PolicyArgs

/**
 * Arguments for creating an AWS Firewall Manager policy (`aws:fms/policy:Policy`).
 *
 * Every parameter is optional: `null` leaves the field unset so the provider
 * applies its own default. Descriptions below follow the provider documentation.
 *
 * @property deleteAllPolicyResources If true, the delete request also performs a clean-up
 *   process. Defaults to true.
 * @property deleteUnusedFmManagedResources If true, Firewall Manager automatically removes
 *   protections from resources that leave the policy scope. Defaults to false.
 * @property description The description of the policy.
 * @property excludeMap A map of lists of accounts and OUs to exclude from the policy.
 * @property excludeResourceTags If true, resources carrying the tags in [resourceTags] are
 *   not protected by this policy; if false and [resourceTags] is populated, resources that
 *   carry those tags are protected.
 * @property includeMap A map of lists of accounts and OUs to include in the policy.
 * @property name The friendly name of the AWS Firewall Manager policy.
 * @property remediationEnabled Whether the policy is automatically applied to resources
 *   that already exist in the account.
 * @property resourceSetIds Not described on this page; see the provider documentation.
 * @property resourceTags A map of resource tags that, together with [excludeResourceTags],
 *   filters which resources are protected.
 * @property resourceType A single resource type to protect. Conflicts with [resourceTypeLists].
 * @property resourceTypeLists A list of resource types to protect. Conflicts with
 *   [resourceType]; single-element lists are not supported, use [resourceType] instead.
 * @property securityServicePolicyData The objects to include in Security Service Policy Data.
 * @property tags Key-value mapping of resource tags; keys that match a provider `default_tags`
 *   entry overwrite the provider-level value.
 */
data class PolicyArgs(
    val deleteAllPolicyResources: Output<Boolean>? = null,
    val deleteUnusedFmManagedResources: Output<Boolean>? = null,
    val description: Output<String>? = null,
    val excludeMap: Output<PolicyExcludeMapArgs>? = null,
    val excludeResourceTags: Output<Boolean>? = null,
    val includeMap: Output<PolicyIncludeMapArgs>? = null,
    val name: Output<String>? = null,
    val remediationEnabled: Output<Boolean>? = null,
    val resourceSetIds: Output<List<String>>? = null,
    val resourceTags: Output<Map<String, String>>? = null,
    val resourceType: Output<String>? = null,
    val resourceTypeLists: Output<List<String>>? = null,
    val securityServicePolicyData: Output<PolicySecurityServicePolicyDataArgs>? = null,
    val tags: Output<Map<String, String>>? = null,
) : ConvertibleToJava<PolicyArgs>

Provides a resource to create an AWS Firewall Manager policy. You need to be using AWS Organizations and have enabled the Firewall Manager administrator account.

NOTE: Due to limitations with testing, this resource is provided on a best-effort basis. If you find it useful and are able to help test it or notice issues, consider reaching out to us on GitHub.

Example Usage

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
// WAF Classic (regional) rule group that the Firewall Manager policy rolls out.
const exampleRuleGroup = new aws.wafregional.RuleGroup("example", {
    metricName: "WAFRuleGroupExample",
    name: "WAF-Rule-Group-Example",
});

// Security service definition that Firewall Manager expects as a JSON string.
// overrideAction COUNT makes the rule group count matching requests instead of
// blocking them; defaultAction applies to requests no rule matches.
const managedServiceData = pulumi.jsonStringify({
    type: "WAF",
    ruleGroups: [{
        id: exampleRuleGroup.id,
        overrideAction: { type: "COUNT" },
    }],
    defaultAction: { type: "BLOCK" },
    overrideCustomerWebACLAssociation: false,
});

const example = new aws.fms.Policy("example", {
    name: "FMS-Policy-Example",
    // Only meaningful together with resourceTags, which is not set here.
    excludeResourceTags: false,
    // Existing load balancers are not automatically brought under the policy.
    remediationEnabled: false,
    resourceType: "AWS::ElasticLoadBalancingV2::LoadBalancer",
    securityServicePolicyData: {
        type: "WAF",
        managedServiceData,
    },
    tags: { Name: "example-fms-policy" },
});
import pulumi
import json
import pulumi_aws as aws
# WAF Classic (regional) rule group that the Firewall Manager policy rolls out.
example_rule_group = aws.wafregional.RuleGroup(
    "example",
    metric_name="WAFRuleGroupExample",
    name="WAF-Rule-Group-Example",
)

# Security service definition that Firewall Manager expects as a JSON string.
# overrideAction COUNT makes the rule group count matching requests instead of
# blocking them; defaultAction applies to requests no rule matches.
managed_service_data = pulumi.Output.json_dumps({
    "type": "WAF",
    "ruleGroups": [{
        "id": example_rule_group.id,
        "overrideAction": {"type": "COUNT"},
    }],
    "defaultAction": {"type": "BLOCK"},
    "overrideCustomerWebACLAssociation": False,
})

example = aws.fms.Policy(
    "example",
    name="FMS-Policy-Example",
    # Only meaningful together with resource_tags, which is not set here.
    exclude_resource_tags=False,
    # Existing load balancers are not automatically brought under the policy.
    remediation_enabled=False,
    resource_type="AWS::ElasticLoadBalancingV2::LoadBalancer",
    security_service_policy_data={
        "type": "WAF",
        "managed_service_data": managed_service_data,
    },
    tags={"Name": "example-fms-policy"},
)
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
    // WAF Classic (regional) rule group that the Firewall Manager policy rolls out.
    var exampleRuleGroup = new Aws.WafRegional.RuleGroup("example", new()
    {
        MetricName = "WAFRuleGroupExample",
        Name = "WAF-Rule-Group-Example",
    });

    // Security service definition that Firewall Manager expects as a JSON string.
    // overrideAction COUNT makes the rule group count matching requests instead of
    // blocking them; defaultAction applies to requests no rule matches.
    var managedServiceData = Output.JsonSerialize(Output.Create(new Dictionary<string, object?>
    {
        ["type"] = "WAF",
        ["ruleGroups"] = new[]
        {
            new Dictionary<string, object?>
            {
                ["id"] = exampleRuleGroup.Id,
                ["overrideAction"] = new Dictionary<string, object?> { ["type"] = "COUNT" },
            },
        },
        ["defaultAction"] = new Dictionary<string, object?> { ["type"] = "BLOCK" },
        ["overrideCustomerWebACLAssociation"] = false,
    }));

    var example = new Aws.Fms.Policy("example", new()
    {
        Name = "FMS-Policy-Example",
        // Only meaningful together with ResourceTags, which is not set here.
        ExcludeResourceTags = false,
        // Existing load balancers are not automatically brought under the policy.
        RemediationEnabled = false,
        ResourceType = "AWS::ElasticLoadBalancingV2::LoadBalancer",
        SecurityServicePolicyData = new Aws.Fms.Inputs.PolicySecurityServicePolicyDataArgs
        {
            Type = "WAF",
            ManagedServiceData = managedServiceData,
        },
        Tags =
        {
            { "Name", "example-fms-policy" },
        },
    });
});
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/fms"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/wafregional"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
// managedServiceData renders the WAF security-service definition that
// Firewall Manager expects as a JSON string, wired to the given rule group ID.
// overrideAction COUNT makes the rule group count matching requests instead of
// blocking them; defaultAction applies to requests no rule matches.
func managedServiceData(ruleGroupID string) (pulumi.String, error) {
	payload := map[string]interface{}{
		"type": "WAF",
		"ruleGroups": []map[string]interface{}{
			{
				"id":             ruleGroupID,
				"overrideAction": map[string]interface{}{"type": "COUNT"},
			},
		},
		"defaultAction":                     map[string]interface{}{"type": "BLOCK"},
		"overrideCustomerWebACLAssociation": false,
	}
	encoded, err := json.Marshal(payload)
	if err != nil {
		return "", err
	}
	return pulumi.String(string(encoded)), nil
}

func main() {
	pulumi.Run(func(ctx *pulumi.Context) error {
		// WAF Classic (regional) rule group that the Firewall Manager policy rolls out.
		exampleRuleGroup, err := wafregional.NewRuleGroup(ctx, "example", &wafregional.RuleGroupArgs{
			MetricName: pulumi.String("WAFRuleGroupExample"),
			Name:       pulumi.String("WAF-Rule-Group-Example"),
		})
		if err != nil {
			return err
		}

		// The rule group ID is only known after creation, so the JSON is built inside ApplyT.
		policyData := exampleRuleGroup.ID().ApplyT(func(id string) (pulumi.String, error) {
			return managedServiceData(id)
		}).(pulumi.StringOutput)

		_, err = fms.NewPolicy(ctx, "example", &fms.PolicyArgs{
			Name: pulumi.String("FMS-Policy-Example"),
			// Only meaningful together with ResourceTags, which is not set here.
			ExcludeResourceTags: pulumi.Bool(false),
			// Existing load balancers are not automatically brought under the policy.
			RemediationEnabled: pulumi.Bool(false),
			ResourceType:       pulumi.String("AWS::ElasticLoadBalancingV2::LoadBalancer"),
			SecurityServicePolicyData: &fms.PolicySecurityServicePolicyDataArgs{
				Type:               pulumi.String("WAF"),
				ManagedServiceData: policyData,
			},
			Tags: pulumi.StringMap{
				"Name": pulumi.String("example-fms-policy"),
			},
		})
		return err
	})
}
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafregional.RuleGroup;
import com.pulumi.aws.wafregional.RuleGroupArgs;
import com.pulumi.aws.fms.Policy;
import com.pulumi.aws.fms.PolicyArgs;
import com.pulumi.aws.fms.inputs.PolicySecurityServicePolicyDataArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }

    public static void stack(Context ctx) {
        // WAF Classic (regional) rule group that the Firewall Manager policy rolls out.
        var exampleRuleGroup = new RuleGroup("exampleRuleGroup", RuleGroupArgs.builder()
            .metricName("WAFRuleGroupExample")
            .name("WAF-Rule-Group-Example")
            .build());

        var example = new Policy("example", PolicyArgs.builder()
            .name("FMS-Policy-Example")
            // Only meaningful together with resourceTags, which is not set here.
            .excludeResourceTags(false)
            // Existing load balancers are not automatically brought under the policy.
            .remediationEnabled(false)
            .resourceType("AWS::ElasticLoadBalancingV2::LoadBalancer")
            .securityServicePolicyData(PolicySecurityServicePolicyDataArgs.builder()
                .type("WAF")
                // The rule group ID is only known after creation, hence applyValue.
                .managedServiceData(exampleRuleGroup.id().applyValue(App::managedServiceData))
                .build())
            .tags(Map.of("Name", "example-fms-policy"))
            .build());
    }

    /**
     * Renders the WAF security-service definition that Firewall Manager expects as a
     * JSON string, wired to the given rule group ID. overrideAction COUNT makes the rule
     * group count matching requests instead of blocking them; defaultAction applies to
     * requests no rule matches.
     */
    private static String managedServiceData(String ruleGroupId) {
        return serializeJson(jsonObject(
            jsonProperty("type", "WAF"),
            jsonProperty("ruleGroups", jsonArray(jsonObject(
                jsonProperty("id", ruleGroupId),
                jsonProperty("overrideAction", jsonObject(
                    jsonProperty("type", "COUNT")
                ))
            ))),
            jsonProperty("defaultAction", jsonObject(
                jsonProperty("type", "BLOCK")
            )),
            jsonProperty("overrideCustomerWebACLAssociation", false)
        ));
    }
}
resources:
  # WAF Classic (regional) rule group that the Firewall Manager policy rolls out.
  exampleRuleGroup:
    type: aws:wafregional:RuleGroup
    name: example
    properties:
      metricName: WAFRuleGroupExample
      name: WAF-Rule-Group-Example
  example:
    type: aws:fms:Policy
    properties:
      name: FMS-Policy-Example
      # Only meaningful together with resourceTags, which is not set here.
      excludeResourceTags: false
      # Existing load balancers are not automatically brought under the policy.
      remediationEnabled: false
      resourceType: AWS::ElasticLoadBalancingV2::LoadBalancer
      securityServicePolicyData:
        type: WAF
        # Rendered to the JSON string Firewall Manager expects. overrideAction COUNT
        # makes the rule group count matching requests instead of blocking them;
        # defaultAction applies to requests no rule matches.
        managedServiceData:
          fn::toJSON:
            type: WAF
            ruleGroups:
              - id: ${exampleRuleGroup.id}
                overrideAction:
                  type: COUNT
            defaultAction:
              type: BLOCK
            overrideCustomerWebACLAssociation: false
      tags:
        Name: example-fms-policy

Import

Using pulumi import, import Firewall Manager policies using the policy ID. For example:

$ pulumi import aws:fms/policy:Policy example 5be49585-a7e3-4c49-dde1-a179fe4a619a

Constructors

constructor(deleteAllPolicyResources: Output<Boolean>? = null, deleteUnusedFmManagedResources: Output<Boolean>? = null, description: Output<String>? = null, excludeMap: Output<PolicyExcludeMapArgs>? = null, excludeResourceTags: Output<Boolean>? = null, includeMap: Output<PolicyIncludeMapArgs>? = null, name: Output<String>? = null, remediationEnabled: Output<Boolean>? = null, resourceSetIds: Output<List<String>>? = null, resourceTags: Output<Map<String, String>>? = null, resourceType: Output<String>? = null, resourceTypeLists: Output<List<String>>? = null, securityServicePolicyData: Output<PolicySecurityServicePolicyDataArgs>? = null, tags: Output<Map<String, String>>? = null)

Properties

val deleteAllPolicyResources: Output<Boolean>? = null

If true, the delete request also performs a clean-up process. Defaults to true. More information can be found in the AWS Firewall Manager delete policy documentation.


If true, Firewall Manager automatically removes protections from resources that leave the policy scope. Defaults to false. More information can be found in the AWS Firewall Manager policy contents documentation.

val description: Output<String>? = null

The description of the AWS Network Firewall firewall policy.

val excludeMap: Output<PolicyExcludeMapArgs>? = null

A map of lists of accounts and OUs to exclude from the policy. See the exclude_map block.

val excludeResourceTags: Output<Boolean>? = null

If true, resources that carry the tags specified in resource_tags are not protected by this policy. If false and resource_tags is populated, resources that carry those tags are protected by this policy.

val includeMap: Output<PolicyIncludeMapArgs>? = null

A map of lists of accounts and OUs to include in the policy. See the include_map block.

val name: Output<String>? = null

The friendly name of the AWS Firewall Manager Policy.

val remediationEnabled: Output<Boolean>? = null

A boolean value indicating whether the policy should be automatically applied to resources that already exist in the account.

val resourceSetIds: Output<List<String>>? = null
val resourceTags: Output<Map<String, String>>? = null

A map of resource tags that, if present, filters which resources are protected, as controlled by exclude_resource_tags.

val resourceType: Output<String>? = null

A resource type to protect. Conflicts with resource_type_lists. See the FMS API Reference for more information about supported values.

val resourceTypeLists: Output<List<String>>? = null

A list of resource types to protect. Conflicts with resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported; use resource_type instead.


The objects to include in Security Service Policy Data. See the security_service_policy_data block.

val tags: Output<Map<String, String>>? = null

Key-value mapping of resource tags. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider level.

Functions

open override fun toJava(): PolicyArgs