aws-sdk-networkfirewall 1.11.0 → 1.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6ccab61032781decb6d5f4dc880424249824ef1dca1669c6985c65bf4c3b8a13
-  data.tar.gz: f8a4f0fcb037edace6d2f15af90846b2161801c93006fb3b8be813153c7fd620
+  metadata.gz: efb85e8a5f83f0a539703aefb30893ed8f96df4e00a361da83089ac061211dc5
+  data.tar.gz: 2cfc028fd27c7681a8a3561cfc22f250c8f93f3cf0b7d5543ff914bebc9ac7a5
 SHA512:
-  metadata.gz: e79c16a8f3fea2e0ab53e0d85e4b37892fe7d914c700fcc4408a630f604eb04ca64ba5af9d53f35a60d583dd9427939ae55785dfa16116c93fe5ab2ba3d7b1e0
-  data.tar.gz: ad221e62dfa116b7de586c3078ede1a795bed53bb2c11960f01be63000dcb6df57afc92da76389acfead37e08d1e1103503bd44c8d074eff02ae3eaa36a87f80
+  metadata.gz: 68820ccd6afe392a2ac4481f2657cdd404faafec75415d87cf313e959575bdea39ac5f3d7155622ef2faa2d17388d229a871735beaef8431e14e05115f59c7ac
+  data.tar.gz: d6e4dfb732b21248197e928a6219d36f194ecce636cd1b856182d875b5bf1938eef8dfb8ccca75be589a5e887e7db3d9410db0e922b78465a402ae27eec729e6

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.12.0 (2021-12-09)
+------------------
+
+* Feature - This release adds support for managed rule groups.
+
 1.11.0 (2021-11-30)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.11.0
+1.12.0

data/lib/aws-sdk-networkfirewall/client.rb

@@ -704,6 +704,9 @@ module Aws::NetworkFirewall
     #         {
     #           resource_arn: "ResourceArn", # required
     #           priority: 1,
+    #           override: {
+    #             action: "DROP_TO_ALERT", # accepts DROP_TO_ALERT
+    #           },
     #         },
     #       ],
     #       stateful_default_actions: ["CollectionMember_String"],
@@ -1319,6 +1322,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy.stateful_rule_group_references #=> Array
     #   resp.firewall_policy.stateful_rule_group_references[0].resource_arn #=> String
     #   resp.firewall_policy.stateful_rule_group_references[0].priority #=> Integer
+    #   resp.firewall_policy.stateful_rule_group_references[0].override.action #=> String, one of "DROP_TO_ALERT"
     #   resp.firewall_policy.stateful_default_actions #=> Array
     #   resp.firewall_policy.stateful_default_actions[0] #=> String
     #   resp.firewall_policy.stateful_engine_options.rule_order #=> String, one of "DEFAULT_ACTION_ORDER", "STRICT_ORDER"
@@ -1517,6 +1521,68 @@ module Aws::NetworkFirewall
       req.send_request(options)
     end
 
+    # High-level information about a rule group, returned by operations like
+    # create and describe. You can use the information provided in the
+    # metadata to retrieve and manage a rule group. You can retrieve all
+    # objects for a rule group by calling DescribeRuleGroup.
+    #
+    # @option params [String] :rule_group_name
+    #   The descriptive name of the rule group. You can't change the name of
+    #   a rule group after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [String] :rule_group_arn
+    #   The descriptive name of the rule group. You can't change the name of
+    #   a rule group after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #
+    # @option params [String] :type
+    #   Indicates whether the rule group is stateless or stateful. If the rule
+    #   group is stateless, it contains stateless rules. If it is stateful, it
+    #   contains stateful rules.
+    #
+    #   <note markdown="1"> This setting is required for requests that do not include the
+    #   `RuleGroupARN`.
+    #
+    #    </note>
+    #
+    # @return [Types::DescribeRuleGroupMetadataResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
+    #
+    #   * {Types::DescribeRuleGroupMetadataResponse#rule_group_arn #rule_group_arn} => String
+    #   * {Types::DescribeRuleGroupMetadataResponse#rule_group_name #rule_group_name} => String
+    #   * {Types::DescribeRuleGroupMetadataResponse#description #description} => String
+    #   * {Types::DescribeRuleGroupMetadataResponse#type #type} => String
+    #   * {Types::DescribeRuleGroupMetadataResponse#capacity #capacity} => Integer
+    #   * {Types::DescribeRuleGroupMetadataResponse#stateful_rule_options #stateful_rule_options} => Types::StatefulRuleOptions
+    #
+    # @example Request syntax with placeholder values
+    #
+    #   resp = client.describe_rule_group_metadata({
+    #     rule_group_name: "ResourceName",
+    #     rule_group_arn: "ResourceArn",
+    #     type: "STATELESS", # accepts STATELESS, STATEFUL
+    #   })
+    #
+    # @example Response structure
+    #
+    #   resp.rule_group_arn #=> String
+    #   resp.rule_group_name #=> String
+    #   resp.description #=> String
+    #   resp.type #=> String, one of "STATELESS", "STATEFUL"
+    #   resp.capacity #=> Integer
+    #   resp.stateful_rule_options.rule_order #=> String, one of "DEFAULT_ACTION_ORDER", "STRICT_ORDER"
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroupMetadata AWS API Documentation
+    #
+    # @overload describe_rule_group_metadata(params = {})
+    # @param [Hash] params ({})
+    def describe_rule_group_metadata(params = {}, options = {})
+      req = build_request(:describe_rule_group_metadata, params)
+      req.send_request(options)
+    end
+
     # Removes the specified subnet associations from the firewall. This
     # removes the firewall endpoints from the subnets and removes any
     # network filtering protections that the endpoints were providing.
@@ -1707,6 +1773,11 @@ module Aws::NetworkFirewall
     #   Network Firewall provides a `NextToken` value that you can use in a
     #   subsequent call to get the next batch of objects.
     #
+    # @option params [String] :scope
+    #   The scope of the request. The default setting of `ACCOUNT` or a
+    #   setting of `NULL` returns all of the rule groups in your account. A
+    #   setting of `MANAGED` returns all available managed rule groups.
+    #
     # @return [Types::ListRuleGroupsResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
     #
     #   * {Types::ListRuleGroupsResponse#next_token #next_token} => String
@@ -1719,6 +1790,7 @@ module Aws::NetworkFirewall
     #   resp = client.list_rule_groups({
     #     next_token: "PaginationToken",
     #     max_results: 1,
+    #     scope: "MANAGED", # accepts MANAGED, ACCOUNT
     #   })
     #
     # @example Response structure
@@ -2176,6 +2248,9 @@ module Aws::NetworkFirewall
     #         {
     #           resource_arn: "ResourceArn", # required
     #           priority: 1,
+    #           override: {
+    #             action: "DROP_TO_ALERT", # accepts DROP_TO_ALERT
+    #           },
     #         },
     #       ],
     #       stateful_default_actions: ["CollectionMember_String"],
@@ -2211,6 +2286,11 @@ module Aws::NetworkFirewall
       req.send_request(options)
     end
 
+    # Modifies the flag, `ChangeProtection`, which indicates whether it is
+    # possible to change the firewall. If the flag is set to `TRUE`, the
+    # firewall is protected from changes. This setting helps protect against
+    # accidentally changing a firewall that's in use.
+    #
     # @option params [String] :update_token
     #   An optional token that you can use for optimistic locking. Network
     #   Firewall returns a token to your requests that access the firewall.
@@ -2669,7 +2749,7 @@ module Aws::NetworkFirewall
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-networkfirewall'
-      context[:gem_version] = '1.11.0'
+      context[:gem_version] = '1.12.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-networkfirewall/client_api.rb

@@ -54,6 +54,8 @@ module Aws::NetworkFirewall
     DescribeLoggingConfigurationResponse = Shapes::StructureShape.new(name: 'DescribeLoggingConfigurationResponse')
     DescribeResourcePolicyRequest = Shapes::StructureShape.new(name: 'DescribeResourcePolicyRequest')
     DescribeResourcePolicyResponse = Shapes::StructureShape.new(name: 'DescribeResourcePolicyResponse')
+    DescribeRuleGroupMetadataRequest = Shapes::StructureShape.new(name: 'DescribeRuleGroupMetadataRequest')
+    DescribeRuleGroupMetadataResponse = Shapes::StructureShape.new(name: 'DescribeRuleGroupMetadataResponse')
     DescribeRuleGroupRequest = Shapes::StructureShape.new(name: 'DescribeRuleGroupRequest')
     DescribeRuleGroupResponse = Shapes::StructureShape.new(name: 'DescribeRuleGroupResponse')
     Description = Shapes::StringShape.new(name: 'Description')
@@ -106,6 +108,7 @@ module Aws::NetworkFirewall
     LoggingConfiguration = Shapes::StructureShape.new(name: 'LoggingConfiguration')
     MatchAttributes = Shapes::StructureShape.new(name: 'MatchAttributes')
     NumberOfAssociations = Shapes::IntegerShape.new(name: 'NumberOfAssociations')
+    OverrideAction = Shapes::StringShape.new(name: 'OverrideAction')
     PaginationMaxResults = Shapes::IntegerShape.new(name: 'PaginationMaxResults')
     PaginationToken = Shapes::StringShape.new(name: 'PaginationToken')
     PerObjectStatus = Shapes::StructureShape.new(name: 'PerObjectStatus')
@@ -125,6 +128,7 @@ module Aws::NetworkFirewall
     PutResourcePolicyResponse = Shapes::StructureShape.new(name: 'PutResourcePolicyResponse')
     ResourceArn = Shapes::StringShape.new(name: 'ResourceArn')
     ResourceId = Shapes::StringShape.new(name: 'ResourceId')
+    ResourceManagedStatus = Shapes::StringShape.new(name: 'ResourceManagedStatus')
     ResourceName = Shapes::StringShape.new(name: 'ResourceName')
     ResourceNotFoundException = Shapes::StructureShape.new(name: 'ResourceNotFoundException')
     ResourceOwnerCheckException = Shapes::StructureShape.new(name: 'ResourceOwnerCheckException')
@@ -153,6 +157,7 @@ module Aws::NetworkFirewall
     StatefulEngineOptions = Shapes::StructureShape.new(name: 'StatefulEngineOptions')
     StatefulRule = Shapes::StructureShape.new(name: 'StatefulRule')
     StatefulRuleDirection = Shapes::StringShape.new(name: 'StatefulRuleDirection')
+    StatefulRuleGroupOverride = Shapes::StructureShape.new(name: 'StatefulRuleGroupOverride')
     StatefulRuleGroupReference = Shapes::StructureShape.new(name: 'StatefulRuleGroupReference')
     StatefulRuleGroupReferences = Shapes::ListShape.new(name: 'StatefulRuleGroupReferences')
     StatefulRuleOptions = Shapes::StructureShape.new(name: 'StatefulRuleOptions')
@@ -351,6 +356,19 @@ module Aws::NetworkFirewall
     DescribeResourcePolicyResponse.add_member(:policy, Shapes::ShapeRef.new(shape: PolicyString, location_name: "Policy"))
     DescribeResourcePolicyResponse.struct_class = Types::DescribeResourcePolicyResponse
 
+    DescribeRuleGroupMetadataRequest.add_member(:rule_group_name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "RuleGroupName"))
+    DescribeRuleGroupMetadataRequest.add_member(:rule_group_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "RuleGroupArn"))
+    DescribeRuleGroupMetadataRequest.add_member(:type, Shapes::ShapeRef.new(shape: RuleGroupType, location_name: "Type"))
+    DescribeRuleGroupMetadataRequest.struct_class = Types::DescribeRuleGroupMetadataRequest
+
+    DescribeRuleGroupMetadataResponse.add_member(:rule_group_arn, Shapes::ShapeRef.new(shape: ResourceArn, required: true, location_name: "RuleGroupArn"))
+    DescribeRuleGroupMetadataResponse.add_member(:rule_group_name, Shapes::ShapeRef.new(shape: ResourceName, required: true, location_name: "RuleGroupName"))
+    DescribeRuleGroupMetadataResponse.add_member(:description, Shapes::ShapeRef.new(shape: Description, location_name: "Description"))
+    DescribeRuleGroupMetadataResponse.add_member(:type, Shapes::ShapeRef.new(shape: RuleGroupType, location_name: "Type"))
+    DescribeRuleGroupMetadataResponse.add_member(:capacity, Shapes::ShapeRef.new(shape: RuleCapacity, location_name: "Capacity"))
+    DescribeRuleGroupMetadataResponse.add_member(:stateful_rule_options, Shapes::ShapeRef.new(shape: StatefulRuleOptions, location_name: "StatefulRuleOptions"))
+    DescribeRuleGroupMetadataResponse.struct_class = Types::DescribeRuleGroupMetadataResponse
+
     DescribeRuleGroupRequest.add_member(:rule_group_name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "RuleGroupName"))
     DescribeRuleGroupRequest.add_member(:rule_group_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "RuleGroupArn"))
     DescribeRuleGroupRequest.add_member(:type, Shapes::ShapeRef.new(shape: RuleGroupType, location_name: "Type"))
@@ -484,6 +502,7 @@ module Aws::NetworkFirewall
 
     ListRuleGroupsRequest.add_member(:next_token, Shapes::ShapeRef.new(shape: PaginationToken, location_name: "NextToken"))
     ListRuleGroupsRequest.add_member(:max_results, Shapes::ShapeRef.new(shape: PaginationMaxResults, location_name: "MaxResults"))
+    ListRuleGroupsRequest.add_member(:scope, Shapes::ShapeRef.new(shape: ResourceManagedStatus, location_name: "Scope"))
     ListRuleGroupsRequest.struct_class = Types::ListRuleGroupsRequest
 
     ListRuleGroupsResponse.add_member(:next_token, Shapes::ShapeRef.new(shape: PaginationToken, location_name: "NextToken"))
@@ -618,8 +637,12 @@ module Aws::NetworkFirewall
     StatefulRule.add_member(:rule_options, Shapes::ShapeRef.new(shape: RuleOptions, required: true, location_name: "RuleOptions"))
     StatefulRule.struct_class = Types::StatefulRule
 
+    StatefulRuleGroupOverride.add_member(:action, Shapes::ShapeRef.new(shape: OverrideAction, location_name: "Action"))
+    StatefulRuleGroupOverride.struct_class = Types::StatefulRuleGroupOverride
+
     StatefulRuleGroupReference.add_member(:resource_arn, Shapes::ShapeRef.new(shape: ResourceArn, required: true, location_name: "ResourceArn"))
     StatefulRuleGroupReference.add_member(:priority, Shapes::ShapeRef.new(shape: Priority, location_name: "Priority", metadata: {"box"=>true}))
+    StatefulRuleGroupReference.add_member(:override, Shapes::ShapeRef.new(shape: StatefulRuleGroupOverride, location_name: "Override"))
     StatefulRuleGroupReference.struct_class = Types::StatefulRuleGroupReference
 
     StatefulRuleGroupReferences.member = Shapes::ShapeRef.new(shape: StatefulRuleGroupReference)
@@ -988,6 +1011,18 @@ module Aws::NetworkFirewall
         o.errors << Shapes::ShapeRef.new(shape: InternalServerError)
       end)
 
+      api.add_operation(:describe_rule_group_metadata, Seahorse::Model::Operation.new.tap do |o|
+        o.name = "DescribeRuleGroupMetadata"
+        o.http_method = "POST"
+        o.http_request_uri = "/"
+        o.input = Shapes::ShapeRef.new(shape: DescribeRuleGroupMetadataRequest)
+        o.output = Shapes::ShapeRef.new(shape: DescribeRuleGroupMetadataResponse)
+        o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
+        o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerError)
+      end)
+
       api.add_operation(:disassociate_subnets, Seahorse::Model::Operation.new.tap do |o|
         o.name = "DisassociateSubnets"
         o.http_method = "POST"
@@ -1059,6 +1094,8 @@ module Aws::NetworkFirewall
         o.http_request_uri = "/"
         o.input = Shapes::ShapeRef.new(shape: ListTagsForResourceRequest)
         o.output = Shapes::ShapeRef.new(shape: ListTagsForResourceResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerError)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
         o[:pager] = Aws::Pager.new(
@@ -1088,6 +1125,8 @@ module Aws::NetworkFirewall
         o.http_request_uri = "/"
         o.input = Shapes::ShapeRef.new(shape: TagResourceRequest)
         o.output = Shapes::ShapeRef.new(shape: TagResourceResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerError)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
       end)
@@ -1098,6 +1137,8 @@ module Aws::NetworkFirewall
         o.http_request_uri = "/"
         o.input = Shapes::ShapeRef.new(shape: UntagResourceRequest)
         o.output = Shapes::ShapeRef.new(shape: UntagResourceResponse)
+        o.errors << Shapes::ShapeRef.new(shape: ThrottlingException)
+        o.errors << Shapes::ShapeRef.new(shape: InternalServerError)
         o.errors << Shapes::ShapeRef.new(shape: ResourceNotFoundException)
         o.errors << Shapes::ShapeRef.new(shape: InvalidRequestException)
       end)

data/lib/aws-sdk-networkfirewall/types.rb

@@ -361,6 +361,9 @@ module Aws::NetworkFirewall
     #             {
     #               resource_arn: "ResourceArn", # required
     #               priority: 1,
+    #               override: {
+    #                 action: "DROP_TO_ALERT", # accepts DROP_TO_ALERT
+    #               },
     #             },
     #           ],
     #           stateful_default_actions: ["CollectionMember_String"],
@@ -1291,6 +1294,109 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass DescribeRuleGroupMetadataRequest
+    #   data as a hash:
+    #
+    #       {
+    #         rule_group_name: "ResourceName",
+    #         rule_group_arn: "ResourceArn",
+    #         type: "STATELESS", # accepts STATELESS, STATEFUL
+    #       }
+    #
+    # @!attribute [rw] rule_group_name
+    #   The descriptive name of the rule group. You can't change the name
+    #   of a rule group after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #   @return [String]
+    #
+    # @!attribute [rw] rule_group_arn
+    #   The descriptive name of the rule group. You can't change the name
+    #   of a rule group after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #   @return [String]
+    #
+    # @!attribute [rw] type
+    #   Indicates whether the rule group is stateless or stateful. If the
+    #   rule group is stateless, it contains stateless rules. If it is
+    #   stateful, it contains stateful rules.
+    #
+    #   <note markdown="1"> This setting is required for requests that do not include the
+    #   `RuleGroupARN`.
+    #
+    #    </note>
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroupMetadataRequest AWS API Documentation
+    #
+    class DescribeRuleGroupMetadataRequest < Struct.new(
+      :rule_group_name,
+      :rule_group_arn,
+      :type)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] rule_group_arn
+    #   The descriptive name of the rule group. You can't change the name
+    #   of a rule group after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #   @return [String]
+    #
+    # @!attribute [rw] rule_group_name
+    #   The descriptive name of the rule group. You can't change the name
+    #   of a rule group after you create it.
+    #
+    #   You must specify the ARN or the name, and you can specify both.
+    #   @return [String]
+    #
+    # @!attribute [rw] description
+    #   Returns the metadata objects for the specified rule group.
+    #   @return [String]
+    #
+    # @!attribute [rw] type
+    #   Indicates whether the rule group is stateless or stateful. If the
+    #   rule group is stateless, it contains stateless rules. If it is
+    #   stateful, it contains stateful rules.
+    #
+    #   <note markdown="1"> This setting is required for requests that do not include the
+    #   `RuleGroupARN`.
+    #
+    #    </note>
+    #   @return [String]
+    #
+    # @!attribute [rw] capacity
+    #   The maximum operating resources that this rule group can use. Rule
+    #   group capacity is fixed at creation. When you update a rule group,
+    #   you are limited to this capacity. When you reference a rule group
+    #   from a firewall policy, Network Firewall reserves this capacity for
+    #   the rule group.
+    #
+    #   You can retrieve the capacity that would be required for a rule
+    #   group before you create the rule group by calling CreateRuleGroup
+    #   with `DryRun` set to `TRUE`.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] stateful_rule_options
+    #   Additional options governing how Network Firewall handles the rule
+    #   group. You can only use these for stateful rule groups.
+    #   @return [Types::StatefulRuleOptions]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeRuleGroupMetadataResponse AWS API Documentation
+    #
+    class DescribeRuleGroupMetadataResponse < Struct.new(
+      :rule_group_arn,
+      :rule_group_name,
+      :description,
+      :type,
+      :capacity,
+      :stateful_rule_options)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass DescribeRuleGroupRequest
     #   data as a hash:
     #
@@ -1667,6 +1773,9 @@ module Aws::NetworkFirewall
     #           {
     #             resource_arn: "ResourceArn", # required
     #             priority: 1,
+    #             override: {
+    #               action: "DROP_TO_ALERT", # accepts DROP_TO_ALERT
+    #             },
     #           },
     #         ],
     #         stateful_default_actions: ["CollectionMember_String"],
@@ -1728,7 +1837,25 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] stateful_default_actions
     #   The default actions to take on a packet that doesn't match any
-    #   stateful rules.
+    #   stateful rules. The stateful default action is optional, and is only
+    #   valid when using the strict rule order.
+    #
+    #   Valid values of the stateful default action:
+    #
+    #   * aws:drop\_strict
+    #
+    #   * aws:drop\_established
+    #
+    #   * aws:alert\_strict
+    #
+    #   * aws:alert\_established
+    #
+    #   For more information, see [Strict evaluation order][1] in the *AWS
+    #   Network Firewall Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-strict-rule-evaluation-order.html
     #   @return [Array<String>]
     #
     # @!attribute [rw] stateful_engine_options
@@ -2243,6 +2370,7 @@ module Aws::NetworkFirewall
     #       {
     #         next_token: "PaginationToken",
     #         max_results: 1,
+    #         scope: "MANAGED", # accepts MANAGED, ACCOUNT
     #       }
     #
     # @!attribute [rw] next_token
@@ -2260,11 +2388,18 @@ module Aws::NetworkFirewall
     #   use in a subsequent call to get the next batch of objects.
     #   @return [Integer]
     #
+    # @!attribute [rw] scope
+    #   The scope of the request. The default setting of `ACCOUNT` or a
+    #   setting of `NULL` returns all of the rule groups in your account. A
+    #   setting of `MANAGED` returns all available managed rule groups.
+    #   @return [String]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/ListRuleGroupsRequest AWS API Documentation
     #
     class ListRuleGroupsRequest < Struct.new(
       :next_token,
-      :max_results)
+      :max_results,
+      :scope)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3309,9 +3444,8 @@ module Aws::NetworkFirewall
     #       }
     #
     # @!attribute [rw] targets
-    #   The domains that you want to inspect for in your traffic flows. To
-    #   provide multiple domains, separate them with commas. Valid domain
-    #   specifications are the following:
+    #   The domains that you want to inspect for in your traffic flows.
+    #   Valid domain specifications are the following:
     #
     #   * Explicit names. For example, `abc.example.com` matches only the
     #     domain `abc.example.com`.
@@ -3354,13 +3488,15 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] rule_order
     #   Indicates how to manage the order of stateful rule evaluation for
-    #   the policy. By default, Network Firewall leaves the rule evaluation
-    #   order up to the Suricata rule processing engine. If you set this to
-    #   `STRICT_ORDER`, your rules are evaluated in the exact order that you
-    #   provide them in the policy. With strict ordering, the rule groups
-    #   are evaluated by order of priority, starting from the lowest number,
-    #   and the rules in each rule group are processed in the order that
-    #   they're defined.
+    #   the policy. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful
+    #   rules are provided to the rule engine as Suricata compatible
+    #   strings, and Suricata evaluates them based on certain settings. For
+    #   more information, see [Evaluation order for stateful rules][1] in
+    #   the *AWS Network Firewall Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/StatefulEngineOptions AWS API Documentation
@@ -3446,6 +3582,29 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # The setting that allows the policy owner to change the behavior of the
+    # rule group within a policy.
+    #
+    # @note When making an API call, you may pass StatefulRuleGroupOverride
+    #   data as a hash:
+    #
+    #       {
+    #         action: "DROP_TO_ALERT", # accepts DROP_TO_ALERT
+    #       }
+    #
+    # @!attribute [rw] action
+    #   The action that changes the rule group from `DROP` to `ALERT`. This
+    #   only applies to managed rule groups.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/StatefulRuleGroupOverride AWS API Documentation
+    #
+    class StatefulRuleGroupOverride < Struct.new(
+      :action)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # Identifier for a single stateful rule group, used in a firewall policy
     # to refer to a rule group.
     #
@@ -3455,6 +3614,9 @@ module Aws::NetworkFirewall
     #       {
     #         resource_arn: "ResourceArn", # required
     #         priority: 1,
+    #         override: {
+    #           action: "DROP_TO_ALERT", # accepts DROP_TO_ALERT
+    #         },
     #       }
     #
     # @!attribute [rw] resource_arn
@@ -3478,11 +3640,17 @@ module Aws::NetworkFirewall
     #   on.
     #   @return [Integer]
     #
+    # @!attribute [rw] override
+    #   The action that allows the policy owner to override the behavior of
+    #   the rule group within a policy.
+    #   @return [Types::StatefulRuleGroupOverride]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/StatefulRuleGroupReference AWS API Documentation
     #
     class StatefulRuleGroupReference < Struct.new(
       :resource_arn,
-      :priority)
+      :priority,
+      :override)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -3499,10 +3667,15 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] rule_order
     #   Indicates how to manage the order of the rule evaluation for the
-    #   rule group. By default, Network Firewall leaves the rule evaluation
-    #   order up to the Suricata rule processing engine. If you set this to
-    #   `STRICT_ORDER`, your rules are evaluated in the exact order that
-    #   they're listed in your Suricata rules string.
+    #   rule group. `DEFAULT_ACTION_ORDER` is the default behavior. Stateful
+    #   rules are provided to the rule engine as Suricata compatible
+    #   strings, and Suricata evaluates them based on certain settings. For
+    #   more information, see [Evaluation order for stateful rules][1] in
+    #   the *AWS Network Firewall Developer Guide*.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html
     #   @return [String]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/StatefulRuleOptions AWS API Documentation
@@ -4009,6 +4182,11 @@ module Aws::NetworkFirewall
     #   @return [String]
     #
     # @!attribute [rw] delete_protection
+    #   A flag indicating whether it is possible to delete the firewall. A
+    #   setting of `TRUE` indicates that the firewall is protected against
+    #   deletion. Use this setting to protect against accidentally deleting
+    #   a firewall that is in use. When you create a firewall, the operation
+    #   initializes this flag to `TRUE`.
     #   @return [Boolean]
     #
     # @!attribute [rw] update_token
@@ -4289,6 +4467,9 @@ module Aws::NetworkFirewall
     #             {
     #               resource_arn: "ResourceArn", # required
     #               priority: 1,
+    #               override: {
+    #                 action: "DROP_TO_ALERT", # accepts DROP_TO_ALERT
+    #               },
     #             },
     #           ],
     #           stateful_default_actions: ["CollectionMember_String"],

data/lib/aws-sdk-networkfirewall.rb

@@ -48,6 +48,6 @@ require_relative 'aws-sdk-networkfirewall/customizations'
 # @!group service
 module Aws::NetworkFirewall
 
-  GEM_VERSION = '1.11.0'
+  GEM_VERSION = '1.12.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-networkfirewall
 version: !ruby/object:Gem::Version
-  version: 1.11.0
+  version: 1.12.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-11-30 00:00:00.000000000 Z
+date: 2021-12-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core