aws-sdk-wafv2 1.2.0 → 1.3.0

data/lib/aws-sdk-wafv2/errors.rb

@@ -28,7 +28,9 @@ module Aws::WAFV2
   # * {WAFAssociatedItemException}
   # * {WAFDuplicateItemException}
   # * {WAFInternalErrorException}
+  # * {WAFInvalidOperationException}
   # * {WAFInvalidParameterException}
+  # * {WAFInvalidPermissionPolicyException}
   # * {WAFInvalidResourceException}
   # * {WAFLimitsExceededException}
   # * {WAFNonexistentItemException}
@@ -90,6 +92,21 @@ module Aws::WAFV2
       end
     end
 
+    class WAFInvalidOperationException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::WAFV2::Types::WAFInvalidOperationException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
     class WAFInvalidParameterException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context
@@ -120,6 +137,21 @@ module Aws::WAFV2
       end
     end
 
+    class WAFInvalidPermissionPolicyException < ServiceError
+
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::WAFV2::Types::WAFInvalidPermissionPolicyException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
+
     class WAFInvalidResourceException < ServiceError
 
       # @param [Seahorse::Client::RequestContext] context

data/lib/aws-sdk-wafv2/resource.rb

@@ -6,13 +6,7 @@
 # WARNING ABOUT GENERATED CODE
 
 module Aws::WAFV2
-  # This class provides a resource oriented interface for WAFV2.
-  # To create a resource object:
-  #     resource = Aws::WAFV2::Resource.new(region: 'us-west-2')
-  # You can supply a client object with custom configuration that will be used for all resource operations.
-  # If you do not pass +:client+, a default client will be constructed.
-  #     client = Aws::WAFV2::Client.new(region: 'us-west-2')
-  #     resource = Aws::WAFV2::Resource.new(client: client)
+
   class Resource
 
     # @param options ({})

data/lib/aws-sdk-wafv2/types.rb

@@ -408,8 +408,8 @@ module Aws::WAFV2
     #   only in the part of web requests that you designate for inspection
     #   in FieldToMatch. The maximum length of the value is 50 bytes.
     #
-    #   Valid values depend on the areas that you specify for inspection in
-    #   `FieldToMatch`\:
+    #   Valid values depend on the component that you specify for inspection
+    #   in `FieldToMatch`\:
     #
     #   * `Method`\: The HTTP method that you want AWS WAF to search for.
     #     This indicates the type of operation specified in the request.
@@ -446,9 +446,9 @@ module Aws::WAFV2
     #   Text transformations eliminate some of the unusual formatting that
     #   attackers use in web requests in an effort to bypass detection. If
     #   you specify one or more transformations in a rule statement, AWS WAF
-    #   performs all transformations on the content identified by
-    #   `FieldToMatch`, starting from the lowest priority setting, before
-    #   inspecting the content for a match.
+    #   performs all transformations on the content of the request component
+    #   identified by `FieldToMatch`, starting from the lowest priority
+    #   setting, before inspecting the content for a match.
     #   @return [Array<Types::TextTransformation>]
     #
     # @!attribute [rw] positional_constraint
@@ -730,7 +730,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -800,8 +800,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -812,15 +812,15 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the IP set. You cannot change the
-    #   description of an IP set after you create it.
+    #   A description of the IP set that helps with identification. You
+    #   cannot change the description of an IP set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] ip_address_version
@@ -913,8 +913,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the set. You cannot change the name after you
-    #   create the set.
+    #   The name of the set. You cannot change the name after you create the
+    #   set.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -925,15 +925,15 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the set. You cannot change the description
-    #   of a set after you create it.
+    #   A description of the set that helps with identification. You cannot
+    #   change the description of a set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] regular_expression_list
@@ -1203,8 +1203,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule group. You cannot change the name of a
-    #   rule group after you create it.
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1215,7 +1215,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1240,8 +1240,8 @@ module Aws::WAFV2
     #   @return [Integer]
     #
     # @!attribute [rw] description
-    #   A friendly description of the rule group. You cannot change the
-    #   description of a rule group after you create it.
+    #   A description of the rule group that helps with identification. You
+    #   cannot change the description of a rule group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -1526,8 +1526,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1538,7 +1538,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1550,8 +1550,8 @@ module Aws::WAFV2
     #   @return [Types::DefaultAction]
     #
     # @!attribute [rw] description
-    #   A friendly description of the Web ACL. You cannot change the
-    #   description of a Web ACL after you create it.
+    #   A description of the Web ACL that helps with identification. You
+    #   cannot change the description of a Web ACL after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -1638,6 +1638,57 @@ module Aws::WAFV2
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass DeleteFirewallManagerRuleGroupsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         web_acl_arn: "ResourceArn", # required
+    #         web_acl_lock_token: "LockToken", # required
+    #       }
+    #
+    # @!attribute [rw] web_acl_arn
+    #   The Amazon Resource Name (ARN) of the web ACL.
+    #   @return [String]
+    #
+    # @!attribute [rw] web_acl_lock_token
+    #   A token used for optimistic locking. AWS WAF returns a token to your
+    #   get and list requests, to mark the state of the entity at the time
+    #   of the request. To make changes to the entity associated with the
+    #   token, you provide the token to operations like update and delete.
+    #   AWS WAF uses the token to ensure that no changes have been made to
+    #   the entity since you last retrieved it. If a change has been made,
+    #   the update fails with a `WAFOptimisticLockException`. If this
+    #   happens, perform another get, and use the new token returned by that
+    #   operation.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeleteFirewallManagerRuleGroupsRequest AWS API Documentation
+    #
+    class DeleteFirewallManagerRuleGroupsRequest < Struct.new(
+      :web_acl_arn,
+      :web_acl_lock_token)
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] next_web_acl_lock_token
+    #   A token used for optimistic locking. AWS WAF returns a token to your
+    #   get and list requests, to mark the state of the entity at the time
+    #   of the request. To make changes to the entity associated with the
+    #   token, you provide the token to operations like update and delete.
+    #   AWS WAF uses the token to ensure that no changes have been made to
+    #   the entity since you last retrieved it. If a change has been made,
+    #   the update fails with a `WAFOptimisticLockException`. If this
+    #   happens, perform another get, and use the new token returned by that
+    #   operation.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeleteFirewallManagerRuleGroupsResponse AWS API Documentation
+    #
+    class DeleteFirewallManagerRuleGroupsResponse < Struct.new(
+      :next_web_acl_lock_token)
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass DeleteIPSetRequest
     #   data as a hash:
     #
@@ -1649,8 +1700,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1661,7 +1712,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1722,6 +1773,31 @@ module Aws::WAFV2
     #
     class DeleteLoggingConfigurationResponse < Aws::EmptyStructure; end
 
+    # @note When making an API call, you may pass DeletePermissionPolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resource_arn: "ResourceArn", # required
+    #       }
+    #
+    # @!attribute [rw] resource_arn
+    #   The Amazon Resource Name (ARN) of the rule group from which you want
+    #   to delete the policy.
+    #
+    #   You must be the owner of the rule group to perform this operation.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeletePermissionPolicyRequest AWS API Documentation
+    #
+    class DeletePermissionPolicyRequest < Struct.new(
+      :resource_arn)
+      include Aws::Structure
+    end
+
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeletePermissionPolicyResponse AWS API Documentation
+    #
+    class DeletePermissionPolicyResponse < Aws::EmptyStructure; end
+
     # @note When making an API call, you may pass DeleteRegexPatternSetRequest
     #   data as a hash:
     #
@@ -1733,8 +1809,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the set. You cannot change the name after you
-    #   create the set.
+    #   The name of the set. You cannot change the name after you create the
+    #   set.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1745,7 +1821,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1794,8 +1870,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule group. You cannot change the name of a
-    #   rule group after you create it.
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1806,7 +1882,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1855,8 +1931,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1867,7 +1943,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1932,7 +2008,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2042,8 +2118,11 @@ module Aws::WAFV2
     #  </note>
     #
     # The part of a web request that you want AWS WAF to inspect. Include
-    # the `FieldToMatch` types that you want to inspect, with additional
-    # specifications as needed, according to the type.
+    # the single `FieldToMatch` type that you want to inspect, with
+    # additional specifications as needed, according to the type. You
+    # specify a single request component in `FieldToMatch` for each rule
+    # statement that requires it. To inspect more than one component of a
+    # web request, create a separate rule statement for each component.
     #
     #
     #
@@ -2135,6 +2214,128 @@ module Aws::WAFV2
       include Aws::Structure
     end
 
+    # A rule group that's defined for an AWS Firewall Manager WAF policy.
+    #
+    # @!attribute [rw] name
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
+    #   @return [String]
+    #
+    # @!attribute [rw] priority
+    #   If you define more than one rule group in the first or last Firewall
+    #   Manager rule groups, AWS WAF evaluates each request against the rule
+    #   groups in order, starting from the lowest priority setting. The
+    #   priorities don't need to be consecutive, but they must all be
+    #   different.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] firewall_manager_statement
+    #   The processing guidance for an AWS Firewall Manager rule. This is
+    #   like a regular rule Statement, but it can only contain a rule group
+    #   reference.
+    #   @return [Types::FirewallManagerStatement]
+    #
+    # @!attribute [rw] override_action
+    #   The override action to apply to the rules in a rule group. Used only
+    #   for rule statements that reference a rule group, like
+    #   `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
+    #
+    #   Set the override action to none to leave the rule actions in effect.
+    #   Set it to count to only count matches, regardless of the rule action
+    #   settings.
+    #
+    #   In a Rule, you must specify either this `OverrideAction` setting or
+    #   the rule `Action` setting, but not both:
+    #
+    #   * If the rule statement references a rule group, use this override
+    #     action setting and not the action setting.
+    #
+    #   * If the rule statement does not reference a rule group, use the
+    #     rule action setting and not this rule override action setting.
+    #   @return [Types::OverrideAction]
+    #
+    # @!attribute [rw] visibility_config
+    #   <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
+    #   in November, 2019. For information, including how to migrate your
+    #   AWS WAF resources from the prior release, see the [AWS WAF Developer
+    #   Guide][1].
+    #
+    #    </note>
+    #
+    #   Defines and enables Amazon CloudWatch metrics and web request sample
+    #   collection.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
+    #   @return [Types::VisibilityConfig]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/FirewallManagerRuleGroup AWS API Documentation
+    #
+    class FirewallManagerRuleGroup < Struct.new(
+      :name,
+      :priority,
+      :firewall_manager_statement,
+      :override_action,
+      :visibility_config)
+      include Aws::Structure
+    end
+
+    # The processing guidance for an AWS Firewall Manager rule. This is like
+    # a regular rule Statement, but it can only contain a rule group
+    # reference.
+    #
+    # @!attribute [rw] managed_rule_group_statement
+    #   <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
+    #   in November, 2019. For information, including how to migrate your
+    #   AWS WAF resources from the prior release, see the [AWS WAF Developer
+    #   Guide][1].
+    #
+    #    </note>
+    #
+    #   A rule statement used to run the rules that are defined in a managed
+    #   rule group. To use this, provide the vendor name and the name of the
+    #   rule group in this statement. You can retrieve the required names by
+    #   calling ListAvailableManagedRuleGroups.
+    #
+    #   You can't nest a `ManagedRuleGroupStatement`, for example for use
+    #   inside a `NotStatement` or `OrStatement`. It can only be referenced
+    #   as a top-level statement within a rule.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
+    #   @return [Types::ManagedRuleGroupStatement]
+    #
+    # @!attribute [rw] rule_group_reference_statement
+    #   <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
+    #   in November, 2019. For information, including how to migrate your
+    #   AWS WAF resources from the prior release, see the [AWS WAF Developer
+    #   Guide][1].
+    #
+    #    </note>
+    #
+    #   A rule statement used to run the rules that are defined in a
+    #   RuleGroup. To use this, create a rule group with your rules, then
+    #   provide the ARN of the rule group in this statement.
+    #
+    #   You cannot nest a `RuleGroupReferenceStatement`, for example for use
+    #   inside a `NotStatement` or `OrStatement`. It can only be referenced
+    #   as a top-level statement within a rule.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
+    #   @return [Types::RuleGroupReferenceStatement]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/FirewallManagerStatement AWS API Documentation
+    #
+    class FirewallManagerStatement < Struct.new(
+      :managed_rule_group_statement,
+      :rule_group_reference_statement)
+      include Aws::Structure
+    end
+
     # <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
     # in November, 2019. For information, including how to migrate your AWS
     # WAF resources from the prior release, see the [AWS WAF Developer
@@ -2179,8 +2380,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -2191,7 +2392,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2265,6 +2466,36 @@ module Aws::WAFV2
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass GetPermissionPolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resource_arn: "ResourceArn", # required
+    #       }
+    #
+    # @!attribute [rw] resource_arn
+    #   The Amazon Resource Name (ARN) of the rule group for which you want
+    #   to get the policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/GetPermissionPolicyRequest AWS API Documentation
+    #
+    class GetPermissionPolicyRequest < Struct.new(
+      :resource_arn)
+      include Aws::Structure
+    end
+
+    # @!attribute [rw] policy
+    #   The IAM policy that is attached to the specified rule group.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/GetPermissionPolicyResponse AWS API Documentation
+    #
+    class GetPermissionPolicyResponse < Struct.new(
+      :policy)
+      include Aws::Structure
+    end
+
     # @note When making an API call, you may pass GetRateBasedStatementManagedKeysRequest
     #   data as a hash:
     #
@@ -2283,15 +2514,15 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
     #   @return [String]
     #
     # @!attribute [rw] web_acl_name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] web_acl_id
@@ -2340,8 +2571,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the set. You cannot change the name after you
-    #   create the set.
+    #   The name of the set. You cannot change the name after you create the
+    #   set.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -2352,7 +2583,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2406,8 +2637,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule group. You cannot change the name of a
-    #   rule group after you create it.
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -2418,7 +2649,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2494,7 +2725,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2596,8 +2827,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -2608,7 +2839,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2776,8 +3007,8 @@ module Aws::WAFV2
     # [2]: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -2791,8 +3022,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the IP set. You cannot change the
-    #   description of an IP set after you create it.
+    #   A description of the IP set that helps with identification. You
+    #   cannot change the description of an IP set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] ip_address_version
@@ -2903,8 +3134,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -2914,8 +3145,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the IP set. You cannot change the
-    #   description of an IP set after you create it.
+    #   A description of the IP set that helps with identification. You
+    #   cannot change the description of an IP set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] lock_token
@@ -2962,7 +3193,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3028,7 +3259,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3096,7 +3327,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3162,7 +3393,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3266,7 +3497,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3389,7 +3620,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -4089,21 +4320,22 @@ module Aws::WAFV2
       include Aws::Structure
     end
 
-    # <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
-    # in November, 2019. For information, including how to migrate your AWS
-    # WAF resources from the prior release, see the [AWS WAF Developer
-    # Guide][1].
-    #
-    #  </note>
+    # The override action to apply to the rules in a rule group. Used only
+    # for rule statements that reference a rule group, like
+    # `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
     #
-    # The action to use to override the rule's `Action` setting. You can
-    # use no override action, in which case the rule action is in effect, or
-    # count, in which case, if the rule matches a web request, it only
-    # counts the match.
+    # Set the override action to none to leave the rule actions in effect.
+    # Set it to count to only count matches, regardless of the rule action
+    # settings.
     #
+    # In a Rule, you must specify either this `OverrideAction` setting or
+    # the rule `Action` setting, but not both:
     #
+    # * If the rule statement references a rule group, use this override
+    #   action setting and not the action setting.
     #
-    # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
+    # * If the rule statement does not reference a rule group, use the rule
+    #   action setting and not this rule override action setting.
     #
     # @note When making an API call, you may pass OverrideAction
     #   data as a hash:
@@ -4181,6 +4413,57 @@ module Aws::WAFV2
       include Aws::Structure
     end
 
+    # @note When making an API call, you may pass PutPermissionPolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resource_arn: "ResourceArn", # required
+    #         policy: "PolicyString", # required
+    #       }
+    #
+    # @!attribute [rw] resource_arn
+    #   The Amazon Resource Name (ARN) of the RuleGroup to which you want to
+    #   attach the policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy
+    #   The policy to attach to the specified rule group.
+    #
+    #   The policy specifications must conform to the following:
+    #
+    #   * The policy must be composed using IAM Policy version 2012-10-17 or
+    #     version 2015-01-01.
+    #
+    #   * The policy must include specifications for `Effect`, `Action`, and
+    #     `Principal`.
+    #
+    #   * `Effect` must specify `Allow`.
+    #
+    #   * `Action` must specify `wafv2:CreateWebACL`, `wafv2:UpdateWebACL`,
+    #     and `wafv2:PutFirewallManagerRuleGroups`. AWS WAF rejects any
+    #     extra actions or wildcard actions in the policy.
+    #
+    #   * The policy must not include a `Resource` parameter.
+    #
+    #   For more information, see [IAM Policies][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/PutPermissionPolicyRequest AWS API Documentation
+    #
+    class PutPermissionPolicyRequest < Struct.new(
+      :resource_arn,
+      :policy)
+      include Aws::Structure
+    end
+
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/PutPermissionPolicyResponse AWS API Documentation
+    #
+    class PutPermissionPolicyResponse < Aws::EmptyStructure; end
+
     # <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
     # in November, 2019. For information, including how to migrate your AWS
     # WAF resources from the prior release, see the [AWS WAF Developer
@@ -4548,8 +4831,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the set. You cannot change the name after you
-    #   create the set.
+    #   The name of the set. You cannot change the name after you create the
+    #   set.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -4563,8 +4846,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the set. You cannot change the description
-    #   of a set after you create it.
+    #   A description of the set that helps with identification. You cannot
+    #   change the description of a set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] regular_expression_list
@@ -4651,9 +4934,9 @@ module Aws::WAFV2
     #   Text transformations eliminate some of the unusual formatting that
     #   attackers use in web requests in an effort to bypass detection. If
     #   you specify one or more transformations in a rule statement, AWS WAF
-    #   performs all transformations on the content identified by
-    #   `FieldToMatch`, starting from the lowest priority setting, before
-    #   inspecting the content for a match.
+    #   performs all transformations on the content of the request component
+    #   identified by `FieldToMatch`, starting from the lowest priority
+    #   setting, before inspecting the content for a match.
     #   @return [Array<Types::TextTransformation>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexPatternSetReferenceStatement AWS API Documentation
@@ -4683,8 +4966,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the data type instance. You cannot change the
-    #   name after you create the instance.
+    #   The name of the data type instance. You cannot change the name after
+    #   you create the instance.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -4694,8 +4977,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the set. You cannot change the description
-    #   of a set after you create it.
+    #   A description of the set that helps with identification. You cannot
+    #   change the description of a set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] lock_token
@@ -4956,8 +5239,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule. You can't change the name of a `Rule`
-    #   after you create it.
+    #   The name of the rule. You can't change the name of a `Rule` after
+    #   you create it.
     #   @return [String]
     #
     # @!attribute [rw] priority
@@ -4975,15 +5258,40 @@ module Aws::WAFV2
     #
     # @!attribute [rw] action
     #   The action that AWS WAF should take on a web request when it matches
-    #   the rule's statement. Settings at the web ACL level can override
-    #   the rule action setting.
+    #   the rule statement. Settings at the web ACL level can override the
+    #   rule action setting.
+    #
+    #   This is used only for rules whose statements do not reference a rule
+    #   group. Rule statements that reference a rule group include
+    #   `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
+    #
+    #   You must specify either this `Action` setting or the rule
+    #   `OverrideAction` setting, but not both:
+    #
+    #   * If the rule statement does not reference a rule group, use this
+    #     rule action setting and not the rule override action setting.
+    #
+    #   * If the rule statement references a rule group, use the override
+    #     action setting and not this action setting.
     #   @return [Types::RuleAction]
     #
     # @!attribute [rw] override_action
-    #   The action to use to override the rule's `Action` setting. You can
-    #   use no override action, in which case the rule action is in effect,
-    #   or count action, in which case, if the rule matches a web request,
-    #   it only counts the match.
+    #   The override action to apply to the rules in a rule group. Used only
+    #   for rule statements that reference a rule group, like
+    #   `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
+    #
+    #   Set the override action to none to leave the rule actions in effect.
+    #   Set it to count to only count matches, regardless of the rule action
+    #   settings.
+    #
+    #   In a Rule, you must specify either this `OverrideAction` setting or
+    #   the rule `Action` setting, but not both:
+    #
+    #   * If the rule statement references a rule group, use this override
+    #     action setting and not the action setting.
+    #
+    #   * If the rule statement does not reference a rule group, use the
+    #     rule action setting and not this rule override action setting.
     #   @return [Types::OverrideAction]
     #
     # @!attribute [rw] visibility_config
@@ -5069,8 +5377,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule group. You cannot change the name of a
-    #   rule group after you create it.
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -5102,8 +5410,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the rule group. You cannot change the
-    #   description of a rule group after you create it.
+    #   A description of the rule group that helps with identification. You
+    #   cannot change the description of a rule group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -5197,8 +5505,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the data type instance. You cannot change the
-    #   name after you create the instance.
+    #   The name of the data type instance. You cannot change the name after
+    #   you create the instance.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -5208,8 +5516,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the rule group. You cannot change the
-    #   description of a rule group after you create it.
+    #   A description of the rule group that helps with identification. You
+    #   cannot change the description of a rule group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] lock_token
@@ -5486,9 +5794,9 @@ module Aws::WAFV2
     #   Text transformations eliminate some of the unusual formatting that
     #   attackers use in web requests in an effort to bypass detection. If
     #   you specify one or more transformations in a rule statement, AWS WAF
-    #   performs all transformations on the content identified by
-    #   `FieldToMatch`, starting from the lowest priority setting, before
-    #   inspecting the content for a match.
+    #   performs all transformations on the content of the request component
+    #   identified by `FieldToMatch`, starting from the lowest priority
+    #   setting, before inspecting the content for a match.
     #   @return [Array<Types::TextTransformation>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/SizeConstraintStatement AWS API Documentation
@@ -5560,9 +5868,9 @@ module Aws::WAFV2
     #   Text transformations eliminate some of the unusual formatting that
     #   attackers use in web requests in an effort to bypass detection. If
     #   you specify one or more transformations in a rule statement, AWS WAF
-    #   performs all transformations on the content identified by
-    #   `FieldToMatch`, starting from the lowest priority setting, before
-    #   inspecting the content for a match.
+    #   performs all transformations on the content of the request component
+    #   identified by `FieldToMatch`, starting from the lowest priority
+    #   setting, before inspecting the content for a match.
     #   @return [Array<Types::TextTransformation>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/SqliMatchStatement AWS API Documentation
@@ -6982,8 +7290,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -6994,7 +7302,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7007,8 +7315,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the IP set. You cannot change the
-    #   description of an IP set after you create it.
+    #   A description of the IP set that helps with identification. You
+    #   cannot change the description of an IP set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] addresses
@@ -7100,8 +7408,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the set. You cannot change the name after you
-    #   create the set.
+    #   The name of the set. You cannot change the name after you create the
+    #   set.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -7112,7 +7420,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7125,8 +7433,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the set. You cannot change the description
-    #   of a set after you create it.
+    #   A description of the set that helps with identification. You cannot
+    #   change the description of a set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] regular_expression_list
@@ -7397,8 +7705,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule group. You cannot change the name of a
-    #   rule group after you create it.
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -7409,7 +7717,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7422,8 +7730,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the rule group. You cannot change the
-    #   description of a rule group after you create it.
+    #   A description of the rule group that helps with identification. You
+    #   cannot change the description of a rule group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -7710,8 +8018,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -7722,7 +8030,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7740,8 +8048,8 @@ module Aws::WAFV2
     #   @return [Types::DefaultAction]
     #
     # @!attribute [rw] description
-    #   A friendly description of the Web ACL. You cannot change the
-    #   description of a Web ACL after you create it.
+    #   A description of the Web ACL that helps with identification. You
+    #   cannot change the description of a Web ACL after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -7859,7 +8167,7 @@ module Aws::WAFV2
     #   @return [Boolean]
     #
     # @!attribute [rw] metric_name
-    #   A friendly name of the CloudWatch metric. The name can contain only
+    #   A name of the CloudWatch metric. The name can contain only
     #   alphanumeric characters (A-Z, a-z, 0-9), with length from one to 128
     #   characters. It can't contain whitespace or metric names reserved
     #   for AWS WAF, for example "All" and "Default\_Action." You can't
@@ -7914,6 +8222,18 @@ module Aws::WAFV2
       include Aws::Structure
     end
 
+    # The operation isn't valid.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WAFInvalidOperationException AWS API Documentation
+    #
+    class WAFInvalidOperationException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
     # The operation failed because AWS WAF didn't recognize a parameter in
     # the request. For example:
     #
@@ -7950,6 +8270,41 @@ module Aws::WAFV2
       include Aws::Structure
     end
 
+    # The operation failed because the specified policy isn't in the proper
+    # format.
+    #
+    # The policy specifications must conform to the following:
+    #
+    # * The policy must be composed using IAM Policy version 2012-10-17 or
+    #   version 2015-01-01.
+    #
+    # * The policy must include specifications for `Effect`, `Action`, and
+    #   `Principal`.
+    #
+    # * `Effect` must specify `Allow`.
+    #
+    # * `Action` must specify `wafv2:CreateWebACL`, `wafv2:UpdateWebACL`,
+    #   and `wafv2:PutFirewallManagerRuleGroups`. AWS WAF rejects any extra
+    #   actions or wildcard actions in the policy.
+    #
+    # * The policy must not include a `Resource` parameter.
+    #
+    # For more information, see [IAM Policies][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WAFInvalidPermissionPolicyException AWS API Documentation
+    #
+    class WAFInvalidPermissionPolicyException < Struct.new(
+      :message)
+      include Aws::Structure
+    end
+
     # AWS WAF couldn’t perform the operation because the resource that you
     # requested isn’t valid. Check the resource, and try again.
     #
@@ -8100,8 +8455,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -8121,8 +8476,8 @@ module Aws::WAFV2
     #   @return [Types::DefaultAction]
     #
     # @!attribute [rw] description
-    #   A friendly description of the Web ACL. You cannot change the
-    #   description of a Web ACL after you create it.
+    #   A description of the Web ACL that helps with identification. You
+    #   cannot change the description of a Web ACL after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -8151,6 +8506,38 @@ module Aws::WAFV2
     #   for web ACLs is 1,500.
     #   @return [Integer]
     #
+    # @!attribute [rw] pre_process_firewall_manager_rule_groups
+    #   The first set of rules for AWS WAF to process in the web ACL. This
+    #   is defined in an AWS Firewall Manager WAF policy and contains only
+    #   rule group references. You can't alter these. Any rules and rule
+    #   groups that you define for the web ACL are prioritized after these.
+    #
+    #   In the Firewall Manager WAF policy, the Firewall Manager
+    #   administrator can define a set of rule groups to run first in the
+    #   web ACL and a set of rule groups to run last. Within each set, the
+    #   administrator prioritizes the rule groups, to determine their
+    #   relative processing order.
+    #   @return [Array<Types::FirewallManagerRuleGroup>]
+    #
+    # @!attribute [rw] post_process_firewall_manager_rule_groups
+    #   The last set of rules for AWS WAF to process in the web ACL. This is
+    #   defined in an AWS Firewall Manager WAF policy and contains only rule
+    #   group references. You can't alter these. Any rules and rule groups
+    #   that you define for the web ACL are prioritized before these.
+    #
+    #   In the Firewall Manager WAF policy, the Firewall Manager
+    #   administrator can define a set of rule groups to run first in the
+    #   web ACL and a set of rule groups to run last. Within each set, the
+    #   administrator prioritizes the rule groups, to determine their
+    #   relative processing order.
+    #   @return [Array<Types::FirewallManagerRuleGroup>]
+    #
+    # @!attribute [rw] managed_by_firewall_manager
+    #   Indicates whether this web ACL is managed by AWS Firewall Manager.
+    #   If true, then only AWS Firewall Manager can delete the web ACL or
+    #   any Firewall Manager rule groups in the web ACL.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WebACL AWS API Documentation
     #
     class WebACL < Struct.new(
@@ -8161,7 +8548,10 @@ module Aws::WAFV2
       :description,
       :rules,
       :visibility_config,
-      :capacity)
+      :capacity,
+      :pre_process_firewall_manager_rule_groups,
+      :post_process_firewall_manager_rule_groups,
+      :managed_by_firewall_manager)
       include Aws::Structure
     end
 
@@ -8182,8 +8572,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -8193,8 +8583,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the Web ACL. You cannot change the
-    #   description of a Web ACL after you create it.
+    #   A description of the Web ACL that helps with identification. You
+    #   cannot change the description of a Web ACL after you create it.
     #   @return [String]
     #
     # @!attribute [rw] lock_token
@@ -8283,9 +8673,9 @@ module Aws::WAFV2
     #   Text transformations eliminate some of the unusual formatting that
     #   attackers use in web requests in an effort to bypass detection. If
     #   you specify one or more transformations in a rule statement, AWS WAF
-    #   performs all transformations on the content identified by
-    #   `FieldToMatch`, starting from the lowest priority setting, before
-    #   inspecting the content for a match.
+    #   performs all transformations on the content of the request component
+    #   identified by `FieldToMatch`, starting from the lowest priority
+    #   setting, before inspecting the content for a match.
     #   @return [Array<Types::TextTransformation>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/XssMatchStatement AWS API Documentation