())
.destinations(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs.builder()
.addressDefinition("124.1.1.5/32")
.build())
.destinationPorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs.builder()
.fromPort(443)
.toPort(443)
.build())
.protocols(6)
.tcpFlags(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs.builder()
.flags("SYN")
.masks(
"SYN",
"ACK")
.build())
.build())
.build())
.build())
.build())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
description: Stateless Rate Limiting Rule
capacity: 100
name: example
type: STATELESS
ruleGroup:
rulesSource:
statelessRulesAndCustomActions:
customActions:
- actionDefinition:
publishMetricAction:
dimensions:
- value: '2'
actionName: ExampleMetricsAction
statelessRules:
- priority: 1
ruleDefinition:
actions:
- aws:pass
- ExampleMetricsAction
matchAttributes:
sources:
- addressDefinition: 1.2.3.4/32
sourcePorts:
- fromPort: 443
toPort: 443
destinations:
- addressDefinition: 124.1.1.5/32
destinationPorts:
- fromPort: 443
toPort: 443
protocols:
- 6
tcpFlags:
- flags:
- SYN
masks:
- SYN
- ACK
tags:
Tag1: Value1
Tag2: Value2
IP Set References to the Rule Group
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 100,
name: "example",
type: "STATEFUL",
ruleGroup: {
rulesSource: {
rulesSourceList: {
generatedRulesType: "DENYLIST",
targetTypes: ["HTTP_HOST"],
targets: ["test.example.com"],
},
},
referenceSets: {
ipSetReferences: [{
key: "example",
ipSetReferences: [{
referenceArn: _this.arn,
}],
}],
},
},
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
example = aws.networkfirewall.RuleGroup("example",
capacity=100,
name="example",
type="STATEFUL",
rule_group={
"rules_source": {
"rules_source_list": {
"generated_rules_type": "DENYLIST",
"target_types": ["HTTP_HOST"],
"targets": ["test.example.com"],
},
},
"reference_sets": {
"ip_set_references": [{
"key": "example",
"ip_set_references": [{
"reference_arn": this["arn"],
}],
}],
},
},
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATEFUL"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
GeneratedRulesType: pulumi.String("DENYLIST"),
TargetTypes: pulumi.StringArray{
pulumi.String("HTTP_HOST"),
},
Targets: pulumi.StringArray{
pulumi.String("test.example.com"),
},
},
},
ReferenceSets: &networkfirewall.RuleGroupRuleGroupReferenceSetsArgs{
IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArray{
&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs{
Key: pulumi.String("example"),
IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArray{
&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs{
ReferenceArn: pulumi.Any(this.Arn),
},
},
},
},
},
},
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 100,
Name = "example",
Type = "STATEFUL",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
{
GeneratedRulesType = "DENYLIST",
TargetTypes = new[]
{
"HTTP_HOST",
},
Targets = new[]
{
"test.example.com",
},
},
},
ReferenceSets = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsArgs
{
IpSetReferences = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs
{
Key = "example",
IpSetReferences = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs
{
ReferenceArn = @this.Arn,
},
},
},
},
},
},
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupReferenceSetsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.name("example")
.type("STATEFUL")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
.generatedRulesType("DENYLIST")
.targetTypes("HTTP_HOST")
.targets("test.example.com")
.build())
.build())
.referenceSets(RuleGroupRuleGroupReferenceSetsArgs.builder()
.ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs.builder()
.key("example")
.ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs.builder()
.referenceArn(this_.arn())
.build())
.build())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
capacity: 100
name: example
type: STATEFUL
ruleGroup:
rulesSource:
rulesSourceList:
generatedRulesType: DENYLIST
targetTypes:
- HTTP_HOST
targets:
- test.example.com
referenceSets:
ipSetReferences:
- key: example
ipSetReferences:
- referenceArn: ${this.arn}
tags:
Tag1: Value1
Tag2: Value2
Example with S3 as source for the suricata rules
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const suricataRules = aws.s3.getObject({
bucket: suricataRulesAwsS3Bucket.id,
key: "rules/custom.rules",
});
const s3RulesExample = new aws.networkfirewall.RuleGroup("s3_rules_example", {
capacity: 1000,
name: "my-terraform-s3-rules",
type: "STATEFUL",
ruleGroup: {
ruleVariables: {
ipSets: [{
key: "HOME_NET",
ipSet: {
definitions: [
"10.0.0.0/16",
"192.168.0.0/16",
"172.16.0.0/12",
],
},
}],
portSets: [{
key: "HTTP_PORTS",
portSet: {
definitions: [
"443",
"80",
],
},
}],
},
rulesSource: {
rulesString: suricataRules.then(suricataRules => suricataRules.body),
},
},
tags: {
ManagedBy: "terraform",
},
});
import pulumi
import pulumi_aws as aws
suricata_rules = aws.s3.get_object(bucket=suricata_rules_aws_s3_bucket["id"],
key="rules/custom.rules")
s3_rules_example = aws.networkfirewall.RuleGroup("s3_rules_example",
capacity=1000,
name="my-terraform-s3-rules",
type="STATEFUL",
rule_group={
"rule_variables": {
"ip_sets": [{
"key": "HOME_NET",
"ip_set": {
"definitions": [
"10.0.0.0/16",
"192.168.0.0/16",
"172.16.0.0/12",
],
},
}],
"port_sets": [{
"key": "HTTP_PORTS",
"port_set": {
"definitions": [
"443",
"80",
],
},
}],
},
"rules_source": {
"rules_string": suricata_rules.body,
},
},
tags={
"ManagedBy": "terraform",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/networkfirewall"
"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/s3"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
suricataRules, err := s3.GetObject(ctx, &s3.GetObjectArgs{
Bucket: suricataRulesAwsS3Bucket.Id,
Key: "rules/custom.rules",
}, nil)
if err != nil {
return err
}
_, err = networkfirewall.NewRuleGroup(ctx, "s3_rules_example", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(1000),
Name: pulumi.String("my-terraform-s3-rules"),
Type: pulumi.String("STATEFUL"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RuleVariables: &networkfirewall.RuleGroupRuleGroupRuleVariablesArgs{
IpSets: networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArray{
&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
Key: pulumi.String("HOME_NET"),
IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("10.0.0.0/16"),
pulumi.String("192.168.0.0/16"),
pulumi.String("172.16.0.0/12"),
},
},
},
},
PortSets: networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArray{
&networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArgs{
Key: pulumi.String("HTTP_PORTS"),
PortSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("443"),
pulumi.String("80"),
},
},
},
},
},
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
RulesString: pulumi.String(suricataRules.Body),
},
},
Tags: pulumi.StringMap{
"ManagedBy": pulumi.String("terraform"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var suricataRules = Aws.S3.GetObject.Invoke(new()
{
Bucket = suricataRulesAwsS3Bucket.Id,
Key = "rules/custom.rules",
});
var s3RulesExample = new Aws.NetworkFirewall.RuleGroup("s3_rules_example", new()
{
Capacity = 1000,
Name = "my-terraform-s3-rules",
Type = "STATEFUL",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RuleVariables = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesArgs
{
IpSets = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
{
Key = "HOME_NET",
IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
{
Definitions = new[]
{
"10.0.0.0/16",
"192.168.0.0/16",
"172.16.0.0/12",
},
},
},
},
PortSets = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetArgs
{
Key = "HTTP_PORTS",
PortSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
{
Definitions = new[]
{
"443",
"80",
},
},
},
},
},
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
RulesString = suricataRules.Apply(getObjectResult => getObjectResult.Body),
},
},
Tags =
{
{ "ManagedBy", "terraform" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.s3.S3Functions;
import com.pulumi.aws.s3.inputs.GetObjectArgs;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
final var suricataRules = S3Functions.getObject(GetObjectArgs.builder()
.bucket(suricataRulesAwsS3Bucket.id())
.key("rules/custom.rules")
.build());
var s3RulesExample = new RuleGroup("s3RulesExample", RuleGroupArgs.builder()
.capacity(1000)
.name("my-terraform-s3-rules")
.type("STATEFUL")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.ruleVariables(RuleGroupRuleGroupRuleVariablesArgs.builder()
.ipSets(RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
.key("HOME_NET")
.ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
.definitions(
"10.0.0.0/16",
"192.168.0.0/16",
"172.16.0.0/12")
.build())
.build())
.portSets(RuleGroupRuleGroupRuleVariablesPortSetArgs.builder()
.key("HTTP_PORTS")
.portSet(RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs.builder()
.definitions(
"443",
"80")
.build())
.build())
.build())
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.rulesString(suricataRules.body())
.build())
.build())
.tags(Map.of("ManagedBy", "terraform"))
.build());
}
}
resources:
s3RulesExample:
type: aws:networkfirewall:RuleGroup
name: s3_rules_example
properties:
capacity: 1000
name: my-terraform-s3-rules
type: STATEFUL
ruleGroup:
ruleVariables:
ipSets:
- key: HOME_NET
ipSet:
definitions:
- 10.0.0.0/16
- 192.168.0.0/16
- 172.16.0.0/12
portSets:
- key: HTTP_PORTS
portSet:
definitions:
- '443'
- '80'
rulesSource:
rulesString: ${suricataRules.body}
tags:
ManagedBy: terraform
variables:
suricataRules:
fn::invoke:
function: aws:s3:getObject
arguments:
bucket: ${suricataRulesAwsS3Bucket.id}
key: rules/custom.rules
Create RuleGroup Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new RuleGroup(name: string, args: RuleGroupArgs, opts?: CustomResourceOptions);@overload
def RuleGroup(resource_name: str,
args: RuleGroupArgs,
opts: Optional[ResourceOptions] = None)
@overload
def RuleGroup(resource_name: str,
opts: Optional[ResourceOptions] = None,
capacity: Optional[int] = None,
type: Optional[str] = None,
description: Optional[str] = None,
encryption_configuration: Optional[RuleGroupEncryptionConfigurationArgs] = None,
name: Optional[str] = None,
region: Optional[str] = None,
rule_group: Optional[RuleGroupRuleGroupArgs] = None,
rules: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None)func NewRuleGroup(ctx *Context, name string, args RuleGroupArgs, opts ...ResourceOption) (*RuleGroup, error)public RuleGroup(string name, RuleGroupArgs args, CustomResourceOptions? opts = null)
public RuleGroup(String name, RuleGroupArgs args)
public RuleGroup(String name, RuleGroupArgs args, CustomResourceOptions options)
type: aws:networkfirewall:RuleGroup
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args RuleGroupArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args RuleGroupArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args RuleGroupArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args RuleGroupArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args RuleGroupArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var ruleGroupResource = new Aws.NetworkFirewall.RuleGroup("ruleGroupResource", new()
{
Capacity = 0,
Type = "string",
Description = "string",
EncryptionConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupEncryptionConfigurationArgs
{
Type = "string",
KeyId = "string",
},
Name = "string",
Region = "string",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
{
GeneratedRulesType = "string",
TargetTypes = new[]
{
"string",
},
Targets = new[]
{
"string",
},
},
RulesString = "string",
StatefulRules = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleArgs
{
Action = "string",
Header = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
{
Destination = "string",
DestinationPort = "string",
Direction = "string",
Protocol = "string",
Source = "string",
SourcePort = "string",
},
RuleOptions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
{
Keyword = "string",
Settings = new[]
{
"string",
},
},
},
},
},
StatelessRulesAndCustomActions = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs
{
StatelessRules = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs
{
Priority = 0,
RuleDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs
{
Actions = new[]
{
"string",
},
MatchAttributes = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs
{
DestinationPorts = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs
{
FromPort = 0,
ToPort = 0,
},
},
Destinations = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs
{
AddressDefinition = "string",
},
},
Protocols = new[]
{
0,
},
SourcePorts = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs
{
FromPort = 0,
ToPort = 0,
},
},
Sources = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs
{
AddressDefinition = "string",
},
},
TcpFlags = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs
{
Flags = new[]
{
"string",
},
Masks = new[]
{
"string",
},
},
},
},
},
},
},
CustomActions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs
{
ActionDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs
{
PublishMetricAction = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs
{
Dimensions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs
{
Value = "string",
},
},
},
},
ActionName = "string",
},
},
},
},
ReferenceSets = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsArgs
{
IpSetReferences = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs
{
IpSetReferences = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs
{
ReferenceArn = "string",
},
},
Key = "string",
},
},
},
RuleVariables = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesArgs
{
IpSets = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
{
IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
{
Definitions = new[]
{
"string",
},
},
Key = "string",
},
},
PortSets = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetArgs
{
Key = "string",
PortSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
{
Definitions = new[]
{
"string",
},
},
},
},
},
StatefulRuleOptions = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupStatefulRuleOptionsArgs
{
RuleOrder = "string",
},
},
Rules = "string",
Tags =
{
{ "string", "string" },
},
});
example, err := networkfirewall.NewRuleGroup(ctx, "ruleGroupResource", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(0),
Type: pulumi.String("string"),
Description: pulumi.String("string"),
EncryptionConfiguration: &networkfirewall.RuleGroupEncryptionConfigurationArgs{
Type: pulumi.String("string"),
KeyId: pulumi.String("string"),
},
Name: pulumi.String("string"),
Region: pulumi.String("string"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
GeneratedRulesType: pulumi.String("string"),
TargetTypes: pulumi.StringArray{
pulumi.String("string"),
},
Targets: pulumi.StringArray{
pulumi.String("string"),
},
},
RulesString: pulumi.String("string"),
StatefulRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArgs{
Action: pulumi.String("string"),
Header: &networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs{
Destination: pulumi.String("string"),
DestinationPort: pulumi.String("string"),
Direction: pulumi.String("string"),
Protocol: pulumi.String("string"),
Source: pulumi.String("string"),
SourcePort: pulumi.String("string"),
},
RuleOptions: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs{
Keyword: pulumi.String("string"),
Settings: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
},
StatelessRulesAndCustomActions: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs{
StatelessRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs{
Priority: pulumi.Int(0),
RuleDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs{
Actions: pulumi.StringArray{
pulumi.String("string"),
},
MatchAttributes: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs{
DestinationPorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs{
FromPort: pulumi.Int(0),
ToPort: pulumi.Int(0),
},
},
Destinations: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs{
AddressDefinition: pulumi.String("string"),
},
},
Protocols: pulumi.IntArray{
pulumi.Int(0),
},
SourcePorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs{
FromPort: pulumi.Int(0),
ToPort: pulumi.Int(0),
},
},
Sources: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs{
AddressDefinition: pulumi.String("string"),
},
},
TcpFlags: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs{
Flags: pulumi.StringArray{
pulumi.String("string"),
},
Masks: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
},
},
},
CustomActions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs{
ActionDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs{
PublishMetricAction: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs{
Dimensions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs{
Value: pulumi.String("string"),
},
},
},
},
ActionName: pulumi.String("string"),
},
},
},
},
ReferenceSets: &networkfirewall.RuleGroupRuleGroupReferenceSetsArgs{
IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArray{
&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs{
IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArray{
&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs{
ReferenceArn: pulumi.String("string"),
},
},
Key: pulumi.String("string"),
},
},
},
RuleVariables: &networkfirewall.RuleGroupRuleGroupRuleVariablesArgs{
IpSets: networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArray{
&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("string"),
},
},
Key: pulumi.String("string"),
},
},
PortSets: networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArray{
&networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArgs{
Key: pulumi.String("string"),
PortSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
},
StatefulRuleOptions: &networkfirewall.RuleGroupRuleGroupStatefulRuleOptionsArgs{
RuleOrder: pulumi.String("string"),
},
},
Rules: pulumi.String("string"),
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
})
var ruleGroupResource = new com.pulumi.aws.networkfirewall.RuleGroup("ruleGroupResource", com.pulumi.aws.networkfirewall.RuleGroupArgs.builder()
.capacity(0)
.type("string")
.description("string")
.encryptionConfiguration(RuleGroupEncryptionConfigurationArgs.builder()
.type("string")
.keyId("string")
.build())
.name("string")
.region("string")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
.generatedRulesType("string")
.targetTypes("string")
.targets("string")
.build())
.rulesString("string")
.statefulRules(RuleGroupRuleGroupRulesSourceStatefulRuleArgs.builder()
.action("string")
.header(RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs.builder()
.destination("string")
.destinationPort("string")
.direction("string")
.protocol("string")
.source("string")
.sourcePort("string")
.build())
.ruleOptions(RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs.builder()
.keyword("string")
.settings("string")
.build())
.build())
.statelessRulesAndCustomActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs.builder()
.statelessRules(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs.builder()
.priority(0)
.ruleDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs.builder()
.actions("string")
.matchAttributes(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs.builder()
.destinationPorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs.builder()
.fromPort(0)
.toPort(0)
.build())
.destinations(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs.builder()
.addressDefinition("string")
.build())
.protocols(0)
.sourcePorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs.builder()
.fromPort(0)
.toPort(0)
.build())
.sources(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs.builder()
.addressDefinition("string")
.build())
.tcpFlags(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs.builder()
.flags("string")
.masks("string")
.build())
.build())
.build())
.build())
.customActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs.builder()
.actionDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs.builder()
.publishMetricAction(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs.builder()
.dimensions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs.builder()
.value("string")
.build())
.build())
.build())
.actionName("string")
.build())
.build())
.build())
.referenceSets(RuleGroupRuleGroupReferenceSetsArgs.builder()
.ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs.builder()
.ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs.builder()
.referenceArn("string")
.build())
.key("string")
.build())
.build())
.ruleVariables(RuleGroupRuleGroupRuleVariablesArgs.builder()
.ipSets(RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
.ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
.definitions("string")
.build())
.key("string")
.build())
.portSets(RuleGroupRuleGroupRuleVariablesPortSetArgs.builder()
.key("string")
.portSet(RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs.builder()
.definitions("string")
.build())
.build())
.build())
.statefulRuleOptions(RuleGroupRuleGroupStatefulRuleOptionsArgs.builder()
.ruleOrder("string")
.build())
.build())
.rules("string")
.tags(Map.of("string", "string"))
.build());
rule_group_resource = aws.networkfirewall.RuleGroup("ruleGroupResource",
capacity=0,
type="string",
description="string",
encryption_configuration={
"type": "string",
"key_id": "string",
},
name="string",
region="string",
rule_group={
"rules_source": {
"rules_source_list": {
"generated_rules_type": "string",
"target_types": ["string"],
"targets": ["string"],
},
"rules_string": "string",
"stateful_rules": [{
"action": "string",
"header": {
"destination": "string",
"destination_port": "string",
"direction": "string",
"protocol": "string",
"source": "string",
"source_port": "string",
},
"rule_options": [{
"keyword": "string",
"settings": ["string"],
}],
}],
"stateless_rules_and_custom_actions": {
"stateless_rules": [{
"priority": 0,
"rule_definition": {
"actions": ["string"],
"match_attributes": {
"destination_ports": [{
"from_port": 0,
"to_port": 0,
}],
"destinations": [{
"address_definition": "string",
}],
"protocols": [0],
"source_ports": [{
"from_port": 0,
"to_port": 0,
}],
"sources": [{
"address_definition": "string",
}],
"tcp_flags": [{
"flags": ["string"],
"masks": ["string"],
}],
},
},
}],
"custom_actions": [{
"action_definition": {
"publish_metric_action": {
"dimensions": [{
"value": "string",
}],
},
},
"action_name": "string",
}],
},
},
"reference_sets": {
"ip_set_references": [{
"ip_set_references": [{
"reference_arn": "string",
}],
"key": "string",
}],
},
"rule_variables": {
"ip_sets": [{
"ip_set": {
"definitions": ["string"],
},
"key": "string",
}],
"port_sets": [{
"key": "string",
"port_set": {
"definitions": ["string"],
},
}],
},
"stateful_rule_options": {
"rule_order": "string",
},
},
rules="string",
tags={
"string": "string",
})
const ruleGroupResource = new aws.networkfirewall.RuleGroup("ruleGroupResource", {
capacity: 0,
type: "string",
description: "string",
encryptionConfiguration: {
type: "string",
keyId: "string",
},
name: "string",
region: "string",
ruleGroup: {
rulesSource: {
rulesSourceList: {
generatedRulesType: "string",
targetTypes: ["string"],
targets: ["string"],
},
rulesString: "string",
statefulRules: [{
action: "string",
header: {
destination: "string",
destinationPort: "string",
direction: "string",
protocol: "string",
source: "string",
sourcePort: "string",
},
ruleOptions: [{
keyword: "string",
settings: ["string"],
}],
}],
statelessRulesAndCustomActions: {
statelessRules: [{
priority: 0,
ruleDefinition: {
actions: ["string"],
matchAttributes: {
destinationPorts: [{
fromPort: 0,
toPort: 0,
}],
destinations: [{
addressDefinition: "string",
}],
protocols: [0],
sourcePorts: [{
fromPort: 0,
toPort: 0,
}],
sources: [{
addressDefinition: "string",
}],
tcpFlags: [{
flags: ["string"],
masks: ["string"],
}],
},
},
}],
customActions: [{
actionDefinition: {
publishMetricAction: {
dimensions: [{
value: "string",
}],
},
},
actionName: "string",
}],
},
},
referenceSets: {
ipSetReferences: [{
ipSetReferences: [{
referenceArn: "string",
}],
key: "string",
}],
},
ruleVariables: {
ipSets: [{
ipSet: {
definitions: ["string"],
},
key: "string",
}],
portSets: [{
key: "string",
portSet: {
definitions: ["string"],
},
}],
},
statefulRuleOptions: {
ruleOrder: "string",
},
},
rules: "string",
tags: {
string: "string",
},
});
type: aws:networkfirewall:RuleGroup
properties:
capacity: 0
description: string
encryptionConfiguration:
keyId: string
type: string
name: string
region: string
ruleGroup:
referenceSets:
ipSetReferences:
- ipSetReferences:
- referenceArn: string
key: string
ruleVariables:
ipSets:
- ipSet:
definitions:
- string
key: string
portSets:
- key: string
portSet:
definitions:
- string
rulesSource:
rulesSourceList:
generatedRulesType: string
targetTypes:
- string
targets:
- string
rulesString: string
statefulRules:
- action: string
header:
destination: string
destinationPort: string
direction: string
protocol: string
source: string
sourcePort: string
ruleOptions:
- keyword: string
settings:
- string
statelessRulesAndCustomActions:
customActions:
- actionDefinition:
publishMetricAction:
dimensions:
- value: string
actionName: string
statelessRules:
- priority: 0
ruleDefinition:
actions:
- string
matchAttributes:
destinationPorts:
- fromPort: 0
toPort: 0
destinations:
- addressDefinition: string
protocols:
- 0
sourcePorts:
- fromPort: 0
toPort: 0
sources:
- addressDefinition: string
tcpFlags:
- flags:
- string
masks:
- string
statefulRuleOptions:
ruleOrder: string
rules: string
tags:
string: string
type: string
RuleGroup Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The RuleGroup resource accepts the following input properties:
- Capacity int
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- Type string
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - Description string
- A friendly description of the rule group.
- Encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- Name string
- A friendly name of the rule group.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Rule
Group RuleConfiguration Group Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - Rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Dictionary<string, string>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- Capacity int
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- Type string
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - Description string
- A friendly description of the rule group.
- Encryption
Configuration RuleGroup Encryption Configuration Args - KMS encryption configuration settings. See Encryption Configuration below for details.
- Name string
- A friendly name of the rule group.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Rule
Group RuleGroup Rule Group Args - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - Rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - map[string]string
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- capacity Integer
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- type String
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - description String
- A friendly description of the rule group.
- encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- name String
- A friendly name of the rule group.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- rule
Group RuleGroup Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules String
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Map<String,String>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- capacity number
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- type string
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - description string
- A friendly description of the rule group.
- encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- name string
- A friendly name of the rule group.
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- rule
Group RuleGroup Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - {[key: string]: string}
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- capacity int
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- type str
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - description str
- A friendly description of the rule group.
- encryption_
configuration RuleGroup Encryption Configuration Args - KMS encryption configuration settings. See Encryption Configuration below for details.
- name str
- A friendly name of the rule group.
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- rule_
group RuleGroup Rule Group Args - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules str
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Mapping[str, str]
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- capacity Number
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- type String
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - description String
- A friendly description of the rule group.
- encryption
Configuration Property Map - KMS encryption configuration settings. See Encryption Configuration below for details.
- name String
- A friendly name of the rule group.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- rule
Group Property Map - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules String
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Map<String>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
Outputs
All input properties are implicitly available as output properties. Additionally, the RuleGroup resource produces the following output properties:
- Arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- Id string
- The provider-assigned unique ID for this managed resource.
- Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Update
Token string - A string token used when updating the rule group.
- Arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- Id string
- The provider-assigned unique ID for this managed resource.
- map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Update
Token string - A string token used when updating the rule group.
- arn String
- The Amazon Resource Name (ARN) that identifies the rule group.
- id String
- The provider-assigned unique ID for this managed resource.
- Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - update
Token String - A string token used when updating the rule group.
- arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- id string
- The provider-assigned unique ID for this managed resource.
- {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - update
Token string - A string token used when updating the rule group.
- arn str
- The Amazon Resource Name (ARN) that identifies the rule group.
- id str
- The provider-assigned unique ID for this managed resource.
- Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - update_
token str - A string token used when updating the rule group.
- arn String
- The Amazon Resource Name (ARN) that identifies the rule group.
- id String
- The provider-assigned unique ID for this managed resource.
- Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - update
Token String - A string token used when updating the rule group.
Look up Existing RuleGroup Resource
Get an existing RuleGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RuleGroupState, opts?: CustomResourceOptions): RuleGroup@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
capacity: Optional[int] = None,
description: Optional[str] = None,
encryption_configuration: Optional[RuleGroupEncryptionConfigurationArgs] = None,
name: Optional[str] = None,
region: Optional[str] = None,
rule_group: Optional[RuleGroupRuleGroupArgs] = None,
rules: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None,
type: Optional[str] = None,
update_token: Optional[str] = None) -> RuleGroupfunc GetRuleGroup(ctx *Context, name string, id IDInput, state *RuleGroupState, opts ...ResourceOption) (*RuleGroup, error)public static RuleGroup Get(string name, Input<string> id, RuleGroupState? state, CustomResourceOptions? opts = null)public static RuleGroup get(String name, Output<String> id, RuleGroupState state, CustomResourceOptions options)resources: _: type: aws:networkfirewall:RuleGroup get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- Capacity int
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- Description string
- A friendly description of the rule group.
- Encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- Name string
- A friendly name of the rule group.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Rule
Group RuleConfiguration Group Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - Rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Dictionary<string, string>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Type string
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - Update
Token string - A string token used when updating the rule group.
- Arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- Capacity int
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- Description string
- A friendly description of the rule group.
- Encryption
Configuration RuleGroup Encryption Configuration Args - KMS encryption configuration settings. See Encryption Configuration below for details.
- Name string
- A friendly name of the rule group.
- Region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- Rule
Group RuleGroup Rule Group Args - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - Rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - map[string]string
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Type string
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - Update
Token string - A string token used when updating the rule group.
- arn String
- The Amazon Resource Name (ARN) that identifies the rule group.
- capacity Integer
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- description String
- A friendly description of the rule group.
- encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- name String
- A friendly name of the rule group.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- rule
Group RuleGroup Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules String
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Map<String,String>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type String
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - update
Token String - A string token used when updating the rule group.
- arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- capacity number
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- description string
- A friendly description of the rule group.
- encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- name string
- A friendly name of the rule group.
- region string
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- rule
Group RuleGroup Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - {[key: string]: string}
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type string
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - update
Token string - A string token used when updating the rule group.
- arn str
- The Amazon Resource Name (ARN) that identifies the rule group.
- capacity int
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- description str
- A friendly description of the rule group.
- encryption_
configuration RuleGroup Encryption Configuration Args - KMS encryption configuration settings. See Encryption Configuration below for details.
- name str
- A friendly name of the rule group.
- region str
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- rule_
group RuleGroup Rule Group Args - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules str
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Mapping[str, str]
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type str
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - update_
token str - A string token used when updating the rule group.
- arn String
- The Amazon Resource Name (ARN) that identifies the rule group.
- capacity Number
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- description String
- A friendly description of the rule group.
- encryption
Configuration Property Map - KMS encryption configuration settings. See Encryption Configuration below for details.
- name String
- A friendly name of the rule group.
- region String
- Region where this resource will be managed. Defaults to the Region set in the provider configuration.
- rule
Group Property Map - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules String
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Map<String>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type String
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - update
Token String - A string token used when updating the rule group.
Supporting Types
RuleGroupEncryptionConfiguration, RuleGroupEncryptionConfigurationArgs
- Type string
- The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - Key
Id string - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- Type string
- The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - Key
Id string - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- type String
- The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - key
Id String - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- type string
- The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - key
Id string - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- type str
- The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - key_
id str - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- type String
- The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - key
Id String - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
RuleGroupRuleGroup, RuleGroupRuleGroupArgs
- Rules
Source RuleGroup Rule Group Rules Source - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- Reference
Sets RuleGroup Rule Group Reference Sets - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - Rule
Variables RuleGroup Rule Group Rule Variables - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- Stateful
Rule RuleOptions Group Rule Group Stateful Rule Options - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
- Rules
Source RuleGroup Rule Group Rules Source - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- Reference
Sets RuleGroup Rule Group Reference Sets - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - Rule
Variables RuleGroup Rule Group Rule Variables - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- Stateful
Rule RuleOptions Group Rule Group Stateful Rule Options - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
- rules
Source RuleGroup Rule Group Rules Source - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- reference
Sets RuleGroup Rule Group Reference Sets - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - rule
Variables RuleGroup Rule Group Rule Variables - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- stateful
Rule RuleOptions Group Rule Group Stateful Rule Options - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
- rules
Source RuleGroup Rule Group Rules Source - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- reference
Sets RuleGroup Rule Group Reference Sets - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - rule
Variables RuleGroup Rule Group Rule Variables - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- stateful
Rule RuleOptions Group Rule Group Stateful Rule Options - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
- rules_
source RuleGroup Rule Group Rules Source - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- reference_
sets RuleGroup Rule Group Reference Sets - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - rule_
variables RuleGroup Rule Group Rule Variables - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- stateful_
rule_ Ruleoptions Group Rule Group Stateful Rule Options - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
- rules
Source Property Map - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- reference
Sets Property Map - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - rule
Variables Property Map - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- stateful
Rule Property MapOptions - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
RuleGroupRuleGroupReferenceSets, RuleGroupRuleGroupReferenceSetsArgs
RuleGroupRuleGroupReferenceSetsIpSetReference, RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs
- Ip
Set List<RuleReferences Group Rule Group Reference Sets Ip Set Reference Ip Set Reference> - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- Key string
- Ip
Set []RuleReferences Group Rule Group Reference Sets Ip Set Reference Ip Set Reference - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- Key string
- ip
Set List<RuleReferences Group Rule Group Reference Sets Ip Set Reference Ip Set Reference> - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- key String
- ip
Set RuleReferences Group Rule Group Reference Sets Ip Set Reference Ip Set Reference[] - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- key string
- ip_
set_ Sequence[Rulereferences Group Rule Group Reference Sets Ip Set Reference Ip Set Reference] - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- key str
- ip
Set List<Property Map>References - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- key String
RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference, RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs
- Reference
Arn string - Set of Managed Prefix IP ARN(s)
- Reference
Arn string - Set of Managed Prefix IP ARN(s)
- reference
Arn String - Set of Managed Prefix IP ARN(s)
- reference
Arn string - Set of Managed Prefix IP ARN(s)
- reference_
arn str - Set of Managed Prefix IP ARN(s)
- reference
Arn String - Set of Managed Prefix IP ARN(s)
RuleGroupRuleGroupRuleVariables, RuleGroupRuleGroupRuleVariablesArgs
- Ip
Sets List<RuleGroup Rule Group Rule Variables Ip Set> - Set of configuration blocks that define IP address information. See IP Sets below for details.
- Port
Sets List<RuleGroup Rule Group Rule Variables Port Set> - Set of configuration blocks that define port range information. See Port Sets below for details.
- Ip
Sets []RuleGroup Rule Group Rule Variables Ip Set - Set of configuration blocks that define IP address information. See IP Sets below for details.
- Port
Sets []RuleGroup Rule Group Rule Variables Port Set - Set of configuration blocks that define port range information. See Port Sets below for details.
- ip
Sets List<RuleGroup Rule Group Rule Variables Ip Set> - Set of configuration blocks that define IP address information. See IP Sets below for details.
- port
Sets List<RuleGroup Rule Group Rule Variables Port Set> - Set of configuration blocks that define port range information. See Port Sets below for details.
- ip
Sets RuleGroup Rule Group Rule Variables Ip Set[] - Set of configuration blocks that define IP address information. See IP Sets below for details.
- port
Sets RuleGroup Rule Group Rule Variables Port Set[] - Set of configuration blocks that define port range information. See Port Sets below for details.
- ip_
sets Sequence[RuleGroup Rule Group Rule Variables Ip Set] - Set of configuration blocks that define IP address information. See IP Sets below for details.
- port_
sets Sequence[RuleGroup Rule Group Rule Variables Port Set] - Set of configuration blocks that define port range information. See Port Sets below for details.
- ip
Sets List<Property Map> - Set of configuration blocks that define IP address information. See IP Sets below for details.
- port
Sets List<Property Map> - Set of configuration blocks that define port range information. See Port Sets below for details.
RuleGroupRuleGroupRuleVariablesIpSet, RuleGroupRuleGroupRuleVariablesIpSetArgs
- Ip
Set RuleGroup Rule Group Rule Variables Ip Set Ip Set - A configuration block that defines a set of IP addresses. See IP Set below for details.
- Key string
- A unique alphanumeric string to identify the
ip_set.
- Ip
Set RuleGroup Rule Group Rule Variables Ip Set Ip Set - A configuration block that defines a set of IP addresses. See IP Set below for details.
- Key string
- A unique alphanumeric string to identify the
ip_set.
- ip
Set RuleGroup Rule Group Rule Variables Ip Set Ip Set - A configuration block that defines a set of IP addresses. See IP Set below for details.
- key String
- A unique alphanumeric string to identify the
ip_set.
- ip
Set RuleGroup Rule Group Rule Variables Ip Set Ip Set - A configuration block that defines a set of IP addresses. See IP Set below for details.
- key string
- A unique alphanumeric string to identify the
ip_set.
- ip_
set RuleGroup Rule Group Rule Variables Ip Set Ip Set - A configuration block that defines a set of IP addresses. See IP Set below for details.
- key str
- A unique alphanumeric string to identify the
ip_set.
- ip
Set Property Map - A configuration block that defines a set of IP addresses. See IP Set below for details.
- key String
- A unique alphanumeric string to identify the
ip_set.
RuleGroupRuleGroupRuleVariablesIpSetIpSet, RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
- Definitions List<string>
- Set of IP addresses and address ranges, in CIDR notation.
- Definitions []string
- Set of IP addresses and address ranges, in CIDR notation.
- definitions List<String>
- Set of IP addresses and address ranges, in CIDR notation.
- definitions string[]
- Set of IP addresses and address ranges, in CIDR notation.
- definitions Sequence[str]
- Set of IP addresses and address ranges, in CIDR notation.
- definitions List<String>
- Set of IP addresses and address ranges, in CIDR notation.
RuleGroupRuleGroupRuleVariablesPortSet, RuleGroupRuleGroupRuleVariablesPortSetArgs
- Key string
- An unique alphanumeric string to identify the
port_set. - Port
Set RuleGroup Rule Group Rule Variables Port Set Port Set - A configuration block that defines a set of port ranges. See Port Set below for details.
- Key string
- An unique alphanumeric string to identify the
port_set. - Port
Set RuleGroup Rule Group Rule Variables Port Set Port Set - A configuration block that defines a set of port ranges. See Port Set below for details.
- key String
- An unique alphanumeric string to identify the
port_set. - port
Set RuleGroup Rule Group Rule Variables Port Set Port Set - A configuration block that defines a set of port ranges. See Port Set below for details.
- key string
- An unique alphanumeric string to identify the
port_set. - port
Set RuleGroup Rule Group Rule Variables Port Set Port Set - A configuration block that defines a set of port ranges. See Port Set below for details.
- key str
- An unique alphanumeric string to identify the
port_set. - port_
set RuleGroup Rule Group Rule Variables Port Set Port Set - A configuration block that defines a set of port ranges. See Port Set below for details.
- key String
- An unique alphanumeric string to identify the
port_set. - port
Set Property Map - A configuration block that defines a set of port ranges. See Port Set below for details.
RuleGroupRuleGroupRuleVariablesPortSetPortSet, RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
- Definitions List<string>
- Set of port ranges.
- Definitions []string
- Set of port ranges.
- definitions List<String>
- Set of port ranges.
- definitions string[]
- Set of port ranges.
- definitions Sequence[str]
- Set of port ranges.
- definitions List<String>
- Set of port ranges.
RuleGroupRuleGroupRulesSource, RuleGroupRuleGroupRulesSourceArgs
- Rules
Source RuleList Group Rule Group Rules Source Rules Source List - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- Rules
String string - Stateful inspection criteria, provided in Suricata compatible rules. These rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn’t have a separate action setting.
- Stateful
Rules List<RuleGroup Rule Group Rules Source Stateful Rule> - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- Stateless
Rules RuleAnd Custom Actions Group Rule Group Rules Source Stateless Rules And Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
- Rules
Source RuleList Group Rule Group Rules Source Rules Source List - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- Rules
String string - Stateful inspection criteria, provided in Suricata compatible rules. These rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn’t have a separate action setting.
- Stateful
Rules []RuleGroup Rule Group Rules Source Stateful Rule - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- Stateless
Rules RuleAnd Custom Actions Group Rule Group Rules Source Stateless Rules And Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
- rules
Source RuleList Group Rule Group Rules Source Rules Source List - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- rules
String String - Stateful inspection criteria, provided in Suricata compatible rules. These rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn’t have a separate action setting.
- stateful
Rules List<RuleGroup Rule Group Rules Source Stateful Rule> - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- stateless
Rules RuleAnd Custom Actions Group Rule Group Rules Source Stateless Rules And Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
- rules
Source RuleList Group Rule Group Rules Source Rules Source List - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- rules
String string - Stateful inspection criteria, provided in Suricata compatible rules. These rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn’t have a separate action setting.
- stateful
Rules RuleGroup Rule Group Rules Source Stateful Rule[] - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- stateless
Rules RuleAnd Custom Actions Group Rule Group Rules Source Stateless Rules And Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
- rules_
source_ Rulelist Group Rule Group Rules Source Rules Source List - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- rules_
string str - Stateful inspection criteria, provided in Suricata compatible rules. These rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn’t have a separate action setting.
- stateful_
rules Sequence[RuleGroup Rule Group Rules Source Stateful Rule] - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- stateless_
rules_ Ruleand_ custom_ actions Group Rule Group Rules Source Stateless Rules And Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
- rules
Source Property MapList - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- rules
String String - Stateful inspection criteria, provided in Suricata compatible rules. These rules contain the inspection criteria and the action to take for traffic that matches the criteria, so this type of rule group doesn’t have a separate action setting.
- stateful
Rules List<Property Map> - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- stateless
Rules Property MapAnd Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
RuleGroupRuleGroupRulesSourceRulesSourceList, RuleGroupRuleGroupRulesSourceRulesSourceListArgs
- Generated
Rules stringType - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - Target
Types List<string> - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - Targets List<string>
- Set of domains that you want to inspect for in your traffic flows.
- Generated
Rules stringType - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - Target
Types []string - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - Targets []string
- Set of domains that you want to inspect for in your traffic flows.
- generated
Rules StringType - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - target
Types List<String> - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - targets List<String>
- Set of domains that you want to inspect for in your traffic flows.
- generated
Rules stringType - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - target
Types string[] - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - targets string[]
- Set of domains that you want to inspect for in your traffic flows.
- generated_
rules_ strtype - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - target_
types Sequence[str] - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - targets Sequence[str]
- Set of domains that you want to inspect for in your traffic flows.
- generated
Rules StringType - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - target
Types List<String> - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - targets List<String>
- Set of domains that you want to inspect for in your traffic flows.
RuleGroupRuleGroupRulesSourceStatefulRule, RuleGroupRuleGroupRulesSourceStatefulRuleArgs
- Action string
- Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - Header
Rule
Group Rule Group Rules Source Stateful Rule Header - A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- Rule
Options List<RuleGroup Rule Group Rules Source Stateful Rule Rule Option> - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
- Action string
- Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - Header
Rule
Group Rule Group Rules Source Stateful Rule Header - A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- Rule
Options []RuleGroup Rule Group Rules Source Stateful Rule Rule Option - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
- action String
- Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - header
Rule
Group Rule Group Rules Source Stateful Rule Header - A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- rule
Options List<RuleGroup Rule Group Rules Source Stateful Rule Rule Option> - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
- action string
- Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - header
Rule
Group Rule Group Rules Source Stateful Rule Header - A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- rule
Options RuleGroup Rule Group Rules Source Stateful Rule Rule Option[] - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
- action str
- Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - header
Rule
Group Rule Group Rules Source Stateful Rule Header - A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- rule_
options Sequence[RuleGroup Rule Group Rules Source Stateful Rule Rule Option] - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
- action String
- Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - header Property Map
- A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- rule
Options List<Property Map> - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
RuleGroupRuleGroupRulesSourceStatefulRuleHeader, RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
- Destination string
- The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - Destination
Port string - The destination port to inspect for. To match with any address, specify
ANY. - Direction string
- The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - Protocol string
- The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - Source string
- The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - Source
Port string - The source port to inspect for. To match with any address, specify
ANY.
- Destination string
- The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - Destination
Port string - The destination port to inspect for. To match with any address, specify
ANY. - Direction string
- The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - Protocol string
- The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - Source string
- The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - Source
Port string - The source port to inspect for. To match with any address, specify
ANY.
- destination String
- The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - destination
Port String - The destination port to inspect for. To match with any address, specify
ANY. - direction String
- The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - protocol String
- The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - source String
- The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - source
Port String - The source port to inspect for. To match with any address, specify
ANY.
- destination string
- The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - destination
Port string - The destination port to inspect for. To match with any address, specify
ANY. - direction string
- The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - protocol string
- The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - source string
- The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - source
Port string - The source port to inspect for. To match with any address, specify
ANY.
- destination str
- The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - destination_
port str - The destination port to inspect for. To match with any address, specify
ANY. - direction str
- The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - protocol str
- The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - source str
- The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - source_
port str - The source port to inspect for. To match with any address, specify
ANY.
- destination String
- The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - destination
Port String - The destination port to inspect for. To match with any address, specify
ANY. - direction String
- The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - protocol String
- The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - source String
- The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - source
Port String - The source port to inspect for. To match with any address, specify
ANY.
RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption, RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
- Keyword string
- Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- Settings List<string>
- Set of strings for additional settings to use in stateful rule inspection.
- Keyword string
- Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- Settings []string
- Set of strings for additional settings to use in stateful rule inspection.
- keyword String
- Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- settings List<String>
- Set of strings for additional settings to use in stateful rule inspection.
- keyword string
- Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- settings string[]
- Set of strings for additional settings to use in stateful rule inspection.
- keyword str
- Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- settings Sequence[str]
- Set of strings for additional settings to use in stateful rule inspection.
- keyword String
- Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- settings List<String>
- Set of strings for additional settings to use in stateful rule inspection.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs
- Stateless
Rules List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule> - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- Custom
Actions List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action> - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
- Stateless
Rules []RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- Custom
Actions []RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
- stateless
Rules List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule> - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- custom
Actions List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action> - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
- stateless
Rules RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule[] - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- custom
Actions RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action[] - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
- stateless_
rules Sequence[RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule] - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- custom_
actions Sequence[RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action] - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
- stateless
Rules List<Property Map> - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- custom
Actions List<Property Map> - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs
- Action
Definition RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - Action
Name string - A friendly name of the custom action.
- Action
Definition RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - Action
Name string - A friendly name of the custom action.
- action
Definition RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - action
Name String - A friendly name of the custom action.
- action
Definition RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - action
Name string - A friendly name of the custom action.
- action_
definition RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - action_
name str - A friendly name of the custom action.
- action
Definition Property Map - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - action
Name String - A friendly name of the custom action.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs
- Publish
Metric RuleAction Group Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
- Publish
Metric RuleAction Group Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
- publish
Metric RuleAction Group Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
- publish
Metric RuleAction Group Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
- publish_
metric_ Ruleaction Group Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
- publish
Metric Property MapAction - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs
- Dimensions
List<Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action Dimension> - Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
- Dimensions
[]Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action Dimension - Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
- dimensions
List<Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action Dimension> - Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
- dimensions
Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action Dimension[] - Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
- dimensions
Sequence[Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action Dimension] - Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
- dimensions List<Property Map>
- Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs
- Value string
- The value to use in the custom metric dimension.
- Value string
- The value to use in the custom metric dimension.
- value String
- The value to use in the custom metric dimension.
- value string
- The value to use in the custom metric dimension.
- value str
- The value to use in the custom metric dimension.
- value String
- The value to use in the custom metric dimension.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs
- Priority int
- A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- Rule
Definition RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
- Priority int
- A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- Rule
Definition RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
- priority Integer
- A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- rule
Definition RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
- priority number
- A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- rule
Definition RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
- priority int
- A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- rule_
definition RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
- priority Number
- A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- rule
Definition Property Map - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs
- Actions List<string>
- Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - Match
Attributes RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
- Actions []string
- Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - Match
Attributes RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
- actions List<String>
- Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - match
Attributes RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
- actions string[]
- Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - match
Attributes RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
- actions Sequence[str]
- Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - match_
attributes RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
- actions List<String>
- Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - match
Attributes Property Map - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs
- Destination
Ports List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination Port> - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- Destinations
List<Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination> - Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- Protocols List<int>
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- Source
Ports List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source Port> - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- Sources
List<Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source> - Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- Tcp
Flags List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Tcp Flag> - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
- Destination
Ports []RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination Port - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- Destinations
[]Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination - Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- Protocols []int
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- Source
Ports []RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source Port - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- Sources
[]Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source - Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- Tcp
Flags []RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Tcp Flag - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
- destination
Ports List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination Port> - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- destinations
List<Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination> - Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- protocols List<Integer>
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- source
Ports List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source Port> - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- sources
List<Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source> - Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- tcp
Flags List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Tcp Flag> - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
- destination
Ports RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination Port[] - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- destinations
Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination[] - Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- protocols number[]
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- source
Ports RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source Port[] - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- sources
Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source[] - Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- tcp
Flags RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Tcp Flag[] - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
- destination_
ports Sequence[RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination Port] - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- destinations
Sequence[Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination] - Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- protocols Sequence[int]
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- source_
ports Sequence[RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source Port] - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- sources
Sequence[Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source] - Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- tcp_
flags Sequence[RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Tcp Flag] - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
- destination
Ports List<Property Map> - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- destinations List<Property Map>
- Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- protocols List<Number>
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- source
Ports List<Property Map> - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- sources List<Property Map>
- Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- tcp
Flags List<Property Map> - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs
- Address
Definition string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
- Address
Definition string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
- address
Definition String - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
- address
Definition string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
- address_
definition str - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
- address
Definition String - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs
- Address
Definition string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
- Address
Definition string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
- address
Definition String - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
- address
Definition string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
- address_
definition str - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
- address
Definition String - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4 and IPv6.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs
- Flags List<string>
- Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - Masks List<string>
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
- Flags []string
- Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - Masks []string
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
- flags List<String>
- Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - masks List<String>
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
- flags string[]
- Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - masks string[]
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
- flags Sequence[str]
- Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - masks Sequence[str]
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
- flags List<String>
- Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - masks List<String>
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
RuleGroupRuleGroupStatefulRuleOptions, RuleGroupRuleGroupStatefulRuleOptionsArgs
- Rule
Order string - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
- Rule
Order string - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
- rule
Order String - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
- rule
Order string - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
- rule_
order str - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
- rule
Order String - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
Import
Using pulumi import, import Network Firewall Rule Groups using their arn. For example:
$ pulumi import aws:networkfirewall/ruleGroup:RuleGroup example arn:aws:network-firewall:us-west-1:123456789012:stateful-rulegroup/example
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.
