AWS Classic

Pulumi Official
Package maintained by Pulumi
v5.10.0 published on Monday, Jul 11, 2022 by Pulumi

RuleGroup

Provides an AWS Network Firewall Rule Group Resource

Example Usage

Stateful Inspection for denying access to a domain

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new Aws.NetworkFirewall.RuleGroupArgs
        {
            Capacity = 100,
            RuleGroup = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
                    {
                        GeneratedRulesType = "DENYLIST",
                        TargetTypes = 
                        {
                            "HTTP_HOST",
                        },
                        Targets = 
                        {
                            "test.example.com",
                        },
                    },
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
            Type = "STATEFUL",
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
			Capacity: pulumi.Int(100),
			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
					RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
						GeneratedRulesType: pulumi.String("DENYLIST"),
						TargetTypes: pulumi.StringArray{
							pulumi.String("HTTP_HOST"),
						},
						Targets: pulumi.StringArray{
							pulumi.String("test.example.com"),
						},
					},
				},
			},
			Tags: pulumi.StringMap{
				"Tag1": pulumi.String("Value1"),
				"Tag2": pulumi.String("Value2"),
			},
			Type: pulumi.String("STATEFUL"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new RuleGroup("example", RuleGroupArgs.builder()        
            .capacity(100)
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                    .rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
                        .generatedRulesType("DENYLIST")
                        .targetTypes("HTTP_HOST")
                        .targets("test.example.com")
                        .build())
                    .build())
                .build())
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .type("STATEFUL")
            .build());

    }
}
import pulumi
import pulumi_aws as aws

example = aws.networkfirewall.RuleGroup("example",
    capacity=100,
    rule_group=aws.networkfirewall.RuleGroupRuleGroupArgs(
        rules_source=aws.networkfirewall.RuleGroupRuleGroupRulesSourceArgs(
            rules_source_list=aws.networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs(
                generated_rules_type="DENYLIST",
                target_types=["HTTP_HOST"],
                targets=["test.example.com"],
            ),
        ),
    ),
    tags={
        "Tag1": "Value1",
        "Tag2": "Value2",
    },
    type="STATEFUL")
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.networkfirewall.RuleGroup("example", {
    capacity: 100,
    ruleGroup: {
        rulesSource: {
            rulesSourceList: {
                generatedRulesType: "DENYLIST",
                targetTypes: ["HTTP_HOST"],
                targets: ["test.example.com"],
            },
        },
    },
    tags: {
        Tag1: "Value1",
        Tag2: "Value2",
    },
    type: "STATEFUL",
});
resources:
  example:
    type: aws:networkfirewall:RuleGroup
    properties:
      capacity: 100
      ruleGroup:
        rulesSource:
          rulesSourceList:
            generatedRulesType: DENYLIST
            targetTypes:
              - HTTP_HOST
            targets:
              - test.example.com
      tags:
        Tag1: Value1
        Tag2: Value2
      type: STATEFUL

Stateful Inspection for permitting packets from a source IP address

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var ips = 
        {
            "1.1.1.1/32",
            "1.0.0.1/32",
        };
        var example = new Aws.NetworkFirewall.RuleGroup("example", new Aws.NetworkFirewall.RuleGroupArgs
        {
            Capacity = 50,
            Description = "Permits http traffic from source",
            Type = "STATEFUL",
            RuleGroup = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    Dynamic = 
                    {
                        
                        {
                            { "forEach", ips },
                            { "content", 
                            {
                                
                                {
                                    { "action", "PASS" },
                                    { "header", 
                                    {
                                        
                                        {
                                            { "destination", "ANY" },
                                            { "destinationPort", "ANY" },
                                            { "protocol", "HTTP" },
                                            { "direction", "ANY" },
                                            { "sourcePort", "ANY" },
                                            { "source", stateful_rule.Value },
                                        },
                                    } },
                                    { "ruleOption", 
                                    {
                                        
                                        {
                                            { "keyword", "sid:1" },
                                        },
                                    } },
                                },
                            } },
                        },
                    },
                },
            },
            Tags = 
            {
                { "Name", "permit HTTP from source" },
            },
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		ips := []string{
			"1.1.1.1/32",
			"1.0.0.1/32",
		}
		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
			Capacity:    pulumi.Int(50),
			Description: pulumi.String("Permits http traffic from source"),
			Type:        pulumi.String("STATEFUL"),
			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
					Dynamic: []map[string]interface{}{
						map[string]interface{}{
							"forEach": ips,
							"content": []map[string]interface{}{
								map[string]interface{}{
									"action": "PASS",
									"header": []map[string]interface{}{
										map[string]interface{}{
											"destination":     "ANY",
											"destinationPort": "ANY",
											"protocol":        "HTTP",
											"direction":       "ANY",
											"sourcePort":      "ANY",
											"source":          stateful_rule.Value,
										},
									},
									"ruleOption": []map[string]interface{}{
										map[string]interface{}{
											"keyword": "sid:1",
										},
									},
								},
							},
						},
					},
				},
			},
			Tags: pulumi.StringMap{
				"Name": pulumi.String("permit HTTP from source"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        final var ips =         
            "1.1.1.1/32",
            "1.0.0.1/32";

        var example = new RuleGroup("example", RuleGroupArgs.builder()        
            .capacity(50)
            .description("Permits http traffic from source")
            .type("STATEFUL")
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                    .dynamic(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                    .build())
                .build())
            .tags(Map.of("Name", "permit HTTP from source"))
            .build());

    }
}
import pulumi
import pulumi_aws as aws

ips = [
    "1.1.1.1/32",
    "1.0.0.1/32",
]
example = aws.networkfirewall.RuleGroup("example",
    capacity=50,
    description="Permits http traffic from source",
    type="STATEFUL",
    rule_group=aws.networkfirewall.RuleGroupRuleGroupArgs(
        rules_source=aws.networkfirewall.RuleGroupRuleGroupRulesSourceArgs(
            dynamic=[{
                "forEach": ips,
                "content": [{
                    "action": "PASS",
                    "header": [{
                        "destination": "ANY",
                        "destinationPort": "ANY",
                        "protocol": "HTTP",
                        "direction": "ANY",
                        "sourcePort": "ANY",
                        "source": stateful_rule["value"],
                    }],
                    "ruleOption": [{
                        "keyword": "sid:1",
                    }],
                }],
            }],
        ),
    ),
    tags={
        "Name": "permit HTTP from source",
    })
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const ips = [
    "1.1.1.1/32",
    "1.0.0.1/32",
];
const example = new aws.networkfirewall.RuleGroup("example", {
    capacity: 50,
    description: "Permits http traffic from source",
    type: "STATEFUL",
    ruleGroup: {
        rulesSource: {
            dynamic: [{
                forEach: ips,
                content: [{
                    action: "PASS",
                    header: [{
                        destination: "ANY",
                        destinationPort: "ANY",
                        protocol: "HTTP",
                        direction: "ANY",
                        sourcePort: "ANY",
                        source: stateful_rule.value,
                    }],
                    ruleOption: [{
                        keyword: "sid:1",
                    }],
                }],
            }],
        },
    },
    tags: {
        Name: "permit HTTP from source",
    },
});
resources:
  example:
    type: aws:networkfirewall:RuleGroup
    properties:
      capacity: 50
      description: Permits http traffic from source
      type: STATEFUL
      ruleGroup:
        rulesSource:
          dynamic:
            - forEach: ${ips}
              content:
                - action: PASS
                  header:
                    - destination: ANY
                      destinationPort: ANY
                      protocol: HTTP
                      direction: ANY
                      sourcePort: ANY
                      source: ${stateful_rule.value}
                  ruleOption:
                    - keyword: sid:1
      tags:
        Name: permit HTTP from source
variables:
  ips:
    - 1.1.1.1/32
    - 1.0.0.1/32

Stateful Inspection for blocking packets from going to an intended destination

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new Aws.NetworkFirewall.RuleGroupArgs
        {
            Capacity = 100,
            RuleGroup = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    StatefulRule = 
                    {
                        
                        {
                            { "action", "DROP" },
                            { "header", 
                            {
                                { "destination", "124.1.1.24/32" },
                                { "destinationPort", 53 },
                                { "direction", "ANY" },
                                { "protocol", "TCP" },
                                { "source", "1.2.3.4/32" },
                                { "sourcePort", 53 },
                            } },
                            { "ruleOption", 
                            {
                                
                                {
                                    { "keyword", "sid:1" },
                                },
                            } },
                        },
                    },
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
            Type = "STATEFUL",
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
			Capacity: pulumi.Int(100),
			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
					StatefulRule: []map[string]interface{}{
						map[string]interface{}{
							"action": "DROP",
							"header": map[string]interface{}{
								"destination":     "124.1.1.24/32",
								"destinationPort": 53,
								"direction":       "ANY",
								"protocol":        "TCP",
								"source":          "1.2.3.4/32",
								"sourcePort":      53,
							},
							"ruleOption": []map[string]interface{}{
								map[string]interface{}{
									"keyword": "sid:1",
								},
							},
						},
					},
				},
			},
			Tags: pulumi.StringMap{
				"Tag1": pulumi.String("Value1"),
				"Tag2": pulumi.String("Value2"),
			},
			Type: pulumi.String("STATEFUL"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new RuleGroup("example", RuleGroupArgs.builder()        
            .capacity(100)
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                    .statefulRule(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                    .build())
                .build())
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .type("STATEFUL")
            .build());

    }
}
import pulumi
import pulumi_aws as aws

example = aws.networkfirewall.RuleGroup("example",
    capacity=100,
    rule_group=aws.networkfirewall.RuleGroupRuleGroupArgs(
        rules_source=aws.networkfirewall.RuleGroupRuleGroupRulesSourceArgs(
            stateful_rule=[{
                "action": "DROP",
                "header": {
                    "destination": "124.1.1.24/32",
                    "destinationPort": 53,
                    "direction": "ANY",
                    "protocol": "TCP",
                    "source": "1.2.3.4/32",
                    "sourcePort": 53,
                },
                "ruleOption": [{
                    "keyword": "sid:1",
                }],
            }],
        ),
    ),
    tags={
        "Tag1": "Value1",
        "Tag2": "Value2",
    },
    type="STATEFUL")
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.networkfirewall.RuleGroup("example", {
    capacity: 100,
    ruleGroup: {
        rulesSource: {
            statefulRules: [{
                action: "DROP",
                header: {
                    destination: "124.1.1.24/32",
                    destinationPort: "53",
                    direction: "ANY",
                    protocol: "TCP",
                    source: "1.2.3.4/32",
                    sourcePort: "53",
                },
                ruleOptions: [{
                    keyword: "sid:1",
                }],
            }],
        },
    },
    tags: {
        Tag1: "Value1",
        Tag2: "Value2",
    },
    type: "STATEFUL",
});
resources:
  example:
    type: aws:networkfirewall:RuleGroup
    properties:
      capacity: 100
      ruleGroup:
        rulesSource:
          statefulRule:
            - action: DROP
              header:
                destination: 124.1.1.24/32
                destinationPort: 53
                direction: ANY
                protocol: TCP
                source: 1.2.3.4/32
                sourcePort: 53
              ruleOption:
                - keyword: sid:1
      tags:
        Tag1: Value1
        Tag2: Value2
      type: STATEFUL

Stateful Inspection from rules specifications defined in Suricata flat format

using System.IO;
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new Aws.NetworkFirewall.RuleGroupArgs
        {
            Capacity = 100,
            Type = "STATEFUL",
            Rules = File.ReadAllText("example.rules"),
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });
    }

}
package main

import (
	"io/ioutil"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func readFileOrPanic(path string) pulumi.StringPtrInput {
	data, err := ioutil.ReadFile(path)
	if err != nil {
		panic(err.Error())
	}
	return pulumi.String(string(data))
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
			Capacity: pulumi.Int(100),
			Type:     pulumi.String("STATEFUL"),
			Rules:    readFileOrPanic("example.rules"),
			Tags: pulumi.StringMap{
				"Tag1": pulumi.String("Value1"),
				"Tag2": pulumi.String("Value2"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new RuleGroup("example", RuleGroupArgs.builder()        
            .capacity(100)
            .type("STATEFUL")
            .rules(Files.readString("example.rules"))
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .build());

    }
}
import pulumi
import pulumi_aws as aws

example = aws.networkfirewall.RuleGroup("example",
    capacity=100,
    type="STATEFUL",
    rules=(lambda path: open(path).read())("example.rules"),
    tags={
        "Tag1": "Value1",
        "Tag2": "Value2",
    })
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * from "fs";

const example = new aws.networkfirewall.RuleGroup("example", {
    capacity: 100,
    type: "STATEFUL",
    rules: fs.readFileSync("example.rules"),
    tags: {
        Tag1: "Value1",
        Tag2: "Value2",
    },
});

Coming soon!

Stateful Inspection from rule group specifications using rule variables and Suricata format rules

using System.IO;
using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new Aws.NetworkFirewall.RuleGroupArgs
        {
            Capacity = 100,
            Type = "STATEFUL",
            RuleGroup = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RuleVariables = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesArgs
                {
                    IpSets = 
                    {
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
                        {
                            Key = "WEBSERVERS_HOSTS",
                            IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
                            {
                                Definitions = 
                                {
                                    "10.0.0.0/16",
                                    "10.0.1.0/24",
                                    "192.168.0.0/16",
                                },
                            },
                        },
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
                        {
                            Key = "EXTERNAL_HOST",
                            IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
                            {
                                Definitions = 
                                {
                                    "1.2.3.4/32",
                                },
                            },
                        },
                    },
                    PortSets = 
                    {
                        new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetArgs
                        {
                            Key = "HTTP_PORTS",
                            PortSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
                            {
                                Definitions = 
                                {
                                    "443",
                                    "80",
                                },
                            },
                        },
                    },
                },
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    RulesString = File.ReadAllText("suricata_rules_file"),
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
        });
    }

}
package main

import (
	"io/ioutil"

	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func readFileOrPanic(path string) pulumi.StringPtrInput {
	data, err := ioutil.ReadFile(path)
	if err != nil {
		panic(err.Error())
	}
	return pulumi.String(string(data))
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
			Capacity: pulumi.Int(100),
			Type:     pulumi.String("STATEFUL"),
			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
				RuleVariables: &networkfirewall.RuleGroupRuleGroupRuleVariablesArgs{
					IpSets: networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArray{
						&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
							Key: pulumi.String("WEBSERVERS_HOSTS"),
							IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
								Definitions: pulumi.StringArray{
									pulumi.String("10.0.0.0/16"),
									pulumi.String("10.0.1.0/24"),
									pulumi.String("192.168.0.0/16"),
								},
							},
						},
						&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
							Key: pulumi.String("EXTERNAL_HOST"),
							IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
								Definitions: pulumi.StringArray{
									pulumi.String("1.2.3.4/32"),
								},
							},
						},
					},
					PortSets: networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArray{
						&networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArgs{
							Key: pulumi.String("HTTP_PORTS"),
							PortSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs{
								Definitions: pulumi.StringArray{
									pulumi.String("443"),
									pulumi.String("80"),
								},
							},
						},
					},
				},
				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
					RulesString: readFileOrPanic("suricata_rules_file"),
				},
			},
			Tags: pulumi.StringMap{
				"Tag1": pulumi.String("Value1"),
				"Tag2": pulumi.String("Value2"),
			},
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new RuleGroup("example", RuleGroupArgs.builder()        
            .capacity(100)
            .type("STATEFUL")
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .ruleVariables(RuleGroupRuleGroupRuleVariablesArgs.builder()
                    .ipSets(                    
                        RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
                            .key("WEBSERVERS_HOSTS")
                            .ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
                                .definitions(                                
                                    "10.0.0.0/16",
                                    "10.0.1.0/24",
                                    "192.168.0.0/16")
                                .build())
                            .build(),
                        RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
                            .key("EXTERNAL_HOST")
                            .ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
                                .definitions("1.2.3.4/32")
                                .build())
                            .build())
                    .portSets(RuleGroupRuleGroupRuleVariablesPortSetArgs.builder()
                        .key("HTTP_PORTS")
                        .portSet(RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs.builder()
                            .definitions(                            
                                "443",
                                "80")
                            .build())
                        .build())
                    .build())
                .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                    .rulesString(Files.readString("suricata_rules_file"))
                    .build())
                .build())
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .build());

    }
}
import pulumi
import pulumi_aws as aws

example = aws.networkfirewall.RuleGroup("example",
    capacity=100,
    type="STATEFUL",
    rule_group=aws.networkfirewall.RuleGroupRuleGroupArgs(
        rule_variables=aws.networkfirewall.RuleGroupRuleGroupRuleVariablesArgs(
            ip_sets=[
                aws.networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs(
                    key="WEBSERVERS_HOSTS",
                    ip_set=aws.networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs(
                        definitions=[
                            "10.0.0.0/16",
                            "10.0.1.0/24",
                            "192.168.0.0/16",
                        ],
                    ),
                ),
                aws.networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs(
                    key="EXTERNAL_HOST",
                    ip_set=aws.networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs(
                        definitions=["1.2.3.4/32"],
                    ),
                ),
            ],
            port_sets=[aws.networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArgs(
                key="HTTP_PORTS",
                port_set=aws.networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs(
                    definitions=[
                        "443",
                        "80",
                    ],
                ),
            )],
        ),
        rules_source=aws.networkfirewall.RuleGroupRuleGroupRulesSourceArgs(
            rules_string=(lambda path: open(path).read())("suricata_rules_file"),
        ),
    ),
    tags={
        "Tag1": "Value1",
        "Tag2": "Value2",
    })
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * from "fs";

const example = new aws.networkfirewall.RuleGroup("example", {
    capacity: 100,
    type: "STATEFUL",
    ruleGroup: {
        ruleVariables: {
            ipSets: [
                {
                    key: "WEBSERVERS_HOSTS",
                    ipSet: {
                        definitions: [
                            "10.0.0.0/16",
                            "10.0.1.0/24",
                            "192.168.0.0/16",
                        ],
                    },
                },
                {
                    key: "EXTERNAL_HOST",
                    ipSet: {
                        definitions: ["1.2.3.4/32"],
                    },
                },
            ],
            portSets: [{
                key: "HTTP_PORTS",
                portSet: {
                    definitions: [
                        "443",
                        "80",
                    ],
                },
            }],
        },
        rulesSource: {
            rulesString: fs.readFileSync("suricata_rules_file"),
        },
    },
    tags: {
        Tag1: "Value1",
        Tag2: "Value2",
    },
});

Coming soon!

Stateless Inspection with a Custom Action

using Pulumi;
using Aws = Pulumi.Aws;

class MyStack : Stack
{
    public MyStack()
    {
        var example = new Aws.NetworkFirewall.RuleGroup("example", new Aws.NetworkFirewall.RuleGroupArgs
        {
            Capacity = 100,
            Description = "Stateless Rate Limiting Rule",
            RuleGroup = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
            {
                RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
                {
                    StatelessRulesAndCustomActions = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs
                    {
                        CustomAction = 
                        {
                            
                            {
                                { "actionDefinition", 
                                {
                                    { "publishMetricAction", 
                                    {
                                        { "dimension", 
                                        {
                                            
                                            {
                                                { "value", "2" },
                                            },
                                        } },
                                    } },
                                } },
                                { "actionName", "ExampleMetricsAction" },
                            },
                        },
                        StatelessRule = 
                        {
                            
                            {
                                { "priority", 1 },
                                { "ruleDefinition", 
                                {
                                    { "actions", 
                                    {
                                        "aws:pass",
                                        "ExampleMetricsAction",
                                    } },
                                    { "matchAttributes", 
                                    {
                                        { "destination", 
                                        {
                                            
                                            {
                                                { "addressDefinition", "124.1.1.5/32" },
                                            },
                                        } },
                                        { "destinationPort", 
                                        {
                                            
                                            {
                                                { "fromPort", 443 },
                                                { "toPort", 443 },
                                            },
                                        } },
                                        { "protocols", 
                                        {
                                            6,
                                        } },
                                        { "source", 
                                        {
                                            
                                            {
                                                { "addressDefinition", "1.2.3.4/32" },
                                            },
                                        } },
                                        { "sourcePort", 
                                        {
                                            
                                            {
                                                { "fromPort", 443 },
                                                { "toPort", 443 },
                                            },
                                        } },
                                        { "tcpFlag", 
                                        {
                                            
                                            {
                                                { "flags", 
                                                {
                                                    "SYN",
                                                } },
                                                { "masks", 
                                                {
                                                    "SYN",
                                                    "ACK",
                                                } },
                                            },
                                        } },
                                    } },
                                } },
                            },
                        },
                    },
                },
            },
            Tags = 
            {
                { "Tag1", "Value1" },
                { "Tag2", "Value2" },
            },
            Type = "STATELESS",
        });
    }

}
package main

import (
	"github.com/pulumi/pulumi-aws/sdk/v5/go/aws/networkfirewall"
	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
			Capacity:    pulumi.Int(100),
			Description: pulumi.String("Stateless Rate Limiting Rule"),
			RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
				RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
					StatelessRulesAndCustomActions: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs{
						CustomAction: []map[string]interface{}{
							map[string]interface{}{
								"actionDefinition": map[string]interface{}{
									"publishMetricAction": map[string]interface{}{
										"dimension": []map[string]interface{}{
											map[string]interface{}{
												"value": "2",
											},
										},
									},
								},
								"actionName": "ExampleMetricsAction",
							},
						},
						StatelessRule: []map[string]interface{}{
							map[string]interface{}{
								"priority": 1,
								"ruleDefinition": map[string]interface{}{
									"actions": []string{
										"aws:pass",
										"ExampleMetricsAction",
									},
									"matchAttributes": map[string]interface{}{
										"destination": []map[string]interface{}{
											map[string]interface{}{
												"addressDefinition": "124.1.1.5/32",
											},
										},
										"destinationPort": []map[string]interface{}{
											map[string]interface{}{
												"fromPort": 443,
												"toPort":   443,
											},
										},
										"protocols": []float64{
											6,
										},
										"source": []map[string]interface{}{
											map[string]interface{}{
												"addressDefinition": "1.2.3.4/32",
											},
										},
										"sourcePort": []map[string]interface{}{
											map[string]interface{}{
												"fromPort": 443,
												"toPort":   443,
											},
										},
										"tcpFlag": []map[string]interface{}{
											map[string]interface{}{
												"flags": []string{
													"SYN",
												},
												"masks": []string{
													"SYN",
													"ACK",
												},
											},
										},
									},
								},
							},
						},
					},
				},
			},
			Tags: pulumi.StringMap{
				"Tag1": pulumi.String("Value1"),
				"Tag2": pulumi.String("Value2"),
			},
			Type: pulumi.String("STATELESS"),
		})
		if err != nil {
			return err
		}
		return nil
	})
}
package generated_program;

import java.util.*;
import java.io.*;
import java.nio.*;
import com.pulumi.*;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        var example = new RuleGroup("example", RuleGroupArgs.builder()        
            .capacity(100)
            .description("Stateless Rate Limiting Rule")
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                    .statelessRulesAndCustomActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs.builder()
                        .customAction(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                        .statelessRule(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                        .build())
                    .build())
                .build())
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .type("STATELESS")
            .build());

    }
}
import pulumi
import pulumi_aws as aws

example = aws.networkfirewall.RuleGroup("example",
    capacity=100,
    description="Stateless Rate Limiting Rule",
    rule_group=aws.networkfirewall.RuleGroupRuleGroupArgs(
        rules_source=aws.networkfirewall.RuleGroupRuleGroupRulesSourceArgs(
            stateless_rules_and_custom_actions=aws.networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs(
                custom_action=[{
                    "actionDefinition": {
                        "publishMetricAction": {
                            "dimension": [{
                                "value": "2",
                            }],
                        },
                    },
                    "actionName": "ExampleMetricsAction",
                }],
                stateless_rule=[{
                    "priority": 1,
                    "ruleDefinition": {
                        "actions": [
                            "aws:pass",
                            "ExampleMetricsAction",
                        ],
                        "matchAttributes": {
                            "destination": [{
                                "addressDefinition": "124.1.1.5/32",
                            }],
                            "destinationPort": [{
                                "fromPort": 443,
                                "toPort": 443,
                            }],
                            "protocols": [6],
                            "source": [{
                                "addressDefinition": "1.2.3.4/32",
                            }],
                            "sourcePort": [{
                                "fromPort": 443,
                                "toPort": 443,
                            }],
                            "tcpFlag": [{
                                "flags": ["SYN"],
                                "masks": [
                                    "SYN",
                                    "ACK",
                                ],
                            }],
                        },
                    },
                }],
            ),
        ),
    ),
    tags={
        "Tag1": "Value1",
        "Tag2": "Value2",
    },
    type="STATELESS")
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

const example = new aws.networkfirewall.RuleGroup("example", {
    capacity: 100,
    description: "Stateless Rate Limiting Rule",
    ruleGroup: {
        rulesSource: {
            statelessRulesAndCustomActions: {
                customActions: [{
                    actionDefinition: {
                        publishMetricAction: {
                            dimensions: [{
                                value: "2",
                            }],
                        },
                    },
                    actionName: "ExampleMetricsAction",
                }],
                statelessRules: [{
                    priority: 1,
                    ruleDefinition: {
                        actions: [
                            "aws:pass",
                            "ExampleMetricsAction",
                        ],
                        matchAttributes: {
                            destinations: [{
                                addressDefinition: "124.1.1.5/32",
                            }],
                            destinationPorts: [{
                                fromPort: 443,
                                toPort: 443,
                            }],
                            protocols: [6],
                            sources: [{
                                addressDefinition: "1.2.3.4/32",
                            }],
                            sourcePorts: [{
                                fromPort: 443,
                                toPort: 443,
                            }],
                            tcpFlags: [{
                                flags: ["SYN"],
                                masks: [
                                    "SYN",
                                    "ACK",
                                ],
                            }],
                        },
                    },
                }],
            },
        },
    },
    tags: {
        Tag1: "Value1",
        Tag2: "Value2",
    },
    type: "STATELESS",
});
resources:
  example:
    type: aws:networkfirewall:RuleGroup
    properties:
      capacity: 100
      description: Stateless Rate Limiting Rule
      ruleGroup:
        rulesSource:
          statelessRulesAndCustomActions:
            customAction:
              - actionDefinition:
                  publishMetricAction:
                    dimension:
                      - value: 2
                actionName: ExampleMetricsAction
            statelessRule:
              - priority: 1
                ruleDefinition:
                  actions:
                    - aws:pass
                    - ExampleMetricsAction
                  matchAttributes:
                    destination:
                      - addressDefinition: 124.1.1.5/32
                    destinationPort:
                      - fromPort: 443
                        toPort: 443
                    protocols:
                      - 6
                    source:
                      - addressDefinition: 1.2.3.4/32
                    sourcePort:
                      - fromPort: 443
                        toPort: 443
                    tcpFlag:
                      - flags:
                          - SYN
                        masks:
                          - SYN
                          - ACK
      tags:
        Tag1: Value1
        Tag2: Value2
      type: STATELESS

Create a RuleGroup Resource

new RuleGroup(name: string, args: RuleGroupArgs, opts?: CustomResourceOptions);
@overload
def RuleGroup(resource_name: str,
              opts: Optional[ResourceOptions] = None,
              capacity: Optional[int] = None,
              description: Optional[str] = None,
              name: Optional[str] = None,
              rule_group: Optional[RuleGroupRuleGroupArgs] = None,
              rules: Optional[str] = None,
              tags: Optional[Mapping[str, str]] = None,
              type: Optional[str] = None)
@overload
def RuleGroup(resource_name: str,
              args: RuleGroupArgs,
              opts: Optional[ResourceOptions] = None)
func NewRuleGroup(ctx *Context, name string, args RuleGroupArgs, opts ...ResourceOption) (*RuleGroup, error)
public RuleGroup(string name, RuleGroupArgs args, CustomResourceOptions? opts = null)
public RuleGroup(String name, RuleGroupArgs args)
public RuleGroup(String name, RuleGroupArgs args, CustomResourceOptions options)
type: aws:networkfirewall:RuleGroup
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

name string
The unique name of the resource.
args RuleGroupArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
resource_name str
The unique name of the resource.
args RuleGroupArgs
The arguments to resource properties.
opts ResourceOptions
Bag of options to control resource's behavior.
ctx Context
Context object for the current deployment.
name string
The unique name of the resource.
args RuleGroupArgs
The arguments to resource properties.
opts ResourceOption
Bag of options to control resource's behavior.
name string
The unique name of the resource.
args RuleGroupArgs
The arguments to resource properties.
opts CustomResourceOptions
Bag of options to control resource's behavior.
name String
The unique name of the resource.
args RuleGroupArgs
The arguments to resource properties.
options CustomResourceOptions
Bag of options to control resource's behavior.

RuleGroup Resource Properties

To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

Inputs

The RuleGroup resource accepts the following input properties:

Capacity int

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

Type string

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

Description string

A friendly description of the rule group.

Name string

A friendly name of the rule group.

RuleGroupConfiguration RuleGroupRuleGroupArgs

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

Rules string

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

Tags Dictionary<string, string>

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Capacity int

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

Type string

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

Description string

A friendly description of the rule group.

Name string

A friendly name of the rule group.

RuleGroup RuleGroupRuleGroupArgs

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

Rules string

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

Tags map[string]string

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

capacity Integer

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

type String

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

description String

A friendly description of the rule group.

name String

A friendly name of the rule group.

ruleGroup RuleGroupRuleGroupArgs

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

rules String

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

tags Map<String,String>

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

capacity number

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

type string

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

description string

A friendly description of the rule group.

name string

A friendly name of the rule group.

ruleGroup RuleGroupRuleGroupArgs

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

rules string

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

tags {[key: string]: string}

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

capacity int

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

type str

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

description str

A friendly description of the rule group.

name str

A friendly name of the rule group.

rule_group RuleGroupRuleGroupArgs

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

rules str

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

tags Mapping[str, str]

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

capacity Number

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

type String

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

description String

A friendly description of the rule group.

name String

A friendly name of the rule group.

ruleGroup Property Map

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

rules String

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

tags Map<String>

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Outputs

All input properties are implicitly available as output properties. Additionally, the RuleGroup resource produces the following output properties:

Arn string

The Amazon Resource Name (ARN) that identifies the rule group.

Id string

The provider-assigned unique ID for this managed resource.

TagsAll Dictionary<string, string>

A map of tags assigned to the resource, including those inherited from the provider .

UpdateToken string

A string token used when updating the rule group.

Arn string

The Amazon Resource Name (ARN) that identifies the rule group.

Id string

The provider-assigned unique ID for this managed resource.

TagsAll map[string]string

A map of tags assigned to the resource, including those inherited from the provider .

UpdateToken string

A string token used when updating the rule group.

arn String

The Amazon Resource Name (ARN) that identifies the rule group.

id String

The provider-assigned unique ID for this managed resource.

tagsAll Map<String,String>

A map of tags assigned to the resource, including those inherited from the provider .

updateToken String

A string token used when updating the rule group.

arn string

The Amazon Resource Name (ARN) that identifies the rule group.

id string

The provider-assigned unique ID for this managed resource.

tagsAll {[key: string]: string}

A map of tags assigned to the resource, including those inherited from the provider .

updateToken string

A string token used when updating the rule group.

arn str

The Amazon Resource Name (ARN) that identifies the rule group.

id str

The provider-assigned unique ID for this managed resource.

tags_all Mapping[str, str]

A map of tags assigned to the resource, including those inherited from the provider .

update_token str

A string token used when updating the rule group.

arn String

The Amazon Resource Name (ARN) that identifies the rule group.

id String

The provider-assigned unique ID for this managed resource.

tagsAll Map<String>

A map of tags assigned to the resource, including those inherited from the provider .

updateToken String

A string token used when updating the rule group.

Look up an Existing RuleGroup Resource

Get an existing RuleGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

public static get(name: string, id: Input<ID>, state?: RuleGroupState, opts?: CustomResourceOptions): RuleGroup
@staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        arn: Optional[str] = None,
        capacity: Optional[int] = None,
        description: Optional[str] = None,
        name: Optional[str] = None,
        rule_group: Optional[RuleGroupRuleGroupArgs] = None,
        rules: Optional[str] = None,
        tags: Optional[Mapping[str, str]] = None,
        tags_all: Optional[Mapping[str, str]] = None,
        type: Optional[str] = None,
        update_token: Optional[str] = None) -> RuleGroup
func GetRuleGroup(ctx *Context, name string, id IDInput, state *RuleGroupState, opts ...ResourceOption) (*RuleGroup, error)
public static RuleGroup Get(string name, Input<string> id, RuleGroupState? state, CustomResourceOptions? opts = null)
public static RuleGroup get(String name, Output<String> id, RuleGroupState state, CustomResourceOptions options)
Resource lookup is not supported in YAML
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
resource_name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
name
The unique name of the resulting resource.
id
The unique provider ID of the resource to lookup.
state
Any extra arguments used during the lookup.
opts
A bag of options that control this resource's behavior.
The following state arguments are supported:
Arn string

The Amazon Resource Name (ARN) that identifies the rule group.

Capacity int

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

Description string

A friendly description of the rule group.

Name string

A friendly name of the rule group.

RuleGroupConfiguration RuleGroupRuleGroupArgs

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

Rules string

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

Tags Dictionary<string, string>

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

TagsAll Dictionary<string, string>

A map of tags assigned to the resource, including those inherited from the provider .

Type string

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

UpdateToken string

A string token used when updating the rule group.

Arn string

The Amazon Resource Name (ARN) that identifies the rule group.

Capacity int

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

Description string

A friendly description of the rule group.

Name string

A friendly name of the rule group.

RuleGroup RuleGroupRuleGroupArgs

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

Rules string

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

Tags map[string]string

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

TagsAll map[string]string

A map of tags assigned to the resource, including those inherited from the provider .

Type string

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

UpdateToken string

A string token used when updating the rule group.

arn String

The Amazon Resource Name (ARN) that identifies the rule group.

capacity Integer

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

description String

A friendly description of the rule group.

name String

A friendly name of the rule group.

ruleGroup RuleGroupRuleGroupArgs

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

rules String

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

tags Map<String,String>

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll Map<String,String>

A map of tags assigned to the resource, including those inherited from the provider .

type String

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

updateToken String

A string token used when updating the rule group.

arn string

The Amazon Resource Name (ARN) that identifies the rule group.

capacity number

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

description string

A friendly description of the rule group.

name string

A friendly name of the rule group.

ruleGroup RuleGroupRuleGroupArgs

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

rules string

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

tags {[key: string]: string}

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll {[key: string]: string}

A map of tags assigned to the resource, including those inherited from the provider .

type string

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

updateToken string

A string token used when updating the rule group.

arn str

The Amazon Resource Name (ARN) that identifies the rule group.

capacity int

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

description str

A friendly description of the rule group.

name str

A friendly name of the rule group.

rule_group RuleGroupRuleGroupArgs

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

rules str

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

tags Mapping[str, str]

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tags_all Mapping[str, str]

A map of tags assigned to the resource, including those inherited from the provider .

type str

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

update_token str

A string token used when updating the rule group.

arn String

The Amazon Resource Name (ARN) that identifies the rule group.

capacity Number

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

description String

A friendly description of the rule group.

name String

A friendly name of the rule group.

ruleGroup Property Map

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

rules String

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

tags Map<String>

A map of key:value pairs to associate with the resource. .If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

tagsAll Map<String>

A map of tags assigned to the resource, including those inherited from the provider .

type String

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include: STATEFUL or STATELESS.

updateToken String

A string token used when updating the rule group.

Supporting Types

RuleGroupRuleGroup

RulesSource RuleGroupRuleGroupRulesSource

A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

RuleVariables RuleGroupRuleGroupRuleVariables

A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

StatefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions

A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

RulesSource RuleGroupRuleGroupRulesSource

A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

RuleVariables RuleGroupRuleGroupRuleVariables

A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

StatefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions

A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

rulesSource RuleGroupRuleGroupRulesSource

A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

ruleVariables RuleGroupRuleGroupRuleVariables

A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

statefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions

A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

rulesSource RuleGroupRuleGroupRulesSource

A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

ruleVariables RuleGroupRuleGroupRuleVariables

A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

statefulRuleOptions RuleGroupRuleGroupStatefulRuleOptions

A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

rules_source RuleGroupRuleGroupRulesSource

A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

rule_variables RuleGroupRuleGroupRuleVariables

A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

stateful_rule_options RuleGroupRuleGroupStatefulRuleOptions

A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

rulesSource Property Map

A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.

ruleVariables Property Map

A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.

statefulRuleOptions Property Map

A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.

RuleGroupRuleGroupRuleVariables

IpSets List<RuleGroupRuleGroupRuleVariablesIpSet>

Set of configuration blocks that define IP address information. See IP Sets below for details.

PortSets List<RuleGroupRuleGroupRuleVariablesPortSet>

Set of configuration blocks that define port range information. See Port Sets below for details.

IpSets []RuleGroupRuleGroupRuleVariablesIpSet

Set of configuration blocks that define IP address information. See IP Sets below for details.

PortSets []RuleGroupRuleGroupRuleVariablesPortSet

Set of configuration blocks that define port range information. See Port Sets below for details.

ipSets List<RuleGroupRuleGroupRuleVariablesIpSet>

Set of configuration blocks that define IP address information. See IP Sets below for details.

portSets List<RuleGroupRuleGroupRuleVariablesPortSet>

Set of configuration blocks that define port range information. See Port Sets below for details.

ipSets RuleGroupRuleGroupRuleVariablesIpSet[]

Set of configuration blocks that define IP address information. See IP Sets below for details.

portSets RuleGroupRuleGroupRuleVariablesPortSet[]

Set of configuration blocks that define port range information. See Port Sets below for details.

ip_sets Sequence[RuleGroupRuleGroupRuleVariablesIpSet]

Set of configuration blocks that define IP address information. See IP Sets below for details.

port_sets Sequence[RuleGroupRuleGroupRuleVariablesPortSet]

Set of configuration blocks that define port range information. See Port Sets below for details.

ipSets List<Property Map>

Set of configuration blocks that define IP address information. See IP Sets below for details.

portSets List<Property Map>

Set of configuration blocks that define port range information. See Port Sets below for details.

RuleGroupRuleGroupRuleVariablesIpSet

IpSet RuleGroupRuleGroupRuleVariablesIpSetIpSet

A configuration block that defines a set of IP addresses. See IP Set below for details.

Key string

A unique alphanumeric string to identify the ip_set.

IpSet RuleGroupRuleGroupRuleVariablesIpSetIpSet

A configuration block that defines a set of IP addresses. See IP Set below for details.

Key string

A unique alphanumeric string to identify the ip_set.

ipSet RuleGroupRuleGroupRuleVariablesIpSetIpSet

A configuration block that defines a set of IP addresses. See IP Set below for details.

key String

A unique alphanumeric string to identify the ip_set.

ipSet RuleGroupRuleGroupRuleVariablesIpSetIpSet

A configuration block that defines a set of IP addresses. See IP Set below for details.

key string

A unique alphanumeric string to identify the ip_set.

ip_set RuleGroupRuleGroupRuleVariablesIpSetIpSet

A configuration block that defines a set of IP addresses. See IP Set below for details.

key str

A unique alphanumeric string to identify the ip_set.

ipSet Property Map

A configuration block that defines a set of IP addresses. See IP Set below for details.

key String

A unique alphanumeric string to identify the ip_set.

RuleGroupRuleGroupRuleVariablesIpSetIpSet

Definitions List<string>

Set of IP addresses and address ranges, in CIDR notation.

Definitions []string

Set of IP addresses and address ranges, in CIDR notation.

definitions List<String>

Set of IP addresses and address ranges, in CIDR notation.

definitions string[]

Set of IP addresses and address ranges, in CIDR notation.

definitions Sequence[str]

Set of IP addresses and address ranges, in CIDR notation.

definitions List<String>

Set of IP addresses and address ranges, in CIDR notation.

RuleGroupRuleGroupRuleVariablesPortSet

Key string

An unique alphanumeric string to identify the port_set.

PortSet RuleGroupRuleGroupRuleVariablesPortSetPortSet

A configuration block that defines a set of port ranges. See Port Set below for details.

Key string

An unique alphanumeric string to identify the port_set.

PortSet RuleGroupRuleGroupRuleVariablesPortSetPortSet

A configuration block that defines a set of port ranges. See Port Set below for details.

key String

An unique alphanumeric string to identify the port_set.

portSet RuleGroupRuleGroupRuleVariablesPortSetPortSet

A configuration block that defines a set of port ranges. See Port Set below for details.

key string

An unique alphanumeric string to identify the port_set.

portSet RuleGroupRuleGroupRuleVariablesPortSetPortSet

A configuration block that defines a set of port ranges. See Port Set below for details.

key str

An unique alphanumeric string to identify the port_set.

port_set RuleGroupRuleGroupRuleVariablesPortSetPortSet

A configuration block that defines a set of port ranges. See Port Set below for details.

key String

An unique alphanumeric string to identify the port_set.

portSet Property Map

A configuration block that defines a set of port ranges. See Port Set below for details.

RuleGroupRuleGroupRuleVariablesPortSetPortSet

Definitions List<string>

Set of port ranges.

Definitions []string

Set of port ranges.

definitions List<String>

Set of port ranges.

definitions string[]

Set of port ranges.

definitions Sequence[str]

Set of port ranges.

definitions List<String>

Set of port ranges.

RuleGroupRuleGroupRulesSource

RulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList

A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

RulesString string

The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

StatefulRules List<RuleGroupRuleGroupRulesSourceStatefulRule>

Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

StatelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

RulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList

A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

RulesString string

The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

StatefulRules []RuleGroupRuleGroupRulesSourceStatefulRule

Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

StatelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

rulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList

A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

rulesString String

The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

statefulRules List<RuleGroupRuleGroupRulesSourceStatefulRule>

Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

statelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

rulesSourceList RuleGroupRuleGroupRulesSourceRulesSourceList

A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

rulesString string

The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

statefulRules RuleGroupRuleGroupRulesSourceStatefulRule[]

Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

statelessRulesAndCustomActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

rules_source_list RuleGroupRuleGroupRulesSourceRulesSourceList

A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

rules_string str

The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

stateful_rules Sequence[RuleGroupRuleGroupRulesSourceStatefulRule]

Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

stateless_rules_and_custom_actions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

rulesSourceList Property Map

A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.

rulesString String

The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.

statefulRules List<Property Map>

Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.

statelessRulesAndCustomActions Property Map

A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.

RuleGroupRuleGroupRulesSourceRulesSourceList

GeneratedRulesType string

String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

TargetTypes List<string>

Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

Targets List<string>

Set of domains that you want to inspect for in your traffic flows.

GeneratedRulesType string

String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

TargetTypes []string

Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

Targets []string

Set of domains that you want to inspect for in your traffic flows.

generatedRulesType String

String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

targetTypes List<String>

Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

targets List<String>

Set of domains that you want to inspect for in your traffic flows.

generatedRulesType string

String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

targetTypes string[]

Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

targets string[]

Set of domains that you want to inspect for in your traffic flows.

generated_rules_type str

String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

target_types Sequence[str]

Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

targets Sequence[str]

Set of domains that you want to inspect for in your traffic flows.

generatedRulesType String

String value to specify whether domains in the target list are allowed or denied access. Valid values: ALLOWLIST, DENYLIST.

targetTypes List<String>

Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.

targets List<String>

Set of domains that you want to inspect for in your traffic flows.

RuleGroupRuleGroupRulesSourceStatefulRule

Action string

Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

Header RuleGroupRuleGroupRulesSourceStatefulRuleHeader

A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

RuleOptions List<RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption>

Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

Action string

Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

Header RuleGroupRuleGroupRulesSourceStatefulRuleHeader

A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

RuleOptions []RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption

Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

action String

Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

header RuleGroupRuleGroupRulesSourceStatefulRuleHeader

A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

ruleOptions List<RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption>

Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

action string

Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

header RuleGroupRuleGroupRulesSourceStatefulRuleHeader

A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

ruleOptions RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption[]

Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

action str

Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

header RuleGroupRuleGroupRulesSourceStatefulRuleHeader

A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

rule_options Sequence[RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption]

Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

action String

Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values: ALERT, DROP or PASS.

header Property Map

A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.

ruleOptions List<Property Map>

Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.

RuleGroupRuleGroupRulesSourceStatefulRuleHeader

Destination string

The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

DestinationPort string

The destination port to inspect for. To match with any address, specify ANY.

Direction string

The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

Protocol string

The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

Source string

The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

SourcePort string

The source port to inspect for. To match with any address, specify ANY.

Destination string

The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

DestinationPort string

The destination port to inspect for. To match with any address, specify ANY.

Direction string

The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

Protocol string

The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

Source string

The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

SourcePort string

The source port to inspect for. To match with any address, specify ANY.

destination String

The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

destinationPort String

The destination port to inspect for. To match with any address, specify ANY.

direction String

The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

protocol String

The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

source String

The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

sourcePort String

The source port to inspect for. To match with any address, specify ANY.

destination string

The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

destinationPort string

The destination port to inspect for. To match with any address, specify ANY.

direction string

The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

protocol string

The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

source string

The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

sourcePort string

The source port to inspect for. To match with any address, specify ANY.

destination str

The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

destination_port str

The destination port to inspect for. To match with any address, specify ANY.

direction str

The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

protocol str

The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

source str

The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

source_port str

The source port to inspect for. To match with any address, specify ANY.

destination String

The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY.

destinationPort String

The destination port to inspect for. To match with any address, specify ANY.

direction String

The direction of traffic flow to inspect. Valid values: ANY or FORWARD.

protocol String

The protocol to inspect. Valid values: IP, TCP, UDP, ICMP, HTTP, FTP, TLS, SMB, DNS, DCERPC, SSH, SMTP, IMAP, MSN, KRB5, IKEV2, TFTP, NTP, DHCP.

source String

The source IP address or address range for, in CIDR notation. To match with any address, specify ANY.

sourcePort String

The source port to inspect for. To match with any address, specify ANY.

RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption

Keyword string

Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

Settings List<string>

Set of strings for additional settings to use in stateful rule inspection.

Keyword string

Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

Settings []string

Set of strings for additional settings to use in stateful rule inspection.

keyword String

Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

settings List<String>

Set of strings for additional settings to use in stateful rule inspection.

keyword string

Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

settings string[]

Set of strings for additional settings to use in stateful rule inspection.

keyword str

Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

settings Sequence[str]

Set of strings for additional settings to use in stateful rule inspection.

keyword String

Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.

settings List<String>

Set of strings for additional settings to use in stateful rule inspection.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions

StatelessRules List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule>

Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

CustomActions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction>

Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

StatelessRules []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule

Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

CustomActions []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction

Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

statelessRules List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule>

Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

customActions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction>

Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

statelessRules RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule[]

Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

customActions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction[]

Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

stateless_rules Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule]

Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

custom_actions Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction]

Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

statelessRules List<Property Map>

Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.

customActions List<Property Map>

Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction

ActionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

ActionName string

A friendly name of the custom action.

ActionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

ActionName string

A friendly name of the custom action.

actionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

actionName String

A friendly name of the custom action.

actionDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

actionName string

A friendly name of the custom action.

action_definition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

action_name str

A friendly name of the custom action.

actionDefinition Property Map

A configuration block describing the custom action associated with the action_name. See Action Definition below for details.

actionName String

A friendly name of the custom action.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition

PublishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

PublishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

publishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

publishMetricAction RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

publish_metric_action RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

publishMetricAction Property Map

A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction

Dimensions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension>

Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

Dimensions []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension

Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

dimensions List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension>

Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

dimensions RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension[]

Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

dimensions Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension]

Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

dimensions List<Property Map>

Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension

Value string

The value to use in the custom metric dimension.

Value string

The value to use in the custom metric dimension.

value String

The value to use in the custom metric dimension.

value string

The value to use in the custom metric dimension.

value str

The value to use in the custom metric dimension.

value String

The value to use in the custom metric dimension.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule

Priority int

A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

RuleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

Priority int

A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

RuleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

priority Integer

A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

ruleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

priority number

A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

ruleDefinition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

priority int

A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

rule_definition RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

priority Number

A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.

ruleDefinition Property Map

A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition

Actions List<string>

Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

MatchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

Actions []string

Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

MatchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

actions List<String>

Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

matchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

actions string[]

Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

matchAttributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

actions Sequence[str]

Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

match_attributes RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

actions List<String>

Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.

matchAttributes Property Map

A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes

DestinationPorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort>

Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

Destinations List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination>

Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

Protocols List<int>

Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

SourcePorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort>

Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

Sources List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource>

Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

TcpFlags List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag>

Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

DestinationPorts []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort

Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

Destinations []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination

Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

Protocols []int

Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

SourcePorts []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort

Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

Sources []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource

Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

TcpFlags []RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag

Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

destinationPorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort>

Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

destinations List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination>

Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

protocols List<Integer>

Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

sourcePorts List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort>

Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

sources List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource>

Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

tcpFlags List<RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag>

Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

destinationPorts RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort[]

Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

destinations RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination[]

Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

protocols number[]

Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

sourcePorts RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort[]

Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

sources RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource[]

Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

tcpFlags RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag[]

Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

destination_ports Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort]

Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

destinations Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination]

Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

protocols Sequence[int]

Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

source_ports Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort]

Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

sources Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource]

Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

tcp_flags Sequence[RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag]

Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

destinationPorts List<Property Map>

Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.

destinations List<Property Map>

Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.

protocols List<Number>

Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

sourcePorts List<Property Map>

Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.

sources List<Property Map>

Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.

tcpFlags List<Property Map>

Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination

AddressDefinition string

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

AddressDefinition string

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

addressDefinition String

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

addressDefinition string

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

address_definition str

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

addressDefinition String

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort

FromPort int

The lower limit of the port range. This must be less than or equal to the to_port.

ToPort int

The upper limit of the port range. This must be greater than or equal to the from_port.

FromPort int

The lower limit of the port range. This must be less than or equal to the to_port.

ToPort int

The upper limit of the port range. This must be greater than or equal to the from_port.

fromPort Integer

The lower limit of the port range. This must be less than or equal to the to_port.

toPort Integer

The upper limit of the port range. This must be greater than or equal to the from_port.

fromPort number

The lower limit of the port range. This must be less than or equal to the to_port.

toPort number

The upper limit of the port range. This must be greater than or equal to the from_port.

from_port int

The lower limit of the port range. This must be less than or equal to the to_port.

to_port int

The upper limit of the port range. This must be greater than or equal to the from_port.

fromPort Number

The lower limit of the port range. This must be less than or equal to the to_port.

toPort Number

The upper limit of the port range. This must be greater than or equal to the from_port.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource

AddressDefinition string

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

AddressDefinition string

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

addressDefinition String

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

addressDefinition string

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

address_definition str

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

addressDefinition String

An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort

FromPort int

The lower limit of the port range. This must be less than or equal to the to_port.

ToPort int

The upper limit of the port range. This must be greater than or equal to the from_port.

FromPort int

The lower limit of the port range. This must be less than or equal to the to_port.

ToPort int

The upper limit of the port range. This must be greater than or equal to the from_port.

fromPort Integer

The lower limit of the port range. This must be less than or equal to the to_port.

toPort Integer

The upper limit of the port range. This must be greater than or equal to the from_port.

fromPort number

The lower limit of the port range. This must be less than or equal to the to_port.

toPort number

The upper limit of the port range. This must be greater than or equal to the from_port.

from_port int

The lower limit of the port range. This must be less than or equal to the to_port.

to_port int

The upper limit of the port range. This must be greater than or equal to the from_port.

fromPort Number

The lower limit of the port range. This must be less than or equal to the to_port.

toPort Number

The upper limit of the port range. This must be greater than or equal to the from_port.

RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag

Flags List<string>

Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

Masks List<string>

Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

Flags []string

Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

Masks []string

Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

flags List<String>

Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

masks List<String>

Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

flags string[]

Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

masks string[]

Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

flags Sequence[str]

Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

masks Sequence[str]

Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

flags List<String>

Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

masks List<String>

Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.

RuleGroupRuleGroupStatefulRuleOptions

RuleOrder string

Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

RuleOrder string

Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

ruleOrder String

Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

ruleOrder string

Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

rule_order str

Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

ruleOrder String

Indicates how to manage the order of the rule evaluation for the rule group. Default value: DEFAULT_ACTION_ORDER. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER.

Import

Network Firewall Rule Groups can be imported using their ARN.

 $ pulumi import aws:networkfirewall/ruleGroup:RuleGroup example arn:aws:network-firewall:us-west-1:123456789012:stateful-rulegroup/example

Package Details

Repository
https://github.com/pulumi/pulumi-aws
License
Apache-2.0
Notes

This Pulumi package is based on the aws Terraform Provider.