1. Packages
  2. AWS
  3. API Docs
  4. networkfirewall
  5. RuleGroup
AWS v6.64.0 published on Friday, Dec 6, 2024 by Pulumi

aws.networkfirewall.RuleGroup

Explore with Pulumi AI

aws logo
AWS v6.64.0 published on Friday, Dec 6, 2024 by Pulumi

    Provides an AWS Network Firewall Rule Group Resource

    Example Usage

    Stateful Inspection for denying access to a domain

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.networkfirewall.RuleGroup("example", {
        capacity: 100,
        name: "example",
        type: "STATEFUL",
        ruleGroup: {
            rulesSource: {
                rulesSourceList: {
                    generatedRulesType: "DENYLIST",
                    targetTypes: ["HTTP_HOST"],
                    targets: ["test.example.com"],
                },
            },
        },
        tags: {
            Tag1: "Value1",
            Tag2: "Value2",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.networkfirewall.RuleGroup("example",
        capacity=100,
        name="example",
        type="STATEFUL",
        rule_group={
            "rules_source": {
                "rules_source_list": {
                    "generated_rules_type": "DENYLIST",
                    "target_types": ["HTTP_HOST"],
                    "targets": ["test.example.com"],
                },
            },
        },
        tags={
            "Tag1": "Value1",
            "Tag2": "Value2",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
    			Capacity: pulumi.Int(100),
    			Name:     pulumi.String("example"),
    			Type:     pulumi.String("STATEFUL"),
    			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
    				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
    					RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
    						GeneratedRulesType: pulumi.String("DENYLIST"),
    						TargetTypes: pulumi.StringArray{
    							pulumi.String("HTTP_HOST"),
    						},
    						Targets: pulumi.StringArray{
    							pulumi.String("test.example.com"),
    						},
    					},
    				},
    			},
    			Tags: pulumi.StringMap{
    				"Tag1": pulumi.String("Value1"),
    				"Tag2": pulumi.String("Value2"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new()
        {
            Capacity = 100,
            Name = "example",
            Type = "STATEFUL",
            RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
                    {
                        GeneratedRulesType = "DENYLIST",
                        TargetTypes = new[]
                        {
                            "HTTP_HOST",
                        },
                        Targets = new[]
                        {
                            "test.example.com",
                        },
                    },
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()
                .capacity(100)
                .name("example")
                .type("STATEFUL")
                .ruleGroup(RuleGroupRuleGroupArgs.builder()
                    .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                        .rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
                            .generatedRulesType("DENYLIST")
                            .targetTypes("HTTP_HOST")
                            .targets("test.example.com")
                            .build())
                        .build())
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 100
          name: example
          type: STATEFUL
          ruleGroup:
            rulesSource:
              rulesSourceList:
                generatedRulesType: DENYLIST
                targetTypes:
                  - HTTP_HOST
                targets:
                  - test.example.com
          tags:
            Tag1: Value1
            Tag2: Value2
    

    Stateful Inspection for permitting packets from a source IP address

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const ips = [
        "1.1.1.1/32",
        "1.0.0.1/32",
    ];
    const example = new aws.networkfirewall.RuleGroup("example", {
        capacity: 50,
        description: "Permits http traffic from source",
        name: "example",
        type: "STATEFUL",
        ruleGroup: {
            rulesSource: {
                statefulRules: ips.map((v, k) => ({key: k, value: v})).map(entry => ({
                    action: "PASS",
                    header: {
                        destination: "ANY",
                        destinationPort: "ANY",
                        protocol: "HTTP",
                        direction: "ANY",
                        sourcePort: "ANY",
                        source: entry.value,
                    },
                    ruleOptions: [{
                        keyword: "sid",
                        settings: ["1"],
                    }],
                })),
            },
        },
        tags: {
            Name: "permit HTTP from source",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    ips = [
        "1.1.1.1/32",
        "1.0.0.1/32",
    ]
    example = aws.networkfirewall.RuleGroup("example",
        capacity=50,
        description="Permits http traffic from source",
        name="example",
        type="STATEFUL",
        rule_group={
            "rules_source": {
                "stateful_rules": [{
                    "action": "PASS",
                    "header": {
                        "destination": "ANY",
                        "destination_port": "ANY",
                        "protocol": "HTTP",
                        "direction": "ANY",
                        "source_port": "ANY",
                        "source": entry["value"],
                    },
                    "rule_options": [{
                        "keyword": "sid",
                        "settings": ["1"],
                    }],
                } for entry in [{"key": k, "value": v} for k, v in ips]],
            },
        },
        tags={
            "Name": "permit HTTP from source",
        })
    
    Coming soon!
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var ips = new[]
        {
            "1.1.1.1/32",
            "1.0.0.1/32",
        };
    
        var example = new Aws.NetworkFirewall.RuleGroup("example", new()
        {
            Capacity = 50,
            Description = "Permits http traffic from source",
            Name = "example",
            Type = "STATEFUL",
            RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    StatefulRules = ips.Select((v, k) => new { Key = k, Value = v }).Select(entry => 
                    {
                        return new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleArgs
                        {
                            Action = "PASS",
                            Header = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
                            {
                                Destination = "ANY",
                                DestinationPort = "ANY",
                                Protocol = "HTTP",
                                Direction = "ANY",
                                SourcePort = "ANY",
                                Source = entry.Value,
                            },
                            RuleOptions = new[]
                            {
                                new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
                                {
                                    Keyword = "sid",
                                    Settings = new[]
                                    {
                                        "1",
                                    },
                                },
                            },
                        };
                    }).ToList(),
                },
            },
            Tags = 
            {
                { "Name", "permit HTTP from source" },
            },
        });
    
    });
    
    Coming soon!
    
    Coming soon!
    

    Stateful Inspection for blocking packets from going to an intended destination

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.networkfirewall.RuleGroup("example", {
        capacity: 100,
        name: "example",
        type: "STATEFUL",
        ruleGroup: {
            rulesSource: {
                statefulRules: [{
                    action: "DROP",
                    header: {
                        destination: "124.1.1.24/32",
                        destinationPort: "53",
                        direction: "ANY",
                        protocol: "TCP",
                        source: "1.2.3.4/32",
                        sourcePort: "53",
                    },
                    ruleOptions: [{
                        keyword: "sid",
                        settings: ["1"],
                    }],
                }],
            },
        },
        tags: {
            Tag1: "Value1",
            Tag2: "Value2",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.networkfirewall.RuleGroup("example",
        capacity=100,
        name="example",
        type="STATEFUL",
        rule_group={
            "rules_source": {
                "stateful_rules": [{
                    "action": "DROP",
                    "header": {
                        "destination": "124.1.1.24/32",
                        "destination_port": "53",
                        "direction": "ANY",
                        "protocol": "TCP",
                        "source": "1.2.3.4/32",
                        "source_port": "53",
                    },
                    "rule_options": [{
                        "keyword": "sid",
                        "settings": ["1"],
                    }],
                }],
            },
        },
        tags={
            "Tag1": "Value1",
            "Tag2": "Value2",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
    			Capacity: pulumi.Int(100),
    			Name:     pulumi.String("example"),
    			Type:     pulumi.String("STATEFUL"),
    			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
    				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
    					StatefulRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArray{
    						&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArgs{
    							Action: pulumi.String("DROP"),
    							Header: &networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs{
    								Destination:     pulumi.String("124.1.1.24/32"),
    								DestinationPort: pulumi.String("53"),
    								Direction:       pulumi.String("ANY"),
    								Protocol:        pulumi.String("TCP"),
    								Source:          pulumi.String("1.2.3.4/32"),
    								SourcePort:      pulumi.String("53"),
    							},
    							RuleOptions: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArray{
    								&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs{
    									Keyword: pulumi.String("sid"),
    									Settings: pulumi.StringArray{
    										pulumi.String("1"),
    									},
    								},
    							},
    						},
    					},
    				},
    			},
    			Tags: pulumi.StringMap{
    				"Tag1": pulumi.String("Value1"),
    				"Tag2": pulumi.String("Value2"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new()
        {
            Capacity = 100,
            Name = "example",
            Type = "STATEFUL",
            RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    StatefulRules = new[]
                    {
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleArgs
                        {
                            Action = "DROP",
                            Header = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
                            {
                                Destination = "124.1.1.24/32",
                                DestinationPort = "53",
                                Direction = "ANY",
                                Protocol = "TCP",
                                Source = "1.2.3.4/32",
                                SourcePort = "53",
                            },
                            RuleOptions = new[]
                            {
                                new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
                                {
                                    Keyword = "sid",
                                    Settings = new[]
                                    {
                                        "1",
                                    },
                                },
                            },
                        },
                    },
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()
                .capacity(100)
                .name("example")
                .type("STATEFUL")
                .ruleGroup(RuleGroupRuleGroupArgs.builder()
                    .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                        .statefulRules(RuleGroupRuleGroupRulesSourceStatefulRuleArgs.builder()
                            .action("DROP")
                            .header(RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs.builder()
                                .destination("124.1.1.24/32")
                                .destinationPort(53)
                                .direction("ANY")
                                .protocol("TCP")
                                .source("1.2.3.4/32")
                                .sourcePort(53)
                                .build())
                            .ruleOptions(RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs.builder()
                                .keyword("sid")
                                .settings("1")
                                .build())
                            .build())
                        .build())
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 100
          name: example
          type: STATEFUL
          ruleGroup:
            rulesSource:
              statefulRules:
                - action: DROP
                  header:
                    destination: 124.1.1.24/32
                    destinationPort: 53
                    direction: ANY
                    protocol: TCP
                    source: 1.2.3.4/32
                    sourcePort: 53
                  ruleOptions:
                    - keyword: sid
                      settings:
                        - '1'
          tags:
            Tag1: Value1
            Tag2: Value2
    

    Stateful Inspection from rules specifications defined in Suricata flat format

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as std from "@pulumi/std";
    
    const example = new aws.networkfirewall.RuleGroup("example", {
        capacity: 100,
        name: "example",
        type: "STATEFUL",
        rules: std.file({
            input: "example.rules",
        }).then(invoke => invoke.result),
        tags: {
            Tag1: "Value1",
            Tag2: "Value2",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    import pulumi_std as std
    
    example = aws.networkfirewall.RuleGroup("example",
        capacity=100,
        name="example",
        type="STATEFUL",
        rules=std.file(input="example.rules").result,
        tags={
            "Tag1": "Value1",
            "Tag2": "Value2",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "example.rules",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
    			Capacity: pulumi.Int(100),
    			Name:     pulumi.String("example"),
    			Type:     pulumi.String("STATEFUL"),
    			Rules:    pulumi.String(invokeFile.Result),
    			Tags: pulumi.StringMap{
    				"Tag1": pulumi.String("Value1"),
    				"Tag2": pulumi.String("Value2"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    using Std = Pulumi.Std;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new()
        {
            Capacity = 100,
            Name = "example",
            Type = "STATEFUL",
            Rules = Std.File.Invoke(new()
            {
                Input = "example.rules",
            }).Apply(invoke => invoke.Result),
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()
                .capacity(100)
                .name("example")
                .type("STATEFUL")
                .rules(StdFunctions.file(FileArgs.builder()
                    .input("example.rules")
                    .build()).result())
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 100
          name: example
          type: STATEFUL
          rules:
            fn::invoke:
              Function: std:file
              Arguments:
                input: example.rules
              Return: result
          tags:
            Tag1: Value1
            Tag2: Value2
    

    Stateful Inspection from rule group specifications using rule variables and Suricata format rules

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as std from "@pulumi/std";
    
    const example = new aws.networkfirewall.RuleGroup("example", {
        capacity: 100,
        name: "example",
        type: "STATEFUL",
        ruleGroup: {
            ruleVariables: {
                ipSets: [
                    {
                        key: "WEBSERVERS_HOSTS",
                        ipSet: {
                            definitions: [
                                "10.0.0.0/16",
                                "10.0.1.0/24",
                                "192.168.0.0/16",
                            ],
                        },
                    },
                    {
                        key: "EXTERNAL_HOST",
                        ipSet: {
                            definitions: ["1.2.3.4/32"],
                        },
                    },
                ],
                portSets: [{
                    key: "HTTP_PORTS",
                    portSet: {
                        definitions: [
                            "443",
                            "80",
                        ],
                    },
                }],
            },
            rulesSource: {
                rulesString: std.file({
                    input: "suricata_rules_file",
                }).then(invoke => invoke.result),
            },
        },
        tags: {
            Tag1: "Value1",
            Tag2: "Value2",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    import pulumi_std as std
    
    example = aws.networkfirewall.RuleGroup("example",
        capacity=100,
        name="example",
        type="STATEFUL",
        rule_group={
            "rule_variables": {
                "ip_sets": [
                    {
                        "key": "WEBSERVERS_HOSTS",
                        "ip_set": {
                            "definitions": [
                                "10.0.0.0/16",
                                "10.0.1.0/24",
                                "192.168.0.0/16",
                            ],
                        },
                    },
                    {
                        "key": "EXTERNAL_HOST",
                        "ip_set": {
                            "definitions": ["1.2.3.4/32"],
                        },
                    },
                ],
                "port_sets": [{
                    "key": "HTTP_PORTS",
                    "port_set": {
                        "definitions": [
                            "443",
                            "80",
                        ],
                    },
                }],
            },
            "rules_source": {
                "rules_string": std.file(input="suricata_rules_file").result,
            },
        },
        tags={
            "Tag1": "Value1",
            "Tag2": "Value2",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi-std/sdk/go/std"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		invokeFile, err := std.File(ctx, &std.FileArgs{
    			Input: "suricata_rules_file",
    		}, nil)
    		if err != nil {
    			return err
    		}
    		_, err = networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
    			Capacity: pulumi.Int(100),
    			Name:     pulumi.String("example"),
    			Type:     pulumi.String("STATEFUL"),
    			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
    				RuleVariables: &networkfirewall.RuleGroupRuleGroupRuleVariablesArgs{
    					IpSets: networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArray{
    						&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
    							Key: pulumi.String("WEBSERVERS_HOSTS"),
    							IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
    								Definitions: pulumi.StringArray{
    									pulumi.String("10.0.0.0/16"),
    									pulumi.String("10.0.1.0/24"),
    									pulumi.String("192.168.0.0/16"),
    								},
    							},
    						},
    						&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
    							Key: pulumi.String("EXTERNAL_HOST"),
    							IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
    								Definitions: pulumi.StringArray{
    									pulumi.String("1.2.3.4/32"),
    								},
    							},
    						},
    					},
    					PortSets: networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArray{
    						&networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArgs{
    							Key: pulumi.String("HTTP_PORTS"),
    							PortSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs{
    								Definitions: pulumi.StringArray{
    									pulumi.String("443"),
    									pulumi.String("80"),
    								},
    							},
    						},
    					},
    				},
    				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
    					RulesString: pulumi.String(invokeFile.Result),
    				},
    			},
    			Tags: pulumi.StringMap{
    				"Tag1": pulumi.String("Value1"),
    				"Tag2": pulumi.String("Value2"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    using Std = Pulumi.Std;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new()
        {
            Capacity = 100,
            Name = "example",
            Type = "STATEFUL",
            RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RuleVariables = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesArgs
                {
                    IpSets = new[]
                    {
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
                        {
                            Key = "WEBSERVERS_HOSTS",
                            IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
                            {
                                Definitions = new[]
                                {
                                    "10.0.0.0/16",
                                    "10.0.1.0/24",
                                    "192.168.0.0/16",
                                },
                            },
                        },
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
                        {
                            Key = "EXTERNAL_HOST",
                            IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
                            {
                                Definitions = new[]
                                {
                                    "1.2.3.4/32",
                                },
                            },
                        },
                    },
                    PortSets = new[]
                    {
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetArgs
                        {
                            Key = "HTTP_PORTS",
                            PortSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
                            {
                                Definitions = new[]
                                {
                                    "443",
                                    "80",
                                },
                            },
                        },
                    },
                },
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    RulesString = Std.File.Invoke(new()
                    {
                        Input = "suricata_rules_file",
                    }).Apply(invoke => invoke.Result),
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()
                .capacity(100)
                .name("example")
                .type("STATEFUL")
                .ruleGroup(RuleGroupRuleGroupArgs.builder()
                    .ruleVariables(RuleGroupRuleGroupRuleVariablesArgs.builder()
                        .ipSets(                    
                            RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
                                .key("WEBSERVERS_HOSTS")
                                .ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
                                    .definitions(                                
                                        "10.0.0.0/16",
                                        "10.0.1.0/24",
                                        "192.168.0.0/16")
                                    .build())
                                .build(),
                            RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
                                .key("EXTERNAL_HOST")
                                .ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
                                    .definitions("1.2.3.4/32")
                                    .build())
                                .build())
                        .portSets(RuleGroupRuleGroupRuleVariablesPortSetArgs.builder()
                            .key("HTTP_PORTS")
                            .portSet(RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs.builder()
                                .definitions(                            
                                    "443",
                                    "80")
                                .build())
                            .build())
                        .build())
                    .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                        .rulesString(StdFunctions.file(FileArgs.builder()
                            .input("suricata_rules_file")
                            .build()).result())
                        .build())
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 100
          name: example
          type: STATEFUL
          ruleGroup:
            ruleVariables:
              ipSets:
                - key: WEBSERVERS_HOSTS
                  ipSet:
                    definitions:
                      - 10.0.0.0/16
                      - 10.0.1.0/24
                      - 192.168.0.0/16
                - key: EXTERNAL_HOST
                  ipSet:
                    definitions:
                      - 1.2.3.4/32
              portSets:
                - key: HTTP_PORTS
                  portSet:
                    definitions:
                      - '443'
                      - '80'
            rulesSource:
              rulesString:
                fn::invoke:
                  Function: std:file
                  Arguments:
                    input: suricata_rules_file
                  Return: result
          tags:
            Tag1: Value1
            Tag2: Value2
    

    Stateless Inspection with a Custom Action

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.networkfirewall.RuleGroup("example", {
        description: "Stateless Rate Limiting Rule",
        capacity: 100,
        name: "example",
        type: "STATELESS",
        ruleGroup: {
            rulesSource: {
                statelessRulesAndCustomActions: {
                    customActions: [{
                        actionDefinition: {
                            publishMetricAction: {
                                dimensions: [{
                                    value: "2",
                                }],
                            },
                        },
                        actionName: "ExampleMetricsAction",
                    }],
                    statelessRules: [{
                        priority: 1,
                        ruleDefinition: {
                            actions: [
                                "aws:pass",
                                "ExampleMetricsAction",
                            ],
                            matchAttributes: {
                                sources: [{
                                    addressDefinition: "1.2.3.4/32",
                                }],
                                sourcePorts: [{
                                    fromPort: 443,
                                    toPort: 443,
                                }],
                                destinations: [{
                                    addressDefinition: "124.1.1.5/32",
                                }],
                                destinationPorts: [{
                                    fromPort: 443,
                                    toPort: 443,
                                }],
                                protocols: [6],
                                tcpFlags: [{
                                    flags: ["SYN"],
                                    masks: [
                                        "SYN",
                                        "ACK",
                                    ],
                                }],
                            },
                        },
                    }],
                },
            },
        },
        tags: {
            Tag1: "Value1",
            Tag2: "Value2",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.networkfirewall.RuleGroup("example",
        description="Stateless Rate Limiting Rule",
        capacity=100,
        name="example",
        type="STATELESS",
        rule_group={
            "rules_source": {
                "stateless_rules_and_custom_actions": {
                    "custom_actions": [{
                        "action_definition": {
                            "publish_metric_action": {
                                "dimensions": [{
                                    "value": "2",
                                }],
                            },
                        },
                        "action_name": "ExampleMetricsAction",
                    }],
                    "stateless_rules": [{
                        "priority": 1,
                        "rule_definition": {
                            "actions": [
                                "aws:pass",
                                "ExampleMetricsAction",
                            ],
                            "match_attributes": {
                                "sources": [{
                                    "address_definition": "1.2.3.4/32",
                                }],
                                "source_ports": [{
                                    "from_port": 443,
                                    "to_port": 443,
                                }],
                                "destinations": [{
                                    "address_definition": "124.1.1.5/32",
                                }],
                                "destination_ports": [{
                                    "from_port": 443,
                                    "to_port": 443,
                                }],
                                "protocols": [6],
                                "tcp_flags": [{
                                    "flags": ["SYN"],
                                    "masks": [
                                        "SYN",
                                        "ACK",
                                    ],
                                }],
                            },
                        },
                    }],
                },
            },
        },
        tags={
            "Tag1": "Value1",
            "Tag2": "Value2",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
    			Description: pulumi.String("Stateless Rate Limiting Rule"),
    			Capacity:    pulumi.Int(100),
    			Name:        pulumi.String("example"),
    			Type:        pulumi.String("STATELESS"),
    			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
    				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
    					StatelessRulesAndCustomActions: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs{
    						CustomActions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArray{
    							&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs{
    								ActionDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs{
    									PublishMetricAction: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs{
    										Dimensions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArray{
    											&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs{
    												Value: pulumi.String("2"),
    											},
    										},
    									},
    								},
    								ActionName: pulumi.String("ExampleMetricsAction"),
    							},
    						},
    						StatelessRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArray{
    							&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs{
    								Priority: pulumi.Int(1),
    								RuleDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs{
    									Actions: pulumi.StringArray{
    										pulumi.String("aws:pass"),
    										pulumi.String("ExampleMetricsAction"),
    									},
    									MatchAttributes: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs{
    										Sources: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArray{
    											&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs{
    												AddressDefinition: pulumi.String("1.2.3.4/32"),
    											},
    										},
    										SourcePorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArray{
    											&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs{
    												FromPort: pulumi.Int(443),
    												ToPort:   pulumi.Int(443),
    											},
    										},
    										Destinations: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArray{
    											&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs{
    												AddressDefinition: pulumi.String("124.1.1.5/32"),
    											},
    										},
    										DestinationPorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArray{
    											&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs{
    												FromPort: pulumi.Int(443),
    												ToPort:   pulumi.Int(443),
    											},
    										},
    										Protocols: pulumi.IntArray{
    											pulumi.Int(6),
    										},
    										TcpFlags: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArray{
    											&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs{
    												Flags: pulumi.StringArray{
    													pulumi.String("SYN"),
    												},
    												Masks: pulumi.StringArray{
    													pulumi.String("SYN"),
    													pulumi.String("ACK"),
    												},
    											},
    										},
    									},
    								},
    							},
    						},
    					},
    				},
    			},
    			Tags: pulumi.StringMap{
    				"Tag1": pulumi.String("Value1"),
    				"Tag2": pulumi.String("Value2"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new()
        {
            Description = "Stateless Rate Limiting Rule",
            Capacity = 100,
            Name = "example",
            Type = "STATELESS",
            RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    StatelessRulesAndCustomActions = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs
                    {
                        CustomActions = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs
                            {
                                ActionDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs
                                {
                                    PublishMetricAction = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs
                                    {
                                        Dimensions = new[]
                                        {
                                            new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs
                                            {
                                                Value = "2",
                                            },
                                        },
                                    },
                                },
                                ActionName = "ExampleMetricsAction",
                            },
                        },
                        StatelessRules = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs
                            {
                                Priority = 1,
                                RuleDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs
                                {
                                    Actions = new[]
                                    {
                                        "aws:pass",
                                        "ExampleMetricsAction",
                                    },
                                    MatchAttributes = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs
                                    {
                                        Sources = new[]
                                        {
                                            new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs
                                            {
                                                AddressDefinition = "1.2.3.4/32",
                                            },
                                        },
                                        SourcePorts = new[]
                                        {
                                            new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs
                                            {
                                                FromPort = 443,
                                                ToPort = 443,
                                            },
                                        },
                                        Destinations = new[]
                                        {
                                            new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs
                                            {
                                                AddressDefinition = "124.1.1.5/32",
                                            },
                                        },
                                        DestinationPorts = new[]
                                        {
                                            new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs
                                            {
                                                FromPort = 443,
                                                ToPort = 443,
                                            },
                                        },
                                        Protocols = new[]
                                        {
                                            6,
                                        },
                                        TcpFlags = new[]
                                        {
                                            new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs
                                            {
                                                Flags = new[]
                                                {
                                                    "SYN",
                                                },
                                                Masks = new[]
                                                {
                                                    "SYN",
                                                    "ACK",
                                                },
                                            },
                                        },
                                    },
                                },
                            },
                        },
                    },
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()
                .description("Stateless Rate Limiting Rule")
                .capacity(100)
                .name("example")
                .type("STATELESS")
                .ruleGroup(RuleGroupRuleGroupArgs.builder()
                    .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                        .statelessRulesAndCustomActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs.builder()
                            .customActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs.builder()
                                .actionDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs.builder()
                                    .publishMetricAction(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs.builder()
                                        .dimensions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs.builder()
                                            .value("2")
                                            .build())
                                        .build())
                                    .build())
                                .actionName("ExampleMetricsAction")
                                .build())
                            .statelessRules(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs.builder()
                                .priority(1)
                                .ruleDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs.builder()
                                    .actions(                                
                                        "aws:pass",
                                        "ExampleMetricsAction")
                                    .matchAttributes(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs.builder()
                                        .sources(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs.builder()
                                            .addressDefinition("1.2.3.4/32")
                                            .build())
                                        .sourcePorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs.builder()
                                            .fromPort(443)
                                            .toPort(443)
                                            .build())
                                        .destinations(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs.builder()
                                            .addressDefinition("124.1.1.5/32")
                                            .build())
                                        .destinationPorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs.builder()
                                            .fromPort(443)
                                            .toPort(443)
                                            .build())
                                        .protocols(6)
                                        .tcpFlags(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs.builder()
                                            .flags("SYN")
                                            .masks(                                        
                                                "SYN",
                                                "ACK")
                                            .build())
                                        .build())
                                    .build())
                                .build())
                            .build())
                        .build())
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          description: Stateless Rate Limiting Rule
          capacity: 100
          name: example
          type: STATELESS
          ruleGroup:
            rulesSource:
              statelessRulesAndCustomActions:
                customActions:
                  - actionDefinition:
                      publishMetricAction:
                        dimensions:
                          - value: '2'
                    actionName: ExampleMetricsAction
                statelessRules:
                  - priority: 1
                    ruleDefinition:
                      actions:
                        - aws:pass
                        - ExampleMetricsAction
                      matchAttributes:
                        sources:
                          - addressDefinition: 1.2.3.4/32
                        sourcePorts:
                          - fromPort: 443
                            toPort: 443
                        destinations:
                          - addressDefinition: 124.1.1.5/32
                        destinationPorts:
                          - fromPort: 443
                            toPort: 443
                        protocols:
                          - 6
                        tcpFlags:
                          - flags:
                              - SYN
                            masks:
                              - SYN
                              - ACK
          tags:
            Tag1: Value1
            Tag2: Value2
    

    IP Set References to the Rule Group

    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.networkfirewall.RuleGroup("example", {
        capacity: 100,
        name: "example",
        type: "STATEFUL",
        ruleGroup: {
            rulesSource: {
                rulesSourceList: {
                    generatedRulesType: "DENYLIST",
                    targetTypes: ["HTTP_HOST"],
                    targets: ["test.example.com"],
                },
            },
            referenceSets: {
                ipSetReferences: [{
                    key: "example",
                    ipSetReferences: [{
                        referenceArn: _this.arn,
                    }],
                }],
            },
        },
        tags: {
            Tag1: "Value1",
            Tag2: "Value2",
        },
    });
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.networkfirewall.RuleGroup("example",
        capacity=100,
        name="example",
        type="STATEFUL",
        rule_group={
            "rules_source": {
                "rules_source_list": {
                    "generated_rules_type": "DENYLIST",
                    "target_types": ["HTTP_HOST"],
                    "targets": ["test.example.com"],
                },
            },
            "reference_sets": {
                "ip_set_references": [{
                    "key": "example",
                    "ip_set_references": [{
                        "reference_arn": this["arn"],
                    }],
                }],
            },
        },
        tags={
            "Tag1": "Value1",
            "Tag2": "Value2",
        })
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
    			Capacity: pulumi.Int(100),
    			Name:     pulumi.String("example"),
    			Type:     pulumi.String("STATEFUL"),
    			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
    				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
    					RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
    						GeneratedRulesType: pulumi.String("DENYLIST"),
    						TargetTypes: pulumi.StringArray{
    							pulumi.String("HTTP_HOST"),
    						},
    						Targets: pulumi.StringArray{
    							pulumi.String("test.example.com"),
    						},
    					},
    				},
    				ReferenceSets: &networkfirewall.RuleGroupRuleGroupReferenceSetsArgs{
    					IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArray{
    						&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs{
    							Key: pulumi.String("example"),
    							IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArray{
    								&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs{
    									ReferenceArn: pulumi.Any(this.Arn),
    								},
    							},
    						},
    					},
    				},
    			},
    			Tags: pulumi.StringMap{
    				"Tag1": pulumi.String("Value1"),
    				"Tag2": pulumi.String("Value2"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new()
        {
            Capacity = 100,
            Name = "example",
            Type = "STATEFUL",
            RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
                    {
                        GeneratedRulesType = "DENYLIST",
                        TargetTypes = new[]
                        {
                            "HTTP_HOST",
                        },
                        Targets = new[]
                        {
                            "test.example.com",
                        },
                    },
                },
                ReferenceSets = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsArgs
                {
                    IpSetReferences = new[]
                    {
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs
                        {
                            Key = "example",
                            IpSetReferences = new[]
                            {
                                new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs
                                {
                                    ReferenceArn = @this.Arn,
                                },
                            },
                        },
                    },
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });
    
    });
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupReferenceSetsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()
                .capacity(100)
                .name("example")
                .type("STATEFUL")
                .ruleGroup(RuleGroupRuleGroupArgs.builder()
                    .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                        .rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
                            .generatedRulesType("DENYLIST")
                            .targetTypes("HTTP_HOST")
                            .targets("test.example.com")
                            .build())
                        .build())
                    .referenceSets(RuleGroupRuleGroupReferenceSetsArgs.builder()
                        .ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs.builder()
                            .key("example")
                            .ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs.builder()
                                .referenceArn(this_.arn())
                                .build())
                            .build())
                        .build())
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .build());
    
        }
    }
    
    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 100
          name: example
          type: STATEFUL
          ruleGroup:
            rulesSource:
              rulesSourceList:
                generatedRulesType: DENYLIST
                targetTypes:
                  - HTTP_HOST
                targets:
                  - test.example.com
            referenceSets:
              ipSetReferences:
                - key: example
                  ipSetReferences:
                    - referenceArn: ${this.arn}
          tags:
            Tag1: Value1
            Tag2: Value2
    

    Create RuleGroup Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new RuleGroup(name: string, args: RuleGroupArgs, opts?: CustomResourceOptions);
    @overload
    def RuleGroup(resource_name: str,
                  args: RuleGroupArgs,
                  opts: Optional[ResourceOptions] = None)
    
    @overload
    def RuleGroup(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  capacity: Optional[int] = None,
                  type: Optional[str] = None,
                  description: Optional[str] = None,
                  encryption_configuration: Optional[RuleGroupEncryptionConfigurationArgs] = None,
                  name: Optional[str] = None,
                  rule_group: Optional[RuleGroupRuleGroupArgs] = None,
                  rules: Optional[str] = None,
                  tags: Optional[Mapping[str, str]] = None)
    func NewRuleGroup(ctx *Context, name string, args RuleGroupArgs, opts ...ResourceOption) (*RuleGroup, error)
    public RuleGroup(string name, RuleGroupArgs args, CustomResourceOptions? opts = null)
    public RuleGroup(String name, RuleGroupArgs args)
    public RuleGroup(String name, RuleGroupArgs args, CustomResourceOptions options)
    
    type: aws:networkfirewall:RuleGroup
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    

    Parameters

    name string
    The unique name of the resource.
    args RuleGroupArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RuleGroupArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RuleGroupArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RuleGroupArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RuleGroupArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var ruleGroupResource = new Aws.NetworkFirewall.RuleGroup("ruleGroupResource", new()
    {
        Capacity = 0,
        Type = "string",
        Description = "string",
        EncryptionConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupEncryptionConfigurationArgs
        {
            Type = "string",
            KeyId = "string",
        },
        Name = "string",
        RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
        {
            RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
            {
                RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
                {
                    GeneratedRulesType = "string",
                    TargetTypes = new[]
                    {
                        "string",
                    },
                    Targets = new[]
                    {
                        "string",
                    },
                },
                RulesString = "string",
                StatefulRules = new[]
                {
                    new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleArgs
                    {
                        Action = "string",
                        Header = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
                        {
                            Destination = "string",
                            DestinationPort = "string",
                            Direction = "string",
                            Protocol = "string",
                            Source = "string",
                            SourcePort = "string",
                        },
                        RuleOptions = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
                            {
                                Keyword = "string",
                                Settings = new[]
                                {
                                    "string",
                                },
                            },
                        },
                    },
                },
                StatelessRulesAndCustomActions = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs
                {
                    StatelessRules = new[]
                    {
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs
                        {
                            Priority = 0,
                            RuleDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs
                            {
                                Actions = new[]
                                {
                                    "string",
                                },
                                MatchAttributes = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs
                                {
                                    DestinationPorts = new[]
                                    {
                                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs
                                        {
                                            FromPort = 0,
                                            ToPort = 0,
                                        },
                                    },
                                    Destinations = new[]
                                    {
                                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs
                                        {
                                            AddressDefinition = "string",
                                        },
                                    },
                                    Protocols = new[]
                                    {
                                        0,
                                    },
                                    SourcePorts = new[]
                                    {
                                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs
                                        {
                                            FromPort = 0,
                                            ToPort = 0,
                                        },
                                    },
                                    Sources = new[]
                                    {
                                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs
                                        {
                                            AddressDefinition = "string",
                                        },
                                    },
                                    TcpFlags = new[]
                                    {
                                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs
                                        {
                                            Flags = new[]
                                            {
                                                "string",
                                            },
                                            Masks = new[]
                                            {
                                                "string",
                                            },
                                        },
                                    },
                                },
                            },
                        },
                    },
                    CustomActions = new[]
                    {
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs
                        {
                            ActionDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs
                            {
                                PublishMetricAction = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs
                                {
                                    Dimensions = new[]
                                    {
                                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs
                                        {
                                            Value = "string",
                                        },
                                    },
                                },
                            },
                            ActionName = "string",
                        },
                    },
                },
            },
            ReferenceSets = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsArgs
            {
                IpSetReferences = new[]
                {
                    new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs
                    {
                        IpSetReferences = new[]
                        {
                            new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs
                            {
                                ReferenceArn = "string",
                            },
                        },
                        Key = "string",
                    },
                },
            },
            RuleVariables = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesArgs
            {
                IpSets = new[]
                {
                    new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
                    {
                        IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
                        {
                            Definitions = new[]
                            {
                                "string",
                            },
                        },
                        Key = "string",
                    },
                },
                PortSets = new[]
                {
                    new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetArgs
                    {
                        Key = "string",
                        PortSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
                        {
                            Definitions = new[]
                            {
                                "string",
                            },
                        },
                    },
                },
            },
            StatefulRuleOptions = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupStatefulRuleOptionsArgs
            {
                RuleOrder = "string",
            },
        },
        Rules = "string",
        Tags = 
        {
            { "string", "string" },
        },
    });
    
    example, err := networkfirewall.NewRuleGroup(ctx, "ruleGroupResource", &networkfirewall.RuleGroupArgs{
    	Capacity:    pulumi.Int(0),
    	Type:        pulumi.String("string"),
    	Description: pulumi.String("string"),
    	EncryptionConfiguration: &networkfirewall.RuleGroupEncryptionConfigurationArgs{
    		Type:  pulumi.String("string"),
    		KeyId: pulumi.String("string"),
    	},
    	Name: pulumi.String("string"),
    	RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
    		RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
    			RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
    				GeneratedRulesType: pulumi.String("string"),
    				TargetTypes: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    				Targets: pulumi.StringArray{
    					pulumi.String("string"),
    				},
    			},
    			RulesString: pulumi.String("string"),
    			StatefulRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArray{
    				&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArgs{
    					Action: pulumi.String("string"),
    					Header: &networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs{
    						Destination:     pulumi.String("string"),
    						DestinationPort: pulumi.String("string"),
    						Direction:       pulumi.String("string"),
    						Protocol:        pulumi.String("string"),
    						Source:          pulumi.String("string"),
    						SourcePort:      pulumi.String("string"),
    					},
    					RuleOptions: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArray{
    						&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs{
    							Keyword: pulumi.String("string"),
    							Settings: pulumi.StringArray{
    								pulumi.String("string"),
    							},
    						},
    					},
    				},
    			},
    			StatelessRulesAndCustomActions: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs{
    				StatelessRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArray{
    					&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs{
    						Priority: pulumi.Int(0),
    						RuleDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs{
    							Actions: pulumi.StringArray{
    								pulumi.String("string"),
    							},
    							MatchAttributes: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs{
    								DestinationPorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArray{
    									&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs{
    										FromPort: pulumi.Int(0),
    										ToPort:   pulumi.Int(0),
    									},
    								},
    								Destinations: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArray{
    									&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs{
    										AddressDefinition: pulumi.String("string"),
    									},
    								},
    								Protocols: pulumi.IntArray{
    									pulumi.Int(0),
    								},
    								SourcePorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArray{
    									&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs{
    										FromPort: pulumi.Int(0),
    										ToPort:   pulumi.Int(0),
    									},
    								},
    								Sources: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArray{
    									&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs{
    										AddressDefinition: pulumi.String("string"),
    									},
    								},
    								TcpFlags: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArray{
    									&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs{
    										Flags: pulumi.StringArray{
    											pulumi.String("string"),
    										},
    										Masks: pulumi.StringArray{
    											pulumi.String("string"),
    										},
    									},
    								},
    							},
    						},
    					},
    				},
    				CustomActions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArray{
    					&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs{
    						ActionDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs{
    							PublishMetricAction: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs{
    								Dimensions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArray{
    									&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs{
    										Value: pulumi.String("string"),
    									},
    								},
    							},
    						},
    						ActionName: pulumi.String("string"),
    					},
    				},
    			},
    		},
    		ReferenceSets: &networkfirewall.RuleGroupRuleGroupReferenceSetsArgs{
    			IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArray{
    				&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs{
    					IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArray{
    						&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs{
    							ReferenceArn: pulumi.String("string"),
    						},
    					},
    					Key: pulumi.String("string"),
    				},
    			},
    		},
    		RuleVariables: &networkfirewall.RuleGroupRuleGroupRuleVariablesArgs{
    			IpSets: networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArray{
    				&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
    					IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
    						Definitions: pulumi.StringArray{
    							pulumi.String("string"),
    						},
    					},
    					Key: pulumi.String("string"),
    				},
    			},
    			PortSets: networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArray{
    				&networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArgs{
    					Key: pulumi.String("string"),
    					PortSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs{
    						Definitions: pulumi.StringArray{
    							pulumi.String("string"),
    						},
    					},
    				},
    			},
    		},
    		StatefulRuleOptions: &networkfirewall.RuleGroupRuleGroupStatefulRuleOptionsArgs{
    			RuleOrder: pulumi.String("string"),
    		},
    	},
    	Rules: pulumi.String("string"),
    	Tags: pulumi.StringMap{
    		"string": pulumi.String("string"),
    	},
    })
    
    var ruleGroupResource = new RuleGroup("ruleGroupResource", RuleGroupArgs.builder()
        .capacity(0)
        .type("string")
        .description("string")
        .encryptionConfiguration(RuleGroupEncryptionConfigurationArgs.builder()
            .type("string")
            .keyId("string")
            .build())
        .name("string")
        .ruleGroup(RuleGroupRuleGroupArgs.builder()
            .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                .rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
                    .generatedRulesType("string")
                    .targetTypes("string")
                    .targets("string")
                    .build())
                .rulesString("string")
                .statefulRules(RuleGroupRuleGroupRulesSourceStatefulRuleArgs.builder()
                    .action("string")
                    .header(RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs.builder()
                        .destination("string")
                        .destinationPort("string")
                        .direction("string")
                        .protocol("string")
                        .source("string")
                        .sourcePort("string")
                        .build())
                    .ruleOptions(RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs.builder()
                        .keyword("string")
                        .settings("string")
                        .build())
                    .build())
                .statelessRulesAndCustomActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs.builder()
                    .statelessRules(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs.builder()
                        .priority(0)
                        .ruleDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs.builder()
                            .actions("string")
                            .matchAttributes(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs.builder()
                                .destinationPorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs.builder()
                                    .fromPort(0)
                                    .toPort(0)
                                    .build())
                                .destinations(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs.builder()
                                    .addressDefinition("string")
                                    .build())
                                .protocols(0)
                                .sourcePorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs.builder()
                                    .fromPort(0)
                                    .toPort(0)
                                    .build())
                                .sources(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs.builder()
                                    .addressDefinition("string")
                                    .build())
                                .tcpFlags(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs.builder()
                                    .flags("string")
                                    .masks("string")
                                    .build())
                                .build())
                            .build())
                        .build())
                    .customActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs.builder()
                        .actionDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs.builder()
                            .publishMetricAction(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs.builder()
                                .dimensions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs.builder()
                                    .value("string")
                                    .build())
                                .build())
                            .build())
                        .actionName("string")
                        .build())
                    .build())
                .build())
            .referenceSets(RuleGroupRuleGroupReferenceSetsArgs.builder()
                .ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs.builder()
                    .ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs.builder()
                        .referenceArn("string")
                        .build())
                    .key("string")
                    .build())
                .build())
            .ruleVariables(RuleGroupRuleGroupRuleVariablesArgs.builder()
                .ipSets(RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
                    .ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
                        .definitions("string")
                        .build())
                    .key("string")
                    .build())
                .portSets(RuleGroupRuleGroupRuleVariablesPortSetArgs.builder()
                    .key("string")
                    .portSet(RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs.builder()
                        .definitions("string")
                        .build())
                    .build())
                .build())
            .statefulRuleOptions(RuleGroupRuleGroupStatefulRuleOptionsArgs.builder()
                .ruleOrder("string")
                .build())
            .build())
        .rules("string")
        .tags(Map.of("string", "string"))
        .build());
    
    rule_group_resource = aws.networkfirewall.RuleGroup("ruleGroupResource",
        capacity=0,
        type="string",
        description="string",
        encryption_configuration={
            "type": "string",
            "key_id": "string",
        },
        name="string",
        rule_group={
            "rules_source": {
                "rules_source_list": {
                    "generated_rules_type": "string",
                    "target_types": ["string"],
                    "targets": ["string"],
                },
                "rules_string": "string",
                "stateful_rules": [{
                    "action": "string",
                    "header": {
                        "destination": "string",
                        "destination_port": "string",
                        "direction": "string",
                        "protocol": "string",
                        "source": "string",
                        "source_port": "string",
                    },
                    "rule_options": [{
                        "keyword": "string",
                        "settings": ["string"],
                    }],
                }],
                "stateless_rules_and_custom_actions": {
                    "stateless_rules": [{
                        "priority": 0,
                        "rule_definition": {
                            "actions": ["string"],
                            "match_attributes": {
                                "destination_ports": [{
                                    "from_port": 0,
                                    "to_port": 0,
                                }],
                                "destinations": [{
                                    "address_definition": "string",
                                }],
                                "protocols": [0],
                                "source_ports": [{
                                    "from_port": 0,
                                    "to_port": 0,
                                }],
                                "sources": [{
                                    "address_definition": "string",
                                }],
                                "tcp_flags": [{
                                    "flags": ["string"],
                                    "masks": ["string"],
                                }],
                            },
                        },
                    }],
                    "custom_actions": [{
                        "action_definition": {
                            "publish_metric_action": {
                                "dimensions": [{
                                    "value": "string",
                                }],
                            },
                        },
                        "action_name": "string",
                    }],
                },
            },
            "reference_sets": {
                "ip_set_references": [{
                    "ip_set_references": [{
                        "reference_arn": "string",
                    }],
                    "key": "string",
                }],
            },
            "rule_variables": {
                "ip_sets": [{
                    "ip_set": {
                        "definitions": ["string"],
                    },
                    "key": "string",
                }],
                "port_sets": [{
                    "key": "string",
                    "port_set": {
                        "definitions": ["string"],
                    },
                }],
            },
            "stateful_rule_options": {
                "rule_order": "string",
            },
        },
        rules="string",
        tags={
            "string": "string",
        })
    
    const ruleGroupResource = new aws.networkfirewall.RuleGroup("ruleGroupResource", {
        capacity: 0,
        type: "string",
        description: "string",
        encryptionConfiguration: {
            type: "string",
            keyId: "string",
        },
        name: "string",
        ruleGroup: {
            rulesSource: {
                rulesSourceList: {
                    generatedRulesType: "string",
                    targetTypes: ["string"],
                    targets: ["string"],
                },
                rulesString: "string",
                statefulRules: [{
                    action: "string",
                    header: {
                        destination: "string",
                        destinationPort: "string",
                        direction: "string",
                        protocol: "string",
                        source: "string",
                        sourcePort: "string",
                    },
                    ruleOptions: [{
                        keyword: "string",
                        settings: ["string"],
                    }],
                }],
                statelessRulesAndCustomActions: {
                    statelessRules: [{
                        priority: 0,
                        ruleDefinition: {
                            actions: ["string"],
                            matchAttributes: {
                                destinationPorts: [{
                                    fromPort: 0,
                                    toPort: 0,
                                }],
                                destinations: [{
                                    addressDefinition: "string",
                                }],
                                protocols: [0],
                                sourcePorts: [{
                                    fromPort: 0,
                                    toPort: 0,
                                }],
                                sources: [{
                                    addressDefinition: "string",
                                }],
                                tcpFlags: [{
                                    flags: ["string"],
                                    masks: ["string"],
                                }],
                            },
                        },
                    }],
                    customActions: [{
                        actionDefinition: {
                            publishMetricAction: {
                                dimensions: [{
                                    value: "string",
                                }],
                            },
                        },
                        actionName: "string",
                    }],
                },
            },
            referenceSets: {
                ipSetReferences: [{
                    ipSetReferences: [{
                        referenceArn: "string",
                    }],
                    key: "string",
                }],
            },
            ruleVariables: {
                ipSets: [{
                    ipSet: {
                        definitions: ["string"],
                    },
                    key: "string",
                }],
                portSets: [{
                    key: "string",
                    portSet: {
                        definitions: ["string"],
                    },
                }],
            },
            statefulRuleOptions: {
                ruleOrder: "string",
            },
        },
        rules: "string",
        tags: {
            string: "string",
        },
    });
    
    type: aws:networkfirewall:RuleGroup
    properties:
        capacity: 0
        description: string
        encryptionConfiguration:
            keyId: string
            type: string
        name: string
        ruleGroup:
            referenceSets:
                ipSetReferences:
                    - ipSetReferences:
                        - referenceArn: string
                      key: string
            ruleVariables:
                ipSets:
                    - ipSet:
                        definitions:
                            - string
                      key: string
                portSets:
                    - key: string
                      portSet:
                        definitions:
                            - string
            rulesSource:
                rulesSourceList:
                    generatedRulesType: string
                    targetTypes:
                        - string
                    targets:
                        - string
                rulesString: string
                statefulRules:
                    - action: string
                      header:
                        destination: string
                        destinationPort: string
                        direction: string
                        protocol: string
                        source: string
                        sourcePort: string
                      ruleOptions:
                        - keyword: string
                          settings:
                            - string
                statelessRulesAndCustomActions:
                    customActions:
                        - actionDefinition:
                            publishMetricAction:
                                dimensions:
                                    - value: string
                          actionName: string
                    statelessRules:
                        - priority: 0
                          ruleDefinition:
                            actions:
                                - string
                            matchAttributes:
                                destinationPorts:
                                    - fromPort: 0
                                      toPort: 0
                                destinations:
                                    - addressDefinition: string
                                protocols:
                                    - 0
                                sourcePorts:
                                    - fromPort: 0
                                      toPort: 0
                                sources:
                                    - addressDefinition: string
                                tcpFlags:
                                    - flags:
                                        - string
                                      masks:
                                        - string
            statefulRuleOptions:
                ruleOrder: string
        rules: string
        tags:
            string: string
        type: string
    

    RuleGroup Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The RuleGroup resource accepts the following input properties:

    Capacity int
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    Type string
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    Description string
    A friendly description of the rule group.
    EncryptionConfiguration RuleGroupEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    Name string
    A friendly name of the rule group.
    RuleGroupConfiguration RuleGroupRuleGroup
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    Rules string
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    Tags Dictionary<string, string>
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    Capacity int
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    Type string
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    Description string
    A friendly description of the rule group.
    EncryptionConfiguration RuleGroupEncryptionConfigurationArgs
    KMS encryption configuration settings. See Encryption Configuration below for details.
    Name string
    A friendly name of the rule group.
    RuleGroup RuleGroupRuleGroupArgs
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    Rules string
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    Tags map[string]string
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    capacity Integer
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    type String
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    description String
    A friendly description of the rule group.
    encryptionConfiguration RuleGroupEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name String
    A friendly name of the rule group.
    ruleGroup RuleGroupRuleGroup
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    rules String
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    tags Map<String,String>
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    capacity number
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    type string
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    description string
    A friendly description of the rule group.
    encryptionConfiguration RuleGroupEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name string
    A friendly name of the rule group.
    ruleGroup RuleGroupRuleGroup
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    rules string
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    tags {[key: string]: string}
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    capacity int
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    type str
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    description str
    A friendly description of the rule group.
    encryption_configuration RuleGroupEncryptionConfigurationArgs
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name str
    A friendly name of the rule group.
    rule_group RuleGroupRuleGroupArgs
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    rules str
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    tags Mapping[str, str]
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    capacity Number
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    type String
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    description String
    A friendly description of the rule group.
    encryptionConfiguration Property Map
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name String
    A friendly name of the rule group.
    ruleGroup Property Map
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    rules String
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    tags Map<String>
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the RuleGroup resource produces the following output properties:

    Arn string
    The Amazon Resource Name (ARN) that identifies the rule group.
    Id string
    The provider-assigned unique ID for this managed resource.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    UpdateToken string
    A string token used when updating the rule group.
    Arn string
    The Amazon Resource Name (ARN) that identifies the rule group.
    Id string
    The provider-assigned unique ID for this managed resource.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    UpdateToken string
    A string token used when updating the rule group.
    arn String
    The Amazon Resource Name (ARN) that identifies the rule group.
    id String
    The provider-assigned unique ID for this managed resource.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    updateToken String
    A string token used when updating the rule group.
    arn string
    The Amazon Resource Name (ARN) that identifies the rule group.
    id string
    The provider-assigned unique ID for this managed resource.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    updateToken string
    A string token used when updating the rule group.
    arn str
    The Amazon Resource Name (ARN) that identifies the rule group.
    id str
    The provider-assigned unique ID for this managed resource.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    update_token str
    A string token used when updating the rule group.
    arn String
    The Amazon Resource Name (ARN) that identifies the rule group.
    id String
    The provider-assigned unique ID for this managed resource.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    updateToken String
    A string token used when updating the rule group.

    Look up Existing RuleGroup Resource

    Get an existing RuleGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: RuleGroupState, opts?: CustomResourceOptions): RuleGroup
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            capacity: Optional[int] = None,
            description: Optional[str] = None,
            encryption_configuration: Optional[RuleGroupEncryptionConfigurationArgs] = None,
            name: Optional[str] = None,
            rule_group: Optional[RuleGroupRuleGroupArgs] = None,
            rules: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None,
            type: Optional[str] = None,
            update_token: Optional[str] = None) -> RuleGroup
    func GetRuleGroup(ctx *Context, name string, id IDInput, state *RuleGroupState, opts ...ResourceOption) (*RuleGroup, error)
    public static RuleGroup Get(string name, Input<string> id, RuleGroupState? state, CustomResourceOptions? opts = null)
    public static RuleGroup get(String name, Output<String> id, RuleGroupState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string
    The Amazon Resource Name (ARN) that identifies the rule group.
    Capacity int
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    Description string
    A friendly description of the rule group.
    EncryptionConfiguration RuleGroupEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    Name string
    A friendly name of the rule group.
    RuleGroupConfiguration RuleGroupRuleGroup
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    Rules string
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    Tags Dictionary<string, string>
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll Dictionary<string, string>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    Type string
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    UpdateToken string
    A string token used when updating the rule group.
    Arn string
    The Amazon Resource Name (ARN) that identifies the rule group.
    Capacity int
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    Description string
    A friendly description of the rule group.
    EncryptionConfiguration RuleGroupEncryptionConfigurationArgs
    KMS encryption configuration settings. See Encryption Configuration below for details.
    Name string
    A friendly name of the rule group.
    RuleGroup RuleGroupRuleGroupArgs
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    Rules string
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    Tags map[string]string
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    TagsAll map[string]string
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    Type string
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    UpdateToken string
    A string token used when updating the rule group.
    arn String
    The Amazon Resource Name (ARN) that identifies the rule group.
    capacity Integer
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    description String
    A friendly description of the rule group.
    encryptionConfiguration RuleGroupEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name String
    A friendly name of the rule group.
    ruleGroup RuleGroupRuleGroup
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    rules String
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    tags Map<String,String>
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String,String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    type String
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    updateToken String
    A string token used when updating the rule group.
    arn string
    The Amazon Resource Name (ARN) that identifies the rule group.
    capacity number
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    description string
    A friendly description of the rule group.
    encryptionConfiguration RuleGroupEncryptionConfiguration
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name string
    A friendly name of the rule group.
    ruleGroup RuleGroupRuleGroup
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    rules string
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    tags {[key: string]: string}
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll {[key: string]: string}
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    type string
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    updateToken string
    A string token used when updating the rule group.
    arn str
    The Amazon Resource Name (ARN) that identifies the rule group.
    capacity int
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    description str
    A friendly description of the rule group.
    encryption_configuration RuleGroupEncryptionConfigurationArgs
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name str
    A friendly name of the rule group.
    rule_group RuleGroupRuleGroupArgs
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    rules str
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    tags Mapping[str, str]
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tags_all Mapping[str, str]
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    type str
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    update_token str
    A string token used when updating the rule group.
    arn String
    The Amazon Resource Name (ARN) that identifies the rule group.
    capacity Number
    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
    description String
    A friendly description of the rule group.
    encryptionConfiguration Property Map
    KMS encryption configuration settings. See Encryption Configuration below for details.
    name String
    A friendly name of the rule group.
    ruleGroup Property Map
    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
    rules String
    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.
    tags Map<String>
    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.
    tagsAll Map<String>
    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Deprecated: Please use tags instead.

    type String
    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.
    updateToken String
    A string token used when updating the rule group.

    Supporting Types

    RuleGroupEncryptionConfiguration, RuleGroupEncryptionConfigurationArgs

    Type string
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    KeyId string
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
    Type string
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    KeyId string
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
    type String
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    keyId String
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
    type string
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    keyId string
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
    type str
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    key_id str
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
    type String
    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.
    keyId String
    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

    RuleGroupRuleGroup, RuleGroupRuleGroupArgs

    RulesSource RuleGroupRuleGroupRulesSource
    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
    ReferenceSets RuleGroupRuleGroupReferenceSets
    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.
    RuleVariables RuleGroupRuleGroupRuleVariables
    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
    StatefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions
    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
    RulesSource RuleGroupRuleGroupRulesSource
    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
    ReferenceSets RuleGroupRuleGroupReferenceSets
    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.
    RuleVariables RuleGroupRuleGroupRuleVariables
    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
    StatefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions
    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
    rulesSource RuleGroupRuleGroupRulesSource
    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
    referenceSets RuleGroupRuleGroupReferenceSets
    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.
    ruleVariables RuleGroupRuleGroupRuleVariables
    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
    statefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions
    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
    rulesSource RuleGroupRuleGroupRulesSource
    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
    referenceSets RuleGroupRuleGroupReferenceSets
    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.
    ruleVariables RuleGroupRuleGroupRuleVariables
    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
    statefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions
    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
    rules_source RuleGroupRuleGroupRulesSource
    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
    reference_sets RuleGroupRuleGroupReferenceSets
    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.
    rule_variables RuleGroupRuleGroupRuleVariables
    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
    stateful_rule_options RuleGroupRuleGroupStatefulRuleOptions
    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
    rulesSource Property Map
    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
    referenceSets Property Map
    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.
    ruleVariables Property Map
    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
    statefulRuleOptions Property Map
    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

    RuleGroupRuleGroupReferenceSets, RuleGroupRuleGroupReferenceSetsArgs

    RuleGroupRuleGroupReferenceSetsIpSetReference, RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs

    IpSetReferences List<RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference>
    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
    Key string
    IpSetReferences []RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference
    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
    Key string
    ipSetReferences List<RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference>
    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
    key String
    ipSetReferences RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference[]
    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
    key string
    ip_set_references Sequence[RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference]
    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
    key str
    ipSetReferences List<Property Map>
    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
    key String

    RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference, RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs

    ReferenceArn string
    Set of Managed Prefix IP ARN(s)
    ReferenceArn string
    Set of Managed Prefix IP ARN(s)
    referenceArn String
    Set of Managed Prefix IP ARN(s)
    referenceArn string
    Set of Managed Prefix IP ARN(s)
    reference_arn str
    Set of Managed Prefix IP ARN(s)
    referenceArn String
    Set of Managed Prefix IP ARN(s)

    RuleGroupRuleGroupRuleVariables, RuleGroupRuleGroupRuleVariablesArgs

    IpSets List<RuleGroupRuleGroupRuleVariablesIpSet>
    Set of configuration blocks that define IP address information. See IP Sets below for details.
    PortSets List<RuleGroupRuleGroupRuleVariablesPortSet>
    Set of configuration blocks that define port range information. See Port Sets below for details.
    IpSets []RuleGroupRuleGroupRuleVariablesIpSet
    Set of configuration blocks that define IP address information. See IP Sets below for details.
    PortSets []RuleGroupRuleGroupRuleVariablesPortSet
    Set of configuration blocks that define port range information. See Port Sets below for details.
    ipSets List<RuleGroupRuleGroupRuleVariablesIpSet>
    Set of configuration blocks that define IP address information. See IP Sets below for details.
    portSets List<RuleGroupRuleGroupRuleVariablesPortSet>
    Set of configuration blocks that define port range information. See Port Sets below for details.
    ipSets RuleGroupRuleGroupRuleVariablesIpSet[]
    Set of configuration blocks that define IP address information. See IP Sets below for details.
    portSets RuleGroupRuleGroupRuleVariablesPortSet[]
    Set of configuration blocks that define port range information. See Port Sets below for details.
    ip_sets Sequence[RuleGroupRuleGroupRuleVariablesIpSet]
    Set of configuration blocks that define IP address information. See IP Sets below for details.
    port_sets Sequence[RuleGroupRuleGroupRuleVariablesPortSet]
    Set of configuration blocks that define port range information. See Port Sets below for details.
    ipSets List<Property Map>
    Set of configuration blocks that define IP address information. See IP Sets below for details.
    portSets List<Property Map>
    Set of configuration blocks that define port range information. See Port Sets below for details.

    RuleGroupRuleGroupRuleVariablesIpSet, RuleGroupRuleGroupRuleVariablesIpSetArgs

    IpSet RuleGroupRuleGroupRuleVariablesIpSetIpSet
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    Key string
    A unique alphanumeric string to identify the ip_set.
    IpSet RuleGroupRuleGroupRuleVariablesIpSetIpSet
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    Key string
    A unique alphanumeric string to identify the ip_set.
    ipSet RuleGroupRuleGroupRuleVariablesIpSetIpSet
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    key String
    A unique alphanumeric string to identify the ip_set.
    ipSet RuleGroupRuleGroupRuleVariablesIpSetIpSet
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    key string
    A unique alphanumeric string to identify the ip_set.
    ip_set RuleGroupRuleGroupRuleVariablesIpSetIpSet
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    key str
    A unique alphanumeric string to identify the ip_set.
    ipSet Property Map
    A configuration block that defines a set of IP addresses. See IP Set below for details.
    key String
    A unique alphanumeric string to identify the ip_set.

    RuleGroupRuleGroupRuleVariablesIpSetIpSet, RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs

    Definitions List<string>
    Set of IP addresses and address ranges, in CIDR notation.
    Definitions []string
    Set of IP addresses and address ranges, in CIDR notation.
    definitions List<String>
    Set of IP addresses and address ranges, in CIDR notation.
    definitions string[]
    Set of IP addresses and address ranges, in CIDR notation.
    definitions Sequence[str]
    Set of IP addresses and address ranges, in CIDR notation.
    definitions List<String>
    Set of IP addresses and address ranges, in CIDR notation.

    RuleGroupRuleGroupRuleVariablesPortSet, RuleGroupRuleGroupRuleVariablesPortSetArgs

    Key string
    An unique alphanumeric string to identify the port_set.
    PortSet RuleGroupRuleGroupRuleVariablesPortSetPortSet
    A configuration block that defines a set of port ranges. See Port Set below for details.
    Key string
    An unique alphanumeric string to identify the port_set.
    PortSet RuleGroupRuleGroupRuleVariablesPortSetPortSet
    A configuration block that defines a set of port ranges. See Port Set below for details.
    key String
    An unique alphanumeric string to identify the port_set.
    portSet RuleGroupRuleGroupRuleVariablesPortSetPortSet
    A configuration block that defines a set of port ranges. See Port Set below for details.
    key string
    An unique alphanumeric string to identify the port_set.
    portSet RuleGroupRuleGroupRuleVariablesPortSetPortSet
    A configuration block that defines a set of port ranges. See Port Set below for details.
    key str
    An unique alphanumeric string to identify the port_set.
    port_set RuleGroupRuleGroupRuleVariablesPortSetPortSet
    A configuration block that defines a set of port ranges. See Port Set below for details.
    key String
    An unique alphanumeric string to identify the port_set.
    portSet Property Map
    A configuration block that defines a set of port ranges. See Port Set below for details.

    RuleGroupRuleGroupRuleVariablesPortSetPortSet, RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs

    Definitions List<string>
    Set of port ranges.
    Definitions []string
    Set of port ranges.
    definitions List<String>
    Set of port ranges.
    definitions string[]
    Set of port ranges.
    definitions Sequence[str]
    Set of port ranges.
    definitions List<String>
    Set of port ranges.

    RuleGroupRuleGroupRulesSource, RuleGroupRuleGroupRulesSourceArgs

    RulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList
    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
    RulesString string
    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
    StatefulRules List<RuleGroupRuleGroupRulesSourceStatefulRule>
    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
    StatelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions
    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
    RulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList
    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
    RulesString string
    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
    StatefulRules []RuleGroupRuleGroupRulesSourceStatefulRule
    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
    StatelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions
    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
    rulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList
    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
    rulesString String
    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
    statefulRules List<RuleGroupRuleGroupRulesSourceStatefulRule>
    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
    statelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions
    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
    rulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList
    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
    rulesString string
    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
    statefulRules RuleGroupRuleGroupRulesSourceStatefulRule[]
    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
    statelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions
    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
    rules_source_list RuleGroupRuleGroupRulesSourceRulesSourceList
    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
    rules_string str
    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
    stateful_rules Sequence[RuleGroupRuleGroupRulesSourceStatefulRule]
    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
    stateless_rules_and_custom_actions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions
    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
    rulesSourceList Property Map
    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
    rulesString String
    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
    statefulRules List<Property Map>
    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
    statelessRulesAndCustomActions Property Map
    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

    RuleGroupRuleGroupRulesSourceRulesSourceList, RuleGroupRuleGroupRulesSourceRulesSourceListArgs

    GeneratedRulesType string
    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.
    TargetTypes List<string>
    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.
    Targets List<string>
    Set of domains that you want to inspect for in your traffic flows.
    GeneratedRulesType string
    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.
    TargetTypes []string
    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.
    Targets []string
    Set of domains that you want to inspect for in your traffic flows.
    generatedRulesType String
    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.
    targetTypes List<String>
    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.
    targets List<String>
    Set of domains that you want to inspect for in your traffic flows.
    generatedRulesType string
    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.
    targetTypes string[]
    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.
    targets string[]
    Set of domains that you want to inspect for in your traffic flows.
    generated_rules_type str
    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.
    target_types Sequence[str]
    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.
    targets Sequence[str]
    Set of domains that you want to inspect for in your traffic flows.
    generatedRulesType String
    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.
    targetTypes List<String>
    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.
    targets List<String>
    Set of domains that you want to inspect for in your traffic flows.

    RuleGroupRuleGroupRulesSourceStatefulRule, RuleGroupRuleGroupRulesSourceStatefulRuleArgs

    Action string
    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP, PASS, or REJECT.
    Header RuleGroupRuleGroupRulesSourceStatefulRuleHeader
    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
    RuleOptions List<RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption>
    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
    Action string
    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP, PASS, or REJECT.
    Header RuleGroupRuleGroupRulesSourceStatefulRuleHeader
    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
    RuleOptions []RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption
    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
    action String
    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP, PASS, or REJECT.
    header RuleGroupRuleGroupRulesSourceStatefulRuleHeader
    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
    ruleOptions List<RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption>
    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
    action string
    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP, PASS, or REJECT.
    header RuleGroupRuleGroupRulesSourceStatefulRuleHeader
    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
    ruleOptions RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption[]
    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
    action str
    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP, PASS, or REJECT.
    header RuleGroupRuleGroupRulesSourceStatefulRuleHeader
    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
    rule_options Sequence[RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption]
    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
    action String
    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP, PASS, or REJECT.
    header Property Map
    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
    ruleOptions List<Property Map>
    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

    RuleGroupRuleGroupRulesSourceStatefulRuleHeader, RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs

    Destination string
    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
    DestinationPort string
    The destination port to inspect for. To match with any address, specify ANY.
    Direction string
    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.
    Protocol string
    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.
    Source string
    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.
    SourcePort string
    The source port to inspect for. To match with any address, specify ANY.
    Destination string
    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
    DestinationPort string
    The destination port to inspect for. To match with any address, specify ANY.
    Direction string
    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.
    Protocol string
    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.
    Source string
    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.
    SourcePort string
    The source port to inspect for. To match with any address, specify ANY.
    destination String
    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
    destinationPort String
    The destination port to inspect for. To match with any address, specify ANY.
    direction String
    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.
    protocol String
    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.
    source String
    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.
    sourcePort String
    The source port to inspect for. To match with any address, specify ANY.
    destination string
    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
    destinationPort string
    The destination port to inspect for. To match with any address, specify ANY.
    direction string
    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.
    protocol string
    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.
    source string
    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.
    sourcePort string
    The source port to inspect for. To match with any address, specify ANY.
    destination str
    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
    destination_port str
    The destination port to inspect for. To match with any address, specify ANY.
    direction str
    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.
    protocol str
    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.
    source str
    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.
    source_port str
    The source port to inspect for. To match with any address, specify ANY.
    destination String
    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.
    destinationPort String
    The destination port to inspect for. To match with any address, specify ANY.
    direction String
    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.
    protocol String
    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.
    source String
    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.
    sourcePort String
    The source port to inspect for. To match with any address, specify ANY.

    RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption, RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs

    Keyword string
    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
    Settings List<string>
    Set of strings for additional settings to use in stateful rule inspection.
    Keyword string
    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
    Settings []string
    Set of strings for additional settings to use in stateful rule inspection.
    keyword String
    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
    settings List<String>
    Set of strings for additional settings to use in stateful rule inspection.
    keyword string
    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
    settings string[]
    Set of strings for additional settings to use in stateful rule inspection.
    keyword str
    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
    settings Sequence[str]
    Set of strings for additional settings to use in stateful rule inspection.
    keyword String
    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
    settings List<String>
    Set of strings for additional settings to use in stateful rule inspection.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs

    StatelessRules List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule>
    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
    CustomActions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction>
    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.
    StatelessRules []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule
    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
    CustomActions []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction
    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.
    statelessRules List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule>
    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
    customActions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction>
    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.
    statelessRules RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule[]
    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
    customActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction[]
    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.
    stateless_rules Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule]
    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
    custom_actions Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction]
    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.
    statelessRules List<Property Map>
    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
    customActions List<Property Map>
    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs

    ActionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    ActionName string
    A friendly name of the custom action.
    ActionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    ActionName string
    A friendly name of the custom action.
    actionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    actionName String
    A friendly name of the custom action.
    actionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    actionName string
    A friendly name of the custom action.
    action_definition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    action_name str
    A friendly name of the custom action.
    actionDefinition Property Map
    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
    actionName String
    A friendly name of the custom action.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs

    PublishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction
    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
    PublishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction
    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
    publishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction
    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
    publishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction
    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
    publish_metric_action RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction
    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
    publishMetricAction Property Map
    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs

    Dimensions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension>
    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
    Dimensions []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension
    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
    dimensions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension>
    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
    dimensions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension[]
    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
    dimensions Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension]
    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
    dimensions List<Property Map>
    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs

    Value string
    The value to use in the custom metric dimension.
    Value string
    The value to use in the custom metric dimension.
    value String
    The value to use in the custom metric dimension.
    value string
    The value to use in the custom metric dimension.
    value str
    The value to use in the custom metric dimension.
    value String
    The value to use in the custom metric dimension.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs

    Priority int
    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
    RuleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition
    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
    Priority int
    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
    RuleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition
    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
    priority Integer
    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
    ruleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition
    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
    priority number
    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
    ruleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition
    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
    priority int
    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
    rule_definition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition
    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
    priority Number
    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
    ruleDefinition Property Map
    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs

    Actions List<string>
    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.
    MatchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes
    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
    Actions []string
    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.
    MatchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes
    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
    actions List<String>
    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.
    matchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes
    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
    actions string[]
    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.
    matchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes
    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
    actions Sequence[str]
    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.
    match_attributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes
    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
    actions List<String>
    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.
    matchAttributes Property Map
    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs

    DestinationPorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort>
    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
    Destinations List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination>
    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
    Protocols List<int>
    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
    SourcePorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort>
    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
    Sources List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource>
    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
    TcpFlags List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag>
    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
    DestinationPorts []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort
    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
    Destinations []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination
    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
    Protocols []int
    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
    SourcePorts []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort
    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
    Sources []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource
    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
    TcpFlags []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag
    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
    destinationPorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort>
    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
    destinations List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination>
    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
    protocols List<Integer>
    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
    sourcePorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort>
    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
    sources List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource>
    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
    tcpFlags List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag>
    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
    destinationPorts RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort[]
    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
    destinations RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination[]
    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
    protocols number[]
    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
    sourcePorts RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort[]
    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
    sources RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource[]
    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
    tcpFlags RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag[]
    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
    destination_ports Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort]
    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
    destinations Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination]
    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
    protocols Sequence[int]
    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
    source_ports Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort]
    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
    sources Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource]
    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
    tcp_flags Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag]
    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
    destinationPorts List<Property Map>
    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
    destinations List<Property Map>
    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
    protocols List<Number>
    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
    sourcePorts List<Property Map>
    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
    sources List<Property Map>
    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
    tcpFlags List<Property Map>
    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs

    AddressDefinition string
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
    AddressDefinition string
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
    addressDefinition String
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
    addressDefinition string
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
    address_definition str
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
    addressDefinition String
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs

    FromPort int
    The lower limit of the port range. This must be less than or equal to the to_port.
    ToPort int
    The upper limit of the port range. This must be greater than or equal to the from_port.
    FromPort int
    The lower limit of the port range. This must be less than or equal to the to_port.
    ToPort int
    The upper limit of the port range. This must be greater than or equal to the from_port.
    fromPort Integer
    The lower limit of the port range. This must be less than or equal to the to_port.
    toPort Integer
    The upper limit of the port range. This must be greater than or equal to the from_port.
    fromPort number
    The lower limit of the port range. This must be less than or equal to the to_port.
    toPort number
    The upper limit of the port range. This must be greater than or equal to the from_port.
    from_port int
    The lower limit of the port range. This must be less than or equal to the to_port.
    to_port int
    The upper limit of the port range. This must be greater than or equal to the from_port.
    fromPort Number
    The lower limit of the port range. This must be less than or equal to the to_port.
    toPort Number
    The upper limit of the port range. This must be greater than or equal to the from_port.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs

    AddressDefinition string
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
    AddressDefinition string
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
    addressDefinition String
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
    addressDefinition string
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
    address_definition str
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
    addressDefinition String
    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs

    FromPort int
    The lower limit of the port range. This must be less than or equal to the to_port.
    ToPort int
    The upper limit of the port range. This must be greater than or equal to the from_port.
    FromPort int
    The lower limit of the port range. This must be less than or equal to the to_port.
    ToPort int
    The upper limit of the port range. This must be greater than or equal to the from_port.
    fromPort Integer
    The lower limit of the port range. This must be less than or equal to the to_port.
    toPort Integer
    The upper limit of the port range. This must be greater than or equal to the from_port.
    fromPort number
    The lower limit of the port range. This must be less than or equal to the to_port.
    toPort number
    The upper limit of the port range. This must be greater than or equal to the from_port.
    from_port int
    The lower limit of the port range. This must be less than or equal to the to_port.
    to_port int
    The upper limit of the port range. This must be greater than or equal to the from_port.
    fromPort Number
    The lower limit of the port range. This must be less than or equal to the to_port.
    toPort Number
    The upper limit of the port range. This must be greater than or equal to the from_port.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs

    Flags List<string>
    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
    Masks List<string>
    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
    Flags []string
    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
    Masks []string
    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
    flags List<String>
    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
    masks List<String>
    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
    flags string[]
    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
    masks string[]
    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
    flags Sequence[str]
    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
    masks Sequence[str]
    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
    flags List<String>
    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
    masks List<String>
    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    RuleGroupRuleGroupStatefulRuleOptions, RuleGroupRuleGroupStatefulRuleOptionsArgs

    RuleOrder string
    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
    RuleOrder string
    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
    ruleOrder String
    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
    ruleOrder string
    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
    rule_order str
    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.
    ruleOrder String
    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

    Import

    Using pulumi import, import Network Firewall Rule Groups using their arn. For example:

    $ pulumi import aws:networkfirewall/ruleGroup:RuleGroup example arn:aws:network-firewall:us-west-1:123456789012:stateful-rulegroup/example
    

    To learn more about importing existing cloud resources, see Importing resources.

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the aws Terraform Provider.
    aws logo
    AWS v6.64.0 published on Friday, Dec 6, 2024 by Pulumi