"use strict";
// *** WARNING: this file was generated by pulumi-language-nodejs. ***
// *** Do not edit by hand unless you're certain you know what you are doing! ***
Object.defineProperty(exports, "__esModule", { value: true });
exports.RuleGroup = void 0;
const pulumi = require("@pulumi/pulumi");
const utilities = require("../utilities");

// Property names copied from provider state when an existing resource is
// looked up (the `opts.id` path of the constructor). Order is preserved from
// the generated code so that `resourceInputs` keeps the same key order.
const STATE_PROPERTY_KEYS = [
    "arn",
    "capacity",
    "description",
    "encryptionConfiguration",
    "name",
    "region",
    "ruleGroup",
    "rules",
    "tags",
    "tagsAll",
    "type",
    "updateToken",
];

// Inputs a caller may supply when creating a new rule group, in the order the
// generated constructor assigns them.
const ARG_PROPERTY_KEYS = [
    "capacity",
    "description",
    "encryptionConfiguration",
    "name",
    "region",
    "ruleGroup",
    "rules",
    "tags",
    "type",
];

// Inputs that must be present on creation unless `opts.urn` is set.
const REQUIRED_ARG_KEYS = ["capacity", "type"];

// Output-only properties; they are seeded as `undefined` on creation so the
// key exists in `resourceInputs` and is later filled in by the provider.
const OUTPUT_ONLY_KEYS = ["arn", "tagsAll", "updateToken"];

/**
 * Provides an AWS Network Firewall Rule Group Resource
 *
 * ## Example Usage
 *
 * ### Stateful Inspection for denying access to a domain
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const example = new aws.networkfirewall.RuleGroup("example", {
 *     capacity: 100,
 *     name: "example",
 *     type: "STATEFUL",
 *     ruleGroup: {
 *         rulesSource: {
 *             rulesSourceList: {
 *                 generatedRulesType: "DENYLIST",
 *                 targetTypes: ["HTTP_HOST"],
 *                 targets: ["test.example.com"],
 *             },
 *         },
 *     },
 *     tags: {
 *         Tag1: "Value1",
 *         Tag2: "Value2",
 *     },
 * });
 * ```
 *
 * ### Stateful Inspection for permitting packets from a source IP address
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const ips = [
 *     "1.1.1.1/32",
 *     "1.0.0.1/32",
 * ];
 * const example = new aws.networkfirewall.RuleGroup("example", {
 *     capacity: 50,
 *     description: "Permits http traffic from source",
 *     name: "example",
 *     type: "STATEFUL",
 *     ruleGroup: {
 *         rulesSource: {
 *             statefulRules: ips.map((v, k) => ({key: k, value: v})).map(entry => ({
 *                 action: "PASS",
 *                 header: {
 *                     destination: "ANY",
 *                     destinationPort: "ANY",
 *                     protocol: "HTTP",
 *                     direction: "ANY",
 *                     sourcePort: "ANY",
 *                     source: entry.value,
 *                 },
 *                 ruleOptions: [{
 *                     keyword: "sid",
 *                     settings: ["1"],
 *                 }],
 *             })),
 *         },
 *     },
 *     tags: {
 *         Name: "permit HTTP from source",
 *     },
 * });
 * ```
 *
 * ### Stateful Inspection for blocking packets from going to an intended destination
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const example = new aws.networkfirewall.RuleGroup("example", {
 *     capacity: 100,
 *     name: "example",
 *     type: "STATEFUL",
 *     ruleGroup: {
 *         rulesSource: {
 *             statefulRules: [{
 *                 action: "DROP",
 *                 header: {
 *                     destination: "124.1.1.24/32",
 *                     destinationPort: "53",
 *                     direction: "ANY",
 *                     protocol: "TCP",
 *                     source: "1.2.3.4/32",
 *                     sourcePort: "53",
 *                 },
 *                 ruleOptions: [{
 *                     keyword: "sid",
 *                     settings: ["1"],
 *                 }],
 *             }],
 *         },
 *     },
 *     tags: {
 *         Tag1: "Value1",
 *         Tag2: "Value2",
 *     },
 * });
 * ```
 *
 * ### Stateful Inspection from rules specifications defined in Suricata flat format
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 * import * as std from "@pulumi/std";
 *
 * const example = new aws.networkfirewall.RuleGroup("example", {
 *     capacity: 100,
 *     name: "example",
 *     type: "STATEFUL",
 *     rules: std.file({
 *         input: "example.rules",
 *     }).then(invoke => invoke.result),
 *     tags: {
 *         Tag1: "Value1",
 *         Tag2: "Value2",
 *     },
 * });
 * ```
 *
 * ### Stateful Inspection from rule group specifications using rule variables and Suricata format rules
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 * import * as std from "@pulumi/std";
 *
 * const example = new aws.networkfirewall.RuleGroup("example", {
 *     capacity: 100,
 *     name: "example",
 *     type: "STATEFUL",
 *     ruleGroup: {
 *         ruleVariables: {
 *             ipSets: [
 *                 {
 *                     key: "WEBSERVERS_HOSTS",
 *                     ipSet: {
 *                         definitions: [
 *                             "10.0.0.0/16",
 *                             "10.0.1.0/24",
 *                             "192.168.0.0/16",
 *                         ],
 *                     },
 *                 },
 *                 {
 *                     key: "EXTERNAL_HOST",
 *                     ipSet: {
 *                         definitions: ["1.2.3.4/32"],
 *                     },
 *                 },
 *             ],
 *             portSets: [{
 *                 key: "HTTP_PORTS",
 *                 portSet: {
 *                     definitions: [
 *                         "443",
 *                         "80",
 *                     ],
 *                 },
 *             }],
 *         },
 *         rulesSource: {
 *             rulesString: std.file({
 *                 input: "suricata_rules_file",
 *             }).then(invoke => invoke.result),
 *         },
 *     },
 *     tags: {
 *         Tag1: "Value1",
 *         Tag2: "Value2",
 *     },
 * });
 * ```
 *
 * ### Stateless Inspection with a Custom Action
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const example = new aws.networkfirewall.RuleGroup("example", {
 *     description: "Stateless Rate Limiting Rule",
 *     capacity: 100,
 *     name: "example",
 *     type: "STATELESS",
 *     ruleGroup: {
 *         rulesSource: {
 *             statelessRulesAndCustomActions: {
 *                 customActions: [{
 *                     actionDefinition: {
 *                         publishMetricAction: {
 *                             dimensions: [{
 *                                 value: "2",
 *                             }],
 *                         },
 *                     },
 *                     actionName: "ExampleMetricsAction",
 *                 }],
 *                 statelessRules: [{
 *                     priority: 1,
 *                     ruleDefinition: {
 *                         actions: [
 *                             "aws:pass",
 *                             "ExampleMetricsAction",
 *                         ],
 *                         matchAttributes: {
 *                             sources: [{
 *                                 addressDefinition: "1.2.3.4/32",
 *                             }],
 *                             sourcePorts: [{
 *                                 fromPort: 443,
 *                                 toPort: 443,
 *                             }],
 *                             destinations: [{
 *                                 addressDefinition: "124.1.1.5/32",
 *                             }],
 *                             destinationPorts: [{
 *                                 fromPort: 443,
 *                                 toPort: 443,
 *                             }],
 *                             protocols: [6],
 *                             tcpFlags: [{
 *                                 flags: ["SYN"],
 *                                 masks: [
 *                                     "SYN",
 *                                     "ACK",
 *                                 ],
 *                             }],
 *                         },
 *                     },
 *                 }],
 *             },
 *         },
 *     },
 *     tags: {
 *         Tag1: "Value1",
 *         Tag2: "Value2",
 *     },
 * });
 * ```
 *
 * ### IP Set References to the Rule Group
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const example = new aws.networkfirewall.RuleGroup("example", {
 *     capacity: 100,
 *     name: "example",
 *     type: "STATEFUL",
 *     ruleGroup: {
 *         rulesSource: {
 *             rulesSourceList: {
 *                 generatedRulesType: "DENYLIST",
 *                 targetTypes: ["HTTP_HOST"],
 *                 targets: ["test.example.com"],
 *             },
 *         },
 *         referenceSets: {
 *             ipSetReferences: [{
 *                 key: "example",
 *                 ipSetReferences: [{
 *                     referenceArn: _this.arn,
 *                 }],
 *             }],
 *         },
 *     },
 *     tags: {
 *         Tag1: "Value1",
 *         Tag2: "Value2",
 *     },
 * });
 * ```
 *
 * ### Example with S3 as source for the suricata rules
 *
 * ```typescript
 * import * as pulumi from "@pulumi/pulumi";
 * import * as aws from "@pulumi/aws";
 *
 * const suricataRules = aws.s3.getObject({
 *     bucket: suricataRulesAwsS3Bucket.id,
 *     key: "rules/custom.rules",
 * });
 * const s3RulesExample = new aws.networkfirewall.RuleGroup("s3_rules_example", {
 *     capacity: 1000,
 *     name: "my-terraform-s3-rules",
 *     type: "STATEFUL",
 *     ruleGroup: {
 *         ruleVariables: {
 *             ipSets: [{
 *                 key: "HOME_NET",
 *                 ipSet: {
 *                     definitions: [
 *                         "10.0.0.0/16",
 *                         "192.168.0.0/16",
 *                         "172.16.0.0/12",
 *                     ],
 *                 },
 *             }],
 *             portSets: [{
 *                 key: "HTTP_PORTS",
 *                 portSet: {
 *                     definitions: [
 *                         "443",
 *                         "80",
 *                     ],
 *                 },
 *             }],
 *         },
 *         rulesSource: {
 *             rulesString: suricataRules.then(suricataRules => suricataRules.body),
 *         },
 *     },
 *     tags: {
 *         ManagedBy: "terraform",
 *     },
 * });
 * ```
 *
 * ## Import
 *
 * Using `pulumi import`, import Network Firewall Rule Groups using their `arn`. For example:
 *
 * ```sh
 * $ pulumi import aws:networkfirewall/ruleGroup:RuleGroup example arn:aws:network-firewall:us-west-1:123456789012:stateful-rulegroup/example
 * ```
 */
class RuleGroup extends pulumi.CustomResource {
    /**
     * Look up an existing RuleGroup by name and provider ID instead of creating one.
     * Setting `id` on the options is what routes the constructor onto its
     * "existing state" path.
     *
     * @param name The _unique_ name of the resulting resource.
     * @param id The _unique_ provider ID of the resource to lookup.
     * @param state Any extra arguments used during the lookup.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @returns A RuleGroup bound to the existing resource.
     */
    static get(name, id, state, opts) {
        const lookupOpts = { ...opts, id: id };
        return new RuleGroup(name, state, lookupOpts);
    }

    /**
     * Reports whether `obj` is a RuleGroup. The check compares the
     * `__pulumiType` marker rather than using `instanceof`, so it still works
     * when several copies of the Pulumi SDK are loaded into one process.
     *
     * @param obj Any value.
     * @returns `true` when `obj` carries this resource's `__pulumiType`.
     */
    static isInstance(obj) {
        // `== null` covers both `undefined` and `null`, as the generated code did.
        if (obj == null) {
            return false;
        }
        return obj['__pulumiType'] === RuleGroup.__pulumiType;
    }

    /**
     * Create a RuleGroup, or bind to an existing one when `opts.id` is set.
     *
     * @param name The _unique_ name of the resource.
     * @param argsOrState Creation inputs, or (with `opts.id`) previously recorded state.
     *   `encryptionConfiguration` is forwarded untouched; presumably it carries the
     *   customer-managed key settings for the rule group — confirm against the provider schema.
     * @param opts Optional settings to control the behavior of the CustomResource.
     * @throws {Error} When creating (no `opts.id`) without `capacity` or `type`,
     *   unless `opts.urn` is set.
     */
    constructor(name, argsOrState, opts) {
        // `||` rather than `??` to keep the generated code's handling of falsy options.
        const baseOpts = opts || {};
        const resourceInputs = {};

        if (baseOpts.id) {
            // Lookup of an existing resource: copy every known property from state.
            const state = argsOrState;
            for (const key of STATE_PROPERTY_KEYS) {
                resourceInputs[key] = state?.[key];
            }
        } else {
            const args = argsOrState;
            // The required-property check is skipped when a URN is supplied;
            // presumably the engine already has that resource's inputs — TODO confirm.
            if (!baseOpts.urn) {
                for (const required of REQUIRED_ARG_KEYS) {
                    if (args?.[required] === undefined) {
                        throw new Error(`Missing required property '${required}'`);
                    }
                }
            }
            for (const key of ARG_PROPERTY_KEYS) {
                resourceInputs[key] = args?.[key];
            }
            for (const outKey of OUTPUT_ONLY_KEYS) {
                resourceInputs[outKey] = undefined /*out*/;
            }
        }

        const mergedOpts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), baseOpts);
        super(RuleGroup.__pulumiType, name, resourceInputs, mergedOpts);
    }
}
exports.RuleGroup = RuleGroup;
/** @internal */
RuleGroup.__pulumiType = 'aws:networkfirewall/ruleGroup:RuleGroup';
//# sourceMappingURL=ruleGroup.js.map