RuleGroup is the Schema for the RuleGroups API. Provides an AWS Network Firewall Rule Group resource.
Type
CRD
Group
networkfirewall.aws.upbound.io
Version
v1beta1
apiVersion: networkfirewall.aws.upbound.io/v1beta1
kind: RuleGroup
RuleGroupSpec defines the desired state of RuleGroup
No description provided.
A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
Set of configuration blocks that define IP address information. See IP Sets below for details.
A configuration block that defines a set of IP addresses. See IP Set below for details.
Set of port ranges.
Set of configuration blocks that define port range information. See Port Sets below for details.
A configuration block that defines a set of port ranges. See Port Set below for details.
Set of port ranges.
A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.
Set of domains that you want to inspect for in your traffic flows.
Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rule. See Custom Action below for details.
A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.
A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured.
Policies for referencing.
ProviderReference specifies the provider that will be used to create, observe, update, and delete this managed resource. Deprecated: Please use ProviderConfigReference, i.e. providerConfigRef
Policies for referencing.
PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.
WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.
RuleGroupStatus defines the observed state of RuleGroup.
No description provided.
Conditions of the resource.
example
apiVersion: networkfirewall.aws.upbound.io/v1beta1
kind: RuleGroup
metadata:
annotations:
meta.upbound.io/example-id: networkfirewall/v1beta1/rulegroup
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
capacity: 100
name: example
region: us-west-1
ruleGroup:
- rulesSource:
- rulesSourceList:
- generatedRulesType: DENYLIST
targetTypes:
- HTTP_HOST
targets:
- test.example.com
tags:
Tag1: Value1
Tag2: Value2
type: STATEFUL
example
apiVersion: networkfirewall.aws.upbound.io/v1beta1
kind: RuleGroup
metadata:
annotations:
meta.upbound.io/example-id: networkfirewall/v1beta1/firewallpolicy
labels:
testing.upbound.io/example-name: example
name: example
spec:
forProvider:
capacity: 100
name: example
region: us-west-1
ruleGroup:
- rulesSource:
- statelessRulesAndCustomActions:
- customAction:
- actionDefinition:
- publishMetricAction:
- dimension:
- value: "2"
actionName: ExampleMetricsAction
statelessRule:
- priority: 1
ruleDefinition:
- actions:
- aws:pass
- ExampleMetricsAction
matchAttributes:
- destination:
- addressDefinition: 124.1.1.5/32
destinationPort:
- fromPort: 443
toPort: 443
protocols:
- 6
source:
- addressDefinition: 1.2.3.4/32
sourcePort:
- fromPort: 443
toPort: 443
tcpFlag:
- flags:
- SYN
masks:
- SYN
- ACK
tags:
Tag1: Value1
Tag2: Value2
type: STATELESS
© 2022 Upbound, Inc.
Discover the building blocksfor your internal cloud platform.