
Resource: awsShieldProtectionGroup

Creates a grouping of protected resources so they can be handled as a collective. This resource grouping improves the accuracy of detection and reduces false positives. For more information, see Managing AWS Shield Advanced protection groups.

Example Usage

Create protection group for all resources

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.shieldProtectionGroup.ShieldProtectionGroup(this, "example", {
  aggregation: "MAX",
  pattern: "ALL",
  protectionGroupId: "example",
});

Create protection group for arbitrary number of resources

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
const awsEipExample = new aws.eip.Eip(this, "example", {
  vpc: true,
});
const dataAwsCallerIdentityCurrent =
  new aws.dataAwsCallerIdentity.DataAwsCallerIdentity(this, "current", {});
const dataAwsRegionCurrent = new aws.dataAwsRegion.DataAwsRegion(
  this,
  "current_2",
  {}
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
dataAwsRegionCurrent.overrideLogicalId("current");
const awsShieldProtectionExample = new aws.shieldProtection.ShieldProtection(
  this,
  "example_3",
  {
    name: "example",
    // Region, account and allocation id are CDKTF tokens; interpolating them
    // directly into the template literal resolves to the Terraform expression.
    resourceArn: `arn:aws:ec2:${dataAwsRegionCurrent.name}:${dataAwsCallerIdentityCurrent.accountId}:eip-allocation/${awsEipExample.id}`,
  }
);
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsShieldProtectionExample.overrideLogicalId("example");
const awsShieldProtectionGroupExample =
  new aws.shieldProtectionGroup.ShieldProtectionGroup(this, "example_4", {
    aggregation: "MEAN",
    // The CDKTF meta-argument is dependsOn and takes resource objects rather
    // than interpolated strings; the protection must exist before the group.
    dependsOn: [awsShieldProtectionExample],
    members: [
      `arn:aws:ec2:${dataAwsRegionCurrent.name}:${dataAwsCallerIdentityCurrent.accountId}:eip-allocation/${awsEipExample.id}`,
    ],
    pattern: "ARBITRARY",
    protectionGroupId: "example",
  });
/*This allows the Terraform resource name to match the original name. You can remove the call if you don't need them to match.*/
awsShieldProtectionGroupExample.overrideLogicalId("example");

Create protection group for a type of resource

/*Provider bindings are generated by running cdktf get.
See https://cdk.tf/provider-generation for more details.*/
import * as aws from "./.gen/providers/aws";
new aws.shieldProtectionGroup.ShieldProtectionGroup(this, "example", {
  aggregation: "SUM",
  pattern: "BY_RESOURCE_TYPE",
  protectionGroupId: "example",
  resourceType: "ELASTIC_IP_ALLOCATION",
});

Argument Reference

The following arguments are supported:

  • aggregation - (Required) Defines how AWS Shield combines resource data for the group in order to detect, mitigate, and report events.
  • members - (Optional) The Amazon Resource Names (ARNs) of the resources to include in the protection group. You must set this when you set pattern to ARBITRARY and you must not set it for any other pattern setting.
  • pattern - (Required) The criteria to use to choose the protected resources for inclusion in the group.
  • protectionGroupId - (Required) The name of the protection group.
  • resourceType - (Optional) The resource type to include in the protection group. You must set this when you set pattern to BY_RESOURCE_TYPE and you must not set it for any other pattern setting.
  • tags - (Optional) Key-value map of resource tags. If configured with a provider defaultTags configuration block present, tags with matching keys will overwrite those defined at the provider level.
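The coupling rules above (members only with ARBITRARY, resourceType only with BY_RESOURCE_TYPE) are easy to get wrong when the inputs come from variables, and the mistake only surfaces at apply time. The following pre-synth check is an added example, not provider code; the type and function names are my own, and it assumes the valid aggregation and pattern values are exactly the ones shown on this page.

```typescript
// Added example: a pre-synth lint for aws_shield_protection_group inputs so a
// misconfiguration fails in CI before `cdktf deploy` reaches the Shield API.
// Not part of the provider; ProtectionGroupInput and validateProtectionGroup
// are names chosen for this example.

export interface ProtectionGroupInput {
  protectionGroupId: string;
  aggregation: string;
  pattern: string;
  members?: string[];
  resourceType?: string;
}

// Values taken from the examples on this page (assumed to be the full set).
const AGGREGATIONS = new Set<string>(["SUM", "MEAN", "MAX"]);
const PATTERNS = new Set<string>(["ALL", "ARBITRARY", "BY_RESOURCE_TYPE"]);

// Returns a list of violations; an empty list means the config is consistent.
export function validateProtectionGroup(cfg: ProtectionGroupInput): string[] {
  const errors: string[] = [];
  if (!cfg.protectionGroupId) errors.push("protectionGroupId is required");
  if (!AGGREGATIONS.has(cfg.aggregation)) {
    errors.push(`aggregation "${cfg.aggregation}" is not SUM, MEAN or MAX`);
  }
  if (!PATTERNS.has(cfg.pattern)) {
    errors.push(`pattern "${cfg.pattern}" is not ALL, ARBITRARY or BY_RESOURCE_TYPE`);
  }
  // members: required for ARBITRARY, forbidden otherwise.
  if (cfg.pattern === "ARBITRARY") {
    if ((cfg.members?.length ?? 0) === 0) {
      errors.push("members is required when pattern is ARBITRARY");
    }
    // Members are ARNs; a token-built ARN still starts with "arn:", so this
    // catches a botched interpolation without rejecting CDKTF tokens.
    for (const m of cfg.members ?? []) {
      if (!m.startsWith("arn:")) errors.push(`member "${m}" is not an ARN`);
    }
  } else if (cfg.members !== undefined) {
    errors.push(`members must not be set when pattern is ${cfg.pattern}`);
  }
  // resourceType: required for BY_RESOURCE_TYPE, forbidden otherwise.
  if (cfg.pattern === "BY_RESOURCE_TYPE") {
    if (!cfg.resourceType) {
      errors.push("resourceType is required when pattern is BY_RESOURCE_TYPE");
    }
  } else if (cfg.resourceType !== undefined) {
    errors.push(`resourceType must not be set when pattern is ${cfg.pattern}`);
  }
  return errors;
}
```

Run it over every ShieldProtectionGroup config object before constructing the resource and fail the build on a non-empty result.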

Attributes Reference

In addition to all arguments above, the following attributes are exported:

  • protectionGroupArn - The ARN (Amazon Resource Name) of the protection group.
  • tagsAll - A map of tags assigned to the resource, including those inherited from the provider defaultTags configuration block.

Import

Shield protection group resources can be imported by specifying their protection group ID.

$ terraform import aws_shield_protection_group.example example