RuleGroup is the Schema for the RuleGroups API. Provides an AWS Network Firewall Rule Group resource.
Type: CRD
Group: networkfirewall.aws.upbound.io
Version: v1beta1
apiVersion: networkfirewall.aws.upbound.io/v1beta1
kind: RuleGroup
RuleGroupSpec defines the desired state of RuleGroup
No description provided.
A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please note that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.
No description provided.
Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
Reference to a ManagedPrefixList in ec2 to populate referenceArn.
Policies for referencing.
Selector for a ManagedPrefixList in ec2 to populate referenceArn.
Policies for selection.
A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
Set of configuration blocks that define IP address information. See IP Sets below for details.
A configuration block that defines a set of IP addresses. See IP Set below for details.
Set of port ranges.
Set of configuration blocks that define port range information. See Port Sets below for details.
A configuration block that defines a set of port ranges. See Port Set below for details.
Set of port ranges.
A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.
Set of domains that you want to inspect for in your traffic flows.
Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rules. See Custom Action below for details.
A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.
A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
THIS IS A BETA FIELD. It will be honored unless the Management Policies feature flag is disabled. InitProvider holds the same fields as ForProvider, with the exception of Identifier and other resource reference fields. The fields that are in InitProvider are merged into ForProvider when the resource is created. The same fields are also added to the terraform ignore_changes hook, to avoid updating them after creation. This is useful for fields that are required on creation but that we do not want to update after creation, for example because an external controller, such as an autoscaler, is managing them.
A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please note that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.
No description provided.
Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
Reference to a ManagedPrefixList in ec2 to populate referenceArn.
Policies for referencing.
Selector for a ManagedPrefixList in ec2 to populate referenceArn.
Policies for selection.
A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
Set of configuration blocks that define IP address information. See IP Sets below for details.
A configuration block that defines a set of IP addresses. See IP Set below for details.
Set of port ranges.
Set of configuration blocks that define port range information. See Port Sets below for details.
A configuration block that defines a set of port ranges. See Port Set below for details.
Set of port ranges.
A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.
Set of domains that you want to inspect for in your traffic flows.
Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rules. See Custom Action below for details.
A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.
A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
THIS IS A BETA FIELD. It is on by default but can be opted out through a Crossplane feature flag. ManagementPolicies specify the array of actions Crossplane is allowed to take on the managed and external resources. This field is planned to replace the DeletionPolicy field in a future release. Currently, both could be set independently and non-default values would be honored if the feature flag is enabled. If both are custom, the DeletionPolicy field will be ignored. See the design doc for more information: https://github.com/crossplane/crossplane/blob/499895a25d1a1a0ba1604944ef98ac7a1a71f197/design/design-doc-observe-only-resources.md?plain=1#L223 and this one: https://github.com/crossplane/crossplane/blob/444267e84783136daa93568b364a5f01228cacbe/design/one-pager-ignore-changes.md
ProviderConfigReference specifies how the provider that will be used to create, observe, update, and delete this managed resource should be configured.
Policies for referencing.
PublishConnectionDetailsTo specifies the connection secret config which contains a name, metadata and a reference to secret store config to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource.
WriteConnectionSecretToReference specifies the namespace and name of a Secret to which any connection details for this managed resource should be written. Connection details frequently include the endpoint, username, and password required to connect to the managed resource. This field is planned to be replaced in a future release in favor of PublishConnectionDetailsTo. Currently, both could be set independently and connection details would be published to both without affecting each other.
RuleGroupStatus defines the observed state of RuleGroup.
No description provided.
A configuration block that defines the rule group rules. Required unless rules is specified. See Rule Group below for details.
A configuration block that defines the IP Set References for the rule group. See Reference Sets below for details. Please note that there can only be a maximum of 5 reference_sets in a rule_group. See the AWS documentation for details.
No description provided.
Set of configuration blocks that define the IP Reference information. See IP Set Reference below for details.
A configuration block that defines additional settings available to use in the rules defined in the rule group. Can only be specified for stateful rule groups. See Rule Variables below for details.
Set of configuration blocks that define IP address information. See IP Sets below for details.
A configuration block that defines a set of IP addresses. See IP Set below for details.
Set of port ranges.
Set of configuration blocks that define port range information. See Port Sets below for details.
A configuration block that defines a set of port ranges. See Port Set below for details.
Set of port ranges.
A configuration block that defines the stateful or stateless rules for the rule group. See Rules Source below for details.
A configuration block containing stateful inspection criteria for a domain list rule group. See Rules Source List below for details.
Set of types of domain specifications that are provided in the targets argument. Valid values: HTTP_HOST, TLS_SNI.
Set of domains that you want to inspect for in your traffic flows.
Set of configuration blocks containing stateful inspection criteria for 5-tuple rules to be used together in a rule group. See Stateful Rule below for details.
A configuration block containing the stateful 5-tuple inspection criteria for the rule, used to inspect traffic flows. See Header below for details.
A configuration block containing stateless inspection criteria for a stateless rule group. See Stateless Rules and Custom Actions below for details.
Set of configuration blocks containing custom action definitions that are available for use by the set of stateless rules. See Custom Action below for details.
A configuration block describing the custom action associated with the action_name. See Action Definition below for details.
A configuration block describing the stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. You can pair this custom action with any of the standard stateless rule actions. See Publish Metric Action below for details.
Set of configuration blocks containing the stateless rules for use in the stateless rule group. See Stateless Rule below for details.
A configuration block defining the stateless 5-tuple packet inspection criteria and the action to take on a packet that matches the criteria. See Rule Definition below for details.
Set of actions to take on a packet that matches one of the stateless rule definition's match_attributes. For every rule you must specify 1 standard action, and you can add custom actions. Standard actions include: aws:pass, aws:drop, aws:forward_to_sfe.
A configuration block containing criteria for AWS Network Firewall to use to inspect an individual packet in stateless rule inspection. See Match Attributes below for details.
Set of configuration blocks describing the destination IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address. See Destination below for details.
Set of protocols to inspect for, specified using the protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.
Set of configuration blocks describing the source IP address and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address. See Source below for details.
Set of configuration blocks containing the TCP flags and masks to inspect for. If not specified, this matches with any settings.
Set of flags to look for in a packet. This setting can only specify values that are also specified in masks. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
Set of flags to consider in the inspection. To inspect all flags, leave this empty. Valid values: FIN, SYN, RST, PSH, ACK, URG, ECE, CWR.
A configuration block that defines stateful rule options for the rule group. See Stateful Rule Options below for details.
Conditions of the resource.
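The field descriptions above state several constraints that the API server does not enforce for you (ruleVariables only on STATEFUL groups, exactly one standard action per stateless rule, custom actions defined before use, tcpFlag flags restricted to values listed in masks). The following added example, which is not part of the provider's own code, checks a RuleGroup manifest (loaded into a dict, as yaml.safe_load would return it) against those constraints and also shows how a stateless tcpFlag block is evaluated against a packet's flags; the manifests it runs on are constructed inline.

```python
import copy

# Values the field descriptions on this page allow.
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}
STANDARD_ACTIONS = {"aws:pass", "aws:drop", "aws:forward_to_sfe"}


def tcp_flags_match(packet_flags, flags, masks):
    """Stateless tcpFlag semantics: only the flags named in masks are compared,
    those named in flags must be set and the other masked flags must be clear.
    Empty masks means every flag is inspected."""
    inspected = set(masks) or TCP_FLAGS
    return set(packet_flags) & inspected == set(flags)


def validate_rule_group(manifest):
    """Return the problems found in a RuleGroup manifest (empty list == OK)."""
    problems = []
    fp = manifest["spec"]["forProvider"]
    group_type = fp.get("type")
    for rg in fp.get("ruleGroup", []):
        # ruleVariables can only be specified for stateful rule groups
        if rg.get("ruleVariables") and group_type != "STATEFUL":
            problems.append("ruleVariables set on a %s rule group" % group_type)
        for src in rg.get("rulesSource", []):
            for block in src.get("statelessRulesAndCustomActions", []):
                custom = {c["actionName"] for c in block.get("customAction", [])}
                for rule in block.get("statelessRule", []):
                    prio = rule.get("priority")
                    for rd in rule.get("ruleDefinition", []):
                        acts = rd.get("actions", [])
                        # exactly one standard action; any other name must be a
                        # custom action defined in the same block
                        std = [a for a in acts if a in STANDARD_ACTIONS]
                        if len(std) != 1:
                            problems.append("rule %s: need 1 standard action, got %s" % (prio, std))
                        for a in acts:
                            if a not in STANDARD_ACTIONS and a not in custom:
                                problems.append("rule %s: undefined custom action %s" % (prio, a))
                        for ma in rd.get("matchAttributes", []):
                            for tf in ma.get("tcpFlag", []):
                                flags, masks = set(tf.get("flags", [])), set(tf.get("masks", []))
                                # flags may only name values that also appear in masks
                                if masks and not flags <= masks:
                                    problems.append("rule %s: flags %s missing from masks" % (prio, sorted(flags - masks)))
    return problems


# Constructed input: the stateless "rulegroup" example on this page, as the dict
# yaml.safe_load would produce (fields the checks do not need are omitted).
GOOD = {"spec": {"forProvider": {"type": "STATELESS", "ruleGroup": [{"rulesSource": [{
    "statelessRulesAndCustomActions": [{
        "customAction": [{"actionName": "ExampleMetricsAction"}],
        "statelessRule": [{"priority": 1, "ruleDefinition": [{
            "actions": ["aws:pass", "ExampleMetricsAction"],
            "matchAttributes": [{"tcpFlag": [{"flags": ["SYN"], "masks": ["SYN", "ACK"]}]}]}]}]}]}]}]}}}

# Constructed faulty variant: two standard actions, and FIN in flags but not in masks.
BAD = copy.deepcopy(GOOD)
_rd = BAD["spec"]["forProvider"]["ruleGroup"][0]["rulesSource"][0][
    "statelessRulesAndCustomActions"][0]["statelessRule"][0]["ruleDefinition"][0]
_rd["actions"] = ["aws:pass", "aws:drop"]
_rd["matchAttributes"][0]["tcpFlag"][0]["flags"] = ["SYN", "FIN"]
```

Running validate_rule_group on GOOD returns an empty list, and on BAD returns the two problems described in its comment.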
example
apiVersion: networkfirewall.aws.upbound.io/v1beta1
kind: RuleGroup
metadata:
  annotations:
    meta.upbound.io/example-id: networkfirewall/v1beta1/rulegroup
  labels:
    testing.upbound.io/example-name: example
  name: example
spec:
  forProvider:
    capacity: 100
    name: example
    region: us-west-1
    ruleGroup:
    - rulesSource:
      - rulesSourceList:
        - generatedRulesType: DENYLIST
          targetTypes:
          - HTTP_HOST
          targets:
          - test.example.com
    tags:
      Tag1: Value1
      Tag2: Value2
    type: STATEFUL
rulegroup
apiVersion: networkfirewall.aws.upbound.io/v1beta1
kind: RuleGroup
metadata:
  annotations:
    meta.upbound.io/example-id: networkfirewall/v1beta1/firewall
    uptest.upbound.io/timeout: "3600"
  labels:
    testing.upbound.io/example-name: example
  name: rulegroup
spec:
  forProvider:
    capacity: 100
    name: rulegroup
    region: us-west-1
    ruleGroup:
    - rulesSource:
      - statelessRulesAndCustomActions:
        - customAction:
          - actionDefinition:
            - publishMetricAction:
              - dimension:
                - value: "2"
            actionName: ExampleMetricsAction
          statelessRule:
          - priority: 1
            ruleDefinition:
            - actions:
              - aws:pass
              - ExampleMetricsAction
              matchAttributes:
              - destination:
                - addressDefinition: 124.1.1.5/32
                destinationPort:
                - fromPort: 443
                  toPort: 443
                protocols:
                - 6
                source:
                - addressDefinition: 1.2.3.4/32
                sourcePort:
                - fromPort: 443
                  toPort: 443
                tcpFlag:
                - flags:
                  - SYN
                  masks:
                  - SYN
                  - ACK
    tags:
      Tag1: Value1
      Tag2: Value2
    type: STATELESS
example-allow-domainlist
apiVersion: networkfirewall.aws.upbound.io/v1beta1
kind: RuleGroup
metadata:
  annotations:
    meta.upbound.io/example-id: networkfirewall/v1beta1/firewallpolicy
  labels:
    testing.upbound.io/example-name: example-allow-domainlist
  name: example-allow-domainlist
spec:
  forProvider:
    capacity: 1000
    name: example-allow-domainlist
    region: us-west-1
    ruleGroup:
    - ruleVariables:
      - ipSets:
        - ipSet:
          - definition:
            - 10.0.0.0/8
          key: HOME_NET
      rulesSource:
      - rulesSourceList:
        - generatedRulesType: ALLOWLIST
          targetTypes:
          - TLS_SNI
          - HTTP_HOST
          targets:
          - xpkg.upbound.io
    type: STATEFUL
example-deny
apiVersion: networkfirewall.aws.upbound.io/v1beta1
kind: RuleGroup
metadata:
  annotations:
    meta.upbound.io/example-id: networkfirewall/v1beta1/firewallpolicy
  labels:
    testing.upbound.io/example-name: example-deny
  name: example-deny
spec:
  forProvider:
    capacity: 300
    name: example-deny
    region: us-west-1
    ruleGroup:
    - ruleVariables:
      - ipSets:
        - ipSet:
          - definition:
            - 10.0.0.0/8
          key: UP_NET
        - ipSet:
          - definition:
            - 172.16.0.0/16
          key: TGW_NET
      rulesSource:
      - rulesString: >
          drop ip $TGW_NET,$UP_NET any <> $EXTERNAL_NET any (msg: "Drop
          non-TCP traffic."; ip_proto:!TCP;sid:1003; rev:1;)
          drop tcp $TGW_NET any -> $EXTERNAL_NET [!443] (msg:"Drop All non-TCP:443"; sid:1002; priority:2; rev:1;)
          drop tcp $UP_NET any -> $EXTERNAL_NET [!443] (msg:"Drop All non-TCP:443"; sid:1001; priority:1; rev:1;)
    type: STATEFUL
example
apiVersion: networkfirewall.aws.upbound.io/v1beta1
kind: RuleGroup
metadata:
  annotations:
    meta.upbound.io/example-id: networkfirewall/v1beta1/firewallpolicy
  labels:
    testing.upbound.io/example-name: example
  name: example
spec:
  forProvider:
    capacity: 100
    name: example
    region: us-west-1
    ruleGroup:
    - rulesSource:
      - statelessRulesAndCustomActions:
        - customAction:
          - actionDefinition:
            - publishMetricAction:
              - dimension:
                - value: "2"
            actionName: ExampleMetricsAction
          statelessRule:
          - priority: 1
            ruleDefinition:
            - actions:
              - aws:pass
              - ExampleMetricsAction
              matchAttributes:
              - destination:
                - addressDefinition: 124.1.1.5/32
                destinationPort:
                - fromPort: 443
                  toPort: 443
                protocols:
                - 6
                source:
                - addressDefinition: 1.2.3.4/32
                sourcePort:
                - fromPort: 443
                  toPort: 443
                tcpFlag:
                - flags:
                  - SYN
                  masks:
                  - SYN
                  - ACK
    tags:
      Tag1: Value1
      Tag2: Value2
    type: STATELESS
example-forward-all
apiVersion: networkfirewall.aws.upbound.io/v1beta1
kind: RuleGroup
metadata:
  annotations:
    meta.upbound.io/example-id: networkfirewall/v1beta1/firewallpolicy
  labels:
    testing.upbound.io/example-name: example-forward-all
  name: example-forward-all
spec:
  forProvider:
    capacity: 1
    name: example-forward-all
    region: us-west-1
    ruleGroup:
    - rulesSource:
      - statelessRulesAndCustomActions:
        - statelessRule:
          - priority: 1
            ruleDefinition:
            - actions:
              - aws:forward_to_sfe
              matchAttributes:
              - destination:
                - addressDefinition: 0.0.0.0/0
                source:
                - addressDefinition: 0.0.0.0/0
    type: STATELESS
© 2022 Upbound, Inc.