
Resource: awsNetworkfirewallFirewallPolicy

Provides an AWS Network Firewall Firewall Policy Resource

Example Usage

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallFirewallPolicy.NetworkfirewallFirewallPolicy(
  this,
  "example",
  {
    firewallPolicy: {
      // Unmatched non-fragment packets are passed straight through, bypassing
      // any stateful rule groups; use "aws:forward_to_sfe" to send them to the
      // stateful engine instead.
      statelessDefaultActions: ["aws:pass"],
      // Unmatched fragments are dropped.
      statelessFragmentDefaultActions: ["aws:drop"],
      statelessRuleGroupReference: [
        {
          priority: 1,
          // HCL reference to a stateless rule group defined elsewhere in the stack.
          resourceArn: "${aws_networkfirewall_rule_group.example.arn}",
        },
      ],
    },
    name: "example",
    tags: {
      Tag1: "Value1",
      Tag2: "Value2",
    },
  }
);

Policy with a Custom Action for Stateless Inspection

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.networkfirewallFirewallPolicy.NetworkfirewallFirewallPolicy(
  this,
  "test",
  {
    firewallPolicy: {
      statelessCustomAction: [
        {
          actionDefinition: {
            publishMetricAction: {
              dimension: [
                {
                  value: "1",
                },
              ],
            },
          },
          actionName: "ExampleCustomAction",
        },
      ],
      statelessDefaultActions: ["aws:pass", "ExampleCustomAction"],
      statelessFragmentDefaultActions: ["aws:drop"],
    },
    name: "example",
  }
);

Argument Reference

The following arguments are supported:

  • description - (Optional) A friendly description of the firewall policy.

  • encryptionConfiguration - (Optional) KMS encryption configuration settings. See Encryption Configuration below for details.

  • firewallPolicy - (Required) A configuration block describing the rule groups and policy actions to use in the firewall policy. See Firewall Policy below for details.

  • name - (Required, Forces new resource) A friendly name of the firewall policy.

  • tags - (Optional) Map of resource tags to associate with the resource. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

Encryption Configuration

encryptionConfiguration settings for customer managed KMS keys. Remove this block to use the default AWS-managed KMS encryption (rather than setting type to AWS_OWNED_KMS_KEY).

  • keyId - (Optional) The ID of the customer managed key. You can use any of the key identifiers that KMS supports, unless you're using a key that's managed by another account. If you're using a key managed by another account, then specify the key ARN.
  • type - (Required) The type of AWS KMS key to use for encryption of your Network Firewall resources. Valid values are CUSTOMER_KMS and AWS_OWNED_KMS_KEY.

Firewall Policy

The firewallPolicy block supports the following arguments:

  • statefulDefaultActions - (Optional) Set of actions to take on a packet if it does not match any stateful rules in the policy. This can only be specified if the policy has a statefulEngineOptions block with a ruleOrder value of STRICT_ORDER. Valid values are aws:drop_strict, aws:drop_established, aws:alert_strict and aws:alert_established: include at most one of the two drop actions (or neither), combined with any of the alert actions.

  • statefulEngineOptions - (Optional) A configuration block that defines options on how the policy handles stateful rules. See Stateful Engine Options below for details.

  • statefulRuleGroupReference - (Optional) Set of configuration blocks containing references to the stateful rule groups that are used in the policy. See Stateful Rule Group Reference below for details.

  • statelessCustomAction - (Optional) Set of configuration blocks describing the custom action definitions that are available for use in the firewall policy's statelessDefaultActions. See Stateless Custom Action below for details.

  • statelessDefaultActions - (Required) Set of actions to take on a packet if it does not match any of the stateless rules in the policy. You must specify exactly one of the standard actions: aws:drop, aws:pass, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice. Note that aws:pass lets a non-matching packet through without the stateful rule groups ever seeing it; if you want non-matching packets to be forwarded for stateful inspection, specify aws:forward_to_sfe.

  • statelessFragmentDefaultActions - (Required) Set of actions to take on a fragmented packet if it does not match any of the stateless rules in the policy. You must specify exactly one of the standard actions: aws:drop, aws:pass, or aws:forward_to_sfe. In addition, you can specify custom actions that are compatible with your standard action choice. If you want non-matching fragments to be forwarded for stateful inspection, specify aws:forward_to_sfe.

  • statelessRuleGroupReference - (Optional) Set of configuration blocks containing references to the stateless rule groups that are used in the policy. See Stateless Rule Group Reference below for details.

Stateful Engine Options

The statefulEngineOptions block supports the following argument:

~> NOTE: If the STRICT_ORDER rule order is specified, this firewall policy can only reference stateful rule groups that utilize STRICT_ORDER.

  • ruleOrder - (Required within this block) Indicates how to manage the order of stateful rule evaluation for the policy. Valid values: DEFAULT_ACTION_ORDER, STRICT_ORDER. When the statefulEngineOptions block is omitted, the policy uses DEFAULT_ACTION_ORDER.

Stateful Rule Group Reference

The statefulRuleGroupReference block supports the following arguments:

  • priority - (Optional) An integer setting that indicates the order in which to apply the stateful rule groups in a single policy. This argument must be specified if the policy has a statefulEngineOptions block with a ruleOrder value of STRICT_ORDER. AWS Network Firewall applies each stateful rule group to a packet starting with the group that has the lowest priority setting.

  • resourceArn - (Required) The Amazon Resource Name (ARN) of the stateful rule group.

  • override - (Optional) Configuration block for override values

Override

  • action - (Optional) The action that overrides the rule group's action from DROP to ALERT. Valid value: DROP_TO_ALERT. This only applies to managed rule groups.

Stateless Custom Action

The statelessCustomAction block supports the following arguments:

  • actionDefinition - (Required) A configuration block describing the custom action associated with the actionName. See Action Definition below for details.

  • actionName - (Required, Forces new resource) A friendly name of the custom action.

Stateless Rule Group Reference

The statelessRuleGroupReference block supports the following arguments:

  • priority - (Required) An integer setting that indicates the order in which to run the stateless rule groups in a single policy. AWS Network Firewall applies each stateless rule group to a packet starting with the group that has the lowest priority setting.

  • resourceArn - (Required) The Amazon Resource Name (ARN) of the stateless rule group.
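The Firewall Policy, Stateful Engine Options, Stateful Rule Group Reference, Stateless Custom Action and Stateless Rule Group Reference sections above describe constraints that Terraform only discovers at apply time, when the Network Firewall API rejects the policy. The following is an added example, not code from the Terraform AWS provider or the CDKTF documentation: a small lint that takes the `firewallPolicy` block as a plain object (the same field names the resource uses) and reports violations of the documented rules before `cdktf deploy`. The `FirewallPolicyConfig` interface, the `lintFirewallPolicy`, `hardenedPolicy` and `brokenPolicy` functions, and the rule group ARN inside them are assumptions made for this example; the sample policies are constructed.

```typescript
// Added example (not part of the provider or CDKTF docs): pre-apply lint for the
// firewallPolicy block of aws.networkfirewallFirewallPolicy. Field names mirror
// the argument reference on this page; the checks encode the constraints the
// page states. FirewallPolicyConfig and all sample policies are constructed here.

type RuleOrder = "DEFAULT_ACTION_ORDER" | "STRICT_ORDER";

interface FirewallPolicyConfig {
  statelessDefaultActions: string[];
  statelessFragmentDefaultActions: string[];
  statelessCustomAction?: { actionName: string }[];
  statelessRuleGroupReference?: { priority: number; resourceArn: string }[];
  statefulEngineOptions?: { ruleOrder: RuleOrder };
  statefulDefaultActions?: string[];
  statefulRuleGroupReference?: { priority?: number; resourceArn: string }[];
}

// Action values as AWS spells them (string values, not camelCased attribute names).
const STANDARD_STATELESS = new Set(["aws:pass", "aws:drop", "aws:forward_to_sfe"]);
const STATEFUL_DROP = new Set(["aws:drop_strict", "aws:drop_established"]);
const STATEFUL_ALERT = new Set(["aws:alert_strict", "aws:alert_established"]);

// A stateless default-action set carries exactly one standard action; every
// other entry must be a custom action declared in statelessCustomAction.
function checkStatelessActions(field: string, actions: string[], custom: Set<string>): string[] {
  const errors: string[] = [];
  const standard = actions.filter((a) => STANDARD_STATELESS.has(a));
  if (standard.length !== 1) {
    errors.push(`${field}: exactly one of aws:pass, aws:drop, aws:forward_to_sfe is required`);
  }
  for (const a of actions) {
    if (!STANDARD_STATELESS.has(a) && !custom.has(a)) {
      errors.push(`${field}: "${a}" is neither a standard action nor a declared statelessCustomAction`);
    }
  }
  return errors;
}

// Returns the list of violations; an empty list means the block satisfies the
// documented constraints (it does not check that the referenced rule groups exist).
function lintFirewallPolicy(p: FirewallPolicyConfig): string[] {
  const errors: string[] = [];
  const custom = new Set((p.statelessCustomAction ?? []).map((c) => c.actionName));
  errors.push(...checkStatelessActions("statelessDefaultActions", p.statelessDefaultActions, custom));
  errors.push(...checkStatelessActions("statelessFragmentDefaultActions", p.statelessFragmentDefaultActions, custom));

  const strict = p.statefulEngineOptions?.ruleOrder === "STRICT_ORDER";
  if (p.statefulDefaultActions !== undefined) {
    if (!strict) {
      errors.push("statefulDefaultActions: only allowed with statefulEngineOptions.ruleOrder = STRICT_ORDER");
    }
    const drops = p.statefulDefaultActions.filter((a) => STATEFUL_DROP.has(a));
    if (drops.length > 1) {
      errors.push("statefulDefaultActions: at most one of aws:drop_strict / aws:drop_established");
    }
    for (const a of p.statefulDefaultActions) {
      if (!STATEFUL_DROP.has(a) && !STATEFUL_ALERT.has(a)) {
        errors.push(`statefulDefaultActions: "${a}" is not a valid stateful default action`);
      }
    }
  }
  // Under STRICT_ORDER every stateful rule group reference needs a priority.
  for (const ref of p.statefulRuleGroupReference ?? []) {
    if (strict && ref.priority === undefined) {
      errors.push(`statefulRuleGroupReference ${ref.resourceArn}: priority is required under STRICT_ORDER`);
    }
  }
  return errors;
}

// Constructed fail-closed policy: unmatched packets and fragments go to the
// stateful engine, and whatever the stateful rules do not pass is dropped and alerted.
function hardenedPolicy(): FirewallPolicyConfig {
  return {
    statelessDefaultActions: ["aws:forward_to_sfe"],
    statelessFragmentDefaultActions: ["aws:forward_to_sfe"],
    statefulEngineOptions: { ruleOrder: "STRICT_ORDER" },
    statefulDefaultActions: ["aws:drop_strict", "aws:alert_strict"],
    statefulRuleGroupReference: [
      // Hypothetical ARN of a STRICT_ORDER stateful rule group.
      { priority: 1, resourceArn: "arn:aws:network-firewall:us-west-1:123456789012:stateful-rulegroup/allowlist" },
    ],
  };
}

// Constructed policy with three mistakes the lint reports (four messages in total).
function brokenPolicy(): FirewallPolicyConfig {
  return {
    statelessDefaultActions: ["aws:forwardToSfe"],             // camelCased: not a real action
    statelessFragmentDefaultActions: ["aws:drop", "aws:pass"], // two standard actions
    statefulDefaultActions: ["aws:drop_strict"],               // no STRICT_ORDER engine options
  };
}
```

Run `lintFirewallPolicy(hardenedPolicy())` to get an empty list and `lintFirewallPolicy(brokenPolicy())` to see the four messages; pass the same object to the `firewallPolicy` argument of the CDKTF resource once it lints clean. The hardened policy is the shape a practitioner usually wants: `aws:forward_to_sfe` for both default-action sets so that nothing bypasses the stateful rule groups, and STRICT_ORDER with `aws:drop_strict` so that traffic the stateful rules do not explicitly pass is dropped rather than allowed.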

Action Definition

The actionDefinition block supports the following argument:

  • publishMetricAction - (Required) A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.

Publish Metric Action

The publishMetricAction block supports the following argument:

  • dimension - (Required) Set of configuration blocks describing dimension settings to use for Amazon CloudWatch custom metrics. See Dimension below for more details.

Dimension

The dimension block supports the following argument:

  • value - (Required) The string value to use in the custom metric dimension.

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • id - The Amazon Resource Name (ARN) that identifies the firewall policy.

  • arn - The Amazon Resource Name (ARN) that identifies the firewall policy.

  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

  • updateToken - A string token used when updating a firewall policy.

Import

Network Firewall Policies can be imported using their arn.

$ terraform import aws_networkfirewall_firewall_policy.example arn:aws:network-firewall:us-west-1:123456789012:firewall-policy/example