Docs Home
AWS v6.71.0 published on Friday, Mar 7, 2025 by Pulumi
aws.fms.Policy
Explore with Pulumi AI
Provides a resource to create an AWS Firewall Manager policy. You need to be using AWS organizations and have enabled the Firewall Manager administrator account.
NOTE: Due to limitations with testing, we provide it as best effort. If you find it useful, and have the ability to help test or notice issues, consider reaching out to us on GitHub.
Example Usage
import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";
const exampleRuleGroup = new aws.wafregional.RuleGroup("example", {
metricName: "WAFRuleGroupExample",
name: "WAF-Rule-Group-Example",
});
const example = new aws.fms.Policy("example", {
name: "FMS-Policy-Example",
excludeResourceTags: false,
remediationEnabled: false,
resourceType: "AWS::ElasticLoadBalancingV2::LoadBalancer",
securityServicePolicyData: {
type: "WAF",
managedServiceData: pulumi.jsonStringify({
type: "WAF",
ruleGroups: [{
id: exampleRuleGroup.id,
overrideAction: {
type: "COUNT",
},
}],
defaultAction: {
type: "BLOCK",
},
overrideCustomerWebACLAssociation: false,
}),
},
tags: {
Name: "example-fms-policy",
},
});
import pulumi
import json
import pulumi_aws as aws
example_rule_group = aws.wafregional.RuleGroup("example",
metric_name="WAFRuleGroupExample",
name="WAF-Rule-Group-Example")
example = aws.fms.Policy("example",
name="FMS-Policy-Example",
exclude_resource_tags=False,
remediation_enabled=False,
resource_type="AWS::ElasticLoadBalancingV2::LoadBalancer",
security_service_policy_data={
"type": "WAF",
"managed_service_data": pulumi.Output.json_dumps({
"type": "WAF",
"ruleGroups": [{
"id": example_rule_group.id,
"overrideAction": {
"type": "COUNT",
},
}],
"defaultAction": {
"type": "BLOCK",
},
"overrideCustomerWebACLAssociation": False,
}),
},
tags={
"Name": "example-fms-policy",
})
package main
import (
"encoding/json"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/fms"
"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/wafregional"
"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)
func main() {
pulumi.Run(func(ctx *pulumi.Context) error {
exampleRuleGroup, err := wafregional.NewRuleGroup(ctx, "example", &wafregional.RuleGroupArgs{
MetricName: pulumi.String("WAFRuleGroupExample"),
Name: pulumi.String("WAF-Rule-Group-Example"),
})
if err != nil {
return err
}
_, err = fms.NewPolicy(ctx, "example", &fms.PolicyArgs{
Name: pulumi.String("FMS-Policy-Example"),
ExcludeResourceTags: pulumi.Bool(false),
RemediationEnabled: pulumi.Bool(false),
ResourceType: pulumi.String("AWS::ElasticLoadBalancingV2::LoadBalancer"),
SecurityServicePolicyData: &fms.PolicySecurityServicePolicyDataArgs{
Type: pulumi.String("WAF"),
ManagedServiceData: exampleRuleGroup.ID().ApplyT(func(id string) (pulumi.String, error) {
var _zero pulumi.String
tmpJSON0, err := json.Marshal(map[string]interface{}{
"type": "WAF",
"ruleGroups": []map[string]interface{}{
map[string]interface{}{
"id": id,
"overrideAction": map[string]interface{}{
"type": "COUNT",
},
},
},
"defaultAction": map[string]interface{}{
"type": "BLOCK",
},
"overrideCustomerWebACLAssociation": false,
})
if err != nil {
return _zero, err
}
json0 := string(tmpJSON0)
return pulumi.String(json0), nil
}).(pulumi.StringOutput),
},
Tags: pulumi.StringMap{
"Name": pulumi.String("example-fms-policy"),
},
})
if err != nil {
return err
}
return nil
})
}
using System.Collections.Generic;
using System.Linq;
using System.Text.Json;
using Pulumi;
using Aws = Pulumi.Aws;
return await Deployment.RunAsync(() =>
{
var exampleRuleGroup = new Aws.WafRegional.RuleGroup("example", new()
{
MetricName = "WAFRuleGroupExample",
Name = "WAF-Rule-Group-Example",
});
var example = new Aws.Fms.Policy("example", new()
{
Name = "FMS-Policy-Example",
ExcludeResourceTags = false,
RemediationEnabled = false,
ResourceType = "AWS::ElasticLoadBalancingV2::LoadBalancer",
SecurityServicePolicyData = new Aws.Fms.Inputs.PolicySecurityServicePolicyDataArgs
{
Type = "WAF",
ManagedServiceData = Output.JsonSerialize(Output.Create(new Dictionary<string, object?>
{
["type"] = "WAF",
["ruleGroups"] = new[]
{
new Dictionary<string, object?>
{
["id"] = exampleRuleGroup.Id,
["overrideAction"] = new Dictionary<string, object?>
{
["type"] = "COUNT",
},
},
},
["defaultAction"] = new Dictionary<string, object?>
{
["type"] = "BLOCK",
},
["overrideCustomerWebACLAssociation"] = false,
})),
},
Tags =
{
{ "Name", "example-fms-policy" },
},
});
});
package generated_program;
import com.pulumi.Context;
import com.pulumi.Pulumi;
import com.pulumi.core.Output;
import com.pulumi.aws.wafregional.RuleGroup;
import com.pulumi.aws.wafregional.RuleGroupArgs;
import com.pulumi.aws.fms.Policy;
import com.pulumi.aws.fms.PolicyArgs;
import com.pulumi.aws.fms.inputs.PolicySecurityServicePolicyDataArgs;
import static com.pulumi.codegen.internal.Serialization.*;
import java.util.List;
import java.util.ArrayList;
import java.util.Map;
import java.io.File;
import java.nio.file.Files;
import java.nio.file.Paths;
public class App {
public static void main(String[] args) {
Pulumi.run(App::stack);
}
public static void stack(Context ctx) {
var exampleRuleGroup = new RuleGroup("exampleRuleGroup", RuleGroupArgs.builder()
.metricName("WAFRuleGroupExample")
.name("WAF-Rule-Group-Example")
.build());
var example = new Policy("example", PolicyArgs.builder()
.name("FMS-Policy-Example")
.excludeResourceTags(false)
.remediationEnabled(false)
.resourceType("AWS::ElasticLoadBalancingV2::LoadBalancer")
.securityServicePolicyData(PolicySecurityServicePolicyDataArgs.builder()
.type("WAF")
.managedServiceData(exampleRuleGroup.id().applyValue(id -> serializeJson(
jsonObject(
jsonProperty("type", "WAF"),
jsonProperty("ruleGroups", jsonArray(jsonObject(
jsonProperty("id", id),
jsonProperty("overrideAction", jsonObject(
jsonProperty("type", "COUNT")
))
))),
jsonProperty("defaultAction", jsonObject(
jsonProperty("type", "BLOCK")
)),
jsonProperty("overrideCustomerWebACLAssociation", false)
))))
.build())
.tags(Map.of("Name", "example-fms-policy"))
.build());
}
}
resources:
example:
type: aws:fms:Policy
properties:
name: FMS-Policy-Example
excludeResourceTags: false
remediationEnabled: false
resourceType: AWS::ElasticLoadBalancingV2::LoadBalancer
securityServicePolicyData:
type: WAF
managedServiceData:
fn::toJSON:
type: WAF
ruleGroups:
- id: ${exampleRuleGroup.id}
overrideAction:
type: COUNT
defaultAction:
type: BLOCK
overrideCustomerWebACLAssociation: false
tags:
Name: example-fms-policy
exampleRuleGroup:
type: aws:wafregional:RuleGroup
name: example
properties:
metricName: WAFRuleGroupExample
name: WAF-Rule-Group-Example
Create Policy Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new Policy(name: string, args: PolicyArgs, opts?: CustomResourceOptions);@overload
def Policy(resource_name: str,
args: PolicyArgs,
opts: Optional[ResourceOptions] = None)
@overload
def Policy(resource_name: str,
opts: Optional[ResourceOptions] = None,
exclude_resource_tags: Optional[bool] = None,
security_service_policy_data: Optional[PolicySecurityServicePolicyDataArgs] = None,
name: Optional[str] = None,
exclude_map: Optional[PolicyExcludeMapArgs] = None,
description: Optional[str] = None,
include_map: Optional[PolicyIncludeMapArgs] = None,
delete_all_policy_resources: Optional[bool] = None,
remediation_enabled: Optional[bool] = None,
resource_set_ids: Optional[Sequence[str]] = None,
resource_tags: Optional[Mapping[str, str]] = None,
resource_type: Optional[str] = None,
resource_type_lists: Optional[Sequence[str]] = None,
delete_unused_fm_managed_resources: Optional[bool] = None,
tags: Optional[Mapping[str, str]] = None)func NewPolicy(ctx *Context, name string, args PolicyArgs, opts ...ResourceOption) (*Policy, error)public Policy(string name, PolicyArgs args, CustomResourceOptions? opts = null)
public Policy(String name, PolicyArgs args)
public Policy(String name, PolicyArgs args, CustomResourceOptions options)
type: aws:fms:Policy
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args PolicyArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var examplepolicyResourceResourceFromFmspolicy = new Aws.Fms.Policy("examplepolicyResourceResourceFromFmspolicy", new()
{
ExcludeResourceTags = false,
SecurityServicePolicyData = new Aws.Fms.Inputs.PolicySecurityServicePolicyDataArgs
{
Type = "string",
ManagedServiceData = "string",
PolicyOption = new Aws.Fms.Inputs.PolicySecurityServicePolicyDataPolicyOptionArgs
{
NetworkAclCommonPolicy = new Aws.Fms.Inputs.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyArgs
{
NetworkAclEntrySet = new Aws.Fms.Inputs.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetArgs
{
ForceRemediateForFirstEntries = false,
ForceRemediateForLastEntries = false,
FirstEntries = new[]
{
new Aws.Fms.Inputs.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryArgs
{
Egress = false,
Protocol = "string",
RuleAction = "string",
CidrBlock = "string",
IcmpTypeCodes = new[]
{
new Aws.Fms.Inputs.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryIcmpTypeCodeArgs
{
Code = 0,
Type = 0,
},
},
Ipv6CidrBlock = "string",
PortRanges = new[]
{
new Aws.Fms.Inputs.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryPortRangeArgs
{
From = 0,
To = 0,
},
},
},
},
LastEntries = new[]
{
new Aws.Fms.Inputs.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryArgs
{
Egress = false,
Protocol = "string",
RuleAction = "string",
CidrBlock = "string",
IcmpTypeCodes = new[]
{
new Aws.Fms.Inputs.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryIcmpTypeCodeArgs
{
Code = 0,
Type = 0,
},
},
Ipv6CidrBlock = "string",
PortRanges = new[]
{
new Aws.Fms.Inputs.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryPortRangeArgs
{
From = 0,
To = 0,
},
},
},
},
},
},
NetworkFirewallPolicy = new Aws.Fms.Inputs.PolicySecurityServicePolicyDataPolicyOptionNetworkFirewallPolicyArgs
{
FirewallDeploymentModel = "string",
},
ThirdPartyFirewallPolicy = new Aws.Fms.Inputs.PolicySecurityServicePolicyDataPolicyOptionThirdPartyFirewallPolicyArgs
{
FirewallDeploymentModel = "string",
},
},
},
Name = "string",
ExcludeMap = new Aws.Fms.Inputs.PolicyExcludeMapArgs
{
Accounts = new[]
{
"string",
},
Orgunits = new[]
{
"string",
},
},
Description = "string",
IncludeMap = new Aws.Fms.Inputs.PolicyIncludeMapArgs
{
Accounts = new[]
{
"string",
},
Orgunits = new[]
{
"string",
},
},
DeleteAllPolicyResources = false,
RemediationEnabled = false,
ResourceSetIds = new[]
{
"string",
},
ResourceTags =
{
{ "string", "string" },
},
ResourceType = "string",
ResourceTypeLists = new[]
{
"string",
},
DeleteUnusedFmManagedResources = false,
Tags =
{
{ "string", "string" },
},
});
example, err := fms.NewPolicy(ctx, "examplepolicyResourceResourceFromFmspolicy", &fms.PolicyArgs{
ExcludeResourceTags: pulumi.Bool(false),
SecurityServicePolicyData: &fms.PolicySecurityServicePolicyDataArgs{
Type: pulumi.String("string"),
ManagedServiceData: pulumi.String("string"),
PolicyOption: &fms.PolicySecurityServicePolicyDataPolicyOptionArgs{
NetworkAclCommonPolicy: &fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyArgs{
NetworkAclEntrySet: &fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetArgs{
ForceRemediateForFirstEntries: pulumi.Bool(false),
ForceRemediateForLastEntries: pulumi.Bool(false),
FirstEntries: fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryArray{
&fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryArgs{
Egress: pulumi.Bool(false),
Protocol: pulumi.String("string"),
RuleAction: pulumi.String("string"),
CidrBlock: pulumi.String("string"),
IcmpTypeCodes: fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryIcmpTypeCodeArray{
&fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryIcmpTypeCodeArgs{
Code: pulumi.Int(0),
Type: pulumi.Int(0),
},
},
Ipv6CidrBlock: pulumi.String("string"),
PortRanges: fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryPortRangeArray{
&fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryPortRangeArgs{
From: pulumi.Int(0),
To: pulumi.Int(0),
},
},
},
},
LastEntries: fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryArray{
&fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryArgs{
Egress: pulumi.Bool(false),
Protocol: pulumi.String("string"),
RuleAction: pulumi.String("string"),
CidrBlock: pulumi.String("string"),
IcmpTypeCodes: fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryIcmpTypeCodeArray{
&fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryIcmpTypeCodeArgs{
Code: pulumi.Int(0),
Type: pulumi.Int(0),
},
},
Ipv6CidrBlock: pulumi.String("string"),
PortRanges: fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryPortRangeArray{
&fms.PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryPortRangeArgs{
From: pulumi.Int(0),
To: pulumi.Int(0),
},
},
},
},
},
},
NetworkFirewallPolicy: &fms.PolicySecurityServicePolicyDataPolicyOptionNetworkFirewallPolicyArgs{
FirewallDeploymentModel: pulumi.String("string"),
},
ThirdPartyFirewallPolicy: &fms.PolicySecurityServicePolicyDataPolicyOptionThirdPartyFirewallPolicyArgs{
FirewallDeploymentModel: pulumi.String("string"),
},
},
},
Name: pulumi.String("string"),
ExcludeMap: &fms.PolicyExcludeMapArgs{
Accounts: pulumi.StringArray{
pulumi.String("string"),
},
Orgunits: pulumi.StringArray{
pulumi.String("string"),
},
},
Description: pulumi.String("string"),
IncludeMap: &fms.PolicyIncludeMapArgs{
Accounts: pulumi.StringArray{
pulumi.String("string"),
},
Orgunits: pulumi.StringArray{
pulumi.String("string"),
},
},
DeleteAllPolicyResources: pulumi.Bool(false),
RemediationEnabled: pulumi.Bool(false),
ResourceSetIds: pulumi.StringArray{
pulumi.String("string"),
},
ResourceTags: pulumi.StringMap{
"string": pulumi.String("string"),
},
ResourceType: pulumi.String("string"),
ResourceTypeLists: pulumi.StringArray{
pulumi.String("string"),
},
DeleteUnusedFmManagedResources: pulumi.Bool(false),
Tags: pulumi.StringMap{
"string": pulumi.String("string"),
},
})
var examplepolicyResourceResourceFromFmspolicy = new Policy("examplepolicyResourceResourceFromFmspolicy", PolicyArgs.builder()
.excludeResourceTags(false)
.securityServicePolicyData(PolicySecurityServicePolicyDataArgs.builder()
.type("string")
.managedServiceData("string")
.policyOption(PolicySecurityServicePolicyDataPolicyOptionArgs.builder()
.networkAclCommonPolicy(PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyArgs.builder()
.networkAclEntrySet(PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetArgs.builder()
.forceRemediateForFirstEntries(false)
.forceRemediateForLastEntries(false)
.firstEntries(PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryArgs.builder()
.egress(false)
.protocol("string")
.ruleAction("string")
.cidrBlock("string")
.icmpTypeCodes(PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryIcmpTypeCodeArgs.builder()
.code(0)
.type(0)
.build())
.ipv6CidrBlock("string")
.portRanges(PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryPortRangeArgs.builder()
.from(0)
.to(0)
.build())
.build())
.lastEntries(PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryArgs.builder()
.egress(false)
.protocol("string")
.ruleAction("string")
.cidrBlock("string")
.icmpTypeCodes(PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryIcmpTypeCodeArgs.builder()
.code(0)
.type(0)
.build())
.ipv6CidrBlock("string")
.portRanges(PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryPortRangeArgs.builder()
.from(0)
.to(0)
.build())
.build())
.build())
.build())
.networkFirewallPolicy(PolicySecurityServicePolicyDataPolicyOptionNetworkFirewallPolicyArgs.builder()
.firewallDeploymentModel("string")
.build())
.thirdPartyFirewallPolicy(PolicySecurityServicePolicyDataPolicyOptionThirdPartyFirewallPolicyArgs.builder()
.firewallDeploymentModel("string")
.build())
.build())
.build())
.name("string")
.excludeMap(PolicyExcludeMapArgs.builder()
.accounts("string")
.orgunits("string")
.build())
.description("string")
.includeMap(PolicyIncludeMapArgs.builder()
.accounts("string")
.orgunits("string")
.build())
.deleteAllPolicyResources(false)
.remediationEnabled(false)
.resourceSetIds("string")
.resourceTags(Map.of("string", "string"))
.resourceType("string")
.resourceTypeLists("string")
.deleteUnusedFmManagedResources(false)
.tags(Map.of("string", "string"))
.build());
examplepolicy_resource_resource_from_fmspolicy = aws.fms.Policy("examplepolicyResourceResourceFromFmspolicy",
exclude_resource_tags=False,
security_service_policy_data={
"type": "string",
"managed_service_data": "string",
"policy_option": {
"network_acl_common_policy": {
"network_acl_entry_set": {
"force_remediate_for_first_entries": False,
"force_remediate_for_last_entries": False,
"first_entries": [{
"egress": False,
"protocol": "string",
"rule_action": "string",
"cidr_block": "string",
"icmp_type_codes": [{
"code": 0,
"type": 0,
}],
"ipv6_cidr_block": "string",
"port_ranges": [{
"from_": 0,
"to": 0,
}],
}],
"last_entries": [{
"egress": False,
"protocol": "string",
"rule_action": "string",
"cidr_block": "string",
"icmp_type_codes": [{
"code": 0,
"type": 0,
}],
"ipv6_cidr_block": "string",
"port_ranges": [{
"from_": 0,
"to": 0,
}],
}],
},
},
"network_firewall_policy": {
"firewall_deployment_model": "string",
},
"third_party_firewall_policy": {
"firewall_deployment_model": "string",
},
},
},
name="string",
exclude_map={
"accounts": ["string"],
"orgunits": ["string"],
},
description="string",
include_map={
"accounts": ["string"],
"orgunits": ["string"],
},
delete_all_policy_resources=False,
remediation_enabled=False,
resource_set_ids=["string"],
resource_tags={
"string": "string",
},
resource_type="string",
resource_type_lists=["string"],
delete_unused_fm_managed_resources=False,
tags={
"string": "string",
})
const examplepolicyResourceResourceFromFmspolicy = new aws.fms.Policy("examplepolicyResourceResourceFromFmspolicy", {
excludeResourceTags: false,
securityServicePolicyData: {
type: "string",
managedServiceData: "string",
policyOption: {
networkAclCommonPolicy: {
networkAclEntrySet: {
forceRemediateForFirstEntries: false,
forceRemediateForLastEntries: false,
firstEntries: [{
egress: false,
protocol: "string",
ruleAction: "string",
cidrBlock: "string",
icmpTypeCodes: [{
code: 0,
type: 0,
}],
ipv6CidrBlock: "string",
portRanges: [{
from: 0,
to: 0,
}],
}],
lastEntries: [{
egress: false,
protocol: "string",
ruleAction: "string",
cidrBlock: "string",
icmpTypeCodes: [{
code: 0,
type: 0,
}],
ipv6CidrBlock: "string",
portRanges: [{
from: 0,
to: 0,
}],
}],
},
},
networkFirewallPolicy: {
firewallDeploymentModel: "string",
},
thirdPartyFirewallPolicy: {
firewallDeploymentModel: "string",
},
},
},
name: "string",
excludeMap: {
accounts: ["string"],
orgunits: ["string"],
},
description: "string",
includeMap: {
accounts: ["string"],
orgunits: ["string"],
},
deleteAllPolicyResources: false,
remediationEnabled: false,
resourceSetIds: ["string"],
resourceTags: {
string: "string",
},
resourceType: "string",
resourceTypeLists: ["string"],
deleteUnusedFmManagedResources: false,
tags: {
string: "string",
},
});
type: aws:fms:Policy
properties:
deleteAllPolicyResources: false
deleteUnusedFmManagedResources: false
description: string
excludeMap:
accounts:
- string
orgunits:
- string
excludeResourceTags: false
includeMap:
accounts:
- string
orgunits:
- string
name: string
remediationEnabled: false
resourceSetIds:
- string
resourceTags:
string: string
resourceType: string
resourceTypeLists:
- string
securityServicePolicyData:
managedServiceData: string
policyOption:
networkAclCommonPolicy:
networkAclEntrySet:
firstEntries:
- cidrBlock: string
egress: false
icmpTypeCodes:
- code: 0
type: 0
ipv6CidrBlock: string
portRanges:
- from: 0
to: 0
protocol: string
ruleAction: string
forceRemediateForFirstEntries: false
forceRemediateForLastEntries: false
lastEntries:
- cidrBlock: string
egress: false
icmpTypeCodes:
- code: 0
type: 0
ipv6CidrBlock: string
portRanges:
- from: 0
to: 0
protocol: string
ruleAction: string
networkFirewallPolicy:
firewallDeploymentModel: string
thirdPartyFirewallPolicy:
firewallDeploymentModel: string
type: string
tags:
string: string
Policy Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The Policy resource accepts the following input properties:
- bool
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - Security
Service PolicyPolicy Data Security Service Policy Data - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - Delete
All boolPolicy Resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - Delete
Unused boolFm Managed Resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - Description string
- The description of the AWS Network Firewall firewall policy.
- Exclude
Map PolicyExclude Map - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - Include
Map PolicyInclude Map - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - Name string
- The friendly name of the AWS Firewall Manager Policy.
- Remediation
Enabled bool - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- Resource
Set List<string>Ids - Dictionary<string, string>
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- Resource
Type string - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - Resource
Type List<string>Lists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - Dictionary<string, string>
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level
- bool
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - Security
Service PolicyPolicy Data Security Service Policy Data Args - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - Delete
All boolPolicy Resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - Delete
Unused boolFm Managed Resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - Description string
- The description of the AWS Network Firewall firewall policy.
- Exclude
Map PolicyExclude Map Args - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - Include
Map PolicyInclude Map Args - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - Name string
- The friendly name of the AWS Firewall Manager Policy.
- Remediation
Enabled bool - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- Resource
Set []stringIds - map[string]string
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- Resource
Type string - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - Resource
Type []stringLists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - map[string]string
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level
- Boolean
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - security
Service PolicyPolicy Data Security Service Policy Data - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - delete
All BooleanPolicy Resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - delete
Unused BooleanFm Managed Resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - description String
- The description of the AWS Network Firewall firewall policy.
- exclude
Map PolicyExclude Map - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - include
Map PolicyInclude Map - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - name String
- The friendly name of the AWS Firewall Manager Policy.
- remediation
Enabled Boolean - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- resource
Set List<String>Ids - Map<String,String>
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- resource
Type String - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - resource
Type List<String>Lists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - Map<String,String>
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level
- boolean
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - security
Service PolicyPolicy Data Security Service Policy Data - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - delete
All booleanPolicy Resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - delete
Unused booleanFm Managed Resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - description string
- The description of the AWS Network Firewall firewall policy.
- exclude
Map PolicyExclude Map - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - include
Map PolicyInclude Map - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - name string
- The friendly name of the AWS Firewall Manager Policy.
- remediation
Enabled boolean - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- resource
Set string[]Ids - {[key: string]: string}
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- resource
Type string - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - resource
Type string[]Lists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - {[key: string]: string}
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level
- bool
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - security_
service_ Policypolicy_ data Security Service Policy Data Args - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - delete_
all_ boolpolicy_ resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - delete_
unused_ boolfm_ managed_ resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - description str
- The description of the AWS Network Firewall firewall policy.
- exclude_
map PolicyExclude Map Args - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - include_
map PolicyInclude Map Args - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - name str
- The friendly name of the AWS Firewall Manager Policy.
- remediation_
enabled bool - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- resource_
set_ Sequence[str]ids - Mapping[str, str]
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- resource_
type str - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - resource_
type_ Sequence[str]lists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - Mapping[str, str]
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level
- Boolean
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - security
Service Property MapPolicy Data - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - delete
All BooleanPolicy Resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - delete
Unused BooleanFm Managed Resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - description String
- The description of the AWS Network Firewall firewall policy.
- exclude
Map Property Map - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - include
Map Property Map - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - name String
- The friendly name of the AWS Firewall Manager Policy.
- remediation
Enabled Boolean - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- resource
Set List<String>Ids - Map<String>
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- resource
Type String - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - resource
Type List<String>Lists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - Map<String>
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level
Outputs
All input properties are implicitly available as output properties. Additionally, the Policy resource produces the following output properties:
- Arn string
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Update stringToken - A unique identifier for each update to the policy.
- Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- Arn string
- Id string
- The provider-assigned unique ID for this managed resource.
- Policy
Update stringToken - A unique identifier for each update to the policy.
- map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn String
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Update StringToken - A unique identifier for each update to the policy.
- Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn string
- id string
- The provider-assigned unique ID for this managed resource.
- policy
Update stringToken - A unique identifier for each update to the policy.
- {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn str
- id str
- The provider-assigned unique ID for this managed resource.
- policy_
update_ strtoken - A unique identifier for each update to the policy.
- Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn String
- id String
- The provider-assigned unique ID for this managed resource.
- policy
Update StringToken - A unique identifier for each update to the policy.
- Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
Look up Existing Policy Resource
Get an existing Policy resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: PolicyState, opts?: CustomResourceOptions): Policy@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
arn: Optional[str] = None,
delete_all_policy_resources: Optional[bool] = None,
delete_unused_fm_managed_resources: Optional[bool] = None,
description: Optional[str] = None,
exclude_map: Optional[PolicyExcludeMapArgs] = None,
exclude_resource_tags: Optional[bool] = None,
include_map: Optional[PolicyIncludeMapArgs] = None,
name: Optional[str] = None,
policy_update_token: Optional[str] = None,
remediation_enabled: Optional[bool] = None,
resource_set_ids: Optional[Sequence[str]] = None,
resource_tags: Optional[Mapping[str, str]] = None,
resource_type: Optional[str] = None,
resource_type_lists: Optional[Sequence[str]] = None,
security_service_policy_data: Optional[PolicySecurityServicePolicyDataArgs] = None,
tags: Optional[Mapping[str, str]] = None,
tags_all: Optional[Mapping[str, str]] = None) -> Policyfunc GetPolicy(ctx *Context, name string, id IDInput, state *PolicyState, opts ...ResourceOption) (*Policy, error)public static Policy Get(string name, Input<string> id, PolicyState? state, CustomResourceOptions? opts = null)public static Policy get(String name, Output<String> id, PolicyState state, CustomResourceOptions options)resources: _: type: aws:fms:Policy get: id: ${id}- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- Arn string
- Delete
All boolPolicy Resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - Delete
Unused boolFm Managed Resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - Description string
- The description of the AWS Network Firewall firewall policy.
- Exclude
Map PolicyExclude Map - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - bool
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - Include
Map PolicyInclude Map - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - Name string
- The friendly name of the AWS Firewall Manager Policy.
- Policy
Update stringToken - A unique identifier for each update to the policy.
- Remediation
Enabled bool - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- Resource
Set List<string>Ids - Dictionary<string, string>
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- Resource
Type string - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - Resource
Type List<string>Lists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - Security
Service PolicyPolicy Data Security Service Policy Data - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - Dictionary<string, string>
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level - Dictionary<string, string>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- Arn string
- Delete
All boolPolicy Resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - Delete
Unused boolFm Managed Resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - Description string
- The description of the AWS Network Firewall firewall policy.
- Exclude
Map PolicyExclude Map Args - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - bool
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - Include
Map PolicyInclude Map Args - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - Name string
- The friendly name of the AWS Firewall Manager Policy.
- Policy
Update stringToken - A unique identifier for each update to the policy.
- Remediation
Enabled bool - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- Resource
Set []stringIds - map[string]string
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- Resource
Type string - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - Resource
Type []stringLists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - Security
Service PolicyPolicy Data Security Service Policy Data Args - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - map[string]string
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level - map[string]string
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn String
- delete
All BooleanPolicy Resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - delete
Unused BooleanFm Managed Resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - description String
- The description of the AWS Network Firewall firewall policy.
- exclude
Map PolicyExclude Map - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - Boolean
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - include
Map PolicyInclude Map - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - name String
- The friendly name of the AWS Firewall Manager Policy.
- policy
Update StringToken - A unique identifier for each update to the policy.
- remediation
Enabled Boolean - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- resource
Set List<String>Ids - Map<String,String>
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- resource
Type String - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - resource
Type List<String>Lists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - security
Service PolicyPolicy Data Security Service Policy Data - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - Map<String,String>
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level - Map<String,String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn string
- delete
All booleanPolicy Resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - delete
Unused booleanFm Managed Resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - description string
- The description of the AWS Network Firewall firewall policy.
- exclude
Map PolicyExclude Map - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - boolean
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - include
Map PolicyInclude Map - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - name string
- The friendly name of the AWS Firewall Manager Policy.
- policy
Update stringToken - A unique identifier for each update to the policy.
- remediation
Enabled boolean - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- resource
Set string[]Ids - {[key: string]: string}
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- resource
Type string - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - resource
Type string[]Lists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - security
Service PolicyPolicy Data Security Service Policy Data - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - {[key: string]: string}
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level - {[key: string]: string}
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn str
- delete_
all_ boolpolicy_ resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - delete_
unused_ boolfm_ managed_ resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - description str
- The description of the AWS Network Firewall firewall policy.
- exclude_
map PolicyExclude Map Args - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - bool
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - include_
map PolicyInclude Map Args - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - name str
- The friendly name of the AWS Firewall Manager Policy.
- policy_
update_ strtoken - A unique identifier for each update to the policy.
- remediation_
enabled bool - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- resource_
set_ Sequence[str]ids - Mapping[str, str]
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- resource_
type str - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - resource_
type_ Sequence[str]lists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - security_
service_ Policypolicy_ data Security Service Policy Data Args - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - Mapping[str, str]
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level - Mapping[str, str]
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
- arn String
- delete
All BooleanPolicy Resources - If true, the request will also perform a clean-up process. Defaults to
true. More information can be found here AWS Firewall Manager delete policy - delete
Unused BooleanFm Managed Resources - If true, Firewall Manager will automatically remove protections from resources that leave the policy scope. Defaults to
false. More information can be found here AWS Firewall Manager policy contents - description String
- The description of the AWS Network Firewall firewall policy.
- exclude
Map Property Map - A map of lists of accounts and OU's to exclude from the policy. See the
exclude_mapblock. - Boolean
- A boolean value, if true the tags that are specified in the
resource_tagsare not protected by this policy. If set to false and resource_tags are populated, resources that contain tags will be protected by this policy. - include
Map Property Map - A map of lists of accounts and OU's to include in the policy. See the
include_mapblock. - name String
- The friendly name of the AWS Firewall Manager Policy.
- policy
Update StringToken - A unique identifier for each update to the policy.
- remediation
Enabled Boolean - A boolean value, indicates if the policy should automatically applied to resources that already exist in the account.
- resource
Set List<String>Ids - Map<String>
- A map of resource tags, that if present will filter protections on resources based on the exclude_resource_tags.
- resource
Type String - A resource type to protect. Conflicts with
resource_type_list. See the FMS API Reference for more information about supported values. - resource
Type List<String>Lists - A list of resource types to protect. Conflicts with
resource_type. See the FMS API Reference for more information about supported values. Lists with only one element are not supported, instead useresource_type. - security
Service Property MapPolicy Data - The objects to include in Security Service Policy Data. See the
security_service_policy_datablock. - Map<String>
- Key-value mapping of resource tags. If configured with a provider
default_tagsconfiguration block present, tags with matching keys will overwrite those defined at the provider-level - Map<String>
- A map of tags assigned to the resource, including those inherited from the provider
default_tagsconfiguration block.
Supporting Types
PolicyExcludeMap, PolicyExcludeMapArgs
- Accounts List<string>
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- Orgunits List<string>
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
- Accounts []string
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- Orgunits []string
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
- accounts List<String>
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- orgunits List<String>
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
- accounts string[]
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- orgunits string[]
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
- accounts Sequence[str]
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- orgunits Sequence[str]
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
- accounts List<String>
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- orgunits List<String>
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
PolicyIncludeMap, PolicyIncludeMapArgs
- Accounts List<string>
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- Orgunits List<string>
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
- Accounts []string
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- Orgunits []string
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
- accounts List<String>
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- orgunits List<String>
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
- accounts string[]
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- orgunits string[]
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
- accounts Sequence[str]
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- orgunits Sequence[str]
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
- accounts List<String>
- A list of AWS Organization member Accounts that you want to include for this AWS FMS Policy.
- orgunits List<String>
A list of IDs of the AWS Organizational Units that you want to include for this AWS FMS Policy. Specifying an OU is the equivalent of specifying all accounts in the OU and in any of its child OUs, including any child OUs and accounts that are added at a later time.
You can specify inclusions or exclusions, but not both. If you specify an
include_map, AWS Firewall Manager applies the policy to all accounts specified by theinclude_map, and does not evaluate anyexclude_mapspecifications. If you do not specify aninclude_map, then Firewall Manager applies the policy to all accounts except for those specified by theexclude_map.
PolicySecurityServicePolicyData, PolicySecurityServicePolicyDataArgs
- Type string
- An integer value containing ICMP type.
- Managed
Service stringData - Details about the service that are specific to the service type, in JSON format. For service type
SHIELD_ADVANCED, this is an empty string. Examples depending ontypecan be found in the AWS Firewall Manager SecurityServicePolicyData API Reference. - Policy
Option PolicySecurity Service Policy Data Policy Option - Contains the Network Firewall firewall policy options to configure a centralized deployment model. See the
policy_optionblock.
- Type string
- An integer value containing ICMP type.
- Managed
Service stringData - Details about the service that are specific to the service type, in JSON format. For service type
SHIELD_ADVANCED, this is an empty string. Examples depending ontypecan be found in the AWS Firewall Manager SecurityServicePolicyData API Reference. - Policy
Option PolicySecurity Service Policy Data Policy Option - Contains the Network Firewall firewall policy options to configure a centralized deployment model. See the
policy_optionblock.
- type String
- An integer value containing ICMP type.
- managed
Service StringData - Details about the service that are specific to the service type, in JSON format. For service type
SHIELD_ADVANCED, this is an empty string. Examples depending ontypecan be found in the AWS Firewall Manager SecurityServicePolicyData API Reference. - policy
Option PolicySecurity Service Policy Data Policy Option - Contains the Network Firewall firewall policy options to configure a centralized deployment model. See the
policy_optionblock.
- type string
- An integer value containing ICMP type.
- managed
Service stringData - Details about the service that are specific to the service type, in JSON format. For service type
SHIELD_ADVANCED, this is an empty string. Examples depending ontypecan be found in the AWS Firewall Manager SecurityServicePolicyData API Reference. - policy
Option PolicySecurity Service Policy Data Policy Option - Contains the Network Firewall firewall policy options to configure a centralized deployment model. See the
policy_optionblock.
- type str
- An integer value containing ICMP type.
- managed_
service_ strdata - Details about the service that are specific to the service type, in JSON format. For service type
SHIELD_ADVANCED, this is an empty string. Examples depending ontypecan be found in the AWS Firewall Manager SecurityServicePolicyData API Reference. - policy_
option PolicySecurity Service Policy Data Policy Option - Contains the Network Firewall firewall policy options to configure a centralized deployment model. See the
policy_optionblock.
- type String
- An integer value containing ICMP type.
- managed
Service StringData - Details about the service that are specific to the service type, in JSON format. For service type
SHIELD_ADVANCED, this is an empty string. Examples depending ontypecan be found in the AWS Firewall Manager SecurityServicePolicyData API Reference. - policy
Option Property Map - Contains the Network Firewall firewall policy options to configure a centralized deployment model. See the
policy_optionblock.
PolicySecurityServicePolicyDataPolicyOption, PolicySecurityServicePolicyDataPolicyOptionArgs
- Network
Acl PolicyCommon Policy Security Service Policy Data Policy Option Network Acl Common Policy - Defines NACL rules across accounts in their AWS Organization. See the
network_acl_common_policyblock. - Network
Firewall PolicyPolicy Security Service Policy Data Policy Option Network Firewall Policy - Defines the deployment model to use for the firewall policy. See the
network_firewall_policyblock. - Third
Party PolicyFirewall Policy Security Service Policy Data Policy Option Third Party Firewall Policy
- Network
Acl PolicyCommon Policy Security Service Policy Data Policy Option Network Acl Common Policy - Defines NACL rules across accounts in their AWS Organization. See the
network_acl_common_policyblock. - Network
Firewall PolicyPolicy Security Service Policy Data Policy Option Network Firewall Policy - Defines the deployment model to use for the firewall policy. See the
network_firewall_policyblock. - Third
Party PolicyFirewall Policy Security Service Policy Data Policy Option Third Party Firewall Policy
- network
Acl PolicyCommon Policy Security Service Policy Data Policy Option Network Acl Common Policy - Defines NACL rules across accounts in their AWS Organization. See the
network_acl_common_policyblock. - network
Firewall PolicyPolicy Security Service Policy Data Policy Option Network Firewall Policy - Defines the deployment model to use for the firewall policy. See the
network_firewall_policyblock. - third
Party PolicyFirewall Policy Security Service Policy Data Policy Option Third Party Firewall Policy
- network
Acl PolicyCommon Policy Security Service Policy Data Policy Option Network Acl Common Policy - Defines NACL rules across accounts in their AWS Organization. See the
network_acl_common_policyblock. - network
Firewall PolicyPolicy Security Service Policy Data Policy Option Network Firewall Policy - Defines the deployment model to use for the firewall policy. See the
network_firewall_policyblock. - third
Party PolicyFirewall Policy Security Service Policy Data Policy Option Third Party Firewall Policy
- network_
acl_ Policycommon_ policy Security Service Policy Data Policy Option Network Acl Common Policy - Defines NACL rules across accounts in their AWS Organization. See the
network_acl_common_policyblock. - network_
firewall_ Policypolicy Security Service Policy Data Policy Option Network Firewall Policy - Defines the deployment model to use for the firewall policy. See the
network_firewall_policyblock. - third_
party_ Policyfirewall_ policy Security Service Policy Data Policy Option Third Party Firewall Policy
- network
Acl Property MapCommon Policy - Defines NACL rules across accounts in their AWS Organization. See the
network_acl_common_policyblock. - network
Firewall Property MapPolicy - Defines the deployment model to use for the firewall policy. See the
network_firewall_policyblock. - third
Party Property MapFirewall Policy
PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicy, PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyArgs
- Network
Acl PolicyEntry Set Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set - Defines NACL entries for Network ACL policy. See the
network_acl_entry_setblock.
- Network
Acl PolicyEntry Set Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set - Defines NACL entries for Network ACL policy. See the
network_acl_entry_setblock.
- network
Acl PolicyEntry Set Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set - Defines NACL entries for Network ACL policy. See the
network_acl_entry_setblock.
- network
Acl PolicyEntry Set Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set - Defines NACL entries for Network ACL policy. See the
network_acl_entry_setblock.
- network_
acl_ Policyentry_ set Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set - Defines NACL entries for Network ACL policy. See the
network_acl_entry_setblock.
- network
Acl Property MapEntry Set - Defines NACL entries for Network ACL policy. See the
network_acl_entry_setblock.
PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySet, PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetArgs
- Force
Remediate boolFor First Entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- Force
Remediate boolFor Last Entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- First
Entries List<PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry> - The rules that you want to run first in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 1 and 5000. See the
first_entryblock. - Last
Entries List<PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry> - The rules that you want to run last in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 32000 and 32766. See the
last_entryblock.
- Force
Remediate boolFor First Entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- Force
Remediate boolFor Last Entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- First
Entries []PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry - The rules that you want to run first in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 1 and 5000. See the
first_entryblock. - Last
Entries []PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry - The rules that you want to run last in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 32000 and 32766. See the
last_entryblock.
- force
Remediate BooleanFor First Entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- force
Remediate BooleanFor Last Entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- first
Entries List<PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry> - The rules that you want to run first in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 1 and 5000. See the
first_entryblock. - last
Entries List<PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry> - The rules that you want to run last in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 32000 and 32766. See the
last_entryblock.
- force
Remediate booleanFor First Entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- force
Remediate booleanFor Last Entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- first
Entries PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry[] - The rules that you want to run first in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 1 and 5000. See the
first_entryblock. - last
Entries PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry[] - The rules that you want to run last in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 32000 and 32766. See the
last_entryblock.
- force_
remediate_ boolfor_ first_ entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- force_
remediate_ boolfor_ last_ entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- first_
entries Sequence[PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry] - The rules that you want to run first in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 1 and 5000. See the
first_entryblock. - last_
entries Sequence[PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry] - The rules that you want to run last in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 32000 and 32766. See the
last_entryblock.
- force
Remediate BooleanFor First Entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- force
Remediate BooleanFor Last Entries - A boolean value, if true Firewall Manager uses this setting when it finds policy violations that involve conflicts between the custom entries and the policy entries. If false Firewall Manager marks the network ACL as noncompliant and does not try to remediate.
- first
Entries List<Property Map> - The rules that you want to run first in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 1 and 5000. See the
first_entryblock. - last
Entries List<Property Map> - The rules that you want to run last in the Firewall Manager managed network ACLs. Firewall manager creates entries with ID value between 32000 and 32766. See the
last_entryblock.
PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntry, PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryArgs
- Egress bool
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- Protocol string
- The protocol number. A value of "-1" means all protocols.
- Rule
Action string - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - Cidr
Block string - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- Icmp
Type List<PolicyCodes Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry Icmp Type Code> - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - Ipv6Cidr
Block string - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- Port
Ranges List<PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry Port Range> - A configuration block for PortRange. See the
port_rangeblock.
- Egress bool
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- Protocol string
- The protocol number. A value of "-1" means all protocols.
- Rule
Action string - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - Cidr
Block string - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- Icmp
Type []PolicyCodes Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry Icmp Type Code - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - Ipv6Cidr
Block string - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- Port
Ranges []PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry Port Range - A configuration block for PortRange. See the
port_rangeblock.
- egress Boolean
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- protocol String
- The protocol number. A value of "-1" means all protocols.
- rule
Action String - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - cidr
Block String - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- icmp
Type List<PolicyCodes Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry Icmp Type Code> - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - ipv6Cidr
Block String - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- port
Ranges List<PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry Port Range> - A configuration block for PortRange. See the
port_rangeblock.
- egress boolean
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- protocol string
- The protocol number. A value of "-1" means all protocols.
- rule
Action string - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - cidr
Block string - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- icmp
Type PolicyCodes Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry Icmp Type Code[] - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - ipv6Cidr
Block string - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- port
Ranges PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry Port Range[] - A configuration block for PortRange. See the
port_rangeblock.
- egress bool
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- protocol str
- The protocol number. A value of "-1" means all protocols.
- rule_
action str - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - cidr_
block str - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- icmp_
type_ Sequence[Policycodes Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry Icmp Type Code] - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - ipv6_
cidr_ strblock - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- port_
ranges Sequence[PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set First Entry Port Range] - A configuration block for PortRange. See the
port_rangeblock.
- egress Boolean
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- protocol String
- The protocol number. A value of "-1" means all protocols.
- rule
Action String - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - cidr
Block String - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- icmp
Type List<Property Map>Codes - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - ipv6Cidr
Block String - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- port
Ranges List<Property Map> - A configuration block for PortRange. See the
port_rangeblock.
PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryIcmpTypeCode, PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryIcmpTypeCodeArgs
PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryPortRange, PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetFirstEntryPortRangeArgs
PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntry, PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryArgs
- Egress bool
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- Protocol string
- The protocol number. A value of "-1" means all protocols.
- Rule
Action string - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - Cidr
Block string - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- Icmp
Type List<PolicyCodes Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry Icmp Type Code> - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - Ipv6Cidr
Block string - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- Port
Ranges List<PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry Port Range> - A configuration block for PortRange. See the
port_rangeblock.
- Egress bool
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- Protocol string
- The protocol number. A value of "-1" means all protocols.
- Rule
Action string - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - Cidr
Block string - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- Icmp
Type []PolicyCodes Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry Icmp Type Code - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - Ipv6Cidr
Block string - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- Port
Ranges []PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry Port Range - A configuration block for PortRange. See the
port_rangeblock.
- egress Boolean
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- protocol String
- The protocol number. A value of "-1" means all protocols.
- rule
Action String - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - cidr
Block String - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- icmp
Type List<PolicyCodes Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry Icmp Type Code> - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - ipv6Cidr
Block String - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- port
Ranges List<PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry Port Range> - A configuration block for PortRange. See the
port_rangeblock.
- egress boolean
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- protocol string
- The protocol number. A value of "-1" means all protocols.
- rule
Action string - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - cidr
Block string - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- icmp
Type PolicyCodes Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry Icmp Type Code[] - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - ipv6Cidr
Block string - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- port
Ranges PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry Port Range[] - A configuration block for PortRange. See the
port_rangeblock.
- egress bool
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- protocol str
- The protocol number. A value of "-1" means all protocols.
- rule_
action str - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - cidr_
block str - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- icmp_
type_ Sequence[Policycodes Security Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry Icmp Type Code] - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - ipv6_
cidr_ strblock - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- port_
ranges Sequence[PolicySecurity Service Policy Data Policy Option Network Acl Common Policy Network Acl Entry Set Last Entry Port Range] - A configuration block for PortRange. See the
port_rangeblock.
- egress Boolean
- A boolean value, if true Firewall Manager creates egress rule. If false Firewall Manager creates ingress rule.
- protocol String
- The protocol number. A value of "-1" means all protocols.
- rule
Action String - A string value that indicates whether to allow or deny the traffic that matches the rule. Valid values:
allow,deny. - cidr
Block String - A string value containing the IPv4 network range to allow or deny, in CIDR notation.
- icmp
Type List<Property Map>Codes - A configuration block for ICMP protocol: The ICMP type and code. See the
icmp_type_codeblock. - ipv6Cidr
Block String - A string value containing the IPv6 network range to allow or deny, in CIDR notation.
- port
Ranges List<Property Map> - A configuration block for PortRange. See the
port_rangeblock.
PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryIcmpTypeCode, PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryIcmpTypeCodeArgs
PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryPortRange, PolicySecurityServicePolicyDataPolicyOptionNetworkAclCommonPolicyNetworkAclEntrySetLastEntryPortRangeArgs
PolicySecurityServicePolicyDataPolicyOptionNetworkFirewallPolicy, PolicySecurityServicePolicyDataPolicyOptionNetworkFirewallPolicyArgs
- Firewall
Deployment stringModel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
- Firewall
Deployment stringModel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
- firewall
Deployment StringModel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
- firewall
Deployment stringModel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
- firewall_
deployment_ strmodel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
- firewall
Deployment StringModel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
PolicySecurityServicePolicyDataPolicyOptionThirdPartyFirewallPolicy, PolicySecurityServicePolicyDataPolicyOptionThirdPartyFirewallPolicyArgs
- Firewall
Deployment stringModel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
- Firewall
Deployment stringModel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
- firewall
Deployment StringModel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
- firewall
Deployment stringModel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
- firewall_
deployment_ strmodel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
- firewall
Deployment StringModel - Defines the deployment model to use for the third-party firewall policy. Valid values are
CENTRALIZEDandDISTRIBUTED.
Import
Using pulumi import, import Firewall Manager policies using the policy ID. For example:
$ pulumi import aws:fms/policy:Policy example 5be49585-a7e3-4c49-dde1-a179fe4a619a
To learn more about importing existing cloud resources, see Importing resources.
Package Details
- Repository
- AWS Classic pulumi/pulumi-aws
- License
- Apache-2.0
- Notes
- This Pulumi package is based on the
awsTerraform Provider.