Resource: awsNetworkfirewallFirewallPolicy
Provides an AWS Network Firewall Firewall Policy Resource
Example Usage
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

new aws.networkfirewallFirewallPolicy.NetworkfirewallFirewallPolicy(
  this,
  "example",
  {
    firewallPolicy: {
      // Packets matching no stateless rule are passed; unmatched fragments are dropped.
      statelessDefaultActions: ["aws:pass"],
      statelessFragmentDefaultActions: ["aws:drop"],
      statelessRuleGroupReference: [
        {
          priority: 1,
          // Terraform interpolation of a rule group resource named "example";
          // in CDKTF the rule group construct's `arn` attribute can be passed here instead.
          resourceArn: "${aws_networkfirewall_rule_group.example.arn}",
        },
      ],
    },
    name: "example",
    tags: {
      Tag1: "Value1",
      Tag2: "Value2",
    },
  }
);
Policy with a Custom Action for Stateless Inspection
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";

new aws.networkfirewallFirewallPolicy.NetworkfirewallFirewallPolicy(
  this,
  "test",
  {
    firewallPolicy: {
      // Defines a custom action that publishes a CloudWatch metric with dimension "1".
      statelessCustomAction: [
        {
          actionDefinition: {
            publishMetricAction: {
              dimension: [
                {
                  value: "1",
                },
              ],
            },
          },
          actionName: "ExampleCustomAction",
        },
      ],
      // The custom action is paired with the standard action aws:pass, so unmatched
      // packets are counted and then passed.
      statelessDefaultActions: ["aws:pass", "ExampleCustomAction"],
      statelessFragmentDefaultActions: ["aws:drop"],
    },
    name: "example",
  }
);
Argument Reference
The following arguments are supported:
- `description` - (Optional) A friendly description of the firewall policy.
- `encryptionConfiguration` - (Optional) KMS encryption configuration settings. See Encryption Configuration below for details.
- `firewallPolicy` - (Required) A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.
- `name` - (Required, Forces new resource) A friendly name of the firewall policy.
- `tags` - (Optional) Map of resource tags to associate with the resource. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
Encryption Configuration
The `encryptionConfiguration` block holds the settings for customer managed KMS keys. Remove this block to use the default AWS-owned KMS encryption (rather than setting `type` to `AWS_OWNED_KMS_KEY`).
- `keyId` - (Optional) The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
- `type` - (Required) The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are `CUSTOMER_KMS` and `AWS_OWNED_KMS_KEY`.
Firewall Policy
The `firewallPolicy` block supports the following arguments:
- `statefulDefaultActions` - (Optional) Set of actions to take on a packet if it does not match any stateful rules in the policy. This can only be specified if the policy has a `statefulEngineOptions` block with a `ruleOrder` value of `STRICT_ORDER`. You can specify at most one of `aws:drop_strict` or `aws:drop_established`, together with any combination of `aws:alert_strict` and `aws:alert_established`.
- `statefulEngineOptions` - (Optional) A configuration block that defines options on how the policy handles stateful rules. See Stateful Engine Options below for details.
- `statefulRuleGroupReference` - (Optional) Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See Stateful Rule Group Reference below for details.
- `statelessCustomAction` - (Optional) Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's `statelessDefaultActions`. See Stateless Custom Action below for details.
- `statelessDefaultActions` - (Required) Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify exactly one of the standard actions: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`. In addition, you can specify custom actions that are compatible with your standard action choice. If you want non-matching packets to be forwarded for stateful inspection, specify `aws:forward_to_sfe`; with `aws:pass`, non-matching packets are allowed without ever reaching the stateful rule groups.
- `statelessFragmentDefaultActions` - (Required) Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. You must specify exactly one of the standard actions: `aws:drop`, `aws:pass`, or `aws:forward_to_sfe`. In addition, you can specify custom actions that are compatible with your standard action choice. If you want non-matching fragments to be forwarded for stateful inspection, specify `aws:forward_to_sfe`.
- `statelessRuleGroupReference` - (Optional) Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See Stateless Rule Group Reference below for details.
Stateful Engine Options
The `statefulEngineOptions` block supports the following argument:
~> NOTE: If the `STRICT_ORDER` rule order is specified, this firewall policy can only reference stateful rule groups that utilize `STRICT_ORDER`.
- `ruleOrder` - (Required) Indicates how to manage the order of stateful rule evaluation for the policy. Valid values: `DEFAULT_ACTION_ORDER`, `STRICT_ORDER`. When the `statefulEngineOptions` block is omitted, the engine uses `DEFAULT_ACTION_ORDER`.
Stateful Rule Group Reference
The `statefulRuleGroupReference` block supports the following arguments:
- `priority` - (Optional) An integer setting that indicates the order in which to apply the stateful rule groups in a single policy. This argument must be specified if the policy has a `statefulEngineOptions` block with a `ruleOrder` value of `STRICT_ORDER`. AWS Network Firewall applies each stateful rule group to a packet starting with the group that has the lowest priority setting.
- `resourceArn` - (Required) The Amazon Resource Name (ARN) of the stateful rule group.
- `override` - (Optional) Configuration block for override values. See Override below for details.
Override
The `override` block supports the following argument:
- `action` - (Optional) The action that changes the rule group from DROP to ALERT. This only applies to managed rule groups. Valid value: `DROP_TO_ALERT`.
Stateless Custom Action
The `statelessCustomAction` block supports the following arguments:
- `actionDefinition` - (Required) A configuration block describing the custom action associated with the `actionName`. See Action Definition below for details.
- `actionName` - (Required, Forces new resource) A friendly name of the custom action.
Stateless Rule Group Reference
The `statelessRuleGroupReference` block supports the following arguments:
- `priority` - (Required) An integer setting that indicates the order in which to run the stateless rule groups in a single policy. AWS Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting.
- `resourceArn` - (Required) The Amazon Resource Name (ARN) of the stateless rule group.
Action Definition
The `actionDefinition` block supports the following argument:
- `publishMetricAction` - (Required) A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
Publish Metric Action
The `publishMetricAction` block supports the following argument:
- `dimension` - (Required) Set of configuration blocks describing dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for more details.
Dimension
The `dimension` block supports the following argument:
- `value` - (Required) The string value to use in the custom metric dimension.
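The constraints in the argument reference above (exactly one standard stateless action per default-action set, custom action names that must be defined in `statelessCustomAction`, `statefulDefaultActions` and stateful `priority` only valid under `STRICT_ORDER`) are easy to get wrong and surface only at apply time. The block below is an added example, not code from this page or from the provider: a plain TypeScript checker over an object with the same camelCase keys as the `firewallPolicy` block, plus a builder for a default-deny policy that forwards everything unmatched to the stateful engine and drops what the stateful rule groups do not explicitly allow. It imports neither `cdktf` nor the generated bindings, so it runs stand-alone; the `FirewallPolicyBlock` types, the `defaultDenyPolicy`, `validateFirewallPolicy` and `hardeningFindings` functions, and the ARNs are this example's own placeholders.

```typescript
// Subset of the resource's `firewallPolicy` block with the same camelCase keys
// as the CDKTF binding (example types, not the generated ones).
type RuleOrder = "DEFAULT_ACTION_ORDER" | "STRICT_ORDER";

interface StatefulRuleGroupReference {
  resourceArn: string;
  priority?: number; // required only under STRICT_ORDER
  override?: { action?: "DROP_TO_ALERT" };
}

interface StatelessRuleGroupReference {
  resourceArn: string;
  priority: number;
}

interface StatelessCustomAction {
  actionName: string;
  actionDefinition: { publishMetricAction: { dimension: { value: string }[] } };
}

interface FirewallPolicyBlock {
  statelessDefaultActions: string[];
  statelessFragmentDefaultActions: string[];
  statelessCustomAction?: StatelessCustomAction[];
  statelessRuleGroupReference?: StatelessRuleGroupReference[];
  statefulEngineOptions?: { ruleOrder: RuleOrder };
  statefulDefaultActions?: string[];
  statefulRuleGroupReference?: StatefulRuleGroupReference[];
}

const STANDARD_STATELESS = ["aws:drop", "aws:pass", "aws:forward_to_sfe"];
const STATEFUL_DROP = ["aws:drop_strict", "aws:drop_established"];
const STATEFUL_ALERT = ["aws:alert_strict", "aws:alert_established"];

// Default-deny policy: packets and fragments matching no stateless rule go to the
// stateful engine, which (STRICT_ORDER) drops and alerts on anything the referenced
// stateful rule groups do not explicitly pass. Priorities follow list order.
function defaultDenyPolicy(statefulArns: string[], statelessArns: string[] = []): FirewallPolicyBlock {
  const ref = (arn: string, i: number) => ({ priority: i + 1, resourceArn: arn });
  return {
    statelessDefaultActions: ["aws:forward_to_sfe"],
    statelessFragmentDefaultActions: ["aws:forward_to_sfe"],
    statelessRuleGroupReference: statelessArns.map(ref),
    statefulEngineOptions: { ruleOrder: "STRICT_ORDER" },
    statefulDefaultActions: ["aws:drop_strict", "aws:alert_strict"],
    statefulRuleGroupReference: statefulArns.map(ref),
  };
}

// One standard action, and every other entry must be a defined custom action.
function checkStateless(label: string, actions: string[], custom: Set<string>, out: string[]): void {
  if (actions.filter((a) => STANDARD_STATELESS.includes(a)).length !== 1) {
    out.push(`${label}: exactly one of ${STANDARD_STATELESS.join("/")} is required`);
  }
  for (const a of actions) {
    if (!STANDARD_STATELESS.includes(a) && !custom.has(a)) {
      out.push(`${label}: "${a}" is neither a standard action nor a defined statelessCustomAction`);
    }
  }
}

// Returns the constraint violations the API would reject; empty means well-formed.
function validateFirewallPolicy(p: FirewallPolicyBlock): string[] {
  const out: string[] = [];
  const custom = new Set((p.statelessCustomAction ?? []).map((c) => c.actionName));
  checkStateless("statelessDefaultActions", p.statelessDefaultActions, custom, out);
  checkStateless("statelessFragmentDefaultActions", p.statelessFragmentDefaultActions, custom, out);
  for (const r of p.statelessRuleGroupReference ?? []) {
    if (!Number.isInteger(r.priority)) out.push(`statelessRuleGroupReference ${r.resourceArn}: priority is required`);
  }
  const strict = p.statefulEngineOptions?.ruleOrder === "STRICT_ORDER";
  if (p.statefulDefaultActions) {
    if (!strict) out.push("statefulDefaultActions requires statefulEngineOptions.ruleOrder = STRICT_ORDER");
    if (p.statefulDefaultActions.filter((a) => STATEFUL_DROP.includes(a)).length > 1) {
      out.push(`statefulDefaultActions: at most one of ${STATEFUL_DROP.join("/")}`);
    }
    for (const a of p.statefulDefaultActions) {
      if (!STATEFUL_DROP.includes(a) && !STATEFUL_ALERT.includes(a)) out.push(`statefulDefaultActions: unknown action "${a}"`);
    }
  }
  for (const r of p.statefulRuleGroupReference ?? []) {
    if (strict && !Number.isInteger(r.priority)) out.push(`statefulRuleGroupReference ${r.resourceArn}: priority is required under STRICT_ORDER`);
  }
  return out;
}

// Advisory findings: valid settings that still leave unmatched traffic uninspected or allowed.
function hardeningFindings(p: FirewallPolicyBlock): string[] {
  const out: string[] = [];
  if (p.statelessDefaultActions.includes("aws:pass")) out.push("unmatched packets bypass stateful inspection (aws:pass)");
  if (p.statelessFragmentDefaultActions.includes("aws:pass")) out.push("unmatched fragments bypass stateful inspection (aws:pass)");
  if (p.statefulEngineOptions?.ruleOrder !== "STRICT_ORDER") {
    out.push("not STRICT_ORDER, so no statefulDefaultActions: flows unmatched by stateful rules are not dropped by policy");
  } else if (!(p.statefulDefaultActions ?? []).some((a) => STATEFUL_DROP.includes(a))) {
    out.push("STRICT_ORDER without a drop default: unmatched flows are alerted on at most, not dropped");
  }
  return out;
}

// Constructed placeholder ARNs and a deliberately weak policy to exercise the checks.
const ARN_PREFIX = "arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/";
const goodPolicy = defaultDenyPolicy([ARN_PREFIX + "allow-known-egress"]);
const weakPolicy: FirewallPolicyBlock = {
  statelessDefaultActions: ["aws:pass", "CountIt"], // CountIt is never defined
  statelessFragmentDefaultActions: ["aws:drop"],
  statefulDefaultActions: ["aws:drop_strict", "aws:drop_established"], // two drops, and no STRICT_ORDER
  statefulRuleGroupReference: [{ resourceArn: ARN_PREFIX + "legacy" }],
};
const goodProblems = validateFirewallPolicy(goodPolicy); // []
const weakProblems = validateFirewallPolicy(weakPolicy); // 3 violations
```

The object `defaultDenyPolicy` returns is the value you would pass as `firewallPolicy:` to `NetworkfirewallFirewallPolicy`; running `validateFirewallPolicy` and `hardeningFindings` over it in a unit test or pre-synth step catches the apply-time errors and the silent allow paths before the policy reaches a firewall.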
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- `id` - The Amazon Resource Name (ARN) that identifies the firewall policy.
- `arn` - The Amazon Resource Name (ARN) that identifies the firewall policy.
- `tagsAll` - A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
- `updateToken` - A string token used when updating a firewall policy.
Import
Network Firewall Policies can be imported using their `arn`.