Rule Group
Provides an AWS Network Firewall Rule Group resource. A rule group holds the stateful or stateless rules that a firewall policy references; the examples below show the main ways of supplying those rules.
Example Usage
Stateful Inspection for denying access to a domain
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
/**
 * Pulumi program: a STATEFUL Network Firewall rule group built from a
 * domain list that denies HTTP requests whose Host header is
 * test.example.com.
 */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi engine. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the rule group resource.
     *
     * @param ctx the Pulumi context of the stack being deployed
     */
    public static void stack(Context ctx) {
        // Domain-list source: DENYLIST generates rules that drop the listed targets.
        // NOTE(review): HTTP_HOST inspects the plaintext HTTP Host header only —
        // confirm whether TLS_SNI should also be listed so HTTPS connections to
        // the same domain are covered by this denial.
        var domainList = RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
            .generatedRulesType("DENYLIST")
            .targetTypes("HTTP_HOST")
            .targets("test.example.com")
            .build();

        var rulesSource = RuleGroupRuleGroupRulesSourceArgs.builder()
            .rulesSourceList(domainList)
            .build();

        var ruleGroupSpec = RuleGroupRuleGroupArgs.builder()
            .rulesSource(rulesSource)
            .build();

        var resourceTags = Map.ofEntries(
            Map.entry("Tag1", "Value1"),
            Map.entry("Tag2", "Value2"));

        // Stateful groups need at least as much capacity as they have rules.
        var ruleGroup = new RuleGroup("example", RuleGroupArgs.builder()
            .type("STATEFUL")
            .capacity(100)
            .tags(resourceTags)
            .ruleGroup(ruleGroupSpec)
            .build());
    }
}
Stateful Inspection for permitting packets from a source IP address
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
// Pulumi program: a STATEFUL rule group intended to PASS HTTP traffic
// arriving from a fixed list of source addresses.
//
// NOTE(review): this listing does not compile as emitted by the docs
// generator. `final var ips = "1.1.1.1/32", "1.0.0.1/32";` is not valid
// Java (a list would be written List.of(...)), and the `.dynamic(%!v(PANIC=...))`
// line is a rendering failure standing in for the per-address stateful_rule
// blocks. The rule content (action, header, rule options) is not recoverable
// from this page — take it from the HCL/TypeScript version of the example.
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // NOTE(review): 1.1.1.1 and 1.0.0.1 are live public resolver addresses.
        // An example that PERMITS traffic should use a documentation range
        // (RFC 5737, e.g. 192.0.2.0/24) so a copy-paste cannot accidentally
        // allow-list third-party hosts.
        final var ips =
            "1.1.1.1/32",
            "1.0.0.1/32";
        var example = new RuleGroup("example", RuleGroupArgs.builder()
            .capacity(50)
            .description("Permits http traffic from source")
            .type("STATEFUL")
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                    // Generator panic placeholder — one statefulRule per entry
                    // of `ips` is expected here (see note above).
                    .dynamic(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                    .build())
                .build())
            .tags(Map.of("Name", "permit HTTP from source"))
            .build());
    }
}
Stateful Inspection for blocking packets from going to an intended destination
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
// Pulumi program: a STATEFUL rule group with a single 5-tuple stateful rule
// that blocks packets to a specific destination (per the section heading).
//
// NOTE(review): the `.statefulRule(%!v(PANIC=...))` line is a docs-generator
// rendering failure, not code; the rule's action, header (source,
// destination, ports, protocol, direction) and rule options are missing and
// the listing does not compile as shown. Reconstruct them from the HCL
// version of this example rather than guessing from the heading.
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new RuleGroup("example", RuleGroupArgs.builder()
            .capacity(100)
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                    // Generator panic placeholder — stateful rule definition missing.
                    .statefulRule(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                    .build())
                .build())
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .type("STATEFUL")
            .build());
    }
}
Stateful Inspection from rules specifications defined in Suricata flat format
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
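/**
 * Pulumi program: a STATEFUL rule group whose rules are supplied verbatim
 * from a Suricata-format rules file ({@code example.rules}) resolved against
 * the working directory.
 */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi engine. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the rule group resource.
     *
     * @param ctx the Pulumi context of the stack being deployed
     * @throws java.io.UncheckedIOException if {@code example.rules} cannot be read
     */
    public static void stack(Context ctx) {
        var example = new RuleGroup("example", RuleGroupArgs.builder()
            .capacity(100)
            .type("STATEFUL")
            // The rules file is trusted configuration: whatever it contains
            // becomes firewall policy, so keep it under the same review as
            // the rest of the stack. Read via a helper because
            // Files.readString throws a checked IOException, which the
            // original listing neither caught nor declared (it did not
            // compile: Pulumi.run takes a plain Consumer<Context>).
            .rules(readRulesFile("example.rules"))
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .build());
    }

    /**
     * Reads a rules file as UTF-8 text, converting the checked IOException
     * into an unchecked one so {@link #stack(Context)} stays a plain Consumer.
     *
     * @param path path of the rules file, resolved against the working directory
     * @return the file contents
     * @throws java.io.UncheckedIOException if the file is missing, unreadable,
     *     or not valid UTF-8
     */
    private static String readRulesFile(String path) {
        try {
            return Files.readString(Paths.get(path));
        } catch (java.io.IOException e) {
            throw new java.io.UncheckedIOException("cannot read rules file " + path, e);
        }
    }
}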
Stateful Inspection from rule group specifications using rule variables and Suricata format rules
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesIpSetArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesPortSetArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
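/**
 * Pulumi program: a STATEFUL rule group that combines Suricata-format rules
 * (read from {@code suricata_rules_file}) with named rule variables the rules
 * can reference ($WEBSERVERS_HOSTS, $EXTERNAL_HOST, $HTTP_PORTS).
 */
public class App {
    /** Program entry point; hands the stack definition to the Pulumi engine. */
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    /**
     * Declares the rule group resource.
     *
     * @param ctx the Pulumi context of the stack being deployed
     * @throws java.io.UncheckedIOException if {@code suricata_rules_file} cannot be read
     */
    public static void stack(Context ctx) {
        // IP set variable for the protected web servers.
        // NOTE(review): 10.0.1.0/24 is already contained in 10.0.0.0/16, so
        // listing both is redundant; harmless, but it suggests the /24 gets
        // special treatment when it does not.
        var webserverHosts = RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
            .key("WEBSERVERS_HOSTS")
            .ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
                .definitions(
                    "10.0.0.0/16",
                    "10.0.1.0/24",
                    "192.168.0.0/16")
                .build())
            .build();

        // IP set variable for a single external peer.
        var externalHost = RuleGroupRuleGroupRuleVariablesIpSetArgs.builder()
            .key("EXTERNAL_HOST")
            .ipSet(RuleGroupRuleGroupRuleVariablesIpSetIpSetArgs.builder()
                .definitions("1.2.3.4/32")
                .build())
            .build();

        // Port set variable referenced by the rules as $HTTP_PORTS.
        var httpPorts = RuleGroupRuleGroupRuleVariablesPortSetArgs.builder()
            .key("HTTP_PORTS")
            .portSet(RuleGroupRuleGroupRuleVariablesPortSetPortSetArgs.builder()
                .definitions(
                    "443",
                    "80")
                .build())
            .build();

        var ruleVariables = RuleGroupRuleGroupRuleVariablesArgs.builder()
            .ipSets(webserverHosts, externalHost)
            .portSets(httpPorts)
            .build();

        // The rules file is trusted configuration: its contents become the
        // firewall policy, so review it like code. Read via a helper because
        // Files.readString throws a checked IOException that the original
        // listing neither caught nor declared (Pulumi.run takes a plain
        // Consumer<Context>, so the listing did not compile).
        var rulesSource = RuleGroupRuleGroupRulesSourceArgs.builder()
            .rulesString(readRulesFile("suricata_rules_file"))
            .build();

        var example = new RuleGroup("example", RuleGroupArgs.builder()
            .capacity(100)
            .type("STATEFUL")
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .ruleVariables(ruleVariables)
                .rulesSource(rulesSource)
                .build())
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .build());
    }

    /**
     * Reads a rules file as UTF-8 text, converting the checked IOException
     * into an unchecked one so {@link #stack(Context)} stays a plain Consumer.
     *
     * @param path path of the rules file, resolved against the working directory
     * @return the file contents
     * @throws java.io.UncheckedIOException if the file is missing, unreadable,
     *     or not valid UTF-8
     */
    private static String readRulesFile(String path) {
        try {
            return Files.readString(Paths.get(path));
        } catch (java.io.IOException e) {
            throw new java.io.UncheckedIOException("cannot read rules file " + path, e);
        }
    }
}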
Stateless Inspection with a Custom Action
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
// Pulumi program: a STATELESS rule group pairing a stateless rule with a
// custom action.
//
// NOTE(review): both `.customAction(%!v(PANIC=...))` and
// `.statelessRule(%!v(PANIC=...))` are docs-generator rendering failures,
// not code; the custom action definition and the stateless rule (priority,
// match attributes, actions) are missing and the listing does not compile as
// shown. Reconstruct them from the HCL version of this example.
// NOTE(review): the description says "Rate Limiting", but Network Firewall
// custom actions are limited to publishing CloudWatch metrics — confirm the
// description reflects what the rule actually does so operators are not
// misled into thinking traffic is throttled.
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new RuleGroup("example", RuleGroupArgs.builder()
            .capacity(100)
            .description("Stateless Rate Limiting Rule")
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                    .statelessRulesAndCustomActions(RuleGroupRuleGroupRulesSourceStatelessRulesAndCustomActionsArgs.builder()
                        // Generator panic placeholders — custom action and
                        // stateless rule definitions missing (see note above).
                        .customAction(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                        .statelessRule(%!v(PANIC=Format method: runtime error: invalid memory address or nil pointer dereference))
                        .build())
                    .build())
                .build())
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            // Stateless groups: capacity must cover the sum of the rules'
            // individual capacity requirements (see Properties below).
            .type("STATELESS")
            .build());
    }
}
IP Set References to the Rule Group
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.aws.networkfirewall.RuleGroup;
import com.pulumi.aws.networkfirewall.RuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupReferenceSetsArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceArgs;
import com.pulumi.aws.networkfirewall.inputs.RuleGroupRuleGroupRulesSourceRulesSourceListArgs;
import com.pulumi.core.Output;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
// Pulumi program: a STATEFUL domain-list rule group that also declares an IP
// set reference ("example") backed by a VPC managed prefix list.
//
// NOTE(review): `aws_ec2_managed_prefix_list.this().arn()` is a Terraform HCL
// reference that leaked into the Java listing; it does not compile. Replace it
// with the `arn()` output of an aws.ec2.ManagedPrefixList resource declared in
// this program, or with an ARN supplied through stack configuration.
// NOTE(review): the referenced prefix list is a trust boundary — anyone who
// can edit it changes what this rule group matches without touching this
// code. Restrict who may modify the prefix list and review changes to it.
// NOTE(review): the domain-list rules source shown here does not use the
// "example" reference set; reference sets are consumed by Suricata-format
// rules (as @example) — confirm this pairing is intentional.
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        var example = new RuleGroup("example", RuleGroupArgs.builder()
            .capacity(100)
            .type("STATEFUL")
            .ruleGroup(RuleGroupRuleGroupArgs.builder()
                .rulesSource(RuleGroupRuleGroupRulesSourceArgs.builder()
                    // Denies HTTP whose Host header is test.example.com.
                    .rulesSourceList(RuleGroupRuleGroupRulesSourceRulesSourceListArgs.builder()
                        .generatedRulesType("DENYLIST")
                        .targetTypes("HTTP_HOST")
                        .targets("test.example.com")
                        .build())
                    .build())
                .referenceSets(RuleGroupRuleGroupReferenceSetsArgs.builder()
                    .ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceArgs.builder()
                        .key("example")
                        .ipSetReferences(RuleGroupRuleGroupReferenceSetsIpSetReferenceIpSetReferenceArgs.builder()
                            // Not valid Java — see the note at the top of the class.
                            .referenceArn(aws_ec2_managed_prefix_list.this().arn())
                            .build())
                        .build())
                    .build())
                .build())
            .tags(Map.ofEntries(
                Map.entry("Tag1", "Value1"),
                Map.entry("Tag2", "Value2")
            ))
            .build());
    }
}
Import
Network Firewall Rule Groups can be imported using their ARN (the ARN encodes whether the group is stateful or stateless, as in the example below):
$ pulumi import aws:networkfirewall/ruleGroup:RuleGroup example arn:aws:network-firewall:us-west-1:123456789012:stateful-rulegroup/example
Properties
The maximum number of operating resources that this rule group can use. For a stateless rule group, the capacity required is the sum of the capacity requirements of the individual rules. For a stateful rule group, the minimum capacity required is the number of individual rules.
A friendly description of the rule group.
KMS encryption configuration settings. See Encryption Configuration below for details.
A configuration block that defines the rule group rules. Required unless `rules` (the Suricata-format rules string) is specified; the two are alternative ways of supplying the same rules. See Rule Group below for details.
A string token used when updating the rule group.