feat(client-fms): Add support NetworkFirewall Managed Rule Group Over…
…ride flag in GetViolationDetails API
awstools committed Oct 27, 2022
1 parent 3711a1f commit 7586f6e
Showing 3 changed files with 812 additions and 611 deletions.
132 changes: 80 additions & 52 deletions clients/client-fms/src/models/models_0.ts
Expand Up @@ -779,58 +779,6 @@ export interface SecurityServicePolicyData {
* </p>
* </li>
* <li>
* <p>Specification for <code>SHIELD_ADVANCED</code> for Amazon CloudFront distributions </p>
* <p>
* <code>"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\":
* {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\",
* \"automaticResponseAction\":\"BLOCK|COUNT\"},
* \"overrideCustomerWebaclClassic\":true|false}"</code>
* </p>
* <p>For example:
* <code>"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\":
* {\"automaticResponseStatus\":\"ENABLED\",
* \"automaticResponseAction\":\"COUNT\"}}"</code>
* </p>
* <p>The default value for <code>automaticResponseStatus</code> is
* <code>IGNORED</code>. The value for <code>automaticResponseAction</code> is only
* required when <code>automaticResponseStatus</code> is set to <code>ENABLED</code>.
* The default value for <code>overrideCustomerWebaclClassic</code> is
* <code>false</code>.</p>
* <p>For other resource types that you can protect with a Shield Advanced policy, this
* <code>ManagedServiceData</code> configuration is an empty string.</p>
* </li>
* <li>
* <p>Example: <code>WAFV2</code>
* </p>
* <p>
* <code>"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"</code>
* </p>
* <p>In the <code>loggingConfiguration</code>, you can specify one
* <code>logDestinationConfigs</code>, you can optionally provide up to 20
* <code>redactedFields</code>, and the <code>RedactedFieldType</code> must be one of
* <code>URI</code>, <code>QUERY_STRING</code>, <code>HEADER</code>, or
* <code>METHOD</code>.</p>
* </li>
* <li>
* <p>Example: <code>WAF Classic</code>
* </p>
* <p>
* <code>"{\"type\": \"WAF\", \"ruleGroups\":
* [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", \"overrideAction\" : {\"type\":
* \"COUNT\"}}], \"defaultAction\": {\"type\": \"BLOCK\"}}"</code>
* </p>
* </li>
* <li>
* <p>Example: <code>WAFV2</code> - Firewall Manager support for WAF managed rule group versioning
* </p>
* <p>
* <code>"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"</code>
* </p>
* <p>
* To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set <code>versionEnabled</code> to <code>true</code>, and set <code>version</code> to the version you'd like to use. If you don't set <code>versionEnabled</code> to <code>true</code>, or if you omit <code>versionEnabled</code>, then Firewall Manager uses the default version of the WAF managed rule group.
* </p>
* </li>
* <li>
* <p>Example: <code>SECURITY_GROUPS_COMMON</code>
* </p>
* <p>
Expand Down Expand Up @@ -880,6 +828,58 @@ export interface SecurityServicePolicyData {
* <code>"{\"type\":\"SECURITY_GROUPS_USAGE_AUDIT\",\"deleteUnusedSecurityGroups\":true,\"coalesceRedundantSecurityGroups\":true}"</code>
* </p>
* </li>
* <li>
* <p>Specification for <code>SHIELD_ADVANCED</code> for Amazon CloudFront distributions </p>
* <p>
* <code>"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\":
* {\"automaticResponseStatus\":\"ENABLED|IGNORED|DISABLED\",
* \"automaticResponseAction\":\"BLOCK|COUNT\"},
* \"overrideCustomerWebaclClassic\":true|false}"</code>
* </p>
* <p>For example:
* <code>"{\"type\":\"SHIELD_ADVANCED\",\"automaticResponseConfiguration\":
* {\"automaticResponseStatus\":\"ENABLED\",
* \"automaticResponseAction\":\"COUNT\"}}"</code>
* </p>
* <p>The default value for <code>automaticResponseStatus</code> is
* <code>IGNORED</code>. The value for <code>automaticResponseAction</code> is only
* required when <code>automaticResponseStatus</code> is set to <code>ENABLED</code>.
* The default value for <code>overrideCustomerWebaclClassic</code> is
* <code>false</code>.</p>
* <p>For other resource types that you can protect with a Shield Advanced policy, this
* <code>ManagedServiceData</code> configuration is an empty string.</p>
* </li>
* <li>
* <p>Example: <code>WAFV2</code>
* </p>
* <p>
* <code>"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"version\":null,\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesAmazonIpReputationList\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"</code>
* </p>
* <p>In the <code>loggingConfiguration</code>, you can specify one
* <code>logDestinationConfigs</code>, you can optionally provide up to 20
* <code>redactedFields</code>, and the <code>RedactedFieldType</code> must be one of
* <code>URI</code>, <code>QUERY_STRING</code>, <code>HEADER</code>, or
* <code>METHOD</code>.</p>
* </li>
* <li>
* <p>Example: <code>WAFV2</code> - Firewall Manager support for WAF managed rule group versioning
* </p>
* <p>
* <code>"{\"type\":\"WAFV2\",\"preProcessRuleGroups\":[{\"ruleGroupArn\":null,\"overrideAction\":{\"type\":\"NONE\"},\"managedRuleGroupIdentifier\":{\"versionEnabled\":true,\"version\":\"Version_2.0\",\"vendorName\":\"AWS\",\"managedRuleGroupName\":\"AWSManagedRulesCommonRuleSet\"},\"ruleGroupType\":\"ManagedRuleGroup\",\"excludeRules\":[{\"name\":\"NoUserAgent_HEADER\"}]}],\"postProcessRuleGroups\":[],\"defaultAction\":{\"type\":\"ALLOW\"},\"overrideCustomerWebACLAssociation\":false,\"loggingConfiguration\":{\"logDestinationConfigs\":[\"arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination\"],\"redactedFields\":[{\"redactedFieldType\":\"SingleHeader\",\"redactedFieldValue\":\"Cookies\"},{\"redactedFieldType\":\"Method\"}]}}"</code>
* </p>
* <p>
* To use a specific version of a WAF managed rule group in your Firewall Manager policy, you must set <code>versionEnabled</code> to <code>true</code>, and set <code>version</code> to the version you'd like to use. If you don't set <code>versionEnabled</code> to <code>true</code>, or if you omit <code>versionEnabled</code>, then Firewall Manager uses the default version of the WAF managed rule group.
* </p>
* </li>
* <li>
* <p>Example: <code>WAF Classic</code>
* </p>
* <p>
* <code>"{\"type\": \"WAF\", \"ruleGroups\":
* [{\"id\":\"12345678-1bcd-9012-efga-0987654321ab\", \"overrideAction\" : {\"type\":
* \"COUNT\"}}], \"defaultAction\": {\"type\": \"BLOCK\"}}"</code>
* </p>
* </li>
* </ul>
*/
ManagedServiceData?: string;
Expand Down Expand Up @@ -1931,6 +1931,20 @@ export interface StatefulEngineOptions {
RuleOrder?: RuleOrder | string;
}

export enum NetworkFirewallOverrideAction {
DROP_TO_ALERT = "DROP_TO_ALERT",
}

/**
* <p>The setting that allows the policy owner to change the behavior of the rule group within a policy.</p>
*/
export interface NetworkFirewallStatefulRuleGroupOverride {
/**
* <p>The action that changes the rule group from <code>DROP</code> to <code>ALERT</code>. This only applies to managed rule groups.</p>
*/
Action?: NetworkFirewallOverrideAction | string;
}

/**
* <p>Network Firewall stateful rule group, used in a <a>NetworkFirewallPolicyDescription</a>. </p>
*/
Expand Down Expand Up @@ -1959,6 +1973,11 @@ export interface StatefulRuleGroup {
* </p>
*/
Priority?: number;

/**
* <p>The action that allows the policy owner to override the behavior of the rule group within a policy.</p>
*/
Override?: NetworkFirewallStatefulRuleGroupOverride;
}

/**
Expand Down Expand Up @@ -3729,6 +3748,15 @@ export const StatefulEngineOptionsFilterSensitiveLog = (obj: StatefulEngineOptio
...obj,
});

/**
* @internal
*/
export const NetworkFirewallStatefulRuleGroupOverrideFilterSensitiveLog = (
obj: NetworkFirewallStatefulRuleGroupOverride
): any => ({
...obj,
});

/**
* @internal
*/
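Review bot: The doc comment added on `StatefulRuleGroup.Override` does not say what the override actually does, and that is the part a policy auditor needs: per the `Action` comment in the `NetworkFirewallStatefulRuleGroupOverride` hunk, `DROP_TO_ALERT` moves a managed rule group from `DROP` to `ALERT`, i.e. from blocking to alert-only. I would reword the field comment to `<p>Override applied by the policy owner to this rule group. <code>DROP_TO_ALERT</code> changes a managed rule group from <code>DROP</code> to <code>ALERT</code>.</p>` so the effect is visible where GetViolationDetails output is read. The `Action` field is typed `NetworkFirewallOverrideAction | string`, so its comment should also note that values outside the enum are possible and callers should compare against `NetworkFirewallOverrideAction.DROP_TO_ALERT` explicitly. The file looks generated, so the wording probably has to change in the service model rather than here.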
14 changes: 14 additions & 0 deletions clients/client-fms/src/protocols/Aws_json1_1.ts
Expand Up @@ -177,6 +177,7 @@ import {
NetworkFirewallPolicy,
NetworkFirewallPolicyDescription,
NetworkFirewallPolicyModifiedViolation,
NetworkFirewallStatefulRuleGroupOverride,
NetworkFirewallUnexpectedFirewallRoutesViolation,
NetworkFirewallUnexpectedGatewayRoutesViolation,
PartialMatch,
Expand Down Expand Up @@ -3482,6 +3483,15 @@ const deserializeAws_json1_1NetworkFirewallPolicyModifiedViolation = (
} as any;
};

const deserializeAws_json1_1NetworkFirewallStatefulRuleGroupOverride = (
output: any,
context: __SerdeContext
): NetworkFirewallStatefulRuleGroupOverride => {
return {
Action: __expectString(output.Action),
} as any;
};

const deserializeAws_json1_1NetworkFirewallUnexpectedFirewallRoutesViolation = (
output: any,
context: __SerdeContext
Expand Down Expand Up @@ -4182,6 +4192,10 @@ const deserializeAws_json1_1StatefulEngineOptions = (output: any, context: __Ser

const deserializeAws_json1_1StatefulRuleGroup = (output: any, context: __SerdeContext): StatefulRuleGroup => {
return {
Override:
output.Override != null
? deserializeAws_json1_1NetworkFirewallStatefulRuleGroupOverride(output.Override, context)
: undefined,
Priority: __expectInt32(output.Priority),
ResourceId: __expectString(output.ResourceId),
RuleGroupName: __expectString(output.RuleGroupName),
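Review bot: `deserializeAws_json1_1NetworkFirewallStatefulRuleGroupOverride` closes its object literal with `} as any;`, which switches off the check of that literal against the declared return type, so a misspelled or missing field would compile silently. The literal looks assignable to `NetworkFirewallStatefulRuleGroupOverride` as written, so the cast could probably be dropped: `return { Action: __expectString(output.Action) };`. Separately, `__expectString` checks only that the value is a string, so whatever the service returns becomes `Action`; a comment such as `// Action is not validated against NetworkFirewallOverrideAction; unknown values pass through` would make that explicit for consumers who alert on enforcement downgrades. The `StatefulRuleGroup` deserializer body continues outside the hunk.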