Resource: awsFmsPolicy

Provides a resource to create an AWS Firewall Manager policy. You need to be using AWS organizations and have enabled the Firewall Manager administrator account.

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import { Fn } from "cdktf";
import * as aws from "./.gen/providers/aws";
// Create the rule group first so the policy below can reference its id.
const awsWafregionalRuleGroupExample =
  new aws.wafregionalRuleGroup.WafregionalRuleGroup(this, "example_1", {
    metricName: "WAFRuleGroupExample",
    name: "WAF-Rule-Group-Example",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsWafregionalRuleGroupExample.overrideLogicalId("example");
new aws.fmsPolicy.FmsPolicy(this, "example", {
  excludeResourceTags: false,
  name: "FMS-Policy-Example",
  remediationEnabled: false,
  resourceType: "AWS::ElasticLoadBalancingV2::LoadBalancer",
  securityServicePolicyData: {
    // managedServiceData must be a JSON string. Fn.jsonencode is the CDKTF
    // equivalent of Terraform's jsonencode() and keeps the rule group id as a
    // proper reference instead of embedding raw HCL inside a string literal.
    managedServiceData: Fn.jsonencode({
      type: "WAF",
      ruleGroups: [
        {
          id: awsWafregionalRuleGroupExample.id,
          overrideAction: { type: "COUNT" },
        },
      ],
      defaultAction: { type: "BLOCK" },
      overrideCustomerWebACLAssociation: false,
    }),
    type: "WAF",
  },
  tags: {
    Name: "example-fms-policy",
  },
});

Argument Reference

The following arguments are supported:

  • name - (Required, Forces new resource) The friendly name of the AWS Firewall Manager Policy.
  • deleteAllPolicyResources - (Optional) If true, the request will also perform a clean-up process. Defaults to true. See the AWS Firewall Manager documentation on deleting a policy for more information.
  • deleteUnusedFmManagedResources - (Optional) If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to false. See the AWS Firewall Manager documentation on policy contents for more information.
  • description - (Optional) The description of the AWS Network Firewall firewall policy.
  • excludeMap - (Optional) A map of lists of accounts and OUs to exclude from the policy.
  • excludeResourceTags - (Required, Forces new resource) A boolean value. If true, resources that carry the tags specified in resourceTags are not protected by this policy. If false and resourceTags is populated, only resources that carry those tags are protected by this policy.
  • includeMap - (Optional) A map of lists of accounts and OUs to include in the policy.
  • remediationEnabled - (Required) A boolean value indicating whether the policy should be automatically applied to resources that already exist in the account.
  • resourceTags - (Optional) A map of resource tags that, if present, filters which resources are protected, according to the value of excludeResourceTags.
  • resourceType - (Optional) A resource type to protect. Conflicts with resourceTypeList. See the FMS API Reference for more information about supported values.
  • resourceTypeList - (Optional) A list of resource types to protect. Conflicts with resourceType. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead use resourceType.
  • securityServicePolicyData - (Required) The objects to include in Security Service Policy Data. Documented below.
  • tags - (Optional) Key-value mapping of resource tags. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

excludeMap Configuration Block

  • account - (Optional) A list of AWS Organization member Accounts that you want to exclude from this AWS FMS Policy.
  • orgunit - (Optional) A list of AWS Organizational Units that you want to exclude from this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an includeMap, AWS Firewall Manager applies the policy to all accounts specified by the includeMap, and does not evaluate any excludeMap specifications. If you do not specify an includeMap, then Firewall Manager applies the policy to all accounts except for those specified by the excludeMap.

includeMap Configuration Block

  • account - (Optional) A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
  • orgunit - (Optional) A list of AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an includeMap, AWS Firewall Manager applies the policy to all accounts specified by the includeMap, and does not evaluate any excludeMap specifications. If you do not specify an includeMap, then Firewall Manager applies the policy to all accounts except for those specified by the excludeMap.
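The scoping rules above (includeMap takes precedence over excludeMap, an OU covers its child OUs and their accounts, and resourceTags combined with excludeResourceTags filter individual resources) are modelled in the following added example. It is not part of the provider documentation or the provider's code; the org tree, OU names and account ids are constructed, and it assumes a resource must carry all of the policy's resourceTags to count as tagged.

```typescript
type Scope = { account?: string[]; orgunit?: string[] };

interface PolicyScope {
  includeMap?: Scope;
  excludeMap?: Scope;
  excludeResourceTags: boolean;
  resourceTags?: Record<string, string>;
}

// Constructed org tree: maps an OU or account id to its parent OU.
const parentOf: Record<string, string> = {
  "ou-prod": "r-root",
  "ou-prod-eu": "ou-prod",
  "ou-sandbox": "r-root",
  "111111111111": "ou-prod",
  "222222222222": "ou-prod-eu",
  "333333333333": "ou-sandbox",
};

// An OU selector covers the OU itself, its child OUs and all their accounts,
// so walk up from the account until the OU is found or the root is passed.
function underOu(accountId: string, ou: string): boolean {
  let node: string | undefined = parentOf[accountId];
  while (node !== undefined) {
    if (node === ou) return true;
    node = parentOf[node];
  }
  return false;
}

function matchesScope(accountId: string, scope?: Scope): boolean {
  if (!scope) return false;
  if (scope.account?.includes(accountId)) return true;
  return (scope.orgunit ?? []).some((ou) => underOu(accountId, ou));
}

// includeMap wins: when it is present, excludeMap is never evaluated.
function accountInScope(policy: PolicyScope, accountId: string): boolean {
  if (policy.includeMap) return matchesScope(accountId, policy.includeMap);
  return !matchesScope(accountId, policy.excludeMap);
}

// With no resourceTags every resource is in scope; otherwise a tagged resource
// is excluded when excludeResourceTags is true and included when it is false.
// Assumption: all listed tags must match for a resource to count as tagged.
function resourceInScope(policy: PolicyScope, tags: Record<string, string>): boolean {
  const wanted = Object.entries(policy.resourceTags ?? {});
  if (wanted.length === 0) return true;
  const hasTags = wanted.every(([k, v]) => tags[k] === v);
  return policy.excludeResourceTags ? !hasTags : hasTags;
}
```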

securityServicePolicyData Configuration Block

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The AWS account ID of the AWS Firewall Manager administrator account.
  • policyUpdateToken - A unique identifier for each update to the policy.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

Firewall Manager policies can be imported using the policy ID, e.g.,

$ terraform import aws_fms_policy.example 5be49585-a7e3-4c49-dde1-a179fe4a619a