RuleGroupArgs

/**
 * Arguments for an AWS Network Firewall Rule Group resource.
 *
 * Either [ruleGroup] (a structured rule definition) or [rules] (Suricata flat-format rules, one
 * per line) must be supplied; each is required unless the other is set. [type] selects STATEFUL or
 * STATELESS, [capacity] bounds the operating resources the group may consume, and
 * [encryptionConfiguration] carries the KMS settings used for the rule group.
 */
data class RuleGroupArgs(val capacity: Output<Int>? = null, val description: Output<String>? = null, val encryptionConfiguration: Output<RuleGroupEncryptionConfigurationArgs>? = null, val name: Output<String>? = null, val ruleGroup: Output<RuleGroupRuleGroupArgs>? = null, val rules: Output<String>? = null, val tags: Output<Map<String, String>>? = null, val type: Output<String>? = null) : ConvertibleToJava<RuleGroupArgs>

Provides an AWS Network Firewall Rule Group Resource

Example Usage

Stateful Inspection for denying access to a domain

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines a stateful rule group that denies HTTP traffic whose Host header is test.example.com.
     *
     * @param ctx the Pulumi program context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        // Domain-list rule: DENYLIST drops traffic to the listed hosts. HTTP_HOST matches the Host
        // header of plaintext HTTP only; HTTPS would additionally need the TLS_SNI target type.
        var domainList = RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
            .generatedRulesType("DENYLIST")
            .targetTypes("HTTP_HOST")
            .targets("test.example.com")
            .build();
        var rulesSource = RuleGroupRuleGroupRulesSourceArgs.builder()
            .rulesSourceList(domainList)
            .build();
        var ruleGroupSpec = RuleGroupRuleGroupArgs.builder()
            .rulesSource(rulesSource)
            .build();
        var example = new RuleGroup("example", RuleGroupArgs.builder()
            .capacity(100)
            .ruleGroup(ruleGroupSpec)
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")))
            .type("STATEFUL")
            .build());
    }
}

Stateful Inspection for permitting packets from a source IP address

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
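public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines a stateful rule group that permits HTTP traffic from a fixed set of source addresses.
     *
     * @param ctx the Pulumi program context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        // Source CIDRs the rules are generated for. The original listing declared these with a bare
        // comma-separated initializer, which is not valid Java; List.of gives the intended immutable list.
        final List<String> ips = List.of(
            "1.1.1.1/32",
            "1.0.0.1/32");
        var example = new RuleGroup("example", RuleGroupArgs.builder()
            .capacity(50)
            .description("Permits http traffic from source")
            .type("STATEFUL")
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                    // NOTE(review): the example renderer failed here and "dynamic" is a Terraform
                    // construct with no counterpart on this builder, so the rule definition is missing
                    // from the page. The intent appears to be one stateful rule permitting HTTP per entry
                    // in ips — confirm against the upstream provider documentation. As shown, this line
                    // does not compile.
                    .dynamic(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                    .build())
                .build())
            .tags(Map.of("Name", "permit HTTP from source"))
            .build());
    }
}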

Stateful Inspection for blocking packets from going to an intended destination

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
/**
 * Defines a stateful rule group with an explicit stateful rule that blocks traffic to a destination.
 *
 * @param ctx the Pulumi program context supplied by {@link Pulumi#run}
 */
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
// NOTE(review): the example renderer failed here, so the statefulRule(...) argument is missing
// from the page; presumably an action, a header 5-tuple and rule options — take the rule body from
// the upstream provider documentation. As shown, this line does not compile.
.statefulRule(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.type("STATEFUL")
.build());
}
}

Stateful Inspection from rules specifications defined in Suricata flat format

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
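public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines a stateful rule group from a Suricata flat-format rule file.
     *
     * @param ctx the Pulumi program context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        // The rule file is the firewall policy itself: keep it under version control and review
        // changes to it like any other security-relevant change before deploying.
        final String suricataRules = readRules("example.rules");
        var example = new RuleGroup("example", RuleGroupArgs.builder()
            .capacity(100)
            .type("STATEFUL")
            .rules(suricataRules)
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")))
            .build());
    }

    /**
     * Reads a rule file, resolved against the working directory, into a string.
     *
     * <p>Pulumi.run takes the stack as a Consumer, which cannot declare checked exceptions, so the
     * original inline Files.readString call did not compile; the IOException is rethrown unchecked
     * with the offending path in the message.
     *
     * @param path path of the rule file
     * @return the file contents
     * @throws java.io.UncheckedIOException if the file cannot be read
     */
    private static String readRules(String path) {
        try {
            return Files.readString(Paths.get(path));
        } catch (java.io.IOException e) {
            throw new java.io.UncheckedIOException("cannot read rule file " + path, e);
        }
    }
}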

Stateful Inspection from rule group specifications using rule variables and Suricata format rules

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesPortSetArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
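public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Defines a stateful rule group whose Suricata rules reference named IP and port set variables.
     *
     * @param ctx the Pulumi program context supplied by {@link Pulumi#run}
     */
    public static void stack(Context ctx) {
        // Named sets the rule file can refer to (presumably as $WEBSERVERS_HOSTS, $EXTERNAL_HOST and
        // $HTTP_PORTS in Suricata syntax — confirm against the rule file).
        var webserverHosts = RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
            .key("WEBSERVERS_HOSTS")
            .ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
                .definitions(
                    "10.0.0.0/16",
                    "10.0.1.0/24",
                    "192.168.0.0/16")
                .build())
            .build();
        var externalHost = RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
            .key("EXTERNAL_HOST")
            .ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
                .definitions("1.2.3.4/32")
                .build())
            .build();
        var httpPorts = RuleGroupRuleGroupRuleVariablesPortSetArgs.builder()
            .key("HTTP_PORTS")
            .portSet(RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs.builder()
                .definitions(
                    "443",
                    "80")
                .build())
            .build();
        var ruleVariables = RuleGroupRuleGroupRuleVariablesArgs.builder()
            .ipSets(webserverHosts, externalHost)
            .portSets(httpPorts)
            .build();
        // The rule file is the firewall policy itself: keep it under version control and review
        // changes to it like any other security-relevant change before deploying.
        var rulesSource = RuleGroupRuleGroupRulesSourceArgs.builder()
            .rulesString(readRules("suricata_rules_file"))
            .build();
        var example = new RuleGroup("example", RuleGroupArgs.builder()
            .capacity(100)
            .type("STATEFUL")
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .ruleVariables(ruleVariables)
                .rulesSource(rulesSource)
                .build())
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")))
            .build());
    }

    /**
     * Reads a rule file, resolved against the working directory, into a string.
     *
     * <p>Pulumi.run takes the stack as a Consumer, which cannot declare checked exceptions, so the
     * original inline Files.readString call did not compile; the IOException is rethrown unchecked
     * with the offending path in the message.
     *
     * @param path path of the rule file
     * @return the file contents
     * @throws java.io.UncheckedIOException if the file cannot be read
     */
    private static String readRules(String path) {
        try {
            return Files.readString(Paths.get(path));
        } catch (java.io.IOException e) {
            throw new java.io.UncheckedIOException("cannot read rule file " + path, e);
        }
    }
}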

Stateless Inspection with a Custom Action

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
/**
 * Defines a stateless rule group that pairs stateless rules with a custom action.
 *
 * @param ctx the Pulumi program context supplied by {@link Pulumi#run}
 */
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.description("Stateless Rate Limiting Rule")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
.statelessRulesAndCustomActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs.builder()
// NOTE(review): the example renderer failed on the next two lines, so the customAction(...) and
// statelessRule(...) arguments are missing from the page; take them from the upstream provider
// documentation. As shown, these lines do not compile.
.customAction(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.statelessRule(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
.build())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.type("STATELESS")
.build());
}
}

IP Set References to the Rule Group

package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupReferenceSetsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
/**
 * Defines a stateful domain-list rule group that also references an external IP set.
 *
 * <p>NOTE(review): RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs and
 * RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs are used below but are absent
 * from this listing's import block; add them from the same inputs package as the other imports.
 *
 * @param ctx the Pulumi program context supplied by {@link Pulumi#run}
 */
public static void stack(Context ctx) {
var example = new RuleGroup("example", RuleGroupArgs.builder()
.capacity(100)
.type("STATEFUL")
.ruleGroup(RuleGroupRuleGroupArgs.builder()
.rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
// Domain-list rule: DENYLIST drops traffic to the listed hosts. HTTP_HOST matches the Host
// header of plaintext HTTP only; HTTPS would additionally need the TLS_SNI target type.
.rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
.generatedRulesType("DENYLIST")
.targetTypes("HTTP_HOST")
.targets("test.example.com")
.build())
.build())
.referenceSets(RuleGroupRuleGroupReferenceSetsArgs.builder()
.ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs.builder()
.key("example")
.ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs.builder()
// NOTE(review): "aws_ec2_managed_prefix_list.this().arn()" is an unconverted Terraform reference
// and does not compile; presumably it should be the arn() Output of a managed prefix list resource
// declared elsewhere in the program — confirm against the upstream provider documentation.
.referenceArn(aws_ec2_managed_prefix_list.this().arn())
.build())
.build())
.build())
.build())
.tags(Map.ofEntries(
Map.entry("Tag1", "Value1"),
Map.entry("Tag2", "Value2")
))
.build());
}
}

Import

Network Firewall Rule Groups can be imported using their ARN.

$ pulumi import aws:networkfirewall/ruleGroup:RuleGroup example arn:aws:network-firewall:us-west-1:123456789012:stateful-rulegroup/example

Constructors

constructor(capacity: Output<Int>? = null, description: Output<String>? = null, encryptionConfiguration: Output<RuleGroupEncryptionConfigurationArgs>? = null, name: Output<String>? = null, ruleGroup: Output<RuleGroupRuleGroupArgs>? = null, rules: Output<String>? = null, tags: Output<Map<String, String>>? = null, type: Output<String>? = null)

Properties

val capacity: Output<Int>? = null

The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.

val description: Output<String>? = null

A friendly description of the rule group.


KMS encryption configuration settings. See Encryption Configuration below for details.

val name: Output<String>? = null

A friendly name of the rule group.

val ruleGroup: Output<RuleGroupRuleGroupArgs>? = null

A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.

val rules: Output<String>? = null

The stateful rule group rules specifications in Suricata file format, with one rule per line. Use this to import your existing Suricata compatible rule groups. Required unless rule_group is specified.

val tags: Output<Map<String, String>>? = null

A map of key:value pairs to associate with the resource. If the provider is configured with a default_tags block, tags with matching keys overwrite those defined at the provider level.

val type: Output<String>? = null

Whether the rule group is stateless (containing stateless rules) or stateful (containing stateful rules). Valid values: STATEFUL or STATELESS.

Functions

open override fun toJava(): RuleGroupArgs