aws-sdk-networkfirewall 1.26.0 → 1.28.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f06525de7ab96ffab1dc74ee6cfb7629f37fade446430443a5e3fa6a6430e571
-  data.tar.gz: cdaf82868e449d14b6b626169486b4fd60346a3d3e98d36dbbbfeb76919c0647
+  metadata.gz: 0777bee33353956140748399c259f21e1da2819f69f84f0353b438725e003c62
+  data.tar.gz: b3e1cf9cde792809cc2963d6b3293aca1915965a1be408eeb21ee22b4ba2db7f
 SHA512:
-  metadata.gz: 04f2235e8fef3726e03bac04bcca56af77b3ad6055d70f68fd4284a213916edc9b73a901f6480cd4951407fd37df9380d8bf7f6e1b3bddb194074f2136c5d94b
-  data.tar.gz: 254bfefe094e643f56861d3444353792363e6fbfc1d89b51a9b9e0da8b9d064a449399120640d2d82762fd48d1c3b62428f72b6229475a78586410103c22f8b9
+  metadata.gz: b50dc676821f92c9b96e1e41536c72c770c294240907afb2508d9c8001621dd797921395222c3e8d632dddd0415b68a883b6784a2d93f0142ac53089c72cb9ea
+  data.tar.gz: d8ce58d223868c23b80041a606de67df91f313f6adbf17066cb11d5b3d4a814a3ac1d294b413371ae371be9faf215d98bb85fa169d4cb13e0ddc9266da6002fb

data/CHANGELOG.md

@@ -1,6 +1,16 @@
 Unreleased Changes
 ------------------
 
+1.28.0 (2023-05-04)
+------------------
+
+* Feature - This release adds support for the Suricata REJECT option in midstream exception configurations.
+
+1.27.0 (2023-05-03)
+------------------
+
+* Feature - AWS Network Firewall now supports policy level HOME_NET variable overrides.
+
 1.26.0 (2023-04-05)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.26.0
+1.28.0

data/lib/aws-sdk-networkfirewall/client.rb

@@ -663,7 +663,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.sync_states #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.subnet_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.endpoint_id #=> String
-    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY"
+    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "FAILED", "ERROR", "SCALING", "READY"
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status_message #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].config #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
@@ -766,9 +766,16 @@ module Aws::NetworkFirewall
     #       stateful_default_actions: ["CollectionMember_String"],
     #       stateful_engine_options: {
     #         rule_order: "DEFAULT_ACTION_ORDER", # accepts DEFAULT_ACTION_ORDER, STRICT_ORDER
-    #         stream_exception_policy: "DROP", # accepts DROP, CONTINUE
+    #         stream_exception_policy: "DROP", # accepts DROP, CONTINUE, REJECT
     #       },
     #       tls_inspection_configuration_arn: "ResourceArn",
+    #       policy_variables: {
+    #         rule_variables: {
+    #           "RuleVariableName" => {
+    #             definition: ["VariableDefinition"], # required
+    #           },
+    #         },
+    #       },
     #     },
     #     description: "Description",
     #     tags: [
@@ -1324,7 +1331,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.sync_states #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.subnet_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.endpoint_id #=> String
-    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY"
+    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "FAILED", "ERROR", "SCALING", "READY"
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status_message #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].config #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
@@ -1586,7 +1593,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.sync_states #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.subnet_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.endpoint_id #=> String
-    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY"
+    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "FAILED", "ERROR", "SCALING", "READY"
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status_message #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].config #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
@@ -1666,8 +1673,11 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy.stateful_default_actions #=> Array
     #   resp.firewall_policy.stateful_default_actions[0] #=> String
     #   resp.firewall_policy.stateful_engine_options.rule_order #=> String, one of "DEFAULT_ACTION_ORDER", "STRICT_ORDER"
-    #   resp.firewall_policy.stateful_engine_options.stream_exception_policy #=> String, one of "DROP", "CONTINUE"
+    #   resp.firewall_policy.stateful_engine_options.stream_exception_policy #=> String, one of "DROP", "CONTINUE", "REJECT"
     #   resp.firewall_policy.tls_inspection_configuration_arn #=> String
+    #   resp.firewall_policy.policy_variables.rule_variables #=> Hash
+    #   resp.firewall_policy.policy_variables.rule_variables["RuleVariableName"].definition #=> Array
+    #   resp.firewall_policy.policy_variables.rule_variables["RuleVariableName"].definition[0] #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewallPolicy AWS API Documentation
     #
@@ -2402,10 +2412,6 @@ module Aws::NetworkFirewall
     #   For a firewall policy resource, you can specify the following
     #   operations in the Actions section of the statement:
     #
-    #   * network-firewall:CreateFirewall
-    #
-    #   * network-firewall:UpdateFirewall
-    #
     #   * network-firewall:AssociateFirewallPolicy
     #
     #   * network-firewall:ListFirewallPolicies
@@ -2825,9 +2831,16 @@ module Aws::NetworkFirewall
     #       stateful_default_actions: ["CollectionMember_String"],
     #       stateful_engine_options: {
     #         rule_order: "DEFAULT_ACTION_ORDER", # accepts DEFAULT_ACTION_ORDER, STRICT_ORDER
-    #         stream_exception_policy: "DROP", # accepts DROP, CONTINUE
+    #         stream_exception_policy: "DROP", # accepts DROP, CONTINUE, REJECT
     #       },
     #       tls_inspection_configuration_arn: "ResourceArn",
+    #       policy_variables: {
+    #         rule_variables: {
+    #           "RuleVariableName" => {
+    #             definition: ["VariableDefinition"], # required
+    #           },
+    #         },
+    #       },
     #     },
     #     description: "Description",
     #     dry_run: false,
@@ -3507,7 +3520,7 @@ module Aws::NetworkFirewall
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-networkfirewall'
-      context[:gem_version] = '1.26.0'
+      context[:gem_version] = '1.28.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-networkfirewall/client_api.rb

@@ -137,6 +137,7 @@ module Aws::NetworkFirewall
     PerObjectStatus = Shapes::StructureShape.new(name: 'PerObjectStatus')
     PerObjectSyncStatus = Shapes::StringShape.new(name: 'PerObjectSyncStatus')
     PolicyString = Shapes::StringShape.new(name: 'PolicyString')
+    PolicyVariables = Shapes::StructureShape.new(name: 'PolicyVariables')
     Port = Shapes::StringShape.new(name: 'Port')
     PortRange = Shapes::StructureShape.new(name: 'PortRange')
     PortRangeBound = Shapes::IntegerShape.new(name: 'PortRangeBound')
@@ -515,6 +516,7 @@ module Aws::NetworkFirewall
     FirewallPolicy.add_member(:stateful_default_actions, Shapes::ShapeRef.new(shape: StatefulActions, location_name: "StatefulDefaultActions"))
     FirewallPolicy.add_member(:stateful_engine_options, Shapes::ShapeRef.new(shape: StatefulEngineOptions, location_name: "StatefulEngineOptions"))
     FirewallPolicy.add_member(:tls_inspection_configuration_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "TLSInspectionConfigurationArn"))
+    FirewallPolicy.add_member(:policy_variables, Shapes::ShapeRef.new(shape: PolicyVariables, location_name: "PolicyVariables"))
     FirewallPolicy.struct_class = Types::FirewallPolicy
 
     FirewallPolicyMetadata.add_member(:name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "Name"))
@@ -664,6 +666,9 @@ module Aws::NetworkFirewall
     PerObjectStatus.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, location_name: "UpdateToken"))
     PerObjectStatus.struct_class = Types::PerObjectStatus
 
+    PolicyVariables.add_member(:rule_variables, Shapes::ShapeRef.new(shape: IPSets, location_name: "RuleVariables"))
+    PolicyVariables.struct_class = Types::PolicyVariables
+
     PortRange.add_member(:from_port, Shapes::ShapeRef.new(shape: PortRangeBound, required: true, location_name: "FromPort"))
     PortRange.add_member(:to_port, Shapes::ShapeRef.new(shape: PortRangeBound, required: true, location_name: "ToPort"))
     PortRange.struct_class = Types::PortRange

data/lib/aws-sdk-networkfirewall/types.rb

@@ -286,12 +286,14 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] status_message
     #   If Network Firewall fails to create or delete the firewall endpoint
-    #   in the subnet, it populates this with the reason for the failure and
-    #   how to resolve it. Depending on the error, it can take as many as 15
+    #   in the subnet, it populates this with the reason for the error or
+    #   failure and how to resolve it. A `FAILED` status indicates a
+    #   non-recoverable state, and a `ERROR` status indicates an issue that
+    #   you can fix. Depending on the error, it can take as many as 15
     #   minutes to populate this field. For more information about the
-    #   errors and solutions available for this field, see [Troubleshooting
-    #   firewall endpoint failures][1] in the *Network Firewall Developer
-    #   Guide*.
+    #   causes for failiure or errors and solutions available for this
+    #   field, see [Troubleshooting firewall endpoint failures][1] in the
+    #   *Network Firewall Developer Guide*.
     #
     #
     #
@@ -1840,6 +1842,11 @@ module Aws::NetworkFirewall
     #   The Amazon Resource Name (ARN) of the TLS inspection configuration.
     #   @return [String]
     #
+    # @!attribute [rw] policy_variables
+    #   Contains variables that you can use to override default Suricata
+    #   settings in your firewall policy.
+    #   @return [Types::PolicyVariables]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/FirewallPolicy AWS API Documentation
     #
     class FirewallPolicy < Struct.new(
@@ -1850,7 +1857,8 @@ module Aws::NetworkFirewall
       :stateful_rule_group_references,
       :stateful_default_actions,
       :stateful_engine_options,
-      :tls_inspection_configuration_arn)
+      :tls_inspection_configuration_arn,
+      :policy_variables)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2730,6 +2738,26 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # Contains variables that you can use to override default Suricata
+    # settings in your firewall policy.
+    #
+    # @!attribute [rw] rule_variables
+    #   The IPv4 or IPv6 addresses in CIDR notation to use for the Suricata
+    #   `HOME_NET` variable. If your firewall uses an inspection VPC, you
+    #   might want to override the `HOME_NET` variable with the CIDRs of
+    #   your home networks. If you don't override `HOME_NET` with your own
+    #   CIDRs, Network Firewall by default uses the CIDR of your inspection
+    #   VPC.
+    #   @return [Hash<String,Types::IPSet>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/PolicyVariables AWS API Documentation
+    #
+    class PolicyVariables < Struct.new(
+      :rule_variables)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A single port range specification. This is used for source and
     # destination port ranges in the stateless rule MatchAttributes,
     # `SourcePorts`, and `DestinationPorts` settings.
@@ -2804,10 +2832,6 @@ module Aws::NetworkFirewall
     #   For a firewall policy resource, you can specify the following
     #   operations in the Actions section of the statement:
     #
-    #   * network-firewall:CreateFirewall
-    #
-    #   * network-firewall:UpdateFirewall
-    #
     #   * network-firewall:AssociateFirewallPolicy
     #
     #   * network-firewall:ListFirewallPolicies
@@ -3425,6 +3449,13 @@ module Aws::NetworkFirewall
     #     behavior is rule dependent—a TCP-layer rule using a
     #     `flow:stateless` rule would still match, as would the
     #     `aws:drop_strict` default action.
+    #
+    #   * `REJECT` - Network Firewall fails closed and drops all subsequent
+    #     traffic going to the firewall. Network Firewall also sends a TCP
+    #     reject packet back to your client so that the client can
+    #     immediately establish a new session. Network Firewall will have
+    #     context about the new session and will apply rules to the
+    #     subsequent traffic.
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/StatefulEngineOptions AWS API Documentation

data/lib/aws-sdk-networkfirewall.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-networkfirewall/customizations'
 # @!group service
 module Aws::NetworkFirewall
 
-  GEM_VERSION = '1.26.0'
+  GEM_VERSION = '1.28.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-networkfirewall
 version: !ruby/object:Gem::Version
-  version: 1.26.0
+  version: 1.28.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-04-05 00:00:00.000000000 Z
+date: 2023-05-04 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core