Policy Args
Provides a resource to create an AWS Firewall Manager policy. You need to be using AWS Organizations and have enabled the Firewall Manager administrator account.
Example Usage
package generated_program;

import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.wafregional.RuleGroup;
import com.pulumi.aws.wafregional.RuleGroupArgs;
import com.pulumi.aws.fms.Policy;
import com.pulumi.aws.fms.PolicyArgs;
import com.pulumi.aws.fms.inputs.PolicySecurityServicePolicyDataArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.Map;

public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Classic (regional) WAF rule group that the Firewall Manager policy will attach.
        var exampleRuleGroup = new RuleGroup("exampleRuleGroup", RuleGroupArgs.builder()
            .metricName("WAFRuleGroupExample")
            .build());

        var examplePolicy = new Policy("examplePolicy", PolicyArgs.builder()
            .excludeResourceTags(false)
            .remediationEnabled(false)
            .resourceType("AWS::ElasticLoadBalancingV2::LoadBalancer")
            .securityServicePolicyData(PolicySecurityServicePolicyDataArgs.builder()
                .type("WAF")
                // managedServiceData is a JSON string; it is built from the rule group's
                // id once that id is known, so the policy depends on the rule group.
                .managedServiceData(exampleRuleGroup.id().applyValue(id -> serializeJson(
                    jsonObject(
                        jsonProperty("type", "WAF"),
                        jsonProperty("ruleGroups", jsonArray(jsonObject(
                            jsonProperty("id", id),
                            jsonProperty("overrideAction", jsonObject(
                                jsonProperty("type", "COUNT")
                            ))
                        ))),
                        jsonProperty("defaultAction", jsonObject(
                            jsonProperty("type", "BLOCK")
                        )),
                        jsonProperty("overrideCustomerWebACLAssociation", false)
                    ))))
                .build())
            .tags(Map.of("Name", "example-fms-policy"))
            .build());
    }
}
Import
Firewall Manager policies can be imported using the policy ID, e.g.,
$ pulumi import aws:fms/policy:Policy example 5be49585-a7e3-4c49-dde1-a179fe4a619a
Constructors
Properties
deleteAllPolicyResources: If true, the delete request also performs a clean-up process that removes the resources Firewall Manager created for the policy. Defaults to true. See AWS Firewall Manager delete policy for details.
deleteUnusedFmManagedResources: If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to false. See AWS Firewall Manager policy contents for details.
description: The description of the AWS Network Firewall firewall policy.
excludeMap: A map of lists of accounts and OUs to exclude from the policy.
excludeResourceTags: A boolean value; if true, resources carrying the tags specified in resource_tags are not protected by this policy. If false and resource_tags is populated, only resources that carry those tags are protected by this policy.
includeMap: A map of lists of accounts and OUs to include in the policy.
remediationEnabled: A boolean value indicating whether the policy should be applied automatically to resources that already exist in the account.
resourceTags: A map of resource tags that, if present, filters which resources are protected, as controlled by exclude_resource_tags.
resourceType: A resource type to protect. Conflicts with resource_type_list. See the FMS API Reference for more information about supported values.
resourceTypeLists: A list of resource types to protect. Conflicts with resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported; use resource_type instead.
securityServicePolicyData: The objects to include in Security Service Policy Data. Documented below.
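The following is an added example, not from the Pulumi documentation or the provider itself, that exercises the scoping properties above together: includeMap and excludeMap, resourceTypeLists, resourceTags with excludeResourceTags, remediationEnabled and deleteUnusedFmManagedResources. It assumes the PolicyIncludeMapArgs and PolicyExcludeMapArgs input types with accounts/orgunits list fields; the OU ID, account ID, tag and metric name are constructed placeholders.

```java
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.wafregional.RuleGroup;
import com.pulumi.aws.wafregional.RuleGroupArgs;
import com.pulumi.aws.fms.Policy;
import com.pulumi.aws.fms.PolicyArgs;
import com.pulumi.aws.fms.inputs.PolicyIncludeMapArgs;
import com.pulumi.aws.fms.inputs.PolicyExcludeMapArgs;
import com.pulumi.aws.fms.inputs.PolicySecurityServicePolicyDataArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.Map;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // Classic WAF rule group the policy attaches; the metric name is a constructed placeholder.
        var ruleGroup = new RuleGroup("scopedRuleGroup", RuleGroupArgs.builder().metricName("WAFScopedRuleGroup").build());
        var scopedPolicy = new Policy("scopedPolicy", PolicyArgs.builder()
            // Scope: one workload OU is in, one audit account is left out (constructed IDs).
            .includeMap(PolicyIncludeMapArgs.builder()
                .orgunits(List.of("ou-example-workloads")).build())
            .excludeMap(PolicyExcludeMapArgs.builder()
                .accounts(List.of("111111111111")).build())
            // Two resource types, so resourceTypeLists is used rather than resourceType.
            .resourceTypeLists(List.of(
                "AWS::ElasticLoadBalancingV2::LoadBalancer",
                "AWS::ApiGateway::Stage"))
            // With excludeResourceTags(false) only resources carrying this tag are protected.
            .excludeResourceTags(false)
            .resourceTags(Map.of("fms-protect", "true"))
            // Apply to existing resources and drop protections when a resource leaves scope.
            .remediationEnabled(true)
            .deleteUnusedFmManagedResources(true)
            .securityServicePolicyData(PolicySecurityServicePolicyDataArgs.builder()
                .type("WAF")
                // overrideAction NONE enforces the rule group instead of only counting matches.
                .managedServiceData(ruleGroup.id().applyValue(id -> serializeJson(jsonObject(
                    jsonProperty("type", "WAF"),
                    jsonProperty("ruleGroups", jsonArray(jsonObject(
                        jsonProperty("id", id),
                        jsonProperty("overrideAction", jsonObject(jsonProperty("type", "NONE")))))),
                    jsonProperty("defaultAction", jsonObject(jsonProperty("type", "BLOCK"))),
                    jsonProperty("overrideCustomerWebACLAssociation", false)))))
                .build())
            .build());
    }
}
```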