aws-sdk-fms 1.46.0 → 1.49.0

data/lib/aws-sdk-fms/types.rb

@@ -200,6 +200,54 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass AssociateThirdPartyFirewallRequest
+    #   data as a hash:
+    #
+    #       {
+    #         third_party_firewall: "PALO_ALTO_NETWORKS_CLOUD_NGFW", # required, accepts PALO_ALTO_NETWORKS_CLOUD_NGFW
+    #       }
+    #
+    # @!attribute [rw] third_party_firewall
+    #   The name of the third-party firewall vendor.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/AssociateThirdPartyFirewallRequest AWS API Documentation
+    #
+    class AssociateThirdPartyFirewallRequest < Struct.new(
+      :third_party_firewall)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] third_party_firewall_status
+    #   The current status for setting a Firewall Manager policy
+    #   administrator's account as an administrator of the third-party
+    #   firewall tenant.
+    #
+    #   * `ONBOARDING` - The Firewall Manager policy administrator is being
+    #     designated as a tenant administrator.
+    #
+    #   * `ONBOARD_COMPLETE` - The Firewall Manager policy administrator is
+    #     designated as a tenant administrator.
+    #
+    #   * `OFFBOARDING` - The Firewall Manager policy administrator is being
+    #     removed as a tenant administrator.
+    #
+    #   * `OFFBOARD_COMPLETE` - The Firewall Manager policy administrator
+    #     has been removed as a tenant administrator.
+    #
+    #   * `NOT_EXIST` - The Firewall Manager policy administrator doesn't
+    #     exist as a tenant administrator.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/AssociateThirdPartyFirewallResponse AWS API Documentation
+    #
+    class AssociateThirdPartyFirewallResponse < Struct.new(
+      :third_party_firewall_status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Violation detail for an EC2 instance resource.
     #
     # @!attribute [rw] violation_target
@@ -294,12 +342,18 @@ module Aws::FMS
     #   [1]: https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html
     #   @return [String]
     #
+    # @!attribute [rw] metadata
+    #   Metadata about the resource that doesn't comply with the policy
+    #   scope.
+    #   @return [Hash<String,String>]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ComplianceViolator AWS API Documentation
     #
     class ComplianceViolator < Struct.new(
       :resource_id,
       :violation_reason,
-      :resource_type)
+      :resource_type,
+      :metadata)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -412,6 +466,38 @@ module Aws::FMS
     #
     class DisassociateAdminAccountRequest < Aws::EmptyStructure; end
 
+    # @note When making an API call, you may pass DisassociateThirdPartyFirewallRequest
+    #   data as a hash:
+    #
+    #       {
+    #         third_party_firewall: "PALO_ALTO_NETWORKS_CLOUD_NGFW", # required, accepts PALO_ALTO_NETWORKS_CLOUD_NGFW
+    #       }
+    #
+    # @!attribute [rw] third_party_firewall
+    #   The name of the third-party firewall vendor.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DisassociateThirdPartyFirewallRequest AWS API Documentation
+    #
+    class DisassociateThirdPartyFirewallRequest < Struct.new(
+      :third_party_firewall)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] third_party_firewall_status
+    #   The current status for the disassociation of a Firewall Manager
+    #   administrators account with a third-party firewall.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/DisassociateThirdPartyFirewallResponse AWS API Documentation
+    #
+    class DisassociateThirdPartyFirewallResponse < Struct.new(
+      :third_party_firewall_status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A DNS Firewall rule group that Firewall Manager tried to associate
     # with a VPC is already associated with the VPC and can't be associated
     # again.
@@ -810,6 +896,103 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # Contains information about the actions that you can take to remediate
+    # scope violations caused by your policy's `FirewallCreationConfig`.
+    # `FirewallCreationConfig` is an optional configuration that you can use
+    # to choose which Availability Zones Firewall Manager creates Network
+    # Firewall endpoints in.
+    #
+    # @!attribute [rw] description
+    #   Describes the remedial action.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_creation_config
+    #   A `FirewallCreationConfig` that you can copy into your current
+    #   policy's [SecurityServiceData][1] in order to remedy scope
+    #   violations.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_SecurityServicePolicyData.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/FMSPolicyUpdateFirewallCreationConfigAction AWS API Documentation
+    #
+    class FMSPolicyUpdateFirewallCreationConfigAction < Struct.new(
+      :description,
+      :firewall_creation_config)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Contains details about the firewall subnet that violates the policy
+    # scope.
+    #
+    # @!attribute [rw] firewall_subnet_id
+    #   The ID of the firewall subnet that violates the policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc_id
+    #   The VPC ID of the firewall subnet that violates the policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] subnet_availability_zone
+    #   The Availability Zone of the firewall subnet that violates the
+    #   policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] subnet_availability_zone_id
+    #   The Availability Zone ID of the firewall subnet that violates the
+    #   policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc_endpoint_id
+    #   The VPC endpoint ID of the firewall subnet that violates the policy
+    #   scope.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/FirewallSubnetIsOutOfScopeViolation AWS API Documentation
+    #
+    class FirewallSubnetIsOutOfScopeViolation < Struct.new(
+      :firewall_subnet_id,
+      :vpc_id,
+      :subnet_availability_zone,
+      :subnet_availability_zone_id,
+      :vpc_endpoint_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The violation details for a firewall subnet's VPC endpoint that's
+    # deleted or missing.
+    #
+    # @!attribute [rw] firewall_subnet_id
+    #   The ID of the firewall that this VPC endpoint is associated with.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc_id
+    #   The resource ID of the VPC associated with the deleted VPC subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] subnet_availability_zone
+    #   The name of the Availability Zone of the deleted VPC subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] subnet_availability_zone_id
+    #   The ID of the Availability Zone of the deleted VPC subnet.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/FirewallSubnetMissingVPCEndpointViolation AWS API Documentation
+    #
+    class FirewallSubnetMissingVPCEndpointViolation < Struct.new(
+      :firewall_subnet_id,
+      :vpc_id,
+      :subnet_availability_zone,
+      :subnet_availability_zone_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @api private
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetAdminAccountRequest AWS API Documentation
@@ -1140,6 +1323,73 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass GetThirdPartyFirewallAssociationStatusRequest
+    #   data as a hash:
+    #
+    #       {
+    #         third_party_firewall: "PALO_ALTO_NETWORKS_CLOUD_NGFW", # required, accepts PALO_ALTO_NETWORKS_CLOUD_NGFW
+    #       }
+    #
+    # @!attribute [rw] third_party_firewall
+    #   The name of the third-party firewall vendor.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetThirdPartyFirewallAssociationStatusRequest AWS API Documentation
+    #
+    class GetThirdPartyFirewallAssociationStatusRequest < Struct.new(
+      :third_party_firewall)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] third_party_firewall_status
+    #   The current status for setting a Firewall Manager policy
+    #   administrators account as an administrator of the third-party
+    #   firewall tenant.
+    #
+    #   * `ONBOARDING` - The Firewall Manager policy administrator is being
+    #     designated as a tenant administrator.
+    #
+    #   * `ONBOARD_COMPLETE` - The Firewall Manager policy administrator is
+    #     designated as a tenant administrator.
+    #
+    #   * `OFFBOARDING` - The Firewall Manager policy administrator is being
+    #     removed as a tenant administrator.
+    #
+    #   * `OFFBOARD_COMPLETE` - The Firewall Manager policy administrator
+    #     has been removed as a tenant administrator.
+    #
+    #   * `NOT_EXIST` - The Firewall Manager policy administrator doesn't
+    #     exist as a tenant administrator.
+    #   @return [String]
+    #
+    # @!attribute [rw] marketplace_onboarding_status
+    #   The status for subscribing to the third-party firewall vendor in the
+    #   AWS Marketplace.
+    #
+    #   * `NO_SUBSCRIPTION` - The Firewall Manager policy administrator
+    #     isn't subscribed to the third-party firewall service in the AWS
+    #     Marketplace.
+    #
+    #   * `NOT_COMPLETE` - The Firewall Manager policy administrator is in
+    #     the process of subscribing to the third-party firewall service in
+    #     the Amazon Web Services Marketplace, but doesn't yet have an
+    #     active subscription.
+    #
+    #   * `COMPLETE` - The Firewall Manager policy administrator has an
+    #     active subscription to the third-party firewall service in the
+    #     Amazon Web Services Marketplace.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/GetThirdPartyFirewallAssociationStatusResponse AWS API Documentation
+    #
+    class GetThirdPartyFirewallAssociationStatusResponse < Struct.new(
+      :third_party_firewall_status,
+      :marketplace_onboarding_status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass GetViolationDetailsRequest
     #   data as a hash:
     #
@@ -1610,6 +1860,74 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass ListThirdPartyFirewallFirewallPoliciesRequest
+    #   data as a hash:
+    #
+    #       {
+    #         third_party_firewall: "PALO_ALTO_NETWORKS_CLOUD_NGFW", # required, accepts PALO_ALTO_NETWORKS_CLOUD_NGFW
+    #         next_token: "PaginationToken",
+    #         max_results: 1, # required
+    #       }
+    #
+    # @!attribute [rw] third_party_firewall
+    #   The name of the third-party firewall vendor.
+    #   @return [String]
+    #
+    # @!attribute [rw] next_token
+    #   If the previous response included a `NextToken` element, the
+    #   specified third-party firewall vendor is associated with more
+    #   third-party firewall policies. To get more third-party firewall
+    #   policies, submit another
+    #   `ListThirdPartyFirewallFirewallPoliciesRequest` request.
+    #
+    #   For the value of `NextToken`, specify the value of `NextToken` from
+    #   the previous response. If the previous response didn't include a
+    #   `NextToken` element, there are no more third-party firewall policies
+    #   to get.
+    #   @return [String]
+    #
+    # @!attribute [rw] max_results
+    #   The maximum number of third-party firewall policies that you want
+    #   Firewall Manager to return. If the specified third-party firewall
+    #   vendor is associated with more than `MaxResults` firewall policies,
+    #   the response includes a `NextToken` element. `NextToken` contains an
+    #   encrypted token that identifies the first third-party firewall
+    #   policies that Firewall Manager will return if you submit another
+    #   request.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListThirdPartyFirewallFirewallPoliciesRequest AWS API Documentation
+    #
+    class ListThirdPartyFirewallFirewallPoliciesRequest < Struct.new(
+      :third_party_firewall,
+      :next_token,
+      :max_results)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] third_party_firewall_firewall_policies
+    #   A list that contains one `ThirdPartyFirewallFirewallPolicies`
+    #   element for each third-party firewall policies that the specified
+    #   third-party firewall vendor is associated with. Each
+    #   `ThirdPartyFirewallFirewallPolicies` element contains the firewall
+    #   policy name and ID.
+    #   @return [Array<Types::ThirdPartyFirewallFirewallPolicy>]
+    #
+    # @!attribute [rw] next_token
+    #   The value that you will use for `NextToken` in the next
+    #   `ListThirdPartyFirewallFirewallPolicies` request.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ListThirdPartyFirewallFirewallPoliciesResponse AWS API Documentation
+    #
+    class ListThirdPartyFirewallFirewallPoliciesResponse < Struct.new(
+      :third_party_firewall_firewall_policies,
+      :next_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Violation detail for an internet gateway route with an inactive state
     # in the customer subnet route table or Network Firewall subnet route
     # table.
@@ -1940,6 +2258,39 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # Configures the firewall policy deployment model of Network Firewall.
+    # For information about Network Firewall deployment models, see [Network
+    # Firewall example architectures with routing][1] in the *Network
+    # Firewall Developer Guide*.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/architectures.html
+    #
+    # @note When making an API call, you may pass NetworkFirewallPolicy
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
+    #       }
+    #
+    # @!attribute [rw] firewall_deployment_model
+    #   Defines the deployment model to use for the firewall policy. To use
+    #   a distributed model, set [PolicyOption][1] to `NULL`.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/NetworkFirewallPolicy AWS API Documentation
+    #
+    class NetworkFirewallPolicy < Struct.new(
+      :firewall_deployment_model)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # The definition of the Network Firewall firewall policy.
     #
     # @!attribute [rw] stateless_rule_groups
@@ -2102,8 +2453,16 @@ module Aws::FMS
     #         policy_name: "ResourceName", # required
     #         policy_update_token: "PolicyUpdateToken",
     #         security_service_policy_data: { # required
-    #           type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
+    #           type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL
     #           managed_service_data: "ManagedServiceData",
+    #           policy_option: {
+    #             network_firewall_policy: {
+    #               firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
+    #             },
+    #             third_party_firewall_policy: {
+    #               firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
+    #             },
+    #           },
     #         },
     #         resource_type: "ResourceType", # required
     #         resource_type_list: ["ResourceType"],
@@ -2389,6 +2748,38 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # Contains the Network Firewall firewall policy options to configure a
+    # centralized deployment model.
+    #
+    # @note When making an API call, you may pass PolicyOption
+    #   data as a hash:
+    #
+    #       {
+    #         network_firewall_policy: {
+    #           firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
+    #         },
+    #         third_party_firewall_policy: {
+    #           firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
+    #         },
+    #       }
+    #
+    # @!attribute [rw] network_firewall_policy
+    #   Defines the deployment model to use for the firewall policy.
+    #   @return [Types::NetworkFirewallPolicy]
+    #
+    # @!attribute [rw] third_party_firewall_policy
+    #   Defines the policy options for a third-party firewall policy.
+    #   @return [Types::ThirdPartyFirewallPolicy]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/PolicyOption AWS API Documentation
+    #
+    class PolicyOption < Struct.new(
+      :network_firewall_policy,
+      :third_party_firewall_policy)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Details of the Firewall Manager policy.
     #
     # @!attribute [rw] policy_arn
@@ -2703,8 +3094,16 @@ module Aws::FMS
     #           policy_name: "ResourceName", # required
     #           policy_update_token: "PolicyUpdateToken",
     #           security_service_policy_data: { # required
-    #             type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
+    #             type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL
     #             managed_service_data: "ManagedServiceData",
+    #             policy_option: {
+    #               network_firewall_policy: {
+    #                 firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
+    #               },
+    #               third_party_firewall_policy: {
+    #                 firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
+    #               },
+    #             },
     #           },
     #           resource_type: "ResourceType", # required
     #           resource_type_list: ["ResourceType"],
@@ -2860,6 +3259,10 @@ module Aws::FMS
     #   Information about the CreateRouteTable action in the Amazon EC2 API.
     #   @return [Types::EC2CreateRouteTableAction]
     #
+    # @!attribute [rw] fms_policy_update_firewall_creation_config_action
+    #   The remedial action to take when updating a firewall configuration.
+    #   @return [Types::FMSPolicyUpdateFirewallCreationConfigAction]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/RemediationAction AWS API Documentation
     #
     class RemediationAction < Struct.new(
@@ -2870,7 +3273,8 @@ module Aws::FMS
       :ec2_copy_route_table_action,
       :ec2_replace_route_table_association_action,
       :ec2_associate_route_table_action,
-      :ec2_create_route_table_action)
+      :ec2_create_route_table_action,
+      :fms_policy_update_firewall_creation_config_action)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3037,6 +3441,37 @@ module Aws::FMS
     #   actions.
     #   @return [Types::PossibleRemediationActions]
     #
+    # @!attribute [rw] firewall_subnet_is_out_of_scope_violation
+    #   Contains details about the firewall subnet that violates the policy
+    #   scope.
+    #   @return [Types::FirewallSubnetIsOutOfScopeViolation]
+    #
+    # @!attribute [rw] route_has_out_of_scope_endpoint_violation
+    #   Contains details about the route endpoint that violates the policy
+    #   scope.
+    #   @return [Types::RouteHasOutOfScopeEndpointViolation]
+    #
+    # @!attribute [rw] third_party_firewall_missing_firewall_violation
+    #   The violation details for a third-party firewall that's been
+    #   deleted.
+    #   @return [Types::ThirdPartyFirewallMissingFirewallViolation]
+    #
+    # @!attribute [rw] third_party_firewall_missing_subnet_violation
+    #   The violation details for a third-party firewall's subnet that's
+    #   been deleted.
+    #   @return [Types::ThirdPartyFirewallMissingSubnetViolation]
+    #
+    # @!attribute [rw] third_party_firewall_missing_expected_route_table_violation
+    #   The violation details for a third-party firewall that has the
+    #   Firewall Manager managed route table that was associated with the
+    #   third-party firewall has been deleted.
+    #   @return [Types::ThirdPartyFirewallMissingExpectedRouteTableViolation]
+    #
+    # @!attribute [rw] firewall_subnet_missing_vpc_endpoint_violation
+    #   The violation details for a third-party firewall's VPC endpoint
+    #   subnet that was deleted.
+    #   @return [Types::FirewallSubnetMissingVPCEndpointViolation]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ResourceViolation AWS API Documentation
     #
     class ResourceViolation < Struct.new(
@@ -3056,7 +3491,13 @@ module Aws::FMS
       :dns_rule_group_priority_conflict_violation,
       :dns_duplicate_rule_group_violation,
       :dns_rule_group_limit_exceeded_violation,
-      :possible_remediation_actions)
+      :possible_remediation_actions,
+      :firewall_subnet_is_out_of_scope_violation,
+      :route_has_out_of_scope_endpoint_violation,
+      :third_party_firewall_missing_firewall_violation,
+      :third_party_firewall_missing_subnet_violation,
+      :third_party_firewall_missing_expected_route_table_violation,
+      :firewall_subnet_missing_vpc_endpoint_violation)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3090,6 +3531,77 @@ module Aws::FMS
       include Aws::Structure
     end
 
+    # Contains details about the route endpoint that violates the policy
+    # scope.
+    #
+    # @!attribute [rw] subnet_id
+    #   The ID of the subnet associated with the route that violates the
+    #   policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc_id
+    #   The VPC ID of the route that violates the policy scope.
+    #   @return [String]
+    #
+    # @!attribute [rw] route_table_id
+    #   The ID of the route table.
+    #   @return [String]
+    #
+    # @!attribute [rw] violating_routes
+    #   The list of routes that violate the route table.
+    #   @return [Array<Types::Route>]
+    #
+    # @!attribute [rw] subnet_availability_zone
+    #   The subnet's Availability Zone.
+    #   @return [String]
+    #
+    # @!attribute [rw] subnet_availability_zone_id
+    #   The ID of the subnet's Availability Zone.
+    #   @return [String]
+    #
+    # @!attribute [rw] current_firewall_subnet_route_table
+    #   The route table associated with the current firewall subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_subnet_id
+    #   The ID of the firewall subnet.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_subnet_routes
+    #   The list of firewall subnet routes.
+    #   @return [Array<Types::Route>]
+    #
+    # @!attribute [rw] internet_gateway_id
+    #   The ID of the Internet Gateway.
+    #   @return [String]
+    #
+    # @!attribute [rw] current_internet_gateway_route_table
+    #   The current route table associated with the Internet Gateway.
+    #   @return [String]
+    #
+    # @!attribute [rw] internet_gateway_routes
+    #   The routes in the route table associated with the Internet Gateway.
+    #   @return [Array<Types::Route>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/RouteHasOutOfScopeEndpointViolation AWS API Documentation
+    #
+    class RouteHasOutOfScopeEndpointViolation < Struct.new(
+      :subnet_id,
+      :vpc_id,
+      :route_table_id,
+      :violating_routes,
+      :subnet_availability_zone,
+      :subnet_availability_zone_id,
+      :current_firewall_subnet_route_table,
+      :firewall_subnet_id,
+      :firewall_subnet_routes,
+      :internet_gateway_id,
+      :current_internet_gateway_route_table,
+      :internet_gateway_routes)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Remediation option for the rule specified in the `ViolationTarget`.
     #
     # @!attribute [rw] remediation_action_type
@@ -3169,8 +3681,16 @@ module Aws::FMS
     #   data as a hash:
     #
     #       {
-    #         type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL
+    #         type: "WAF", # required, accepts WAF, WAFV2, SHIELD_ADVANCED, SECURITY_GROUPS_COMMON, SECURITY_GROUPS_CONTENT_AUDIT, SECURITY_GROUPS_USAGE_AUDIT, NETWORK_FIREWALL, DNS_FIREWALL, THIRD_PARTY_FIREWALL
     #         managed_service_data: "ManagedServiceData",
+    #         policy_option: {
+    #           network_firewall_policy: {
+    #             firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
+    #           },
+    #           third_party_firewall_policy: {
+    #             firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
+    #           },
+    #         },
     #       }
     #
     # @!attribute [rw] type
@@ -3197,11 +3717,162 @@ module Aws::FMS
     #
     #      </note>
     #
-    #   * Example: `NETWORK_FIREWALL`
+    #   * Example: `DNS_FIREWALL`
+    #
+    #     `"\{"type":"DNS_FIREWALL","preProcessRuleGroups":[\{"ruleGroupId":"rslvr-frg-1","priority":10\}],"postProcessRuleGroups":[\{"ruleGroupId":"rslvr-frg-2","priority":9911\}]\}"`
+    #
+    #     <note markdown="1"> Valid values for `preProcessRuleGroups` are between 1 and 99.
+    #     Valid values for `postProcessRuleGroups` are between 9901 and
+    #     10000.
+    #
+    #      </note>
+    #
+    #   * Example: `NETWORK_FIREWALL` - Distributed deployment model with
+    #     automatic Availability Zone configuration. With automatic
+    #     Availbility Zone configuration, Firewall Manager chooses which
+    #     Availability Zones to create the endpoints in.
+    #
+    #     `"\{ "type": "NETWORK_FIREWALL",
+    #     "networkFirewallStatelessRuleGroupReferences": [ \{
+    #     "resourceARN":
+    #     "arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test",
+    #     "priority": 1 \} ], "networkFirewallStatelessDefaultActions":
+    #     [ "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessFragmentDefaultActions": [
+    #     "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessCustomActions": [ \{ "actionName":
+    #     "customActionName", "actionDefinition": \{
+    #     "publishMetricAction": \{ "dimensions": [ \{ "value":
+    #     "metricdimensionvalue" \} ] \} \} \} ],
+    #     "networkFirewallStatefulRuleGroupReferences": [ \{
+    #     "resourceARN":
+    #     "arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
+    #     \} ], "networkFirewallOrchestrationConfig": \{
+    #     "singleFirewallEndpointPerVPC": false, "allowedIPV4CidrList":
+    #     [ "10.0.0.0/28", "192.168.0.0/28" ],
+    #     "routeManagementAction": "OFF" \},
+    #     "networkFirewallLoggingConfiguration": \{
+    #     "logDestinationConfigs": [ \{ "logDestinationType": "S3",
+    #     "logType": "ALERT", "logDestination": \{ "bucketName":
+    #     "s3-bucket-name" \} \}, \{ "logDestinationType": "S3",
+    #     "logType": "FLOW", "logDestination": \{ "bucketName":
+    #     "s3-bucket-name" \} \} ], "overrideExistingConfig": true \}
+    #     \}"`
     #
-    #     `"\{"type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-1:1234567891011:stateless-rulegroup/rulegroup2","priority":10\}],"networkFirewallStatelessDefaultActions":["aws:pass","custom1"],"networkFirewallStatelessFragmentDefaultActions":["custom2","aws:pass"],"networkFirewallStatelessCustomActions":[\{"actionName":"custom1","actionDefinition":\{"publishMetricAction":\{"dimensions":[\{"value":"dimension1"\}]\}\}\},\{"actionName":"custom2","actionDefinition":\{"publishMetricAction":\{"dimensions":[\{"value":"dimension2"\}]\}\}\}],"networkFirewallStatefulRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-west-1:1234567891011:stateful-rulegroup/rulegroup1"\}],"networkFirewallOrchestrationConfig":\{"singleFirewallEndpointPerVPC":true,"allowedIPV4CidrList":["10.24.34.0/28"]\}
+    #     To use the distributed deployment model, you must set
+    #     [PolicyOption][1] to `NULL`.
+    #
+    #   * Example: `NETWORK_FIREWALL` - Distributed deployment model with
+    #     automatic Availability Zone configuration, and route management.
+    #
+    #     `"\{ "type": "NETWORK_FIREWALL",
+    #     "networkFirewallStatelessRuleGroupReferences": [ \{
+    #     "resourceARN":
+    #     "arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test",
+    #     "priority": 1 \} ], "networkFirewallStatelessDefaultActions":
+    #     [ "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessFragmentDefaultActions": [
+    #     "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessCustomActions": [ \{ "actionName":
+    #     "customActionName", "actionDefinition": \{
+    #     "publishMetricAction": \{ "dimensions": [ \{ "value":
+    #     "metricdimensionvalue" \} ] \} \} \} ],
+    #     "networkFirewallStatefulRuleGroupReferences": [ \{
+    #     "resourceARN":
+    #     "arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
+    #     \} ], "networkFirewallOrchestrationConfig": \{
+    #     "singleFirewallEndpointPerVPC": false, "allowedIPV4CidrList":
+    #     [ "10.0.0.0/28", "192.168.0.0/28" ],
+    #     "routeManagementAction": "MONITOR",
+    #     "routeManagementTargetTypes": [ "InternetGateway" ] \},
+    #     "networkFirewallLoggingConfiguration": \{
+    #     "logDestinationConfigs": [ \{ "logDestinationType": "S3",
+    #     "logType": "ALERT", "logDestination": \{ "bucketName":
+    #     "s3-bucket-name" \} \}, \{ "logDestinationType": "S3",
+    #     "logType": "FLOW", "logDestination": \{ "bucketName":
+    #     "s3-bucket-name" \} \} ], "overrideExistingConfig": true \}
     #     \}"`
     #
+    #   * Example: `NETWORK_FIREWALL` - Distributed deployment model with
+    #     custom Availability Zone configuration. With custom Availability
+    #     Zone configuration, you define which specific Availability Zones
+    #     to create endpoints in by configuring `firewallCreationConfig`.
+    #
+    #     `"\{
+    #     "type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1\}],
+    #     "networkFirewallStatelessDefaultActions":[
+    #     "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessFragmentDefaultActions":[
+    #     "aws:forward_to_sfe", "fragmentcustomactionname" ],
+    #     "networkFirewallStatelessCustomActions":[ \{
+    #     "actionName":"customActionName", "actionDefinition":\{
+    #     "publishMetricAction":\{ "dimensions":[ \{
+    #     "value":"metricdimensionvalue" \} ] \} \} \}, \{
+    #     "actionName":"fragmentcustomactionname",
+    #     "actionDefinition":\{ "publishMetricAction":\{
+    #     "dimensions":[ \{ "value":"fragmentmetricdimensionvalue" \}
+    #     ] \} \} \} ], "networkFirewallStatefulRuleGroupReferences":[ \{
+    #     "resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
+    #     \} ], "networkFirewallOrchestrationConfig":\{
+    #     "firewallCreationConfig":\{ "endpointLocation":\{
+    #     "availabilityZoneConfigList":[ \{ "availabilityZoneId":null,
+    #     "availabilityZoneName":"us-east-1a", "allowedIPV4CidrList":[
+    #     "10.0.0.0/28" ] \}, \{ ¯"availabilityZoneId":null,
+    #     "availabilityZoneName":"us-east-1b", "allowedIPV4CidrList":[
+    #     "10.0.0.0/28" ] \} ] \} \},
+    #     "singleFirewallEndpointPerVPC":false,
+    #     "allowedIPV4CidrList":null, "routeManagementAction":"OFF",
+    #     "networkFirewallLoggingConfiguration":\{
+    #     "logDestinationConfigs":[ \{ "logDestinationType":"S3",
+    #     "logType":"ALERT", "logDestination":\{
+    #     "bucketName":"s3-bucket-name" \} \}, \{
+    #     "logDestinationType":"S3", "logType":"FLOW",
+    #     "logDestination":\{ "bucketName":"s3-bucket-name" \} \} ],
+    #     "overrideExistingConfig":boolean \} \}"`
+    #
+    #   * Example: `NETWORK_FIREWALL` - Distributed deployment model with
+    #     custom Availability Zone configuration, and route management.
+    #
+    #     `"\{
+    #     "type":"NETWORK_FIREWALL","networkFirewallStatelessRuleGroupReferences":[\{"resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateless-rulegroup/test","priority":1\}],
+    #     "networkFirewallStatelessDefaultActions":[
+    #     "aws:forward_to_sfe", "customActionName" ],
+    #     "networkFirewallStatelessFragmentDefaultActions":[
+    #     "aws:forward_to_sfe", "fragmentcustomactionname" ],
+    #     "networkFirewallStatelessCustomActions":[ \{
+    #     "actionName":"customActionName", "actionDefinition":\{
+    #     "publishMetricAction":\{ "dimensions":[ \{
+    #     "value":"metricdimensionvalue" \} ] \} \} \}, \{
+    #     "actionName":"fragmentcustomactionname",
+    #     "actionDefinition":\{ "publishMetricAction":\{
+    #     "dimensions":[ \{ "value":"fragmentmetricdimensionvalue" \}
+    #     ] \} \} \} ], "networkFirewallStatefulRuleGroupReferences":[ \{
+    #     "resourceARN":"arn:aws:network-firewall:us-east-1:123456789011:stateful-rulegroup/test"
+    #     \} ], "networkFirewallOrchestrationConfig":\{
+    #     "firewallCreationConfig":\{ "endpointLocation":\{
+    #     "availabilityZoneConfigList":[ \{ "availabilityZoneId":null,
+    #     "availabilityZoneName":"us-east-1a", "allowedIPV4CidrList":[
+    #     "10.0.0.0/28" ] \}, \{ ¯"availabilityZoneId":null,
+    #     "availabilityZoneName":"us-east-1b", "allowedIPV4CidrList":[
+    #     "10.0.0.0/28" ] \} ] \} \},
+    #     "singleFirewallEndpointPerVPC":false,
+    #     "allowedIPV4CidrList":null,
+    #     "routeManagementAction":"MONITOR",
+    #     "routeManagementTargetTypes":[ "InternetGateway" ],
+    #     "routeManagementConfig":\{
+    #     "allowCrossAZTrafficIfNoEndpoint":true \} \},
+    #     "networkFirewallLoggingConfiguration":\{
+    #     "logDestinationConfigs":[ \{ "logDestinationType":"S3",
+    #     "logType":"ALERT", "logDestination":\{
+    #     "bucketName":"s3-bucket-name" \} \}, \{
+    #     "logDestinationType":"S3", "logType":"FLOW",
+    #     "logDestination":\{ "bucketName":"s3-bucket-name" \} \} ],
+    #     "overrideExistingConfig":boolean \} \}"`
+    #
+    #   * Example: `PARTNER_FIREWALL` for Firewall Manager
+    #
+    #     `"\{"type":"THIRD_PARTY_FIREWALL","thirdPartyrFirewall":"PALO_ALTO_NETWORKS_CLOUD_NGFW","thirdPartyFirewallConfig":\{"thirdPartyFirewallPolicyList":["global-123456789012-1"],"networkFirewallLoggingConfiguration":null\},"firewallDeploymentModel":\{"distributedFirewallDeploymentModel":\{"distributedFirewallOrchestrationConfig":\{"firewallCreationConfig":\{"endpointLocation":\{"availabilityZoneConfigList":[\{"availabilityZoneId":null,"availabilityZoneName":"us-east-1a","allowedIPV4CidrList":["10.0.1.0/28"]\}]\}\},"allowedIPV4CidrList":null\},"distributedRouteManagementConfig":null\},"centralizedFirewallDeploymentModel":null\}\}""`
+    #
     #   * Specification for `SHIELD_ADVANCED` for Amazon CloudFront
     #     distributions
     #
@@ -3240,6 +3911,18 @@ module Aws::FMS
     #     "overrideAction" : \{"type": "COUNT"\}\}],
     #     "defaultAction": \{"type": "BLOCK"\}\}"`
     #
+    #   * Example: `WAFV2` - Firewall Manager support for WAF managed rule
+    #     group versioning
+    #
+    #     `"\{"type":"WAFV2","preProcessRuleGroups":[\{"ruleGroupArn":null,"overrideAction":\{"type":"NONE"\},"managedRuleGroupIdentifier":\{"versionEnabled":true,"version":"Version_2.0","vendorName":"AWS","managedRuleGroupName":"AWSManagedRulesCommonRuleSet"\},"ruleGroupType":"ManagedRuleGroup","excludeRules":[\{"name":"NoUserAgent_HEADER"\}]\}],"postProcessRuleGroups":[],"defaultAction":\{"type":"ALLOW"\},"overrideCustomerWebACLAssociation":false,"loggingConfiguration":\{"logDestinationConfigs":["arn:aws:firehose:us-west-2:12345678912:deliverystream/aws-waf-logs-fms-admin-destination"],"redactedFields":[\{"redactedFieldType":"SingleHeader","redactedFieldValue":"Cookies"\},\{"redactedFieldType":"Method"\}]\}\}"`
+    #
+    #     To use a specific version of a WAF managed rule group in your
+    #     Firewall Manager policy, you must set `versionEnabled` to `true`,
+    #     and set `version` to the version you'd like to use. If you don't
+    #     set `versionEnabled` to `true`, or if you omit `versionEnabled`,
+    #     then Firewall Manager uses the default version of the WAF managed
+    #     rule group.
+    #
     #   * Example: `SECURITY_GROUPS_COMMON`
     #
     #     `"\{"type":"SECURITY_GROUPS_COMMON","revertManualSecurityGroupChanges":false,"exclusiveResourceSecurityGroupManagement":false,
@@ -3267,13 +3950,23 @@ module Aws::FMS
     #   * Example: `SECURITY_GROUPS_USAGE_AUDIT`
     #
     #     `"\{"type":"SECURITY_GROUPS_USAGE_AUDIT","deleteUnusedSecurityGroups":true,"coalesceRedundantSecurityGroups":true\}"`
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/fms/2018-01-01/APIReference/API_PolicyOption.html
     #   @return [String]
     #
+    # @!attribute [rw] policy_option
+    #   Contains the Network Firewall firewall policy options to configure a
+    #   centralized deployment model.
+    #   @return [Types::PolicyOption]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/SecurityServicePolicyData AWS API Documentation
     #
     class SecurityServicePolicyData < Struct.new(
       :type,
-      :managed_service_data)
+      :managed_service_data,
+      :policy_option)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3397,6 +4090,153 @@ module Aws::FMS
     #
     class TagResourceResponse < Aws::EmptyStructure; end
 
+    # Configures the firewall policy deployment model for a third-party
+    # firewall. The deployment model can either be distributed or
+    # centralized.
+    #
+    # @!attribute [rw] firewall_policy_id
+    #   The ID of the specified firewall policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_policy_name
+    #   The name of the specified firewall policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ThirdPartyFirewallFirewallPolicy AWS API Documentation
+    #
+    class ThirdPartyFirewallFirewallPolicy < Struct.new(
+      :firewall_policy_id,
+      :firewall_policy_name)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The violation details for a third-party firewall that's not
+    # associated with an Firewall Manager managed route table.
+    #
+    # @!attribute [rw] violation_target
+    #   The ID of the third-party firewall or VPC resource that's causing
+    #   the violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc
+    #   The resource ID of the VPC associated with a fireawll subnet that's
+    #   causing the violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone
+    #   The Availability Zone of the firewall subnet that's causing the
+    #   violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] current_route_table
+    #   The resource ID of the current route table that's associated with
+    #   the subnet, if one is available.
+    #   @return [String]
+    #
+    # @!attribute [rw] expected_route_table
+    #   The resource ID of the route table that should be associated with
+    #   the subnet.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ThirdPartyFirewallMissingExpectedRouteTableViolation AWS API Documentation
+    #
+    class ThirdPartyFirewallMissingExpectedRouteTableViolation < Struct.new(
+      :violation_target,
+      :vpc,
+      :availability_zone,
+      :current_route_table,
+      :expected_route_table)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The violation details about a third-party firewall's subnet that
+    # doesn't have a Firewall Manager managed firewall in its VPC.
+    #
+    # @!attribute [rw] violation_target
+    #   The ID of the third-party firewall that's causing the violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc
+    #   The resource ID of the VPC associated with a third-party firewall.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone
+    #   The Availability Zone of the third-party firewall that's causing
+    #   the violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] target_violation_reason
+    #   The reason the resource is causing this violation, if a reason is
+    #   available.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ThirdPartyFirewallMissingFirewallViolation AWS API Documentation
+    #
+    class ThirdPartyFirewallMissingFirewallViolation < Struct.new(
+      :violation_target,
+      :vpc,
+      :availability_zone,
+      :target_violation_reason)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The violation details for a third-party firewall for an Availability
+    # Zone that's missing the Firewall Manager managed subnet.
+    #
+    # @!attribute [rw] violation_target
+    #   The ID of the third-party firewall or VPC resource that's causing
+    #   the violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] vpc
+    #   The resource ID of the VPC associated with a subnet that's causing
+    #   the violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone
+    #   The Availability Zone of a subnet that's causing the violation.
+    #   @return [String]
+    #
+    # @!attribute [rw] target_violation_reason
+    #   The reason the resource is causing the violation, if a reason is
+    #   available.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ThirdPartyFirewallMissingSubnetViolation AWS API Documentation
+    #
+    class ThirdPartyFirewallMissingSubnetViolation < Struct.new(
+      :violation_target,
+      :vpc,
+      :availability_zone,
+      :target_violation_reason)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Configures the policy for the third-party firewall.
+    #
+    # @note When making an API call, you may pass ThirdPartyFirewallPolicy
+    #   data as a hash:
+    #
+    #       {
+    #         firewall_deployment_model: "CENTRALIZED", # accepts CENTRALIZED, DISTRIBUTED
+    #       }
+    #
+    # @!attribute [rw] firewall_deployment_model
+    #   Defines the deployment model to use for the third-party firewall.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/fms-2018-01-01/ThirdPartyFirewallPolicy AWS API Documentation
+    #
+    class ThirdPartyFirewallPolicy < Struct.new(
+      :firewall_deployment_model)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass UntagResourceRequest
     #   data as a hash:
     #