{ "description": "FirewallPolicy is the Schema for the FirewallPolicies API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "FirewallPolicySpec defines the desired state of FirewallPolicy. \n The firewall policy defines the behavior of a firewall using a collection of stateless and stateful rule groups and other settings. You can use one firewall policy for multiple firewalls. \n This, along with FirewallPolicyResponse, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.", "properties": { "description": { "description": "A description of the firewall policy.", "type": "string" }, "encryptionConfiguration": { "description": "A complex type that contains settings for encryption of your firewall policy resources.", "properties": { "keyID": { "type": "string" }, "type_": { "type": "string" } }, "type": "object", "additionalProperties": false }, "firewallPolicy": { "description": "The rule groups and policy actions to use in the firewall policy.", "properties": { "statefulDefaultActions": { "items": { "type": "string" }, "type": "array" }, "statefulEngineOptions": { "description": "Configuration settings for the handling of the stateful rule groups in a firewall policy.", "properties": { "ruleOrder": { "type": "string" } }, "type": "object", "additionalProperties": false }, "statefulRuleGroupReferences": { "items": { "description": "Identifier for a single stateful rule group, used in a firewall policy to refer to a rule group.", "properties": { "override": { "description": "The setting that allows the policy owner to change the behavior of the rule group within a policy.", "properties": { "action": { "type": "string" } }, "type": "object", "additionalProperties": false }, "priority": { "format": "int64", "type": "integer" }, "resourceARN": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "statelessCustomActions": { "items": { "description": "An optional, non-standard action to use for stateless packet handling. You can define this in addition to the standard action that you must specify. \n You define and name the custom actions that you want to be able to use, and then you reference them by name in your actions settings. \n You can use custom actions in the following places: \n - In a rule group's StatelessRulesAndCustomActions specification. The custom actions are available for use by name inside the StatelessRulesAndCustomActions where you define them. You can use them for your stateless rule actions to specify what to do with a packet that matches the rule's match attributes. \n - In a FirewallPolicy specification, in StatelessCustomActions. The custom actions are available for use inside the policy where you define them. You can use them for the policy's default stateless actions settings to specify what to do with packets that don't match any of the policy's stateless rules.", "properties": { "actionDefinition": { "description": "A custom action to use in stateless rule actions settings. This is used in CustomAction.", "properties": { "publishMetricAction": { "description": "Stateless inspection criteria that publishes the specified metrics to Amazon CloudWatch for the matching packet. This setting defines a CloudWatch dimension value to be published.", "properties": { "dimensions": { "items": { "description": "The value to use in an Amazon CloudWatch custom metric dimension. This is used in the PublishMetrics CustomAction. A CloudWatch custom metric dimension is a name/value pair that's part of the identity of a metric. \n Network Firewall sets the dimension name to CustomAction and you provide the dimension value. \n For more information about CloudWatch custom metric dimensions, see Publishing Custom Metrics (https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/publishingMetrics.html#usingDimensions) in the Amazon CloudWatch User Guide (https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/WhatIsCloudWatch.html).", "properties": { "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "actionName": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "statelessDefaultActions": { "items": { "type": "string" }, "type": "array" }, "statelessFragmentDefaultActions": { "items": { "type": "string" }, "type": "array" }, "statelessRuleGroupReferences": { "items": { "description": "Identifier for a single stateless rule group, used in a firewall policy to refer to the rule group.", "properties": { "priority": { "format": "int64", "type": "integer" }, "resourceARN": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "firewallPolicyName": { "description": "The descriptive name of the firewall policy. You can't change the name of a firewall policy after you create it.", "type": "string" }, "tags": { "description": "The key:value pairs to associate with the resource.", "items": { "description": "A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each Amazon Web Services resource.", "properties": { "key": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "firewallPolicy", "firewallPolicyName" ], "type": "object", "additionalProperties": false }, "status": { "description": "FirewallPolicyStatus defines the observed state of FirewallPolicy", "properties": { "ackResourceMetadata": { "description": "All CRs managed by ACK have a common `Status.ACKResourceMetadata` member that is used to contain resource sync state, account ownership, constructed ARN for the resource", "properties": { "arn": { "description": "ARN is the Amazon Resource Name for the resource. This is a globally-unique identifier and is set only by the ACK service controller once the controller has orchestrated the creation of the resource OR when it has verified that an \"adopted\" resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR's Spec field values. TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270", "type": "string" }, "ownerAccountID": { "description": "OwnerAccountID is the AWS Account ID of the account that owns the backend AWS service API resource.", "type": "string" }, "region": { "description": "Region is the AWS region in which the resource exists or will exist.", "type": "string" } }, "required": [ "ownerAccountID", "region" ], "type": "object", "additionalProperties": false }, "conditions": { "description": "All CRS managed by ACK have a common `Status.Conditions` member that contains a collection of `ackv1alpha1.Condition` objects that describe the various terminal states of the CR and its backend AWS service API resource", "items": { "description": "Condition is the common struct used by all CRDs managed by ACK service controllers to indicate terminal states of the CR and its backend AWS service API resource", "properties": { "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition.", "type": "string" }, "status": { "description": "Status of the condition, one of True, False, Unknown.", "type": "string" }, "type": { "description": "Type is the type of the Condition", "type": "string" } }, "required": [ "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array" }, "firewallPolicyResponse": { "description": "The high-level properties of a firewall policy. This, along with the FirewallPolicy, define the policy. You can retrieve all objects for a firewall policy by calling DescribeFirewallPolicy.", "properties": { "consumedStatefulRuleCapacity": { "format": "int64", "type": "integer" }, "consumedStatelessRuleCapacity": { "format": "int64", "type": "integer" }, "description": { "type": "string" }, "encryptionConfiguration": { "description": "A complex type that contains optional Amazon Web Services Key Management Service (KMS) encryption settings for your Network Firewall resources. Your data is encrypted by default with an Amazon Web Services owned key that Amazon Web Services owns and manages for you. You can use either the Amazon Web Services owned key, or provide your own customer managed key. To learn more about KMS encryption of your Network Firewall resources, see Encryption at rest with Amazon Web Services Key Managment Service (https://docs.aws.amazon.com/kms/latest/developerguide/kms-encryption-at-rest.html) in the Network Firewall Developer Guide.", "properties": { "keyID": { "type": "string" }, "type_": { "type": "string" } }, "type": "object", "additionalProperties": false }, "firewallPolicyARN": { "type": "string" }, "firewallPolicyID": { "type": "string" }, "firewallPolicyName": { "type": "string" }, "firewallPolicyStatus": { "type": "string" }, "lastModifiedTime": { "format": "date-time", "type": "string" }, "numberOfAssociations": { "format": "int64", "type": "integer" }, "tags": { "items": { "description": "A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each Amazon Web Services resource.", "properties": { "key": { "type": "string" }, "value": { "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "updateToken": { "description": "A token used for optimistic locking. Network Firewall returns a token to your requests that access the firewall policy. The token marks the state of the policy resource at the time of the request. \n To make changes to the policy, you provide the token in your request. Network Firewall uses the token to ensure that the policy hasn't changed since you last retrieved it. If it has changed, the operation fails with an InvalidTokenException. If this happens, retrieve the firewall policy again to get a current copy of it with current token. Reapply your changes as needed, then try the operation again using the new token.", "type": "string" } }, "type": "object", "additionalProperties": false } }, "type": "object" }