fms

package


Constants

// PolicyFirewallDeploymentModel values select how Firewall Manager places
// firewall endpoints for NETWORK_FIREWALL and THIRD_PARTY_FIREWALL policies.
// In the ManagedServiceData examples on LookupPolicyResult, DISTRIBUTED pairs with
// a networkFirewallOrchestrationConfig / distributedFirewallOrchestrationConfig
// (endpoints per in-scope VPC), while CENTRALIZED pairs with a
// centralizedFirewallOrchestrationConfig that names inspection VPCs.
// The string values are the exact wire values the API expects; use these
// constants rather than retyping the literals.
const (
	PolicyFirewallDeploymentModelDistributed = PolicyFirewallDeploymentModel("DISTRIBUTED")
	PolicyFirewallDeploymentModelCentralized = PolicyFirewallDeploymentModel("CENTRALIZED")
)
// PolicyNetworkAclEntryRuleAction is the action of a network ACL entry that a
// NETWORK_ACL_COMMON policy manages. Note that these values are lowercase
// ("allow"/"deny"), unlike every other enum in this package; presumably the API
// compares them literally, so always use the constants instead of hand-written
// strings to avoid a silently rejected or misinterpreted rule.
const (
	PolicyNetworkAclEntryRuleActionAllow = PolicyNetworkAclEntryRuleAction("allow")
	PolicyNetworkAclEntryRuleActionDeny  = PolicyNetworkAclEntryRuleAction("deny")
)
// PolicyType enumerates the security service a Firewall Manager policy uses
// (the "Type" of SecurityServicePolicyData). Which resource types a policy of
// each type may protect is listed on LookupPolicyResult.ResourceType.
//
// NOTE(review): IMPORT_NETWORK_FIREWALL and NETWORK_ACL_COMMON are defined here
// but are missing from the "Valid values" list in the SecurityServicePolicyData
// field documentation; treat this constant block as the authoritative set.
const (
	PolicyTypeWaf                        = PolicyType("WAF")
	PolicyTypeWafv2                      = PolicyType("WAFV2")
	PolicyTypeShieldAdvanced             = PolicyType("SHIELD_ADVANCED")
	PolicyTypeSecurityGroupsCommon       = PolicyType("SECURITY_GROUPS_COMMON")
	PolicyTypeSecurityGroupsContentAudit = PolicyType("SECURITY_GROUPS_CONTENT_AUDIT")
	PolicyTypeSecurityGroupsUsageAudit   = PolicyType("SECURITY_GROUPS_USAGE_AUDIT")
	PolicyTypeNetworkFirewall            = PolicyType("NETWORK_FIREWALL")
	PolicyTypeThirdPartyFirewall         = PolicyType("THIRD_PARTY_FIREWALL")
	PolicyTypeDnsFirewall                = PolicyType("DNS_FIREWALL")
	PolicyTypeImportNetworkFirewall      = PolicyType("IMPORT_NETWORK_FIREWALL")
	PolicyTypeNetworkAclCommon           = PolicyType("NETWORK_ACL_COMMON")
)


Types

type LookupNotificationChannelArgs added in v0.12.0

// LookupNotificationChannelArgs holds the input to LookupNotificationChannel.
// The channel is identified by the SNS topic ARN; there is no separate ID.
type LookupNotificationChannelArgs struct {
	// The Amazon Resource Name (ARN) of the SNS topic that collects notifications from AWS Firewall Manager.
	SnsTopicArn string `pulumi:"snsTopicArn"`
}

type LookupNotificationChannelOutputArgs added in v0.12.0

// LookupNotificationChannelOutputArgs is the Output-typed form of
// LookupNotificationChannelArgs, for use when the topic ARN is itself a
// Pulumi output (e.g. from an sns.Topic created in the same program).
type LookupNotificationChannelOutputArgs struct {
	// The Amazon Resource Name (ARN) of the SNS topic that collects notifications from AWS Firewall Manager.
	SnsTopicArn pulumi.StringInput `pulumi:"snsTopicArn"`
}

func (LookupNotificationChannelOutputArgs) ElementType added in v0.12.0

type LookupNotificationChannelResult added in v0.12.0

// LookupNotificationChannelResult is the read-only view returned by
// LookupNotificationChannel. Both fields are pointers and may be nil when the
// channel does not exist or the value is unset; callers should nil-check
// before dereferencing.
type LookupNotificationChannelResult struct {
	// The Amazon Resource Name (ARN) of the IAM role that allows Amazon SNS to record AWS Firewall Manager activity.
	// NOTE(review): the field is named SnsRoleName but is documented as an ARN — confirm which form the API returns.
	SnsRoleName *string `pulumi:"snsRoleName"`
	// The Amazon Resource Name (ARN) of the SNS topic that collects notifications from AWS Firewall Manager.
	SnsTopicArn *string `pulumi:"snsTopicArn"`
}

func LookupNotificationChannel added in v0.12.0

func LookupNotificationChannel(ctx *pulumi.Context, args *LookupNotificationChannelArgs, opts ...pulumi.InvokeOption) (*LookupNotificationChannelResult, error)

Looks up the AWS Firewall Manager notification channel — the IAM role and Amazon Simple Notification Service (SNS) topic that Firewall Manager uses to record SNS logs — keyed by the SNS topic ARN. This is a read-only invoke: it does not create or modify the channel (use the NotificationChannel resource for that).

type LookupNotificationChannelResultOutput added in v0.12.0

// LookupNotificationChannelResultOutput is the Output-typed wrapper around
// LookupNotificationChannelResult; its accessors (SnsRoleName, SnsTopicArn)
// lift the individual fields into Pulumi outputs.
type LookupNotificationChannelResultOutput struct{ *pulumi.OutputState }

func (LookupNotificationChannelResultOutput) ElementType added in v0.12.0

func (LookupNotificationChannelResultOutput) SnsRoleName added in v0.12.0

The Amazon Resource Name (ARN) of the IAM role that allows Amazon SNS to record AWS Firewall Manager activity.

func (LookupNotificationChannelResultOutput) SnsTopicArn added in v0.12.0

The Amazon Resource Name (ARN) of the SNS topic that collects notifications from AWS Firewall Manager.

func (LookupNotificationChannelResultOutput) ToLookupNotificationChannelResultOutput added in v0.12.0

func (o LookupNotificationChannelResultOutput) ToLookupNotificationChannelResultOutput() LookupNotificationChannelResultOutput

func (LookupNotificationChannelResultOutput) ToLookupNotificationChannelResultOutputWithContext added in v0.12.0

func (o LookupNotificationChannelResultOutput) ToLookupNotificationChannelResultOutputWithContext(ctx context.Context) LookupNotificationChannelResultOutput

type LookupPolicyArgs added in v0.12.0

// LookupPolicyArgs holds the input to LookupPolicy: the Firewall Manager
// policy ID (not the policy name or ARN).
type LookupPolicyArgs struct {
	// The ID of the policy.
	Id string `pulumi:"id"`
}

type LookupPolicyOutputArgs added in v0.12.0

// LookupPolicyOutputArgs is the Output-typed form of LookupPolicyArgs, for use
// when the policy ID comes from another resource's output.
type LookupPolicyOutputArgs struct {
	// The ID of the policy.
	Id pulumi.StringInput `pulumi:"id"`
}

func (LookupPolicyOutputArgs) ElementType added in v0.12.0

func (LookupPolicyOutputArgs) ElementType() reflect.Type

type LookupPolicyResult added in v0.12.0

// LookupPolicyResult is the read-only view of an existing Firewall Manager
// policy returned by LookupPolicy. Every field is a pointer or slice and may be
// nil/empty when unset.
//
// When auditing a policy from this struct, the effective scope is the
// intersection of three independent selectors: the account scope
// (IncludeMap/ExcludeMap — an absent IncludeMap means every account except
// ExcludeMap entries), the resource scope (ResourceType/ResourceTypeList, plus
// ResourceTags as modified by ExcludeResourceTags), and the deployment scope
// inside SecurityServicePolicyData.ManagedServiceData, which is an opaque JSON
// string and should be parsed rather than string-matched.
type LookupPolicyResult struct {
	// The Amazon Resource Name (ARN) of the policy.
	Arn *string `pulumi:"arn"`
	// Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
	//
	// You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap` , AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap` , and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap` , then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap` .
	//
	// You can specify account IDs, OUs, or a combination:
	//
	// - Specify account IDs by setting the key to `ACCOUNT` . For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}` .
	// - Specify OUs by setting the key to `ORGUNIT` . For example, the following is a valid map: `{"ORGUNIT" : ["ouid111", "ouid112"]}` .
	// - Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}` .
	ExcludeMap *PolicyIeMap `pulumi:"excludeMap"`
	// Used only when tags are specified in the `ResourceTags` property. If this property is `True` , resources with the specified tags are not in scope of the policy. If it's `False` , only resources with the specified tags are in scope of the policy.
	//
	// Review note: `True` turns the tag list into an opt-out mechanism — anyone who can tag a resource can take it out of policy scope — so check who holds tagging permissions in the member accounts before relying on it.
	ExcludeResourceTags *bool `pulumi:"excludeResourceTags"`
	// The ID of the policy.
	Id *string `pulumi:"id"`
	// Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
	//
	// You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap` , AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap` , and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap` , then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap` .
	//
	// You can specify account IDs, OUs, or a combination:
	//
	// - Specify account IDs by setting the key to `ACCOUNT` . For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}` .
	// - Specify OUs by setting the key to `ORGUNIT` . For example, the following is a valid map: `{"ORGUNIT" : ["ouid111", "ouid112"]}` .
	// - Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}` .
	IncludeMap *PolicyIeMap `pulumi:"includeMap"`
	// Your description of the AWS Firewall Manager policy.
	PolicyDescription *string `pulumi:"policyDescription"`
	// The name of the AWS Firewall Manager policy.
	PolicyName *string `pulumi:"policyName"`
	// Indicates if the policy should be automatically applied to new resources.
	RemediationEnabled *bool `pulumi:"remediationEnabled"`
	// The unique identifiers of the resource sets used by the policy.
	ResourceSetIds []string `pulumi:"resourceSetIds"`
	// An array of `ResourceTag` objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also `ExcludeResourceTags` .
	ResourceTags []PolicyResourceTag `pulumi:"resourceTags"`
	// The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .
	//
	// The following are valid resource types for each Firewall Manager policy type:
	//
	// - AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .
	// - AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .
	// - Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .
	// - Network ACL - `AWS::EC2::Subnet` .
	// - Security group usage audit - `AWS::EC2::SecurityGroup` .
	// - Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .
	// - DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .
	ResourceType *string `pulumi:"resourceType"`
	// An array of `ResourceType` objects. Use this only to specify multiple resource types. To specify a single resource type, use `ResourceType` .
	ResourceTypeList []string `pulumi:"resourceTypeList"`
	// Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.
	//
	// By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.
	//
	// This option is not available for Shield Advanced or AWS WAF Classic policies.
	ResourcesCleanUp *bool `pulumi:"resourcesCleanUp"`
	// Details about the security service that is being used to protect the resources.
	//
	// This contains the following settings:
	//
	// - Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .
	//
	// Valid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`
	//
	// (This package's `PolicyType` constants additionally define `IMPORT_NETWORK_FIREWALL` and `NETWORK_ACL_COMMON`, which are not in the list above.)
	// - ManagedServiceData - Details about the service that are specific to the service type, in JSON format.
	//
	// - Example: `DNS_FIREWALL`
	//
	// `"{\"type\":\"DNS_FIREWALL\",\"preProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-1\",\"priority\":10}],\"postProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-2\",\"priority\":9911}]}"`
	//
	// > Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.
	// - Example: `NETWORK_FIREWALL` - Centralized deployment model
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`
	//
	// To use the centralized deployment model shown above, set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `CENTRALIZED` ; the distributed examples that follow require `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"OFF\"},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`
	//
	// With automatic Availability Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"]},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\": \"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\", \"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{ \"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[ \"10.0.0.0/28\"]}]} },\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"OFF\",\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`
	//
	// With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"],\"routeManagementConfig\":{\"allowCrossAZTrafficIfNoEndpoint\":true}},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model
	//
	// `"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`
	//
	// To use the centralized deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .
	// - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model
	//
	// `"{\"type\":\"THIRD_PARTY_FIREWALL\",\"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\",\"thirdPartyFirewallConfig\":{\"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{ \"availabilityZoneConfigList\":[ {\"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .
	// - Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions
	//
	// `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\", \"automaticResponseAction\":\"BLOCK|COUNT\"}, \"overrideCustomerWebaclClassic\":true|false}"`
	//
	// For example: `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED\", \"automaticResponseAction\":\"COUNT\"}}"`
	//
	// The default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .
	//
	// For other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.
	// - Example: `WAFV2`
	//
	// `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`
	//
	// In the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .
	//
	// NOTE(review): the WAFV2 examples above use `SingleHeader` and `Method` as `redactedFieldType`, which does not match the list in the previous sentence — confirm the accepted spellings against the current API before relying on redaction of sensitive headers such as `Cookies`.
	// - Example: `AWS WAF Classic`
	//
	// `"{\"type\": \"WAF\", \"ruleGroups\": [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", \"overrideAction\" : {\"type\": \"COUNT\"}}], \"defaultAction\": {\"type\": \"BLOCK\"}}"`
	// - Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning
	//
	// `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`
	//
	// To use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.
	// - Example: `SECURITY_GROUPS_COMMON`
	//
	// `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"`
	// - Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns
	//
	// `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":true,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"`
	// - Example: `SECURITY_GROUPS_CONTENT_AUDIT`
	//
	// `"{\"type\":\"SECURITY_GROUPS_CONTENT_AUDIT\",\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}],\"securityGroupAction\":{\"type\":\"ALLOW\"}}"`
	//
	// The security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
	// - Example: `SECURITY_GROUPS_USAGE_AUDIT`
	//
	// `"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true}"`
	SecurityServicePolicyData *PolicySecurityServicePolicyData `pulumi:"securityServicePolicyData"`
	// A collection of key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource.
	Tags []aws.Tag `pulumi:"tags"`
}

func LookupPolicy added in v0.12.0

func LookupPolicy(ctx *pulumi.Context, args *LookupPolicyArgs, opts ...pulumi.InvokeOption) (*LookupPolicyResult, error)

Looks up an existing AWS Firewall Manager policy by its policy ID and returns its current configuration. This is a read-only invoke: it does not create or modify a policy (use the Policy resource for that).

type LookupPolicyResultOutput added in v0.12.0

// LookupPolicyResultOutput is the Output-typed wrapper around LookupPolicyResult
// returned by LookupPolicyOutput; each accessor below lifts one field into a
// Pulumi output.
type LookupPolicyResultOutput struct{ *pulumi.OutputState }

func LookupPolicyOutput added in v0.12.0

func LookupPolicyOutput(ctx *pulumi.Context, args LookupPolicyOutputArgs, opts ...pulumi.InvokeOption) LookupPolicyResultOutput

func (LookupPolicyResultOutput) Arn added in v0.12.0

The Amazon Resource Name (ARN) of the policy.

func (LookupPolicyResultOutput) ElementType added in v0.12.0

func (LookupPolicyResultOutput) ElementType() reflect.Type

func (LookupPolicyResultOutput) ExcludeMap added in v0.12.0

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap` , AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap` , and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap` , then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap` .

You can specify account IDs, OUs, or a combination:

- Specify account IDs by setting the key to `ACCOUNT` . For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}` .
- Specify OUs by setting the key to `ORGUNIT` . For example, the following is a valid map: `{"ORGUNIT" : ["ouid111", "ouid112"]}` .
- Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}` .

func (LookupPolicyResultOutput) ExcludeResourceTags added in v0.12.0

func (o LookupPolicyResultOutput) ExcludeResourceTags() pulumi.BoolPtrOutput

Used only when tags are specified in the `ResourceTags` property. If this property is `True` , resources with the specified tags are not in scope of the policy. If it's `False` , only resources with the specified tags are in scope of the policy.

func (LookupPolicyResultOutput) Id added in v0.12.0

The ID of the policy.

func (LookupPolicyResultOutput) IncludeMap added in v0.12.0

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap` , AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap` , and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap` , then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap` .

You can specify account IDs, OUs, or a combination:

- Specify account IDs by setting the key to `ACCOUNT` . For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}` .
- Specify OUs by setting the key to `ORGUNIT` . For example, the following is a valid map: `{"ORGUNIT" : ["ouid111", "ouid112"]}` .
- Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}` .

func (LookupPolicyResultOutput) PolicyDescription added in v0.48.0

func (o LookupPolicyResultOutput) PolicyDescription() pulumi.StringPtrOutput

Your description of the AWS Firewall Manager policy.

func (LookupPolicyResultOutput) PolicyName added in v0.12.0

The name of the AWS Firewall Manager policy.

func (LookupPolicyResultOutput) RemediationEnabled added in v0.12.0

func (o LookupPolicyResultOutput) RemediationEnabled() pulumi.BoolPtrOutput

Indicates if the policy should be automatically applied to new resources.

func (LookupPolicyResultOutput) ResourceSetIds added in v0.48.0

The unique identifiers of the resource sets used by the policy.

func (LookupPolicyResultOutput) ResourceTags added in v0.12.0

An array of `ResourceTag` objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also `ExcludeResourceTags` .

func (LookupPolicyResultOutput) ResourceType added in v0.12.0

The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .

The following are valid resource types for each Firewall Manager policy type:

- AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` . - AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` . - Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` . - Network ACL - `AWS::EC2::Subnet` . - Security group usage audit - `AWS::EC2::SecurityGroup` . - Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` . - DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .

func (LookupPolicyResultOutput) ResourceTypeList added in v0.12.0

func (o LookupPolicyResultOutput) ResourceTypeList() pulumi.StringArrayOutput

An array of `ResourceType` objects. Use this only to specify multiple resource types. To specify a single resource type, use `ResourceType` .

func (LookupPolicyResultOutput) ResourcesCleanUp added in v0.12.0

func (o LookupPolicyResultOutput) ResourcesCleanUp() pulumi.BoolPtrOutput

Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.

This option is not available for Shield Advanced or AWS WAF Classic policies.

func (LookupPolicyResultOutput) SecurityServicePolicyData added in v0.12.0

Details about the security service that is being used to protect the resources.

This contains the following settings:

- Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .

Valid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF` - ManagedServiceData - Details about the service that are specific to the service type, in JSON format.

- Example: `DNS_FIREWALL`

`"{\"type\":\"DNS_FIREWALL\",\"preProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-1\",\"priority\":10}],\"postProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-2\",\"priority\":9911}]}"`

> Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000. - Example: `NETWORK_FIREWALL` - Centralized deployment model

`"{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"OFF\"},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`

With automatic Availability Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"]},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\": \"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\", \"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{ \"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[ \"10.0.0.0/28\"]}]} },\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"OFF\",\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`

With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"],\"routeManagementConfig\":{\"allowCrossAZTrafficIfNoEndpoint\":true}},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model

`"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` . - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model

`"{\"type\":\"THIRD_PARTY_FIREWALL\",\"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\",\"thirdPartyFirewallConfig\":{\"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{ \"availabilityZoneConfigList\":[ {\"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` . - Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions

`"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\", \"automaticResponseAction\":\"BLOCK|COUNT\"}, \"overrideCustomerWebaclClassic\":true|false}"`

For example: `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED\", \"automaticResponseAction\":\"COUNT\"}}"`

The default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .

For other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string. - Example: `WAFV2`

`"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`

In the `loggingConfiguration` , you can specify a single `logDestinationConfigs` entry and optionally up to 20 `redactedFields` ; each `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` . - Example: `AWS WAF Classic`

`"{\"type\": \"WAF\", \"ruleGroups\": [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", \"overrideAction\" : {\"type\": \"COUNT\"}}], \"defaultAction\": {\"type\": \"BLOCK\"}}"` - Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning

`"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`

To use a specific version of an AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group. - Example: `SECURITY_GROUPS_COMMON`

`"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"` - Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns

`"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":true,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"` - Example: `SECURITY_GROUPS_CONTENT_AUDIT`

`"{\"type\":\"SECURITY_GROUPS_CONTENT_AUDIT\",\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}],\"securityGroupAction\":{\"type\":\"ALLOW\"}}"`

The security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group. - Example: `SECURITY_GROUPS_USAGE_AUDIT`

`"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true}"`

func (LookupPolicyResultOutput) Tags added in v0.12.0

A collection of key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource.

func (LookupPolicyResultOutput) ToLookupPolicyResultOutput added in v0.12.0

func (o LookupPolicyResultOutput) ToLookupPolicyResultOutput() LookupPolicyResultOutput

func (LookupPolicyResultOutput) ToLookupPolicyResultOutputWithContext added in v0.12.0

func (o LookupPolicyResultOutput) ToLookupPolicyResultOutputWithContext(ctx context.Context) LookupPolicyResultOutput

type LookupResourceSetArgs added in v0.51.0

// LookupResourceSetArgs is the argument struct accepted by LookupResourceSet; the
// only input is the resource set's unique ID.
type LookupResourceSetArgs struct {
	// A unique identifier for the resource set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.
	Id string `pulumi:"id"`
}

type LookupResourceSetOutputArgs added in v0.51.0

// LookupResourceSetOutputArgs is the pulumi.Input-typed counterpart of
// LookupResourceSetArgs: the same Id, supplied as a pulumi.StringInput rather than a plain string.
type LookupResourceSetOutputArgs struct {
	// A unique identifier for the resource set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.
	Id pulumi.StringInput `pulumi:"id"`
}

func (LookupResourceSetOutputArgs) ElementType added in v0.51.0

type LookupResourceSetResult added in v0.51.0

// LookupResourceSetResult is the value returned by LookupResourceSet. Scalar fields are
// pointers and may be nil when the service does not report them.
type LookupResourceSetResult struct {
	// A description of the resource set.
	Description *string `pulumi:"description"`
	// A unique identifier for the resource set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.
	Id *string `pulumi:"id"`
	// The descriptive name of the resource set. You can't change the name of a resource set after you create it.
	Name *string `pulumi:"name"`
	// Determines the resources that can be associated with the resource set. Depending on your setting for max results and the number of resource sets, a single call might not return the full list.
	ResourceTypeList []string  `pulumi:"resourceTypeList"`
	// The resources that belong to the set. NOTE(review): presumably resource identifiers
	// (ARNs or IDs) — confirm the exact form against the FMS API before matching on them.
	Resources        []string  `pulumi:"resources"`
	// Tags attached to the resource set.
	Tags             []aws.Tag `pulumi:"tags"`
}

func LookupResourceSet added in v0.51.0

func LookupResourceSet(ctx *pulumi.Context, args *LookupResourceSetArgs, opts ...pulumi.InvokeOption) (*LookupResourceSetResult, error)

Looks up an existing AWS Firewall Manager resource set by its ID.

type LookupResourceSetResultOutput added in v0.51.0

// LookupResourceSetResultOutput is the pulumi.Output form of LookupResourceSetResult; each
// result field is exposed through an accessor method (Description, Id, Name, ResourceTypeList, Resources, Tags).
type LookupResourceSetResultOutput struct{ *pulumi.OutputState }

func LookupResourceSetOutput added in v0.51.0

func (LookupResourceSetResultOutput) Description added in v0.51.0

A description of the resource set.

func (LookupResourceSetResultOutput) ElementType added in v0.51.0

func (LookupResourceSetResultOutput) Id added in v0.51.0

A unique identifier for the resource set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

func (LookupResourceSetResultOutput) Name added in v0.51.0

The descriptive name of the resource set. You can't change the name of a resource set after you create it.

func (LookupResourceSetResultOutput) ResourceTypeList added in v0.51.0

Determines the resources that can be associated with the resource set. Depending on your setting for max results and the number of resource sets, a single call might not return the full list.

func (LookupResourceSetResultOutput) Resources added in v0.51.0

func (LookupResourceSetResultOutput) Tags added in v0.51.0

func (LookupResourceSetResultOutput) ToLookupResourceSetResultOutput added in v0.51.0

func (o LookupResourceSetResultOutput) ToLookupResourceSetResultOutput() LookupResourceSetResultOutput

func (LookupResourceSetResultOutput) ToLookupResourceSetResultOutputWithContext added in v0.51.0

func (o LookupResourceSetResultOutput) ToLookupResourceSetResultOutputWithContext(ctx context.Context) LookupResourceSetResultOutput

type NotificationChannel

// NotificationChannel designates the IAM role and Amazon Simple Notification Service (SNS)
// topic that AWS Firewall Manager uses to record SNS logs.
type NotificationChannel struct {
	pulumi.CustomResourceState

	// The Amazon Resource Name (ARN) of the IAM role that allows Amazon SNS to record AWS Firewall Manager activity.
	// NOTE(review): the field is named SnsRoleName but documented as an ARN — confirm which form the
	// API expects. Presumably this role only needs permission to publish to SnsTopicArn; verify its
	// policy is scoped that narrowly.
	SnsRoleName pulumi.StringOutput `pulumi:"snsRoleName"`
	// The Amazon Resource Name (ARN) of the SNS topic that collects notifications from AWS Firewall Manager .
	SnsTopicArn pulumi.StringOutput `pulumi:"snsTopicArn"`
}

Designates the IAM role and Amazon Simple Notification Service (SNS) topic that AWS Firewall Manager uses to record SNS logs.

func GetNotificationChannel

func GetNotificationChannel(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *NotificationChannelState, opts ...pulumi.ResourceOption) (*NotificationChannel, error)

GetNotificationChannel gets an existing NotificationChannel resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewNotificationChannel

func NewNotificationChannel(ctx *pulumi.Context,
	name string, args *NotificationChannelArgs, opts ...pulumi.ResourceOption) (*NotificationChannel, error)

NewNotificationChannel registers a new resource with the given unique name, arguments, and options.

func (*NotificationChannel) ElementType

func (*NotificationChannel) ElementType() reflect.Type

func (*NotificationChannel) ToNotificationChannelOutput

func (i *NotificationChannel) ToNotificationChannelOutput() NotificationChannelOutput

func (*NotificationChannel) ToNotificationChannelOutputWithContext

func (i *NotificationChannel) ToNotificationChannelOutputWithContext(ctx context.Context) NotificationChannelOutput

type NotificationChannelArgs

// NotificationChannelArgs is the set of arguments for constructing a NotificationChannel resource
// (see NewNotificationChannel). Both fields are required inputs; neither carries a pulumi tag here.
type NotificationChannelArgs struct {
	// The Amazon Resource Name (ARN) of the IAM role that allows Amazon SNS to record AWS Firewall Manager activity.
	// NOTE(review): named SnsRoleName but documented as an ARN — confirm which form the API expects.
	SnsRoleName pulumi.StringInput
	// The Amazon Resource Name (ARN) of the SNS topic that collects notifications from AWS Firewall Manager .
	SnsTopicArn pulumi.StringInput
}

The set of arguments for constructing a NotificationChannel resource.

func (NotificationChannelArgs) ElementType

func (NotificationChannelArgs) ElementType() reflect.Type

type NotificationChannelInput

// NotificationChannelInput is satisfied by any value that can be converted to a
// NotificationChannelOutput; *NotificationChannel implements it via the two conversion methods above.
type NotificationChannelInput interface {
	pulumi.Input

	// ToNotificationChannelOutput converts the value without a context.
	ToNotificationChannelOutput() NotificationChannelOutput
	// ToNotificationChannelOutputWithContext converts the value using ctx.
	ToNotificationChannelOutputWithContext(ctx context.Context) NotificationChannelOutput
}

type NotificationChannelOutput

// NotificationChannelOutput is the pulumi.Output form of NotificationChannel, exposing
// SnsRoleName and SnsTopicArn as output accessors.
type NotificationChannelOutput struct{ *pulumi.OutputState }

func (NotificationChannelOutput) ElementType

func (NotificationChannelOutput) ElementType() reflect.Type

func (NotificationChannelOutput) SnsRoleName added in v0.17.0

The Amazon Resource Name (ARN) of the IAM role that allows Amazon SNS to record AWS Firewall Manager activity.

func (NotificationChannelOutput) SnsTopicArn added in v0.17.0

The Amazon Resource Name (ARN) of the SNS topic that collects notifications from AWS Firewall Manager .

func (NotificationChannelOutput) ToNotificationChannelOutput

func (o NotificationChannelOutput) ToNotificationChannelOutput() NotificationChannelOutput

func (NotificationChannelOutput) ToNotificationChannelOutputWithContext

func (o NotificationChannelOutput) ToNotificationChannelOutputWithContext(ctx context.Context) NotificationChannelOutput

type NotificationChannelState

// NotificationChannelState is the optional state argument accepted by GetNotificationChannel.
// It currently declares no fields, so it carries no lookup qualifiers.
type NotificationChannelState struct {
}

func (NotificationChannelState) ElementType

func (NotificationChannelState) ElementType() reflect.Type

type Policy

// Policy represents an AWS Firewall Manager policy as a Pulumi custom resource. Its fields
// are the resource's output properties; create one with NewPolicy and look up an existing
// one by ID with GetPolicy.
type Policy struct {
	pulumi.CustomResourceState

	// The Amazon Resource Name (ARN) of the policy.
	Arn pulumi.StringOutput `pulumi:"arn"`
	// The ID of the policy.
	AwsId pulumi.StringOutput `pulumi:"awsId"`
	// Used when deleting a policy. If `true` , Firewall Manager performs cleanup according to the policy type.
	//
	// For AWS WAF and Shield Advanced policies, Firewall Manager does the following:
	//
	// - Deletes rule groups created by Firewall Manager
	// - Removes web ACLs from in-scope resources
	// - Deletes web ACLs that contain no rules or rule groups
	//
	// For security group policies, Firewall Manager does the following for each security group in the policy:
	//
	// - Disassociates the security group from in-scope resources
	// - Deletes the security group if it was created through Firewall Manager and if it's no longer associated with any resources through another policy
	//
	// After the cleanup, in-scope resources are no longer protected by web ACLs in this policy. Protection of out-of-scope resources remains unchanged. Scope is determined by tags that you create and accounts that you associate with the policy. When creating the policy, if you specify that only resources in specific accounts or with specific tags are in scope of the policy, those accounts and resources are handled by the policy. All others are out of scope. If you don't specify tags or accounts, all resources are in scope.
	DeleteAllPolicyResources pulumi.BoolPtrOutput `pulumi:"deleteAllPolicyResources"`
	// Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
	//
	// You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap` , AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap` , and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap` , then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap` .
	//
	// You can specify account IDs, OUs, or a combination:
	//
	// - Specify account IDs by setting the key to `ACCOUNT` . For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}` .
	// - Specify OUs by setting the key to `ORGUNIT` . For example, the following is a valid map: `{"ORGUNIT" : ["ouid111", "ouid112"]}` .
	// - Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}` .
	ExcludeMap PolicyIeMapPtrOutput `pulumi:"excludeMap"`
	// Used only when tags are specified in the `ResourceTags` property. If this property is `True` , resources with the specified tags are not in scope of the policy. If it's `False` , only resources with the specified tags are in scope of the policy.
	ExcludeResourceTags pulumi.BoolOutput `pulumi:"excludeResourceTags"`
	// Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
	//
	// You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap` , AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap` , and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap` , then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap` .
	//
	// You can specify account IDs, OUs, or a combination:
	//
	// - Specify account IDs by setting the key to `ACCOUNT` . For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}` .
	// - Specify OUs by setting the key to `ORGUNIT` . For example, the following is a valid map: `{"ORGUNIT" : ["ouid111", "ouid112"]}` .
	// - Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}` .
	IncludeMap PolicyIeMapPtrOutput `pulumi:"includeMap"`
	// Your description of the AWS Firewall Manager policy.
	PolicyDescription pulumi.StringPtrOutput `pulumi:"policyDescription"`
	// The name of the AWS Firewall Manager policy.
	PolicyName pulumi.StringOutput `pulumi:"policyName"`
	// Indicates if the policy should be automatically applied to new resources.
	RemediationEnabled pulumi.BoolOutput `pulumi:"remediationEnabled"`
	// The unique identifiers of the resource sets used by the policy.
	ResourceSetIds pulumi.StringArrayOutput `pulumi:"resourceSetIds"`
	// An array of `ResourceTag` objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also `ExcludeResourceTags` .
	ResourceTags PolicyResourceTagArrayOutput `pulumi:"resourceTags"`
	// The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .
	//
	// The following are valid resource types for each Firewall Manager policy type:
	//
	// - AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .
	// - AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .
	// - Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .
	// - Network ACL - `AWS::EC2::Subnet` .
	// - Security group usage audit - `AWS::EC2::SecurityGroup` .
	// - Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .
	// - DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .
	ResourceType pulumi.StringPtrOutput `pulumi:"resourceType"`
	// An array of `ResourceType` objects. Use this only to specify multiple resource types. To specify a single resource type, use `ResourceType` .
	ResourceTypeList pulumi.StringArrayOutput `pulumi:"resourceTypeList"`
	// Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.
	//
	// By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.
	//
	// This option is not available for Shield Advanced or AWS WAF Classic policies.
	ResourcesCleanUp pulumi.BoolPtrOutput `pulumi:"resourcesCleanUp"`
	// Details about the security service that is being used to protect the resources.
	//
	// This contains the following settings:
	//
	// - Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .
	//
	// Valid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`
	// - ManagedServiceData - Details about the service that are specific to the service type, in JSON format.
	//
	// - Example: `DNS_FIREWALL`
	//
	// `"{\"type\":\"DNS_FIREWALL\",\"preProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-1\",\"priority\":10}],\"postProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-2\",\"priority\":9911}]}"`
	//
	// > Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.
	// - Example: `NETWORK_FIREWALL` - Centralized deployment model
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"OFF\"},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`
	//
	// With automatic Availability Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"]},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\": \"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\", \"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{ \"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[ \"10.0.0.0/28\"]}]} },\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"OFF\",\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`
	//
	// With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"],\"routeManagementConfig\":{\"allowCrossAZTrafficIfNoEndpoint\":true}},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model
	//
	// `"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`
	//
	// To use the centralized deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .
	// - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model
	//
	// `"{\"type\":\"THIRD_PARTY_FIREWALL\",\"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\",\"thirdPartyFirewallConfig\":{\"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{ \"availabilityZoneConfigList\":[ {\"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .
	// - Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions
	//
	// `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\", \"automaticResponseAction\":\"BLOCK|COUNT\"}, \"overrideCustomerWebaclClassic\":true|false}"`
	//
	// For example: `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED\", \"automaticResponseAction\":\"COUNT\"}}"`
	//
	// The default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .
	//
	// For other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.
	// - Example: `WAFV2`
	//
	// `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`
	//
	// In the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .
	// - Example: `AWS WAF Classic`
	//
	// `"{\"type\": \"WAF\", \"ruleGroups\": [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", \"overrideAction\" : {\"type\": \"COUNT\"}}], \"defaultAction\": {\"type\": \"BLOCK\"}}"`
	// - Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning
	//
	// `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`
	//
	// To use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.
	// - Example: `SECURITY_GROUPS_COMMON`
	//
	// `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"securityGroups\":[{\"id\":\" sg-000e55995d61a06bd\"}]}"`
	// - Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns
	//
	// `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":true,\"securityGroups\":[{\"id\":\" sg-000e55995d61a06bd\"}]}"`
	// - Example: `SECURITY_GROUPS_CONTENT_AUDIT`
	//
	// `"{\"type\":\"SECURITY_GROUPS_CONTENT_AUDIT\",\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}],\"securityGroupAction\":{\"type\":\"ALLOW\"}}"`
	//
	// The security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
	// - Example: `SECURITY_GROUPS_USAGE_AUDIT`
	//
	// `"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true}"`
	SecurityServicePolicyData PolicySecurityServicePolicyDataOutput `pulumi:"securityServicePolicyData"`
	// A collection of key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource.
	Tags aws.TagArrayOutput `pulumi:"tags"`
}

Creates an AWS Firewall Manager policy.

func GetPolicy

func GetPolicy(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *PolicyState, opts ...pulumi.ResourceOption) (*Policy, error)

GetPolicy gets an existing Policy resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewPolicy

func NewPolicy(ctx *pulumi.Context,
	name string, args *PolicyArgs, opts ...pulumi.ResourceOption) (*Policy, error)

NewPolicy registers a new resource with the given unique name, arguments, and options.

func (*Policy) ElementType

func (*Policy) ElementType() reflect.Type

func (*Policy) ToPolicyOutput

func (i *Policy) ToPolicyOutput() PolicyOutput

func (*Policy) ToPolicyOutputWithContext

func (i *Policy) ToPolicyOutputWithContext(ctx context.Context) PolicyOutput

type PolicyArgs

// PolicyArgs is the set of arguments for constructing a Policy resource.
type PolicyArgs struct {
	// Used when deleting a policy. If `true` , Firewall Manager performs cleanup according to the policy type.
	//
	// For AWS WAF and Shield Advanced policies, Firewall Manager does the following:
	//
	// - Deletes rule groups created by Firewall Manager
	// - Removes web ACLs from in-scope resources
	// - Deletes web ACLs that contain no rules or rule groups
	//
	// For security group policies, Firewall Manager does the following for each security group in the policy:
	//
	// - Disassociates the security group from in-scope resources
	// - Deletes the security group if it was created through Firewall Manager and if it's no longer associated with any resources through another policy
	//
	// After the cleanup, in-scope resources are no longer protected by web ACLs in this policy. Protection of out-of-scope resources remains unchanged. Scope is determined by tags that you create and accounts that you associate with the policy. When creating the policy, if you specify that only resources in specific accounts or with specific tags are in scope of the policy, those accounts and resources are handled by the policy. All others are out of scope. If you don't specify tags or accounts, all resources are in scope.
	DeleteAllPolicyResources pulumi.BoolPtrInput
	// Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
	//
	// You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap` , AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap` , and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap` , then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap` .
	//
	// You can specify account IDs, OUs, or a combination:
	//
	// - Specify account IDs by setting the key to `ACCOUNT` . For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}` .
	// - Specify OUs by setting the key to `ORGUNIT` . For example, the following is a valid map: `{"ORGUNIT" : ["ouid111", "ouid112"]}` .
	// - Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}` .
	ExcludeMap PolicyIeMapPtrInput
	// Used only when tags are specified in the `ResourceTags` property. If this property is `True` , resources with the specified tags are not in scope of the policy. If it's `False` , only resources with the specified tags are in scope of the policy.
	ExcludeResourceTags pulumi.BoolInput
	// Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
	//
	// You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap` , AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap` , and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap` , then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap` .
	//
	// You can specify account IDs, OUs, or a combination:
	//
	// - Specify account IDs by setting the key to `ACCOUNT` . For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}` .
	// - Specify OUs by setting the key to `ORGUNIT` . For example, the following is a valid map: `{"ORGUNIT" : ["ouid111", "ouid112"]}` .
	// - Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}` .
	IncludeMap PolicyIeMapPtrInput
	// Your description of the AWS Firewall Manager policy.
	PolicyDescription pulumi.StringPtrInput
	// The name of the AWS Firewall Manager policy.
	PolicyName pulumi.StringPtrInput
	// Indicates if the policy should be automatically applied to new resources.
	RemediationEnabled pulumi.BoolInput
	// The unique identifiers of the resource sets used by the policy.
	ResourceSetIds pulumi.StringArrayInput
	// An array of `ResourceTag` objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also `ExcludeResourceTags` .
	ResourceTags PolicyResourceTagArrayInput
	// The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .
	//
	// The following are valid resource types for each Firewall Manager policy type:
	//
	// - AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .
	// - AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .
	// - Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .
	// - Network ACL - `AWS::EC2::Subnet` .
	// - Security group usage audit - `AWS::EC2::SecurityGroup` .
	// - Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .
	// - DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .
	ResourceType pulumi.StringPtrInput
	// An array of `ResourceType` objects. Use this only to specify multiple resource types. To specify a single resource type, use `ResourceType` .
	ResourceTypeList pulumi.StringArrayInput
	// Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.
	//
	// By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources.
	//
	// This option is not available for Shield Advanced or AWS WAF Classic policies.
	ResourcesCleanUp pulumi.BoolPtrInput
	// Details about the security service that is being used to protect the resources.
	//
	// This contains the following settings:
	//
	// - Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .
	//
	// Valid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF`
	// - ManagedServiceData - Details about the service that are specific to the service type, in JSON format.
	//
	// - Example: `DNS_FIREWALL`
	//
	// `"{\"type\":\"DNS_FIREWALL\",\"preProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-1\",\"priority\":10}],\"postProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-2\",\"priority\":9911}]}"`
	//
	// > Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.
	// - Example: `NETWORK_FIREWALL` - Centralized deployment model
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"OFF\"},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`
	//
	// With automatic Availability Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"]},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\": \"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\", \"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{ \"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[ \"10.0.0.0/28\"]}]} },\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"OFF\",\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`
	//
	// With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"],\"routeManagementConfig\":{\"allowCrossAZTrafficIfNoEndpoint\":true}},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model
	//
	// `"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`
	//
	// To use the centralized deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .
	// - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model
	//
	// `"{\"type\":\"THIRD_PARTY_FIREWALL\",\"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\",\"thirdPartyFirewallConfig\":{\"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{ \"availabilityZoneConfigList\":[ {\"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .
	// - Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions
	//
	// `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\", \"automaticResponseAction\":\"BLOCK|COUNT\"}, \"overrideCustomerWebaclClassic\":true|false}"`
	//
	// For example: `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED\", \"automaticResponseAction\":\"COUNT\"}}"`
	//
	// The default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .
	//
	// For other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.
	// - Example: `WAFV2`
	//
	// `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`
	//
	// In the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` .
	// - Example: `AWS WAF Classic`
	//
	// `"{\"type\": \"WAF\", \"ruleGroups\": [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", \"overrideAction\" : {\"type\": \"COUNT\"}}], \"defaultAction\": {\"type\": \"BLOCK\"}}"`
	// - Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning
	//
	// `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`
	//
	// To use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group.
	// - Example: `SECURITY_GROUPS_COMMON`
	//
	// `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"`
	// - Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns
	//
	// `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":true,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"`
	// - Example: `SECURITY_GROUPS_CONTENT_AUDIT`
	//
	// `"{\"type\":\"SECURITY_GROUPS_CONTENT_AUDIT\",\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}],\"securityGroupAction\":{\"type\":\"ALLOW\"}}"`
	//
	// The security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
	// - Example: `SECURITY_GROUPS_USAGE_AUDIT`
	//
	// `"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true}"`
	SecurityServicePolicyData PolicySecurityServicePolicyDataInput
	// A collection of key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource.
	Tags aws.TagArrayInput
}

The set of arguments for constructing a Policy resource.

func (PolicyArgs) ElementType

func (PolicyArgs) ElementType() reflect.Type

type PolicyFirewallDeploymentModel added in v0.21.0

// PolicyFirewallDeploymentModel is the firewall deployment mode. Use the
// PolicyFirewallDeploymentModelDistributed or PolicyFirewallDeploymentModelCentralized
// constant rather than a free-form string.
type PolicyFirewallDeploymentModel string

Firewall deployment mode.

func (PolicyFirewallDeploymentModel) ElementType added in v0.21.0

func (PolicyFirewallDeploymentModel) ToPolicyFirewallDeploymentModelOutput added in v0.21.0

func (e PolicyFirewallDeploymentModel) ToPolicyFirewallDeploymentModelOutput() PolicyFirewallDeploymentModelOutput

func (PolicyFirewallDeploymentModel) ToPolicyFirewallDeploymentModelOutputWithContext added in v0.21.0

func (e PolicyFirewallDeploymentModel) ToPolicyFirewallDeploymentModelOutputWithContext(ctx context.Context) PolicyFirewallDeploymentModelOutput

func (PolicyFirewallDeploymentModel) ToPolicyFirewallDeploymentModelPtrOutput added in v0.21.0

func (e PolicyFirewallDeploymentModel) ToPolicyFirewallDeploymentModelPtrOutput() PolicyFirewallDeploymentModelPtrOutput

func (PolicyFirewallDeploymentModel) ToPolicyFirewallDeploymentModelPtrOutputWithContext added in v0.21.0

func (e PolicyFirewallDeploymentModel) ToPolicyFirewallDeploymentModelPtrOutputWithContext(ctx context.Context) PolicyFirewallDeploymentModelPtrOutput

func (PolicyFirewallDeploymentModel) ToStringOutput added in v0.21.0

func (PolicyFirewallDeploymentModel) ToStringOutputWithContext added in v0.21.0

func (e PolicyFirewallDeploymentModel) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput

func (PolicyFirewallDeploymentModel) ToStringPtrOutput added in v0.21.0

func (PolicyFirewallDeploymentModel) ToStringPtrOutputWithContext added in v0.21.0

func (e PolicyFirewallDeploymentModel) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput

type PolicyFirewallDeploymentModelInput added in v0.21.0

// PolicyFirewallDeploymentModelInput is an input type that accepts values of the
// PolicyFirewallDeploymentModel enum (PolicyFirewallDeploymentModelDistributed or
// PolicyFirewallDeploymentModelCentralized).
type PolicyFirewallDeploymentModelInput interface {
	pulumi.Input

	ToPolicyFirewallDeploymentModelOutput() PolicyFirewallDeploymentModelOutput
	ToPolicyFirewallDeploymentModelOutputWithContext(context.Context) PolicyFirewallDeploymentModelOutput
}

PolicyFirewallDeploymentModelInput is an input type that accepts values of the PolicyFirewallDeploymentModel enum. A concrete instance of `PolicyFirewallDeploymentModelInput` can be one of the following:

PolicyFirewallDeploymentModelDistributed
PolicyFirewallDeploymentModelCentralized

type PolicyFirewallDeploymentModelOutput added in v0.21.0

// PolicyFirewallDeploymentModelOutput is the Pulumi output type for PolicyFirewallDeploymentModel
// values; see PolicyFirewallDeploymentModel.ToPolicyFirewallDeploymentModelOutput.
type PolicyFirewallDeploymentModelOutput struct{ *pulumi.OutputState }

func (PolicyFirewallDeploymentModelOutput) ElementType added in v0.21.0

func (PolicyFirewallDeploymentModelOutput) ToPolicyFirewallDeploymentModelOutput added in v0.21.0

func (o PolicyFirewallDeploymentModelOutput) ToPolicyFirewallDeploymentModelOutput() PolicyFirewallDeploymentModelOutput

func (PolicyFirewallDeploymentModelOutput) ToPolicyFirewallDeploymentModelOutputWithContext added in v0.21.0

func (o PolicyFirewallDeploymentModelOutput) ToPolicyFirewallDeploymentModelOutputWithContext(ctx context.Context) PolicyFirewallDeploymentModelOutput

func (PolicyFirewallDeploymentModelOutput) ToPolicyFirewallDeploymentModelPtrOutput added in v0.21.0

func (o PolicyFirewallDeploymentModelOutput) ToPolicyFirewallDeploymentModelPtrOutput() PolicyFirewallDeploymentModelPtrOutput

func (PolicyFirewallDeploymentModelOutput) ToPolicyFirewallDeploymentModelPtrOutputWithContext added in v0.21.0

func (o PolicyFirewallDeploymentModelOutput) ToPolicyFirewallDeploymentModelPtrOutputWithContext(ctx context.Context) PolicyFirewallDeploymentModelPtrOutput

func (PolicyFirewallDeploymentModelOutput) ToStringOutput added in v0.21.0

func (PolicyFirewallDeploymentModelOutput) ToStringOutputWithContext added in v0.21.0

func (o PolicyFirewallDeploymentModelOutput) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput

func (PolicyFirewallDeploymentModelOutput) ToStringPtrOutput added in v0.21.0

func (PolicyFirewallDeploymentModelOutput) ToStringPtrOutputWithContext added in v0.21.0

func (o PolicyFirewallDeploymentModelOutput) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput

type PolicyFirewallDeploymentModelPtrInput added in v0.21.0

// PolicyFirewallDeploymentModelPtrInput is an input type for an optional
// PolicyFirewallDeploymentModel value; PolicyFirewallDeploymentModelPtr constructs one from a string.
type PolicyFirewallDeploymentModelPtrInput interface {
	pulumi.Input

	ToPolicyFirewallDeploymentModelPtrOutput() PolicyFirewallDeploymentModelPtrOutput
	ToPolicyFirewallDeploymentModelPtrOutputWithContext(context.Context) PolicyFirewallDeploymentModelPtrOutput
}

func PolicyFirewallDeploymentModelPtr added in v0.21.0

func PolicyFirewallDeploymentModelPtr(v string) PolicyFirewallDeploymentModelPtrInput

type PolicyFirewallDeploymentModelPtrOutput added in v0.21.0

// PolicyFirewallDeploymentModelPtrOutput is the Pulumi output type for an optional
// PolicyFirewallDeploymentModel value; it is what a PolicyFirewallDeploymentModelPtrInput resolves to.
type PolicyFirewallDeploymentModelPtrOutput struct{ *pulumi.OutputState }

func (PolicyFirewallDeploymentModelPtrOutput) Elem added in v0.21.0

func (PolicyFirewallDeploymentModelPtrOutput) ElementType added in v0.21.0

func (PolicyFirewallDeploymentModelPtrOutput) ToPolicyFirewallDeploymentModelPtrOutput added in v0.21.0

func (o PolicyFirewallDeploymentModelPtrOutput) ToPolicyFirewallDeploymentModelPtrOutput() PolicyFirewallDeploymentModelPtrOutput

func (PolicyFirewallDeploymentModelPtrOutput) ToPolicyFirewallDeploymentModelPtrOutputWithContext added in v0.21.0

func (o PolicyFirewallDeploymentModelPtrOutput) ToPolicyFirewallDeploymentModelPtrOutputWithContext(ctx context.Context) PolicyFirewallDeploymentModelPtrOutput

func (PolicyFirewallDeploymentModelPtrOutput) ToStringPtrOutput added in v0.21.0

func (PolicyFirewallDeploymentModelPtrOutput) ToStringPtrOutputWithContext added in v0.21.0

func (o PolicyFirewallDeploymentModelPtrOutput) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput

type PolicyIeMap added in v0.72.0

// PolicyIeMap is an FMS includeMap or excludeMap: the account IDs and
// organizational units that a policy's scope includes or excludes.
type PolicyIeMap struct {
	// The account list for the map (the `ACCOUNT` key of an IncludeMap/ExcludeMap).
	Account []string `pulumi:"account"`
	// The organizational unit list for the map (the `ORGUNIT` key of an IncludeMap/ExcludeMap).
	Orgunit []string `pulumi:"orgunit"`
}

An FMS includeMap or excludeMap.

type PolicyIeMapArgs added in v0.72.0

// PolicyIeMapArgs is the input form of PolicyIeMap, an FMS includeMap or excludeMap.
type PolicyIeMapArgs struct {
	// The account list for the map (the `ACCOUNT` key of an IncludeMap/ExcludeMap).
	Account pulumi.StringArrayInput `pulumi:"account"`
	// The organizational unit list for the map (the `ORGUNIT` key of an IncludeMap/ExcludeMap).
	Orgunit pulumi.StringArrayInput `pulumi:"orgunit"`
}

An FMS includeMap or excludeMap.

func (PolicyIeMapArgs) ElementType added in v0.72.0

func (PolicyIeMapArgs) ElementType() reflect.Type

func (PolicyIeMapArgs) ToPolicyIeMapOutput added in v0.72.0

func (i PolicyIeMapArgs) ToPolicyIeMapOutput() PolicyIeMapOutput

func (PolicyIeMapArgs) ToPolicyIeMapOutputWithContext added in v0.72.0

func (i PolicyIeMapArgs) ToPolicyIeMapOutputWithContext(ctx context.Context) PolicyIeMapOutput

func (PolicyIeMapArgs) ToPolicyIeMapPtrOutput added in v0.72.0

func (i PolicyIeMapArgs) ToPolicyIeMapPtrOutput() PolicyIeMapPtrOutput

func (PolicyIeMapArgs) ToPolicyIeMapPtrOutputWithContext added in v0.72.0

func (i PolicyIeMapArgs) ToPolicyIeMapPtrOutputWithContext(ctx context.Context) PolicyIeMapPtrOutput

type PolicyIeMapInput added in v0.72.0

// PolicyIeMapInput is an input type that accepts PolicyIeMapArgs and PolicyIeMapOutput values.
type PolicyIeMapInput interface {
	pulumi.Input

	ToPolicyIeMapOutput() PolicyIeMapOutput
	ToPolicyIeMapOutputWithContext(context.Context) PolicyIeMapOutput
}

PolicyIeMapInput is an input type that accepts PolicyIeMapArgs and PolicyIeMapOutput values. You can construct a concrete instance of `PolicyIeMapInput` via:

        PolicyIeMapArgs{...}

type PolicyIeMapOutput added in v0.72.0

// PolicyIeMapOutput is the Pulumi output type for PolicyIeMap (an FMS includeMap or excludeMap);
// Account and Orgunit expose its two lists.
type PolicyIeMapOutput struct{ *pulumi.OutputState }

An FMS includeMap or excludeMap.

func (PolicyIeMapOutput) Account added in v0.72.0

The account list for the map.

func (PolicyIeMapOutput) ElementType added in v0.72.0

func (PolicyIeMapOutput) ElementType() reflect.Type

func (PolicyIeMapOutput) Orgunit added in v0.72.0

The organizational unit list for the map.

func (PolicyIeMapOutput) ToPolicyIeMapOutput added in v0.72.0

func (o PolicyIeMapOutput) ToPolicyIeMapOutput() PolicyIeMapOutput

func (PolicyIeMapOutput) ToPolicyIeMapOutputWithContext added in v0.72.0

func (o PolicyIeMapOutput) ToPolicyIeMapOutputWithContext(ctx context.Context) PolicyIeMapOutput

func (PolicyIeMapOutput) ToPolicyIeMapPtrOutput added in v0.72.0

func (o PolicyIeMapOutput) ToPolicyIeMapPtrOutput() PolicyIeMapPtrOutput

func (PolicyIeMapOutput) ToPolicyIeMapPtrOutputWithContext added in v0.72.0

func (o PolicyIeMapOutput) ToPolicyIeMapPtrOutputWithContext(ctx context.Context) PolicyIeMapPtrOutput

type PolicyIeMapPtrInput added in v0.72.0

// PolicyIeMapPtrInput is the input interface for an optional (pointer)
// PolicyIeMap. It embeds pulumi.Input and adds the two conversions to
// PolicyIeMapPtrOutput. Implemented by PolicyIeMapArgs, PolicyIeMapOutput and
// PolicyIeMapPtrOutput; a nil value is also accepted, and PolicyIeMapPtr wraps
// a *PolicyIeMapArgs into this interface.
type PolicyIeMapPtrInput interface {
	pulumi.Input

	ToPolicyIeMapPtrOutput() PolicyIeMapPtrOutput
	ToPolicyIeMapPtrOutputWithContext(context.Context) PolicyIeMapPtrOutput
}

PolicyIeMapPtrInput is an input type that accepts PolicyIeMapArgs, PolicyIeMapPtr and PolicyIeMapPtrOutput values. You can construct a concrete instance of `PolicyIeMapPtrInput` via:

        PolicyIeMapArgs{...}

or:

        nil

func PolicyIeMapPtr added in v0.72.0

func PolicyIeMapPtr(v *PolicyIeMapArgs) PolicyIeMapPtrInput

type PolicyIeMapPtrOutput added in v0.72.0

type PolicyIeMapPtrOutput struct{ *pulumi.OutputState }

func (PolicyIeMapPtrOutput) Account added in v0.72.0

The account list for the map.

func (PolicyIeMapPtrOutput) Elem added in v0.72.0

func (PolicyIeMapPtrOutput) ElementType added in v0.72.0

func (PolicyIeMapPtrOutput) ElementType() reflect.Type

func (PolicyIeMapPtrOutput) Orgunit added in v0.72.0

The organizational unit list for the map.

func (PolicyIeMapPtrOutput) ToPolicyIeMapPtrOutput added in v0.72.0

func (o PolicyIeMapPtrOutput) ToPolicyIeMapPtrOutput() PolicyIeMapPtrOutput

func (PolicyIeMapPtrOutput) ToPolicyIeMapPtrOutputWithContext added in v0.72.0

func (o PolicyIeMapPtrOutput) ToPolicyIeMapPtrOutputWithContext(ctx context.Context) PolicyIeMapPtrOutput

type PolicyInput

// PolicyInput is the input interface for the FMS Policy resource. It embeds
// pulumi.Input and adds the conversions to PolicyOutput; the PolicyOutput
// type and the resource that implements this interface are outside this
// excerpt.
type PolicyInput interface {
	pulumi.Input

	ToPolicyOutput() PolicyOutput
	ToPolicyOutputWithContext(ctx context.Context) PolicyOutput
}

type PolicyNetworkAclCommonPolicy added in v0.105.0

// PolicyNetworkAclCommonPolicy is the plain form of a NETWORK_ACL_COMMON
// policy. Its single field is required (a value, not a pointer): the
// PolicyNetworkAclEntrySet that defines the first and last rules Firewall
// Manager places in the network ACLs it manages.
type PolicyNetworkAclCommonPolicy struct {
	// The definition of the first and last rules for the network ACL policy.
	NetworkAclEntrySet PolicyNetworkAclEntrySet `pulumi:"networkAclEntrySet"`
}

Network ACL common policy.

type PolicyNetworkAclCommonPolicyArgs added in v0.105.0

// PolicyNetworkAclCommonPolicyArgs is the Pulumi input form of
// PolicyNetworkAclCommonPolicy. NetworkAclEntrySet is a
// PolicyNetworkAclEntrySetInput (not a Ptr input), so callers must supply it.
// Use this type wherever a PolicyNetworkAclCommonPolicyInput or
// PolicyNetworkAclCommonPolicyPtrInput is expected.
type PolicyNetworkAclCommonPolicyArgs struct {
	// The definition of the first and last rules for the network ACL policy.
	NetworkAclEntrySet PolicyNetworkAclEntrySetInput `pulumi:"networkAclEntrySet"`
}

Network ACL common policy.

func (PolicyNetworkAclCommonPolicyArgs) ElementType added in v0.105.0

func (PolicyNetworkAclCommonPolicyArgs) ToPolicyNetworkAclCommonPolicyOutput added in v0.105.0

func (i PolicyNetworkAclCommonPolicyArgs) ToPolicyNetworkAclCommonPolicyOutput() PolicyNetworkAclCommonPolicyOutput

func (PolicyNetworkAclCommonPolicyArgs) ToPolicyNetworkAclCommonPolicyOutputWithContext added in v0.105.0

func (i PolicyNetworkAclCommonPolicyArgs) ToPolicyNetworkAclCommonPolicyOutputWithContext(ctx context.Context) PolicyNetworkAclCommonPolicyOutput

func (PolicyNetworkAclCommonPolicyArgs) ToPolicyNetworkAclCommonPolicyPtrOutput added in v0.105.0

func (i PolicyNetworkAclCommonPolicyArgs) ToPolicyNetworkAclCommonPolicyPtrOutput() PolicyNetworkAclCommonPolicyPtrOutput

func (PolicyNetworkAclCommonPolicyArgs) ToPolicyNetworkAclCommonPolicyPtrOutputWithContext added in v0.105.0

func (i PolicyNetworkAclCommonPolicyArgs) ToPolicyNetworkAclCommonPolicyPtrOutputWithContext(ctx context.Context) PolicyNetworkAclCommonPolicyPtrOutput

type PolicyNetworkAclCommonPolicyInput added in v0.105.0

// PolicyNetworkAclCommonPolicyInput is the input interface for a
// PolicyNetworkAclCommonPolicy value. It embeds pulumi.Input and adds the two
// conversions to PolicyNetworkAclCommonPolicyOutput; implemented by
// PolicyNetworkAclCommonPolicyArgs and PolicyNetworkAclCommonPolicyOutput.
type PolicyNetworkAclCommonPolicyInput interface {
	pulumi.Input

	ToPolicyNetworkAclCommonPolicyOutput() PolicyNetworkAclCommonPolicyOutput
	ToPolicyNetworkAclCommonPolicyOutputWithContext(context.Context) PolicyNetworkAclCommonPolicyOutput
}

PolicyNetworkAclCommonPolicyInput is an input type that accepts PolicyNetworkAclCommonPolicyArgs and PolicyNetworkAclCommonPolicyOutput values. You can construct a concrete instance of `PolicyNetworkAclCommonPolicyInput` via:

PolicyNetworkAclCommonPolicyArgs{...}

type PolicyNetworkAclCommonPolicyOutput added in v0.105.0

type PolicyNetworkAclCommonPolicyOutput struct{ *pulumi.OutputState }

Network ACL common policy.

func (PolicyNetworkAclCommonPolicyOutput) ElementType added in v0.105.0

func (PolicyNetworkAclCommonPolicyOutput) NetworkAclEntrySet added in v0.105.0

The definition of the first and last rules for the network ACL policy.

func (PolicyNetworkAclCommonPolicyOutput) ToPolicyNetworkAclCommonPolicyOutput added in v0.105.0

func (o PolicyNetworkAclCommonPolicyOutput) ToPolicyNetworkAclCommonPolicyOutput() PolicyNetworkAclCommonPolicyOutput

func (PolicyNetworkAclCommonPolicyOutput) ToPolicyNetworkAclCommonPolicyOutputWithContext added in v0.105.0

func (o PolicyNetworkAclCommonPolicyOutput) ToPolicyNetworkAclCommonPolicyOutputWithContext(ctx context.Context) PolicyNetworkAclCommonPolicyOutput

func (PolicyNetworkAclCommonPolicyOutput) ToPolicyNetworkAclCommonPolicyPtrOutput added in v0.105.0

func (o PolicyNetworkAclCommonPolicyOutput) ToPolicyNetworkAclCommonPolicyPtrOutput() PolicyNetworkAclCommonPolicyPtrOutput

func (PolicyNetworkAclCommonPolicyOutput) ToPolicyNetworkAclCommonPolicyPtrOutputWithContext added in v0.105.0

func (o PolicyNetworkAclCommonPolicyOutput) ToPolicyNetworkAclCommonPolicyPtrOutputWithContext(ctx context.Context) PolicyNetworkAclCommonPolicyPtrOutput

type PolicyNetworkAclCommonPolicyPtrInput added in v0.105.0

// PolicyNetworkAclCommonPolicyPtrInput is the input interface for an optional
// PolicyNetworkAclCommonPolicy. Implemented by
// PolicyNetworkAclCommonPolicyArgs, PolicyNetworkAclCommonPolicyOutput and
// PolicyNetworkAclCommonPolicyPtrOutput; nil is also accepted.
type PolicyNetworkAclCommonPolicyPtrInput interface {
	pulumi.Input

	ToPolicyNetworkAclCommonPolicyPtrOutput() PolicyNetworkAclCommonPolicyPtrOutput
	ToPolicyNetworkAclCommonPolicyPtrOutputWithContext(context.Context) PolicyNetworkAclCommonPolicyPtrOutput
}

PolicyNetworkAclCommonPolicyPtrInput is an input type that accepts PolicyNetworkAclCommonPolicyArgs, PolicyNetworkAclCommonPolicyPtr and PolicyNetworkAclCommonPolicyPtrOutput values. You can construct a concrete instance of `PolicyNetworkAclCommonPolicyPtrInput` via:

        PolicyNetworkAclCommonPolicyArgs{...}

or:

        nil

func PolicyNetworkAclCommonPolicyPtr added in v0.105.0

type PolicyNetworkAclCommonPolicyPtrOutput added in v0.105.0

type PolicyNetworkAclCommonPolicyPtrOutput struct{ *pulumi.OutputState }

func (PolicyNetworkAclCommonPolicyPtrOutput) Elem added in v0.105.0

func (PolicyNetworkAclCommonPolicyPtrOutput) ElementType added in v0.105.0

func (PolicyNetworkAclCommonPolicyPtrOutput) NetworkAclEntrySet added in v0.105.0

The definition of the first and last rules for the network ACL policy.

func (PolicyNetworkAclCommonPolicyPtrOutput) ToPolicyNetworkAclCommonPolicyPtrOutput added in v0.105.0

func (o PolicyNetworkAclCommonPolicyPtrOutput) ToPolicyNetworkAclCommonPolicyPtrOutput() PolicyNetworkAclCommonPolicyPtrOutput

func (PolicyNetworkAclCommonPolicyPtrOutput) ToPolicyNetworkAclCommonPolicyPtrOutputWithContext added in v0.105.0

func (o PolicyNetworkAclCommonPolicyPtrOutput) ToPolicyNetworkAclCommonPolicyPtrOutputWithContext(ctx context.Context) PolicyNetworkAclCommonPolicyPtrOutput

type PolicyNetworkAclEntry added in v0.105.0

// PolicyNetworkAclEntry is the plain form of one rule in a Firewall Manager
// managed network ACL. Egress, Protocol and RuleAction are required; the
// match fields (CidrBlock, Ipv6CidrBlock, IcmpTypeCode, PortRange) are
// optional pointers.
//
// NOTE(review): this type carries no validation beyond Go typing —
//   - CidrBlock and Ipv6CidrBlock are both optional, so nothing here prevents
//     an entry with neither or both; presumably the service requires exactly
//     one per entry — confirm against the FMS/EC2 network ACL API.
//   - Protocol is a free-form string, not an enum like RuleAction; which
//     values are accepted (and whether an "all protocols" value exists) is
//     not visible here.
//   - RuleAction is the typed PolicyNetworkAclEntryRuleAction enum, whose
//     documented values are PolicyNetworkAclEntryRuleActionAllow and
//     PolicyNetworkAclEntryRuleActionDeny.
// Because these entries become the first/last rules of every managed ACL, an
// overly broad allow entry here is replicated across the whole policy scope.
type PolicyNetworkAclEntry struct {
	// CIDR block.
	CidrBlock *string `pulumi:"cidrBlock"`
	// Whether the entry is an egress entry.
	Egress bool `pulumi:"egress"`
	// ICMP type and code.
	IcmpTypeCode *PolicyNetworkAclEntryIcmpTypeCodeProperties `pulumi:"icmpTypeCode"`
	// IPv6 CIDR block.
	Ipv6CidrBlock *string `pulumi:"ipv6CidrBlock"`
	// Port range.
	PortRange *PolicyNetworkAclEntryPortRangeProperties `pulumi:"portRange"`
	// Protocol.
	Protocol string `pulumi:"protocol"`
	// Rule Action.
	RuleAction PolicyNetworkAclEntryRuleAction `pulumi:"ruleAction"`
}

Network ACL entry.

type PolicyNetworkAclEntryArgs added in v0.105.0

// PolicyNetworkAclEntryArgs is the Pulumi input form of PolicyNetworkAclEntry.
// Egress (BoolInput), Protocol (StringInput) and RuleAction
// (PolicyNetworkAclEntryRuleActionInput) must be supplied; CidrBlock,
// Ipv6CidrBlock, IcmpTypeCode and PortRange are Ptr inputs and may be nil.
// Use this type wherever a PolicyNetworkAclEntryInput is expected, e.g. as an
// element of PolicyNetworkAclEntryArray.
//
// NOTE(review): the same caveats as PolicyNetworkAclEntry apply — the type
// does not constrain CidrBlock vs Ipv6CidrBlock, and Protocol is an
// unconstrained string. Since inputs may be Outputs resolved at deploy time,
// review the resolved rule in the preview rather than the source literal.
type PolicyNetworkAclEntryArgs struct {
	// CIDR block.
	CidrBlock pulumi.StringPtrInput `pulumi:"cidrBlock"`
	// Whether the entry is an egress entry.
	Egress pulumi.BoolInput `pulumi:"egress"`
	// ICMP type and code.
	IcmpTypeCode PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrInput `pulumi:"icmpTypeCode"`
	// IPv6 CIDR block.
	Ipv6CidrBlock pulumi.StringPtrInput `pulumi:"ipv6CidrBlock"`
	// Port range.
	PortRange PolicyNetworkAclEntryPortRangePropertiesPtrInput `pulumi:"portRange"`
	// Protocol.
	Protocol pulumi.StringInput `pulumi:"protocol"`
	// Rule Action.
	RuleAction PolicyNetworkAclEntryRuleActionInput `pulumi:"ruleAction"`
}

Network ACL entry.

func (PolicyNetworkAclEntryArgs) ElementType added in v0.105.0

func (PolicyNetworkAclEntryArgs) ElementType() reflect.Type

func (PolicyNetworkAclEntryArgs) ToPolicyNetworkAclEntryOutput added in v0.105.0

func (i PolicyNetworkAclEntryArgs) ToPolicyNetworkAclEntryOutput() PolicyNetworkAclEntryOutput

func (PolicyNetworkAclEntryArgs) ToPolicyNetworkAclEntryOutputWithContext added in v0.105.0

func (i PolicyNetworkAclEntryArgs) ToPolicyNetworkAclEntryOutputWithContext(ctx context.Context) PolicyNetworkAclEntryOutput

type PolicyNetworkAclEntryArray added in v0.105.0

type PolicyNetworkAclEntryArray []PolicyNetworkAclEntryInput

func (PolicyNetworkAclEntryArray) ElementType added in v0.105.0

func (PolicyNetworkAclEntryArray) ElementType() reflect.Type

func (PolicyNetworkAclEntryArray) ToPolicyNetworkAclEntryArrayOutput added in v0.105.0

func (i PolicyNetworkAclEntryArray) ToPolicyNetworkAclEntryArrayOutput() PolicyNetworkAclEntryArrayOutput

func (PolicyNetworkAclEntryArray) ToPolicyNetworkAclEntryArrayOutputWithContext added in v0.105.0

func (i PolicyNetworkAclEntryArray) ToPolicyNetworkAclEntryArrayOutputWithContext(ctx context.Context) PolicyNetworkAclEntryArrayOutput

type PolicyNetworkAclEntryArrayInput added in v0.105.0

// PolicyNetworkAclEntryArrayInput is the input interface for a list of
// network ACL entries. It embeds pulumi.Input and adds the conversions to
// PolicyNetworkAclEntryArrayOutput; implemented by PolicyNetworkAclEntryArray
// and PolicyNetworkAclEntryArrayOutput.
type PolicyNetworkAclEntryArrayInput interface {
	pulumi.Input

	ToPolicyNetworkAclEntryArrayOutput() PolicyNetworkAclEntryArrayOutput
	ToPolicyNetworkAclEntryArrayOutputWithContext(context.Context) PolicyNetworkAclEntryArrayOutput
}

PolicyNetworkAclEntryArrayInput is an input type that accepts PolicyNetworkAclEntryArray and PolicyNetworkAclEntryArrayOutput values. You can construct a concrete instance of `PolicyNetworkAclEntryArrayInput` via:

PolicyNetworkAclEntryArray{ PolicyNetworkAclEntryArgs{...} }

type PolicyNetworkAclEntryArrayOutput added in v0.105.0

type PolicyNetworkAclEntryArrayOutput struct{ *pulumi.OutputState }

func (PolicyNetworkAclEntryArrayOutput) ElementType added in v0.105.0

func (PolicyNetworkAclEntryArrayOutput) Index added in v0.105.0

func (PolicyNetworkAclEntryArrayOutput) ToPolicyNetworkAclEntryArrayOutput added in v0.105.0

func (o PolicyNetworkAclEntryArrayOutput) ToPolicyNetworkAclEntryArrayOutput() PolicyNetworkAclEntryArrayOutput

func (PolicyNetworkAclEntryArrayOutput) ToPolicyNetworkAclEntryArrayOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryArrayOutput) ToPolicyNetworkAclEntryArrayOutputWithContext(ctx context.Context) PolicyNetworkAclEntryArrayOutput

type PolicyNetworkAclEntryIcmpTypeCodeProperties added in v0.105.0

// PolicyNetworkAclEntryIcmpTypeCodeProperties is the plain form of the ICMP
// type/code match of a network ACL entry. Both fields are required ints; the
// type does not range-check them, and whether a wildcard value is accepted
// is not visible here — presumably the service validates, confirm.
type PolicyNetworkAclEntryIcmpTypeCodeProperties struct {
	// Code.
	Code int `pulumi:"code"`
	// Type.
	Type int `pulumi:"type"`
}

ICMP type and code.

type PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs added in v0.105.0

// PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs is the Pulumi input form of
// PolicyNetworkAclEntryIcmpTypeCodeProperties; both fields are pulumi.IntInput
// and must be supplied. Use it wherever the corresponding Input or PtrInput
// interface is expected.
type PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs struct {
	// Code.
	Code pulumi.IntInput `pulumi:"code"`
	// Type.
	Type pulumi.IntInput `pulumi:"type"`
}

ICMP type and code.

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs) ElementType added in v0.105.0

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesOutput added in v0.105.0

func (i PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesOutput() PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesOutputWithContext added in v0.105.0

func (i PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesOutputWithContext(ctx context.Context) PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput added in v0.105.0

func (i PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput() PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutputWithContext added in v0.105.0

func (i PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput

type PolicyNetworkAclEntryIcmpTypeCodePropertiesInput added in v0.105.0

// PolicyNetworkAclEntryIcmpTypeCodePropertiesInput is the input interface for
// an ICMP type/code value. Embeds pulumi.Input and adds the conversions to
// the Output type; implemented by the Args and Output types of the same name.
type PolicyNetworkAclEntryIcmpTypeCodePropertiesInput interface {
	pulumi.Input

	ToPolicyNetworkAclEntryIcmpTypeCodePropertiesOutput() PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput
	ToPolicyNetworkAclEntryIcmpTypeCodePropertiesOutputWithContext(context.Context) PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput
}

PolicyNetworkAclEntryIcmpTypeCodePropertiesInput is an input type that accepts PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs and PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput values. You can construct a concrete instance of `PolicyNetworkAclEntryIcmpTypeCodePropertiesInput` via:

PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs{...}

type PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput added in v0.105.0

type PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput struct{ *pulumi.OutputState }

ICMP type and code.

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput) Code added in v0.105.0

Code.

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput) ElementType added in v0.105.0

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesOutput added in v0.105.0

func (o PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesOutput() PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesOutputWithContext(ctx context.Context) PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput added in v0.105.0

func (o PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput() PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesOutput) Type added in v0.105.0

Type.

type PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrInput added in v0.105.0

// PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrInput is the input interface
// for an optional ICMP type/code value. Implemented by the Args, Output and
// PtrOutput types of the same name; nil is also accepted.
type PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrInput interface {
	pulumi.Input

	ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput() PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput
	ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutputWithContext(context.Context) PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput
}

PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrInput is an input type that accepts PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs, PolicyNetworkAclEntryIcmpTypeCodePropertiesPtr and PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput values. You can construct a concrete instance of `PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrInput` via:

        PolicyNetworkAclEntryIcmpTypeCodePropertiesArgs{...}

or:

        nil

type PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput added in v0.105.0

type PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput struct{ *pulumi.OutputState }

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput) Code added in v0.105.0

Code.

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput) Elem added in v0.105.0

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput) ElementType added in v0.105.0

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput added in v0.105.0

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput) ToPolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput

func (PolicyNetworkAclEntryIcmpTypeCodePropertiesPtrOutput) Type added in v0.105.0

Type.

type PolicyNetworkAclEntryInput added in v0.105.0

// PolicyNetworkAclEntryInput is the input interface for a single network ACL
// entry. Embeds pulumi.Input and adds the conversions to
// PolicyNetworkAclEntryOutput; implemented by PolicyNetworkAclEntryArgs and
// PolicyNetworkAclEntryOutput, and used as the element type of
// PolicyNetworkAclEntryArray.
type PolicyNetworkAclEntryInput interface {
	pulumi.Input

	ToPolicyNetworkAclEntryOutput() PolicyNetworkAclEntryOutput
	ToPolicyNetworkAclEntryOutputWithContext(context.Context) PolicyNetworkAclEntryOutput
}

PolicyNetworkAclEntryInput is an input type that accepts PolicyNetworkAclEntryArgs and PolicyNetworkAclEntryOutput values. You can construct a concrete instance of `PolicyNetworkAclEntryInput` via:

PolicyNetworkAclEntryArgs{...}

type PolicyNetworkAclEntryOutput added in v0.105.0

type PolicyNetworkAclEntryOutput struct{ *pulumi.OutputState }

Network ACL entry.

func (PolicyNetworkAclEntryOutput) CidrBlock added in v0.105.0

CIDR block.

func (PolicyNetworkAclEntryOutput) Egress added in v0.105.0

Whether the entry is an egress entry.

func (PolicyNetworkAclEntryOutput) ElementType added in v0.105.0

func (PolicyNetworkAclEntryOutput) IcmpTypeCode added in v0.105.0

ICMP type and code.

func (PolicyNetworkAclEntryOutput) Ipv6CidrBlock added in v0.105.0

IPv6 CIDR block.

func (PolicyNetworkAclEntryOutput) PortRange added in v0.105.0

Port range.

func (PolicyNetworkAclEntryOutput) Protocol added in v0.105.0

Protocol.

func (PolicyNetworkAclEntryOutput) RuleAction added in v0.105.0

Rule Action.

func (PolicyNetworkAclEntryOutput) ToPolicyNetworkAclEntryOutput added in v0.105.0

func (o PolicyNetworkAclEntryOutput) ToPolicyNetworkAclEntryOutput() PolicyNetworkAclEntryOutput

func (PolicyNetworkAclEntryOutput) ToPolicyNetworkAclEntryOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryOutput) ToPolicyNetworkAclEntryOutputWithContext(ctx context.Context) PolicyNetworkAclEntryOutput

type PolicyNetworkAclEntryPortRangeProperties added in v0.105.0

// PolicyNetworkAclEntryPortRangeProperties is the plain form of the port-range
// match of a network ACL entry. Both ends are required ints.
//
// NOTE(review): nothing in this type checks that From <= To or that either is
// within 0–65535; presumably the service rejects invalid ranges — confirm.
// A range that is wider than intended on an allow entry widens exposure for
// every managed ACL in scope, so review these values alongside RuleAction.
type PolicyNetworkAclEntryPortRangeProperties struct {
	// From Port.
	From int `pulumi:"from"`
	// To Port.
	To int `pulumi:"to"`
}

Port range.

type PolicyNetworkAclEntryPortRangePropertiesArgs added in v0.105.0

// PolicyNetworkAclEntryPortRangePropertiesArgs is the Pulumi input form of
// PolicyNetworkAclEntryPortRangeProperties; From and To are pulumi.IntInput
// and must be supplied. Use it wherever the corresponding Input or PtrInput
// interface is expected. The same From/To range caveat as the plain type
// applies.
type PolicyNetworkAclEntryPortRangePropertiesArgs struct {
	// From Port.
	From pulumi.IntInput `pulumi:"from"`
	// To Port.
	To pulumi.IntInput `pulumi:"to"`
}

Port range.

func (PolicyNetworkAclEntryPortRangePropertiesArgs) ElementType added in v0.105.0

func (PolicyNetworkAclEntryPortRangePropertiesArgs) ToPolicyNetworkAclEntryPortRangePropertiesOutput added in v0.105.0

func (i PolicyNetworkAclEntryPortRangePropertiesArgs) ToPolicyNetworkAclEntryPortRangePropertiesOutput() PolicyNetworkAclEntryPortRangePropertiesOutput

func (PolicyNetworkAclEntryPortRangePropertiesArgs) ToPolicyNetworkAclEntryPortRangePropertiesOutputWithContext added in v0.105.0

func (i PolicyNetworkAclEntryPortRangePropertiesArgs) ToPolicyNetworkAclEntryPortRangePropertiesOutputWithContext(ctx context.Context) PolicyNetworkAclEntryPortRangePropertiesOutput

func (PolicyNetworkAclEntryPortRangePropertiesArgs) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutput added in v0.105.0

func (i PolicyNetworkAclEntryPortRangePropertiesArgs) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutput() PolicyNetworkAclEntryPortRangePropertiesPtrOutput

func (PolicyNetworkAclEntryPortRangePropertiesArgs) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutputWithContext added in v0.105.0

func (i PolicyNetworkAclEntryPortRangePropertiesArgs) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntryPortRangePropertiesPtrOutput

type PolicyNetworkAclEntryPortRangePropertiesInput added in v0.105.0

// PolicyNetworkAclEntryPortRangePropertiesInput is the input interface for a
// port-range value. Embeds pulumi.Input and adds the conversions to the
// Output type; implemented by the Args and Output types of the same name.
type PolicyNetworkAclEntryPortRangePropertiesInput interface {
	pulumi.Input

	ToPolicyNetworkAclEntryPortRangePropertiesOutput() PolicyNetworkAclEntryPortRangePropertiesOutput
	ToPolicyNetworkAclEntryPortRangePropertiesOutputWithContext(context.Context) PolicyNetworkAclEntryPortRangePropertiesOutput
}

PolicyNetworkAclEntryPortRangePropertiesInput is an input type that accepts PolicyNetworkAclEntryPortRangePropertiesArgs and PolicyNetworkAclEntryPortRangePropertiesOutput values. You can construct a concrete instance of `PolicyNetworkAclEntryPortRangePropertiesInput` via:

PolicyNetworkAclEntryPortRangePropertiesArgs{...}

type PolicyNetworkAclEntryPortRangePropertiesOutput added in v0.105.0

type PolicyNetworkAclEntryPortRangePropertiesOutput struct{ *pulumi.OutputState }

Port range.

func (PolicyNetworkAclEntryPortRangePropertiesOutput) ElementType added in v0.105.0

func (PolicyNetworkAclEntryPortRangePropertiesOutput) From added in v0.105.0

From Port.

func (PolicyNetworkAclEntryPortRangePropertiesOutput) To added in v0.105.0

To Port.

func (PolicyNetworkAclEntryPortRangePropertiesOutput) ToPolicyNetworkAclEntryPortRangePropertiesOutput added in v0.105.0

func (o PolicyNetworkAclEntryPortRangePropertiesOutput) ToPolicyNetworkAclEntryPortRangePropertiesOutput() PolicyNetworkAclEntryPortRangePropertiesOutput

func (PolicyNetworkAclEntryPortRangePropertiesOutput) ToPolicyNetworkAclEntryPortRangePropertiesOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryPortRangePropertiesOutput) ToPolicyNetworkAclEntryPortRangePropertiesOutputWithContext(ctx context.Context) PolicyNetworkAclEntryPortRangePropertiesOutput

func (PolicyNetworkAclEntryPortRangePropertiesOutput) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutput added in v0.105.0

func (o PolicyNetworkAclEntryPortRangePropertiesOutput) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutput() PolicyNetworkAclEntryPortRangePropertiesPtrOutput

func (PolicyNetworkAclEntryPortRangePropertiesOutput) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryPortRangePropertiesOutput) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntryPortRangePropertiesPtrOutput

type PolicyNetworkAclEntryPortRangePropertiesPtrInput added in v0.105.0

// PolicyNetworkAclEntryPortRangePropertiesPtrInput is the input interface for
// an optional port-range value. Implemented by the Args, Output and PtrOutput
// types of the same name; nil is also accepted.
type PolicyNetworkAclEntryPortRangePropertiesPtrInput interface {
	pulumi.Input

	ToPolicyNetworkAclEntryPortRangePropertiesPtrOutput() PolicyNetworkAclEntryPortRangePropertiesPtrOutput
	ToPolicyNetworkAclEntryPortRangePropertiesPtrOutputWithContext(context.Context) PolicyNetworkAclEntryPortRangePropertiesPtrOutput
}

PolicyNetworkAclEntryPortRangePropertiesPtrInput is an input type that accepts PolicyNetworkAclEntryPortRangePropertiesArgs, PolicyNetworkAclEntryPortRangePropertiesPtr and PolicyNetworkAclEntryPortRangePropertiesPtrOutput values. You can construct a concrete instance of `PolicyNetworkAclEntryPortRangePropertiesPtrInput` via:

        PolicyNetworkAclEntryPortRangePropertiesArgs{...}

or:

        nil

type PolicyNetworkAclEntryPortRangePropertiesPtrOutput added in v0.105.0

type PolicyNetworkAclEntryPortRangePropertiesPtrOutput struct{ *pulumi.OutputState }

func (PolicyNetworkAclEntryPortRangePropertiesPtrOutput) Elem added in v0.105.0

func (PolicyNetworkAclEntryPortRangePropertiesPtrOutput) ElementType added in v0.105.0

func (PolicyNetworkAclEntryPortRangePropertiesPtrOutput) From added in v0.105.0

From Port.

func (PolicyNetworkAclEntryPortRangePropertiesPtrOutput) To added in v0.105.0

To Port.

func (PolicyNetworkAclEntryPortRangePropertiesPtrOutput) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutput added in v0.105.0

func (o PolicyNetworkAclEntryPortRangePropertiesPtrOutput) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutput() PolicyNetworkAclEntryPortRangePropertiesPtrOutput

func (PolicyNetworkAclEntryPortRangePropertiesPtrOutput) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryPortRangePropertiesPtrOutput) ToPolicyNetworkAclEntryPortRangePropertiesPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntryPortRangePropertiesPtrOutput

type PolicyNetworkAclEntryRuleAction added in v0.105.0

type PolicyNetworkAclEntryRuleAction string

Rule Action.

func (PolicyNetworkAclEntryRuleAction) ElementType added in v0.105.0

func (PolicyNetworkAclEntryRuleAction) ToPolicyNetworkAclEntryRuleActionOutput added in v0.105.0

func (e PolicyNetworkAclEntryRuleAction) ToPolicyNetworkAclEntryRuleActionOutput() PolicyNetworkAclEntryRuleActionOutput

func (PolicyNetworkAclEntryRuleAction) ToPolicyNetworkAclEntryRuleActionOutputWithContext added in v0.105.0

func (e PolicyNetworkAclEntryRuleAction) ToPolicyNetworkAclEntryRuleActionOutputWithContext(ctx context.Context) PolicyNetworkAclEntryRuleActionOutput

func (PolicyNetworkAclEntryRuleAction) ToPolicyNetworkAclEntryRuleActionPtrOutput added in v0.105.0

func (e PolicyNetworkAclEntryRuleAction) ToPolicyNetworkAclEntryRuleActionPtrOutput() PolicyNetworkAclEntryRuleActionPtrOutput

func (PolicyNetworkAclEntryRuleAction) ToPolicyNetworkAclEntryRuleActionPtrOutputWithContext added in v0.105.0

func (e PolicyNetworkAclEntryRuleAction) ToPolicyNetworkAclEntryRuleActionPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntryRuleActionPtrOutput

func (PolicyNetworkAclEntryRuleAction) ToStringOutput added in v0.105.0

func (PolicyNetworkAclEntryRuleAction) ToStringOutputWithContext added in v0.105.0

func (e PolicyNetworkAclEntryRuleAction) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput

func (PolicyNetworkAclEntryRuleAction) ToStringPtrOutput added in v0.105.0

func (PolicyNetworkAclEntryRuleAction) ToStringPtrOutputWithContext added in v0.105.0

func (e PolicyNetworkAclEntryRuleAction) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput

type PolicyNetworkAclEntryRuleActionInput added in v0.105.0

// PolicyNetworkAclEntryRuleActionInput is the input interface for a rule
// action. Embeds pulumi.Input and adds the conversions to
// PolicyNetworkAclEntryRuleActionOutput; satisfied by the
// PolicyNetworkAclEntryRuleAction enum values themselves and by
// PolicyNetworkAclEntryRuleActionOutput.
type PolicyNetworkAclEntryRuleActionInput interface {
	pulumi.Input

	ToPolicyNetworkAclEntryRuleActionOutput() PolicyNetworkAclEntryRuleActionOutput
	ToPolicyNetworkAclEntryRuleActionOutputWithContext(context.Context) PolicyNetworkAclEntryRuleActionOutput
}

PolicyNetworkAclEntryRuleActionInput is an input type that accepts values of the PolicyNetworkAclEntryRuleAction enum. A concrete instance of `PolicyNetworkAclEntryRuleActionInput` can be one of the following (prefer these named constants over string literals, since the enum's underlying type is string and an unknown value is not caught at compile time):

PolicyNetworkAclEntryRuleActionAllow
PolicyNetworkAclEntryRuleActionDeny

type PolicyNetworkAclEntryRuleActionOutput added in v0.105.0

type PolicyNetworkAclEntryRuleActionOutput struct{ *pulumi.OutputState }

func (PolicyNetworkAclEntryRuleActionOutput) ElementType added in v0.105.0

func (PolicyNetworkAclEntryRuleActionOutput) ToPolicyNetworkAclEntryRuleActionOutput added in v0.105.0

func (o PolicyNetworkAclEntryRuleActionOutput) ToPolicyNetworkAclEntryRuleActionOutput() PolicyNetworkAclEntryRuleActionOutput

func (PolicyNetworkAclEntryRuleActionOutput) ToPolicyNetworkAclEntryRuleActionOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryRuleActionOutput) ToPolicyNetworkAclEntryRuleActionOutputWithContext(ctx context.Context) PolicyNetworkAclEntryRuleActionOutput

func (PolicyNetworkAclEntryRuleActionOutput) ToPolicyNetworkAclEntryRuleActionPtrOutput added in v0.105.0

func (o PolicyNetworkAclEntryRuleActionOutput) ToPolicyNetworkAclEntryRuleActionPtrOutput() PolicyNetworkAclEntryRuleActionPtrOutput

func (PolicyNetworkAclEntryRuleActionOutput) ToPolicyNetworkAclEntryRuleActionPtrOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryRuleActionOutput) ToPolicyNetworkAclEntryRuleActionPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntryRuleActionPtrOutput

func (PolicyNetworkAclEntryRuleActionOutput) ToStringOutput added in v0.105.0

func (PolicyNetworkAclEntryRuleActionOutput) ToStringOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryRuleActionOutput) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput

func (PolicyNetworkAclEntryRuleActionOutput) ToStringPtrOutput added in v0.105.0

func (PolicyNetworkAclEntryRuleActionOutput) ToStringPtrOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryRuleActionOutput) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput

type PolicyNetworkAclEntryRuleActionPtrInput added in v0.105.0

// PolicyNetworkAclEntryRuleActionPtrInput is the input interface for an
// optional rule action. Embeds pulumi.Input and adds the conversions to
// PolicyNetworkAclEntryRuleActionPtrOutput; satisfied by the enum values,
// PolicyNetworkAclEntryRuleActionOutput, PolicyNetworkAclEntryRuleActionPtrOutput,
// and by PolicyNetworkAclEntryRuleActionPtr(v string). Note that the Ptr
// helper takes a plain string, so it bypasses the enum type entirely — pass
// string(PolicyNetworkAclEntryRuleActionAllow) or the Deny constant rather
// than a hand-typed literal.
type PolicyNetworkAclEntryRuleActionPtrInput interface {
	pulumi.Input

	ToPolicyNetworkAclEntryRuleActionPtrOutput() PolicyNetworkAclEntryRuleActionPtrOutput
	ToPolicyNetworkAclEntryRuleActionPtrOutputWithContext(context.Context) PolicyNetworkAclEntryRuleActionPtrOutput
}

func PolicyNetworkAclEntryRuleActionPtr added in v0.105.0

func PolicyNetworkAclEntryRuleActionPtr(v string) PolicyNetworkAclEntryRuleActionPtrInput

type PolicyNetworkAclEntryRuleActionPtrOutput added in v0.105.0

type PolicyNetworkAclEntryRuleActionPtrOutput struct{ *pulumi.OutputState }

func (PolicyNetworkAclEntryRuleActionPtrOutput) Elem added in v0.105.0

func (PolicyNetworkAclEntryRuleActionPtrOutput) ElementType added in v0.105.0

func (PolicyNetworkAclEntryRuleActionPtrOutput) ToPolicyNetworkAclEntryRuleActionPtrOutput added in v0.105.0

func (o PolicyNetworkAclEntryRuleActionPtrOutput) ToPolicyNetworkAclEntryRuleActionPtrOutput() PolicyNetworkAclEntryRuleActionPtrOutput

func (PolicyNetworkAclEntryRuleActionPtrOutput) ToPolicyNetworkAclEntryRuleActionPtrOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntryRuleActionPtrOutput) ToPolicyNetworkAclEntryRuleActionPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntryRuleActionPtrOutput

func (PolicyNetworkAclEntryRuleActionPtrOutput) ToStringPtrOutput added in v0.105.0

func (PolicyNetworkAclEntryRuleActionPtrOutput) ToStringPtrOutputWithContext added in v0.105.0

type PolicyNetworkAclEntrySet added in v0.105.0

// PolicyNetworkAclEntrySet holds the policy-managed network ACL entries that
// Firewall Manager places before (FirstEntries) and after (LastEntries) an
// account's own entries, plus the per-set forced-remediation switches.
type PolicyNetworkAclEntrySet struct {
	// The rules that you want to run first in the Firewall Manager managed network ACLs.
	//
	// > Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.
	//
	// You must specify at least one first entry or one last entry in any network ACL policy.
	//
	// NOTE(review): these entries are ordered ahead of the account's custom entries, so a
	// broad "allow" placed here is evaluated before any account-level "deny" — confirm the
	// intended ordering against the developer guide before adding one.
	FirstEntries []PolicyNetworkAclEntry `pulumi:"firstEntries"`
	// Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.
	//
	// If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see [Remediation for managed network ACLs](https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation) in the *AWS Firewall Manager Developer Guide* .
	//
	// Plain bool: when omitted it is false, i.e. conflicts involving first entries are
	// only reported as noncompliant, never rewritten.
	ForceRemediateForFirstEntries bool `pulumi:"forceRemediateForFirstEntries"`
	// Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.
	//
	// If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see [Remediation for managed network ACLs](https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation) in the *AWS Firewall Manager Developer Guide* .
	//
	// Plain bool: when omitted it is false, i.e. conflicts involving last entries are
	// only reported as noncompliant, never rewritten.
	ForceRemediateForLastEntries bool `pulumi:"forceRemediateForLastEntries"`
	// The rules that you want to run last in the Firewall Manager managed network ACLs.
	//
	// > Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.
	//
	// You must specify at least one first entry or one last entry in any network ACL policy.
	//
	// Typical use is a trailing default "deny" that applies after the account's custom
	// entries — presumably; confirm against the developer guide linked above.
	LastEntries []PolicyNetworkAclEntry `pulumi:"lastEntries"`
}

Network ACL entry set: the policy-managed entries Firewall Manager places before (`FirstEntries`) and after (`LastEntries`) an account's own network ACL entries, together with the forced-remediation switches for each group.

type PolicyNetworkAclEntrySetArgs added in v0.105.0

// PolicyNetworkAclEntrySetArgs is the Pulumi input form of PolicyNetworkAclEntrySet.
// The two ForceRemediate fields are BoolInput rather than BoolPtrInput (contrast the
// PtrInput fields of PolicyOptionArgs), so presumably the schema treats them as
// required — TODO confirm.
type PolicyNetworkAclEntrySetArgs struct {
	// The rules that you want to run first in the Firewall Manager managed network ACLs.
	//
	// > Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.
	//
	// You must specify at least one first entry or one last entry in any network ACL policy.
	//
	// NOTE(review): these run ahead of the account's custom entries, so a broad "allow"
	// here is evaluated before any account-level "deny" — confirm the intended ordering.
	FirstEntries PolicyNetworkAclEntryArrayInput `pulumi:"firstEntries"`
	// Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.
	//
	// If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see [Remediation for managed network ACLs](https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation) in the *AWS Firewall Manager Developer Guide* .
	//
	// When true (and RemediationEnabled is set on the policy), conflicting custom entries
	// are remediated rather than only reported.
	ForceRemediateForFirstEntries pulumi.BoolInput `pulumi:"forceRemediateForFirstEntries"`
	// Applies only when remediation is enabled for the policy as a whole. Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries.
	//
	// If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see [Remediation for managed network ACLs](https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation) in the *AWS Firewall Manager Developer Guide* .
	//
	// When true (and RemediationEnabled is set on the policy), conflicting custom entries
	// are remediated rather than only reported.
	ForceRemediateForLastEntries pulumi.BoolInput `pulumi:"forceRemediateForLastEntries"`
	// The rules that you want to run last in the Firewall Manager managed network ACLs.
	//
	// > Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.
	//
	// You must specify at least one first entry or one last entry in any network ACL policy.
	LastEntries PolicyNetworkAclEntryArrayInput `pulumi:"lastEntries"`
}

Network ACL entry set (input form): the policy-managed entries Firewall Manager places before (`FirstEntries`) and after (`LastEntries`) an account's own network ACL entries, together with the forced-remediation switches for each group.

func (PolicyNetworkAclEntrySetArgs) ElementType added in v0.105.0

func (PolicyNetworkAclEntrySetArgs) ToPolicyNetworkAclEntrySetOutput added in v0.105.0

func (i PolicyNetworkAclEntrySetArgs) ToPolicyNetworkAclEntrySetOutput() PolicyNetworkAclEntrySetOutput

func (PolicyNetworkAclEntrySetArgs) ToPolicyNetworkAclEntrySetOutputWithContext added in v0.105.0

func (i PolicyNetworkAclEntrySetArgs) ToPolicyNetworkAclEntrySetOutputWithContext(ctx context.Context) PolicyNetworkAclEntrySetOutput

func (PolicyNetworkAclEntrySetArgs) ToPolicyNetworkAclEntrySetPtrOutput added in v0.105.0

func (i PolicyNetworkAclEntrySetArgs) ToPolicyNetworkAclEntrySetPtrOutput() PolicyNetworkAclEntrySetPtrOutput

func (PolicyNetworkAclEntrySetArgs) ToPolicyNetworkAclEntrySetPtrOutputWithContext added in v0.105.0

func (i PolicyNetworkAclEntrySetArgs) ToPolicyNetworkAclEntrySetPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntrySetPtrOutput

type PolicyNetworkAclEntrySetInput added in v0.105.0

// PolicyNetworkAclEntrySetInput is an input type that accepts
// PolicyNetworkAclEntrySetArgs and PolicyNetworkAclEntrySetOutput values.
type PolicyNetworkAclEntrySetInput interface {
	pulumi.Input

	ToPolicyNetworkAclEntrySetOutput() PolicyNetworkAclEntrySetOutput
	ToPolicyNetworkAclEntrySetOutputWithContext(context.Context) PolicyNetworkAclEntrySetOutput
}

PolicyNetworkAclEntrySetInput is an input type that accepts PolicyNetworkAclEntrySetArgs and PolicyNetworkAclEntrySetOutput values. You can construct a concrete instance of `PolicyNetworkAclEntrySetInput` via:

PolicyNetworkAclEntrySetArgs{...}

type PolicyNetworkAclEntrySetOutput added in v0.105.0

// PolicyNetworkAclEntrySetOutput is the output form of PolicyNetworkAclEntrySet;
// its accessors expose FirstEntries, LastEntries and the two ForceRemediate flags.
type PolicyNetworkAclEntrySetOutput struct{ *pulumi.OutputState }

Network ACL entry set (output form): exposes the policy-managed first and last entries and the forced-remediation flag for each group.

func (PolicyNetworkAclEntrySetOutput) ElementType added in v0.105.0

func (PolicyNetworkAclEntrySetOutput) FirstEntries added in v0.105.0

The rules that you want to run first in the Firewall Manager managed network ACLs.

> Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.

You must specify at least one first entry or one last entry in any network ACL policy.

func (PolicyNetworkAclEntrySetOutput) ForceRemediateForFirstEntries added in v0.105.0

func (o PolicyNetworkAclEntrySetOutput) ForceRemediateForFirstEntries() pulumi.BoolOutput

Applies only when remediation is enabled for the policy as a whole (`RemediationEnabled`). Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries: when `true`, such conflicts are remediated rather than only reported.

If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see [Remediation for managed network ACLs](https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation) in the *AWS Firewall Manager Developer Guide* .

func (PolicyNetworkAclEntrySetOutput) ForceRemediateForLastEntries added in v0.105.0

func (o PolicyNetworkAclEntrySetOutput) ForceRemediateForLastEntries() pulumi.BoolOutput

Applies only when remediation is enabled for the policy as a whole (`RemediationEnabled`). Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries: when `true`, such conflicts are remediated rather than only reported.

If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see [Remediation for managed network ACLs](https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation) in the *AWS Firewall Manager Developer Guide* .

func (PolicyNetworkAclEntrySetOutput) LastEntries added in v0.105.0

The rules that you want to run last in the Firewall Manager managed network ACLs.

> Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.

You must specify at least one first entry or one last entry in any network ACL policy.

func (PolicyNetworkAclEntrySetOutput) ToPolicyNetworkAclEntrySetOutput added in v0.105.0

func (o PolicyNetworkAclEntrySetOutput) ToPolicyNetworkAclEntrySetOutput() PolicyNetworkAclEntrySetOutput

func (PolicyNetworkAclEntrySetOutput) ToPolicyNetworkAclEntrySetOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntrySetOutput) ToPolicyNetworkAclEntrySetOutputWithContext(ctx context.Context) PolicyNetworkAclEntrySetOutput

func (PolicyNetworkAclEntrySetOutput) ToPolicyNetworkAclEntrySetPtrOutput added in v0.105.0

func (o PolicyNetworkAclEntrySetOutput) ToPolicyNetworkAclEntrySetPtrOutput() PolicyNetworkAclEntrySetPtrOutput

func (PolicyNetworkAclEntrySetOutput) ToPolicyNetworkAclEntrySetPtrOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntrySetOutput) ToPolicyNetworkAclEntrySetPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntrySetPtrOutput

type PolicyNetworkAclEntrySetPtrInput added in v0.105.0

// PolicyNetworkAclEntrySetPtrInput is an input type that accepts
// PolicyNetworkAclEntrySetArgs, PolicyNetworkAclEntrySetPtr and
// PolicyNetworkAclEntrySetPtrOutput values, or nil for an unset entry set.
type PolicyNetworkAclEntrySetPtrInput interface {
	pulumi.Input

	ToPolicyNetworkAclEntrySetPtrOutput() PolicyNetworkAclEntrySetPtrOutput
	ToPolicyNetworkAclEntrySetPtrOutputWithContext(context.Context) PolicyNetworkAclEntrySetPtrOutput
}

PolicyNetworkAclEntrySetPtrInput is an input type that accepts PolicyNetworkAclEntrySetArgs, PolicyNetworkAclEntrySetPtr and PolicyNetworkAclEntrySetPtrOutput values. You can construct a concrete instance of `PolicyNetworkAclEntrySetPtrInput` via:

        PolicyNetworkAclEntrySetArgs{...}

or:

        nil

func PolicyNetworkAclEntrySetPtr added in v0.105.0

func PolicyNetworkAclEntrySetPtr(v *PolicyNetworkAclEntrySetArgs) PolicyNetworkAclEntrySetPtrInput

type PolicyNetworkAclEntrySetPtrOutput added in v0.105.0

// PolicyNetworkAclEntrySetPtrOutput is the output form of an optional entry set;
// its field accessors return pointer outputs (nil when the set is absent).
type PolicyNetworkAclEntrySetPtrOutput struct{ *pulumi.OutputState }

func (PolicyNetworkAclEntrySetPtrOutput) Elem added in v0.105.0

func (PolicyNetworkAclEntrySetPtrOutput) ElementType added in v0.105.0

func (PolicyNetworkAclEntrySetPtrOutput) FirstEntries added in v0.105.0

The rules that you want to run first in the Firewall Manager managed network ACLs.

> Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.

You must specify at least one first entry or one last entry in any network ACL policy.

func (PolicyNetworkAclEntrySetPtrOutput) ForceRemediateForFirstEntries added in v0.105.0

func (o PolicyNetworkAclEntrySetPtrOutput) ForceRemediateForFirstEntries() pulumi.BoolPtrOutput

Applies only when remediation is enabled for the policy as a whole (`RemediationEnabled`). Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries: when `true`, such conflicts are remediated rather than only reported.

If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see [Remediation for managed network ACLs](https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation) in the *AWS Firewall Manager Developer Guide* .

func (PolicyNetworkAclEntrySetPtrOutput) ForceRemediateForLastEntries added in v0.105.0

func (o PolicyNetworkAclEntrySetPtrOutput) ForceRemediateForLastEntries() pulumi.BoolPtrOutput

Applies only when remediation is enabled for the policy as a whole (`RemediationEnabled`). Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries: when `true`, such conflicts are remediated rather than only reported.

If forced remediation is disabled, Firewall Manager marks the network ACL as noncompliant and does not try to remediate. For more information about the remediation behavior, see [Remediation for managed network ACLs](https://docs.aws.amazon.com/waf/latest/developerguide/network-acl-policies.html#network-acls-remediation) in the *AWS Firewall Manager Developer Guide* .

func (PolicyNetworkAclEntrySetPtrOutput) LastEntries added in v0.105.0

The rules that you want to run last in the Firewall Manager managed network ACLs.

> Provide these in the order in which you want them to run. Firewall Manager will assign the specific rule numbers for you, in the network ACLs that it creates.

You must specify at least one first entry or one last entry in any network ACL policy.

func (PolicyNetworkAclEntrySetPtrOutput) ToPolicyNetworkAclEntrySetPtrOutput added in v0.105.0

func (o PolicyNetworkAclEntrySetPtrOutput) ToPolicyNetworkAclEntrySetPtrOutput() PolicyNetworkAclEntrySetPtrOutput

func (PolicyNetworkAclEntrySetPtrOutput) ToPolicyNetworkAclEntrySetPtrOutputWithContext added in v0.105.0

func (o PolicyNetworkAclEntrySetPtrOutput) ToPolicyNetworkAclEntrySetPtrOutputWithContext(ctx context.Context) PolicyNetworkAclEntrySetPtrOutput

type PolicyNetworkFirewallPolicy added in v0.21.0

// PolicyNetworkFirewallPolicy holds the AWS Network Firewall-specific policy
// options; currently only the deployment model.
type PolicyNetworkFirewallPolicy struct {
	// Defines the deployment model to use for the firewall policy. Valid values are
	// DISTRIBUTED and CENTRALIZED (the PolicyFirewallDeploymentModel constants).
	// To use a distributed model, set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .
	// Note the linked CloudFormation page documents the third-party-firewall variant of this property.
	FirewallDeploymentModel PolicyFirewallDeploymentModel `pulumi:"firewallDeploymentModel"`
}

Network firewall policy options; currently only the firewall deployment model (`DISTRIBUTED` or `CENTRALIZED`).

type PolicyNetworkFirewallPolicyArgs added in v0.21.0

// PolicyNetworkFirewallPolicyArgs is the Pulumi input form of PolicyNetworkFirewallPolicy.
type PolicyNetworkFirewallPolicyArgs struct {
	// Defines the deployment model to use for the firewall policy. Valid values are
	// DISTRIBUTED and CENTRALIZED (the PolicyFirewallDeploymentModel constants).
	// To use a distributed model, set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` .
	// Note the linked CloudFormation page documents the third-party-firewall variant of this property.
	FirewallDeploymentModel PolicyFirewallDeploymentModelInput `pulumi:"firewallDeploymentModel"`
}

Network firewall policy options (input form); currently only the firewall deployment model (`DISTRIBUTED` or `CENTRALIZED`).

func (PolicyNetworkFirewallPolicyArgs) ElementType added in v0.21.0

func (PolicyNetworkFirewallPolicyArgs) ToPolicyNetworkFirewallPolicyOutput added in v0.21.0

func (i PolicyNetworkFirewallPolicyArgs) ToPolicyNetworkFirewallPolicyOutput() PolicyNetworkFirewallPolicyOutput

func (PolicyNetworkFirewallPolicyArgs) ToPolicyNetworkFirewallPolicyOutputWithContext added in v0.21.0

func (i PolicyNetworkFirewallPolicyArgs) ToPolicyNetworkFirewallPolicyOutputWithContext(ctx context.Context) PolicyNetworkFirewallPolicyOutput

func (PolicyNetworkFirewallPolicyArgs) ToPolicyNetworkFirewallPolicyPtrOutput added in v0.21.0

func (i PolicyNetworkFirewallPolicyArgs) ToPolicyNetworkFirewallPolicyPtrOutput() PolicyNetworkFirewallPolicyPtrOutput

func (PolicyNetworkFirewallPolicyArgs) ToPolicyNetworkFirewallPolicyPtrOutputWithContext added in v0.21.0

func (i PolicyNetworkFirewallPolicyArgs) ToPolicyNetworkFirewallPolicyPtrOutputWithContext(ctx context.Context) PolicyNetworkFirewallPolicyPtrOutput

type PolicyNetworkFirewallPolicyInput added in v0.21.0

// PolicyNetworkFirewallPolicyInput is an input type that accepts
// PolicyNetworkFirewallPolicyArgs and PolicyNetworkFirewallPolicyOutput values.
type PolicyNetworkFirewallPolicyInput interface {
	pulumi.Input

	ToPolicyNetworkFirewallPolicyOutput() PolicyNetworkFirewallPolicyOutput
	ToPolicyNetworkFirewallPolicyOutputWithContext(context.Context) PolicyNetworkFirewallPolicyOutput
}

PolicyNetworkFirewallPolicyInput is an input type that accepts PolicyNetworkFirewallPolicyArgs and PolicyNetworkFirewallPolicyOutput values. You can construct a concrete instance of `PolicyNetworkFirewallPolicyInput` via:

PolicyNetworkFirewallPolicyArgs{...}

type PolicyNetworkFirewallPolicyOutput added in v0.21.0

// PolicyNetworkFirewallPolicyOutput is the output form of PolicyNetworkFirewallPolicy;
// FirewallDeploymentModel is its only accessor.
type PolicyNetworkFirewallPolicyOutput struct{ *pulumi.OutputState }

Network firewall policy options (output form); exposes the firewall deployment model.

func (PolicyNetworkFirewallPolicyOutput) ElementType added in v0.21.0

func (PolicyNetworkFirewallPolicyOutput) FirewallDeploymentModel added in v0.21.0

Defines the deployment model to use for the firewall policy. Valid values are `DISTRIBUTED` and `CENTRALIZED` (the `PolicyFirewallDeploymentModel` constants). To use a distributed model, set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` ; note that the linked CloudFormation page documents the third-party firewall variant of this property.

func (PolicyNetworkFirewallPolicyOutput) ToPolicyNetworkFirewallPolicyOutput added in v0.21.0

func (o PolicyNetworkFirewallPolicyOutput) ToPolicyNetworkFirewallPolicyOutput() PolicyNetworkFirewallPolicyOutput

func (PolicyNetworkFirewallPolicyOutput) ToPolicyNetworkFirewallPolicyOutputWithContext added in v0.21.0

func (o PolicyNetworkFirewallPolicyOutput) ToPolicyNetworkFirewallPolicyOutputWithContext(ctx context.Context) PolicyNetworkFirewallPolicyOutput

func (PolicyNetworkFirewallPolicyOutput) ToPolicyNetworkFirewallPolicyPtrOutput added in v0.21.0

func (o PolicyNetworkFirewallPolicyOutput) ToPolicyNetworkFirewallPolicyPtrOutput() PolicyNetworkFirewallPolicyPtrOutput

func (PolicyNetworkFirewallPolicyOutput) ToPolicyNetworkFirewallPolicyPtrOutputWithContext added in v0.21.0

func (o PolicyNetworkFirewallPolicyOutput) ToPolicyNetworkFirewallPolicyPtrOutputWithContext(ctx context.Context) PolicyNetworkFirewallPolicyPtrOutput

type PolicyNetworkFirewallPolicyPtrInput added in v0.21.0

// PolicyNetworkFirewallPolicyPtrInput is an input type that accepts
// PolicyNetworkFirewallPolicyArgs, PolicyNetworkFirewallPolicyPtr and
// PolicyNetworkFirewallPolicyPtrOutput values, or nil when no Network Firewall
// options are set.
type PolicyNetworkFirewallPolicyPtrInput interface {
	pulumi.Input

	ToPolicyNetworkFirewallPolicyPtrOutput() PolicyNetworkFirewallPolicyPtrOutput
	ToPolicyNetworkFirewallPolicyPtrOutputWithContext(context.Context) PolicyNetworkFirewallPolicyPtrOutput
}

PolicyNetworkFirewallPolicyPtrInput is an input type that accepts PolicyNetworkFirewallPolicyArgs, PolicyNetworkFirewallPolicyPtr and PolicyNetworkFirewallPolicyPtrOutput values. You can construct a concrete instance of `PolicyNetworkFirewallPolicyPtrInput` via:

        PolicyNetworkFirewallPolicyArgs{...}

or:

        nil

func PolicyNetworkFirewallPolicyPtr added in v0.21.0

type PolicyNetworkFirewallPolicyPtrOutput added in v0.21.0

// PolicyNetworkFirewallPolicyPtrOutput is the output form of optional Network
// Firewall policy options; Elem unwraps it to PolicyNetworkFirewallPolicyOutput.
type PolicyNetworkFirewallPolicyPtrOutput struct{ *pulumi.OutputState }

func (PolicyNetworkFirewallPolicyPtrOutput) Elem added in v0.21.0

func (PolicyNetworkFirewallPolicyPtrOutput) ElementType added in v0.21.0

func (PolicyNetworkFirewallPolicyPtrOutput) FirewallDeploymentModel added in v0.21.0

Defines the deployment model to use for the firewall policy. Valid values are `DISTRIBUTED` and `CENTRALIZED` (the `PolicyFirewallDeploymentModel` constants). To use a distributed model, set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` ; note that the linked CloudFormation page documents the third-party firewall variant of this property.

func (PolicyNetworkFirewallPolicyPtrOutput) ToPolicyNetworkFirewallPolicyPtrOutput added in v0.21.0

func (o PolicyNetworkFirewallPolicyPtrOutput) ToPolicyNetworkFirewallPolicyPtrOutput() PolicyNetworkFirewallPolicyPtrOutput

func (PolicyNetworkFirewallPolicyPtrOutput) ToPolicyNetworkFirewallPolicyPtrOutputWithContext added in v0.21.0

func (o PolicyNetworkFirewallPolicyPtrOutput) ToPolicyNetworkFirewallPolicyPtrOutputWithContext(ctx context.Context) PolicyNetworkFirewallPolicyPtrOutput

type PolicyOption added in v0.21.0

// PolicyOption carries the policy-type-specific options of a Policy. Every field
// is a pointer, so unset options are nil; presumably only the one matching the
// policy's security service type is populated — TODO confirm against the AWS schema.
type PolicyOption struct {
	// Defines a Firewall Manager network ACL policy.
	NetworkAclCommonPolicy *PolicyNetworkAclCommonPolicy `pulumi:"networkAclCommonPolicy"`
	// Defines the deployment model to use for the firewall policy (AWS Network Firewall).
	NetworkFirewallPolicy *PolicyNetworkFirewallPolicy `pulumi:"networkFirewallPolicy"`
	// Defines the policy options for a third-party firewall policy.
	ThirdPartyFirewallPolicy *PolicyThirdPartyFirewallPolicy `pulumi:"thirdPartyFirewallPolicy"`
}

Firewall policy option: the policy-type-specific settings for a network ACL, AWS Network Firewall, or third-party firewall policy.

type PolicyOptionArgs added in v0.21.0

// PolicyOptionArgs is the Pulumi input form of PolicyOption. All fields are
// PtrInput, i.e. optional; leave the ones that do not apply to the policy type nil.
type PolicyOptionArgs struct {
	// Defines a Firewall Manager network ACL policy.
	NetworkAclCommonPolicy PolicyNetworkAclCommonPolicyPtrInput `pulumi:"networkAclCommonPolicy"`
	// Defines the deployment model to use for the firewall policy (AWS Network Firewall).
	NetworkFirewallPolicy PolicyNetworkFirewallPolicyPtrInput `pulumi:"networkFirewallPolicy"`
	// Defines the policy options for a third-party firewall policy.
	ThirdPartyFirewallPolicy PolicyThirdPartyFirewallPolicyPtrInput `pulumi:"thirdPartyFirewallPolicy"`
}

Firewall policy option (input form): the policy-type-specific settings for a network ACL, AWS Network Firewall, or third-party firewall policy; all three fields are optional.

func (PolicyOptionArgs) ElementType added in v0.21.0

func (PolicyOptionArgs) ElementType() reflect.Type

func (PolicyOptionArgs) ToPolicyOptionOutput added in v0.21.0

func (i PolicyOptionArgs) ToPolicyOptionOutput() PolicyOptionOutput

func (PolicyOptionArgs) ToPolicyOptionOutputWithContext added in v0.21.0

func (i PolicyOptionArgs) ToPolicyOptionOutputWithContext(ctx context.Context) PolicyOptionOutput

func (PolicyOptionArgs) ToPolicyOptionPtrOutput added in v0.21.0

func (i PolicyOptionArgs) ToPolicyOptionPtrOutput() PolicyOptionPtrOutput

func (PolicyOptionArgs) ToPolicyOptionPtrOutputWithContext added in v0.21.0

func (i PolicyOptionArgs) ToPolicyOptionPtrOutputWithContext(ctx context.Context) PolicyOptionPtrOutput

type PolicyOptionInput added in v0.21.0

// PolicyOptionInput is an input type that accepts PolicyOptionArgs and
// PolicyOptionOutput values.
type PolicyOptionInput interface {
	pulumi.Input

	ToPolicyOptionOutput() PolicyOptionOutput
	ToPolicyOptionOutputWithContext(context.Context) PolicyOptionOutput
}

PolicyOptionInput is an input type that accepts PolicyOptionArgs and PolicyOptionOutput values. You can construct a concrete instance of `PolicyOptionInput` via:

PolicyOptionArgs{...}

type PolicyOptionOutput added in v0.21.0

// PolicyOptionOutput is the output form of PolicyOption; its accessors return
// pointer outputs for each of the three policy-type-specific option sets.
type PolicyOptionOutput struct{ *pulumi.OutputState }

Firewall policy option (output form): exposes the network ACL, AWS Network Firewall, and third-party firewall option sets, each as a pointer output.

func (PolicyOptionOutput) ElementType added in v0.21.0

func (PolicyOptionOutput) ElementType() reflect.Type

func (PolicyOptionOutput) NetworkAclCommonPolicy added in v0.105.0

func (o PolicyOptionOutput) NetworkAclCommonPolicy() PolicyNetworkAclCommonPolicyPtrOutput

Defines a Firewall Manager network ACL policy.

func (PolicyOptionOutput) NetworkFirewallPolicy added in v0.21.0

func (o PolicyOptionOutput) NetworkFirewallPolicy() PolicyNetworkFirewallPolicyPtrOutput

Defines the deployment model to use for the firewall policy.

func (PolicyOptionOutput) ThirdPartyFirewallPolicy added in v0.21.0

func (o PolicyOptionOutput) ThirdPartyFirewallPolicy() PolicyThirdPartyFirewallPolicyPtrOutput

Defines the policy options for a third-party firewall policy.

func (PolicyOptionOutput) ToPolicyOptionOutput added in v0.21.0

func (o PolicyOptionOutput) ToPolicyOptionOutput() PolicyOptionOutput

func (PolicyOptionOutput) ToPolicyOptionOutputWithContext added in v0.21.0

func (o PolicyOptionOutput) ToPolicyOptionOutputWithContext(ctx context.Context) PolicyOptionOutput

func (PolicyOptionOutput) ToPolicyOptionPtrOutput added in v0.21.0

func (o PolicyOptionOutput) ToPolicyOptionPtrOutput() PolicyOptionPtrOutput

func (PolicyOptionOutput) ToPolicyOptionPtrOutputWithContext added in v0.21.0

func (o PolicyOptionOutput) ToPolicyOptionPtrOutputWithContext(ctx context.Context) PolicyOptionPtrOutput

type PolicyOptionPtrInput added in v0.21.0

// PolicyOptionPtrInput is an input type that accepts PolicyOptionArgs,
// PolicyOptionPtr and PolicyOptionPtrOutput values, or nil when the policy has
// no type-specific options.
type PolicyOptionPtrInput interface {
	pulumi.Input

	ToPolicyOptionPtrOutput() PolicyOptionPtrOutput
	ToPolicyOptionPtrOutputWithContext(context.Context) PolicyOptionPtrOutput
}

PolicyOptionPtrInput is an input type that accepts PolicyOptionArgs, PolicyOptionPtr and PolicyOptionPtrOutput values. You can construct a concrete instance of `PolicyOptionPtrInput` via:

        PolicyOptionArgs{...}

or:

        nil

func PolicyOptionPtr added in v0.21.0

func PolicyOptionPtr(v *PolicyOptionArgs) PolicyOptionPtrInput

type PolicyOptionPtrOutput added in v0.21.0

// PolicyOptionPtrOutput is the output form of an optional PolicyOption; Elem
// unwraps it to PolicyOptionOutput.
type PolicyOptionPtrOutput struct{ *pulumi.OutputState }

func (PolicyOptionPtrOutput) Elem added in v0.21.0

func (PolicyOptionPtrOutput) ElementType added in v0.21.0

func (PolicyOptionPtrOutput) ElementType() reflect.Type

func (PolicyOptionPtrOutput) NetworkAclCommonPolicy added in v0.105.0

Defines a Firewall Manager network ACL policy.

func (PolicyOptionPtrOutput) NetworkFirewallPolicy added in v0.21.0

Defines the deployment model to use for the firewall policy.

func (PolicyOptionPtrOutput) ThirdPartyFirewallPolicy added in v0.21.0

Defines the policy options for a third-party firewall policy.

func (PolicyOptionPtrOutput) ToPolicyOptionPtrOutput added in v0.21.0

func (o PolicyOptionPtrOutput) ToPolicyOptionPtrOutput() PolicyOptionPtrOutput

func (PolicyOptionPtrOutput) ToPolicyOptionPtrOutputWithContext added in v0.21.0

func (o PolicyOptionPtrOutput) ToPolicyOptionPtrOutputWithContext(ctx context.Context) PolicyOptionPtrOutput

type PolicyOutput

// PolicyOutput is the output type of the Policy resource. Its accessor methods
// expose the resource's properties as Pulumi outputs: identity (Arn, AwsId,
// PolicyName), scope (IncludeMap/ExcludeMap, ResourceTags, ResourceType(s),
// ResourceSetIds), enforcement (RemediationEnabled, ResourcesCleanUp,
// DeleteAllPolicyResources) and the SecurityServicePolicyData payload.
type PolicyOutput struct{ *pulumi.OutputState }

func (PolicyOutput) Arn added in v0.17.0

The Amazon Resource Name (ARN) of the policy.

func (PolicyOutput) AwsId added in v0.99.0

func (o PolicyOutput) AwsId() pulumi.StringOutput

The ID of the policy.

func (PolicyOutput) DeleteAllPolicyResources added in v0.17.0

func (o PolicyOutput) DeleteAllPolicyResources() pulumi.BoolPtrOutput

Used when deleting a policy. If `true` , Firewall Manager performs cleanup according to the policy type.

For AWS WAF and Shield Advanced policies, Firewall Manager does the following:

- Deletes rule groups created by Firewall Manager
- Removes web ACLs from in-scope resources
- Deletes web ACLs that contain no rules or rule groups

For security group policies, Firewall Manager does the following for each security group in the policy:

- Disassociates the security group from in-scope resources
- Deletes the security group if it was created through Firewall Manager and if it's no longer associated with any resources through another policy

After the cleanup, in-scope resources are no longer protected by the web ACLs (or security groups) that this policy managed, so set this only when that loss of protection is intended. Protection of out-of-scope resources remains unchanged. Scope is determined by tags that you create and accounts that you associate with the policy. When creating the policy, if you specify that only resources in specific accounts or with specific tags are in scope of the policy, those accounts and resources are handled by the policy. All others are out of scope. If you don't specify tags or accounts, all resources are in scope.

func (PolicyOutput) ElementType

func (PolicyOutput) ElementType() reflect.Type

func (PolicyOutput) ExcludeMap added in v0.17.0

func (o PolicyOutput) ExcludeMap() PolicyIeMapPtrOutput

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to exclude from the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap` , AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap` , and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap` , then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap` .

You can specify account IDs, OUs, or a combination:

- Specify account IDs by setting the key to `ACCOUNT` . For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}` .
- Specify OUs by setting the key to `ORGUNIT` . For example, the following is a valid map: `{"ORGUNIT" : ["ouid111", "ouid112"]}` .
- Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}` .

func (PolicyOutput) ExcludeResourceTags added in v0.17.0

func (o PolicyOutput) ExcludeResourceTags() pulumi.BoolOutput

Used only when tags are specified in the `ResourceTags` property. If this property is `True` , resources with the specified tags are not in scope of the policy. If it's `False` , only resources with the specified tags are in scope of the policy.

func (PolicyOutput) IncludeMap added in v0.17.0

func (o PolicyOutput) IncludeMap() PolicyIeMapPtrOutput

Specifies the AWS account IDs and AWS Organizations organizational units (OUs) to include in the policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.

You can specify inclusions or exclusions, but not both. If you specify an `IncludeMap` , AWS Firewall Manager applies the policy to all accounts specified by the `IncludeMap` , and does not evaluate any `ExcludeMap` specifications. If you do not specify an `IncludeMap` , then Firewall Manager applies the policy to all accounts except for those specified by the `ExcludeMap` .

You can specify account IDs, OUs, or a combination:

- Specify account IDs by setting the key to `ACCOUNT` . For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"]}` .
- Specify OUs by setting the key to `ORGUNIT` . For example, the following is a valid map: `{"ORGUNIT" : ["ouid111", "ouid112"]}` .
- Specify accounts and OUs together in a single map, separated with a comma. For example, the following is a valid map: `{"ACCOUNT" : ["accountID1", "accountID2"], "ORGUNIT" : ["ouid111", "ouid112"]}` .

func (PolicyOutput) PolicyDescription added in v0.48.0

func (o PolicyOutput) PolicyDescription() pulumi.StringPtrOutput

Your description of the AWS Firewall Manager policy.

func (PolicyOutput) PolicyName added in v0.17.0

func (o PolicyOutput) PolicyName() pulumi.StringOutput

The name of the AWS Firewall Manager policy.

func (PolicyOutput) RemediationEnabled added in v0.17.0

func (o PolicyOutput) RemediationEnabled() pulumi.BoolOutput

Indicates whether Firewall Manager automatically remediates noncompliant in-scope resources, including applying the policy to resources created after the policy. When `false` the policy is effectively audit-only: violations are reported as noncompliant but nothing is changed, and the per-policy forced-remediation settings (such as `ForceRemediateForFirstEntries`) have no effect.

func (PolicyOutput) ResourceSetIds added in v0.48.0

func (o PolicyOutput) ResourceSetIds() pulumi.StringArrayOutput

The unique identifiers of the resource sets used by the policy.

func (PolicyOutput) ResourceTags added in v0.17.0

func (o PolicyOutput) ResourceTags() PolicyResourceTagArrayOutput

An array of `ResourceTag` objects, used to explicitly include resources in the policy scope or explicitly exclude them. If this isn't set, then tags aren't used to modify policy scope. See also `ExcludeResourceTags` .

func (PolicyOutput) ResourceType added in v0.17.0

func (o PolicyOutput) ResourceType() pulumi.StringPtrOutput

The type of resource protected by or in scope of the policy. This is in the format shown in the [AWS Resource Types Reference](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html) . To apply this policy to multiple resource types, specify a resource type of `ResourceTypeList` and then specify the resource types in a `ResourceTypeList` .

The following are valid resource types for each Firewall Manager policy type:

- AWS WAF Classic - `AWS::ApiGateway::Stage` , `AWS::CloudFront::Distribution` , and `AWS::ElasticLoadBalancingV2::LoadBalancer` .
- AWS WAF - `AWS::ApiGateway::Stage` , `AWS::ElasticLoadBalancingV2::LoadBalancer` , and `AWS::CloudFront::Distribution` .
- Shield Advanced - `AWS::ElasticLoadBalancingV2::LoadBalancer` , `AWS::ElasticLoadBalancing::LoadBalancer` , `AWS::EC2::EIP` , and `AWS::CloudFront::Distribution` .
- Network ACL - `AWS::EC2::Subnet` .
- Security group usage audit - `AWS::EC2::SecurityGroup` .
- Security group content audit - `AWS::EC2::SecurityGroup` , `AWS::EC2::NetworkInterface` , and `AWS::EC2::Instance` .
- DNS Firewall, AWS Network Firewall , and third-party firewall - `AWS::EC2::VPC` .

func (PolicyOutput) ResourceTypeList added in v0.17.0

func (o PolicyOutput) ResourceTypeList() pulumi.StringArrayOutput

An array of `ResourceType` objects. Use this only to specify multiple resource types. To specify a single resource type, use `ResourceType` .

func (PolicyOutput) ResourcesCleanUp added in v0.17.0

func (o PolicyOutput) ResourcesCleanUp() pulumi.BoolPtrOutput

Indicates whether AWS Firewall Manager should automatically remove protections from resources that leave the policy scope and clean up resources that Firewall Manager is managing for accounts when those accounts leave policy scope. For example, Firewall Manager will disassociate a Firewall Manager managed web ACL from a protected customer resource when the customer resource leaves policy scope.

By default, Firewall Manager doesn't remove protections or delete Firewall Manager managed resources, so a resource that drifts out of scope keeps its last applied protection until it is removed by hand. Conversely, with this enabled, a scope change alone (for example, a tag edit on the resource) is enough to strip protection, so keep control over the tags and accounts that define policy scope.

This option is not available for Shield Advanced or AWS WAF Classic policies.

func (PolicyOutput) SecurityServicePolicyData added in v0.17.0

func (o PolicyOutput) SecurityServicePolicyData() PolicySecurityServicePolicyDataOutput

Details about the security service that is being used to protect the resources.

This contains the following settings:

- Type - Indicates the service type that the policy uses to protect the resource. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .

Valid values: `DNS_FIREWALL` | `NETWORK_FIREWALL` | `SECURITY_GROUPS_COMMON` | `SECURITY_GROUPS_CONTENT_AUDIT` | `SECURITY_GROUPS_USAGE_AUDIT` | `SHIELD_ADVANCED` | `THIRD_PARTY_FIREWALL` | `WAFV2` | `WAF` (this list may lag behind the `PolicyType` constants declared in this package). - ManagedServiceData - Details about the service that are specific to the service type, passed as a single JSON-encoded string. Because it is a string rather than structured fields, quoting and escaping mistakes are easy to introduce; validate it as JSON before applying.

- Example: `DNS_FIREWALL`

`"{\"type\":\"DNS_FIREWALL\",\"preProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-1\",\"priority\":10}],\"postProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-2\",\"priority\":9911}]}"`

> Valid `priority` values for `preProcessRuleGroups` are between 1 and 99, and for `postProcessRuleGroups` between 9901 and 10000. - Example: `NETWORK_FIREWALL` - Centralized deployment model

`"{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"OFF\"},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`

With automatic Availability Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"]},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\": \"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\", \"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{ \"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[ \"10.0.0.0/28\"]}]} },\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"OFF\",\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`

With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters.

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"],\"routeManagementConfig\":{\"allowCrossAZTrafficIfNoEndpoint\":true}},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model

`"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`

To use the centralized deployment model shown above, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` . - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model

`"{\"type\":\"THIRD_PARTY_FIREWALL\",\"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\",\"thirdPartyFirewallConfig\":{\"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{ \"availabilityZoneConfigList\":[ {\"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` . - Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions

`"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\", \"automaticResponseAction\":\"BLOCK|COUNT\"}, \"overrideCustomerWebaclClassic\":true|false}"`

For example: `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED\", \"automaticResponseAction\":\"COUNT\"}}"`

The default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` . Note that `COUNT` records matching requests without stopping them, so the automatic response only mitigates an attack once the action is set to `BLOCK` .

For other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string. - Example: `WAFV2`

`"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`

In the `loggingConfiguration` , you can specify one `logDestinationConfigs` , and you can optionally provide up to 20 `redactedFields` . The documented `RedactedFieldType` values are `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` , although the example above uses `SingleHeader` and `Method` — confirm the accepted spelling against the current AWS Firewall Manager API reference. Redact any header that carries credentials or session material (such as `Cookie` or `Authorization` ) so it does not reach the log destination in clear text. - Example: `AWS WAF Classic`

`"{\"type\": \"WAF\", \"ruleGroups\": [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", \"overrideAction\" : {\"type\": \"COUNT\"}}], \"defaultAction\": {\"type\": \"BLOCK\"}}"` - Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning

`"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`

To use a specific version of an AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group. A pinned version does not move forward when the vendor advances the default, so track the pin and review it when new rule group versions are released. - Example: `SECURITY_GROUPS_COMMON`

`"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"` - Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns

`"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":true,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"` - Example: `SECURITY_GROUPS_CONTENT_AUDIT`

`"{\"type\":\"SECURITY_GROUPS_CONTENT_AUDIT\",\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}],\"securityGroupAction\":{\"type\":\"ALLOW\"}}"`

The security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group. - Example: `SECURITY_GROUPS_USAGE_AUDIT`

`"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true}"`

As their names indicate, both flags in this example make changes to member-account security groups rather than only reporting findings; consider starting with both set to `false` and reviewing the audit results before enabling them.

func (PolicyOutput) Tags added in v0.17.0

func (o PolicyOutput) Tags() aws.TagArrayOutput

A collection of key:value pairs associated with an AWS resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as "environment") and the tag value represents a specific value within that category (such as "test," "development," or "production"). You can add up to 50 tags to each AWS resource.

func (PolicyOutput) ToPolicyOutput

func (o PolicyOutput) ToPolicyOutput() PolicyOutput

func (PolicyOutput) ToPolicyOutputWithContext

func (o PolicyOutput) ToPolicyOutputWithContext(ctx context.Context) PolicyOutput

type PolicyResourceTag

// PolicyResourceTag is one key/value tag entry from a policy's ResourceTags
// list; the list is used to bring resources into, or exclude them from, the
// policy scope.
type PolicyResourceTag struct {
	// The resource tag key.
	Key string `pulumi:"key"`
	// The resource tag value. A nil pointer means no value was supplied;
	// whether that matches any value or only an empty one is not shown here —
	// confirm against the Firewall Manager API.
	Value *string `pulumi:"value"`
}

A resource tag.

type PolicyResourceTagArgs

// PolicyResourceTagArgs is the input form of PolicyResourceTag, built from
// Pulumi inputs so values may be plain strings or outputs of other resources.
type PolicyResourceTagArgs struct {
	// The resource tag key (required).
	Key pulumi.StringInput `pulumi:"key"`
	// The resource tag value (optional; a nil input leaves the value unset).
	Value pulumi.StringPtrInput `pulumi:"value"`
}

A resource tag.

func (PolicyResourceTagArgs) ElementType

func (PolicyResourceTagArgs) ElementType() reflect.Type

func (PolicyResourceTagArgs) ToPolicyResourceTagOutput

func (i PolicyResourceTagArgs) ToPolicyResourceTagOutput() PolicyResourceTagOutput

func (PolicyResourceTagArgs) ToPolicyResourceTagOutputWithContext

func (i PolicyResourceTagArgs) ToPolicyResourceTagOutputWithContext(ctx context.Context) PolicyResourceTagOutput

type PolicyResourceTagArray

// PolicyResourceTagArray is a slice of PolicyResourceTagInput values; its
// conversion methods let it be used wherever a PolicyResourceTagArrayInput
// is expected.
type PolicyResourceTagArray []PolicyResourceTagInput

func (PolicyResourceTagArray) ElementType

func (PolicyResourceTagArray) ElementType() reflect.Type

func (PolicyResourceTagArray) ToPolicyResourceTagArrayOutput

func (i PolicyResourceTagArray) ToPolicyResourceTagArrayOutput() PolicyResourceTagArrayOutput

func (PolicyResourceTagArray) ToPolicyResourceTagArrayOutputWithContext

func (i PolicyResourceTagArray) ToPolicyResourceTagArrayOutputWithContext(ctx context.Context) PolicyResourceTagArrayOutput

type PolicyResourceTagArrayInput

// PolicyResourceTagArrayInput is satisfied by any Pulumi input that can be
// resolved to a PolicyResourceTagArrayOutput, with or without a context.
type PolicyResourceTagArrayInput interface {
	pulumi.Input

	// ToPolicyResourceTagArrayOutput resolves the input without a context.
	ToPolicyResourceTagArrayOutput() PolicyResourceTagArrayOutput
	// ToPolicyResourceTagArrayOutputWithContext resolves the input under ctx.
	ToPolicyResourceTagArrayOutputWithContext(context.Context) PolicyResourceTagArrayOutput
}

PolicyResourceTagArrayInput is an input type that accepts PolicyResourceTagArray and PolicyResourceTagArrayOutput values. You can construct a concrete instance of `PolicyResourceTagArrayInput` via:

PolicyResourceTagArray{ PolicyResourceTagArgs{...} }

type PolicyResourceTagArrayOutput

// PolicyResourceTagArrayOutput is the resolved (output) form of a list of
// PolicyResourceTag values; it embeds the shared Pulumi output state.
type PolicyResourceTagArrayOutput struct{ *pulumi.OutputState }

func (PolicyResourceTagArrayOutput) ElementType

func (PolicyResourceTagArrayOutput) Index

func (PolicyResourceTagArrayOutput) ToPolicyResourceTagArrayOutput

func (o PolicyResourceTagArrayOutput) ToPolicyResourceTagArrayOutput() PolicyResourceTagArrayOutput

func (PolicyResourceTagArrayOutput) ToPolicyResourceTagArrayOutputWithContext

func (o PolicyResourceTagArrayOutput) ToPolicyResourceTagArrayOutputWithContext(ctx context.Context) PolicyResourceTagArrayOutput

type PolicyResourceTagInput

// PolicyResourceTagInput is satisfied by any Pulumi input that can be
// resolved to a PolicyResourceTagOutput, with or without a context.
type PolicyResourceTagInput interface {
	pulumi.Input

	// ToPolicyResourceTagOutput resolves the input without a context.
	ToPolicyResourceTagOutput() PolicyResourceTagOutput
	// ToPolicyResourceTagOutputWithContext resolves the input under ctx.
	ToPolicyResourceTagOutputWithContext(context.Context) PolicyResourceTagOutput
}

PolicyResourceTagInput is an input type that accepts PolicyResourceTagArgs and PolicyResourceTagOutput values. You can construct a concrete instance of `PolicyResourceTagInput` via:

PolicyResourceTagArgs{...}

type PolicyResourceTagOutput

// PolicyResourceTagOutput is the resolved (output) form of a single
// PolicyResourceTag; it embeds the shared Pulumi output state.
type PolicyResourceTagOutput struct{ *pulumi.OutputState }

A resource tag.

func (PolicyResourceTagOutput) ElementType

func (PolicyResourceTagOutput) ElementType() reflect.Type

func (PolicyResourceTagOutput) Key

The resource tag key.

func (PolicyResourceTagOutput) ToPolicyResourceTagOutput

func (o PolicyResourceTagOutput) ToPolicyResourceTagOutput() PolicyResourceTagOutput

func (PolicyResourceTagOutput) ToPolicyResourceTagOutputWithContext

func (o PolicyResourceTagOutput) ToPolicyResourceTagOutputWithContext(ctx context.Context) PolicyResourceTagOutput

func (PolicyResourceTagOutput) Value

The resource tag value.

type PolicySecurityServicePolicyData added in v0.21.0

type PolicySecurityServicePolicyData struct {
	// Details about the service that are specific to the service type, in JSON format.
	//
	// The value is a JSON document serialized into one string, which is why every quote in the examples below is escaped. This struct carries it as an opaque string: nothing here parses it, checks that its inner `type` agrees with the `Type` field, or validates the embedded ARNs, account IDs, CIDRs and security group IDs. That validation happens server-side when the policy is created, so a malformed document surfaces as a deployment failure rather than a compile error. Treat the examples as templates: account IDs, ARNs, bucket names and resource IDs are placeholders, and `boolean` and `${AvailabilityZone}` are literal placeholders that must be replaced before use.
	//
	// - Example: `DNS_FIREWALL`
	//
	// `"{\"type\":\"DNS_FIREWALL\",\"preProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-1\",\"priority\":10}],\"postProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-2\",\"priority\":9911}]}"`
	//
	// > Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.
	// - Example: `NETWORK_FIREWALL` - Centralized deployment model
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`
	//
	// This example uses the centralized deployment model, so [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) must be `CENTRALIZED` ; the distributed examples below require `DISTRIBUTED` . The logging configuration sets `overrideExistingConfig` to `true` , which by its name replaces any logging configuration already present on the managed firewalls — confirm against the AWS docs before relying on it.
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"OFF\"},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`
	//
	// With automatic Availability Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"]},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\": \"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . `routeManagementAction` is `MONITOR` in this example, which presumably reports route problems rather than correcting them; check the AWS docs for the remediating value before changing it.
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\", \"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{ \"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[ \"10.0.0.0/28\"]}]} },\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"OFF\",\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`
	//
	// With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters. Note that `\"overrideExistingConfig\":boolean` in this example is a placeholder, not valid JSON — replace it with `true` or `false` .
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"],\"routeManagementConfig\":{\"allowCrossAZTrafficIfNoEndpoint\":true}},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . As above, `boolean` is a placeholder to replace with `true` or `false` . `allowCrossAZTrafficIfNoEndpoint` is `true` here, which by its name lets traffic leave its Availability Zone to reach an endpoint instead of being dropped — a deliberate availability-over-isolation choice.
	// - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model
	//
	// `"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`
	//
	// To use the centralized deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .
	// - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model
	//
	// `"{\"type\":\"THIRD_PARTY_FIREWALL\",\"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\",\"thirdPartyFirewallConfig\":{\"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{ \"availabilityZoneConfigList\":[ {\"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` . `${AvailabilityZone}` is a template placeholder; substitute a concrete Availability Zone name before use.
	// - Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions
	//
	// `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\", \"automaticResponseAction\":\"BLOCK|COUNT\"}, \"overrideCustomerWebaclClassic\":true|false}"`
	//
	// For example: `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED\", \"automaticResponseAction\":\"COUNT\"}}"`
	//
	// The default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` . The specification line above is a grammar (`A|B|C` means pick one), not literal JSON.
	//
	// For other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.
	// - Example: `WAFV2`
	//
	// `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`
	//
	// In the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` . The example above spells these `SingleHeader` and `Method` ; confirm the accepted spelling against the current AWS WAF API before relying on either. Redacting the `Cookies` header keeps session cookies out of the log destination and is worth preserving in any derived policy. Note that `defaultAction` is `ALLOW` , so only requests matched by a rule group are blocked, and each name in `excludeRules` ( `NoUserAgent_HEADER` here) is, by its name, a rule in the managed group that no longer enforces — every exclusion widens what reaches the origin.
	// - Example: `AWS WAF Classic`
	//
	// `"{\"type\": \"WAF\", \"ruleGroups\": [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", \"overrideAction\" : {\"type\": \"COUNT\"}}], \"defaultAction\": {\"type\": \"BLOCK\"}}"`
	//
	// Unlike the `WAFV2` example, this one uses a `BLOCK` default action with the rule group in `COUNT` override, i.e. deny-by-default while observing the rule group; pick the default action deliberately rather than copying whichever example is closest.
	// - Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning
	//
	// `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`
	//
	// To use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group. Pinning a version gives reproducible behaviour, but it also means vendor rule updates are not picked up until `version` is bumped by hand.
	// - Example: `SECURITY_GROUPS_COMMON`
	//
	// `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"`
	//
	// All three enforcement switches are `false` in this example, so (as their names suggest) the policy only replicates the listed security group. Set `revertManualSecurityGroupChanges` to `true` if out-of-band edits to the replicated group in member accounts should be reverted; confirm the exact semantics in the AWS Firewall Manager documentation.
	// - Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns
	//
	// `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":true,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"`
	// - Example: `SECURITY_GROUPS_CONTENT_AUDIT`
	//
	// `"{\"type\":\"SECURITY_GROUPS_CONTENT_AUDIT\",\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}],\"securityGroupAction\":{\"type\":\"ALLOW\"}}"`
	//
	// The security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
	// - Example: `SECURITY_GROUPS_USAGE_AUDIT`
	//
	// `"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true}"`
	//
	// `deleteUnusedSecurityGroups` and `coalesceRedundantSecurityGroups` are, by their names, remediations that delete or merge security groups in member accounts rather than merely report on them; review the audit findings before enabling either in production.
	ManagedServiceData *string `pulumi:"managedServiceData"`
	// Contains the settings to configure a network ACL policy, an AWS Network Firewall firewall policy deployment model, or a third-party firewall policy.
	PolicyOption *PolicyOption `pulumi:"policyOption"`
	// The service that the policy is using to protect the resources. This specifies the type of policy that is created; the full set of accepted values is the `PolicyType` constant set, which covers more than the AWS WAF, Shield Advanced and security group policies named in older descriptions. The inner `type` of `ManagedServiceData` presumably has to agree with this value — the SDK does not cross-check them. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .
	Type PolicyType `pulumi:"type"`
}

Firewall security service policy data.

type PolicySecurityServicePolicyDataArgs added in v0.21.0

type PolicySecurityServicePolicyDataArgs struct {
	// Details about the service that are specific to the service type, in JSON format.
	//
	// The value is a JSON document serialized into one string, which is why every quote in the examples below is escaped. This struct carries it as an opaque string input: nothing here parses it, checks that its inner `type` agrees with the `Type` field, or validates the embedded ARNs, account IDs, CIDRs and security group IDs. That validation happens server-side when the policy is created, so a malformed document surfaces as a deployment failure rather than a compile error. Treat the examples as templates: account IDs, ARNs, bucket names and resource IDs are placeholders, and `boolean` and `${AvailabilityZone}` are literal placeholders that must be replaced before use.
	//
	// - Example: `DNS_FIREWALL`
	//
	// `"{\"type\":\"DNS_FIREWALL\",\"preProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-1\",\"priority\":10}],\"postProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-2\",\"priority\":9911}]}"`
	//
	// > Valid values for `preProcessRuleGroups` are between 1 and 99. Valid values for `postProcessRuleGroups` are between 9901 and 10000.
	// - Example: `NETWORK_FIREWALL` - Centralized deployment model
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`
	//
	// This example uses the centralized deployment model, so [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) must be `CENTRALIZED` ; the distributed examples below require `DISTRIBUTED` . The logging configuration sets `overrideExistingConfig` to `true` , which by its name replaces any logging configuration already present on the managed firewalls — confirm against the AWS docs before relying on it.
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"OFF\"},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`
	//
	// With automatic Availability Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"]},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\": \"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . `routeManagementAction` is `MONITOR` in this example, which presumably reports route problems rather than correcting them; check the AWS docs for the remediating value before changing it.
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\", \"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{ \"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[ \"10.0.0.0/28\"]}]} },\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"OFF\",\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`
	//
	// With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters. Note that `\"overrideExistingConfig\":boolean` in this example is a placeholder, not valid JSON — replace it with `true` or `false` .
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` .
	// - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management
	//
	// `"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"],\"routeManagementConfig\":{\"allowCrossAZTrafficIfNoEndpoint\":true}},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . As above, `boolean` is a placeholder to replace with `true` or `false` . `allowCrossAZTrafficIfNoEndpoint` is `true` here, which by its name lets traffic leave its Availability Zone to reach an endpoint instead of being dropped — a deliberate availability-over-isolation choice.
	// - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model
	//
	// `"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`
	//
	// To use the centralized deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` .
	// - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model
	//
	// `"{\"type\":\"THIRD_PARTY_FIREWALL\",\"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\",\"thirdPartyFirewallConfig\":{\"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{ \"availabilityZoneConfigList\":[ {\"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }"`
	//
	// To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` . `${AvailabilityZone}` is a template placeholder; substitute a concrete Availability Zone name before use.
	// - Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions
	//
	// `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\", \"automaticResponseAction\":\"BLOCK|COUNT\"}, \"overrideCustomerWebaclClassic\":true|false}"`
	//
	// For example: `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED\", \"automaticResponseAction\":\"COUNT\"}}"`
	//
	// The default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` . The specification line above is a grammar (`A|B|C` means pick one), not literal JSON.
	//
	// For other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string.
	// - Example: `WAFV2`
	//
	// `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`
	//
	// In the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` . The example above spells these `SingleHeader` and `Method` ; confirm the accepted spelling against the current AWS WAF API before relying on either. Redacting the `Cookies` header keeps session cookies out of the log destination and is worth preserving in any derived policy. Note that `defaultAction` is `ALLOW` , so only requests matched by a rule group are blocked, and each name in `excludeRules` ( `NoUserAgent_HEADER` here) is, by its name, a rule in the managed group that no longer enforces — every exclusion widens what reaches the origin.
	// - Example: `AWS WAF Classic`
	//
	// `"{\"type\": \"WAF\", \"ruleGroups\": [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", \"overrideAction\" : {\"type\": \"COUNT\"}}], \"defaultAction\": {\"type\": \"BLOCK\"}}"`
	//
	// Unlike the `WAFV2` example, this one uses a `BLOCK` default action with the rule group in `COUNT` override, i.e. deny-by-default while observing the rule group; pick the default action deliberately rather than copying whichever example is closest.
	// - Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning
	//
	// `"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`
	//
	// To use a specific version of a AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group. Pinning a version gives reproducible behaviour, but it also means vendor rule updates are not picked up until `version` is bumped by hand.
	// - Example: `SECURITY_GROUPS_COMMON`
	//
	// `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"`
	//
	// All three enforcement switches are `false` in this example, so (as their names suggest) the policy only replicates the listed security group. Set `revertManualSecurityGroupChanges` to `true` if out-of-band edits to the replicated group in member accounts should be reverted; confirm the exact semantics in the AWS Firewall Manager documentation.
	// - Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns
	//
	// `"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":true,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"`
	// - Example: `SECURITY_GROUPS_CONTENT_AUDIT`
	//
	// `"{\"type\":\"SECURITY_GROUPS_CONTENT_AUDIT\",\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}],\"securityGroupAction\":{\"type\":\"ALLOW\"}}"`
	//
	// The security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group.
	// - Example: `SECURITY_GROUPS_USAGE_AUDIT`
	//
	// `"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true}"`
	//
	// `deleteUnusedSecurityGroups` and `coalesceRedundantSecurityGroups` are, by their names, remediations that delete or merge security groups in member accounts rather than merely report on them; review the audit findings before enabling either in production.
	ManagedServiceData pulumi.StringPtrInput `pulumi:"managedServiceData"`
	// Contains the settings to configure a network ACL policy, an AWS Network Firewall firewall policy deployment model, or a third-party firewall policy.
	PolicyOption PolicyOptionPtrInput `pulumi:"policyOption"`
	// The service that the policy is using to protect the resources. This specifies the type of policy that is created; the full set of accepted values is the `PolicyType` constant set, which covers more than the AWS WAF, Shield Advanced and security group policies named in older descriptions. The inner `type` of `ManagedServiceData` presumably has to agree with this value — the SDK does not cross-check them. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support .
	Type PolicyTypeInput `pulumi:"type"`
}

Firewall security service policy data.

func (PolicySecurityServicePolicyDataArgs) ElementType added in v0.21.0

func (PolicySecurityServicePolicyDataArgs) ToPolicySecurityServicePolicyDataOutput added in v0.21.0

func (i PolicySecurityServicePolicyDataArgs) ToPolicySecurityServicePolicyDataOutput() PolicySecurityServicePolicyDataOutput

func (PolicySecurityServicePolicyDataArgs) ToPolicySecurityServicePolicyDataOutputWithContext added in v0.21.0

func (i PolicySecurityServicePolicyDataArgs) ToPolicySecurityServicePolicyDataOutputWithContext(ctx context.Context) PolicySecurityServicePolicyDataOutput

type PolicySecurityServicePolicyDataInput added in v0.21.0

// PolicySecurityServicePolicyDataInput is the Pulumi input interface for a
// firewall security service policy. Both PolicySecurityServicePolicyDataArgs
// and PolicySecurityServicePolicyDataOutput satisfy it; callers that need a
// concrete value construct PolicySecurityServicePolicyDataArgs{...}.
type PolicySecurityServicePolicyDataInput interface {
	// ToPolicySecurityServicePolicyDataOutputWithContext resolves the input
	// into an output using the supplied context.
	ToPolicySecurityServicePolicyDataOutputWithContext(context.Context) PolicySecurityServicePolicyDataOutput
	// ToPolicySecurityServicePolicyDataOutput resolves the input into an output.
	ToPolicySecurityServicePolicyDataOutput() PolicySecurityServicePolicyDataOutput

	pulumi.Input
}

PolicySecurityServicePolicyDataInput is an input type that accepts PolicySecurityServicePolicyDataArgs and PolicySecurityServicePolicyDataOutput values. You can construct a concrete instance of `PolicySecurityServicePolicyDataInput` via:

PolicySecurityServicePolicyDataArgs{...}

type PolicySecurityServicePolicyDataOutput added in v0.21.0

// PolicySecurityServicePolicyDataOutput is the Pulumi output wrapper for a
// firewall security service policy; its accessors (ManagedServiceData,
// PolicyOption, Type) expose the resolved fields.
type PolicySecurityServicePolicyDataOutput struct{ *pulumi.OutputState }

Firewall security service policy data.

func (PolicySecurityServicePolicyDataOutput) ElementType added in v0.21.0

func (PolicySecurityServicePolicyDataOutput) ManagedServiceData added in v0.21.0

Details about the service that are specific to the service type, in JSON format.

- Example: `DNS_FIREWALL`

`"{\"type\":\"DNS_FIREWALL\",\"preProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-1\",\"priority\":10}],\"postProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-2\",\"priority\":9911}]}"`

> Valid `priority` values for `preProcessRuleGroups` are between 1 and 99. Valid `priority` values for `postProcessRuleGroups` are between 9901 and 10000. - Example: `NETWORK_FIREWALL` - Centralized deployment model

`"{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"OFF\"},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`

With automatic Availability Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"]},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\": \"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\", \"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{ \"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[ \"10.0.0.0/28\"]}]} },\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"OFF\",\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`

With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters. In the custom Availability Zone examples, `\"overrideExistingConfig\":boolean` is a placeholder, not valid JSON; supply `true` or `false` (where `true` overrides a logging configuration already present on the firewall).

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"],\"routeManagementConfig\":{\"allowCrossAZTrafficIfNoEndpoint\":true}},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model

`"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`

To use the centralized deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` . - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model

`"{\"type\":\"THIRD_PARTY_FIREWALL\",\"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\",\"thirdPartyFirewallConfig\":{\"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{ \"availabilityZoneConfigList\":[ {\"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` . - Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions

`"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\", \"automaticResponseAction\":\"BLOCK|COUNT\"}, \"overrideCustomerWebaclClassic\":true|false}"`

For example: `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED\", \"automaticResponseAction\":\"COUNT\"}}"`

The default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .

For other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string. - Example: `WAFV2`

`"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`

In the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` . Note that the example above uses `SingleHeader` and `Method` as `redactedFieldType` values, which does not match this list; confirm the accepted spelling against the current AWS WAF documentation before relying on redaction to keep sensitive headers such as cookies out of the logs. - Example: `AWS WAF Classic`

`"{\"type\": \"WAF\", \"ruleGroups\": [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", \"overrideAction\" : {\"type\": \"COUNT\"}}], \"defaultAction\": {\"type\": \"BLOCK\"}}"` - Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning

`"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`

To use a specific version of an AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group. Because a pinned version stays fixed while the default version moves, plan to review and bump pinned versions periodically. - Example: `SECURITY_GROUPS_COMMON`

`"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"` (With `revertManualSecurityGroupChanges` set to `false`, as here, Firewall Manager does not undo manual edits made to the managed security groups; set it to `true` if the policy's rules are meant to be enforced.) - Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns

`"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":true,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"` - Example: `SECURITY_GROUPS_CONTENT_AUDIT`

`"{\"type\":\"SECURITY_GROUPS_CONTENT_AUDIT\",\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}],\"securityGroupAction\":{\"type\":\"ALLOW\"}}"`

The security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group. - Example: `SECURITY_GROUPS_USAGE_AUDIT`

`"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true}"`

`deleteUnusedSecurityGroups` and `coalesceRedundantSecurityGroups` go beyond reporting: they authorize Firewall Manager to delete or merge security groups it judges unused or redundant, so enable them deliberately.

func (PolicySecurityServicePolicyDataOutput) PolicyOption added in v0.21.0

Contains the settings to configure a network ACL policy, an AWS Network Firewall firewall policy deployment model, or a third-party firewall policy.

func (PolicySecurityServicePolicyDataOutput) ToPolicySecurityServicePolicyDataOutput added in v0.21.0

func (o PolicySecurityServicePolicyDataOutput) ToPolicySecurityServicePolicyDataOutput() PolicySecurityServicePolicyDataOutput

func (PolicySecurityServicePolicyDataOutput) ToPolicySecurityServicePolicyDataOutputWithContext added in v0.21.0

func (o PolicySecurityServicePolicyDataOutput) ToPolicySecurityServicePolicyDataOutputWithContext(ctx context.Context) PolicySecurityServicePolicyDataOutput

func (PolicySecurityServicePolicyDataOutput) Type added in v0.21.0

The service that the policy uses to protect the resources. This specifies the type of policy that is created, such as an AWS WAF policy, a Shield Advanced policy, a security group policy, or a Network Firewall policy. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support.

type PolicySecurityServicePolicyDataPtrOutput added in v0.21.0

// PolicySecurityServicePolicyDataPtrOutput is the optional (pointer) output
// wrapper for a firewall security service policy; Elem unwraps it to a
// PolicySecurityServicePolicyDataOutput and the same accessors
// (ManagedServiceData, PolicyOption, Type) are available directly.
type PolicySecurityServicePolicyDataPtrOutput struct{ *pulumi.OutputState }

func (PolicySecurityServicePolicyDataPtrOutput) Elem added in v0.21.0

func (PolicySecurityServicePolicyDataPtrOutput) ElementType added in v0.21.0

func (PolicySecurityServicePolicyDataPtrOutput) ManagedServiceData added in v0.21.0

Details about the service that are specific to the service type, in JSON format.

- Example: `DNS_FIREWALL`

`"{\"type\":\"DNS_FIREWALL\",\"preProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-1\",\"priority\":10}],\"postProcessRuleGroups\":[{\"ruleGroupId\":\"rslvr-frg-2\",\"priority\":9911}]}"`

> Valid `priority` values for `preProcessRuleGroups` are between 1 and 99. Valid `priority` values for `postProcessRuleGroups` are between 9901 and 10000. - Example: `NETWORK_FIREWALL` - Centralized deployment model

`"{\"type\":\"NETWORK_FIREWALL\",\"awsNetworkFirewallConfig\":{\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}},\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"OFF\"},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`

With automatic Availability Zone configuration, Firewall Manager chooses which Availability Zones to create the endpoints in. To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with automatic Availability Zone configuration and route management

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":[\"10.0.0.0/28\",\"192.168.0.0/28\"],\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"]},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\": \"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":true}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\", \"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{ \"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[ \"10.0.0.0/28\"]}]} },\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"OFF\",\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`

With custom Availability Zone configuration, you define which specific Availability Zones to create endpoints in by configuring `firewallCreationConfig` . To configure the Availability Zones in `firewallCreationConfig` , specify either the `availabilityZoneName` or `availabilityZoneId` parameter, not both parameters. In the custom Availability Zone examples, `\"overrideExistingConfig\":boolean` is a placeholder, not valid JSON; supply `true` or `false` (where `true` overrides a logging configuration already present on the firewall).

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `NETWORK_FIREWALL` - Distributed deployment model with custom Availability Zone configuration and route management

`"{\"type\":\"NETWORK_FIREWALL\",\"networkFirewallStatelessRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test\",\"priority\":1}],\"networkFirewallStatelessDefaultActions\":[\"aws:forward_to_sfe\",\"customActionName\"],\"networkFirewallStatelessFragmentDefaultActions\":[\"aws:forward_to_sfe\",\"fragmentcustomactionname\"],\"networkFirewallStatelessCustomActions\":[{\"actionName\":\"customActionName\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"metricdimensionvalue\"}]}}},{\"actionName\":\"fragmentcustomactionname\",\"actionDefinition\":{\"publishMetricAction\":{\"dimensions\":[{\"value\":\"fragmentmetricdimensionvalue\"}]}}}],\"networkFirewallStatefulRuleGroupReferences\":[{\"resourceARN\":\"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test\"}],\"networkFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]},{\"availabilityZoneName\":\"us-east-1b\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"singleFirewallEndpointPerVPC\":false,\"allowedIPV4CidrList\":null,\"routeManagementAction\":\"MONITOR\",\"routeManagementTargetTypes\":[\"InternetGateway\"],\"routeManagementConfig\":{\"allowCrossAZTrafficIfNoEndpoint\":true}},\"networkFirewallLoggingConfiguration\":{\"logDestinationConfigs\":[{\"logDestinationType\":\"S3\",\"logType\":\"ALERT\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}},{\"logDestinationType\":\"S3\",\"logType\":\"FLOW\",\"logDestination\":{\"bucketName\":\"s3-bucket-name\"}}],\"overrideExistingConfig\":boolean}}"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-networkfirewallpolicy.html) to `DISTRIBUTED` . - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall centralized deployment model

`"{ \"type\":\"THIRD_PARTY_FIREWALL\", \"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\", \"thirdPartyFirewallConfig\":{ \"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{\"centralizedFirewallDeploymentModel\":{\"centralizedFirewallOrchestrationConfig\":{\"inspectionVpcIds\":[{\"resourceId\":\"vpc-1234\",\"accountId\":\"123456789011\"}],\"firewallCreationConfig\":{\"endpointLocation\":{\"availabilityZoneConfigList\":[{\"availabilityZoneId\":null,\"availabilityZoneName\":\"us-east-1a\",\"allowedIPV4CidrList\":[\"10.0.0.0/28\"]}]}},\"allowedIPV4CidrList\":[]}}}}"`

To use the centralized deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `CENTRALIZED` . - Example: `THIRD_PARTY_FIREWALL` - Palo Alto Networks Cloud Next-Generation Firewall distributed deployment model

`"{\"type\":\"THIRD_PARTY_FIREWALL\",\"thirdPartyFirewall\":\"PALO_ALTO_NETWORKS_CLOUD_NGFW\",\"thirdPartyFirewallConfig\":{\"thirdPartyFirewallPolicyList\":[\"global-1\"] },\"firewallDeploymentModel\":{ \"distributedFirewallDeploymentModel\":{ \"distributedFirewallOrchestrationConfig\":{\"firewallCreationConfig\":{\"endpointLocation\":{ \"availabilityZoneConfigList\":[ {\"availabilityZoneName\":\"${AvailabilityZone}\" } ] } }, \"allowedIPV4CidrList\":[ ] } } } }"`

To use the distributed deployment model, you must set [FirewallDeploymentModel](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-fms-policy-thirdpartyfirewallpolicy.html) to `DISTRIBUTED` . - Specification for `SHIELD_ADVANCED` for Amazon CloudFront distributions

`"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\", \"automaticResponseAction\":\"BLOCK|COUNT\"}, \"overrideCustomerWebaclClassic\":true|false}"`

For example: `"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\": {\"automaticResponseStatus\":\"ENABLED\", \"automaticResponseAction\":\"COUNT\"}}"`

The default value for `automaticResponseStatus` is `IGNORED` . The value for `automaticResponseAction` is only required when `automaticResponseStatus` is set to `ENABLED` . The default value for `overrideCustomerWebaclClassic` is `false` .

For other resource types that you can protect with a Shield Advanced policy, this `ManagedServiceData` configuration is an empty string. - Example: `WAFV2`

`"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`

In the `loggingConfiguration` , you can specify one `logDestinationConfigs` , you can optionally provide up to 20 `redactedFields` , and the `RedactedFieldType` must be one of `URI` , `QUERY_STRING` , `HEADER` , or `METHOD` . Note that the example above uses `SingleHeader` and `Method` as `redactedFieldType` values, which does not match this list; confirm the accepted spelling against the current AWS WAF documentation before relying on redaction to keep sensitive headers such as cookies out of the logs. - Example: `AWS WAF Classic`

`"{\"type\": \"WAF\", \"ruleGroups\": [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", \"overrideAction\" : {\"type\": \"COUNT\"}}], \"defaultAction\": {\"type\": \"BLOCK\"}}"` - Example: `WAFV2` - AWS Firewall Manager support for AWS WAF managed rule group versioning

`"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"`

To use a specific version of an AWS WAF managed rule group in your Firewall Manager policy, you must set `versionEnabled` to `true` , and set `version` to the version you'd like to use. If you don't set `versionEnabled` to `true` , or if you omit `versionEnabled` , then Firewall Manager uses the default version of the AWS WAF managed rule group. Because a pinned version stays fixed while the default version moves, plan to review and bump pinned versions periodically. - Example: `SECURITY_GROUPS_COMMON`

`"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"` (With `revertManualSecurityGroupChanges` set to `false`, as here, Firewall Manager does not undo manual edits made to the managed security groups; set it to `true` if the policy's rules are meant to be enforced.) - Example: Shared VPCs. Apply the preceding policy to resources in shared VPCs as well as to those in VPCs that the account owns

`"{\"type\":\"SECURITY_GROUPS_COMMON\",\"revertManualSecurityGroupChanges\":false,\"exclusiveResourceSecurityGroupManagement\":false, \"applyToAllEC2InstanceENIs\":false,\"includeSharedVPC\":true,\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}]}"` - Example: `SECURITY_GROUPS_CONTENT_AUDIT`

`"{\"type\":\"SECURITY_GROUPS_CONTENT_AUDIT\",\"securityGroups\":[{\"id\":\"sg-000e55995d61a06bd\"}],\"securityGroupAction\":{\"type\":\"ALLOW\"}}"`

The security group action for content audit can be `ALLOW` or `DENY` . For `ALLOW` , all in-scope security group rules must be within the allowed range of the policy's security group rules. For `DENY` , all in-scope security group rules must not contain a value or a range that matches a rule value or range in the policy security group. - Example: `SECURITY_GROUPS_USAGE_AUDIT`

`"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true}"`

`deleteUnusedSecurityGroups` and `coalesceRedundantSecurityGroups` go beyond reporting: they authorize Firewall Manager to delete or merge security groups it judges unused or redundant, so enable them deliberately.

func (PolicySecurityServicePolicyDataPtrOutput) PolicyOption added in v0.21.0

Contains the settings to configure a network ACL policy, an AWS Network Firewall firewall policy deployment model, or a third-party firewall policy.

func (PolicySecurityServicePolicyDataPtrOutput) ToPolicySecurityServicePolicyDataPtrOutput added in v0.21.0

func (o PolicySecurityServicePolicyDataPtrOutput) ToPolicySecurityServicePolicyDataPtrOutput() PolicySecurityServicePolicyDataPtrOutput

func (PolicySecurityServicePolicyDataPtrOutput) ToPolicySecurityServicePolicyDataPtrOutputWithContext added in v0.21.0

func (o PolicySecurityServicePolicyDataPtrOutput) ToPolicySecurityServicePolicyDataPtrOutputWithContext(ctx context.Context) PolicySecurityServicePolicyDataPtrOutput

func (PolicySecurityServicePolicyDataPtrOutput) Type added in v0.21.0

The service that the policy is using to protect the resources. This specifies the type of policy that is created: an AWS WAF policy, a Shield Advanced policy, or a security group policy. For security group policies, Firewall Manager supports one security group for each common policy and for each content audit policy. This is an adjustable limit that you can increase by contacting AWS Support.

type PolicyState

// PolicyState holds the state properties used to look up an existing Policy
// resource. It currently declares no fields. By analogy with ResourceSetState
// (passed as the state argument of GetResourceSet), it is presumably the state
// argument of the Policy lookup constructor — NOTE(review): confirm against the
// Policy constructors, which are outside this view.
type PolicyState struct {
}

func (PolicyState) ElementType

func (PolicyState) ElementType() reflect.Type

type PolicyTag added in v0.2.0

// PolicyTag is one key:value tag attached to a Firewall Manager policy.
type PolicyTag struct {
	// Key is the key part of the key:value pair that defines a tag. Use it to describe a category of information, such as "customer". Tag keys are case-sensitive.
	Key string `pulumi:"key"`
	// Value is the value part of the key:value pair that defines a tag. Use it to describe a specific value within a category, such as "companyA" or "companyB". Tag values are case-sensitive.
	Value string `pulumi:"value"`
}

A policy tag.

type PolicyThirdPartyFirewallPolicy added in v0.21.0

// PolicyThirdPartyFirewallPolicy configures a third-party firewall policy.
type PolicyThirdPartyFirewallPolicy struct {
	// FirewallDeploymentModel selects the deployment model for the third-party firewall policy:
	// PolicyFirewallDeploymentModelDistributed ("DISTRIBUTED") or PolicyFirewallDeploymentModelCentralized ("CENTRALIZED").
	FirewallDeploymentModel PolicyFirewallDeploymentModel `pulumi:"firewallDeploymentModel"`
}

Third party firewall policy.

type PolicyThirdPartyFirewallPolicyArgs added in v0.21.0

// PolicyThirdPartyFirewallPolicyArgs is the Pulumi input counterpart of
// PolicyThirdPartyFirewallPolicy; it satisfies PolicyThirdPartyFirewallPolicyInput
// and PolicyThirdPartyFirewallPolicyPtrInput.
type PolicyThirdPartyFirewallPolicyArgs struct {
	// FirewallDeploymentModel selects the deployment model for the third-party firewall policy
	// ("DISTRIBUTED" or "CENTRALIZED"), given as a PolicyFirewallDeploymentModelInput.
	FirewallDeploymentModel PolicyFirewallDeploymentModelInput `pulumi:"firewallDeploymentModel"`
}

Third party firewall policy.

func (PolicyThirdPartyFirewallPolicyArgs) ElementType added in v0.21.0

func (PolicyThirdPartyFirewallPolicyArgs) ToPolicyThirdPartyFirewallPolicyOutput added in v0.21.0

func (i PolicyThirdPartyFirewallPolicyArgs) ToPolicyThirdPartyFirewallPolicyOutput() PolicyThirdPartyFirewallPolicyOutput

func (PolicyThirdPartyFirewallPolicyArgs) ToPolicyThirdPartyFirewallPolicyOutputWithContext added in v0.21.0

func (i PolicyThirdPartyFirewallPolicyArgs) ToPolicyThirdPartyFirewallPolicyOutputWithContext(ctx context.Context) PolicyThirdPartyFirewallPolicyOutput

func (PolicyThirdPartyFirewallPolicyArgs) ToPolicyThirdPartyFirewallPolicyPtrOutput added in v0.21.0

func (i PolicyThirdPartyFirewallPolicyArgs) ToPolicyThirdPartyFirewallPolicyPtrOutput() PolicyThirdPartyFirewallPolicyPtrOutput

func (PolicyThirdPartyFirewallPolicyArgs) ToPolicyThirdPartyFirewallPolicyPtrOutputWithContext added in v0.21.0

func (i PolicyThirdPartyFirewallPolicyArgs) ToPolicyThirdPartyFirewallPolicyPtrOutputWithContext(ctx context.Context) PolicyThirdPartyFirewallPolicyPtrOutput

type PolicyThirdPartyFirewallPolicyInput added in v0.21.0

// PolicyThirdPartyFirewallPolicyInput is an input type that accepts
// PolicyThirdPartyFirewallPolicyArgs and PolicyThirdPartyFirewallPolicyOutput values.
// A concrete instance is constructed via PolicyThirdPartyFirewallPolicyArgs{...}.
type PolicyThirdPartyFirewallPolicyInput interface {
	pulumi.Input

	// ToPolicyThirdPartyFirewallPolicyOutput converts the input to its Output form.
	ToPolicyThirdPartyFirewallPolicyOutput() PolicyThirdPartyFirewallPolicyOutput
	// ToPolicyThirdPartyFirewallPolicyOutputWithContext is the same conversion with an explicit context.
	ToPolicyThirdPartyFirewallPolicyOutputWithContext(context.Context) PolicyThirdPartyFirewallPolicyOutput
}

PolicyThirdPartyFirewallPolicyInput is an input type that accepts PolicyThirdPartyFirewallPolicyArgs and PolicyThirdPartyFirewallPolicyOutput values. You can construct a concrete instance of `PolicyThirdPartyFirewallPolicyInput` via:

PolicyThirdPartyFirewallPolicyArgs{...}

type PolicyThirdPartyFirewallPolicyOutput added in v0.21.0

// PolicyThirdPartyFirewallPolicyOutput is the Pulumi output form of a third-party
// firewall policy; its FirewallDeploymentModel accessor exposes the deployment model.
type PolicyThirdPartyFirewallPolicyOutput struct{ *pulumi.OutputState }

Third party firewall policy.

func (PolicyThirdPartyFirewallPolicyOutput) ElementType added in v0.21.0

func (PolicyThirdPartyFirewallPolicyOutput) FirewallDeploymentModel added in v0.21.0

Defines the deployment model to use for the third-party firewall policy.

func (PolicyThirdPartyFirewallPolicyOutput) ToPolicyThirdPartyFirewallPolicyOutput added in v0.21.0

func (o PolicyThirdPartyFirewallPolicyOutput) ToPolicyThirdPartyFirewallPolicyOutput() PolicyThirdPartyFirewallPolicyOutput

func (PolicyThirdPartyFirewallPolicyOutput) ToPolicyThirdPartyFirewallPolicyOutputWithContext added in v0.21.0

func (o PolicyThirdPartyFirewallPolicyOutput) ToPolicyThirdPartyFirewallPolicyOutputWithContext(ctx context.Context) PolicyThirdPartyFirewallPolicyOutput

func (PolicyThirdPartyFirewallPolicyOutput) ToPolicyThirdPartyFirewallPolicyPtrOutput added in v0.21.0

func (o PolicyThirdPartyFirewallPolicyOutput) ToPolicyThirdPartyFirewallPolicyPtrOutput() PolicyThirdPartyFirewallPolicyPtrOutput

func (PolicyThirdPartyFirewallPolicyOutput) ToPolicyThirdPartyFirewallPolicyPtrOutputWithContext added in v0.21.0

func (o PolicyThirdPartyFirewallPolicyOutput) ToPolicyThirdPartyFirewallPolicyPtrOutputWithContext(ctx context.Context) PolicyThirdPartyFirewallPolicyPtrOutput

type PolicyThirdPartyFirewallPolicyPtrInput added in v0.21.0

// PolicyThirdPartyFirewallPolicyPtrInput is an input type that accepts
// PolicyThirdPartyFirewallPolicyArgs, PolicyThirdPartyFirewallPolicyPtr and
// PolicyThirdPartyFirewallPolicyPtrOutput values. A concrete instance is constructed
// via PolicyThirdPartyFirewallPolicyArgs{...}, or nil for an absent value.
type PolicyThirdPartyFirewallPolicyPtrInput interface {
	pulumi.Input

	// ToPolicyThirdPartyFirewallPolicyPtrOutput converts the input to its pointer Output form.
	ToPolicyThirdPartyFirewallPolicyPtrOutput() PolicyThirdPartyFirewallPolicyPtrOutput
	// ToPolicyThirdPartyFirewallPolicyPtrOutputWithContext is the same conversion with an explicit context.
	ToPolicyThirdPartyFirewallPolicyPtrOutputWithContext(context.Context) PolicyThirdPartyFirewallPolicyPtrOutput
}

PolicyThirdPartyFirewallPolicyPtrInput is an input type that accepts PolicyThirdPartyFirewallPolicyArgs, PolicyThirdPartyFirewallPolicyPtr and PolicyThirdPartyFirewallPolicyPtrOutput values. You can construct a concrete instance of `PolicyThirdPartyFirewallPolicyPtrInput` via:

        PolicyThirdPartyFirewallPolicyArgs{...}

or:

        nil

type PolicyThirdPartyFirewallPolicyPtrOutput added in v0.21.0

// PolicyThirdPartyFirewallPolicyPtrOutput is the pointer (optional) Output form of a
// third-party firewall policy. Elem unwraps it to PolicyThirdPartyFirewallPolicyOutput,
// and FirewallDeploymentModel exposes the deployment model.
type PolicyThirdPartyFirewallPolicyPtrOutput struct{ *pulumi.OutputState }

func (PolicyThirdPartyFirewallPolicyPtrOutput) Elem added in v0.21.0

func (PolicyThirdPartyFirewallPolicyPtrOutput) ElementType added in v0.21.0

func (PolicyThirdPartyFirewallPolicyPtrOutput) FirewallDeploymentModel added in v0.21.0

Defines the deployment model to use for the third-party firewall policy.

func (PolicyThirdPartyFirewallPolicyPtrOutput) ToPolicyThirdPartyFirewallPolicyPtrOutput added in v0.21.0

func (o PolicyThirdPartyFirewallPolicyPtrOutput) ToPolicyThirdPartyFirewallPolicyPtrOutput() PolicyThirdPartyFirewallPolicyPtrOutput

func (PolicyThirdPartyFirewallPolicyPtrOutput) ToPolicyThirdPartyFirewallPolicyPtrOutputWithContext added in v0.21.0

func (o PolicyThirdPartyFirewallPolicyPtrOutput) ToPolicyThirdPartyFirewallPolicyPtrOutputWithContext(ctx context.Context) PolicyThirdPartyFirewallPolicyPtrOutput

type PolicyType added in v0.21.0

// PolicyType is the Firewall Manager policy type, i.e. the service the policy uses
// to protect resources. Valid values are the PolicyType* constants: WAF, WAFV2,
// SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT,
// SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, THIRD_PARTY_FIREWALL, DNS_FIREWALL,
// IMPORT_NETWORK_FIREWALL and NETWORK_ACL_COMMON.
type PolicyType string

Firewall policy type.

func (PolicyType) ElementType added in v0.21.0

func (PolicyType) ElementType() reflect.Type

func (PolicyType) ToPolicyTypeOutput added in v0.21.0

func (e PolicyType) ToPolicyTypeOutput() PolicyTypeOutput

func (PolicyType) ToPolicyTypeOutputWithContext added in v0.21.0

func (e PolicyType) ToPolicyTypeOutputWithContext(ctx context.Context) PolicyTypeOutput

func (PolicyType) ToPolicyTypePtrOutput added in v0.21.0

func (e PolicyType) ToPolicyTypePtrOutput() PolicyTypePtrOutput

func (PolicyType) ToPolicyTypePtrOutputWithContext added in v0.21.0

func (e PolicyType) ToPolicyTypePtrOutputWithContext(ctx context.Context) PolicyTypePtrOutput

func (PolicyType) ToStringOutput added in v0.21.0

func (e PolicyType) ToStringOutput() pulumi.StringOutput

func (PolicyType) ToStringOutputWithContext added in v0.21.0

func (e PolicyType) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput

func (PolicyType) ToStringPtrOutput added in v0.21.0

func (e PolicyType) ToStringPtrOutput() pulumi.StringPtrOutput

func (PolicyType) ToStringPtrOutputWithContext added in v0.21.0

func (e PolicyType) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput

type PolicyTypeInput added in v0.21.0

// PolicyTypeInput is an input type that accepts values of the PolicyType enum.
// A concrete instance is one of the PolicyType* constants (PolicyTypeWaf,
// PolicyTypeWafv2, PolicyTypeShieldAdvanced, PolicyTypeSecurityGroupsCommon,
// PolicyTypeSecurityGroupsContentAudit, PolicyTypeSecurityGroupsUsageAudit,
// PolicyTypeNetworkFirewall, PolicyTypeThirdPartyFirewall, PolicyTypeDnsFirewall,
// PolicyTypeImportNetworkFirewall, PolicyTypeNetworkAclCommon).
type PolicyTypeInput interface {
	pulumi.Input

	// ToPolicyTypeOutput converts the input to its Output form.
	ToPolicyTypeOutput() PolicyTypeOutput
	// ToPolicyTypeOutputWithContext is the same conversion with an explicit context.
	ToPolicyTypeOutputWithContext(context.Context) PolicyTypeOutput
}

PolicyTypeInput is an input type that accepts values of the PolicyType enum. A concrete instance of `PolicyTypeInput` can be one of the following:

PolicyTypeWaf
PolicyTypeWafv2
PolicyTypeShieldAdvanced
PolicyTypeSecurityGroupsCommon
PolicyTypeSecurityGroupsContentAudit
PolicyTypeSecurityGroupsUsageAudit
PolicyTypeNetworkFirewall
PolicyTypeThirdPartyFirewall
PolicyTypeDnsFirewall
PolicyTypeImportNetworkFirewall
PolicyTypeNetworkAclCommon

type PolicyTypeOutput added in v0.21.0

// PolicyTypeOutput is the Pulumi Output form of a PolicyType value. It converts to
// pulumi.StringOutput / pulumi.StringPtrOutput via the ToString* methods.
type PolicyTypeOutput struct{ *pulumi.OutputState }

func (PolicyTypeOutput) ElementType added in v0.21.0

func (PolicyTypeOutput) ElementType() reflect.Type

func (PolicyTypeOutput) ToPolicyTypeOutput added in v0.21.0

func (o PolicyTypeOutput) ToPolicyTypeOutput() PolicyTypeOutput

func (PolicyTypeOutput) ToPolicyTypeOutputWithContext added in v0.21.0

func (o PolicyTypeOutput) ToPolicyTypeOutputWithContext(ctx context.Context) PolicyTypeOutput

func (PolicyTypeOutput) ToPolicyTypePtrOutput added in v0.21.0

func (o PolicyTypeOutput) ToPolicyTypePtrOutput() PolicyTypePtrOutput

func (PolicyTypeOutput) ToPolicyTypePtrOutputWithContext added in v0.21.0

func (o PolicyTypeOutput) ToPolicyTypePtrOutputWithContext(ctx context.Context) PolicyTypePtrOutput

func (PolicyTypeOutput) ToStringOutput added in v0.21.0

func (o PolicyTypeOutput) ToStringOutput() pulumi.StringOutput

func (PolicyTypeOutput) ToStringOutputWithContext added in v0.21.0

func (o PolicyTypeOutput) ToStringOutputWithContext(ctx context.Context) pulumi.StringOutput

func (PolicyTypeOutput) ToStringPtrOutput added in v0.21.0

func (o PolicyTypeOutput) ToStringPtrOutput() pulumi.StringPtrOutput

func (PolicyTypeOutput) ToStringPtrOutputWithContext added in v0.21.0

func (o PolicyTypeOutput) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput

type PolicyTypePtrInput added in v0.21.0

// PolicyTypePtrInput is the optional-value input type for PolicyType.
// PolicyTypePtr(v string) builds one from a plain string.
type PolicyTypePtrInput interface {
	pulumi.Input

	// ToPolicyTypePtrOutput converts the input to its pointer Output form.
	ToPolicyTypePtrOutput() PolicyTypePtrOutput
	// ToPolicyTypePtrOutputWithContext is the same conversion with an explicit context.
	ToPolicyTypePtrOutputWithContext(context.Context) PolicyTypePtrOutput
}

func PolicyTypePtr added in v0.21.0

func PolicyTypePtr(v string) PolicyTypePtrInput

type PolicyTypePtrOutput added in v0.21.0

// PolicyTypePtrOutput is the pointer (optional) Output form of a PolicyType value.
// Elem unwraps it to PolicyTypeOutput; ToStringPtrOutput converts it to pulumi.StringPtrOutput.
type PolicyTypePtrOutput struct{ *pulumi.OutputState }

func (PolicyTypePtrOutput) Elem added in v0.21.0

func (PolicyTypePtrOutput) ElementType added in v0.21.0

func (PolicyTypePtrOutput) ElementType() reflect.Type

func (PolicyTypePtrOutput) ToPolicyTypePtrOutput added in v0.21.0

func (o PolicyTypePtrOutput) ToPolicyTypePtrOutput() PolicyTypePtrOutput

func (PolicyTypePtrOutput) ToPolicyTypePtrOutputWithContext added in v0.21.0

func (o PolicyTypePtrOutput) ToPolicyTypePtrOutputWithContext(ctx context.Context) PolicyTypePtrOutput

func (PolicyTypePtrOutput) ToStringPtrOutput added in v0.21.0

func (o PolicyTypePtrOutput) ToStringPtrOutput() pulumi.StringPtrOutput

func (PolicyTypePtrOutput) ToStringPtrOutputWithContext added in v0.21.0

func (o PolicyTypePtrOutput) ToStringPtrOutputWithContext(ctx context.Context) pulumi.StringPtrOutput

type ResourceSet added in v0.51.0

// ResourceSet is an AWS Firewall Manager resource set: a named group of resources
// that Firewall Manager policies can be scoped to. Create one with NewResourceSet
// and look up an existing one with GetResourceSet.
type ResourceSet struct {
	pulumi.CustomResourceState

	// AwsId is the unique identifier for the resource set. This ID is returned in the responses to create and list commands; you provide it to operations like update and delete.
	AwsId pulumi.StringOutput `pulumi:"awsId"`
	// Description is a free-text description of the resource set.
	Description pulumi.StringPtrOutput `pulumi:"description"`
	// Name is the descriptive name of the resource set. It can't be changed after creation (changing it presumably forces replacement — confirm with the provider).
	Name pulumi.StringOutput `pulumi:"name"`
	// ResourceTypeList determines the resources that can be associated with the resource set. Depending on your setting for max results and the number of resource sets, a single call might not return the full list.
	ResourceTypeList pulumi.StringArrayOutput `pulumi:"resourceTypeList"`
	// Resources lists the resources that belong to the set; the element format (ARN vs. ID) is not visible here — NOTE(review): confirm against the AWS FMS API.
	Resources pulumi.StringArrayOutput `pulumi:"resources"`
	// Tags are the tags applied to the resource set.
	Tags aws.TagArrayOutput `pulumi:"tags"`
}

Creates an AWS Firewall Manager resource set.

func GetResourceSet added in v0.51.0

func GetResourceSet(ctx *pulumi.Context,
	name string, id pulumi.IDInput, state *ResourceSetState, opts ...pulumi.ResourceOption) (*ResourceSet, error)

GetResourceSet gets an existing ResourceSet resource's state with the given name, ID, and optional state properties that are used to uniquely qualify the lookup (nil if not required).

func NewResourceSet added in v0.51.0

func NewResourceSet(ctx *pulumi.Context,
	name string, args *ResourceSetArgs, opts ...pulumi.ResourceOption) (*ResourceSet, error)

NewResourceSet registers a new resource with the given unique name, arguments, and options.

func (*ResourceSet) ElementType added in v0.51.0

func (*ResourceSet) ElementType() reflect.Type

func (*ResourceSet) ToResourceSetOutput added in v0.51.0

func (i *ResourceSet) ToResourceSetOutput() ResourceSetOutput

func (*ResourceSet) ToResourceSetOutputWithContext added in v0.51.0

func (i *ResourceSet) ToResourceSetOutputWithContext(ctx context.Context) ResourceSetOutput

type ResourceSetArgs added in v0.51.0

// ResourceSetArgs is the set of arguments for constructing a ResourceSet resource
// with NewResourceSet.
type ResourceSetArgs struct {
	// Description is a free-text description of the resource set.
	Description pulumi.StringPtrInput
	// Name is the descriptive name of the resource set. It is optional here; when omitted, Pulumi presumably auto-names the resource — confirm. It can't be changed after creation.
	Name pulumi.StringPtrInput
	// ResourceTypeList determines the resources that can be associated with the resource set. Depending on your setting for max results and the number of resource sets, a single call might not return the full list.
	ResourceTypeList pulumi.StringArrayInput
	// Resources lists the resources to place in the set; the element format (ARN vs. ID) is not visible here — NOTE(review): confirm against the AWS FMS API.
	Resources pulumi.StringArrayInput
	// Tags are the tags to apply to the resource set.
	Tags aws.TagArrayInput
}

The set of arguments for constructing a ResourceSet resource.

func (ResourceSetArgs) ElementType added in v0.51.0

func (ResourceSetArgs) ElementType() reflect.Type

type ResourceSetInput added in v0.51.0

// ResourceSetInput is an input type that accepts *ResourceSet and ResourceSetOutput
// values (both implement the To* methods below).
type ResourceSetInput interface {
	pulumi.Input

	// ToResourceSetOutput converts the input to its Output form.
	ToResourceSetOutput() ResourceSetOutput
	// ToResourceSetOutputWithContext is the same conversion with an explicit context.
	ToResourceSetOutputWithContext(ctx context.Context) ResourceSetOutput
}

type ResourceSetOutput added in v0.51.0

// ResourceSetOutput is the Pulumi Output form of a ResourceSet. Its accessors
// (AwsId, Description, Name, ResourceTypeList, Resources, Tags) expose the
// corresponding ResourceSet fields as Outputs.
type ResourceSetOutput struct{ *pulumi.OutputState }

func (ResourceSetOutput) AwsId added in v0.99.0

A unique identifier for the resource set. This ID is returned in the responses to create and list commands. You provide it to operations like update and delete.

func (ResourceSetOutput) Description added in v0.51.0

func (o ResourceSetOutput) Description() pulumi.StringPtrOutput

A description of the resource set.

func (ResourceSetOutput) ElementType added in v0.51.0

func (ResourceSetOutput) ElementType() reflect.Type

func (ResourceSetOutput) Name added in v0.51.0

The descriptive name of the resource set. You can't change the name of a resource set after you create it.

func (ResourceSetOutput) ResourceTypeList added in v0.51.0

func (o ResourceSetOutput) ResourceTypeList() pulumi.StringArrayOutput

Determines the resources that can be associated to the resource set. Depending on your setting for max results and the number of resource sets, a single call might not return the full list.

func (ResourceSetOutput) Resources added in v0.51.0

func (ResourceSetOutput) Tags added in v0.51.0

func (ResourceSetOutput) ToResourceSetOutput added in v0.51.0

func (o ResourceSetOutput) ToResourceSetOutput() ResourceSetOutput

func (ResourceSetOutput) ToResourceSetOutputWithContext added in v0.51.0

func (o ResourceSetOutput) ToResourceSetOutputWithContext(ctx context.Context) ResourceSetOutput

type ResourceSetState added in v0.51.0

// ResourceSetState holds the optional state properties passed to GetResourceSet to
// qualify the lookup of an existing ResourceSet. It currently declares no fields,
// so callers pass nil.
type ResourceSetState struct {
}

func (ResourceSetState) ElementType added in v0.51.0

func (ResourceSetState) ElementType() reflect.Type

type ResourceSetTag added in v0.51.0

// ResourceSetTag is one key:value tag attached to a resource set.
type ResourceSetTag struct {
	// Key is the key part of the key:value pair that defines a tag. Use it to describe a category of information, such as "customer". Tag keys are case-sensitive.
	Key string `pulumi:"key"`
	// Value is the value part of the key:value pair that defines a tag. Use it to describe a specific value within a category, such as "companyA" or "companyB". Tag values are case-sensitive.
	Value string `pulumi:"value"`
}

A tag.
