FirewallPolicy

networkfirewall.services.k8s.aws/v1alpha1

TypeLink
GoDocnetworkfirewall-controller/apis/v1alpha1#FirewallPolicy

Metadata

PropertyValue
ScopeNamespaced
KindFirewallPolicy
ListKindFirewallPolicyList
Pluralfirewallpolicies
Singularfirewallpolicy

The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls.

This, along with FirewallPolicyResponse, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.

Spec

description: string
encryptionConfiguration: 
  keyID: string
  type_: string
firewallPolicy: 
  policyVariables: 
    ruleVariables: {}
  statefulDefaultActions:
  - string
  statefulEngineOptions: 
    ruleOrder: string
    streamExceptionPolicy: string
  statefulRuleGroupReferences:
    override: 
      action: string
    priority: integer
    resourceARN: string
  statelessCustomActions:
    actionDefinition: 
      publishMetricAction: 
        dimensions:
        - value: string
    actionName: string
  statelessDefaultActions:
  - string
  statelessFragmentDefaultActions:
  - string
  statelessRuleGroupReferences:
  - priority: integer
    resourceARN: string
  tlsInspectionConfigurationARN: string
firewallPolicyName: string
tags:
- key: string
  value: string
FieldDescription
description
Optional
string
A description of the firewall policy.
encryptionConfiguration
Optional
object
A complex type that contains settings for encryption of your firewall policy
resources.
encryptionConfiguration.keyID
Optional
string
**encryptionConfiguration.type_**
Optional
string
firewallPolicy
Required
object
The rule groups and policy actions to use in the firewall policy.
firewallPolicy.policyVariables
Optional
object
Contains variables that you can use to override default Suricata settings
in your firewall policy.
firewallPolicy.policyVariables.ruleVariables
Optional
object
firewallPolicy.statefulDefaultActions
Optional
array
firewallPolicy.statefulDefaultActions.[]
Required
string
firewallPolicy.statefulEngineOptions.ruleOrder
Optional
string
firewallPolicy.statefulEngineOptions.streamExceptionPolicy
Optional
string
firewallPolicy.statefulRuleGroupReferences
Optional
array
firewallPolicy.statefulRuleGroupReferences.[]
Required
object
Identifier for a single stateful rule group, used in a firewall policy to
refer to a rule group.
firewallPolicy.statefulRuleGroupReferences.[].override.action
Optional
string
firewallPolicy.statefulRuleGroupReferences.[].priority
Optional
integer
firewallPolicy.statefulRuleGroupReferences.[].resourceARN
Optional
string
firewallPolicy.statelessCustomActions
Optional
array
firewallPolicy.statelessCustomActions.[]
Required
object
An optional, non-standard action to use for stateless packet handling. You
can define this in addition to the standard action that you must specify.

You define and name the custom actions that you want to be able to use, and then you reference them by name in your actions settings.

You can use custom actions in the following places:

  • In a rule group’s StatelessRulesAndCustomActions specification. The custom actions are available for use by name inside the StatelessRulesAndCustomActions where you define them. You can use them for your stateless rule actions to specify what to do with a packet that matches the rule’s match attributes.

  • In a FirewallPolicy specification, in StatelessCustomActions. The custom actions are available for use inside the policy where you define them. You can use them for the policy’s default stateless actions settings to specify what to do with packets that don’t match any of the policy’s stateless rules. || firewallPolicy.statelessCustomActions.[].actionDefinition
    Optional | object
    A custom action to use in stateless rule actions settings. This is used in
    CustomAction. | | firewallPolicy.statelessCustomActions.[].actionDefinition.publishMetricAction
    Optional | object
    Stateless inspection criteria that publishes the specified metrics to Amazon
    CloudWatch for the matching packet. This setting defines a CloudWatch dimension
    value to be published. | | firewallPolicy.statelessCustomActions.[].actionDefinition.publishMetricAction.dimensions
    Optional | array
    | | firewallPolicy.statelessCustomActions.[].actionDefinition.publishMetricAction.dimensions.[]
    Required | object
    The value to use in an Amazon CloudWatch custom metric dimension. This is used in the PublishMetrics CustomAction. A CloudWatch custom metric dimension is a name/value pair that’s part of the identity of a metric.

Network Firewall sets the dimension name to CustomAction and you provide the dimension value.

For more information about CloudWatch custom metric dimensions, see Publishing Custom Metrics (https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/publishingMetrics.html#usingDimensions) in the Amazon CloudWatch User Guide (https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html). || firewallPolicy.statelessCustomActions.[].actionDefinition.publishMetricAction.dimensions.[].value
Optional | string
| | firewallPolicy.statelessCustomActions.[].actionName
Optional | string
| | firewallPolicy.statelessDefaultActions
Optional | array
| | firewallPolicy.statelessDefaultActions.[]
Required | string
|| firewallPolicy.statelessFragmentDefaultActions
Optional | array
| | firewallPolicy.statelessFragmentDefaultActions.[]
Required | string
|| firewallPolicy.statelessRuleGroupReferences
Optional | array
| | firewallPolicy.statelessRuleGroupReferences.[]
Required | object
Identifier for a single stateless rule group, used in a firewall policy to refer to the rule group. || firewallPolicy.statelessRuleGroupReferences.[].priority
Optional | integer
| | firewallPolicy.statelessRuleGroupReferences.[].resourceARN
Optional | string
| | firewallPolicy.tlsInspectionConfigurationARN
Optional | string
| | firewallPolicyName
Required | string
The descriptive name of the firewall policy. You can’t change the name of
a firewall policy after you create it. | | tags
Optional | array
The key:value pairs to associate with the resource. | | tags.[]
Required | object
A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as “environment”) and the tag value represents a specific value within that category (such as “test,” “development,” or “production”). You can add up to 50 tags to each Amazon Web Services resource. || tags.[].key
Optional | string
| | tags.[].value
Optional | string
|

Status

ackResourceMetadata: 
  arn: string
  ownerAccountID: string
  region: string
conditions:
- lastTransitionTime: string
  message: string
  reason: string
  status: string
  type: string
firewallPolicyResponse: 
  consumedStatefulRuleCapacity: integer
  consumedStatelessRuleCapacity: integer
  description: string
  encryptionConfiguration: 
    keyID: string
    type_: string
  firewallPolicyARN: string
  firewallPolicyID: string
  firewallPolicyName: string
  firewallPolicyStatus: string
  lastModifiedTime: string
  numberOfAssociations: integer
  tags:
  - key: string
    value: string
updateToken: string
FieldDescription
ackResourceMetadata
Optional
object
All CRs managed by ACK have a common Status.ACKResourceMetadata member
that is used to contain resource sync state, account ownership,
constructed ARN for the resource
ackResourceMetadata.arn
Optional
string
ARN is the Amazon Resource Name for the resource. This is a
globally-unique identifier and is set only by the ACK service controller
once the controller has orchestrated the creation of the resource OR
when it has verified that an “adopted” resource (a resource where the
ARN annotation was set by the Kubernetes user on the CR) exists and
matches the supplied CR’s Spec field values.
https://github.com/aws/aws-controllers-k8s/issues/270
ackResourceMetadata.ownerAccountID
Required
string
OwnerAccountID is the AWS Account ID of the account that owns the
backend AWS service API resource.
ackResourceMetadata.region
Required
string
Region is the AWS region in which the resource exists or will exist.
conditions
Optional
array
All CRS managed by ACK have a common Status.Conditions member that
contains a collection of ackv1alpha1.Condition objects that describe
the various terminal states of the CR and its backend AWS service API
resource
conditions.[]
Required
object
Condition is the common struct used by all CRDs managed by ACK service
controllers to indicate terminal states of the CR and its backend AWS
service API resource
conditions.[].message
Optional
string
A human readable message indicating details about the transition.
conditions.[].reason
Optional
string
The reason for the condition’s last transition.
conditions.[].status
Optional
string
Status of the condition, one of True, False, Unknown.
conditions.[].type
Optional
string
Type is the type of the Condition
firewallPolicyResponse
Optional
object
The high-level properties of a firewall policy. This, along with the FirewallPolicy,
define the policy. You can retrieve all objects for a firewall policy by
calling DescribeFirewallPolicy.
firewallPolicyResponse.consumedStatefulRuleCapacity
Optional
integer
firewallPolicyResponse.consumedStatelessRuleCapacity
Optional
integer
firewallPolicyResponse.description
Optional
string
firewallPolicyResponse.encryptionConfiguration
Optional
object
A complex type that contains optional Amazon Web Services Key Management
Service (KMS) encryption settings for your Network Firewall resources. Your
data is encrypted by default with an Amazon Web Services owned key that Amazon
Web Services owns and manages for you. You can use either the Amazon Web
Services owned key, or provide your own customer managed key. To learn more
about KMS encryption of your Network Firewall resources, see Encryption at
rest with Amazon Web Services Key Managment Service (https://docs.aws.amazon.com/kms/latest/developerguide/kms-encryption-at-rest.html)
in the Network Firewall Developer Guide.
firewallPolicyResponse.encryptionConfiguration.keyID
Optional
string
**firewallPolicyResponse.encryptionConfiguration.type_**
Optional
string
firewallPolicyResponse.firewallPolicyARN
Optional
string
firewallPolicyResponse.firewallPolicyID
Optional
string
firewallPolicyResponse.firewallPolicyName
Optional
string
firewallPolicyResponse.firewallPolicyStatus
Optional
string
firewallPolicyResponse.lastModifiedTime
Optional
string
firewallPolicyResponse.numberOfAssociations
Optional
integer
firewallPolicyResponse.tags
Optional
array
firewallPolicyResponse.tags.[]
Required
object
A key:value pair associated with an Amazon Web Services resource. The key:value
pair can be anything you define. Typically, the tag key represents a category
(such as “environment”) and the tag value represents a specific value within
that category (such as “test,” “development,” or “production”). You can add
up to 50 tags to each Amazon Web Services resource.
firewallPolicyResponse.tags.[].value
Optional
string
updateToken
Optional
string
A token used for optimistic locking. Network Firewall returns a token to
your requests that access the firewall policy. The token marks the state
of the policy resource at the time of the request.

To make changes to the policy, you provide the token in your request. Network
Firewall uses the token to ensure that the policy hasn’t changed since you
last retrieved it. If it has changed, the operation fails with an InvalidTokenException.
If this happens, retrieve the firewall policy again to get a current copy
of it with current token. Reapply your changes as needed, then try the operation
again using the new token.