1. Packages
  2. AWS Classic
  3. API Docs
  4. networkfirewall
  5. RuleGroup

Try AWS Native preview for resources not in the classic version.

AWS Classic v5.41.0 published on Monday, May 15, 2023 by Pulumi

aws.networkfirewall.RuleGroup

Explore with Pulumi AI

aws logo

Try AWS Native preview for resources not in the classic version.

AWS Classic v5.41.0 published on Monday, May 15, 2023 by Pulumi

    Provides an AWS Network Firewall Rule Group Resource

    Example Usage

    Stateful Inspection for denying access to a domain

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new()
        {
            Capacity = 100,
            RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
                    {
                        GeneratedRulesType = "DENYLIST",
                        TargetTypes = new[]
                        {
                            "HTTP_HOST",
                        },
                        Targets = new[]
                        {
                            "test.example.com",
                        },
                    },
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
            Type = "STATEFUL",
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
    			Capacity: pulumi.Int(100),
    			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
    				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
    					RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
    						GeneratedRulesType: pulumi.String("DENYLIST"),
    						TargetTypes: pulumi.StringArray{
    							pulumi.String("HTTP_HOST"),
    						},
    						Targets: pulumi.StringArray{
    							pulumi.String("test.example.com"),
    						},
    					},
    				},
    			},
    			Tags: pulumi.StringMap{
    				"Tag1": pulumi.String("Value1"),
    				"Tag2": pulumi.String("Value2"),
    			},
    			Type: pulumi.String("STATEFUL"),
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()        
                .capacity(100)
                .ruleGroup(RuleGroupRuleGroupArgs.builder()
                    .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                        .rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
                            .generatedRulesType("DENYLIST")
                            .targetTypes("HTTP_HOST")
                            .targets("test.example.com")
                            .build())
                        .build())
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .type("STATEFUL")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.networkfirewall.RuleGroup("example",
        capacity=100,
        rule_group=aws.networkfirewall.RuleGroupRuleGroupArgs(
            rules_source=aws.networkfirewall.RuleGroupRuleGroupRulesSourceArgs(
                rules_source_list=aws.networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs(
                    generated_rules_type="DENYLIST",
                    target_types=["HTTP_HOST"],
                    targets=["test.example.com"],
                ),
            ),
        ),
        tags={
            "Tag1": "Value1",
            "Tag2": "Value2",
        },
        type="STATEFUL")
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.networkfirewall.RuleGroup("example", {
        capacity: 100,
        ruleGroup: {
            rulesSource: {
                rulesSourceList: {
                    generatedRulesType: "DENYLIST",
                    targetTypes: ["HTTP_HOST"],
                    targets: ["test.example.com"],
                },
            },
        },
        tags: {
            Tag1: "Value1",
            Tag2: "Value2",
        },
        type: "STATEFUL",
    });
    
    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 100
          ruleGroup:
            rulesSource:
              rulesSourceList:
                generatedRulesType: DENYLIST
                targetTypes:
                  - HTTP_HOST
                targets:
                  - test.example.com
          tags:
            Tag1: Value1
            Tag2: Value2
          type: STATEFUL
    

    Stateful Inspection for permitting packets from a source IP address

    Coming soon!

    Coming soon!

    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            final var ips =         
                "1.1.1.1/32",
                "1.0.0.1/32";
    
            var example = new RuleGroup("example", RuleGroupArgs.builder()        
                .capacity(50)
                .description("Permits http traffic from source")
                .type("STATEFUL")
                .ruleGroup(RuleGroupRuleGroupArgs.builder()
                    .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                        .dynamic(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                        .build())
                    .build())
                .tags(Map.of("Name", "permit HTTP from source"))
                .build());
    
        }
    }
    

    Coming soon!

    Coming soon!

    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 50
          description: Permits http traffic from source
          type: STATEFUL
          ruleGroup:
            rulesSource:
              dynamic:
                - forEach: ${ips}
                  content:
                    - action: PASS
                      header:
                        - destination: ANY
                          destinationPort: ANY
                          protocol: HTTP
                          direction: ANY
                          sourcePort: ANY
                          source: ${stateful_rule.value}
                      ruleOption:
                        - keyword: sid
                          settings:
                            - '1'
          tags:
            Name: permit HTTP from source
    variables:
      ips:
        - 1.1.1.1/32
        - 1.0.0.1/32
    

    Stateful Inspection for blocking packets from going to an intended destination

    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new()
        {
            Capacity = 100,
            Type = "STATEFUL",
            Rules = File.ReadAllText("example.rules"),
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });
    
    });
    
    package main
    
    import (
    	"os"
    
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func readFileOrPanic(path string) pulumi.StringPtrInput {
    	data, err := os.ReadFile(path)
    	if err != nil {
    		panic(err.Error())
    	}
    	return pulumi.String(string(data))
    }
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
    			Capacity: pulumi.Int(100),
    			Type:     pulumi.String("STATEFUL"),
    			Rules:    readFileOrPanic("example.rules"),
    			Tags: pulumi.StringMap{
    				"Tag1": pulumi.String("Value1"),
    				"Tag2": pulumi.String("Value2"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()        
                .capacity(100)
                .ruleGroup(RuleGroupRuleGroupArgs.builder()
                    .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                        .statefulRule(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                        .build())
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .type("STATEFUL")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.networkfirewall.RuleGroup("example",
        capacity=100,
        type="STATEFUL",
        rules=(lambda path: open(path).read())("example.rules"),
        tags={
            "Tag1": "Value1",
            "Tag2": "Value2",
        })
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as fs from "fs";
    
    const example = new aws.networkfirewall.RuleGroup("example", {
        capacity: 100,
        type: "STATEFUL",
        rules: fs.readFileSync("example.rules"),
        tags: {
            Tag1: "Value1",
            Tag2: "Value2",
        },
    });
    
    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 100
          ruleGroup:
            rulesSource:
              statefulRule:
                - action: DROP
                  header:
                    destination: 124.1.1.24/32
                    destinationPort: 53
                    direction: ANY
                    protocol: TCP
                    source: 1.2.3.4/32
                    sourcePort: 53
                  ruleOption:
                    - keyword: sid
                      settings:
                        - '1'
          tags:
            Tag1: Value1
            Tag2: Value2
          type: STATEFUL
    

    Stateful Inspection from rules specifications defined in Suricata flat format

    using System.Collections.Generic;
    using System.IO;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new()
        {
            Capacity = 100,
            Type = "STATEFUL",
            RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RuleVariables = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesArgs
                {
                    IpSets = new[]
                    {
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
                        {
                            Key = "WEBSERVERS_HOSTS",
                            IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
                            {
                                Definitions = new[]
                                {
                                    "10.0.0.0/16",
                                    "10.0.1.0/24",
                                    "192.168.0.0/16",
                                },
                            },
                        },
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
                        {
                            Key = "EXTERNAL_HOST",
                            IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
                            {
                                Definitions = new[]
                                {
                                    "1.2.3.4/32",
                                },
                            },
                        },
                    },
                    PortSets = new[]
                    {
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetArgs
                        {
                            Key = "HTTP_PORTS",
                            PortSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
                            {
                                Definitions = new[]
                                {
                                    "443",
                                    "80",
                                },
                            },
                        },
                    },
                },
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    RulesString = File.ReadAllText("suricata_rules_file"),
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });
    
    });
    
    package main
    
    import (
    	"os"
    
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func readFileOrPanic(path string) pulumi.StringPtrInput {
    	data, err := os.ReadFile(path)
    	if err != nil {
    		panic(err.Error())
    	}
    	return pulumi.String(string(data))
    }
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
    			Capacity: pulumi.Int(100),
    			Type:     pulumi.String("STATEFUL"),
    			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
    				RuleVariables: &networkfirewall.RuleGroupRuleGroupRuleVariablesArgs{
    					IpSets: networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArray{
    						&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
    							Key: pulumi.String("WEBSERVERS_HOSTS"),
    							IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
    								Definitions: pulumi.StringArray{
    									pulumi.String("10.0.0.0/16"),
    									pulumi.String("10.0.1.0/24"),
    									pulumi.String("192.168.0.0/16"),
    								},
    							},
    						},
    						&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
    							Key: pulumi.String("EXTERNAL_HOST"),
    							IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
    								Definitions: pulumi.StringArray{
    									pulumi.String("1.2.3.4/32"),
    								},
    							},
    						},
    					},
    					PortSets: networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArray{
    						&networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArgs{
    							Key: pulumi.String("HTTP_PORTS"),
    							PortSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs{
    								Definitions: pulumi.StringArray{
    									pulumi.String("443"),
    									pulumi.String("80"),
    								},
    							},
    						},
    					},
    				},
    				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
    					RulesString: readFileOrPanic("suricata_rules_file"),
    				},
    			},
    			Tags: pulumi.StringMap{
    				"Tag1": pulumi.String("Value1"),
    				"Tag2": pulumi.String("Value2"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()        
                .capacity(100)
                .type("STATEFUL")
                .rules(Files.readString(Paths.get("example.rules")))
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.networkfirewall.RuleGroup("example",
        capacity=100,
        type="STATEFUL",
        rule_group=aws.networkfirewall.RuleGroupRuleGroupArgs(
            rule_variables=aws.networkfirewall.RuleGroupRuleGroupRuleVariablesArgs(
                ip_sets=[
                    aws.networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs(
                        key="WEBSERVERS_HOSTS",
                        ip_set=aws.networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs(
                            definitions=[
                                "10.0.0.0/16",
                                "10.0.1.0/24",
                                "192.168.0.0/16",
                            ],
                        ),
                    ),
                    aws.networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs(
                        key="EXTERNAL_HOST",
                        ip_set=aws.networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs(
                            definitions=["1.2.3.4/32"],
                        ),
                    ),
                ],
                port_sets=[aws.networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArgs(
                    key="HTTP_PORTS",
                    port_set=aws.networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs(
                        definitions=[
                            "443",
                            "80",
                        ],
                    ),
                )],
            ),
            rules_source=aws.networkfirewall.RuleGroupRuleGroupRulesSourceArgs(
                rules_string=(lambda path: open(path).read())("suricata_rules_file"),
            ),
        ),
        tags={
            "Tag1": "Value1",
            "Tag2": "Value2",
        })
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    import * as fs from "fs";
    
    const example = new aws.networkfirewall.RuleGroup("example", {
        capacity: 100,
        type: "STATEFUL",
        ruleGroup: {
            ruleVariables: {
                ipSets: [
                    {
                        key: "WEBSERVERS_HOSTS",
                        ipSet: {
                            definitions: [
                                "10.0.0.0/16",
                                "10.0.1.0/24",
                                "192.168.0.0/16",
                            ],
                        },
                    },
                    {
                        key: "EXTERNAL_HOST",
                        ipSet: {
                            definitions: ["1.2.3.4/32"],
                        },
                    },
                ],
                portSets: [{
                    key: "HTTP_PORTS",
                    portSet: {
                        definitions: [
                            "443",
                            "80",
                        ],
                    },
                }],
            },
            rulesSource: {
                rulesString: fs.readFileSync("suricata_rules_file"),
            },
        },
        tags: {
            Tag1: "Value1",
            Tag2: "Value2",
        },
    });
    
    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 100
          type: STATEFUL
          rules:
            fn::readFile: example.rules
          tags:
            Tag1: Value1
            Tag2: Value2
    

    Stateful Inspection from rule group specifications using rule variables and Suricata format rules

    Coming soon!

    Coming soon!

    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()        
                .capacity(100)
                .type("STATEFUL")
                .ruleGroup(RuleGroupRuleGroupArgs.builder()
                    .ruleVariables(RuleGroupRuleGroupRuleVariablesArgs.builder()
                        .ipSets(                    
                            RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
                                .key("WEBSERVERS_HOSTS")
                                .ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
                                    .definitions(                                
                                        "10.0.0.0/16",
                                        "10.0.1.0/24",
                                        "192.168.0.0/16")
                                    .build())
                                .build(),
                            RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
                                .key("EXTERNAL_HOST")
                                .ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
                                    .definitions("1.2.3.4/32")
                                    .build())
                                .build())
                        .portSets(RuleGroupRuleGroupRuleVariablesPortSetArgs.builder()
                            .key("HTTP_PORTS")
                            .portSet(RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs.builder()
                                .definitions(                            
                                    "443",
                                    "80")
                                .build())
                            .build())
                        .build())
                    .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                        .rulesString(Files.readString(Paths.get("suricata_rules_file")))
                        .build())
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .build());
    
        }
    }
    

    Coming soon!

    Coming soon!

    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 100
          type: STATEFUL
          ruleGroup:
            ruleVariables:
              ipSets:
                - key: WEBSERVERS_HOSTS
                  ipSet:
                    definitions:
                      - 10.0.0.0/16
                      - 10.0.1.0/24
                      - 192.168.0.0/16
                - key: EXTERNAL_HOST
                  ipSet:
                    definitions:
                      - 1.2.3.4/32
              portSets:
                - key: HTTP_PORTS
                  portSet:
                    definitions:
                      - '443'
                      - '80'
            rulesSource:
              rulesString:
                fn::readFile: suricata_rules_file
          tags:
            Tag1: Value1
            Tag2: Value2
    

    Stateless Inspection with a Custom Action

    using System.Collections.Generic;
    using System.Linq;
    using Pulumi;
    using Aws = Pulumi.Aws;
    
    return await Deployment.RunAsync(() => 
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new()
        {
            Capacity = 100,
            Type = "STATEFUL",
            RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
                    {
                        GeneratedRulesType = "DENYLIST",
                        TargetTypes = new[]
                        {
                            "HTTP_HOST",
                        },
                        Targets = new[]
                        {
                            "test.example.com",
                        },
                    },
                },
                ReferenceSets = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsArgs
                {
                    IpSetReferences = new[]
                    {
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs
                        {
                            Key = "example",
                            IpSetReferences = new[]
                            {
                                new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs
                                {
                                    ReferenceArn = aws_ec2_managed_prefix_list.This.Arn,
                                },
                            },
                        },
                    },
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });
    
    });
    
    package main
    
    import (
    	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/networkfirewall"
    	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
    )
    
    func main() {
    	pulumi.Run(func(ctx *pulumi.Context) error {
    		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
    			Capacity: pulumi.Int(100),
    			Type:     pulumi.String("STATEFUL"),
    			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
    				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
    					RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
    						GeneratedRulesType: pulumi.String("DENYLIST"),
    						TargetTypes: pulumi.StringArray{
    							pulumi.String("HTTP_HOST"),
    						},
    						Targets: pulumi.StringArray{
    							pulumi.String("test.example.com"),
    						},
    					},
    				},
    				ReferenceSets: &networkfirewall.RuleGroupRuleGroupReferenceSetsArgs{
    					IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArray{
    						&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs{
    							Key: pulumi.String("example"),
    							IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArray{
    								&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs{
    									ReferenceArn: pulumi.Any(aws_ec2_managed_prefix_list.This.Arn),
    								},
    							},
    						},
    					},
    				},
    			},
    			Tags: pulumi.StringMap{
    				"Tag1": pulumi.String("Value1"),
    				"Tag2": pulumi.String("Value2"),
    			},
    		})
    		if err != nil {
    			return err
    		}
    		return nil
    	})
    }
    
    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()        
                .capacity(100)
                .description("Stateless Rate Limiting Rule")
                .ruleGroup(RuleGroupRuleGroupArgs.builder()
                    .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                        .statelessRulesAndCustomActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs.builder()
                            .customAction(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                            .statelessRule(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                            .build())
                        .build())
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .type("STATELESS")
                .build());
    
        }
    }
    
    import pulumi
    import pulumi_aws as aws
    
    example = aws.networkfirewall.RuleGroup("example",
        capacity=100,
        type="STATEFUL",
        rule_group=aws.networkfirewall.RuleGroupRuleGroupArgs(
            rules_source=aws.networkfirewall.RuleGroupRuleGroupRulesSourceArgs(
                rules_source_list=aws.networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs(
                    generated_rules_type="DENYLIST",
                    target_types=["HTTP_HOST"],
                    targets=["test.example.com"],
                ),
            ),
            reference_sets=aws.networkfirewall.RuleGroupRuleGroupReferenceSetsArgs(
                ip_set_references=[aws.networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs(
                    key="example",
                    ip_set_references=[aws.networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs(
                        reference_arn=aws_ec2_managed_prefix_list["this"]["arn"],
                    )],
                )],
            ),
        ),
        tags={
            "Tag1": "Value1",
            "Tag2": "Value2",
        })
    
    import * as pulumi from "@pulumi/pulumi";
    import * as aws from "@pulumi/aws";
    
    const example = new aws.networkfirewall.RuleGroup("example", {
        capacity: 100,
        type: "STATEFUL",
        ruleGroup: {
            rulesSource: {
                rulesSourceList: {
                    generatedRulesType: "DENYLIST",
                    targetTypes: ["HTTP_HOST"],
                    targets: ["test.example.com"],
                },
            },
            referenceSets: {
                ipSetReferences: [{
                    key: "example",
                    ipSetReferences: [{
                        referenceArn: aws_ec2_managed_prefix_list["this"].arn,
                    }],
                }],
            },
        },
        tags: {
            Tag1: "Value1",
            Tag2: "Value2",
        },
    });
    
    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 100
          description: Stateless Rate Limiting Rule
          ruleGroup:
            rulesSource:
              statelessRulesAndCustomActions:
                customAction:
                  - actionDefinition:
                      publishMetricAction:
                        dimension:
                          - value: '2'
                    actionName: ExampleMetricsAction
                statelessRule:
                  - priority: 1
                    ruleDefinition:
                      actions:
                        - aws:pass
                        - ExampleMetricsAction
                      matchAttributes:
                        destination:
                          - addressDefinition: 124.1.1.5/32
                        destinationPort:
                          - fromPort: 443
                            toPort: 443
                        protocols:
                          - 6
                        source:
                          - addressDefinition: 1.2.3.4/32
                        sourcePort:
                          - fromPort: 443
                            toPort: 443
                        tcpFlag:
                          - flags:
                              - SYN
                            masks:
                              - SYN
                              - ACK
          tags:
            Tag1: Value1
            Tag2: Value2
          type: STATELESS
    

    IP Set References to the Rule Group

    Coming soon!

    Coming soon!

    package generated_program;
    
    import com.pulumi.Context;
    import com.pulumi.Pulumi;
    import com.pulumi.core.Output;
    import com.pulumi.aws.networkfirewall.RuleGroup;
    import com.pulumi.aws.networkfirewall.RuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
    import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupReferenceSetsArgs;
    import java.util.List;
    import java.util.ArrayList;
    import java.util.Map;
    import java.io.File;
    import java.nio.file.Files;
    import java.nio.file.Paths;
    
    public class App {
        public static void main(String[] args) {
            Pulumi.run(App::stack);
        }
    
        public static void stack(Context ctx) {
            var example = new RuleGroup("example", RuleGroupArgs.builder()        
                .capacity(100)
                .type("STATEFUL")
                .ruleGroup(RuleGroupRuleGroupArgs.builder()
                    .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                        .rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
                            .generatedRulesType("DENYLIST")
                            .targetTypes("HTTP_HOST")
                            .targets("test.example.com")
                            .build())
                        .build())
                    .referenceSets(RuleGroupRuleGroupReferenceSetsArgs.builder()
                        .ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs.builder()
                            .key("example")
                            .ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs.builder()
                                .referenceArn(aws_ec2_managed_prefix_list.this().arn())
                                .build())
                            .build())
                        .build())
                    .build())
                .tags(Map.ofEntries(
                    Map.entry("Tag1", "Value1"),
                    Map.entry("Tag2", "Value2")
                ))
                .build());
    
        }
    }
    

    Coming soon!

    Coming soon!

    resources:
      example:
        type: aws:networkfirewall:RuleGroup
        properties:
          capacity: 100
          type: STATEFUL
          ruleGroup:
            rulesSource:
              rulesSourceList:
                generatedRulesType: DENYLIST
                targetTypes:
                  - HTTP_HOST
                targets:
                  - test.example.com
            referenceSets:
              ipSetReferences:
                - key: example
                  ipSetReferences:
                    - referenceArn: ${aws_ec2_managed_prefix_list.this.arn}
          tags:
            Tag1: Value1
            Tag2: Value2
    

    Create RuleGroup Resource

    new RuleGroup(name: string, args: RuleGroupArgs, opts?: CustomResourceOptions);
    @overload
    def RuleGroup(resource_name: str,
                  opts: Optional[ResourceOptions] = None,
                  capacity: Optional[int] = None,
                  description: Optional[str] = None,
                  encryption_configuration: Optional[RuleGroupEncryptionConfigurationArgs] = None,
                  name: Optional[str] = None,
                  rule_group: Optional[RuleGroupRuleGroupArgs] = None,
                  rules: Optional[str] = None,
                  tags: Optional[Mapping[str, str]] = None,
                  type: Optional[str] = None)
    @overload
    def RuleGroup(resource_name: str,
                  args: RuleGroupArgs,
                  opts: Optional[ResourceOptions] = None)
    func NewRuleGroup(ctx *Context, name string, args RuleGroupArgs, opts ...ResourceOption) (*RuleGroup, error)
    public RuleGroup(string name, RuleGroupArgs args, CustomResourceOptions? opts = null)
    public RuleGroup(String name, RuleGroupArgs args)
    public RuleGroup(String name, RuleGroupArgs args, CustomResourceOptions options)
    
    type: aws:networkfirewall:RuleGroup
    properties: # The arguments to resource properties.
    options: # Bag of options to control resource's behavior.
    
    
    name string
    The unique name of the resource.
    args RuleGroupArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args RuleGroupArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args RuleGroupArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args RuleGroupArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args RuleGroupArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    RuleGroup Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    The RuleGroup resource accepts the following input properties:

    Capacity int

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    Type string

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    Description string

    A friendly description of the rule group.

    EncryptionConfiguration RuleGroupEncryptionConfigurationArgs

    KMS encryption configuration settings. See Encryption Configuration below for details.

    Name string

    A friendly name of the rule group.

    RuleGroupConfiguration RuleGroupRuleGroupArgs

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    Rules string

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    Tags Dictionary<string, string>

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    Capacity int

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    Type string

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    Description string

    A friendly description of the rule group.

    EncryptionConfiguration RuleGroupEncryptionConfigurationArgs

    KMS encryption configuration settings. See Encryption Configuration below for details.

    Name string

    A friendly name of the rule group.

    RuleGroup RuleGroupRuleGroupArgs

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    Rules string

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    Tags map[string]string

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    capacity Integer

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    type String

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    description String

    A friendly description of the rule group.

    encryptionConfiguration RuleGroupEncryptionConfigurationArgs

    KMS encryption configuration settings. See Encryption Configuration below for details.

    name String

    A friendly name of the rule group.

    ruleGroup RuleGroupRuleGroupArgs

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    rules String

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    tags Map<String,String>

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    capacity number

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    type string

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    description string

    A friendly description of the rule group.

    encryptionConfiguration RuleGroupEncryptionConfigurationArgs

    KMS encryption configuration settings. See Encryption Configuration below for details.

    name string

    A friendly name of the rule group.

    ruleGroup RuleGroupRuleGroupArgs

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    rules string

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    tags {[key: string]: string}

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    capacity int

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    type str

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    description str

    A friendly description of the rule group.

    encryption_configuration RuleGroupEncryptionConfigurationArgs

    KMS encryption configuration settings. See Encryption Configuration below for details.

    name str

    A friendly name of the rule group.

    rule_group RuleGroupRuleGroupArgs

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    rules str

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    tags Mapping[str, str]

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    capacity Number

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    type String

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    description String

    A friendly description of the rule group.

    encryptionConfiguration Property Map

    KMS encryption configuration settings. See Encryption Configuration below for details.

    name String

    A friendly name of the rule group.

    ruleGroup Property Map

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    rules String

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    tags Map<String>

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the RuleGroup resource produces the following output properties:

    Arn string

    The Amazon Resource Name (ARN) that identifies the rule group.

    Id string

    The provider-assigned unique ID for this managed resource.

    TagsAll Dictionary<string, string>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    UpdateToken string

    A string token used when updating the rule group.

    Arn string

    The Amazon Resource Name (ARN) that identifies the rule group.

    Id string

    The provider-assigned unique ID for this managed resource.

    TagsAll map[string]string

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    UpdateToken string

    A string token used when updating the rule group.

    arn String

    The Amazon Resource Name (ARN) that identifies the rule group.

    id String

    The provider-assigned unique ID for this managed resource.

    tagsAll Map<String,String>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    updateToken String

    A string token used when updating the rule group.

    arn string

    The Amazon Resource Name (ARN) that identifies the rule group.

    id string

    The provider-assigned unique ID for this managed resource.

    tagsAll {[key: string]: string}

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    updateToken string

    A string token used when updating the rule group.

    arn str

    The Amazon Resource Name (ARN) that identifies the rule group.

    id str

    The provider-assigned unique ID for this managed resource.

    tags_all Mapping[str, str]

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    update_token str

    A string token used when updating the rule group.

    arn String

    The Amazon Resource Name (ARN) that identifies the rule group.

    id String

    The provider-assigned unique ID for this managed resource.

    tagsAll Map<String>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    updateToken String

    A string token used when updating the rule group.

    Look up Existing RuleGroup Resource

    Get an existing RuleGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: RuleGroupState, opts?: CustomResourceOptions): RuleGroup
    @staticmethod
    def get(resource_name: str,
            id: str,
            opts: Optional[ResourceOptions] = None,
            arn: Optional[str] = None,
            capacity: Optional[int] = None,
            description: Optional[str] = None,
            encryption_configuration: Optional[RuleGroupEncryptionConfigurationArgs] = None,
            name: Optional[str] = None,
            rule_group: Optional[RuleGroupRuleGroupArgs] = None,
            rules: Optional[str] = None,
            tags: Optional[Mapping[str, str]] = None,
            tags_all: Optional[Mapping[str, str]] = None,
            type: Optional[str] = None,
            update_token: Optional[str] = None) -> RuleGroup
    func GetRuleGroup(ctx *Context, name string, id IDInput, state *RuleGroupState, opts ...ResourceOption) (*RuleGroup, error)
    public static RuleGroup Get(string name, Input<string> id, RuleGroupState? state, CustomResourceOptions? opts = null)
    public static RuleGroup get(String name, Output<String> id, RuleGroupState state, CustomResourceOptions options)
    Resource lookup is not supported in YAML
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    Arn string

    The Amazon Resource Name (ARN) that identifies the rule group.

    Capacity int

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    Description string

    A friendly description of the rule group.

    EncryptionConfiguration RuleGroupEncryptionConfigurationArgs

    KMS encryption configuration settings. See Encryption Configuration below for details.

    Name string

    A friendly name of the rule group.

    RuleGroupConfiguration RuleGroupRuleGroupArgs

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    Rules string

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    Tags Dictionary<string, string>

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    TagsAll Dictionary<string, string>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Type string

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    UpdateToken string

    A string token used when updating the rule group.

    Arn string

    The Amazon Resource Name (ARN) that identifies the rule group.

    Capacity int

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    Description string

    A friendly description of the rule group.

    EncryptionConfiguration RuleGroupEncryptionConfigurationArgs

    KMS encryption configuration settings. See Encryption Configuration below for details.

    Name string

    A friendly name of the rule group.

    RuleGroup RuleGroupRuleGroupArgs

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    Rules string

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    Tags map[string]string

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    TagsAll map[string]string

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    Type string

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    UpdateToken string

    A string token used when updating the rule group.

    arn String

    The Amazon Resource Name (ARN) that identifies the rule group.

    capacity Integer

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    description String

    A friendly description of the rule group.

    encryptionConfiguration RuleGroupEncryptionConfigurationArgs

    KMS encryption configuration settings. See Encryption Configuration below for details.

    name String

    A friendly name of the rule group.

    ruleGroup RuleGroupRuleGroupArgs

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    rules String

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    tags Map<String,String>

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll Map<String,String>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    type String

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    updateToken String

    A string token used when updating the rule group.

    arn string

    The Amazon Resource Name (ARN) that identifies the rule group.

    capacity number

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    description string

    A friendly description of the rule group.

    encryptionConfiguration RuleGroupEncryptionConfigurationArgs

    KMS encryption configuration settings. See Encryption Configuration below for details.

    name string

    A friendly name of the rule group.

    ruleGroup RuleGroupRuleGroupArgs

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    rules string

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    tags {[key: string]: string}

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll {[key: string]: string}

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    type string

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    updateToken string

    A string token used when updating the rule group.

    arn str

    The Amazon Resource Name (ARN) that identifies the rule group.

    capacity int

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    description str

    A friendly description of the rule group.

    encryption_configuration RuleGroupEncryptionConfigurationArgs

    KMS encryption configuration settings. See Encryption Configuration below for details.

    name str

    A friendly name of the rule group.

    rule_group RuleGroupRuleGroupArgs

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    rules str

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    tags Mapping[str, str]

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tags_all Mapping[str, str]

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    type str

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    update_token str

    A string token used when updating the rule group.

    arn String

    The Amazon Resource Name (ARN) that identifies the rule group.

    capacity Number

    The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

    description String

    A friendly description of the rule group.

    encryptionConfiguration Property Map

    KMS encryption configuration settings. See Encryption Configuration below for details.

    name String

    A friendly name of the rule group.

    ruleGroup Property Map

    A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

    rules String

    The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

    tags Map<String>

    A map of key:value pairs to associate with the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

    tagsAll Map<String>

    A map of tags assigned to the resource, including those inherited from the provider default_tags configuration block.

    type String

    Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

    updateToken String

    A string token used when updating the rule group.

    Supporting Types

    RuleGroupEncryptionConfiguration

    Type string

    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.

    KeyId string

    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

    Type string

    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.

    KeyId string

    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

    type String

    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.

    keyId String

    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

    type string

    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.

    keyId string

    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

    type str

    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.

    key_id str

    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

    type String

    The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.

    keyId String

    The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.

    RuleGroupRuleGroup

    RulesSource RuleGroupRuleGroupRulesSource

    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

    ReferenceSets RuleGroupRuleGroupReferenceSets

    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.

    RuleVariables RuleGroupRuleGroupRuleVariables

    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

    StatefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions

    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

    RulesSource RuleGroupRuleGroupRulesSource

    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

    ReferenceSets RuleGroupRuleGroupReferenceSets

    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.

    RuleVariables RuleGroupRuleGroupRuleVariables

    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

    StatefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions

    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

    rulesSource RuleGroupRuleGroupRulesSource

    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

    referenceSets RuleGroupRuleGroupReferenceSets

    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.

    ruleVariables RuleGroupRuleGroupRuleVariables

    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

    statefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions

    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

    rulesSource RuleGroupRuleGroupRulesSource

    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

    referenceSets RuleGroupRuleGroupReferenceSets

    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.

    ruleVariables RuleGroupRuleGroupRuleVariables

    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

    statefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions

    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

    rules_source RuleGroupRuleGroupRulesSource

    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

    reference_sets RuleGroupRuleGroupReferenceSets

    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.

    rule_variables RuleGroupRuleGroupRuleVariables

    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

    stateful_rule_options RuleGroupRuleGroupStatefulRuleOptions

    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

    rulesSource Property Map

    A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

    referenceSets Property Map

    A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.

    ruleVariables Property Map

    A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

    statefulRuleOptions Property Map

    A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

    RuleGroupRuleGroupReferenceSets

    RuleGroupRuleGroupReferenceSetsIpSetReference

    IpSetReferences List<RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference>

    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.

    Key string

    A unique alphanumeric string to identify the ip_set.

    IpSetReferences []RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference

    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.

    Key string

    A unique alphanumeric string to identify the ip_set.

    ipSetReferences List<RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference>

    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.

    key String

    A unique alphanumeric string to identify the ip_set.

    ipSetReferences RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference[]

    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.

    key string

    A unique alphanumeric string to identify the ip_set.

    ip_set_references Sequence[RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference]

    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.

    key str

    A unique alphanumeric string to identify the ip_set.

    ipSetReferences List<Property Map>

    Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.

    key String

    A unique alphanumeric string to identify the ip_set.

    RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference

    ReferenceArn string

    Set of Managed Prefix IP ARN(s)

    ReferenceArn string

    Set of Managed Prefix IP ARN(s)

    referenceArn String

    Set of Managed Prefix IP ARN(s)

    referenceArn string

    Set of Managed Prefix IP ARN(s)

    reference_arn str

    Set of Managed Prefix IP ARN(s)

    referenceArn String

    Set of Managed Prefix IP ARN(s)

    RuleGroupRuleGroupRuleVariables

    IpSets List<RuleGroupRuleGroupRuleVariablesIpSet>

    Set of configuration blocks that define IP address information. See IP Sets below for details.

    PortSets List<RuleGroupRuleGroupRuleVariablesPortSet>

    Set of configuration blocks that define port range information. See Port Sets below for details.

    IpSets []RuleGroupRuleGroupRuleVariablesIpSet

    Set of configuration blocks that define IP address information. See IP Sets below for details.

    PortSets []RuleGroupRuleGroupRuleVariablesPortSet

    Set of configuration blocks that define port range information. See Port Sets below for details.

    ipSets List<RuleGroupRuleGroupRuleVariablesIpSet>

    Set of configuration blocks that define IP address information. See IP Sets below for details.

    portSets List<RuleGroupRuleGroupRuleVariablesPortSet>

    Set of configuration blocks that define port range information. See Port Sets below for details.

    ipSets RuleGroupRuleGroupRuleVariablesIpSet[]

    Set of configuration blocks that define IP address information. See IP Sets below for details.

    portSets RuleGroupRuleGroupRuleVariablesPortSet[]

    Set of configuration blocks that define port range information. See Port Sets below for details.

    ip_sets Sequence[RuleGroupRuleGroupRuleVariablesIpSet]

    Set of configuration blocks that define IP address information. See IP Sets below for details.

    port_sets Sequence[RuleGroupRuleGroupRuleVariablesPortSet]

    Set of configuration blocks that define port range information. See Port Sets below for details.

    ipSets List<Property Map>

    Set of configuration blocks that define IP address information. See IP Sets below for details.

    portSets List<Property Map>

    Set of configuration blocks that define port range information. See Port Sets below for details.

    RuleGroupRuleGroupRuleVariablesIpSet

    IpSet RuleGroupRuleGroupRuleVariablesIpSetIpSet

    A configuration block that defines a set of IP addresses. See IP Set below for details.

    Key string

    A unique alphanumeric string to identify the ip_set.

    IpSet RuleGroupRuleGroupRuleVariablesIpSetIpSet

    A configuration block that defines a set of IP addresses. See IP Set below for details.

    Key string

    A unique alphanumeric string to identify the ip_set.

    ipSet RuleGroupRuleGroupRuleVariablesIpSetIpSet

    A configuration block that defines a set of IP addresses. See IP Set below for details.

    key String

    A unique alphanumeric string to identify the ip_set.

    ipSet RuleGroupRuleGroupRuleVariablesIpSetIpSet

    A configuration block that defines a set of IP addresses. See IP Set below for details.

    key string

    A unique alphanumeric string to identify the ip_set.

    ip_set RuleGroupRuleGroupRuleVariablesIpSetIpSet

    A configuration block that defines a set of IP addresses. See IP Set below for details.

    key str

    A unique alphanumeric string to identify the ip_set.

    ipSet Property Map

    A configuration block that defines a set of IP addresses. See IP Set below for details.

    key String

    A unique alphanumeric string to identify the ip_set.

    RuleGroupRuleGroupRuleVariablesIpSetIpSet

    Definitions List<string>

    Set of IP addresses and address ranges, in CIDR notation.

    Definitions []string

    Set of IP addresses and address ranges, in CIDR notation.

    definitions List<String>

    Set of IP addresses and address ranges, in CIDR notation.

    definitions string[]

    Set of IP addresses and address ranges, in CIDR notation.

    definitions Sequence[str]

    Set of IP addresses and address ranges, in CIDR notation.

    definitions List<String>

    Set of IP addresses and address ranges, in CIDR notation.

    RuleGroupRuleGroupRuleVariablesPortSet

    Key string

    An unique alphanumeric string to identify the port_set.

    PortSet RuleGroupRuleGroupRuleVariablesPortSetPortSet

    A configuration block that defines a set of port ranges. See Port Set below for details.

    Key string

    An unique alphanumeric string to identify the port_set.

    PortSet RuleGroupRuleGroupRuleVariablesPortSetPortSet

    A configuration block that defines a set of port ranges. See Port Set below for details.

    key String

    An unique alphanumeric string to identify the port_set.

    portSet RuleGroupRuleGroupRuleVariablesPortSetPortSet

    A configuration block that defines a set of port ranges. See Port Set below for details.

    key string

    An unique alphanumeric string to identify the port_set.

    portSet RuleGroupRuleGroupRuleVariablesPortSetPortSet

    A configuration block that defines a set of port ranges. See Port Set below for details.

    key str

    An unique alphanumeric string to identify the port_set.

    port_set RuleGroupRuleGroupRuleVariablesPortSetPortSet

    A configuration block that defines a set of port ranges. See Port Set below for details.

    key String

    An unique alphanumeric string to identify the port_set.

    portSet Property Map

    A configuration block that defines a set of port ranges. See Port Set below for details.

    RuleGroupRuleGroupRuleVariablesPortSetPortSet

    Definitions List<string>

    Set of port ranges.

    Definitions []string

    Set of port ranges.

    definitions List<String>

    Set of port ranges.

    definitions string[]

    Set of port ranges.

    definitions Sequence[str]

    Set of port ranges.

    definitions List<String>

    Set of port ranges.

    RuleGroupRuleGroupRulesSource

    RulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList

    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

    RulesString string

    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

    StatefulRules List<RuleGroupRuleGroupRulesSourceStatefulRule>

    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

    StatelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

    RulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList

    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

    RulesString string

    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

    StatefulRules []RuleGroupRuleGroupRulesSourceStatefulRule

    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

    StatelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

    rulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList

    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

    rulesString String

    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

    statefulRules List<RuleGroupRuleGroupRulesSourceStatefulRule>

    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

    statelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

    rulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList

    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

    rulesString string

    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

    statefulRules RuleGroupRuleGroupRulesSourceStatefulRule[]

    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

    statelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

    rules_source_list RuleGroupRuleGroupRulesSourceRulesSourceList

    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

    rules_string str

    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

    stateful_rules Sequence[RuleGroupRuleGroupRulesSourceStatefulRule]

    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

    stateless_rules_and_custom_actions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

    rulesSourceList Property Map

    A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

    rulesString String

    The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

    statefulRules List<Property Map>

    Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

    statelessRulesAndCustomActions Property Map

    A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

    RuleGroupRuleGroupRulesSourceRulesSourceList

    GeneratedRulesType string

    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

    TargetTypes List<string>

    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

    Targets List<string>

    Set of domains that you want to inspect for in your traffic flows.

    GeneratedRulesType string

    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

    TargetTypes []string

    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

    Targets []string

    Set of domains that you want to inspect for in your traffic flows.

    generatedRulesType String

    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

    targetTypes List<String>

    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

    targets List<String>

    Set of domains that you want to inspect for in your traffic flows.

    generatedRulesType string

    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

    targetTypes string[]

    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

    targets string[]

    Set of domains that you want to inspect for in your traffic flows.

    generated_rules_type str

    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

    target_types Sequence[str]

    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

    targets Sequence[str]

    Set of domains that you want to inspect for in your traffic flows.

    generatedRulesType String

    String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

    targetTypes List<String>

    Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

    targets List<String>

    Set of domains that you want to inspect for in your traffic flows.

    RuleGroupRuleGroupRulesSourceStatefulRule

    Action string

    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

    Header RuleGroupRuleGroupRulesSourceStatefulRuleHeader

    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

    RuleOptions List<RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption>

    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

    Action string

    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

    Header RuleGroupRuleGroupRulesSourceStatefulRuleHeader

    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

    RuleOptions []RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption

    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

    action String

    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

    header RuleGroupRuleGroupRulesSourceStatefulRuleHeader

    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

    ruleOptions List<RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption>

    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

    action string

    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

    header RuleGroupRuleGroupRulesSourceStatefulRuleHeader

    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

    ruleOptions RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption[]

    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

    action str

    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

    header RuleGroupRuleGroupRulesSourceStatefulRuleHeader

    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

    rule_options Sequence[RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption]

    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

    action String

    Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

    header Property Map

    A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

    ruleOptions List<Property Map>

    Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

    RuleGroupRuleGroupRulesSourceStatefulRuleHeader

    Destination string

    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

    DestinationPort string

    The destination port to inspect for. To match with any address, specify ANY.

    Direction string

    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

    Protocol string

    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

    Source string

    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

    SourcePort string

    The source port to inspect for. To match with any address, specify ANY.

    Destination string

    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

    DestinationPort string

    The destination port to inspect for. To match with any address, specify ANY.

    Direction string

    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

    Protocol string

    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

    Source string

    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

    SourcePort string

    The source port to inspect for. To match with any address, specify ANY.

    destination String

    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

    destinationPort String

    The destination port to inspect for. To match with any address, specify ANY.

    direction String

    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

    protocol String

    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

    source String

    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

    sourcePort String

    The source port to inspect for. To match with any address, specify ANY.

    destination string

    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

    destinationPort string

    The destination port to inspect for. To match with any address, specify ANY.

    direction string

    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

    protocol string

    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

    source string

    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

    sourcePort string

    The source port to inspect for. To match with any address, specify ANY.

    destination str

    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

    destination_port str

    The destination port to inspect for. To match with any address, specify ANY.

    direction str

    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

    protocol str

    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

    source str

    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

    source_port str

    The source port to inspect for. To match with any address, specify ANY.

    destination String

    The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

    destinationPort String

    The destination port to inspect for. To match with any address, specify ANY.

    direction String

    The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

    protocol String

    The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

    source String

    The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

    sourcePort String

    The source port to inspect for. To match with any address, specify ANY.

    RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption

    Keyword string

    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

    Settings List<string>

    Set of strings for additional settings to use in stateful rule inspection.

    Keyword string

    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

    Settings []string

    Set of strings for additional settings to use in stateful rule inspection.

    keyword String

    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

    settings List<String>

    Set of strings for additional settings to use in stateful rule inspection.

    keyword string

    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

    settings string[]

    Set of strings for additional settings to use in stateful rule inspection.

    keyword str

    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

    settings Sequence[str]

    Set of strings for additional settings to use in stateful rule inspection.

    keyword String

    Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

    settings List<String>

    Set of strings for additional settings to use in stateful rule inspection.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

    StatelessRules List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule>

    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

    CustomActions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction>

    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

    StatelessRules []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule

    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

    CustomActions []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction

    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

    statelessRules List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule>

    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

    customActions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction>

    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

    statelessRules RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule[]

    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

    customActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction[]

    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

    stateless_rules Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule]

    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

    custom_actions Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction]

    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

    statelessRules List<Property Map>

    Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

    customActions List<Property Map>

    Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction

    ActionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

    ActionName string

    A friendly name of the custom action.

    ActionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

    ActionName string

    A friendly name of the custom action.

    actionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

    actionName String

    A friendly name of the custom action.

    actionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

    actionName string

    A friendly name of the custom action.

    action_definition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

    action_name str

    A friendly name of the custom action.

    actionDefinition Property Map

    A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

    actionName String

    A friendly name of the custom action.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

    PublishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

    PublishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

    publishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

    publishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

    publish_metric_action RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

    publishMetricAction Property Map

    A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

    Dimensions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension>

    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

    Dimensions []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension

    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

    dimensions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension>

    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

    dimensions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension[]

    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

    dimensions Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension]

    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

    dimensions List<Property Map>

    Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension

    Value string

    The value to use in the custom metric dimension.

    Value string

    The value to use in the custom metric dimension.

    value String

    The value to use in the custom metric dimension.

    value string

    The value to use in the custom metric dimension.

    value str

    The value to use in the custom metric dimension.

    value String

    The value to use in the custom metric dimension.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule

    Priority int

    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

    RuleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

    Priority int

    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

    RuleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

    priority Integer

    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

    ruleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

    priority number

    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

    ruleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

    priority int

    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

    rule_definition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

    priority Number

    A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

    ruleDefinition Property Map

    A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

    Actions List<string>

    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

    MatchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

    Actions []string

    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

    MatchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

    actions List<String>

    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

    matchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

    actions string[]

    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

    matchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

    actions Sequence[str]

    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

    match_attributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

    actions List<String>

    Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

    matchAttributes Property Map

    A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

    DestinationPorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort>

    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

    Destinations List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination>

    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

    Protocols List<int>

    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

    SourcePorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort>

    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

    Sources List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource>

    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

    TcpFlags List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag>

    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

    DestinationPorts []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort

    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

    Destinations []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination

    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

    Protocols []int

    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

    SourcePorts []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort

    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

    Sources []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource

    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

    TcpFlags []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag

    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

    destinationPorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort>

    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

    destinations List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination>

    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

    protocols List<Integer>

    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

    sourcePorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort>

    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

    sources List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource>

    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

    tcpFlags List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag>

    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

    destinationPorts RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort[]

    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

    destinations RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination[]

    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

    protocols number[]

    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

    sourcePorts RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort[]

    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

    sources RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource[]

    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

    tcpFlags RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag[]

    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

    destination_ports Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort]

    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

    destinations Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination]

    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

    protocols Sequence[int]

    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

    source_ports Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort]

    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

    sources Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource]

    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

    tcp_flags Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag]

    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

    destinationPorts List<Property Map>

    Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

    destinations List<Property Map>

    Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

    protocols List<Number>

    Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

    sourcePorts List<Property Map>

    Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

    sources List<Property Map>

    Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

    tcpFlags List<Property Map>

    Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination

    AddressDefinition string

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    AddressDefinition string

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    addressDefinition String

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    addressDefinition string

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    address_definition str

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    addressDefinition String

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort

    FromPort int

    The lower limit of the port range. This must be less than or equal to the to_port.

    ToPort int

    The upper limit of the port range. This must be greater than or equal to the from_port.

    FromPort int

    The lower limit of the port range. This must be less than or equal to the to_port.

    ToPort int

    The upper limit of the port range. This must be greater than or equal to the from_port.

    fromPort Integer

    The lower limit of the port range. This must be less than or equal to the to_port.

    toPort Integer

    The upper limit of the port range. This must be greater than or equal to the from_port.

    fromPort number

    The lower limit of the port range. This must be less than or equal to the to_port.

    toPort number

    The upper limit of the port range. This must be greater than or equal to the from_port.

    from_port int

    The lower limit of the port range. This must be less than or equal to the to_port.

    to_port int

    The upper limit of the port range. This must be greater than or equal to the from_port.

    fromPort Number

    The lower limit of the port range. This must be less than or equal to the to_port.

    toPort Number

    The upper limit of the port range. This must be greater than or equal to the from_port.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource

    AddressDefinition string

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    AddressDefinition string

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    addressDefinition String

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    addressDefinition string

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    address_definition str

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    addressDefinition String

    An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort

    FromPort int

    The lower limit of the port range. This must be less than or equal to the to_port.

    ToPort int

    The upper limit of the port range. This must be greater than or equal to the from_port.

    FromPort int

    The lower limit of the port range. This must be less than or equal to the to_port.

    ToPort int

    The upper limit of the port range. This must be greater than or equal to the from_port.

    fromPort Integer

    The lower limit of the port range. This must be less than or equal to the to_port.

    toPort Integer

    The upper limit of the port range. This must be greater than or equal to the from_port.

    fromPort number

    The lower limit of the port range. This must be less than or equal to the to_port.

    toPort number

    The upper limit of the port range. This must be greater than or equal to the from_port.

    from_port int

    The lower limit of the port range. This must be less than or equal to the to_port.

    to_port int

    The upper limit of the port range. This must be greater than or equal to the from_port.

    fromPort Number

    The lower limit of the port range. This must be less than or equal to the to_port.

    toPort Number

    The upper limit of the port range. This must be greater than or equal to the from_port.

    RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag

    Flags List<string>

    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    Masks List<string>

    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    Flags []string

    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    Masks []string

    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    flags List<String>

    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    masks List<String>

    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    flags string[]

    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    masks string[]

    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    flags Sequence[str]

    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    masks Sequence[str]

    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    flags List<String>

    Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    masks List<String>

    Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

    RuleGroupRuleGroupStatefulRuleOptions

    RuleOrder string

    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

    RuleOrder string

    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

    ruleOrder String

    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

    ruleOrder string

    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

    rule_order str

    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

    ruleOrder String

    Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

    Import

    Network Firewall Rule Groups can be imported using their ARN.

     $ pulumi import aws:networkfirewall/ruleGroup:RuleGroup example arn:aws:network-firewall:us-west-1:123456789012:stateful-rulegroup/example
    

    Package Details

    Repository
    AWS Classic pulumi/pulumi-aws
    License
    Apache-2.0
    Notes

    This Pulumi package is based on the aws Terraform Provider.

    aws logo

    Try AWS Native preview for resources not in the classic version.

    AWS Classic v5.41.0 published on Monday, May 15, 2023 by Pulumi