FirewallPolicy
networkfirewall.services.k8s.aws/v1alpha1
| Type | Link |
|---|---|
| GoDoc | networkfirewall-controller/apis/v1alpha1#FirewallPolicy |
Metadata
| Property | Value |
|---|---|
| Scope | Namespaced |
| Kind | FirewallPolicy |
| ListKind | FirewallPolicyList |
| Plural | firewallpolicies |
| Singular | firewallpolicy |
The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.
This, along with FirewallPolicyResponse, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.
Spec
description: string
encryptionConfiguration:
keyID: string
type_: string
firewallPolicy:
policyVariables:
ruleVariables: {}
statefulDefaultActions:
- string
statefulEngineOptions:
ruleOrder: string
streamExceptionPolicy: string
statefulRuleGroupReferences:
override:
action: string
priority: integer
resourceARN: string
statelessCustomActions:
actionDefinition:
publishMetricAction:
dimensions:
- value: string
actionName: string
statelessDefaultActions:
- string
statelessFragmentDefaultActions:
- string
statelessRuleGroupReferences:
- priority: integer
resourceARN: string
tlsInspectionConfigurationARN: string
firewallPolicyName: string
tags:
- key: string
value: string
| Field | Description |
|---|---|
| description Optional | string A description of the firewall policy. |
| encryptionConfiguration Optional | object A complex type that contains settings for encryption of your firewall policy resources. |
| encryptionConfiguration.keyID Optional | string |
| **encryptionConfiguration.type_** Optional | string |
| firewallPolicy Required | object The rule groups and policy actions to use in the firewall policy. |
| firewallPolicy.policyVariables Optional | object Contains variables that you can use to override default Suricata settings in your firewall policy. |
| firewallPolicy.policyVariables.ruleVariables Optional | object |
| firewallPolicy.statefulDefaultActions Optional | array |
| firewallPolicy.statefulDefaultActions.[] Required | string |
| firewallPolicy.statefulEngineOptions.ruleOrder Optional | string |
| firewallPolicy.statefulEngineOptions.streamExceptionPolicy Optional | string |
| firewallPolicy.statefulRuleGroupReferences Optional | array |
| firewallPolicy.statefulRuleGroupReferences.[] Required | object Identifier for a single stateful rule group, used in a firewall policy to |
| refer to a rule group. | |
| firewallPolicy.statefulRuleGroupReferences.[].override.action Optional | string |
| firewallPolicy.statefulRuleGroupReferences.[].priority Optional | integer |
| firewallPolicy.statefulRuleGroupReferences.[].resourceARN Optional | string |
| firewallPolicy.statelessCustomActions Optional | array |
| firewallPolicy.statelessCustomActions.[] Required | object An optional, non-standard action to use for stateless packet handling. You |
| can define this in addition to the standard action that you must specify. |
You define and name the custom actions that you want to be able to use, and then you reference them by name in your actions settings.
You can use custom actions in the following places:
In a rule group’s StatelessRulesAndCustomActions specification. The custom actions are available for use by name inside the StatelessRulesAndCustomActions where you define them. You can use them for your stateless rule actions to specify what to do with a packet that matches the rule’s match attributes.
In a FirewallPolicy specification, in StatelessCustomActions. The custom actions are available for use inside the policy where you define them. You can use them for the policy’s default stateless actions settings to specify what to do with packets that don’t match any of the policy’s stateless rules. || firewallPolicy.statelessCustomActions.[].actionDefinition
Optional | object
A custom action to use in stateless rule actions settings. This is used in
CustomAction. | | firewallPolicy.statelessCustomActions.[].actionDefinition.publishMetricAction
Optional | object
Stateless inspection criteria that publishes the specified metrics to Amazon
CloudWatch for the matching packet. This setting defines a CloudWatch dimension
value to be published. | | firewallPolicy.statelessCustomActions.[].actionDefinition.publishMetricAction.dimensions
Optional | array
| | firewallPolicy.statelessCustomActions.[].actionDefinition.publishMetricAction.dimensions.[]
Required | object
The value to use in an Amazon CloudWatch custom metric dimension. This is used in the PublishMetrics CustomAction. A CloudWatch custom metric dimension is a name/value pair that’s part of the identity of a metric.
Network Firewall sets the dimension name to CustomAction and you provide the dimension value.
For more information about CloudWatch custom metric dimensions, see Publishing
Custom Metrics (https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/publishingMetrics.html#usingDimensions)
in the Amazon CloudWatch User Guide (https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html). || firewallPolicy.statelessCustomActions.[].actionDefinition.publishMetricAction.dimensions.[].value
Optional | string
|
| firewallPolicy.statelessCustomActions.[].actionName
Optional | string
|
| firewallPolicy.statelessDefaultActions
Optional | array
|
| firewallPolicy.statelessDefaultActions.[]
Required | string
|| firewallPolicy.statelessFragmentDefaultActions
Optional | array
|
| firewallPolicy.statelessFragmentDefaultActions.[]
Required | string
|| firewallPolicy.statelessRuleGroupReferences
Optional | array
|
| firewallPolicy.statelessRuleGroupReferences.[]
Required | object
Identifier for a single stateless rule group, used in a firewall policy to
refer to the rule group. || firewallPolicy.statelessRuleGroupReferences.[].priority
Optional | integer
|
| firewallPolicy.statelessRuleGroupReferences.[].resourceARN
Optional | string
|
| firewallPolicy.tlsInspectionConfigurationARN
Optional | string
|
| firewallPolicyName
Required | string
The descriptive name of the firewall policy. You can’t change the name of
a firewall policy after you create it. |
| tags
Optional | array
The key:value pairs to associate with the resource. |
| tags.[]
Required | object
A key:value pair associated with an Amazon Web Services resource. The key:value
pair can be anything you define. Typically, the tag key represents a category
(such as “environment”) and the tag value represents a specific value within
that category (such as “test,” “development,” or “production”). You can add
up to 50 tags to each Amazon Web Services resource. || tags.[].key
Optional | string
|
| tags.[].value
Optional | string
|
Status
ackResourceMetadata:
arn: string
ownerAccountID: string
region: string
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
firewallPolicyResponse:
consumedStatefulRuleCapacity: integer
consumedStatelessRuleCapacity: integer
description: string
encryptionConfiguration:
keyID: string
type_: string
firewallPolicyARN: string
firewallPolicyID: string
firewallPolicyName: string
firewallPolicyStatus: string
lastModifiedTime: string
numberOfAssociations: integer
tags:
- key: string
value: string
updateToken: string
| Field | Description |
|---|---|
| ackResourceMetadata Optional | object All CRs managed by ACK have a common Status.ACKResourceMetadata memberthat is used to contain resource sync state, account ownership, constructed ARN for the resource |
| ackResourceMetadata.arn Optional | string ARN is the Amazon Resource Name for the resource. This is a globally-unique identifier and is set only by the ACK service controller once the controller has orchestrated the creation of the resource OR when it has verified that an “adopted” resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR’s Spec field values. TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270 |
| ackResourceMetadata.ownerAccountID Required | string OwnerAccountID is the AWS Account ID of the account that owns the backend AWS service API resource. |
| ackResourceMetadata.region Required | string Region is the AWS region in which the resource exists or will exist. |
| conditions Optional | array All CRS managed by ACK have a common Status.Conditions member thatcontains a collection of ackv1alpha1.Condition objects that describethe various terminal states of the CR and its backend AWS service API resource |
| conditions.[] Required | object Condition is the common struct used by all CRDs managed by ACK service |
| controllers to indicate terminal states of the CR and its backend AWS | |
| service API resource | |
| conditions.[].message Optional | string A human readable message indicating details about the transition. |
| conditions.[].reason Optional | string The reason for the condition’s last transition. |
| conditions.[].status Optional | string Status of the condition, one of True, False, Unknown. |
| conditions.[].type Optional | string Type is the type of the Condition |
| firewallPolicyResponse Optional | object The high-level properties of a firewall policy. This, along with the FirewallPolicy, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy. |
| firewallPolicyResponse.consumedStatefulRuleCapacity Optional | integer |
| firewallPolicyResponse.consumedStatelessRuleCapacity Optional | integer |
| firewallPolicyResponse.description Optional | string |
| firewallPolicyResponse.encryptionConfiguration Optional | object A complex type that contains optional Amazon Web Services Key Management Service (KMS) encryption settings for your Network Firewall resources. Your data is encrypted by default with an Amazon Web Services owned key that Amazon Web Services owns and manages for you. You can use either the Amazon Web Services owned key, or provide your own customer managed key. To learn more about KMS encryption of your Network Firewall resources, see Encryption at rest with Amazon Web Services Key Managment Service (https://docs.aws.amazon.com/kms/latest/developerguide/kms-encryption-at-rest.html) in the Network Firewall Developer Guide. |
| firewallPolicyResponse.encryptionConfiguration.keyID Optional | string |
| **firewallPolicyResponse.encryptionConfiguration.type_** Optional | string |
| firewallPolicyResponse.firewallPolicyARN Optional | string |
| firewallPolicyResponse.firewallPolicyID Optional | string |
| firewallPolicyResponse.firewallPolicyName Optional | string |
| firewallPolicyResponse.firewallPolicyStatus Optional | string |
| firewallPolicyResponse.lastModifiedTime Optional | string |
| firewallPolicyResponse.numberOfAssociations Optional | integer |
| firewallPolicyResponse.tags Optional | array |
| firewallPolicyResponse.tags.[] Required | object A key:value pair associated with an Amazon Web Services resource. The key:value |
| pair can be anything you define. Typically, the tag key represents a category | |
| (such as “environment”) and the tag value represents a specific value within | |
| that category (such as “test,” “development,” or “production”). You can add | |
| up to 50 tags to each Amazon Web Services resource. | |
| firewallPolicyResponse.tags.[].value Optional | string |
| updateToken Optional | string A token used for optimistic locking. Network Firewall returns a token to your requests that access the firewall policy. The token marks the state of the policy resource at the time of the request. To make changes to the policy, you provide the token in your request. Network Firewall uses the token to ensure that the policy hasn’t changed since you last retrieved it. If it has changed, the operation fails with an InvalidTokenException. If this happens, retrieve the firewall policy again to get a current copy of it with current token. Reapply your changes as needed, then try the operation again using the new token. |