aws-sdk-networkfirewall 1.17.0 → 1.19.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 60568c36adf25b6241c56a258da43d9508a482b29824db13da6fc88ea6c19954
-  data.tar.gz: a558af3d1058a75f0cadb7059cff44998938105e925af9cc7406e16736cd5666
+  metadata.gz: be09ee175389ae3449ee0b6b244e4a6cb85248f68ae8bde115ae537d287c18f8
+  data.tar.gz: 7b4ec448cbb2f8e0d3d27ea2df20722412cedd32b9842a29038395da48788ae3
 SHA512:
-  metadata.gz: d6fb0da54ec27b4367ce6b01bae549d0345b4b308e6d62fa6eb604eabc3d8150894445a456abcf2463cfb614ea7c609eaedf96e1fe379d72d96e06cd7a2b9c17
-  data.tar.gz: 213ce4bcb8657bad5bc2e6b4c44197f13f10deafc02a9eb8ff5f6b4a25203b71ca0c748c79686f159b60cf8df70d7619321ba97c3f9b6a872e23977eaf804f02
+  metadata.gz: 8664e5c493bae474d7fa36b98376961f25899deabb5c88192fd346c01af62c79a5697df7de4ce7afb06c3846f9484e7cd02435713fdd5c2c7e459fb61b61f8cf
+  data.tar.gz: '0690ea32a49da14aaf14afa86002f580f6157466b56153b14f10207110acb8cf0776744b136a19658eb2b297af6a7e023866e71e97eff74f31ff1b6bb0d4e5db'

data/CHANGELOG.md

@@ -1,6 +1,16 @@
 Unreleased Changes
 ------------------
 
+1.19.0 (2022-10-05)
+------------------
+
+* Feature - StreamExceptionPolicy configures how AWS Network Firewall processes traffic when a network connection breaks midstream
+
+1.18.0 (2022-07-21)
+------------------
+
+* Feature - Network Firewall now supports referencing dynamic IP sets from stateful rule groups, for IP sets stored in Amazon VPC prefix lists.
+
 1.17.0 (2022-04-28)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.17.0
+1.19.0

data/lib/aws-sdk-networkfirewall/client.rb

@@ -638,14 +638,18 @@ module Aws::NetworkFirewall
     #   resp.firewall.encryption_configuration.key_id #=> String
     #   resp.firewall.encryption_configuration.type #=> String, one of "CUSTOMER_KMS", "AWS_OWNED_KMS_KEY"
     #   resp.firewall_status.status #=> String, one of "PROVISIONING", "DELETING", "READY"
-    #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC"
+    #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.subnet_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.endpoint_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY"
     #   resp.firewall_status.sync_states["AvailabilityZone"].config #=> Hash
-    #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC"
+    #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].update_token #=> String
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.available_cidr_count #=> Integer
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.utilized_cidr_count #=> Integer
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references #=> Hash
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references["IPSetArn"].resolved_cidr_count #=> Integer
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateFirewall AWS API Documentation
     #
@@ -740,6 +744,7 @@ module Aws::NetworkFirewall
     #       stateful_default_actions: ["CollectionMember_String"],
     #       stateful_engine_options: {
     #         rule_order: "DEFAULT_ACTION_ORDER", # accepts DEFAULT_ACTION_ORDER, STRICT_ORDER
+    #         stream_exception_policy: "DROP", # accepts DROP, CONTINUE
     #       },
     #     },
     #     description: "Description",
@@ -922,6 +927,13 @@ module Aws::NetworkFirewall
     #           },
     #         },
     #       },
+    #       reference_sets: {
+    #         ip_set_references: {
+    #           "IPSetReferenceName" => {
+    #             reference_arn: "ResourceArn",
+    #           },
+    #         },
+    #       },
     #       rules_source: { # required
     #         rules_string: "RulesString",
     #         rules_source_list: {
@@ -1118,14 +1130,18 @@ module Aws::NetworkFirewall
     #   resp.firewall.encryption_configuration.key_id #=> String
     #   resp.firewall.encryption_configuration.type #=> String, one of "CUSTOMER_KMS", "AWS_OWNED_KMS_KEY"
     #   resp.firewall_status.status #=> String, one of "PROVISIONING", "DELETING", "READY"
-    #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC"
+    #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.subnet_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.endpoint_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY"
     #   resp.firewall_status.sync_states["AvailabilityZone"].config #=> Hash
-    #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC"
+    #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].update_token #=> String
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.available_cidr_count #=> Integer
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.utilized_cidr_count #=> Integer
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references #=> Hash
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references["IPSetArn"].resolved_cidr_count #=> Integer
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteFirewall AWS API Documentation
     #
@@ -1321,14 +1337,18 @@ module Aws::NetworkFirewall
     #   resp.firewall.encryption_configuration.key_id #=> String
     #   resp.firewall.encryption_configuration.type #=> String, one of "CUSTOMER_KMS", "AWS_OWNED_KMS_KEY"
     #   resp.firewall_status.status #=> String, one of "PROVISIONING", "DELETING", "READY"
-    #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC"
+    #   resp.firewall_status.configuration_sync_state_summary #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.subnet_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.endpoint_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY"
     #   resp.firewall_status.sync_states["AvailabilityZone"].config #=> Hash
-    #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC"
+    #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
     #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].update_token #=> String
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.available_cidr_count #=> Integer
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.utilized_cidr_count #=> Integer
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references #=> Hash
+    #   resp.firewall_status.capacity_usage_summary.cid_rs.ip_set_references["IPSetArn"].resolved_cidr_count #=> Integer
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewall AWS API Documentation
     #
@@ -1400,6 +1420,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy.stateful_default_actions #=> Array
     #   resp.firewall_policy.stateful_default_actions[0] #=> String
     #   resp.firewall_policy.stateful_engine_options.rule_order #=> String, one of "DEFAULT_ACTION_ORDER", "STRICT_ORDER"
+    #   resp.firewall_policy.stateful_engine_options.stream_exception_policy #=> String, one of "DROP", "CONTINUE"
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewallPolicy AWS API Documentation
     #
@@ -1529,6 +1550,8 @@ module Aws::NetworkFirewall
     #   resp.rule_group.rule_variables.port_sets #=> Hash
     #   resp.rule_group.rule_variables.port_sets["RuleVariableName"].definition #=> Array
     #   resp.rule_group.rule_variables.port_sets["RuleVariableName"].definition[0] #=> String
+    #   resp.rule_group.reference_sets.ip_set_references #=> Hash
+    #   resp.rule_group.reference_sets.ip_set_references["IPSetReferenceName"].reference_arn #=> String
     #   resp.rule_group.rules_source.rules_string #=> String
     #   resp.rule_group.rules_source.rules_source_list.targets #=> Array
     #   resp.rule_group.rules_source.rules_source_list.targets[0] #=> String
@@ -2433,6 +2456,7 @@ module Aws::NetworkFirewall
     #       stateful_default_actions: ["CollectionMember_String"],
     #       stateful_engine_options: {
     #         rule_order: "DEFAULT_ACTION_ORDER", # accepts DEFAULT_ACTION_ORDER, STRICT_ORDER
+    #         stream_exception_policy: "DROP", # accepts DROP, CONTINUE
     #       },
     #     },
     #     description: "Description",
@@ -2743,6 +2767,13 @@ module Aws::NetworkFirewall
     #           },
     #         },
     #       },
+    #       reference_sets: {
+    #         ip_set_references: {
+    #           "IPSetReferenceName" => {
+    #             reference_arn: "ResourceArn",
+    #           },
+    #         },
+    #       },
     #       rules_source: { # required
     #         rules_string: "RulesString",
     #         rules_source_list: {
@@ -2956,7 +2987,7 @@ module Aws::NetworkFirewall
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-networkfirewall'
-      context[:gem_version] = '1.17.0'
+      context[:gem_version] = '1.19.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-networkfirewall/client_api.rb

@@ -28,6 +28,9 @@ module Aws::NetworkFirewall
     AzSubnet = Shapes::StringShape.new(name: 'AzSubnet')
     AzSubnets = Shapes::ListShape.new(name: 'AzSubnets')
     Boolean = Shapes::BooleanShape.new(name: 'Boolean')
+    CIDRCount = Shapes::IntegerShape.new(name: 'CIDRCount')
+    CIDRSummary = Shapes::StructureShape.new(name: 'CIDRSummary')
+    CapacityUsageSummary = Shapes::StructureShape.new(name: 'CapacityUsageSummary')
     CollectionMember_String = Shapes::StringShape.new(name: 'CollectionMember_String')
     ConfigurationSyncState = Shapes::StringShape.new(name: 'ConfigurationSyncState')
     CreateFirewallPolicyRequest = Shapes::StructureShape.new(name: 'CreateFirewallPolicyRequest')
@@ -84,6 +87,12 @@ module Aws::NetworkFirewall
     HashMapValue = Shapes::StringShape.new(name: 'HashMapValue')
     Header = Shapes::StructureShape.new(name: 'Header')
     IPSet = Shapes::StructureShape.new(name: 'IPSet')
+    IPSetArn = Shapes::StringShape.new(name: 'IPSetArn')
+    IPSetMetadata = Shapes::StructureShape.new(name: 'IPSetMetadata')
+    IPSetMetadataMap = Shapes::MapShape.new(name: 'IPSetMetadataMap')
+    IPSetReference = Shapes::StructureShape.new(name: 'IPSetReference')
+    IPSetReferenceMap = Shapes::MapShape.new(name: 'IPSetReferenceMap')
+    IPSetReferenceName = Shapes::StringShape.new(name: 'IPSetReferenceName')
     IPSets = Shapes::MapShape.new(name: 'IPSets')
     InsufficientCapacityException = Shapes::StructureShape.new(name: 'InsufficientCapacityException')
     InternalServerError = Shapes::StructureShape.new(name: 'InternalServerError')
@@ -130,6 +139,7 @@ module Aws::NetworkFirewall
     PublishMetricAction = Shapes::StructureShape.new(name: 'PublishMetricAction')
     PutResourcePolicyRequest = Shapes::StructureShape.new(name: 'PutResourcePolicyRequest')
     PutResourcePolicyResponse = Shapes::StructureShape.new(name: 'PutResourcePolicyResponse')
+    ReferenceSets = Shapes::StructureShape.new(name: 'ReferenceSets')
     ResourceArn = Shapes::StringShape.new(name: 'ResourceArn')
     ResourceId = Shapes::StringShape.new(name: 'ResourceId')
     ResourceManagedStatus = Shapes::StringShape.new(name: 'ResourceManagedStatus')
@@ -175,6 +185,7 @@ module Aws::NetworkFirewall
     StatelessRuleGroupReferences = Shapes::ListShape.new(name: 'StatelessRuleGroupReferences')
     StatelessRules = Shapes::ListShape.new(name: 'StatelessRules')
     StatelessRulesAndCustomActions = Shapes::StructureShape.new(name: 'StatelessRulesAndCustomActions')
+    StreamExceptionPolicy = Shapes::StringShape.new(name: 'StreamExceptionPolicy')
     SubnetMapping = Shapes::StructureShape.new(name: 'SubnetMapping')
     SubnetMappings = Shapes::ListShape.new(name: 'SubnetMappings')
     SyncState = Shapes::StructureShape.new(name: 'SyncState')
@@ -258,6 +269,14 @@ module Aws::NetworkFirewall
 
     AzSubnets.member = Shapes::ShapeRef.new(shape: AzSubnet)
 
+    CIDRSummary.add_member(:available_cidr_count, Shapes::ShapeRef.new(shape: CIDRCount, location_name: "AvailableCIDRCount"))
+    CIDRSummary.add_member(:utilized_cidr_count, Shapes::ShapeRef.new(shape: CIDRCount, location_name: "UtilizedCIDRCount"))
+    CIDRSummary.add_member(:ip_set_references, Shapes::ShapeRef.new(shape: IPSetMetadataMap, location_name: "IPSetReferences"))
+    CIDRSummary.struct_class = Types::CIDRSummary
+
+    CapacityUsageSummary.add_member(:cid_rs, Shapes::ShapeRef.new(shape: CIDRSummary, location_name: "CIDRs"))
+    CapacityUsageSummary.struct_class = Types::CapacityUsageSummary
+
     CreateFirewallPolicyRequest.add_member(:firewall_policy_name, Shapes::ShapeRef.new(shape: ResourceName, required: true, location_name: "FirewallPolicyName"))
     CreateFirewallPolicyRequest.add_member(:firewall_policy, Shapes::ShapeRef.new(shape: FirewallPolicy, required: true, location_name: "FirewallPolicy"))
     CreateFirewallPolicyRequest.add_member(:description, Shapes::ShapeRef.new(shape: Description, location_name: "Description"))
@@ -462,6 +481,7 @@ module Aws::NetworkFirewall
     FirewallStatus.add_member(:status, Shapes::ShapeRef.new(shape: FirewallStatusValue, required: true, location_name: "Status"))
     FirewallStatus.add_member(:configuration_sync_state_summary, Shapes::ShapeRef.new(shape: ConfigurationSyncState, required: true, location_name: "ConfigurationSyncStateSummary"))
     FirewallStatus.add_member(:sync_states, Shapes::ShapeRef.new(shape: SyncStates, location_name: "SyncStates"))
+    FirewallStatus.add_member(:capacity_usage_summary, Shapes::ShapeRef.new(shape: CapacityUsageSummary, location_name: "CapacityUsageSummary"))
     FirewallStatus.struct_class = Types::FirewallStatus
 
     Firewalls.member = Shapes::ShapeRef.new(shape: FirewallMetadata)
@@ -479,6 +499,18 @@ module Aws::NetworkFirewall
     IPSet.add_member(:definition, Shapes::ShapeRef.new(shape: VariableDefinitionList, required: true, location_name: "Definition"))
     IPSet.struct_class = Types::IPSet
 
+    IPSetMetadata.add_member(:resolved_cidr_count, Shapes::ShapeRef.new(shape: CIDRCount, location_name: "ResolvedCIDRCount"))
+    IPSetMetadata.struct_class = Types::IPSetMetadata
+
+    IPSetMetadataMap.key = Shapes::ShapeRef.new(shape: IPSetArn)
+    IPSetMetadataMap.value = Shapes::ShapeRef.new(shape: IPSetMetadata)
+
+    IPSetReference.add_member(:reference_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "ReferenceArn"))
+    IPSetReference.struct_class = Types::IPSetReference
+
+    IPSetReferenceMap.key = Shapes::ShapeRef.new(shape: IPSetReferenceName)
+    IPSetReferenceMap.value = Shapes::ShapeRef.new(shape: IPSetReference)
+
     IPSets.key = Shapes::ShapeRef.new(shape: RuleVariableName)
     IPSets.value = Shapes::ShapeRef.new(shape: IPSet)
 
@@ -591,6 +623,9 @@ module Aws::NetworkFirewall
 
     PutResourcePolicyResponse.struct_class = Types::PutResourcePolicyResponse
 
+    ReferenceSets.add_member(:ip_set_references, Shapes::ShapeRef.new(shape: IPSetReferenceMap, location_name: "IPSetReferences"))
+    ReferenceSets.struct_class = Types::ReferenceSets
+
     ResourceNotFoundException.add_member(:message, Shapes::ShapeRef.new(shape: ErrorMessage, location_name: "Message"))
     ResourceNotFoundException.struct_class = Types::ResourceNotFoundException
 
@@ -602,6 +637,7 @@ module Aws::NetworkFirewall
     RuleDefinition.struct_class = Types::RuleDefinition
 
     RuleGroup.add_member(:rule_variables, Shapes::ShapeRef.new(shape: RuleVariables, location_name: "RuleVariables"))
+    RuleGroup.add_member(:reference_sets, Shapes::ShapeRef.new(shape: ReferenceSets, location_name: "ReferenceSets"))
     RuleGroup.add_member(:rules_source, Shapes::ShapeRef.new(shape: RulesSource, required: true, location_name: "RulesSource"))
     RuleGroup.add_member(:stateful_rule_options, Shapes::ShapeRef.new(shape: StatefulRuleOptions, location_name: "StatefulRuleOptions"))
     RuleGroup.struct_class = Types::RuleGroup
@@ -660,6 +696,7 @@ module Aws::NetworkFirewall
     StatefulActions.member = Shapes::ShapeRef.new(shape: CollectionMember_String)
 
     StatefulEngineOptions.add_member(:rule_order, Shapes::ShapeRef.new(shape: RuleOrder, location_name: "RuleOrder"))
+    StatefulEngineOptions.add_member(:stream_exception_policy, Shapes::ShapeRef.new(shape: StreamExceptionPolicy, location_name: "StreamExceptionPolicy"))
     StatefulEngineOptions.struct_class = Types::StatefulEngineOptions
 
     StatefulRule.add_member(:action, Shapes::ShapeRef.new(shape: StatefulAction, required: true, location_name: "Action"))

data/lib/aws-sdk-networkfirewall/types.rb

@@ -329,6 +329,50 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # Summarizes the CIDR blocks used by the IP set references in a
+    # firewall. Network Firewall calculates the number of CIDRs by taking an
+    # aggregated count of all CIDRs used by the IP sets you are referencing.
+    #
+    # @!attribute [rw] available_cidr_count
+    #   The number of CIDR blocks available for use by the IP set references
+    #   in a firewall.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] utilized_cidr_count
+    #   The number of CIDR blocks used by the IP set references in a
+    #   firewall.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] ip_set_references
+    #   The list of the IP set references used by a firewall.
+    #   @return [Hash<String,Types::IPSetMetadata>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CIDRSummary AWS API Documentation
+    #
+    class CIDRSummary < Struct.new(
+      :available_cidr_count,
+      :utilized_cidr_count,
+      :ip_set_references)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # The capacity usage summary of the resources used by the ReferenceSets
+    # in a firewall.
+    #
+    # @!attribute [rw] cid_rs
+    #   Describes the capacity usage of the CIDR blocks used by the IP set
+    #   references in a firewall.
+    #   @return [Types::CIDRSummary]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CapacityUsageSummary AWS API Documentation
+    #
+    class CapacityUsageSummary < Struct.new(
+      :cid_rs)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass CreateFirewallPolicyRequest
     #   data as a hash:
     #
@@ -369,6 +413,7 @@ module Aws::NetworkFirewall
     #           stateful_default_actions: ["CollectionMember_String"],
     #           stateful_engine_options: {
     #             rule_order: "DEFAULT_ACTION_ORDER", # accepts DEFAULT_ACTION_ORDER, STRICT_ORDER
+    #             stream_exception_policy: "DROP", # accepts DROP, CONTINUE
     #           },
     #         },
     #         description: "Description",
@@ -609,6 +654,13 @@ module Aws::NetworkFirewall
     #               },
     #             },
     #           },
+    #           reference_sets: {
+    #             ip_set_references: {
+    #               "IPSetReferenceName" => {
+    #                 reference_arn: "ResourceArn",
+    #               },
+    #             },
+    #           },
     #           rules_source: { # required
     #             rules_string: "RulesString",
     #             rules_source_list: {
@@ -1882,6 +1934,7 @@ module Aws::NetworkFirewall
     #         stateful_default_actions: ["CollectionMember_String"],
     #         stateful_engine_options: {
     #           rule_order: "DEFAULT_ACTION_ORDER", # accepts DEFAULT_ACTION_ORDER, STRICT_ORDER
+    #           stream_exception_policy: "DROP", # accepts DROP, CONTINUE
     #         },
     #       }
     #
@@ -2120,12 +2173,20 @@ module Aws::NetworkFirewall
     #   and configuration object.
     #   @return [Hash<String,Types::SyncState>]
     #
+    # @!attribute [rw] capacity_usage_summary
+    #   Describes the capacity usage of the resources contained in a
+    #   firewall's reference sets. Network Firewall calclulates the
+    #   capacity usage by taking an aggregated count of all of the resources
+    #   used by all of the reference sets in a firewall.
+    #   @return [Types::CapacityUsageSummary]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/FirewallStatus AWS API Documentation
     #
     class FirewallStatus < Struct.new(
       :status,
       :configuration_sync_state_summary,
-      :sync_states)
+      :sync_states,
+      :capacity_usage_summary)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2255,6 +2316,63 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # General information about the IP set.
+    #
+    # @!attribute [rw] resolved_cidr_count
+    #   Describes the total number of CIDR blocks currently in use by the IP
+    #   set references in a firewall. To determine how many CIDR blocks are
+    #   available for you to use in a firewall, you can call
+    #   `AvailableCIDRCount`.
+    #   @return [Integer]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/IPSetMetadata AWS API Documentation
+    #
+    class IPSetMetadata < Struct.new(
+      :resolved_cidr_count)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # Configures one or more IP set references for a Suricata-compatible
+    # rule group. This is used in CreateRuleGroup or UpdateRuleGroup. An IP
+    # set reference is a rule variable that references a resource that you
+    # create and manage in another Amazon Web Services service, such as an
+    # Amazon VPC prefix list. Network Firewall IP set references enable you
+    # to dynamically update the contents of your rules. When you create,
+    # update, or delete the IP set you are referencing in your rule, Network
+    # Firewall automatically updates the rule's content with the changes.
+    # For more information about IP set references in Network Firewall, see
+    # [Using IP set references][1] in the *Network Firewall Developer
+    # Guide*.
+    #
+    # Network Firewall currently supports only [Amazon VPC prefix lists][2]
+    # as IP set references.
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/rule-groups-ip-set-references
+    # [2]: https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html
+    #
+    # @note When making an API call, you may pass IPSetReference
+    #   data as a hash:
+    #
+    #       {
+    #         reference_arn: "ResourceArn",
+    #       }
+    #
+    # @!attribute [rw] reference_arn
+    #   The Amazon Resource Name (ARN) of the resource that you are
+    #   referencing in your rule group.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/IPSetReference AWS API Documentation
+    #
+    class IPSetReference < Struct.new(
+      :reference_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Amazon Web Services doesn't currently have enough available capacity
     # to fulfill your request. Try your request later.
     #
@@ -2983,6 +3101,31 @@ module Aws::NetworkFirewall
     #
     class PutResourcePolicyResponse < Aws::EmptyStructure; end
 
+    # Contains a set of IP set references.
+    #
+    # @note When making an API call, you may pass ReferenceSets
+    #   data as a hash:
+    #
+    #       {
+    #         ip_set_references: {
+    #           "IPSetReferenceName" => {
+    #             reference_arn: "ResourceArn",
+    #           },
+    #         },
+    #       }
+    #
+    # @!attribute [rw] ip_set_references
+    #   The list of IP set references.
+    #   @return [Hash<String,Types::IPSetReference>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ReferenceSets AWS API Documentation
+    #
+    class ReferenceSets < Struct.new(
+      :ip_set_references)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Unable to locate a resource using the parameters that you provided.
     #
     # @!attribute [rw] message
@@ -3136,6 +3279,13 @@ module Aws::NetworkFirewall
     #             },
     #           },
     #         },
+    #         reference_sets: {
+    #           ip_set_references: {
+    #             "IPSetReferenceName" => {
+    #               reference_arn: "ResourceArn",
+    #             },
+    #           },
+    #         },
     #         rules_source: { # required
     #           rules_string: "RulesString",
     #           rules_source_list: {
@@ -3228,6 +3378,10 @@ module Aws::NetworkFirewall
     #   You can only use these for stateful rule groups.
     #   @return [Types::RuleVariables]
     #
+    # @!attribute [rw] reference_sets
+    #   The list of a rule group's reference sets.
+    #   @return [Types::ReferenceSets]
+    #
     # @!attribute [rw] rules_source
     #   The stateful rules or stateless rules for the rule group.
     #   @return [Types::RulesSource]
@@ -3243,6 +3397,7 @@ module Aws::NetworkFirewall
     #
     class RuleGroup < Struct.new(
       :rule_variables,
+      :reference_sets,
       :rules_source,
       :stateful_rule_options)
       SENSITIVE = []
@@ -3558,7 +3713,7 @@ module Aws::NetworkFirewall
     #
     #
     #
-    #   [1]: https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html#
+    #   [1]: https://suricata.readthedocs.io/rules/intro.html#
     #   @return [Array<Types::StatefulRule>]
     #
     # @!attribute [rw] stateless_rules_and_custom_actions
@@ -3684,6 +3839,7 @@ module Aws::NetworkFirewall
     #
     #       {
     #         rule_order: "DEFAULT_ACTION_ORDER", # accepts DEFAULT_ACTION_ORDER, STRICT_ORDER
+    #         stream_exception_policy: "DROP", # accepts DROP, CONTINUE
     #       }
     #
     # @!attribute [rw] rule_order
@@ -3699,10 +3855,31 @@ module Aws::NetworkFirewall
     #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html
     #   @return [String]
     #
+    # @!attribute [rw] stream_exception_policy
+    #   Configures how Network Firewall processes traffic when a network
+    #   connection breaks midstream. Network connections can break due to
+    #   disruptions in external networks or within the firewall itself.
+    #
+    #   * `DROP` - Network Firewall fails closed and drops all subsequent
+    #     traffic going to the firewall. This is the default behavior.
+    #
+    #   * `CONTINUE` - Network Firewall continues to apply rules to the
+    #     subsequent traffic without context from traffic before the break.
+    #     This impacts the behavior of rules that depend on this context.
+    #     For example, if you have a stateful rule to `drop http` traffic,
+    #     Network Firewall won't match the traffic for this rule because
+    #     the service won't have the context from session initialization
+    #     defining the application layer protocol as HTTP. However, this
+    #     behavior is rule dependent—a TCP-layer rule using a
+    #     `flow:stateless` rule would still match, as would the
+    #     `aws:drop_strict` default action.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/StatefulEngineOptions AWS API Documentation
     #
     class StatefulEngineOptions < Struct.new(
-      :rule_order)
+      :rule_order,
+      :stream_exception_policy)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3715,7 +3892,7 @@ module Aws::NetworkFirewall
     #
     #
     #
-    # [1]: https://suricata.readthedocs.io/en/suricata-5.0.0/rules/intro.html#
+    # [1]: https://suricata.readthedocs.io/rules/intro.html#
     #
     # @note When making an API call, you may pass StatefulRule
     #   data as a hash:
@@ -4800,6 +4977,7 @@ module Aws::NetworkFirewall
     #           stateful_default_actions: ["CollectionMember_String"],
     #           stateful_engine_options: {
     #             rule_order: "DEFAULT_ACTION_ORDER", # accepts DEFAULT_ACTION_ORDER, STRICT_ORDER
+    #             stream_exception_policy: "DROP", # accepts DROP, CONTINUE
     #           },
     #         },
     #         description: "Description",
@@ -5000,6 +5178,13 @@ module Aws::NetworkFirewall
     #               },
     #             },
     #           },
+    #           reference_sets: {
+    #             ip_set_references: {
+    #               "IPSetReferenceName" => {
+    #                 reference_arn: "ResourceArn",
+    #               },
+    #             },
+    #           },
     #           rules_source: { # required
     #             rules_string: "RulesString",
     #             rules_source_list: {

data/lib/aws-sdk-networkfirewall.rb

@@ -48,6 +48,6 @@ require_relative 'aws-sdk-networkfirewall/customizations'
 # @!group service
 module Aws::NetworkFirewall
 
-  GEM_VERSION = '1.17.0'
+  GEM_VERSION = '1.19.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-networkfirewall
 version: !ruby/object:Gem::Version
-  version: 1.17.0
+  version: 1.19.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-04-28 00:00:00.000000000 Z
+date: 2022-10-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core