Firewall

networkfirewall.services.k8s.aws/v1alpha1

Type   Link
GoDoc  networkfirewall-controller/apis/v1alpha1#Firewall

Metadata

Property   Value
Scope      Namespaced
Kind       Firewall
ListKind   FirewallList
Plural     firewalls
Singular   firewall

The firewall defines the configuration settings for a Network Firewall firewall. These settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall Amazon Web Services resource.

The status of the firewall, for example whether it’s ready to filter network traffic, is provided in the corresponding FirewallStatus. You can retrieve both objects by calling DescribeFirewall.

Spec

deleteProtection: boolean
description: string
encryptionConfiguration: 
  keyID: string
  type_: string
firewallName: string
firewallPolicyARN: string
firewallPolicyChangeProtection: boolean
loggingConfiguration: 
  logDestinationConfigs:
    logDestination: {}
    logDestinationType: string
    logType: string
subnetChangeProtection: boolean
subnetMappings:
- ipAddressType: string
  subnetID: string
tags:
- key: string
  value: string
vpcID: string
Field   Description
deleteProtection
Optional
boolean
A flag indicating whether it is possible to delete the firewall. A setting
of TRUE indicates that the firewall is protected against deletion. Use this
setting to protect against accidentally deleting a firewall that is in use.
When you create a firewall, the operation initializes this flag to TRUE.
description
Optional
string
A description of the firewall.
encryptionConfiguration
Optional
object
A complex type that contains settings for encryption of your firewall resources.
encryptionConfiguration.keyID
Optional
string
encryptionConfiguration.type_
Optional
string
firewallName
Required
string
The descriptive name of the firewall. You can’t change the name of a firewall
after you create it.
firewallPolicyARN
Required
string
The Amazon Resource Name (ARN) of the FirewallPolicy that you want to use
for the firewall.
firewallPolicyChangeProtection
Optional
boolean
A setting indicating whether the firewall is protected against a change to
the firewall policy association. Use this setting to protect against accidentally
modifying the firewall policy for a firewall that is in use. When you create
a firewall, the operation initializes this setting to TRUE.
loggingConfiguration
Optional
object
Defines how Network Firewall performs logging for a firewall. If you omit
this setting, Network Firewall disables logging for the firewall.
loggingConfiguration.logDestinationConfigs
Optional
array
loggingConfiguration.logDestinationConfigs.[]
Required
object
Defines where Network Firewall sends logs for the firewall for one log type.
This is used in LoggingConfiguration. You can send each type of log to an
Amazon S3 bucket, a CloudWatch log group, or a Kinesis Data Firehose delivery
stream.

Network Firewall generates logs for stateful rule groups. You can save alert and flow log types. The stateful rules engine records flow logs for all network traffic that it receives. It records alert logs for traffic that matches stateful rules that have the rule action set to DROP or ALERT.
loggingConfiguration.logDestinationConfigs.[].logDestination
Optional
object
loggingConfiguration.logDestinationConfigs.[].logDestinationType
Optional
string
loggingConfiguration.logDestinationConfigs.[].logType
Optional
string
subnetChangeProtection
Optional
boolean
A setting indicating whether the firewall is protected against changes to
the subnet associations. Use this setting to protect against accidentally
modifying the subnet associations for a firewall that is in use. When you
create a firewall, the operation initializes this setting to TRUE.
subnetMappings
Required
array
The public subnets to use for your Network Firewall firewalls. Each subnet
must belong to a different Availability Zone in the VPC. Network Firewall
creates a firewall endpoint in each subnet.
subnetMappings.[]
Required
object
The ID for a subnet that you want to associate with the firewall. This is
used with CreateFirewall and AssociateSubnets. Network Firewall creates an
instance of the associated firewall in each subnet that you specify, to filter
traffic in the subnet’s Availability Zone.
subnetMappings.[].ipAddressType
Optional
string
subnetMappings.[].subnetID
Optional
string
tags
Optional
array
The key:value pairs to associate with the resource.
tags.[]
Required
object
A key:value pair associated with an Amazon Web Services resource. The key:value
pair can be anything you define. Typically, the tag key represents a category
(such as “environment”) and the tag value represents a specific value within
that category (such as “test,” “development,” or “production”). You can add
up to 50 tags to each Amazon Web Services resource.
tags.[].key
Optional
string
tags.[].value
Optional
string
vpcID
Required
string
The unique identifier of the VPC where Network Firewall should create the
firewall.

You can’t change this setting after you create the firewall.
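The following manifest is an added example that ties the Spec fields above together; it is not taken from the ACK project's documentation. Every VPC, subnet, ARN, bucket and KMS key value is a placeholder to replace with your own. The enum values it uses (CUSTOMER_KMS, IPV4, ALERT and FLOW, S3 with bucketName and prefix keys in logDestination) are the ones the Network Firewall API accepts; this reference page does not enumerate them.

```yaml
# Added example manifest (not from the ACK project's docs). All IDs, ARNs,
# bucket and KMS key values below are placeholders; replace them with your own.
apiVersion: networkfirewall.services.k8s.aws/v1alpha1
kind: Firewall
metadata:
  name: egress-inspection
  namespace: network-security
spec:
  firewallName: egress-inspection        # cannot be changed after creation
  vpcID: vpc-0123456789abcdef0           # cannot be changed after creation
  firewallPolicyARN: arn:aws:network-firewall:us-east-1:111122223333:firewall-policy/egress-policy
  # One dedicated firewall subnet per Availability Zone; Network Firewall
  # creates an endpoint in each of them.
  subnetMappings:
    - subnetID: subnet-0aaaaaaaaaaaaaaa1
      ipAddressType: IPV4
    - subnetID: subnet-0bbbbbbbbbbbbbbb2
      ipAddressType: IPV4
  # Keep all three protections on for a firewall that is carrying traffic.
  deleteProtection: true
  firewallPolicyChangeProtection: true
  subnetChangeProtection: true
  # Customer-managed KMS key instead of the AWS-owned default.
  encryptionConfiguration:
    type_: CUSTOMER_KMS
    keyID: arn:aws:kms:us-east-1:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
  # Ship both log types. Omitting loggingConfiguration disables logging.
  loggingConfiguration:
    logDestinationConfigs:
      - logType: ALERT
        logDestinationType: S3
        logDestination:
          bucketName: example-netfw-logs
          prefix: alert
      - logType: FLOW
        logDestinationType: S3
        logDestination:
          bucketName: example-netfw-logs
          prefix: flow
  tags:
    - key: environment
      value: production
```

After `kubectl apply -f`, the controller fills in `.status.firewallStatus.status`; wait for it to read READY (the API reports PROVISIONING until the endpoints exist) and for the ACK.ResourceSynced condition in `.status.conditions` to be True before routing traffic through the endpoints. Two caveats worth knowing: the three protection flags only block changes made through the API, so they do not substitute for IAM restrictions on who can update the firewall, and with deleteProtection set to true the Network Firewall API refuses DeleteFirewall, so deleting the Kubernetes object will not remove the AWS resource until you first set the flag to false and let the controller reconcile it.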

Status

ackResourceMetadata: 
  arn: string
  ownerAccountID: string
  region: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
firewall: 
  deleteProtection: boolean
  description: string
  encryptionConfiguration: 
    keyID: string
    type_: string
  firewallARN: string
  firewallID: string
  firewallName: string
  firewallPolicyARN: string
  firewallPolicyChangeProtection: boolean
  subnetChangeProtection: boolean
  subnetMappings:
  - ipAddressType: string
    subnetID: string
  tags:
  - key: string
    value: string
  vpcID: string
firewallStatus: 
  capacityUsageSummary: 
    cidrs: 
      availableCIDRCount: integer
      ipSetReferences: {}
      utilizedCIDRCount: integer
  configurationSyncStateSummary: string
  status: string
  syncStates: {}
Field   Description
ackResourceMetadata
Optional
object
All CRs managed by ACK have a common Status.ACKResourceMetadata member
that is used to contain resource sync state, account ownership,
constructed ARN for the resource
ackResourceMetadata.arn
Optional
string
ARN is the Amazon Resource Name for the resource. This is a
globally-unique identifier and is set only by the ACK service controller
once the controller has orchestrated the creation of the resource OR
when it has verified that an “adopted” resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR’s Spec field values.
https://github.com/aws/aws-controllers-k8s/issues/270
ackResourceMetadata.ownerAccountID
Required
string
OwnerAccountID is the AWS Account ID of the account that owns the
backend AWS service API resource.
ackResourceMetadata.region
Required
string
Region is the AWS region in which the resource exists or will exist.
conditions
Optional
array
All CRs managed by ACK have a common Status.Conditions member that
contains a collection of ackv1alpha1.Condition objects that describe
the various terminal states of the CR and its backend AWS service API
resource
conditions.[]
Required
object
Condition is the common struct used by all CRDs managed by ACK service
controllers to indicate terminal states of the CR and its backend AWS
service API resource
conditions.[].message
Optional
string
A human readable message indicating details about the transition.
conditions.[].reason
Optional
string
The reason for the condition’s last transition.
conditions.[].status
Optional
string
Status of the condition, one of True, False, Unknown.
conditions.[].type
Optional
string
Type is the type of the Condition
firewall
Optional
object
The configuration settings for the firewall. These settings include the firewall
policy and the subnets in your VPC to use for the firewall endpoints.
firewall.deleteProtection
Optional
boolean
firewall.description
Optional
string
firewall.encryptionConfiguration
Optional
object
A complex type that contains optional Amazon Web Services Key Management
Service (KMS) encryption settings for your Network Firewall resources. Your
data is encrypted by default with an Amazon Web Services owned key that Amazon
Web Services owns and manages for you. You can use either the Amazon Web
Services owned key, or provide your own customer managed key. To learn more
about KMS encryption of your Network Firewall resources, see Encryption at
rest with Amazon Web Services Key Management Service (https://docs.aws.amazon.com/kms/latest/developerguide/kms-encryption-at-rest.html)
in the Network Firewall Developer Guide.
firewall.encryptionConfiguration.keyID
Optional
string
firewall.encryptionConfiguration.type_
Optional
string
firewall.firewallARN
Optional
string
firewall.firewallID
Optional
string
firewall.firewallName
Optional
string
firewall.firewallPolicyARN
Optional
string
firewall.firewallPolicyChangeProtection
Optional
boolean
firewall.subnetChangeProtection
Optional
boolean
firewall.subnetMappings
Optional
array
firewall.subnetMappings.[]
Required
object
The ID for a subnet that you want to associate with the firewall. This is
used with CreateFirewall and AssociateSubnets. Network Firewall creates an
instance of the associated firewall in each subnet that you specify, to filter
traffic in the subnet’s Availability Zone.
firewall.subnetMappings.[].subnetID
Optional
string
firewall.tags
Optional
array
firewall.tags.[]
Required
object
A key:value pair associated with an Amazon Web Services resource. The key:value
pair can be anything you define. Typically, the tag key represents a category
(such as “environment”) and the tag value represents a specific value within
that category (such as “test,” “development,” or “production”). You can add
up to 50 tags to each Amazon Web Services resource.
firewall.tags.[].value
Optional
string
firewall.vpcID
Optional
string
firewallStatus
Optional
object
Detailed information about the current status of a Firewall. You can retrieve
this for a firewall by calling DescribeFirewall and providing the firewall
name and ARN.
firewallStatus.capacityUsageSummary
Optional
object
The capacity usage summary of the resources used by the ReferenceSets in
a firewall.
firewallStatus.capacityUsageSummary.cidrs
Optional
object
Summarizes the CIDR blocks used by the IP set references in a firewall. Network
Firewall calculates the number of CIDRs by taking an aggregated count of
all CIDRs used by the IP sets you are referencing.
firewallStatus.capacityUsageSummary.cidrs.availableCIDRCount
Optional
integer
firewallStatus.capacityUsageSummary.cidrs.ipSetReferences
Optional
object
firewallStatus.capacityUsageSummary.cidrs.utilizedCIDRCount
Optional
integer
firewallStatus.configurationSyncStateSummary
Optional
string
firewallStatus.status
Optional
string
firewallStatus.syncStates
Optional
object