Resource: awsShieldProtectionGroup
Creates a grouping of protected resources so they can be handled as a collective. This resource grouping improves the accuracy of detection and reduces false positives. For more information, see Managing AWS Shield Advanced protection groups in the AWS Shield documentation.
Example Usage
Create protection group for all resources
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.shieldProtectionGroup.ShieldProtectionGroup(this, "example", {
  aggregation: "MAX",
  pattern: "ALL",
  protectionGroupId: "example",
});
```
Create protection group for arbitrary number of resources
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsEipExample = new aws.eip.Eip(this, "example", {
  vpc: true,
});
const dataAwsCallerIdentityCurrent =
  new aws.dataAwsCallerIdentity.DataAwsCallerIdentity(this, "current", {});
const dataAwsRegionCurrent = new aws.dataAwsRegion.DataAwsRegion(
  this,
  "current_2",
  {}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsRegionCurrent.overrideLogicalId("current");
const awsShieldProtectionExample = new aws.shieldProtection.ShieldProtection(
  this,
  "example_3",
  {
    name: "example",
    // Tokens (region name, account ID, EIP allocation ID) are resolved by CDKTF at synth time;
    // they are interpolated directly, without an extra "${...}" wrapper.
    resourceArn: `arn:aws:ec2:${dataAwsRegionCurrent.name}:${dataAwsCallerIdentityCurrent.accountId}:eip-allocation/${awsEipExample.id}`,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsShieldProtectionExample.overrideLogicalId("example");
const awsShieldProtectionGroupExample =
  new aws.shieldProtectionGroup.ShieldProtectionGroup(this, "example_4", {
    aggregation: "MEAN",
    // dependsOn takes the dependent resource objects, not interpolated strings.
    dependsOn: [awsShieldProtectionExample],
    members: [
      `arn:aws:ec2:${dataAwsRegionCurrent.name}:${dataAwsCallerIdentityCurrent.accountId}:eip-allocation/${awsEipExample.id}`,
    ],
    pattern: "ARBITRARY",
    protectionGroupId: "example",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsShieldProtectionGroupExample.overrideLogicalId("example");
```
Create protection group for a type of resource
```typescript
/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.shieldProtectionGroup.ShieldProtectionGroup(this, "example", {
  aggregation: "SUM",
  pattern: "BY_RESOURCE_TYPE",
  protectionGroupId: "example",
  resourceType: "ELASTIC_IP_ALLOCATION",
});
```
Argument Reference
The following arguments are supported:
- `aggregation` - (Required) Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events.
- `members` - (Optional) The Amazon Resource Names (ARNs) of the resources to include in the protection group. You must set this when you set `pattern` to `ARBITRARY`, and you must not set it for any other `pattern` setting.
- `pattern` - (Required) The criteria to use to choose the protected resources for inclusion in the group.
- `protectionGroupId` - (Required) The name of the protection group.
- `resourceType` - (Optional) The resource type to include in the protection group. You must set this when you set `pattern` to `BY_RESOURCE_TYPE`, and you must not set it for any other `pattern` setting.
- `tags` - (Optional) Key-value map of resource tags. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider level.
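The `pattern`, `members` and `resourceType` rules above are only enforced when Terraform applies the plan. The following is an added example (not part of the provider or its documentation) of a pre-synth lint that encodes those rules so a misconfigured group is caught before it reaches AWS; the config type and the `lintProtectionGroup` name are assumptions made here.

```typescript
// Added example: pre-synth lint for aws_shield_protection_group arguments.
// Encodes the argument rules documented on this page; not provider code.
type Aggregation = "SUM" | "MEAN" | "MAX";
type Pattern = "ALL" | "ARBITRARY" | "BY_RESOURCE_TYPE";

interface ProtectionGroupConfig {
  protectionGroupId: string;
  aggregation: Aggregation;
  pattern: Pattern;
  members?: string[];
  resourceType?: string;
}

// Returns the list of rule violations; an empty list means the config
// satisfies the documented pattern/members/resourceType constraints.
function lintProtectionGroup(cfg: ProtectionGroupConfig): string[] {
  const problems: string[] = [];
  const hasMembers = cfg.members !== undefined && cfg.members.length > 0;
  const hasType = cfg.resourceType !== undefined;

  // members is required iff pattern is ARBITRARY
  if (cfg.pattern === "ARBITRARY" && !hasMembers) {
    problems.push("pattern ARBITRARY requires at least one member ARN");
  }
  if (cfg.pattern !== "ARBITRARY" && hasMembers) {
    problems.push(`members must not be set with pattern ${cfg.pattern}`);
  }
  // resourceType is required iff pattern is BY_RESOURCE_TYPE
  if (cfg.pattern === "BY_RESOURCE_TYPE" && !hasType) {
    problems.push("pattern BY_RESOURCE_TYPE requires resourceType");
  }
  if (cfg.pattern !== "BY_RESOURCE_TYPE" && hasType) {
    problems.push(`resourceType must not be set with pattern ${cfg.pattern}`);
  }
  // members are ARNs; anything else is rejected at apply time
  for (const m of cfg.members ?? []) {
    if (!m.startsWith("arn:")) problems.push(`member is not an ARN: ${m}`);
  }
  return problems;
}

// Constructed sample: a group that mixes the ARBITRARY and BY_RESOURCE_TYPE styles.
const misconfigured: ProtectionGroupConfig = {
  protectionGroupId: "example",
  aggregation: "MEAN",
  pattern: "ARBITRARY",
  resourceType: "ELASTIC_IP_ALLOCATION",
};
console.log(lintProtectionGroup(misconfigured));
```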
Attributes Reference
In addition to all arguments above, the following attributes are exported:
- `protectionGroupArn` - The ARN (Amazon Resource Name) of the protection group.
- `tagsAll` - A map of tags assigned to the resource, including those inherited from the provider `defaultTags` configuration block.
Import
Shield protection group resources can be imported by specifying their protection group ID.