Docs Home
AWS v6.78.0 published on Thursday, Apr 24, 2025 by Pulumi
aws.networkfirewall.RuleGroup
Explore with Pulumi AI
- Example Usage
- Stateful Inspection for denying access to a domain
- Stateful Inspection for permitting packets from a source IP address
- Stateful Inspection for blocking packets from going to an intended destination
- Stateful Inspection from rules specifications defined in Suricata flat format
- Stateful Inspection from rule group specifications using rule variables and Suricata format rules
- Stateless Inspection with a Custom Action
- IP Set References to the Rule Group
- Create RuleGroup Resource
- Constructor syntax
- Constructor example
- RuleGroup Resource Properties
- Inputs
- Outputs
- Look up Existing RuleGroup Resource
- Supporting Types
- Import
- Package Details
Provides an AWS Network Firewall Rule Group Resource
Example Usage
Stateful Inspection for denying access to a domain
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 100,
name: "example",
type: "STATEFUL",
ruleGroup: {
rulesSource: {
rulesSourceList: {
generatedRulesType: "DENYLIST",
targetTypes: ["HTTP_HOST"],
targets: ["test.example.com"],
},
},
},
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
example = aws.networkfirewall.RuleGroup("example",
capacity=100,
name="example",
type="STATEFUL",
rule_group={
"rules_source": {
"rules_source_list": {
"generated_rules_type": "DENYLIST",
"target_types": ["HTTP_HOST"],
"targets": ["test.example.com"],
},
},
},
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATEFUL"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
GeneratedRulesType: pulumi.String("DENYLIST"),
TargetTypes: pulumi.StringArray{
pulumi.String("HTTP_HOST"),
},
Targets: pulumi.StringArray{
pulumi.String("test.example.com"),
},
},
},
},
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 100,
Name = "example",
Type = "STATEFUL",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
{
GeneratedRulesType = "DENYLIST",
TargetTypes = new[]
{
"HTTP_HOST",
},
Targets = new[]
{
"test.example.com",
},
},
},
},
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.name("example")
.type("STATEFUL")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
.generatedRulesType("DENYLIST")
.targetTypes("HTTP_HOST")
.targets("test.example.com")
.build())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
capacity: 100
name: example
type: STATEFUL
ruleGroup:
rulesSource:
rulesSourceList:
generatedRulesType: DENYLIST
targetTypes:
- HTTP_HOST
targets:
- test.example.com
tags:
Tag1: Value1
Tag2: Value2
Stateful Inspection for permitting packets from a source IP address
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const ips = [
"1.1.1.1/32",
"1.0.0.1/32",
];
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 50,
description: "Permits http traffic from source",
name: "example",
type: "STATEFUL",
ruleGroup: {
rulesSource: {
statefulRules: ips.map((v, k) => ({key: k, value: v})).map(entry => ({
action: "PASS",
header: {
destination: "ANY",
destinationPort: "ANY",
protocol: "HTTP",
direction: "ANY",
sourcePort: "ANY",
source: entry.value,
},
ruleOptions: [{
keyword: "sid",
settings: ["1"],
}],
})),
},
},
tags: {
Name: "permit HTTP from source",
},
});
import pulumi
import pulumi_aws as aws
ips = [
"1.1.1.1/32",
"1.0.0.1/32",
]
example = aws.networkfirewall.RuleGroup("example",
capacity=50,
description="Permits http traffic from source",
name="example",
type="STATEFUL",
rule_group={
"rules_source": {
"stateful_rules": [{
"action": "PASS",
"header": {
"destination": "ANY",
"destination_port": "ANY",
"protocol": "HTTP",
"direction": "ANY",
"source_port": "ANY",
"source": entry["value"],
},
"rule_options": [{
"keyword": "sid",
"settings": ["1"],
}],
} for entry in [{"key": k, "value": v} for k, v in ips]],
},
},
tags={
"Name": "permit HTTP from source",
})
Coming soon!
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var ips = new[]
{
"1.1.1.1/32",
"1.0.0.1/32",
};
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 50,
Description = "Permits http traffic from source",
Name = "example",
Type = "STATEFUL",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
StatefulRules = ips.Select((v, k) => new { Key = k, Value = v }).Select(entry =>
{
return new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleArgs
{
Action = "PASS",
Header = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
{
Destination = "ANY",
DestinationPort = "ANY",
Protocol = "HTTP",
Direction = "ANY",
SourcePort = "ANY",
Source = entry.Value,
},
RuleOptions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
{
Keyword = "sid",
Settings = new[]
{
"1",
},
},
},
};
}).ToList(),
},
},
Tags =
{
{ "Name", "permit HTTP from source" },
},
});
});
Coming soon!
Coming soon!
Stateful Inspection for blocking packets from going to an intended destination
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 100,
name: "example",
type: "STATEFUL",
ruleGroup: {
rulesSource: {
statefulRules: [{
action: "DROP",
header: {
destination: "124.1.1.24/32",
destinationPort: "53",
direction: "ANY",
protocol: "TCP",
source: "1.2.3.4/32",
sourcePort: "53",
},
ruleOptions: [{
keyword: "sid",
settings: ["1"],
}],
}],
},
},
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
example = aws.networkfirewall.RuleGroup("example",
capacity=100,
name="example",
type="STATEFUL",
rule_group={
"rules_source": {
"stateful_rules": [{
"action": "DROP",
"header": {
"destination": "124.1.1.24/32",
"destination_port": "53",
"direction": "ANY",
"protocol": "TCP",
"source": "1.2.3.4/32",
"source_port": "53",
},
"rule_options": [{
"keyword": "sid",
"settings": ["1"],
}],
}],
},
},
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATEFUL"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
StatefulRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArgs{
Action: pulumi.String("DROP"),
Header: &networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs{
Destination: pulumi.String("124.1.1.24/32"),
DestinationPort: pulumi.String("53"),
Direction: pulumi.String("ANY"),
Protocol: pulumi.String("TCP"),
Source: pulumi.String("1.2.3.4/32"),
SourcePort: pulumi.String("53"),
},
RuleOptions: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs{
Keyword: pulumi.String("sid"),
Settings: pulumi.StringArray{
pulumi.String("1"),
},
},
},
},
},
},
},
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 100,
Name = "example",
Type = "STATEFUL",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
StatefulRules = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleArgs
{
Action = "DROP",
Header = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
{
Destination = "124.1.1.24/32",
DestinationPort = "53",
Direction = "ANY",
Protocol = "TCP",
Source = "1.2.3.4/32",
SourcePort = "53",
},
RuleOptions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
{
Keyword = "sid",
Settings = new[]
{
"1",
},
},
},
},
},
},
},
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.name("example")
.type("STATEFUL")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.statefulRules(RuleGroupRuleGroupRulesSourceStatefulRuleArgs.builder()
.action("DROP")
.header(RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs.builder()
.destination("124.1.1.24/32")
.destinationPort("53")
.direction("ANY")
.protocol("TCP")
.source("1.2.3.4/32")
.sourcePort("53")
.build())
.ruleOptions(RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs.builder()
.keyword("sid")
.settings("1")
.build())
.build())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
capacity: 100
name: example
type: STATEFUL
ruleGroup:
rulesSource:
statefulRules:
- action: DROP
header:
destination: 124.1.1.24/32
destinationPort: 53
direction: ANY
protocol: TCP
source: 1.2.3.4/32
sourcePort: 53
ruleOptions:
- keyword: sid
settings:
- '1'
tags:
Tag1: Value1
Tag2: Value2
Stateful Inspection from rules specifications defined in Suricata flat format
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as std from "@pulumi/std";
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 100,
name: "example",
type: "STATEFUL",
rules: std.file({
input: "example.rules",
}).then(invoke => invoke.result),
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
import pulumi_std as std
example = aws.networkfirewall.RuleGroup("example",
capacity=100,
name="example",
type="STATEFUL",
rules=std.file(input="example.rules").result,
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "example.rules",
}, nil)
if err != nil {
return err
}
_, err = networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATEFUL"),
Rules: pulumi.String(invokeFile.Result),
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 100,
Name = "example",
Type = "STATEFUL",
Rules = Std.File.Invoke(new()
{
Input = "example.rules",
}).Apply(invoke => invoke.Result),
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.name("example")
.type("STATEFUL")
.rules(StdFunctions.file(FileArgs.builder()
.input("example.rules")
.build()).result())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
capacity: 100
name: example
type: STATEFUL
rules:
fn::invoke:
function: std:file
arguments:
input: example.rules
return: result
tags:
Tag1: Value1
Tag2: Value2
Stateful Inspection from rule group specifications using rule variables and Suricata format rules
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
import * as std from "@pulumi/std";
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 100,
name: "example",
type: "STATEFUL",
ruleGroup: {
ruleVariables: {
ipSets: [
{
key: "WEBSERVERS_HOSTS",
ipSet: {
definitions: [
"10.0.0.0/16",
"10.0.1.0/24",
"192.168.0.0/16",
],
},
},
{
key: "EXTERNAL_HOST",
ipSet: {
definitions: ["1.2.3.4/32"],
},
},
],
portSets: [{
key: "HTTP_PORTS",
portSet: {
definitions: [
"443",
"80",
],
},
}],
},
rulesSource: {
rulesString: std.file({
input: "suricata_rules_file",
}).then(invoke => invoke.result),
},
},
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
import pulumi_std as std
example = aws.networkfirewall.RuleGroup("example",
capacity=100,
name="example",
type="STATEFUL",
rule_group={
"rule_variables": {
"ip_sets": [
{
"key": "WEBSERVERS_HOSTS",
"ip_set": {
"definitions": [
"10.0.0.0/16",
"10.0.1.0/24",
"192.168.0.0/16",
],
},
},
{
"key": "EXTERNAL_HOST",
"ip_set": {
"definitions": ["1.2.3.4/32"],
},
},
],
"port_sets": [{
"key": "HTTP_PORTS",
"port_set": {
"definitions": [
"443",
"80",
],
},
}],
},
"rules_source": {
"rules_string": std.file(input="suricata_rules_file").result,
},
},
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
"github.com/pulumi/pulumi-std/sdk/go/std"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
invokeFile, err := std.File(ctx, &std.FileArgs{
Input: "suricata_rules_file",
}, nil)
if err != nil {
return err
}
_, err = networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATEFUL"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RuleVariables: &networkfirewall.RuleGroupRuleGroupRuleVariablesArgs{
IpSets: networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArray{
&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
Key: pulumi.String("WEBSERVERS_HOSTS"),
IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("10.0.0.0/16"),
pulumi.String("10.0.1.0/24"),
pulumi.String("192.168.0.0/16"),
},
},
},
&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
Key: pulumi.String("EXTERNAL_HOST"),
IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("1.2.3.4/32"),
},
},
},
},
PortSets: networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArray{
&networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArgs{
Key: pulumi.String("HTTP_PORTS"),
PortSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("443"),
pulumi.String("80"),
},
},
},
},
},
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
RulesString: pulumi.String(invokeFile.Result),
},
},
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
using Std = Pulumi.Std;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 100,
Name = "example",
Type = "STATEFUL",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RuleVariables = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesArgs
{
IpSets = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
{
Key = "WEBSERVERS_HOSTS",
IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
{
Definitions = new[]
{
"10.0.0.0/16",
"10.0.1.0/24",
"192.168.0.0/16",
},
},
},
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
{
Key = "EXTERNAL_HOST",
IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
{
Definitions = new[]
{
"1.2.3.4/32",
},
},
},
},
PortSets = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetArgs
{
Key = "HTTP_PORTS",
PortSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
{
Definitions = new[]
{
"443",
"80",
},
},
},
},
},
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
RulesString = Std.File.Invoke(new()
{
Input = "suricata_rules_file",
}).Apply(invoke => invoke.Result),
},
},
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.std.StdFunctions;
import com.pulumi.std.inputs.FileArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.name("example")
.type("STATEFUL")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.ruleVariables(RuleGroupRuleGroupRuleVariablesArgs.builder()
.ipSets(
RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
.key("WEBSERVERS_HOSTS")
.ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
.definitions(
"10.0.0.0/16",
"10.0.1.0/24",
"192.168.0.0/16")
.build())
.build(),
RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
.key("EXTERNAL_HOST")
.ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
.definitions("1.2.3.4/32")
.build())
.build())
.portSets(RuleGroupRuleGroupRuleVariablesPortSetArgs.builder()
.key("HTTP_PORTS")
.portSet(RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs.builder()
.definitions(
"443",
"80")
.build())
.build())
.build())
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.rulesString(StdFunctions.file(FileArgs.builder()
.input("suricata_rules_file")
.build()).result())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
capacity: 100
name: example
type: STATEFUL
ruleGroup:
ruleVariables:
ipSets:
- key: WEBSERVERS_HOSTS
ipSet:
definitions:
- 10.0.0.0/16
- 10.0.1.0/24
- 192.168.0.0/16
- key: EXTERNAL_HOST
ipSet:
definitions:
- 1.2.3.4/32
portSets:
- key: HTTP_PORTS
portSet:
definitions:
- '443'
- '80'
rulesSource:
rulesString:
fn::invoke:
function: std:file
arguments:
input: suricata_rules_file
return: result
tags:
Tag1: Value1
Tag2: Value2
Stateless Inspection with a Custom Action
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.networkfirewall.RuleGroup("example", {
description: "Stateless Rate Limiting Rule",
capacity: 100,
name: "example",
type: "STATELESS",
ruleGroup: {
rulesSource: {
statelessRulesAndCustomActions: {
customActions: [{
actionDefinition: {
publishMetricAction: {
dimensions: [{
value: "2",
}],
},
},
actionName: "ExampleMetricsAction",
}],
statelessRules: [{
priority: 1,
ruleDefinition: {
actions: [
"aws:pass",
"ExampleMetricsAction",
],
matchAttributes: {
sources: [{
addressDefinition: "1.2.3.4/32",
}],
sourcePorts: [{
fromPort: 443,
toPort: 443,
}],
destinations: [{
addressDefinition: "124.1.1.5/32",
}],
destinationPorts: [{
fromPort: 443,
toPort: 443,
}],
protocols: [6],
tcpFlags: [{
flags: ["SYN"],
masks: [
"SYN",
"ACK",
],
}],
},
},
}],
},
},
},
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
example = aws.networkfirewall.RuleGroup("example",
description="Stateless Rate Limiting Rule",
capacity=100,
name="example",
type="STATELESS",
rule_group={
"rules_source": {
"stateless_rules_and_custom_actions": {
"custom_actions": [{
"action_definition": {
"publish_metric_action": {
"dimensions": [{
"value": "2",
}],
},
},
"action_name": "ExampleMetricsAction",
}],
"stateless_rules": [{
"priority": 1,
"rule_definition": {
"actions": [
"aws:pass",
"ExampleMetricsAction",
],
"match_attributes": {
"sources": [{
"address_definition": "1.2.3.4/32",
}],
"source_ports": [{
"from_port": 443,
"to_port": 443,
}],
"destinations": [{
"address_definition": "124.1.1.5/32",
}],
"destination_ports": [{
"from_port": 443,
"to_port": 443,
}],
"protocols": [6],
"tcp_flags": [{
"flags": ["SYN"],
"masks": [
"SYN",
"ACK",
],
}],
},
},
}],
},
},
},
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Description: pulumi.String("Stateless Rate Limiting Rule"),
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATELESS"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
StatelessRulesAndCustomActions: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs{
CustomActions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs{
ActionDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs{
PublishMetricAction: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs{
Dimensions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs{
Value: pulumi.String("2"),
},
},
},
},
ActionName: pulumi.String("ExampleMetricsAction"),
},
},
StatelessRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs{
Priority: pulumi.Int(1),
RuleDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs{
Actions: pulumi.StringArray{
pulumi.String("aws:pass"),
pulumi.String("ExampleMetricsAction"),
},
MatchAttributes: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs{
Sources: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs{
AddressDefinition: pulumi.String("1.2.3.4/32"),
},
},
SourcePorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs{
FromPort: pulumi.Int(443),
ToPort: pulumi.Int(443),
},
},
Destinations: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs{
AddressDefinition: pulumi.String("124.1.1.5/32"),
},
},
DestinationPorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs{
FromPort: pulumi.Int(443),
ToPort: pulumi.Int(443),
},
},
Protocols: pulumi.IntArray{
pulumi.Int(6),
},
TcpFlags: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs{
Flags: pulumi.StringArray{
pulumi.String("SYN"),
},
Masks: pulumi.StringArray{
pulumi.String("SYN"),
pulumi.String("ACK"),
},
},
},
},
},
},
},
},
},
},
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Description = "Stateless Rate Limiting Rule",
Capacity = 100,
Name = "example",
Type = "STATELESS",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
StatelessRulesAndCustomActions = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs
{
CustomActions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs
{
ActionDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs
{
PublishMetricAction = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs
{
Dimensions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs
{
Value = "2",
},
},
},
},
ActionName = "ExampleMetricsAction",
},
},
StatelessRules = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs
{
Priority = 1,
RuleDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs
{
Actions = new[]
{
"aws:pass",
"ExampleMetricsAction",
},
MatchAttributes = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs
{
Sources = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs
{
AddressDefinition = "1.2.3.4/32",
},
},
SourcePorts = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs
{
FromPort = 443,
ToPort = 443,
},
},
Destinations = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs
{
AddressDefinition = "124.1.1.5/32",
},
},
DestinationPorts = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs
{
FromPort = 443,
ToPort = 443,
},
},
Protocols = new[]
{
6,
},
TcpFlags = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs
{
Flags = new[]
{
"SYN",
},
Masks = new[]
{
"SYN",
"ACK",
},
},
},
},
},
},
},
},
},
},
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.description("Stateless Rate Limiting Rule")
.capacity(100)
.name("example")
.type("STATELESS")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.statelessRulesAndCustomActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs.builder()
.customActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs.builder()
.actionDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs.builder()
.publishMetricAction(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs.builder()
.dimensions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs.builder()
.value("2")
.build())
.build())
.build())
.actionName("ExampleMetricsAction")
.build())
.statelessRules(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs.builder()
.priority(1)
.ruleDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs.builder()
.actions(
"aws:pass",
"ExampleMetricsAction")
.matchAttributes(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs.builder()
.sources(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs.builder()
.addressDefinition("1.2.3.4/32")
.build())
.sourcePorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs.builder()
.fromPort(443)
.toPort(443)
.build())
.destinations(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs.builder()
.addressDefinition("124.1.1.5/32")
.build())
.destinationPorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs.builder()
.fromPort(443)
.toPort(443)
.build())
.protocols(6)
.tcpFlags(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs.builder()
.flags("SYN")
.masks(
"SYN",
"ACK")
.build())
.build())
.build())
.build())
.build())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
description: Stateless Rate Limiting Rule
capacity: 100
name: example
type: STATELESS
ruleGroup:
rulesSource:
statelessRulesAndCustomActions:
customActions:
- actionDefinition:
publishMetricAction:
dimensions:
- value: '2'
actionName: ExampleMetricsAction
statelessRules:
- priority: 1
ruleDefinition:
actions:
- aws:pass
- ExampleMetricsAction
matchAttributes:
sources:
- addressDefinition: 1.2.3.4/32
sourcePorts:
- fromPort: 443
toPort: 443
destinations:
- addressDefinition: 124.1.1.5/32
destinationPorts:
- fromPort: 443
toPort: 443
protocols:
- 6
tcpFlags:
- flags:
- SYN
masks:
- SYN
- ACK
tags:
Tag1: Value1
Tag2: Value2
IP Set References to the Rule Group
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const example = new aws.networkfirewall.RuleGroup("example", {
capacity: 100,
name: "example",
type: "STATEFUL",
ruleGroup: {
rulesSource: {
rulesSourceList: {
generatedRulesType: "DENYLIST",
targetTypes: ["HTTP_HOST"],
targets: ["test.example.com"],
},
},
referenceSets: {
ipSetReferences: [{
key: "example",
ipSetReferences: [{
referenceArn: _this.arn,
}],
}],
},
},
tags: {
Tag1: "Value1",
Tag2: "Value2",
},
});
import pulumi
import pulumi_aws as aws
example = aws.networkfirewall.RuleGroup("example",
capacity=100,
name="example",
type="STATEFUL",
rule_group={
"rules_source": {
"rules_source_list": {
"generated_rules_type": "DENYLIST",
"target_types": ["HTTP_HOST"],
"targets": ["test.example.com"],
},
},
"reference_sets": {
"ip_set_references": [{
"key": "example",
"ip_set_references": [{
"reference_arn": this["arn"],
}],
}],
},
},
tags={
"Tag1": "Value1",
"Tag2": "Value2",
})
package main
import (
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/networkfirewall"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
_, err := networkfirewall.NewRuleGroup(ctx, "example", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(100),
Name: pulumi.String("example"),
Type: pulumi.String("STATEFUL"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
GeneratedRulesType: pulumi.String("DENYLIST"),
TargetTypes: pulumi.StringArray{
pulumi.String("HTTP_HOST"),
},
Targets: pulumi.StringArray{
pulumi.String("test.example.com"),
},
},
},
ReferenceSets: &networkfirewall.RuleGroupRuleGroupReferenceSetsArgs{
IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArray{
&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs{
Key: pulumi.String("example"),
IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArray{
&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs{
ReferenceArn: pulumi.Any(this.Arn),
},
},
},
},
},
},
Tags: pulumi.StringMap{
"Tag1": pulumi.String("Value1"),
"Tag2": pulumi.String("Value2"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var example = new Aws.NetworkFirewall.RuleGroup("example", new()
{
Capacity = 100,
Name = "example",
Type = "STATEFUL",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
{
GeneratedRulesType = "DENYLIST",
TargetTypes = new[]
{
"HTTP_HOST",
},
Targets = new[]
{
"test.example.com",
},
},
},
ReferenceSets = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsArgs
{
IpSetReferences = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs
{
Key = "example",
IpSetReferences = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs
{
ReferenceArn = @this.Arn,
},
},
},
},
},
},
Tags =
{
{ "Tag1", "Value1" },
{ "Tag2", "Value2" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupReferenceSetsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.name("example")
.type("STATEFUL")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
.generatedRulesType("DENYLIST")
.targetTypes("HTTP_HOST")
.targets("test.example.com")
.build())
.build())
.referenceSets(RuleGroupRuleGroupReferenceSetsArgs.builder()
.ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs.builder()
.key("example")
.ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs.builder()
.referenceArn(this_.arn())
.build())
.build())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}
resources:
example:
type: aws:networkfirewall:RuleGroup
properties:
capacity: 100
name: example
type: STATEFUL
ruleGroup:
rulesSource:
rulesSourceList:
generatedRulesType: DENYLIST
targetTypes:
- HTTP_HOST
targets:
- test.example.com
referenceSets:
ipSetReferences:
- key: example
ipSetReferences:
- referenceArn: ${this.arn}
tags:
Tag1: Value1
Tag2: Value2
Create RuleGroup Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new RuleGroup(name: string, args: RuleGroupArgs, opts?: CustomResourceOptions);@overload
def RuleGroup(resource_name: str,
args: RuleGroupArgs,
opts: Optional[ResourceOptions] = None)
@overload
def RuleGroup(resource_name: str,
opts: Optional[ResourceOptions] = None,
capacity: Optional[int] = None,
type: Optional[str] = None,
description: Optional[str] = None,
encryption_configuration: Optional[RuleGroupEncryptionConfigurationArgs] = None,
name: Optional[str] = None,
rule_group: Optional[RuleGroupRuleGroupArgs] = None,
rules: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None)func NewRuleGroup(ctx *Context, name string, args RuleGroupArgs, opts ...ResourceOption) (*RuleGroup, error)public RuleGroup(string name, RuleGroupArgs args, CustomResourceOptions? opts = null)public RuleGroup(String name, RuleGroupArgs args)
public RuleGroup(String name, RuleGroupArgs args, CustomResourceOptions options)
type: aws:networkfirewall:RuleGroup
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name
This property is required. string - The unique name of the resource.
- args
This property is required. RuleGroupArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name
This property is required. str - The unique name of the resource.
- args
This property is required. RuleGroupArgs - The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. RuleGroupArgs - The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name
This property is required. string - The unique name of the resource.
- args
This property is required. RuleGroupArgs - The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name
This property is required. String - The unique name of the resource.
- args
This property is required. RuleGroupArgs - The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var ruleGroupResource = new Aws.NetworkFirewall.RuleGroup("ruleGroupResource", new()
{
Capacity = 0,
Type = "string",
Description = "string",
EncryptionConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupEncryptionConfigurationArgs
{
Type = "string",
KeyId = "string",
},
Name = "string",
RuleGroupConfiguration = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupArgs
{
RulesSource = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceArgs
{
RulesSourceList = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs
{
GeneratedRulesType = "string",
TargetTypes = new[]
{
"string",
},
Targets = new[]
{
"string",
},
},
RulesString = "string",
StatefulRules = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleArgs
{
Action = "string",
Header = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
{
Destination = "string",
DestinationPort = "string",
Direction = "string",
Protocol = "string",
Source = "string",
SourcePort = "string",
},
RuleOptions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
{
Keyword = "string",
Settings = new[]
{
"string",
},
},
},
},
},
StatelessRulesAndCustomActions = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs
{
StatelessRules = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs
{
Priority = 0,
RuleDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs
{
Actions = new[]
{
"string",
},
MatchAttributes = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs
{
DestinationPorts = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs
{
FromPort = 0,
ToPort = 0,
},
},
Destinations = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs
{
AddressDefinition = "string",
},
},
Protocols = new[]
{
0,
},
SourcePorts = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs
{
FromPort = 0,
ToPort = 0,
},
},
Sources = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs
{
AddressDefinition = "string",
},
},
TcpFlags = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs
{
Flags = new[]
{
"string",
},
Masks = new[]
{
"string",
},
},
},
},
},
},
},
CustomActions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs
{
ActionDefinition = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs
{
PublishMetricAction = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs
{
Dimensions = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs
{
Value = "string",
},
},
},
},
ActionName = "string",
},
},
},
},
ReferenceSets = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsArgs
{
IpSetReferences = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs
{
IpSetReferences = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs
{
ReferenceArn = "string",
},
},
Key = "string",
},
},
},
RuleVariables = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesArgs
{
IpSets = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs
{
IpSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
{
Definitions = new[]
{
"string",
},
},
Key = "string",
},
},
PortSets = new[]
{
new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetArgs
{
Key = "string",
PortSet = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
{
Definitions = new[]
{
"string",
},
},
},
},
},
StatefulRuleOptions = new Aws.NetworkFirewall.Inputs.RuleGroupRuleGroupStatefulRuleOptionsArgs
{
RuleOrder = "string",
},
},
Rules = "string",
Tags =
{
{ "string", "string" },
},
});
example, err := networkfirewall.NewRuleGroup(ctx, "ruleGroupResource", &networkfirewall.RuleGroupArgs{
Capacity: pulumi.Int(0),
Type: pulumi.String("string"),
Description: pulumi.String("string"),
EncryptionConfiguration: &networkfirewall.RuleGroupEncryptionConfigurationArgs{
Type: pulumi.String("string"),
KeyId: pulumi.String("string"),
},
Name: pulumi.String("string"),
RuleGroup: &networkfirewall.RuleGroupRuleGroupArgs{
RulesSource: &networkfirewall.RuleGroupRuleGroupRulesSourceArgs{
RulesSourceList: &networkfirewall.RuleGroupRuleGroupRulesSourceRulesSourceListArgs{
GeneratedRulesType: pulumi.String("string"),
TargetTypes: pulumi.StringArray{
pulumi.String("string"),
},
Targets: pulumi.StringArray{
pulumi.String("string"),
},
},
RulesString: pulumi.String("string"),
StatefulRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleArgs{
Action: pulumi.String("string"),
Header: &networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs{
Destination: pulumi.String("string"),
DestinationPort: pulumi.String("string"),
Direction: pulumi.String("string"),
Protocol: pulumi.String("string"),
Source: pulumi.String("string"),
SourcePort: pulumi.String("string"),
},
RuleOptions: networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs{
Keyword: pulumi.String("string"),
Settings: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
},
StatelessRulesAndCustomActions: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs{
StatelessRules: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs{
Priority: pulumi.Int(0),
RuleDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs{
Actions: pulumi.StringArray{
pulumi.String("string"),
},
MatchAttributes: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs{
DestinationPorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs{
FromPort: pulumi.Int(0),
ToPort: pulumi.Int(0),
},
},
Destinations: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs{
AddressDefinition: pulumi.String("string"),
},
},
Protocols: pulumi.IntArray{
pulumi.Int(0),
},
SourcePorts: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs{
FromPort: pulumi.Int(0),
ToPort: pulumi.Int(0),
},
},
Sources: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs{
AddressDefinition: pulumi.String("string"),
},
},
TcpFlags: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs{
Flags: pulumi.StringArray{
pulumi.String("string"),
},
Masks: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
},
},
},
CustomActions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs{
ActionDefinition: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs{
PublishMetricAction: &networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs{
Dimensions: networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArray{
&networkfirewall.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs{
Value: pulumi.String("string"),
},
},
},
},
ActionName: pulumi.String("string"),
},
},
},
},
ReferenceSets: &networkfirewall.RuleGroupRuleGroupReferenceSetsArgs{
IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArray{
&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs{
IpSetReferences: networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArray{
&networkfirewall.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs{
ReferenceArn: pulumi.String("string"),
},
},
Key: pulumi.String("string"),
},
},
},
RuleVariables: &networkfirewall.RuleGroupRuleGroupRuleVariablesArgs{
IpSets: networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArray{
&networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetArgs{
IpSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("string"),
},
},
Key: pulumi.String("string"),
},
},
PortSets: networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArray{
&networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetArgs{
Key: pulumi.String("string"),
PortSet: &networkfirewall.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs{
Definitions: pulumi.StringArray{
pulumi.String("string"),
},
},
},
},
},
StatefulRuleOptions: &networkfirewall.RuleGroupRuleGroupStatefulRuleOptionsArgs{
RuleOrder: pulumi.String("string"),
},
},
Rules: pulumi.String("string"),
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
})
var ruleGroupResource = new com.pulumi.aws.networkfirewall.RuleGroup("ruleGroupResource", com.pulumi.aws.networkfirewall.RuleGroupArgs.builder()
.capacity(0)
.type("string")
.description("string")
.encryptionConfiguration(RuleGroupEncryptionConfigurationArgs.builder()
.type("string")
.keyId("string")
.build())
.name("string")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
.generatedRulesType("string")
.targetTypes("string")
.targets("string")
.build())
.rulesString("string")
.statefulRules(RuleGroupRuleGroupRulesSourceStatefulRuleArgs.builder()
.action("string")
.header(RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs.builder()
.destination("string")
.destinationPort("string")
.direction("string")
.protocol("string")
.source("string")
.sourcePort("string")
.build())
.ruleOptions(RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs.builder()
.keyword("string")
.settings("string")
.build())
.build())
.statelessRulesAndCustomActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs.builder()
.statelessRules(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs.builder()
.priority(0)
.ruleDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs.builder()
.actions("string")
.matchAttributes(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs.builder()
.destinationPorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs.builder()
.fromPort(0)
.toPort(0)
.build())
.destinations(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs.builder()
.addressDefinition("string")
.build())
.protocols(0)
.sourcePorts(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs.builder()
.fromPort(0)
.toPort(0)
.build())
.sources(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs.builder()
.addressDefinition("string")
.build())
.tcpFlags(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs.builder()
.flags("string")
.masks("string")
.build())
.build())
.build())
.build())
.customActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs.builder()
.actionDefinition(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs.builder()
.publishMetricAction(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs.builder()
.dimensions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs.builder()
.value("string")
.build())
.build())
.build())
.actionName("string")
.build())
.build())
.build())
.referenceSets(RuleGroupRuleGroupReferenceSetsArgs.builder()
.ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs.builder()
.ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs.builder()
.referenceArn("string")
.build())
.key("string")
.build())
.build())
.ruleVariables(RuleGroupRuleGroupRuleVariablesArgs.builder()
.ipSets(RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
.ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
.definitions("string")
.build())
.key("string")
.build())
.portSets(RuleGroupRuleGroupRuleVariablesPortSetArgs.builder()
.key("string")
.portSet(RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs.builder()
.definitions("string")
.build())
.build())
.build())
.statefulRuleOptions(RuleGroupRuleGroupStatefulRuleOptionsArgs.builder()
.ruleOrder("string")
.build())
.build())
.rules("string")
.tags(Map.of("string", "string"))
.build());
rule_group_resource = aws.networkfirewall.RuleGroup("ruleGroupResource",
capacity=0,
type="string",
description="string",
encryption_configuration={
"type": "string",
"key_id": "string",
},
name="string",
rule_group={
"rules_source": {
"rules_source_list": {
"generated_rules_type": "string",
"target_types": ["string"],
"targets": ["string"],
},
"rules_string": "string",
"stateful_rules": [{
"action": "string",
"header": {
"destination": "string",
"destination_port": "string",
"direction": "string",
"protocol": "string",
"source": "string",
"source_port": "string",
},
"rule_options": [{
"keyword": "string",
"settings": ["string"],
}],
}],
"stateless_rules_and_custom_actions": {
"stateless_rules": [{
"priority": 0,
"rule_definition": {
"actions": ["string"],
"match_attributes": {
"destination_ports": [{
"from_port": 0,
"to_port": 0,
}],
"destinations": [{
"address_definition": "string",
}],
"protocols": [0],
"source_ports": [{
"from_port": 0,
"to_port": 0,
}],
"sources": [{
"address_definition": "string",
}],
"tcp_flags": [{
"flags": ["string"],
"masks": ["string"],
}],
},
},
}],
"custom_actions": [{
"action_definition": {
"publish_metric_action": {
"dimensions": [{
"value": "string",
}],
},
},
"action_name": "string",
}],
},
},
"reference_sets": {
"ip_set_references": [{
"ip_set_references": [{
"reference_arn": "string",
}],
"key": "string",
}],
},
"rule_variables": {
"ip_sets": [{
"ip_set": {
"definitions": ["string"],
},
"key": "string",
}],
"port_sets": [{
"key": "string",
"port_set": {
"definitions": ["string"],
},
}],
},
"stateful_rule_options": {
"rule_order": "string",
},
},
rules="string",
tags={
"string": "string",
})
const ruleGroupResource = new aws.networkfirewall.RuleGroup("ruleGroupResource", {
capacity: 0,
type: "string",
description: "string",
encryptionConfiguration: {
type: "string",
keyId: "string",
},
name: "string",
ruleGroup: {
rulesSource: {
rulesSourceList: {
generatedRulesType: "string",
targetTypes: ["string"],
targets: ["string"],
},
rulesString: "string",
statefulRules: [{
action: "string",
header: {
destination: "string",
destinationPort: "string",
direction: "string",
protocol: "string",
source: "string",
sourcePort: "string",
},
ruleOptions: [{
keyword: "string",
settings: ["string"],
}],
}],
statelessRulesAndCustomActions: {
statelessRules: [{
priority: 0,
ruleDefinition: {
actions: ["string"],
matchAttributes: {
destinationPorts: [{
fromPort: 0,
toPort: 0,
}],
destinations: [{
addressDefinition: "string",
}],
protocols: [0],
sourcePorts: [{
fromPort: 0,
toPort: 0,
}],
sources: [{
addressDefinition: "string",
}],
tcpFlags: [{
flags: ["string"],
masks: ["string"],
}],
},
},
}],
customActions: [{
actionDefinition: {
publishMetricAction: {
dimensions: [{
value: "string",
}],
},
},
actionName: "string",
}],
},
},
referenceSets: {
ipSetReferences: [{
ipSetReferences: [{
referenceArn: "string",
}],
key: "string",
}],
},
ruleVariables: {
ipSets: [{
ipSet: {
definitions: ["string"],
},
key: "string",
}],
portSets: [{
key: "string",
portSet: {
definitions: ["string"],
},
}],
},
statefulRuleOptions: {
ruleOrder: "string",
},
},
rules: "string",
tags: {
string: "string",
},
});
type: aws:networkfirewall:RuleGroup
properties:
capacity: 0
description: string
encryptionConfiguration:
keyId: string
type: string
name: string
ruleGroup:
referenceSets:
ipSetReferences:
- ipSetReferences:
- referenceArn: string
key: string
ruleVariables:
ipSets:
- ipSet:
definitions:
- string
key: string
portSets:
- key: string
portSet:
definitions:
- string
rulesSource:
rulesSourceList:
generatedRulesType: string
targetTypes:
- string
targets:
- string
rulesString: string
statefulRules:
- action: string
header:
destination: string
destinationPort: string
direction: string
protocol: string
source: string
sourcePort: string
ruleOptions:
- keyword: string
settings:
- string
statelessRulesAndCustomActions:
customActions:
- actionDefinition:
publishMetricAction:
dimensions:
- value: string
actionName: string
statelessRules:
- priority: 0
ruleDefinition:
actions:
- string
matchAttributes:
destinationPorts:
- fromPort: 0
toPort: 0
destinations:
- addressDefinition: string
protocols:
- 0
sourcePorts:
- fromPort: 0
toPort: 0
sources:
- addressDefinition: string
tcpFlags:
- flags:
- string
masks:
- string
statefulRuleOptions:
ruleOrder: string
rules: string
tags:
string: string
type: string
RuleGroup Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The RuleGroup resource accepts the following input properties:
- Capacity
int
This property is required. 
Changes to this property will trigger replacement. - The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- Type
This property is required. string - Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - Description string
- A friendly description of the rule group.
- Encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- Name
- A friendly name of the rule group.
- Rule
Group RuleConfiguration Group Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - Rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Dictionary<string, string>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- Capacity
int
This property is required. Changes to this property will trigger replacement. - The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- Type
This property is required. string - Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - Description string
- A friendly description of the rule group.
- Encryption
Configuration RuleGroup Encryption Configuration Args - KMS encryption configuration settings. See Encryption Configuration below for details.
- Name
- A friendly name of the rule group.
- Rule
Group RuleGroup Rule Group Args - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - Rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - map[string]string
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- capacity
Integer
This property is required. Changes to this property will trigger replacement. - The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- type
This property is required. String - Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - description String
- A friendly description of the rule group.
- encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- name
- A friendly name of the rule group.
- rule
Group RuleGroup Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules String
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Map<String,String>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- capacity
number
This property is required. Changes to this property will trigger replacement. - The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- type
This property is required. string - Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - description string
- A friendly description of the rule group.
- encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- name
- A friendly name of the rule group.
- rule
Group RuleGroup Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - {[key: string]: string}
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- capacity
int
This property is required. Changes to this property will trigger replacement. - The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- type
This property is required. str - Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - description str
- A friendly description of the rule group.
- encryption_
configuration RuleGroup Encryption Configuration Args - KMS encryption configuration settings. See Encryption Configuration below for details.
- name
- A friendly name of the rule group.
- rule_
group RuleGroup Rule Group Args - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules str
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Mapping[str, str]
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
- capacity
Number
This property is required. Changes to this property will trigger replacement. - The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- type
This property is required. String - Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - description String
- A friendly description of the rule group.
- encryption
Configuration Property Map - KMS encryption configuration settings. See Encryption Configuration below for details.
- name
- A friendly name of the rule group.
- rule
Group Property Map - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules String
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Map<String>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level.
Outputs
All input properties are implicitly available as output properties. Additionally, the RuleGroup resource produces the following output properties:
- Arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- Id string
- The provider-assigned unique ID for this managed resource.
- Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Update
Token string - A string token used when updating the rule group.
- Arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- Id string
- The provider-assigned unique ID for this managed resource.
- map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Update
Token string - A string token used when updating the rule group.
- arn String
- The Amazon Resource Name (ARN) that identifies the rule group.
- id String
- The provider-assigned unique ID for this managed resource.
- Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - update
Token String - A string token used when updating the rule group.
- arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- id string
- The provider-assigned unique ID for this managed resource.
- {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - update
Token string - A string token used when updating the rule group.
- arn str
- The Amazon Resource Name (ARN) that identifies the rule group.
- id str
- The provider-assigned unique ID for this managed resource.
- Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - update_
token str - A string token used when updating the rule group.
- arn String
- The Amazon Resource Name (ARN) that identifies the rule group.
- id String
- The provider-assigned unique ID for this managed resource.
- Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - update
Token String - A string token used when updating the rule group.
Look up Existing RuleGroup Resource
Get an existing RuleGroup resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: RuleGroupState, opts?: CustomResourceOptions): RuleGroup@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
capacity: Optional[int] = None,
description: Optional[str] = None,
encryption_configuration: Optional[RuleGroupEncryptionConfigurationArgs] = None,
name: Optional[str] = None,
rule_group: Optional[RuleGroupRuleGroupArgs] = None,
rules: Optional[str] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None,
type: Optional[str] = None,
update_token: Optional[str] = None) -> RuleGroupfunc GetRuleGroup(ctx *Context, name string, id IDInput, state *RuleGroupState, opts ...ResourceOption) (*RuleGroup, error)public static RuleGroup Get(string name, Input<string> id, RuleGroupState? state, CustomResourceOptions? opts = null)public static RuleGroup get(String name, Output<String> id, RuleGroupState state, CustomResourceOptions options)resources: _: type: aws:networkfirewall:RuleGroup get: id: ${id}- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
This property is required. - The unique name of the resulting resource.
- id
This property is required. - The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
The following state arguments are supported:
- Arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- Capacity
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- Description string
- A friendly description of the rule group.
- Encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- Name
- A friendly name of the rule group.
- Rule
Group RuleConfiguration Group Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - Rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Dictionary<string, string>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Type string
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - Update
Token string - A string token used when updating the rule group.
- Arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- Capacity
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- Description string
- A friendly description of the rule group.
- Encryption
Configuration RuleGroup Encryption Configuration Args - KMS encryption configuration settings. See Encryption Configuration below for details.
- Name
- A friendly name of the rule group.
- Rule
Group RuleGroup Rule Group Args - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - Rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - map[string]string
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - Type string
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - Update
Token string - A string token used when updating the rule group.
- arn String
- The Amazon Resource Name (ARN) that identifies the rule group.
- capacity
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- description String
- A friendly description of the rule group.
- encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- name
- A friendly name of the rule group.
- rule
Group RuleGroup Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules String
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Map<String,String>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type String
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - update
Token String - A string token used when updating the rule group.
- arn string
- The Amazon Resource Name (ARN) that identifies the rule group.
- capacity
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- description string
- A friendly description of the rule group.
- encryption
Configuration RuleGroup Encryption Configuration - KMS encryption configuration settings. See Encryption Configuration below for details.
- name
- A friendly name of the rule group.
- rule
Group RuleGroup Rule Group - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules string
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - {[key: string]: string}
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type string
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - update
Token string - A string token used when updating the rule group.
- arn str
- The Amazon Resource Name (ARN) that identifies the rule group.
- capacity
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- description str
- A friendly description of the rule group.
- encryption_
configuration RuleGroup Encryption Configuration Args - KMS encryption configuration settings. See Encryption Configuration below for details.
- name
- A friendly name of the rule group.
- rule_
group RuleGroup Rule Group Args - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules str
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Mapping[str, str]
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type str
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - update_
token str - A string token used when updating the rule group.
- arn String
- The Amazon Resource Name (ARN) that identifies the rule group.
- capacity
- The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
- description String
- A friendly description of the rule group.
- encryption
Configuration Property Map - KMS encryption configuration settings. See Encryption Configuration below for details.
- name
- A friendly name of the rule group.
- rule
Group Property Map - A configuration block that defines the rule group rules. Required unless
rulesis specified. See Rule Group below for details. - rules String
- The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless
rule_groupis specified. - Map<String>
- A map of key:value pairs to associate with the resource. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level. - Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block. - type String
- Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values include:
STATEFULorSTATELESS. - update
Token String - A string token used when updating the rule group.
Supporting Types
RuleGroupEncryptionConfiguration, RuleGroupEncryptionConfigurationArgs
, RuleGroupEncryptionConfigurationArgs
- Type
This property is required. string - The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - Key
Id string - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- Type
This property is required. string - The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - Key
Id string - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- type
This property is required. String - The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - key
Id String - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- type
This property is required. string - The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - key
Id string - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- type
This property is required. str - The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - key_
id str - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- type
This property is required. String - The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are
CUSTOMER_KMSandAWS_OWNED_KMS_KEY. - key
Id String - The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
RuleGroupRuleGroup, RuleGroupRuleGroupArgs
, RuleGroupRuleGroupArgs
- Rules
Source This property is required. RuleGroup Rule Group Rules Source - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- Reference
Sets RuleGroup Rule Group Reference Sets - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - Rule
Variables RuleGroup Rule Group Rule Variables - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- Stateful
Rule RuleOptions Group Rule Group Stateful Rule Options - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
- Rules
Source This property is required. RuleGroup Rule Group Rules Source - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- Reference
Sets RuleGroup Rule Group Reference Sets - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - Rule
Variables RuleGroup Rule Group Rule Variables - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- Stateful
Rule RuleOptions Group Rule Group Stateful Rule Options - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
- rules
Source This property is required. RuleGroup Rule Group Rules Source - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- reference
Sets RuleGroup Rule Group Reference Sets - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - rule
Variables RuleGroup Rule Group Rule Variables - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- stateful
Rule RuleOptions Group Rule Group Stateful Rule Options - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
- rules
Source This property is required. RuleGroup Rule Group Rules Source - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- reference
Sets RuleGroup Rule Group Reference Sets - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - rule
Variables RuleGroup Rule Group Rule Variables - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- stateful
Rule RuleOptions Group Rule Group Stateful Rule Options - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
- rules_
source This property is required. RuleGroup Rule Group Rules Source - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- reference_
sets RuleGroup Rule Group Reference Sets - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - rule_
variables RuleGroup Rule Group Rule Variables - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- stateful_
rule_ Ruleoptions Group Rule Group Stateful Rule Options - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
- rules
Source This property is required. Property Map - A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
- reference
Sets Property Map - A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please notes that there can only be a maximum of 5
reference_setsin arule_group. See the AWS documentation for details. - rule
Variables Property Map - A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
- stateful
Rule Property MapOptions - A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
RuleGroupRuleGroupReferenceSets, RuleGroupRuleGroupReferenceSetsArgs
, RuleGroupRuleGroupReferenceSetsArgs
RuleGroupRuleGroupReferenceSetsIpSetReference, RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs
, RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs
- Ip
Set References This property is required. List<RuleGroup Rule Group Reference Sets Ip Set Reference Ip Set Reference> - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- Key
This property is required. string
- Ip
Set References This property is required. []RuleGroup Rule Group Reference Sets Ip Set Reference Ip Set Reference - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- Key
This property is required. string
- ip
Set References This property is required. List<RuleGroup Rule Group Reference Sets Ip Set Reference Ip Set Reference> - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- key
This property is required. String
- ip
Set References This property is required. RuleGroup Rule Group Reference Sets Ip Set Reference Ip Set Reference[] - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- key
This property is required. string
- ip_
set_ references This property is required. Sequence[RuleGroup Rule Group Reference Sets Ip Set Reference Ip Set Reference] - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- key
This property is required. str
- ip
Set References This property is required. List<Property Map> - Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
- key
This property is required. String
RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReference, RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs
, RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs
- Reference
Arn This property is required. string - Set of Managed Prefix IP ARN(s)
- Reference
Arn This property is required. string - Set of Managed Prefix IP ARN(s)
- reference
Arn This property is required. String - Set of Managed Prefix IP ARN(s)
- reference
Arn This property is required. string - Set of Managed Prefix IP ARN(s)
- reference_
arn This property is required. str - Set of Managed Prefix IP ARN(s)
- reference
Arn This property is required. String - Set of Managed Prefix IP ARN(s)
RuleGroupRuleGroupRuleVariables, RuleGroupRuleGroupRuleVariablesArgs
, RuleGroupRuleGroupRuleVariablesArgs
- Ip
Sets List<RuleGroup Rule Group Rule Variables Ip Set> - Set of configuration blocks that define IP address information. See IP Sets below for details.
- Port
Sets List<RuleGroup Rule Group Rule Variables Port Set> - Set of configuration blocks that define port range information. See Port Sets below for details.
- Ip
Sets []RuleGroup Rule Group Rule Variables Ip Set - Set of configuration blocks that define IP address information. See IP Sets below for details.
- Port
Sets []RuleGroup Rule Group Rule Variables Port Set - Set of configuration blocks that define port range information. See Port Sets below for details.
- ip
Sets List<RuleGroup Rule Group Rule Variables Ip Set> - Set of configuration blocks that define IP address information. See IP Sets below for details.
- port
Sets List<RuleGroup Rule Group Rule Variables Port Set> - Set of configuration blocks that define port range information. See Port Sets below for details.
- ip
Sets RuleGroup Rule Group Rule Variables Ip Set[] - Set of configuration blocks that define IP address information. See IP Sets below for details.
- port
Sets RuleGroup Rule Group Rule Variables Port Set[] - Set of configuration blocks that define port range information. See Port Sets below for details.
- ip_
sets Sequence[RuleGroup Rule Group Rule Variables Ip Set] - Set of configuration blocks that define IP address information. See IP Sets below for details.
- port_
sets Sequence[RuleGroup Rule Group Rule Variables Port Set] - Set of configuration blocks that define port range information. See Port Sets below for details.
- ip
Sets List<Property Map> - Set of configuration blocks that define IP address information. See IP Sets below for details.
- port
Sets List<Property Map> - Set of configuration blocks that define port range information. See Port Sets below for details.
RuleGroupRuleGroupRuleVariablesIpSet, RuleGroupRuleGroupRuleVariablesIpSetArgs
, RuleGroupRuleGroupRuleVariablesIpSetArgs
- Ip
Set This property is required. RuleGroup Rule Group Rule Variables Ip Set Ip Set - A configuration block that defines a set of IP addresses. See IP Set below for details.
- Key
This property is required. string - A unique alphanumeric string to identify the
ip_set.
- Ip
Set This property is required. RuleGroup Rule Group Rule Variables Ip Set Ip Set - A configuration block that defines a set of IP addresses. See IP Set below for details.
- Key
This property is required. string - A unique alphanumeric string to identify the
ip_set.
- ip
Set This property is required. RuleGroup Rule Group Rule Variables Ip Set Ip Set - A configuration block that defines a set of IP addresses. See IP Set below for details.
- key
This property is required. String - A unique alphanumeric string to identify the
ip_set.
- ip
Set This property is required. RuleGroup Rule Group Rule Variables Ip Set Ip Set - A configuration block that defines a set of IP addresses. See IP Set below for details.
- key
This property is required. string - A unique alphanumeric string to identify the
ip_set.
- ip_
set This property is required. RuleGroup Rule Group Rule Variables Ip Set Ip Set - A configuration block that defines a set of IP addresses. See IP Set below for details.
- key
This property is required. str - A unique alphanumeric string to identify the
ip_set.
- ip
Set This property is required. Property Map - A configuration block that defines a set of IP addresses. See IP Set below for details.
- key
This property is required. String - A unique alphanumeric string to identify the
ip_set.
RuleGroupRuleGroupRuleVariablesIpSetIpSet, RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
, RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs
- Definitions
This property is required. List<string> - Set of IP addresses and address ranges, in CIDR notation.
- Definitions
This property is required. []string - Set of IP addresses and address ranges, in CIDR notation.
- definitions
This property is required. List<String> - Set of IP addresses and address ranges, in CIDR notation.
- definitions
This property is required. string[] - Set of IP addresses and address ranges, in CIDR notation.
- definitions
This property is required. Sequence[str] - Set of IP addresses and address ranges, in CIDR notation.
- definitions
This property is required. List<String> - Set of IP addresses and address ranges, in CIDR notation.
RuleGroupRuleGroupRuleVariablesPortSet, RuleGroupRuleGroupRuleVariablesPortSetArgs
, RuleGroupRuleGroupRuleVariablesPortSetArgs
- Key
This property is required. string - An unique alphanumeric string to identify the
port_set. - Port
Set This property is required. RuleGroup Rule Group Rule Variables Port Set Port Set - A configuration block that defines a set of port ranges. See Port Set below for details.
- Key
This property is required. string - An unique alphanumeric string to identify the
port_set. - Port
Set This property is required. RuleGroup Rule Group Rule Variables Port Set Port Set - A configuration block that defines a set of port ranges. See Port Set below for details.
- key
This property is required. String - An unique alphanumeric string to identify the
port_set. - port
Set This property is required. RuleGroup Rule Group Rule Variables Port Set Port Set - A configuration block that defines a set of port ranges. See Port Set below for details.
- key
This property is required. string - An unique alphanumeric string to identify the
port_set. - port
Set This property is required. RuleGroup Rule Group Rule Variables Port Set Port Set - A configuration block that defines a set of port ranges. See Port Set below for details.
- key
This property is required. str - An unique alphanumeric string to identify the
port_set. - port_
set This property is required. RuleGroup Rule Group Rule Variables Port Set Port Set - A configuration block that defines a set of port ranges. See Port Set below for details.
- key
This property is required. String - An unique alphanumeric string to identify the
port_set. - port
Set This property is required. Property Map - A configuration block that defines a set of port ranges. See Port Set below for details.
RuleGroupRuleGroupRuleVariablesPortSetPortSet, RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
, RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs
- Definitions
This property is required. List<string> - Set of port ranges.
- Definitions
This property is required. []string - Set of port ranges.
- definitions
This property is required. List<String> - Set of port ranges.
- definitions
This property is required. string[] - Set of port ranges.
- definitions
This property is required. Sequence[str] - Set of port ranges.
- definitions
This property is required. List<String> - Set of port ranges.
RuleGroupRuleGroupRulesSource, RuleGroupRuleGroupRulesSourceArgs
, RuleGroupRuleGroupRulesSourceArgs
- Rules
Source RuleList Group Rule Group Rules Source Rules Source List - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- Rules
String string - The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
- Stateful
Rules List<RuleGroup Rule Group Rules Source Stateful Rule> - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- Stateless
Rules RuleAnd Custom Actions Group Rule Group Rules Source Stateless Rules And Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
- Rules
Source RuleList Group Rule Group Rules Source Rules Source List - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- Rules
String string - The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
- Stateful
Rules []RuleGroup Rule Group Rules Source Stateful Rule - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- Stateless
Rules RuleAnd Custom Actions Group Rule Group Rules Source Stateless Rules And Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
- rules
Source RuleList Group Rule Group Rules Source Rules Source List - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- rules
String String - The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
- stateful
Rules List<RuleGroup Rule Group Rules Source Stateful Rule> - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- stateless
Rules RuleAnd Custom Actions Group Rule Group Rules Source Stateless Rules And Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
- rules
Source RuleList Group Rule Group Rules Source Rules Source List - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- rules
String string - The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
- stateful
Rules RuleGroup Rule Group Rules Source Stateful Rule[] - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- stateless
Rules RuleAnd Custom Actions Group Rule Group Rules Source Stateless Rules And Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
- rules_
source_ Rulelist Group Rule Group Rules Source Rules Source List - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- rules_
string str - The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
- stateful_
rules Sequence[RuleGroup Rule Group Rules Source Stateful Rule] - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- stateless_
rules_ Ruleand_ custom_ actions Group Rule Group Rules Source Stateless Rules And Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
- rules
Source Property MapList - A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
- rules
String String - The fully qualified name of a file in an S3 bucket that contains Suricata compatible intrusion preventions system (IPS) rules or the Suricata rules as a string. These rules contain stateful inspection criteria and the action to take for traffic that matches the criteria.
- stateful
Rules List<Property Map> - Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
- stateless
Rules Property MapAnd Custom Actions - A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
RuleGroupRuleGroupRulesSourceRulesSourceList, RuleGroupRuleGroupRulesSourceRulesSourceListArgs
, RuleGroupRuleGroupRulesSourceRulesSourceListArgs
- Generated
Rules Type This property is required. string - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - Target
Types This property is required. List<string> - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - Targets
This property is required. List<string> - Set of domains that you want to inspect for in your traffic flows.
- Generated
Rules Type This property is required. string - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - Target
Types This property is required. []string - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - Targets
This property is required. []string - Set of domains that you want to inspect for in your traffic flows.
- generated
Rules Type This property is required. String - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - target
Types This property is required. List<String> - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - targets
This property is required. List<String> - Set of domains that you want to inspect for in your traffic flows.
- generated
Rules Type This property is required. string - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - target
Types This property is required. string[] - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - targets
This property is required. string[] - Set of domains that you want to inspect for in your traffic flows.
- generated_
rules_ type This property is required. str - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - target_
types This property is required. Sequence[str] - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - targets
This property is required. Sequence[str] - Set of domains that you want to inspect for in your traffic flows.
- generated
Rules Type This property is required. String - String value to specify whether domains in the target list are allowed or denied access. Valid values:
ALLOWLIST,DENYLIST. - target
Types This property is required. List<String> - Set of types of domain specifications that are provided in the
targetsargument. Valid values:HTTP_HOST,TLS_SNI. - targets
This property is required. List<String> - Set of domains that you want to inspect for in your traffic flows.
RuleGroupRuleGroupRulesSourceStatefulRule, RuleGroupRuleGroupRulesSourceStatefulRuleArgs
, RuleGroupRuleGroupRulesSourceStatefulRuleArgs
- Action
This property is required. string - Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - Header
This property is required. RuleGroup Rule Group Rules Source Stateful Rule Header - A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- Rule
Options This property is required. List<RuleGroup Rule Group Rules Source Stateful Rule Rule Option> - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
- Action
This property is required. string - Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - Header
This property is required. RuleGroup Rule Group Rules Source Stateful Rule Header - A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- Rule
Options This property is required. []RuleGroup Rule Group Rules Source Stateful Rule Rule Option - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
- action
This property is required. String - Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - header
This property is required. RuleGroup Rule Group Rules Source Stateful Rule Header - A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- rule
Options This property is required. List<RuleGroup Rule Group Rules Source Stateful Rule Rule Option> - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
- action
This property is required. string - Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - header
This property is required. RuleGroup Rule Group Rules Source Stateful Rule Header - A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- rule
Options This property is required. RuleGroup Rule Group Rules Source Stateful Rule Rule Option[] - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
- action
This property is required. str - Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - header
This property is required. RuleGroup Rule Group Rules Source Stateful Rule Header - A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- rule_
options This property is required. Sequence[RuleGroup Rule Group Rules Source Stateful Rule Rule Option] - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
- action
This property is required. String - Action to take with packets in a traffic flow when the flow matches the stateful rule criteria. For all actions, AWS Network Firewall performs the specified action and discontinues stateful inspection of the traffic flow. Valid values:
ALERT,DROP,PASS, orREJECT. - header
This property is required. Property Map - A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
- rule
Options This property is required. List<Property Map> - Set of configuration blocks containing additional settings for a stateful rule. See Rule Option below for details.
RuleGroupRuleGroupRulesSourceStatefulRuleHeader, RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
, RuleGroupRuleGroupRulesSourceStatefulRuleHeaderArgs
- Destination
This property is required. string - The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - Destination
Port This property is required. string - The destination port to inspect for. To match with any address, specify
ANY. - Direction
This property is required. string - The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - Protocol
This property is required. string - The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - Source
This property is required. string - The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - Source
Port This property is required. string - The source port to inspect for. To match with any address, specify
ANY.
- Destination
This property is required. string - The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - Destination
Port This property is required. string - The destination port to inspect for. To match with any address, specify
ANY. - Direction
This property is required. string - The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - Protocol
This property is required. string - The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - Source
This property is required. string - The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - Source
Port This property is required. string - The source port to inspect for. To match with any address, specify
ANY.
- destination
This property is required. String - The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - destination
Port This property is required. String - The destination port to inspect for. To match with any address, specify
ANY. - direction
This property is required. String - The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - protocol
This property is required. String - The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - source
This property is required. String - The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - source
Port This property is required. String - The source port to inspect for. To match with any address, specify
ANY.
- destination
This property is required. string - The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - destination
Port This property is required. string - The destination port to inspect for. To match with any address, specify
ANY. - direction
This property is required. string - The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - protocol
This property is required. string - The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - source
This property is required. string - The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - source
Port This property is required. string - The source port to inspect for. To match with any address, specify
ANY.
- destination
This property is required. str - The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - destination_
port This property is required. str - The destination port to inspect for. To match with any address, specify
ANY. - direction
This property is required. str - The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - protocol
This property is required. str - The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - source
This property is required. str - The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - source_
port This property is required. str - The source port to inspect for. To match with any address, specify
ANY.
- destination
This property is required. String - The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY. - destination
Port This property is required. String - The destination port to inspect for. To match with any address, specify
ANY. - direction
This property is required. String - The direction of traffic flow to inspect. Valid values:
ANYorFORWARD. - protocol
This property is required. String - The protocol to inspect. Valid values:
IP,TCP,UDP,ICMP,HTTP,FTP,TLS,SMB,DNS,DCERPC,SSH,SMTP,IMAP,MSN,KRB5,IKEV2,TFTP,NTP,DHCP. - source
This property is required. String - The source IP address or address range for, in CIDR notation. To match with any address, specify
ANY. - source
Port This property is required. String - The source port to inspect for. To match with any address, specify
ANY.
RuleGroupRuleGroupRulesSourceStatefulRuleRuleOption, RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
, RuleGroupRuleGroupRulesSourceStatefulRuleRuleOptionArgs
- Keyword
This property is required. string - Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- Settings List<string>
- Set of strings for additional settings to use in stateful rule inspection.
- Keyword
This property is required. string - Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- Settings []string
- Set of strings for additional settings to use in stateful rule inspection.
- keyword
This property is required. String - Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- settings List<String>
- Set of strings for additional settings to use in stateful rule inspection.
- keyword
This property is required. string - Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- settings string[]
- Set of strings for additional settings to use in stateful rule inspection.
- keyword
This property is required. str - Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- settings Sequence[str]
- Set of strings for additional settings to use in stateful rule inspection.
- keyword
This property is required. String - Keyword defined by open source detection systems like Snort or Suricata for stateful rule inspection. See Snort General Rule Options or Suricata Rule Options for more details.
- settings List<String>
- Set of strings for additional settings to use in stateful rule inspection.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActions, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs
- Stateless
Rules This property is required. List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule> - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- Custom
Actions List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action> - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
- Stateless
Rules This property is required. []RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- Custom
Actions []RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
- stateless
Rules This property is required. List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule> - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- custom
Actions List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action> - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
- stateless
Rules This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule[] - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- custom
Actions RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action[] - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
- stateless_
rules This property is required. Sequence[RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule] - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- custom_
actions Sequence[RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action] - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
- stateless
Rules This property is required. List<Property Map> - Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
- custom
Actions List<Property Map> - Set of configuration blocks containing custom action definitions that are available for use by the set of
stateless rule. See Custom Action below for details.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomAction, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionArgs
- Action
Definition This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - Action
Name stringThis property is required. Changes to this property will trigger replacement. - A friendly name of the custom action.
- Action
Definition This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - Action
Name stringThis property is required. Changes to this property will trigger replacement. - A friendly name of the custom action.
- action
Definition This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - action
Name StringThis property is required. Changes to this property will trigger replacement. - A friendly name of the custom action.
- action
Definition This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - action
Name stringThis property is required. Changes to this property will trigger replacement. - A friendly name of the custom action.
- action_
definition This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - action_
name strThis property is required. Changes to this property will trigger replacement. - A friendly name of the custom action.
- action
Definition This property is required. Property Map - A configuration block describing the custom action associated with the
action_name. See Action Definition below for details. - action
Name StringThis property is required. Changes to this property will trigger replacement. - A friendly name of the custom action.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinition, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionArgs
- Publish
Metric Action This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
- Publish
Metric Action This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
- publish
Metric Action This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
- publish
Metric Action This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
- publish_
metric_ action This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
- publish
Metric Action This property is required. Property Map - A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricAction, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionArgs
- Dimensions
This property is required. List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action Dimension> - Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
- Dimensions
This property is required. []RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action Dimension - Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
- dimensions
This property is required. List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action Dimension> - Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
- dimensions
This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action Dimension[] - Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
- dimensions
This property is required. Sequence[RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Custom Action Action Definition Publish Metric Action Dimension] - Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
- dimensions
This property is required. List<Property Map> - Set of configuration blocks containing the dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for details.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimension, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsCustomActionActionDefinitionPublishMetricActionDimensionArgs
- Value
This property is required. string - The value to use in the custom metric dimension.
- Value
This property is required. string - The value to use in the custom metric dimension.
- value
This property is required. String - The value to use in the custom metric dimension.
- value
This property is required. string - The value to use in the custom metric dimension.
- value
This property is required. str - The value to use in the custom metric dimension.
- value
This property is required. String - The value to use in the custom metric dimension.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRule, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleArgs
- Priority
This property is required. int - A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- Rule
Definition This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
- Priority
This property is required. int - A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- Rule
Definition This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
- priority
This property is required. Integer - A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- rule
Definition This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
- priority
This property is required. number - A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- rule
Definition This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
- priority
This property is required. int - A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- rule_
definition This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
- priority
This property is required. Number - A setting that indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. AWS Network Firewall evaluates the rules in a rule group starting with the lowest priority setting.
- rule
Definition This property is required. Property Map - A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinition, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionArgs
- Actions
This property is required. List<string> - Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - Match
Attributes This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
- Actions
This property is required. []string - Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - Match
Attributes This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
- actions
This property is required. List<String> - Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - match
Attributes This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
- actions
This property is required. string[] - Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - match
Attributes This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
- actions
This property is required. Sequence[str] - Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - match_
attributes This property is required. RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
- actions
This property is required. List<String> - Set of actions to take on a packet that matches one of the stateless rule definition's
match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include:aws:pass,aws:drop,aws:forward_to_sfe. - match
Attributes This property is required. Property Map - A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributes, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesArgs
- Destination
Ports List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination Port> - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- Destinations
List<Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination> - Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- Protocols List<int>
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- Source
Ports List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source Port> - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- Sources
List<Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source> - Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- Tcp
Flags List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Tcp Flag> - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
- Destination
Ports []RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination Port - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- Destinations
[]Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination - Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- Protocols []int
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- Source
Ports []RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source Port - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- Sources
[]Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source - Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- Tcp
Flags []RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Tcp Flag - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
- destination
Ports List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination Port> - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- destinations
List<Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination> - Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- protocols List<Integer>
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- source
Ports List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source Port> - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- sources
List<Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source> - Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- tcp
Flags List<RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Tcp Flag> - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
- destination
Ports RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination Port[] - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- destinations
Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination[] - Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- protocols number[]
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- source
Ports RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source Port[] - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- sources
Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source[] - Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- tcp
Flags RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Tcp Flag[] - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
- destination_
ports Sequence[RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination Port] - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- destinations
Sequence[Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Destination] - Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- protocols Sequence[int]
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- source_
ports Sequence[RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source Port] - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- sources
Sequence[Rule
Group Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Source] - Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- tcp_
flags Sequence[RuleGroup Rule Group Rules Source Stateless Rules And Custom Actions Stateless Rule Rule Definition Match Attributes Tcp Flag] - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
- destination
Ports List<Property Map> - Set of configuration blocks describing the destination ports to inspect for. If not specified, this matches with any destination port. See Destination Port below for details.
- destinations List<Property Map>
- Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
- protocols List<Number>
- Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
- source
Ports List<Property Map> - Set of configuration blocks describing the source ports to inspect for. If not specified, this matches with any source port. See Source Port below for details.
- sources List<Property Map>
- Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
- tcp
Flags List<Property Map> - Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestination, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationArgs
- Address
Definition This property is required. string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
- Address
Definition This property is required. string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
- address
Definition This property is required. String - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
- address
Definition This property is required. string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
- address_
definition This property is required. str - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
- address
Definition This property is required. String - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPort, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesDestinationPortArgs
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSource, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourceArgs
- Address
Definition This property is required. string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
- Address
Definition This property is required. string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
- address
Definition This property is required. String - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
- address
Definition This property is required. string - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
- address_
definition This property is required. str - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
- address
Definition This property is required. String - An IP address or a block of IP addresses in CIDR notation. AWS Network Firewall supports all address ranges for IPv4.
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePort, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesSourcePortArgs
RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlag, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs
, RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsStatelessRuleRuleDefinitionMatchAttributesTcpFlagArgs
- Flags
This property is required. List<string> - Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - Masks List<string>
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
- Flags
This property is required. []string - Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - Masks []string
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
- flags
This property is required. List<String> - Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - masks List<String>
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
- flags
This property is required. string[] - Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - masks string[]
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
- flags
This property is required. Sequence[str] - Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - masks Sequence[str]
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
- flags
This property is required. List<String> - Set of flags to look for in a packet. This setting can only specify values that are also specified in
masks. Valid values:FIN,SYN,RST,PSH,ACK,URG,ECE,CWR. - masks List<String>
- Set of flags to consider in the inspection. To inspect all flags, leave this empty.
Valid values:
FIN,SYN,RST,PSH,ACK,URG,ECE,CWR.
RuleGroupRuleGroupStatefulRuleOptions, RuleGroupRuleGroupStatefulRuleOptionsArgs
, RuleGroupRuleGroupStatefulRuleOptionsArgs
- Rule
Order This property is required. string - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
- Rule
Order This property is required. string - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
- rule
Order This property is required. String - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
- rule
Order This property is required. string - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
- rule_
order This property is required. str - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
- rule
Order This property is required. String - Indicates how to manage the order of the rule evaluation for the rule group. Default value:
DEFAULT_ACTION_ORDER. Valid values:DEFAULT_ACTION_ORDER,STRICT_ORDER.
Import
Using pulumi import, import Network Firewall Rule Groups using their arn. For example:
$ pulumi import aws:networkfirewall/ruleGroup:RuleGroup example arn:aws:network-firewall:us-west-1:123456789012:stateful-rulegroup/example
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.
- Example Usage
- Stateful Inspection for denying access to a domain
- Stateful Inspection for permitting packets from a source IP address
- Stateful Inspection for blocking packets from going to an intended destination
- Stateful Inspection from rules specifications defined in Suricata flat format
- Stateful Inspection from rule group specifications using rule variables and Suricata format rules
- Stateless Inspection with a Custom Action
- IP Set References to the Rule Group
- Create RuleGroup Resource
- Constructor syntax
- Constructor example
- RuleGroup Resource Properties
- Inputs
- Outputs
- Look up Existing RuleGroup Resource
- Supporting Types
- Import
- Package Details