aws-sdk-networkfirewall 1.26.0 → 1.27.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f06525de7ab96ffab1dc74ee6cfb7629f37fade446430443a5e3fa6a6430e571
-  data.tar.gz: cdaf82868e449d14b6b626169486b4fd60346a3d3e98d36dbbbfeb76919c0647
+  metadata.gz: 848dc5acca2271ff27fe731050b218de6eb5bd90c5cf3f9238d2e7876bd779f1
+  data.tar.gz: 5020c9ed7a2fdde8c547c9e45989ae6c57531ebef798c35c69b18ca031845bf1
 SHA512:
-  metadata.gz: 04f2235e8fef3726e03bac04bcca56af77b3ad6055d70f68fd4284a213916edc9b73a901f6480cd4951407fd37df9380d8bf7f6e1b3bddb194074f2136c5d94b
-  data.tar.gz: 254bfefe094e643f56861d3444353792363e6fbfc1d89b51a9b9e0da8b9d064a449399120640d2d82762fd48d1c3b62428f72b6229475a78586410103c22f8b9
+  metadata.gz: 198569d2c17cdc7db5247a1e39838ec54582a80bafb30946911c02ef36e3482a09a2288407e9bdc86dd9cc8e63914f4dcf4f2b2eb156e220db172cafb8d9d393
+  data.tar.gz: 56255332e20a9726aba325f3e512b28dad5dfcbd4cc7317df5be254aac4a2c5bddaa6f3ec11fb7d0539938866568997a93cf4c9615e1c83de9b4620f5101cbae

data/CHANGELOG.md

@@ -1,6 +1,11 @@
 Unreleased Changes
 ------------------
 
+1.27.0 (2023-05-03)
+------------------
+
+* Feature - AWS Network Firewall now supports policy level HOME_NET variable overrides.
+
 1.26.0 (2023-04-05)
 ------------------
 

data/VERSION

@@ -1 +1 @@
-1.26.0
+1.27.0

data/lib/aws-sdk-networkfirewall/client.rb

@@ -663,7 +663,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.sync_states #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.subnet_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.endpoint_id #=> String
-    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY"
+    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY", "FAILED", "ERROR"
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status_message #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].config #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
@@ -769,6 +769,13 @@ module Aws::NetworkFirewall
     #         stream_exception_policy: "DROP", # accepts DROP, CONTINUE
     #       },
     #       tls_inspection_configuration_arn: "ResourceArn",
+    #       policy_variables: {
+    #         rule_variables: {
+    #           "RuleVariableName" => {
+    #             definition: ["VariableDefinition"], # required
+    #           },
+    #         },
+    #       },
     #     },
     #     description: "Description",
     #     tags: [
@@ -1324,7 +1331,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.sync_states #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.subnet_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.endpoint_id #=> String
-    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY"
+    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY", "FAILED", "ERROR"
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status_message #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].config #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
@@ -1586,7 +1593,7 @@ module Aws::NetworkFirewall
     #   resp.firewall_status.sync_states #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.subnet_id #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.endpoint_id #=> String
-    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY"
+    #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status #=> String, one of "CREATING", "DELETING", "SCALING", "READY", "FAILED", "ERROR"
     #   resp.firewall_status.sync_states["AvailabilityZone"].attachment.status_message #=> String
     #   resp.firewall_status.sync_states["AvailabilityZone"].config #=> Hash
     #   resp.firewall_status.sync_states["AvailabilityZone"].config["ResourceName"].sync_status #=> String, one of "PENDING", "IN_SYNC", "CAPACITY_CONSTRAINED"
@@ -1668,6 +1675,9 @@ module Aws::NetworkFirewall
     #   resp.firewall_policy.stateful_engine_options.rule_order #=> String, one of "DEFAULT_ACTION_ORDER", "STRICT_ORDER"
     #   resp.firewall_policy.stateful_engine_options.stream_exception_policy #=> String, one of "DROP", "CONTINUE"
     #   resp.firewall_policy.tls_inspection_configuration_arn #=> String
+    #   resp.firewall_policy.policy_variables.rule_variables #=> Hash
+    #   resp.firewall_policy.policy_variables.rule_variables["RuleVariableName"].definition #=> Array
+    #   resp.firewall_policy.policy_variables.rule_variables["RuleVariableName"].definition[0] #=> String
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/DescribeFirewallPolicy AWS API Documentation
     #
@@ -2402,10 +2412,6 @@ module Aws::NetworkFirewall
     #   For a firewall policy resource, you can specify the following
     #   operations in the Actions section of the statement:
     #
-    #   * network-firewall:CreateFirewall
-    #
-    #   * network-firewall:UpdateFirewall
-    #
     #   * network-firewall:AssociateFirewallPolicy
     #
     #   * network-firewall:ListFirewallPolicies
@@ -2828,6 +2834,13 @@ module Aws::NetworkFirewall
     #         stream_exception_policy: "DROP", # accepts DROP, CONTINUE
     #       },
     #       tls_inspection_configuration_arn: "ResourceArn",
+    #       policy_variables: {
+    #         rule_variables: {
+    #           "RuleVariableName" => {
+    #             definition: ["VariableDefinition"], # required
+    #           },
+    #         },
+    #       },
     #     },
     #     description: "Description",
     #     dry_run: false,
@@ -3507,7 +3520,7 @@ module Aws::NetworkFirewall
         params: params,
         config: config)
       context[:gem_name] = 'aws-sdk-networkfirewall'
-      context[:gem_version] = '1.26.0'
+      context[:gem_version] = '1.27.0'
       Seahorse::Client::Request.new(handlers, context)
     end
 

data/lib/aws-sdk-networkfirewall/client_api.rb

@@ -137,6 +137,7 @@ module Aws::NetworkFirewall
     PerObjectStatus = Shapes::StructureShape.new(name: 'PerObjectStatus')
     PerObjectSyncStatus = Shapes::StringShape.new(name: 'PerObjectSyncStatus')
     PolicyString = Shapes::StringShape.new(name: 'PolicyString')
+    PolicyVariables = Shapes::StructureShape.new(name: 'PolicyVariables')
     Port = Shapes::StringShape.new(name: 'Port')
     PortRange = Shapes::StructureShape.new(name: 'PortRange')
     PortRangeBound = Shapes::IntegerShape.new(name: 'PortRangeBound')
@@ -515,6 +516,7 @@ module Aws::NetworkFirewall
     FirewallPolicy.add_member(:stateful_default_actions, Shapes::ShapeRef.new(shape: StatefulActions, location_name: "StatefulDefaultActions"))
     FirewallPolicy.add_member(:stateful_engine_options, Shapes::ShapeRef.new(shape: StatefulEngineOptions, location_name: "StatefulEngineOptions"))
     FirewallPolicy.add_member(:tls_inspection_configuration_arn, Shapes::ShapeRef.new(shape: ResourceArn, location_name: "TLSInspectionConfigurationArn"))
+    FirewallPolicy.add_member(:policy_variables, Shapes::ShapeRef.new(shape: PolicyVariables, location_name: "PolicyVariables"))
     FirewallPolicy.struct_class = Types::FirewallPolicy
 
     FirewallPolicyMetadata.add_member(:name, Shapes::ShapeRef.new(shape: ResourceName, location_name: "Name"))
@@ -664,6 +666,9 @@ module Aws::NetworkFirewall
     PerObjectStatus.add_member(:update_token, Shapes::ShapeRef.new(shape: UpdateToken, location_name: "UpdateToken"))
     PerObjectStatus.struct_class = Types::PerObjectStatus
 
+    PolicyVariables.add_member(:rule_variables, Shapes::ShapeRef.new(shape: IPSets, location_name: "RuleVariables"))
+    PolicyVariables.struct_class = Types::PolicyVariables
+
     PortRange.add_member(:from_port, Shapes::ShapeRef.new(shape: PortRangeBound, required: true, location_name: "FromPort"))
     PortRange.add_member(:to_port, Shapes::ShapeRef.new(shape: PortRangeBound, required: true, location_name: "ToPort"))
     PortRange.struct_class = Types::PortRange

data/lib/aws-sdk-networkfirewall/types.rb

@@ -286,12 +286,14 @@ module Aws::NetworkFirewall
     #
     # @!attribute [rw] status_message
     #   If Network Firewall fails to create or delete the firewall endpoint
-    #   in the subnet, it populates this with the reason for the failure and
-    #   how to resolve it. Depending on the error, it can take as many as 15
+    #   in the subnet, it populates this with the reason for the error or
+    #   failure and how to resolve it. A `FAILED` status indicates a
+    #   non-recoverable state, and a `ERROR` status indicates an issue that
+    #   you can fix. Depending on the error, it can take as many as 15
     #   minutes to populate this field. For more information about the
-    #   errors and solutions available for this field, see [Troubleshooting
-    #   firewall endpoint failures][1] in the *Network Firewall Developer
-    #   Guide*.
+    #   causes for failiure or errors and solutions available for this
+    #   field, see [Troubleshooting firewall endpoint failures][1] in the
+    #   *Network Firewall Developer Guide*.
     #
     #
     #
@@ -1840,6 +1842,11 @@ module Aws::NetworkFirewall
     #   The Amazon Resource Name (ARN) of the TLS inspection configuration.
     #   @return [String]
     #
+    # @!attribute [rw] policy_variables
+    #   Contains variables that you can use to override default Suricata
+    #   settings in your firewall policy.
+    #   @return [Types::PolicyVariables]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/FirewallPolicy AWS API Documentation
     #
     class FirewallPolicy < Struct.new(
@@ -1850,7 +1857,8 @@ module Aws::NetworkFirewall
       :stateful_rule_group_references,
       :stateful_default_actions,
       :stateful_engine_options,
-      :tls_inspection_configuration_arn)
+      :tls_inspection_configuration_arn,
+      :policy_variables)
       SENSITIVE = []
       include Aws::Structure
     end
@@ -2730,6 +2738,26 @@ module Aws::NetworkFirewall
       include Aws::Structure
     end
 
+    # Contains variables that you can use to override default Suricata
+    # settings in your firewall policy.
+    #
+    # @!attribute [rw] rule_variables
+    #   The IPv4 or IPv6 addresses in CIDR notation to use for the Suricata
+    #   `HOME_NET` variable. If your firewall uses an inspection VPC, you
+    #   might want to override the `HOME_NET` variable with the CIDRs of
+    #   your home networks. If you don't override `HOME_NET` with your own
+    #   CIDRs, Network Firewall by default uses the CIDR of your inspection
+    #   VPC.
+    #   @return [Hash<String,Types::IPSet>]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/network-firewall-2020-11-12/PolicyVariables AWS API Documentation
+    #
+    class PolicyVariables < Struct.new(
+      :rule_variables)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+
     # A single port range specification. This is used for source and
     # destination port ranges in the stateless rule MatchAttributes,
     # `SourcePorts`, and `DestinationPorts` settings.
@@ -2804,10 +2832,6 @@ module Aws::NetworkFirewall
     #   For a firewall policy resource, you can specify the following
     #   operations in the Actions section of the statement:
     #
-    #   * network-firewall:CreateFirewall
-    #
-    #   * network-firewall:UpdateFirewall
-    #
     #   * network-firewall:AssociateFirewallPolicy
     #
     #   * network-firewall:ListFirewallPolicies
@@ -3173,7 +3197,7 @@ module Aws::NetworkFirewall
     #
     #
     #
-    #   [1]: https://suricata.readthedocs.iorules/intro.html#
+    #   [1]: https://suricata.readthedocs.io/en/suricata-6.0.9/rules/intro.html
     #   @return [Array<Types::StatefulRule>]
     #
     # @!attribute [rw] stateless_rules_and_custom_actions
@@ -3444,7 +3468,7 @@ module Aws::NetworkFirewall
     #
     #
     #
-    # [1]: https://suricata.readthedocs.iorules/intro.html#
+    # [1]: https://suricata.readthedocs.io/en/suricata-6.0.9/rules/intro.html
     #
     # @!attribute [rw] action
     #   Defines what Network Firewall should do with the packets in a
@@ -3468,16 +3492,6 @@ module Aws::NetworkFirewall
     #     drop traffic. You can enable the rule with `ALERT` action, verify
     #     in the logs that the rule is filtering as you want, then change
     #     the action to `DROP`.
-    #
-    #   * **REJECT** - Drops TCP traffic that matches the conditions of the
-    #     stateful rule, and sends a TCP reset packet back to sender of the
-    #     packet. A TCP reset packet is a packet with no payload and a `RST`
-    #     bit contained in the TCP header flags. Also sends an alert log
-    #     mesage if alert logging is configured in the Firewall
-    #     LoggingConfiguration.
-    #
-    #     `REJECT` isn't currently available for use with IMAP and FTP
-    #     protocols.
     #   @return [String]
     #
     # @!attribute [rw] header

data/lib/aws-sdk-networkfirewall.rb

@@ -52,6 +52,6 @@ require_relative 'aws-sdk-networkfirewall/customizations'
 # @!group service
 module Aws::NetworkFirewall
 
-  GEM_VERSION = '1.26.0'
+  GEM_VERSION = '1.27.0'
 
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aws-sdk-networkfirewall
 version: !ruby/object:Gem::Version
-  version: 1.26.0
+  version: 1.27.0
 platform: ruby
 authors:
 - Amazon Web Services
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2023-04-05 00:00:00.000000000 Z
+date: 2023-05-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core