aws-sdk-networkfirewall 1.68.0 → 1.69.0

data/lib/aws-sdk-networkfirewall/types.rb

@@ -37,6 +37,59 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # @!attribute [rw] transit_gateway_attachment_id
+    #   Required. The unique identifier of the transit gateway attachment to
+    #   accept. This ID is returned in the response when creating a transit
+    #   gateway-attached firewall.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AcceptNetworkFirewallTransitGatewayAttachmentRequest AWS API Documentation
+    #
+    class AcceptNetworkFirewallTransitGatewayAttachmentRequest < Struct.new(
+      :transit_gateway_attachment_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] transit_gateway_attachment_id
+    #   The unique identifier of the transit gateway attachment that was
+    #   accepted.
+    #   @return [String]
+    #
+    # @!attribute [rw] transit_gateway_attachment_status
+    #   The current status of the transit gateway attachment. Valid values
+    #   are:
+    #
+    #   * `CREATING` - The attachment is being created
+    #
+    #   * `DELETING` - The attachment is being deleted
+    #
+    #   * `DELETED` - The attachment has been deleted
+    #
+    #   * `FAILED` - The attachment creation has failed and cannot be
+    #     recovered
+    #
+    #   * `ERROR` - The attachment is in an error state that might be
+    #     recoverable
+    #
+    #   * `READY` - The attachment is active and processing traffic
+    #
+    #   * `PENDING_ACCEPTANCE` - The attachment is waiting to be accepted
+    #
+    #   * `REJECTING` - The attachment is in the process of being rejected
+    #
+    #   * `REJECTED` - The attachment has been rejected
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AcceptNetworkFirewallTransitGatewayAttachmentResponse AWS API Documentation
+    #
+    class AcceptNetworkFirewallTransitGatewayAttachmentResponse < Struct.new(
+      :transit_gateway_attachment_id,
+      :transit_gateway_attachment_status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A custom action to use in stateless rule actions settings. This is
     # used in CustomAction.
     #
@@ -253,6 +306,101 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # @!attribute [rw] update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of
+    #   the request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs
+    #   your updates regardless of whether the firewall has changed since
+    #   you last retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If
+    #   this happens, retrieve the firewall again to get a current copy of
+    #   it with a new token. Reapply your changes as needed, then try the
+    #   operation again using the new token.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_name
+    #   The descriptive name of the firewall. You can't change the name of
+    #   a firewall after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone_mappings
+    #   Required. The Availability Zones where you want to create firewall
+    #   endpoints. You must specify at least one Availability Zone.
+    #   @return [Array<Types::AvailabilityZoneMapping>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AssociateAvailabilityZonesRequest AWS API Documentation
+    #
+    class AssociateAvailabilityZonesRequest < Struct.new(
+      :update_token,
+      :firewall_arn,
+      :firewall_name,
+      :availability_zone_mappings)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_name
+    #   The descriptive name of the firewall. You can't change the name of
+    #   a firewall after you create it.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone_mappings
+    #   The Availability Zones where Network Firewall created firewall
+    #   endpoints. Each mapping specifies an Availability Zone where the
+    #   firewall processes traffic.
+    #   @return [Array<Types::AvailabilityZoneMapping>]
+    #
+    # @!attribute [rw] update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of
+    #   the request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs
+    #   your updates regardless of whether the firewall has changed since
+    #   you last retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If
+    #   this happens, retrieve the firewall again to get a current copy of
+    #   it with a new token. Reapply your changes as needed, then try the
+    #   operation again using the new token.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AssociateAvailabilityZonesResponse AWS API Documentation
+    #
+    class AssociateAvailabilityZonesResponse < Struct.new(
+      :firewall_arn,
+      :firewall_name,
+      :availability_zone_mappings,
+      :update_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] update_token
     #   An optional token that you can use for optimistic locking. Network
     #   Firewall returns a token to your requests that access the firewall.
@@ -499,6 +647,29 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # Defines the mapping between an Availability Zone and a firewall
+    # endpoint for a transit gateway-attached firewall. Each mapping
+    # represents where the firewall can process traffic. You use these
+    # mappings when calling CreateFirewall, AssociateAvailabilityZones, and
+    # DisassociateAvailabilityZones.
+    #
+    # To retrieve the current Availability Zone mappings for a firewall, use
+    # DescribeFirewall.
+    #
+    # @!attribute [rw] availability_zone
+    #   The ID of the Availability Zone where the firewall endpoint is
+    #   located. For example, `us-east-2a`. The Availability Zone must be in
+    #   the same Region as the transit gateway.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/AvailabilityZoneMapping AWS API Documentation
+    #
+    class AvailabilityZoneMapping < Struct.new(
+      :availability_zone)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # High-level information about an Availability Zone where the firewall
     # has an endpoint defined.
     #
@@ -753,6 +924,50 @@ module Aws::NetworkFirewall
     #   to enable on the firewall.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] transit_gateway_id
+    #   Required when creating a transit gateway-attached firewall. The
+    #   unique identifier of the transit gateway to attach to this firewall.
+    #   You can provide either a transit gateway from your account or one
+    #   that has been shared with you through Resource Access Manager.
+    #
+    #   After creating the firewall, you cannot change the transit gateway
+    #   association. To use a different transit gateway, you must create a
+    #   new firewall.
+    #
+    #   For information about creating firewalls, see CreateFirewall. For
+    #   specific guidance about transit gateway-attached firewalls, see
+    #   [Considerations for transit gateway-attached firewalls][1] in the
+    #   *Network Firewall Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/tgw-firewall-considerations.html
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone_mappings
+    #   Required. The Availability Zones where you want to create firewall
+    #   endpoints for a transit gateway-attached firewall. You must specify
+    #   at least one Availability Zone. Consider enabling the firewall in
+    #   every Availability Zone where you have workloads to maintain
+    #   Availability Zone independence.
+    #
+    #   You can modify Availability Zones later using
+    #   AssociateAvailabilityZones or DisassociateAvailabilityZones, but
+    #   this may briefly disrupt traffic. The
+    #   `AvailabilityZoneChangeProtection` setting controls whether you can
+    #   make these modifications.
+    #   @return [Array<Types::AvailabilityZoneMapping>]
+    #
+    # @!attribute [rw] availability_zone_change_protection
+    #   Optional. A setting indicating whether the firewall is protected
+    #   against changes to its Availability Zone configuration. When set to
+    #   `TRUE`, you cannot add or remove Availability Zones without first
+    #   disabling this protection using
+    #   UpdateAvailabilityZoneChangeProtection.
+    #
+    #   Default value: `FALSE`
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/CreateFirewallRequest AWS API Documentation
     #
     class CreateFirewallRequest < Struct.new(
@@ -766,7 +981,10 @@ module Aws::NetworkFirewall
       :description,
       :tags,
       :encryption_configuration,
-      :enabled_analysis_types)
+      :enabled_analysis_types,
+      :transit_gateway_id,
+      :availability_zone_mappings,
+      :availability_zone_change_protection)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1268,6 +1486,59 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # @!attribute [rw] transit_gateway_attachment_id
+    #   Required. The unique identifier of the transit gateway attachment to
+    #   delete.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteNetworkFirewallTransitGatewayAttachmentRequest AWS API Documentation
+    #
+    class DeleteNetworkFirewallTransitGatewayAttachmentRequest < Struct.new(
+      :transit_gateway_attachment_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] transit_gateway_attachment_id
+    #   The ID of the transit gateway attachment that was deleted.
+    #   @return [String]
+    #
+    # @!attribute [rw] transit_gateway_attachment_status
+    #   The current status of the transit gateway attachment deletion
+    #   process.
+    #
+    #   Valid values are:
+    #
+    #   * `CREATING` - The attachment is being created
+    #
+    #   * `DELETING` - The attachment is being deleted
+    #
+    #   * `DELETED` - The attachment has been deleted
+    #
+    #   * `FAILED` - The attachment creation has failed and cannot be
+    #     recovered
+    #
+    #   * `ERROR` - The attachment is in an error state that might be
+    #     recoverable
+    #
+    #   * `READY` - The attachment is active and processing traffic
+    #
+    #   * `PENDING_ACCEPTANCE` - The attachment is waiting to be accepted
+    #
+    #   * `REJECTING` - The attachment is in the process of being rejected
+    #
+    #   * `REJECTED` - The attachment has been rejected
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DeleteNetworkFirewallTransitGatewayAttachmentResponse AWS API Documentation
+    #
+    class DeleteNetworkFirewallTransitGatewayAttachmentResponse < Struct.new(
+      :transit_gateway_attachment_id,
+      :transit_gateway_attachment_status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] resource_arn
     #   The Amazon Resource Name (ARN) of the rule group or firewall policy
     #   whose resource policy you want to delete.
@@ -1444,6 +1715,12 @@ module Aws::NetworkFirewall
     #   defined.
     #   @return [Hash<String,Types::AvailabilityZoneMetadata>]
     #
+    # @!attribute [rw] transit_gateway_attachment_id
+    #   The unique identifier of the transit gateway attachment associated
+    #   with this firewall. This field is only present for transit
+    #   gateway-attached firewalls.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewallMetadataResponse AWS API Documentation
     #
     class DescribeFirewallMetadataResponse < Struct.new(
@@ -1451,7 +1728,8 @@ module Aws::NetworkFirewall
       :firewall_policy_arn,
       :description,
       :status,
-      :supported_availability_zones)
+      :supported_availability_zones,
+      :transit_gateway_attachment_id)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -1851,7 +2129,7 @@ module Aws::NetworkFirewall
     #   @return [Types::StatefulRuleOptions]
     #
     # @!attribute [rw] last_modified_time
-    #   The last time that the rule group was changed.
+    #   A timestamp indicating when the rule group was last modified.
     #   @return [Time]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroupMetadataResponse AWS API Documentation
@@ -2099,6 +2377,100 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # @!attribute [rw] update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of
+    #   the request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs
+    #   your updates regardless of whether the firewall has changed since
+    #   you last retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If
+    #   this happens, retrieve the firewall again to get a current copy of
+    #   it with a new token. Reapply your changes as needed, then try the
+    #   operation again using the new token.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_name
+    #   The descriptive name of the firewall. You can't change the name of
+    #   a firewall after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone_mappings
+    #   Required. The Availability Zones to remove from the firewall's
+    #   configuration.
+    #   @return [Array<Types::AvailabilityZoneMapping>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DisassociateAvailabilityZonesRequest AWS API Documentation
+    #
+    class DisassociateAvailabilityZonesRequest < Struct.new(
+      :update_token,
+      :firewall_arn,
+      :firewall_name,
+      :availability_zone_mappings)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_name
+    #   The descriptive name of the firewall. You can't change the name of
+    #   a firewall after you create it.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone_mappings
+    #   The remaining Availability Zones where the firewall has endpoints
+    #   after the disassociation.
+    #   @return [Array<Types::AvailabilityZoneMapping>]
+    #
+    # @!attribute [rw] update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of
+    #   the request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs
+    #   your updates regardless of whether the firewall has changed since
+    #   you last retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If
+    #   this happens, retrieve the firewall again to get a current copy of
+    #   it with a new token. Reapply your changes as needed, then try the
+    #   operation again using the new token.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DisassociateAvailabilityZonesResponse AWS API Documentation
+    #
+    class DisassociateAvailabilityZonesResponse < Struct.new(
+      :firewall_arn,
+      :firewall_name,
+      :availability_zone_mappings,
+      :update_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] update_token
     #   An optional token that you can use for optimistic locking. Network
     #   Firewall returns a token to your requests that access the firewall.
@@ -2340,6 +2712,31 @@ module Aws::NetworkFirewall
     #   to enable on the firewall.
     #   @return [Array<String>]
     #
+    # @!attribute [rw] transit_gateway_id
+    #   The unique identifier of the transit gateway associated with this
+    #   firewall. This field is only present for transit gateway-attached
+    #   firewalls.
+    #   @return [String]
+    #
+    # @!attribute [rw] transit_gateway_owner_account_id
+    #   The Amazon Web Services account ID that owns the transit gateway.
+    #   This may be different from the firewall owner's account ID when
+    #   using a shared transit gateway.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone_mappings
+    #   The Availability Zones where the firewall endpoints are created for
+    #   a transit gateway-attached firewall. Each mapping specifies an
+    #   Availability Zone where the firewall processes traffic.
+    #   @return [Array<Types::AvailabilityZoneMapping>]
+    #
+    # @!attribute [rw] availability_zone_change_protection
+    #   A setting indicating whether the firewall is protected against
+    #   changes to its Availability Zone configuration. When set to `TRUE`,
+    #   you must first disable this protection before adding or removing
+    #   Availability Zones.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/Firewall AWS API Documentation
     #
     class Firewall < Struct.new(
@@ -2356,7 +2753,11 @@ module Aws::NetworkFirewall
       :tags,
       :encryption_configuration,
       :number_of_associations,
-      :enabled_analysis_types)
+      :enabled_analysis_types,
+      :transit_gateway_id,
+      :transit_gateway_owner_account_id,
+      :availability_zone_mappings,
+      :availability_zone_change_protection)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2374,11 +2775,18 @@ module Aws::NetworkFirewall
     #   The Amazon Resource Name (ARN) of the firewall.
     #   @return [String]
     #
+    # @!attribute [rw] transit_gateway_attachment_id
+    #   The unique identifier of the transit gateway attachment associated
+    #   with this firewall. This field is only present for transit
+    #   gateway-attached firewalls.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/FirewallMetadata AWS API Documentation
     #
     class FirewallMetadata < Struct.new(
       :firewall_name,
-      :firewall_arn)
+      :firewall_arn,
+      :transit_gateway_attachment_id)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2651,13 +3059,21 @@ module Aws::NetworkFirewall
     #   all of the reference sets in a firewall.
     #   @return [Types::CapacityUsageSummary]
     #
+    # @!attribute [rw] transit_gateway_attachment_sync_state
+    #   The synchronization state of the transit gateway attachment. This
+    #   indicates whether the firewall's transit gateway configuration is
+    #   properly synchronized and operational. Use this to verify that your
+    #   transit gateway configuration changes have been applied.
+    #   @return [Types::TransitGatewayAttachmentSyncState]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/FirewallStatus AWS API Documentation
     #
     class FirewallStatus < Struct.new(
       :status,
       :configuration_sync_state_summary,
       :sync_states,
-      :capacity_usage_summary)
+      :capacity_usage_summary,
+      :transit_gateway_attachment_sync_state)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -4176,6 +4592,67 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # @!attribute [rw] transit_gateway_attachment_id
+    #   Required. The unique identifier of the transit gateway attachment to
+    #   reject. This ID is returned in the response when creating a transit
+    #   gateway-attached firewall.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RejectNetworkFirewallTransitGatewayAttachmentRequest AWS API Documentation
+    #
+    class RejectNetworkFirewallTransitGatewayAttachmentRequest < Struct.new(
+      :transit_gateway_attachment_id)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] transit_gateway_attachment_id
+    #   The unique identifier of the transit gateway attachment that was
+    #   rejected.
+    #   @return [String]
+    #
+    # @!attribute [rw] transit_gateway_attachment_status
+    #   The current status of the transit gateway attachment. Valid values
+    #   are:
+    #
+    #   * `CREATING` - The attachment is being created
+    #
+    #   * `DELETING` - The attachment is being deleted
+    #
+    #   * `DELETED` - The attachment has been deleted
+    #
+    #   * `FAILED` - The attachment creation has failed and cannot be
+    #     recovered
+    #
+    #   * `ERROR` - The attachment is in an error state that might be
+    #     recoverable
+    #
+    #   * `READY` - The attachment is active and processing traffic
+    #
+    #   * `PENDING_ACCEPTANCE` - The attachment is waiting to be accepted
+    #
+    #   * `REJECTING` - The attachment is in the process of being rejected
+    #
+    #   * `REJECTED` - The attachment has been rejected
+    #
+    #   For information about troubleshooting endpoint failures, see
+    #   [Troubleshooting firewall endpoint failures][1] in the *Network
+    #   Firewall Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/RejectNetworkFirewallTransitGatewayAttachmentResponse AWS API Documentation
+    #
+    class RejectNetworkFirewallTransitGatewayAttachmentResponse < Struct.new(
+      :transit_gateway_attachment_id,
+      :transit_gateway_attachment_status)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Unable to locate a resource using the parameters that you provided.
     #
     # @!attribute [rw] message
@@ -4407,7 +4884,7 @@ module Aws::NetworkFirewall
     #   @return [Types::SourceMetadata]
     #
     # @!attribute [rw] sns_topic
-    #   The Amazon resource name (ARN) of the Amazon Simple Notification
+    #   The Amazon Resource Name (ARN) of the Amazon Simple Notification
     #   Service SNS topic that's used to record changes to the managed rule
     #   group. You can subscribe to the SNS topic to receive notifications
     #   when the managed rule group is modified, such as for new versions
@@ -4491,7 +4968,8 @@ module Aws::NetworkFirewall
     end
 
     # Settings that are available for use in the rules in the RuleGroup
-    # where this is defined.
+    # where this is defined. See CreateRuleGroup or UpdateRuleGroup for
+    # usage.
     #
     # @!attribute [rw] ip_sets
     #   A list of IP addresses and address ranges, in CIDR notation.
@@ -4682,9 +5160,8 @@ module Aws::NetworkFirewall
     #     Authority.
     #
     #   For more information about configuring certificates for outbound
-    #   inspection, see [Using SSL/TLS certificates with certificates with
-    #   TLS inspection configurations][1] in the *Network Firewall Developer
-    #   Guide*.
+    #   inspection, see [Using SSL/TLS certificates with TLS inspection
+    #   configurations][1] in the *Network Firewall Developer Guide*.
     #
     #   For information about working with certificates in ACM, see
     #   [Importing certificates][2] in the *Certificate Manager User Guide*.
@@ -5001,17 +5478,18 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] rule_order
     #   Indicates how to manage the order of stateful rule evaluation for
-    #   the policy. `STRICT_ORDER` is the default and recommended option.
-    #   With `STRICT_ORDER`, provide your rules in the order that you want
-    #   them to be evaluated. You can then choose one or more default
-    #   actions for packets that don't match any rules. Choose
-    #   `STRICT_ORDER` to have the stateful rules engine determine the
-    #   evaluation order of your rules. The default action for this rule
-    #   order is `PASS`, followed by `DROP`, `REJECT`, and `ALERT` actions.
-    #   Stateful rules are provided to the rule engine as Suricata
-    #   compatible strings, and Suricata evaluates them based on your
-    #   settings. For more information, see [Evaluation order for stateful
-    #   rules][1] in the *Network Firewall Developer Guide*.
+    #   the policy. `STRICT_ORDER` is the recommended option, but
+    #   `DEFAULT_ACTION_ORDER` is the default option. With `STRICT_ORDER`,
+    #   provide your rules in the order that you want them to be evaluated.
+    #   You can then choose one or more default actions for packets that
+    #   don't match any rules. Choose `STRICT_ORDER` to have the stateful
+    #   rules engine determine the evaluation order of your rules. The
+    #   default action for this rule order is `PASS`, followed by `DROP`,
+    #   `REJECT`, and `ALERT` actions. Stateful rules are provided to the
+    #   rule engine as Suricata compatible strings, and Suricata evaluates
+    #   them based on your settings. For more information, see [Evaluation
+    #   order for stateful rules][1] in the *Network Firewall Developer
+    #   Guide*.
     #
     #
     #
@@ -5612,6 +6090,87 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # Contains information about the synchronization state of a transit
+    # gateway attachment, including its current status and any error
+    # messages. Network Firewall uses this to track the state of your
+    # transit gateway configuration changes.
+    #
+    # @!attribute [rw] attachment_id
+    #   The unique identifier of the transit gateway attachment.
+    #   @return [String]
+    #
+    # @!attribute [rw] transit_gateway_attachment_status
+    #   The current status of the transit gateway attachment.
+    #
+    #   Valid values are:
+    #
+    #   * `CREATING` - The attachment is being created
+    #
+    #   * `DELETING` - The attachment is being deleted
+    #
+    #   * `DELETED` - The attachment has been deleted
+    #
+    #   * `FAILED` - The attachment creation has failed and cannot be
+    #     recovered
+    #
+    #   * `ERROR` - The attachment is in an error state that might be
+    #     recoverable
+    #
+    #   * `READY` - The attachment is active and processing traffic
+    #
+    #   * `PENDING_ACCEPTANCE` - The attachment is waiting to be accepted
+    #
+    #   * `REJECTING` - The attachment is in the process of being rejected
+    #
+    #   * `REJECTED` - The attachment has been rejected
+    #   @return [String]
+    #
+    # @!attribute [rw] status_message
+    #   A message providing additional information about the current status,
+    #   particularly useful when the transit gateway attachment is in a
+    #   non-`READY` state.
+    #
+    #   Valid values are:
+    #
+    #   * `CREATING` - The attachment is being created
+    #
+    #   * `DELETING` - The attachment is being deleted
+    #
+    #   * `DELETED` - The attachment has been deleted
+    #
+    #   * `FAILED` - The attachment creation has failed and cannot be
+    #     recovered
+    #
+    #   * `ERROR` - The attachment is in an error state that might be
+    #     recoverable
+    #
+    #   * `READY` - The attachment is active and processing traffic
+    #
+    #   * `PENDING_ACCEPTANCE` - The attachment is waiting to be accepted
+    #
+    #   * `REJECTING` - The attachment is in the process of being rejected
+    #
+    #   * `REJECTED` - The attachment has been rejected
+    #
+    #   For information about troubleshooting endpoint failures, see
+    #   [Troubleshooting firewall endpoint failures][1] in the *Network
+    #   Firewall Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/firewall-troubleshooting-endpoint-failures.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/TransitGatewayAttachmentSyncState AWS API Documentation
+    #
+    class TransitGatewayAttachmentSyncState < Struct.new(
+      :attachment_id,
+      :transit_gateway_attachment_status,
+      :status_message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A unique source IP address that connected to a domain.
     #
     # @!attribute [rw] count
@@ -5659,6 +6218,106 @@ module Aws::NetworkFirewall
     #
     class UntagResourceResponse < Aws::EmptyStructure; end
 
+    # @!attribute [rw] update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of
+    #   the request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs
+    #   your updates regardless of whether the firewall has changed since
+    #   you last retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If
+    #   this happens, retrieve the firewall again to get a current copy of
+    #   it with a new token. Reapply your changes as needed, then try the
+    #   operation again using the new token.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_name
+    #   The descriptive name of the firewall. You can't change the name of
+    #   a firewall after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone_change_protection
+    #   A setting indicating whether the firewall is protected against
+    #   changes to the subnet associations. Use this setting to protect
+    #   against accidentally modifying the subnet associations for a
+    #   firewall that is in use. When you create a firewall, the operation
+    #   initializes this setting to `TRUE`.
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateAvailabilityZoneChangeProtectionRequest AWS API Documentation
+    #
+    class UpdateAvailabilityZoneChangeProtectionRequest < Struct.new(
+      :update_token,
+      :firewall_arn,
+      :firewall_name,
+      :availability_zone_change_protection)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] update_token
+    #   An optional token that you can use for optimistic locking. Network
+    #   Firewall returns a token to your requests that access the firewall.
+    #   The token marks the state of the firewall resource at the time of
+    #   the request.
+    #
+    #   To make an unconditional change to the firewall, omit the token in
+    #   your update request. Without the token, Network Firewall performs
+    #   your updates regardless of whether the firewall has changed since
+    #   you last retrieved it.
+    #
+    #   To make a conditional change to the firewall, provide the token in
+    #   your update request. Network Firewall uses the token to ensure that
+    #   the firewall hasn't changed since you last retrieved it. If it has
+    #   changed, the operation fails with an `InvalidTokenException`. If
+    #   this happens, retrieve the firewall again to get a current copy of
+    #   it with a new token. Reapply your changes as needed, then try the
+    #   operation again using the new token.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_arn
+    #   The Amazon Resource Name (ARN) of the firewall.
+    #   @return [String]
+    #
+    # @!attribute [rw] firewall_name
+    #   The descriptive name of the firewall. You can't change the name of
+    #   a firewall after you create it.
+    #   @return [String]
+    #
+    # @!attribute [rw] availability_zone_change_protection
+    #   A setting indicating whether the firewall is protected against
+    #   changes to the subnet associations. Use this setting to protect
+    #   against accidentally modifying the subnet associations for a
+    #   firewall that is in use. When you create a firewall, the operation
+    #   initializes this setting to `TRUE`.
+    #   @return [Boolean]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/UpdateAvailabilityZoneChangeProtectionResponse AWS API Documentation
+    #
+    class UpdateAvailabilityZoneChangeProtectionResponse < Struct.new(
+      :update_token,
+      :firewall_arn,
+      :firewall_name,
+      :availability_zone_change_protection)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @!attribute [rw] enabled_analysis_types
     #   An optional setting indicating the specific traffic analysis types
     #   to enable on the firewall.