aws-sdk-wafv2 1.2.0 → 1.3.0

@@ -28,7 +28,9 @@ module Aws::WAFV2
28
28
  # * {WAFAssociatedItemException}
29
29
  # * {WAFDuplicateItemException}
30
30
  # * {WAFInternalErrorException}
31
+ # * {WAFInvalidOperationException}
31
32
  # * {WAFInvalidParameterException}
33
+ # * {WAFInvalidPermissionPolicyException}
32
34
  # * {WAFInvalidResourceException}
33
35
  # * {WAFLimitsExceededException}
34
36
  # * {WAFNonexistentItemException}
@@ -90,6 +92,21 @@ module Aws::WAFV2
90
92
  end
91
93
  end
92
94
 
95
+ class WAFInvalidOperationException < ServiceError
96
+
97
+ # @param [Seahorse::Client::RequestContext] context
98
+ # @param [String] message
99
+ # @param [Aws::WAFV2::Types::WAFInvalidOperationException] data
100
+ def initialize(context, message, data = Aws::EmptyStructure.new)
101
+ super(context, message, data)
102
+ end
103
+
104
+ # @return [String]
105
+ def message
106
+ @message || @data[:message]
107
+ end
108
+ end
109
+
93
110
  class WAFInvalidParameterException < ServiceError
94
111
 
95
112
  # @param [Seahorse::Client::RequestContext] context
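Review bot: The fallback in `message` (new lines 105-107), `@message || @data[:message]`, can raise instead of returning a string when the error is built with the default `data = Aws::EmptyStructure.new`. Indexing a Struct with a member it does not declare raises NameError, and an empty structure presumably declares no `message` member. Whether `@message` can ever be nil depends on `ServiceError#initialize`, which is outside this hunk, so the branch may be unreachable today. A guarded form such as `@message || (@data.respond_to?(:message) ? @data[:message] : nil)` would keep error reporting from failing inside a rescue path. The same pattern is repeated in `WAFInvalidPermissionPolicyException` in the next hunk.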
@@ -120,6 +137,21 @@ module Aws::WAFV2
120
137
  end
121
138
  end
122
139
 
140
+ class WAFInvalidPermissionPolicyException < ServiceError
141
+
142
+ # @param [Seahorse::Client::RequestContext] context
143
+ # @param [String] message
144
+ # @param [Aws::WAFV2::Types::WAFInvalidPermissionPolicyException] data
145
+ def initialize(context, message, data = Aws::EmptyStructure.new)
146
+ super(context, message, data)
147
+ end
148
+
149
+ # @return [String]
150
+ def message
151
+ @message || @data[:message]
152
+ end
153
+ end
154
+
123
155
  class WAFInvalidResourceException < ServiceError
124
156
 
125
157
  # @param [Seahorse::Client::RequestContext] context
@@ -6,13 +6,7 @@
6
6
  # WARNING ABOUT GENERATED CODE
7
7
 
8
8
  module Aws::WAFV2
9
- # This class provides a resource oriented interface for WAFV2.
10
- # To create a resource object:
11
- # resource = Aws::WAFV2::Resource.new(region: 'us-west-2')
12
- # You can supply a client object with custom configuration that will be used for all resource operations.
13
- # If you do not pass +:client+, a default client will be constructed.
14
- # client = Aws::WAFV2::Client.new(region: 'us-west-2')
15
- # resource = Aws::WAFV2::Resource.new(client: client)
9
+
16
10
  class Resource
17
11
 
18
12
  # @param options ({})
@@ -408,8 +408,8 @@ module Aws::WAFV2
408
408
  # only in the part of web requests that you designate for inspection
409
409
  # in FieldToMatch. The maximum length of the value is 50 bytes.
410
410
  #
411
- # Valid values depend on the areas that you specify for inspection in
412
- # `FieldToMatch`\:
411
+ # Valid values depend on the component that you specify for inspection
412
+ # in `FieldToMatch`\:
413
413
  #
414
414
  # * `Method`\: The HTTP method that you want AWS WAF to search for.
415
415
  # This indicates the type of operation specified in the request.
@@ -446,9 +446,9 @@ module Aws::WAFV2
446
446
  # Text transformations eliminate some of the unusual formatting that
447
447
  # attackers use in web requests in an effort to bypass detection. If
448
448
  # you specify one or more transformations in a rule statement, AWS WAF
449
- # performs all transformations on the content identified by
450
- # `FieldToMatch`, starting from the lowest priority setting, before
451
- # inspecting the content for a match.
449
+ # performs all transformations on the content of the request component
450
+ # identified by `FieldToMatch`, starting from the lowest priority
451
+ # setting, before inspecting the content for a match.
452
452
  # @return [Array<Types::TextTransformation>]
453
453
  #
454
454
  # @!attribute [rw] positional_constraint
@@ -730,7 +730,7 @@ module Aws::WAFV2
730
730
  # To work with CloudFront, you must also specify the Region US East
731
731
  # (N. Virginia) as follows:
732
732
  #
733
- # * CLI - Specify the region when you use the CloudFront scope:
733
+ # * CLI - Specify the Region when you use the CloudFront scope:
734
734
  # `--scope=CLOUDFRONT --region=us-east-1`.
735
735
  #
736
736
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -800,8 +800,8 @@ module Aws::WAFV2
800
800
  # }
801
801
  #
802
802
  # @!attribute [rw] name
803
- # A friendly name of the IP set. You cannot change the name of an
804
- # `IPSet` after you create it.
803
+ # The name of the IP set. You cannot change the name of an `IPSet`
804
+ # after you create it.
805
805
  # @return [String]
806
806
  #
807
807
  # @!attribute [rw] scope
@@ -812,15 +812,15 @@ module Aws::WAFV2
812
812
  # To work with CloudFront, you must also specify the Region US East
813
813
  # (N. Virginia) as follows:
814
814
  #
815
- # * CLI - Specify the region when you use the CloudFront scope:
815
+ # * CLI - Specify the Region when you use the CloudFront scope:
816
816
  # `--scope=CLOUDFRONT --region=us-east-1`.
817
817
  #
818
818
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
819
819
  # @return [String]
820
820
  #
821
821
  # @!attribute [rw] description
822
- # A friendly description of the IP set. You cannot change the
823
- # description of an IP set after you create it.
822
+ # A description of the IP set that helps with identification. You
823
+ # cannot change the description of an IP set after you create it.
824
824
  # @return [String]
825
825
  #
826
826
  # @!attribute [rw] ip_address_version
@@ -913,8 +913,8 @@ module Aws::WAFV2
913
913
  # }
914
914
  #
915
915
  # @!attribute [rw] name
916
- # A friendly name of the set. You cannot change the name after you
917
- # create the set.
916
+ # The name of the set. You cannot change the name after you create the
917
+ # set.
918
918
  # @return [String]
919
919
  #
920
920
  # @!attribute [rw] scope
@@ -925,15 +925,15 @@ module Aws::WAFV2
925
925
  # To work with CloudFront, you must also specify the Region US East
926
926
  # (N. Virginia) as follows:
927
927
  #
928
- # * CLI - Specify the region when you use the CloudFront scope:
928
+ # * CLI - Specify the Region when you use the CloudFront scope:
929
929
  # `--scope=CLOUDFRONT --region=us-east-1`.
930
930
  #
931
931
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
932
932
  # @return [String]
933
933
  #
934
934
  # @!attribute [rw] description
935
- # A friendly description of the set. You cannot change the description
936
- # of a set after you create it.
935
+ # A description of the set that helps with identification. You cannot
936
+ # change the description of a set after you create it.
937
937
  # @return [String]
938
938
  #
939
939
  # @!attribute [rw] regular_expression_list
@@ -1203,8 +1203,8 @@ module Aws::WAFV2
1203
1203
  # }
1204
1204
  #
1205
1205
  # @!attribute [rw] name
1206
- # A friendly name of the rule group. You cannot change the name of a
1207
- # rule group after you create it.
1206
+ # The name of the rule group. You cannot change the name of a rule
1207
+ # group after you create it.
1208
1208
  # @return [String]
1209
1209
  #
1210
1210
  # @!attribute [rw] scope
@@ -1215,7 +1215,7 @@ module Aws::WAFV2
1215
1215
  # To work with CloudFront, you must also specify the Region US East
1216
1216
  # (N. Virginia) as follows:
1217
1217
  #
1218
- # * CLI - Specify the region when you use the CloudFront scope:
1218
+ # * CLI - Specify the Region when you use the CloudFront scope:
1219
1219
  # `--scope=CLOUDFRONT --region=us-east-1`.
1220
1220
  #
1221
1221
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1240,8 +1240,8 @@ module Aws::WAFV2
1240
1240
  # @return [Integer]
1241
1241
  #
1242
1242
  # @!attribute [rw] description
1243
- # A friendly description of the rule group. You cannot change the
1244
- # description of a rule group after you create it.
1243
+ # A description of the rule group that helps with identification. You
1244
+ # cannot change the description of a rule group after you create it.
1245
1245
  # @return [String]
1246
1246
  #
1247
1247
  # @!attribute [rw] rules
@@ -1526,8 +1526,8 @@ module Aws::WAFV2
1526
1526
  # }
1527
1527
  #
1528
1528
  # @!attribute [rw] name
1529
- # A friendly name of the Web ACL. You cannot change the name of a Web
1530
- # ACL after you create it.
1529
+ # The name of the Web ACL. You cannot change the name of a Web ACL
1530
+ # after you create it.
1531
1531
  # @return [String]
1532
1532
  #
1533
1533
  # @!attribute [rw] scope
@@ -1538,7 +1538,7 @@ module Aws::WAFV2
1538
1538
  # To work with CloudFront, you must also specify the Region US East
1539
1539
  # (N. Virginia) as follows:
1540
1540
  #
1541
- # * CLI - Specify the region when you use the CloudFront scope:
1541
+ # * CLI - Specify the Region when you use the CloudFront scope:
1542
1542
  # `--scope=CLOUDFRONT --region=us-east-1`.
1543
1543
  #
1544
1544
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1550,8 +1550,8 @@ module Aws::WAFV2
1550
1550
  # @return [Types::DefaultAction]
1551
1551
  #
1552
1552
  # @!attribute [rw] description
1553
- # A friendly description of the Web ACL. You cannot change the
1554
- # description of a Web ACL after you create it.
1553
+ # A description of the Web ACL that helps with identification. You
1554
+ # cannot change the description of a Web ACL after you create it.
1555
1555
  # @return [String]
1556
1556
  #
1557
1557
  # @!attribute [rw] rules
@@ -1638,6 +1638,57 @@ module Aws::WAFV2
1638
1638
  include Aws::Structure
1639
1639
  end
1640
1640
 
1641
+ # @note When making an API call, you may pass DeleteFirewallManagerRuleGroupsRequest
1642
+ # data as a hash:
1643
+ #
1644
+ # {
1645
+ # web_acl_arn: "ResourceArn", # required
1646
+ # web_acl_lock_token: "LockToken", # required
1647
+ # }
1648
+ #
1649
+ # @!attribute [rw] web_acl_arn
1650
+ # The Amazon Resource Name (ARN) of the web ACL.
1651
+ # @return [String]
1652
+ #
1653
+ # @!attribute [rw] web_acl_lock_token
1654
+ # A token used for optimistic locking. AWS WAF returns a token to your
1655
+ # get and list requests, to mark the state of the entity at the time
1656
+ # of the request. To make changes to the entity associated with the
1657
+ # token, you provide the token to operations like update and delete.
1658
+ # AWS WAF uses the token to ensure that no changes have been made to
1659
+ # the entity since you last retrieved it. If a change has been made,
1660
+ # the update fails with a `WAFOptimisticLockException`. If this
1661
+ # happens, perform another get, and use the new token returned by that
1662
+ # operation.
1663
+ # @return [String]
1664
+ #
1665
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeleteFirewallManagerRuleGroupsRequest AWS API Documentation
1666
+ #
1667
+ class DeleteFirewallManagerRuleGroupsRequest < Struct.new(
1668
+ :web_acl_arn,
1669
+ :web_acl_lock_token)
1670
+ include Aws::Structure
1671
+ end
1672
+
1673
+ # @!attribute [rw] next_web_acl_lock_token
1674
+ # A token used for optimistic locking. AWS WAF returns a token to your
1675
+ # get and list requests, to mark the state of the entity at the time
1676
+ # of the request. To make changes to the entity associated with the
1677
+ # token, you provide the token to operations like update and delete.
1678
+ # AWS WAF uses the token to ensure that no changes have been made to
1679
+ # the entity since you last retrieved it. If a change has been made,
1680
+ # the update fails with a `WAFOptimisticLockException`. If this
1681
+ # happens, perform another get, and use the new token returned by that
1682
+ # operation.
1683
+ # @return [String]
1684
+ #
1685
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeleteFirewallManagerRuleGroupsResponse AWS API Documentation
1686
+ #
1687
+ class DeleteFirewallManagerRuleGroupsResponse < Struct.new(
1688
+ :next_web_acl_lock_token)
1689
+ include Aws::Structure
1690
+ end
1691
+
1641
1692
  # @note When making an API call, you may pass DeleteIPSetRequest
1642
1693
  # data as a hash:
1643
1694
  #
@@ -1649,8 +1700,8 @@ module Aws::WAFV2
1649
1700
  # }
1650
1701
  #
1651
1702
  # @!attribute [rw] name
1652
- # A friendly name of the IP set. You cannot change the name of an
1653
- # `IPSet` after you create it.
1703
+ # The name of the IP set. You cannot change the name of an `IPSet`
1704
+ # after you create it.
1654
1705
  # @return [String]
1655
1706
  #
1656
1707
  # @!attribute [rw] scope
@@ -1661,7 +1712,7 @@ module Aws::WAFV2
1661
1712
  # To work with CloudFront, you must also specify the Region US East
1662
1713
  # (N. Virginia) as follows:
1663
1714
  #
1664
- # * CLI - Specify the region when you use the CloudFront scope:
1715
+ # * CLI - Specify the Region when you use the CloudFront scope:
1665
1716
  # `--scope=CLOUDFRONT --region=us-east-1`.
1666
1717
  #
1667
1718
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1722,6 +1773,31 @@ module Aws::WAFV2
1722
1773
  #
1723
1774
  class DeleteLoggingConfigurationResponse < Aws::EmptyStructure; end
1724
1775
 
1776
+ # @note When making an API call, you may pass DeletePermissionPolicyRequest
1777
+ # data as a hash:
1778
+ #
1779
+ # {
1780
+ # resource_arn: "ResourceArn", # required
1781
+ # }
1782
+ #
1783
+ # @!attribute [rw] resource_arn
1784
+ # The Amazon Resource Name (ARN) of the rule group from which you want
1785
+ # to delete the policy.
1786
+ #
1787
+ # You must be the owner of the rule group to perform this operation.
1788
+ # @return [String]
1789
+ #
1790
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeletePermissionPolicyRequest AWS API Documentation
1791
+ #
1792
+ class DeletePermissionPolicyRequest < Struct.new(
1793
+ :resource_arn)
1794
+ include Aws::Structure
1795
+ end
1796
+
1797
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeletePermissionPolicyResponse AWS API Documentation
1798
+ #
1799
+ class DeletePermissionPolicyResponse < Aws::EmptyStructure; end
1800
+
1725
1801
  # @note When making an API call, you may pass DeleteRegexPatternSetRequest
1726
1802
  # data as a hash:
1727
1803
  #
@@ -1733,8 +1809,8 @@ module Aws::WAFV2
1733
1809
  # }
1734
1810
  #
1735
1811
  # @!attribute [rw] name
1736
- # A friendly name of the set. You cannot change the name after you
1737
- # create the set.
1812
+ # The name of the set. You cannot change the name after you create the
1813
+ # set.
1738
1814
  # @return [String]
1739
1815
  #
1740
1816
  # @!attribute [rw] scope
@@ -1745,7 +1821,7 @@ module Aws::WAFV2
1745
1821
  # To work with CloudFront, you must also specify the Region US East
1746
1822
  # (N. Virginia) as follows:
1747
1823
  #
1748
- # * CLI - Specify the region when you use the CloudFront scope:
1824
+ # * CLI - Specify the Region when you use the CloudFront scope:
1749
1825
  # `--scope=CLOUDFRONT --region=us-east-1`.
1750
1826
  #
1751
1827
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1794,8 +1870,8 @@ module Aws::WAFV2
1794
1870
  # }
1795
1871
  #
1796
1872
  # @!attribute [rw] name
1797
- # A friendly name of the rule group. You cannot change the name of a
1798
- # rule group after you create it.
1873
+ # The name of the rule group. You cannot change the name of a rule
1874
+ # group after you create it.
1799
1875
  # @return [String]
1800
1876
  #
1801
1877
  # @!attribute [rw] scope
@@ -1806,7 +1882,7 @@ module Aws::WAFV2
1806
1882
  # To work with CloudFront, you must also specify the Region US East
1807
1883
  # (N. Virginia) as follows:
1808
1884
  #
1809
- # * CLI - Specify the region when you use the CloudFront scope:
1885
+ # * CLI - Specify the Region when you use the CloudFront scope:
1810
1886
  # `--scope=CLOUDFRONT --region=us-east-1`.
1811
1887
  #
1812
1888
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1855,8 +1931,8 @@ module Aws::WAFV2
1855
1931
  # }
1856
1932
  #
1857
1933
  # @!attribute [rw] name
1858
- # A friendly name of the Web ACL. You cannot change the name of a Web
1859
- # ACL after you create it.
1934
+ # The name of the Web ACL. You cannot change the name of a Web ACL
1935
+ # after you create it.
1860
1936
  # @return [String]
1861
1937
  #
1862
1938
  # @!attribute [rw] scope
@@ -1867,7 +1943,7 @@ module Aws::WAFV2
1867
1943
  # To work with CloudFront, you must also specify the Region US East
1868
1944
  # (N. Virginia) as follows:
1869
1945
  #
1870
- # * CLI - Specify the region when you use the CloudFront scope:
1946
+ # * CLI - Specify the Region when you use the CloudFront scope:
1871
1947
  # `--scope=CLOUDFRONT --region=us-east-1`.
1872
1948
  #
1873
1949
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1932,7 +2008,7 @@ module Aws::WAFV2
1932
2008
  # To work with CloudFront, you must also specify the Region US East
1933
2009
  # (N. Virginia) as follows:
1934
2010
  #
1935
- # * CLI - Specify the region when you use the CloudFront scope:
2011
+ # * CLI - Specify the Region when you use the CloudFront scope:
1936
2012
  # `--scope=CLOUDFRONT --region=us-east-1`.
1937
2013
  #
1938
2014
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2042,8 +2118,11 @@ module Aws::WAFV2
2042
2118
  # </note>
2043
2119
  #
2044
2120
  # The part of a web request that you want AWS WAF to inspect. Include
2045
- # the `FieldToMatch` types that you want to inspect, with additional
2046
- # specifications as needed, according to the type.
2121
+ # the single `FieldToMatch` type that you want to inspect, with
2122
+ # additional specifications as needed, according to the type. You
2123
+ # specify a single request component in `FieldToMatch` for each rule
2124
+ # statement that requires it. To inspect more than one component of a
2125
+ # web request, create a separate rule statement for each component.
2047
2126
  #
2048
2127
  #
2049
2128
  #
@@ -2135,6 +2214,128 @@ module Aws::WAFV2
2135
2214
  include Aws::Structure
2136
2215
  end
2137
2216
 
2217
+ # A rule group that's defined for an AWS Firewall Manager WAF policy.
2218
+ #
2219
+ # @!attribute [rw] name
2220
+ # The name of the rule group. You cannot change the name of a rule
2221
+ # group after you create it.
2222
+ # @return [String]
2223
+ #
2224
+ # @!attribute [rw] priority
2225
+ # If you define more than one rule group in the first or last Firewall
2226
+ # Manager rule groups, AWS WAF evaluates each request against the rule
2227
+ # groups in order, starting from the lowest priority setting. The
2228
+ # priorities don't need to be consecutive, but they must all be
2229
+ # different.
2230
+ # @return [Integer]
2231
+ #
2232
+ # @!attribute [rw] firewall_manager_statement
2233
+ # The processing guidance for an AWS Firewall Manager rule. This is
2234
+ # like a regular rule Statement, but it can only contain a rule group
2235
+ # reference.
2236
+ # @return [Types::FirewallManagerStatement]
2237
+ #
2238
+ # @!attribute [rw] override_action
2239
+ # The override action to apply to the rules in a rule group. Used only
2240
+ # for rule statements that reference a rule group, like
2241
+ # `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
2242
+ #
2243
+ # Set the override action to none to leave the rule actions in effect.
2244
+ # Set it to count to only count matches, regardless of the rule action
2245
+ # settings.
2246
+ #
2247
+ # In a Rule, you must specify either this `OverrideAction` setting or
2248
+ # the rule `Action` setting, but not both:
2249
+ #
2250
+ # * If the rule statement references a rule group, use this override
2251
+ # action setting and not the action setting.
2252
+ #
2253
+ # * If the rule statement does not reference a rule group, use the
2254
+ # rule action setting and not this rule override action setting.
2255
+ # @return [Types::OverrideAction]
2256
+ #
2257
+ # @!attribute [rw] visibility_config
2258
+ # <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
2259
+ # in November, 2019. For information, including how to migrate your
2260
+ # AWS WAF resources from the prior release, see the [AWS WAF Developer
2261
+ # Guide][1].
2262
+ #
2263
+ # </note>
2264
+ #
2265
+ # Defines and enables Amazon CloudWatch metrics and web request sample
2266
+ # collection.
2267
+ #
2268
+ #
2269
+ #
2270
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
2271
+ # @return [Types::VisibilityConfig]
2272
+ #
2273
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/FirewallManagerRuleGroup AWS API Documentation
2274
+ #
2275
+ class FirewallManagerRuleGroup < Struct.new(
2276
+ :name,
2277
+ :priority,
2278
+ :firewall_manager_statement,
2279
+ :override_action,
2280
+ :visibility_config)
2281
+ include Aws::Structure
2282
+ end
2283
+
2284
+ # The processing guidance for an AWS Firewall Manager rule. This is like
2285
+ # a regular rule Statement, but it can only contain a rule group
2286
+ # reference.
2287
+ #
2288
+ # @!attribute [rw] managed_rule_group_statement
2289
+ # <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
2290
+ # in November, 2019. For information, including how to migrate your
2291
+ # AWS WAF resources from the prior release, see the [AWS WAF Developer
2292
+ # Guide][1].
2293
+ #
2294
+ # </note>
2295
+ #
2296
+ # A rule statement used to run the rules that are defined in a managed
2297
+ # rule group. To use this, provide the vendor name and the name of the
2298
+ # rule group in this statement. You can retrieve the required names by
2299
+ # calling ListAvailableManagedRuleGroups.
2300
+ #
2301
+ # You can't nest a `ManagedRuleGroupStatement`, for example for use
2302
+ # inside a `NotStatement` or `OrStatement`. It can only be referenced
2303
+ # as a top-level statement within a rule.
2304
+ #
2305
+ #
2306
+ #
2307
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
2308
+ # @return [Types::ManagedRuleGroupStatement]
2309
+ #
2310
+ # @!attribute [rw] rule_group_reference_statement
2311
+ # <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
2312
+ # in November, 2019. For information, including how to migrate your
2313
+ # AWS WAF resources from the prior release, see the [AWS WAF Developer
2314
+ # Guide][1].
2315
+ #
2316
+ # </note>
2317
+ #
2318
+ # A rule statement used to run the rules that are defined in a
2319
+ # RuleGroup. To use this, create a rule group with your rules, then
2320
+ # provide the ARN of the rule group in this statement.
2321
+ #
2322
+ # You cannot nest a `RuleGroupReferenceStatement`, for example for use
2323
+ # inside a `NotStatement` or `OrStatement`. It can only be referenced
2324
+ # as a top-level statement within a rule.
2325
+ #
2326
+ #
2327
+ #
2328
+ # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
2329
+ # @return [Types::RuleGroupReferenceStatement]
2330
+ #
2331
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/FirewallManagerStatement AWS API Documentation
2332
+ #
2333
+ class FirewallManagerStatement < Struct.new(
2334
+ :managed_rule_group_statement,
2335
+ :rule_group_reference_statement)
2336
+ include Aws::Structure
2337
+ end
2338
+
2138
2339
  # <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
2139
2340
  # in November, 2019. For information, including how to migrate your AWS
2140
2341
  # WAF resources from the prior release, see the [AWS WAF Developer
@@ -2179,8 +2380,8 @@ module Aws::WAFV2
2179
2380
  # }
2180
2381
  #
2181
2382
  # @!attribute [rw] name
2182
- # A friendly name of the IP set. You cannot change the name of an
2183
- # `IPSet` after you create it.
2383
+ # The name of the IP set. You cannot change the name of an `IPSet`
2384
+ # after you create it.
2184
2385
  # @return [String]
2185
2386
  #
2186
2387
  # @!attribute [rw] scope
@@ -2191,7 +2392,7 @@ module Aws::WAFV2
2191
2392
  # To work with CloudFront, you must also specify the Region US East
2192
2393
  # (N. Virginia) as follows:
2193
2394
  #
2194
- # * CLI - Specify the region when you use the CloudFront scope:
2395
+ # * CLI - Specify the Region when you use the CloudFront scope:
2195
2396
  # `--scope=CLOUDFRONT --region=us-east-1`.
2196
2397
  #
2197
2398
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2265,6 +2466,36 @@ module Aws::WAFV2
2265
2466
  include Aws::Structure
2266
2467
  end
2267
2468
 
2469
+ # @note When making an API call, you may pass GetPermissionPolicyRequest
2470
+ # data as a hash:
2471
+ #
2472
+ # {
2473
+ # resource_arn: "ResourceArn", # required
2474
+ # }
2475
+ #
2476
+ # @!attribute [rw] resource_arn
2477
+ # The Amazon Resource Name (ARN) of the rule group for which you want
2478
+ # to get the policy.
2479
+ # @return [String]
2480
+ #
2481
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/GetPermissionPolicyRequest AWS API Documentation
2482
+ #
2483
+ class GetPermissionPolicyRequest < Struct.new(
2484
+ :resource_arn)
2485
+ include Aws::Structure
2486
+ end
2487
+
2488
+ # @!attribute [rw] policy
2489
+ # The IAM policy that is attached to the specified rule group.
2490
+ # @return [String]
2491
+ #
2492
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/GetPermissionPolicyResponse AWS API Documentation
2493
+ #
2494
+ class GetPermissionPolicyResponse < Struct.new(
2495
+ :policy)
2496
+ include Aws::Structure
2497
+ end
2498
+
2268
2499
  # @note When making an API call, you may pass GetRateBasedStatementManagedKeysRequest
2269
2500
  # data as a hash:
2270
2501
  #
@@ -2283,15 +2514,15 @@ module Aws::WAFV2
2283
2514
  # To work with CloudFront, you must also specify the Region US East
2284
2515
  # (N. Virginia) as follows:
2285
2516
  #
2286
- # * CLI - Specify the region when you use the CloudFront scope:
2517
+ # * CLI - Specify the Region when you use the CloudFront scope:
2287
2518
  # `--scope=CLOUDFRONT --region=us-east-1`.
2288
2519
  #
2289
2520
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
2290
2521
  # @return [String]
2291
2522
  #
2292
2523
  # @!attribute [rw] web_acl_name
2293
- # A friendly name of the Web ACL. You cannot change the name of a Web
2294
- # ACL after you create it.
2524
+ # The name of the Web ACL. You cannot change the name of a Web ACL
2525
+ # after you create it.
2295
2526
  # @return [String]
2296
2527
  #
2297
2528
  # @!attribute [rw] web_acl_id
@@ -2340,8 +2571,8 @@ module Aws::WAFV2
2340
2571
  # }
2341
2572
  #
2342
2573
  # @!attribute [rw] name
2343
- # A friendly name of the set. You cannot change the name after you
2344
- # create the set.
2574
+ # The name of the set. You cannot change the name after you create the
2575
+ # set.
2345
2576
  # @return [String]
2346
2577
  #
2347
2578
  # @!attribute [rw] scope
@@ -2352,7 +2583,7 @@ module Aws::WAFV2
2352
2583
  # To work with CloudFront, you must also specify the Region US East
2353
2584
  # (N. Virginia) as follows:
2354
2585
  #
2355
- # * CLI - Specify the region when you use the CloudFront scope:
2586
+ # * CLI - Specify the Region when you use the CloudFront scope:
2356
2587
  # `--scope=CLOUDFRONT --region=us-east-1`.
2357
2588
  #
2358
2589
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2406,8 +2637,8 @@ module Aws::WAFV2
2406
2637
  # }
2407
2638
  #
2408
2639
  # @!attribute [rw] name
2409
- # A friendly name of the rule group. You cannot change the name of a
2410
- # rule group after you create it.
2640
+ # The name of the rule group. You cannot change the name of a rule
2641
+ # group after you create it.
2411
2642
  # @return [String]
2412
2643
  #
2413
2644
  # @!attribute [rw] scope
@@ -2418,7 +2649,7 @@ module Aws::WAFV2
2418
2649
  # To work with CloudFront, you must also specify the Region US East
2419
2650
  # (N. Virginia) as follows:
2420
2651
  #
2421
- # * CLI - Specify the region when you use the CloudFront scope:
2652
+ # * CLI - Specify the Region when you use the CloudFront scope:
2422
2653
  # `--scope=CLOUDFRONT --region=us-east-1`.
2423
2654
  #
2424
2655
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2494,7 +2725,7 @@ module Aws::WAFV2
2494
2725
  # To work with CloudFront, you must also specify the Region US East
2495
2726
  # (N. Virginia) as follows:
2496
2727
  #
2497
- # * CLI - Specify the region when you use the CloudFront scope:
2728
+ # * CLI - Specify the Region when you use the CloudFront scope:
2498
2729
  # `--scope=CLOUDFRONT --region=us-east-1`.
2499
2730
  #
2500
2731
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2596,8 +2827,8 @@ module Aws::WAFV2
2596
2827
  # }
2597
2828
  #
2598
2829
  # @!attribute [rw] name
2599
- # A friendly name of the Web ACL. You cannot change the name of a Web
2600
- # ACL after you create it.
2830
+ # The name of the Web ACL. You cannot change the name of a Web ACL
2831
+ # after you create it.
2601
2832
  # @return [String]
2602
2833
  #
2603
2834
  # @!attribute [rw] scope
@@ -2608,7 +2839,7 @@ module Aws::WAFV2
2608
2839
  # To work with CloudFront, you must also specify the Region US East
2609
2840
  # (N. Virginia) as follows:
2610
2841
  #
2611
- # * CLI - Specify the region when you use the CloudFront scope:
2842
+ # * CLI - Specify the Region when you use the CloudFront scope:
2612
2843
  # `--scope=CLOUDFRONT --region=us-east-1`.
2613
2844
  #
2614
2845
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2776,8 +3007,8 @@ module Aws::WAFV2
2776
3007
  # [2]: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
2777
3008
  #
2778
3009
  # @!attribute [rw] name
2779
- # A friendly name of the IP set. You cannot change the name of an
2780
- # `IPSet` after you create it.
3010
+ # The name of the IP set. You cannot change the name of an `IPSet`
3011
+ # after you create it.
2781
3012
  # @return [String]
2782
3013
  #
2783
3014
  # @!attribute [rw] id
@@ -2791,8 +3022,8 @@ module Aws::WAFV2
2791
3022
  # @return [String]
2792
3023
  #
2793
3024
  # @!attribute [rw] description
2794
- # A friendly description of the IP set. You cannot change the
2795
- # description of an IP set after you create it.
3025
+ # A description of the IP set that helps with identification. You
3026
+ # cannot change the description of an IP set after you create it.
2796
3027
  # @return [String]
2797
3028
  #
2798
3029
  # @!attribute [rw] ip_address_version
@@ -2903,8 +3134,8 @@ module Aws::WAFV2
2903
3134
  # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
2904
3135
  #
2905
3136
  # @!attribute [rw] name
2906
- # A friendly name of the IP set. You cannot change the name of an
2907
- # `IPSet` after you create it.
3137
+ # The name of the IP set. You cannot change the name of an `IPSet`
3138
+ # after you create it.
2908
3139
  # @return [String]
2909
3140
  #
2910
3141
  # @!attribute [rw] id
@@ -2914,8 +3145,8 @@ module Aws::WAFV2
2914
3145
  # @return [String]
2915
3146
  #
2916
3147
  # @!attribute [rw] description
2917
- # A friendly description of the IP set. You cannot change the
2918
- # description of an IP set after you create it.
3148
+ # A description of the IP set that helps with identification. You
3149
+ # cannot change the description of an IP set after you create it.
2919
3150
  # @return [String]
2920
3151
  #
2921
3152
  # @!attribute [rw] lock_token
@@ -2962,7 +3193,7 @@ module Aws::WAFV2
2962
3193
  # To work with CloudFront, you must also specify the Region US East
2963
3194
  # (N. Virginia) as follows:
2964
3195
  #
2965
- # * CLI - Specify the region when you use the CloudFront scope:
3196
+ # * CLI - Specify the Region when you use the CloudFront scope:
2966
3197
  # `--scope=CLOUDFRONT --region=us-east-1`.
2967
3198
  #
2968
3199
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3028,7 +3259,7 @@ module Aws::WAFV2
3028
3259
  # To work with CloudFront, you must also specify the Region US East
3029
3260
  # (N. Virginia) as follows:
3030
3261
  #
3031
- # * CLI - Specify the region when you use the CloudFront scope:
3262
+ # * CLI - Specify the Region when you use the CloudFront scope:
3032
3263
  # `--scope=CLOUDFRONT --region=us-east-1`.
3033
3264
  #
3034
3265
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3096,7 +3327,7 @@ module Aws::WAFV2
3096
3327
  # To work with CloudFront, you must also specify the Region US East
3097
3328
  # (N. Virginia) as follows:
3098
3329
  #
3099
- # * CLI - Specify the region when you use the CloudFront scope:
3330
+ # * CLI - Specify the Region when you use the CloudFront scope:
3100
3331
  # `--scope=CLOUDFRONT --region=us-east-1`.
3101
3332
  #
3102
3333
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3162,7 +3393,7 @@ module Aws::WAFV2
3162
3393
  # To work with CloudFront, you must also specify the Region US East
3163
3394
  # (N. Virginia) as follows:
3164
3395
  #
3165
- # * CLI - Specify the region when you use the CloudFront scope:
3396
+ # * CLI - Specify the Region when you use the CloudFront scope:
3166
3397
  # `--scope=CLOUDFRONT --region=us-east-1`.
3167
3398
  #
3168
3399
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3266,7 +3497,7 @@ module Aws::WAFV2
3266
3497
  # To work with CloudFront, you must also specify the Region US East
3267
3498
  # (N. Virginia) as follows:
3268
3499
  #
3269
- # * CLI - Specify the region when you use the CloudFront scope:
3500
+ # * CLI - Specify the Region when you use the CloudFront scope:
3270
3501
  # `--scope=CLOUDFRONT --region=us-east-1`.
3271
3502
  #
3272
3503
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3389,7 +3620,7 @@ module Aws::WAFV2
3389
3620
  # To work with CloudFront, you must also specify the Region US East
3390
3621
  # (N. Virginia) as follows:
3391
3622
  #
3392
- # * CLI - Specify the region when you use the CloudFront scope:
3623
+ # * CLI - Specify the Region when you use the CloudFront scope:
3393
3624
  # `--scope=CLOUDFRONT --region=us-east-1`.
3394
3625
  #
3395
3626
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -4089,21 +4320,22 @@ module Aws::WAFV2
4089
4320
  include Aws::Structure
4090
4321
  end
4091
4322
 
4092
- # <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
4093
- # in November, 2019. For information, including how to migrate your AWS
4094
- # WAF resources from the prior release, see the [AWS WAF Developer
4095
- # Guide][1].
4096
- #
4097
- # </note>
4323
+ # The override action to apply to the rules in a rule group. Used only
4324
+ # for rule statements that reference a rule group, like
4325
+ # `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
4098
4326
  #
4099
- # The action to use to override the rule's `Action` setting. You can
4100
- # use no override action, in which case the rule action is in effect, or
4101
- # count, in which case, if the rule matches a web request, it only
4102
- # counts the match.
4327
+ # Set the override action to none to leave the rule actions in effect.
4328
+ # Set it to count to only count matches, regardless of the rule action
4329
+ # settings.
4103
4330
  #
4331
+ # In a Rule, you must specify either this `OverrideAction` setting or
4332
+ # the rule `Action` setting, but not both:
4104
4333
  #
4334
+ # * If the rule statement references a rule group, use this override
4335
+ # action setting and not the action setting.
4105
4336
  #
4106
- # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
4337
+ # * If the rule statement does not reference a rule group, use the rule
4338
+ # action setting and not this rule override action setting.
4107
4339
  #
4108
4340
  # @note When making an API call, you may pass OverrideAction
4109
4341
  # data as a hash:
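Review bot: The rewritten `OverrideAction` description says count will "only count matches, regardless of the rule action settings" but stops short of stating the consequence: under a count override, the referenced rule group's own actions, block included, are not applied to matching requests. An operator needs that detail when a web ACL has a rule group in place yet nothing is being blocked. I would add one sentence after "settings.", for example `# With count, a request that matches a rule in the group is counted and is not blocked by that rule.` The same paragraph is repeated for `override_action` in the `Rule` hunk (`@@ -4975,15 +5258,40 @@`) and needs the same line. The class this comment block documents lies outside the hunk.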
@@ -4181,6 +4413,57 @@ module Aws::WAFV2
4181
4413
  include Aws::Structure
4182
4414
  end
4183
4415
 
4416
+ # @note When making an API call, you may pass PutPermissionPolicyRequest
4417
+ # data as a hash:
4418
+ #
4419
+ # {
4420
+ # resource_arn: "ResourceArn", # required
4421
+ # policy: "PolicyString", # required
4422
+ # }
4423
+ #
4424
+ # @!attribute [rw] resource_arn
4425
+ # The Amazon Resource Name (ARN) of the RuleGroup to which you want to
4426
+ # attach the policy.
4427
+ # @return [String]
4428
+ #
4429
+ # @!attribute [rw] policy
4430
+ # The policy to attach to the specified rule group.
4431
+ #
4432
+ # The policy specifications must conform to the following:
4433
+ #
4434
+ # * The policy must be composed using IAM Policy version 2012-10-17 or
4435
+ # version 2015-01-01.
4436
+ #
4437
+ # * The policy must include specifications for `Effect`, `Action`, and
4438
+ # `Principal`.
4439
+ #
4440
+ # * `Effect` must specify `Allow`.
4441
+ #
4442
+ # * `Action` must specify `wafv2:CreateWebACL`, `wafv2:UpdateWebACL`,
4443
+ # and `wafv2:PutFirewallManagerRuleGroups`. AWS WAF rejects any
4444
+ # extra actions or wildcard actions in the policy.
4445
+ #
4446
+ # * The policy must not include a `Resource` parameter.
4447
+ #
4448
+ # For more information, see [IAM Policies][1].
4449
+ #
4450
+ #
4451
+ #
4452
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
4453
+ # @return [String]
4454
+ #
4455
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/PutPermissionPolicyRequest AWS API Documentation
4456
+ #
4457
+ class PutPermissionPolicyRequest < Struct.new(
4458
+ :resource_arn,
4459
+ :policy)
4460
+ include Aws::Structure
4461
+ end
4462
+
4463
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/PutPermissionPolicyResponse AWS API Documentation
4464
+ #
4465
+ class PutPermissionPolicyResponse < Aws::EmptyStructure; end
4466
+
4184
4467
  # <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
4185
4468
  # in November, 2019. For information, including how to migrate your AWS
4186
4469
  # WAF resources from the prior release, see the [AWS WAF Developer
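Review bot: The `policy` documentation spells out what AWS WAF enforces for `Effect`, `Action` and `Resource`, but for `Principal` it only requires that one be present, so a reader cannot tell from these lines how broadly the rule group ends up shared. Since the policy is an `Allow` on `wafv2:CreateWebACL`, `wafv2:UpdateWebACL` and `wafv2:PutFirewallManagerRuleGroups`, it presumably lets the named principals reference this rule group, and that deserves a caveat. I would add a bullet such as `# * In Principal, name only the principals that should use the rule group; the checks listed here do not narrow it.` The same list is repeated in the `WAFInvalidPermissionPolicyException` hunk (`@@ -7950,6 +8270,41 @@`). The example hash could also say that `policy` is a JSON policy document rather than showing only `"PolicyString"`.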
@@ -4548,8 +4831,8 @@ module Aws::WAFV2
4548
4831
  # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
4549
4832
  #
4550
4833
  # @!attribute [rw] name
4551
- # A friendly name of the set. You cannot change the name after you
4552
- # create the set.
4834
+ # The name of the set. You cannot change the name after you create the
4835
+ # set.
4553
4836
  # @return [String]
4554
4837
  #
4555
4838
  # @!attribute [rw] id
@@ -4563,8 +4846,8 @@ module Aws::WAFV2
4563
4846
  # @return [String]
4564
4847
  #
4565
4848
  # @!attribute [rw] description
4566
- # A friendly description of the set. You cannot change the description
4567
- # of a set after you create it.
4849
+ # A description of the set that helps with identification. You cannot
4850
+ # change the description of a set after you create it.
4568
4851
  # @return [String]
4569
4852
  #
4570
4853
  # @!attribute [rw] regular_expression_list
@@ -4651,9 +4934,9 @@ module Aws::WAFV2
4651
4934
  # Text transformations eliminate some of the unusual formatting that
4652
4935
  # attackers use in web requests in an effort to bypass detection. If
4653
4936
  # you specify one or more transformations in a rule statement, AWS WAF
4654
- # performs all transformations on the content identified by
4655
- # `FieldToMatch`, starting from the lowest priority setting, before
4656
- # inspecting the content for a match.
4937
+ # performs all transformations on the content of the request component
4938
+ # identified by `FieldToMatch`, starting from the lowest priority
4939
+ # setting, before inspecting the content for a match.
4657
4940
  # @return [Array<Types::TextTransformation>]
4658
4941
  #
4659
4942
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexPatternSetReferenceStatement AWS API Documentation
@@ -4683,8 +4966,8 @@ module Aws::WAFV2
4683
4966
  # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
4684
4967
  #
4685
4968
  # @!attribute [rw] name
4686
- # A friendly name of the data type instance. You cannot change the
4687
- # name after you create the instance.
4969
+ # The name of the data type instance. You cannot change the name after
4970
+ # you create the instance.
4688
4971
  # @return [String]
4689
4972
  #
4690
4973
  # @!attribute [rw] id
@@ -4694,8 +4977,8 @@ module Aws::WAFV2
4694
4977
  # @return [String]
4695
4978
  #
4696
4979
  # @!attribute [rw] description
4697
- # A friendly description of the set. You cannot change the description
4698
- # of a set after you create it.
4980
+ # A description of the set that helps with identification. You cannot
4981
+ # change the description of a set after you create it.
4699
4982
  # @return [String]
4700
4983
  #
4701
4984
  # @!attribute [rw] lock_token
@@ -4956,8 +5239,8 @@ module Aws::WAFV2
4956
5239
  # }
4957
5240
  #
4958
5241
  # @!attribute [rw] name
4959
- # A friendly name of the rule. You can't change the name of a `Rule`
4960
- # after you create it.
5242
+ # The name of the rule. You can't change the name of a `Rule` after
5243
+ # you create it.
4961
5244
  # @return [String]
4962
5245
  #
4963
5246
  # @!attribute [rw] priority
@@ -4975,15 +5258,40 @@ module Aws::WAFV2
4975
5258
  #
4976
5259
  # @!attribute [rw] action
4977
5260
  # The action that AWS WAF should take on a web request when it matches
4978
- # the rule's statement. Settings at the web ACL level can override
4979
- # the rule action setting.
5261
+ # the rule statement. Settings at the web ACL level can override the
5262
+ # rule action setting.
5263
+ #
5264
+ # This is used only for rules whose statements do not reference a rule
5265
+ # group. Rule statements that reference a rule group include
5266
+ # `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
5267
+ #
5268
+ # You must specify either this `Action` setting or the rule
5269
+ # `OverrideAction` setting, but not both:
5270
+ #
5271
+ # * If the rule statement does not reference a rule group, use this
5272
+ # rule action setting and not the rule override action setting.
5273
+ #
5274
+ # * If the rule statement references a rule group, use the override
5275
+ # action setting and not this action setting.
4980
5276
  # @return [Types::RuleAction]
4981
5277
  #
4982
5278
  # @!attribute [rw] override_action
4983
- # The action to use to override the rule's `Action` setting. You can
4984
- # use no override action, in which case the rule action is in effect,
4985
- # or count action, in which case, if the rule matches a web request,
4986
- # it only counts the match.
5279
+ # The override action to apply to the rules in a rule group. Used only
5280
+ # for rule statements that reference a rule group, like
5281
+ # `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
5282
+ #
5283
+ # Set the override action to none to leave the rule actions in effect.
5284
+ # Set it to count to only count matches, regardless of the rule action
5285
+ # settings.
5286
+ #
5287
+ # In a Rule, you must specify either this `OverrideAction` setting or
5288
+ # the rule `Action` setting, but not both:
5289
+ #
5290
+ # * If the rule statement references a rule group, use this override
5291
+ # action setting and not the action setting.
5292
+ #
5293
+ # * If the rule statement does not reference a rule group, use the
5294
+ # rule action setting and not this rule override action setting.
4987
5295
  # @return [Types::OverrideAction]
4988
5296
  #
4989
5297
  # @!attribute [rw] visibility_config
@@ -5069,8 +5377,8 @@ module Aws::WAFV2
5069
5377
  # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
5070
5378
  #
5071
5379
  # @!attribute [rw] name
5072
- # A friendly name of the rule group. You cannot change the name of a
5073
- # rule group after you create it.
5380
+ # The name of the rule group. You cannot change the name of a rule
5381
+ # group after you create it.
5074
5382
  # @return [String]
5075
5383
  #
5076
5384
  # @!attribute [rw] id
@@ -5102,8 +5410,8 @@ module Aws::WAFV2
5102
5410
  # @return [String]
5103
5411
  #
5104
5412
  # @!attribute [rw] description
5105
- # A friendly description of the rule group. You cannot change the
5106
- # description of a rule group after you create it.
5413
+ # A description of the rule group that helps with identification. You
5414
+ # cannot change the description of a rule group after you create it.
5107
5415
  # @return [String]
5108
5416
  #
5109
5417
  # @!attribute [rw] rules
@@ -5197,8 +5505,8 @@ module Aws::WAFV2
5197
5505
  # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
5198
5506
  #
5199
5507
  # @!attribute [rw] name
5200
- # A friendly name of the data type instance. You cannot change the
5201
- # name after you create the instance.
5508
+ # The name of the data type instance. You cannot change the name after
5509
+ # you create the instance.
5202
5510
  # @return [String]
5203
5511
  #
5204
5512
  # @!attribute [rw] id
@@ -5208,8 +5516,8 @@ module Aws::WAFV2
5208
5516
  # @return [String]
5209
5517
  #
5210
5518
  # @!attribute [rw] description
5211
- # A friendly description of the rule group. You cannot change the
5212
- # description of a rule group after you create it.
5519
+ # A description of the rule group that helps with identification. You
5520
+ # cannot change the description of a rule group after you create it.
5213
5521
  # @return [String]
5214
5522
  #
5215
5523
  # @!attribute [rw] lock_token
@@ -5486,9 +5794,9 @@ module Aws::WAFV2
5486
5794
  # Text transformations eliminate some of the unusual formatting that
5487
5795
  # attackers use in web requests in an effort to bypass detection. If
5488
5796
  # you specify one or more transformations in a rule statement, AWS WAF
5489
- # performs all transformations on the content identified by
5490
- # `FieldToMatch`, starting from the lowest priority setting, before
5491
- # inspecting the content for a match.
5797
+ # performs all transformations on the content of the request component
5798
+ # identified by `FieldToMatch`, starting from the lowest priority
5799
+ # setting, before inspecting the content for a match.
5492
5800
  # @return [Array<Types::TextTransformation>]
5493
5801
  #
5494
5802
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/SizeConstraintStatement AWS API Documentation
@@ -5560,9 +5868,9 @@ module Aws::WAFV2
5560
5868
  # Text transformations eliminate some of the unusual formatting that
5561
5869
  # attackers use in web requests in an effort to bypass detection. If
5562
5870
  # you specify one or more transformations in a rule statement, AWS WAF
5563
- # performs all transformations on the content identified by
5564
- # `FieldToMatch`, starting from the lowest priority setting, before
5565
- # inspecting the content for a match.
5871
+ # performs all transformations on the content of the request component
5872
+ # identified by `FieldToMatch`, starting from the lowest priority
5873
+ # setting, before inspecting the content for a match.
5566
5874
  # @return [Array<Types::TextTransformation>]
5567
5875
  #
5568
5876
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/SqliMatchStatement AWS API Documentation
@@ -6982,8 +7290,8 @@ module Aws::WAFV2
6982
7290
  # }
6983
7291
  #
6984
7292
  # @!attribute [rw] name
6985
- # A friendly name of the IP set. You cannot change the name of an
6986
- # `IPSet` after you create it.
7293
+ # The name of the IP set. You cannot change the name of an `IPSet`
7294
+ # after you create it.
6987
7295
  # @return [String]
6988
7296
  #
6989
7297
  # @!attribute [rw] scope
@@ -6994,7 +7302,7 @@ module Aws::WAFV2
6994
7302
  # To work with CloudFront, you must also specify the Region US East
6995
7303
  # (N. Virginia) as follows:
6996
7304
  #
6997
- # * CLI - Specify the region when you use the CloudFront scope:
7305
+ # * CLI - Specify the Region when you use the CloudFront scope:
6998
7306
  # `--scope=CLOUDFRONT --region=us-east-1`.
6999
7307
  #
7000
7308
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7007,8 +7315,8 @@ module Aws::WAFV2
7007
7315
  # @return [String]
7008
7316
  #
7009
7317
  # @!attribute [rw] description
7010
- # A friendly description of the IP set. You cannot change the
7011
- # description of an IP set after you create it.
7318
+ # A description of the IP set that helps with identification. You
7319
+ # cannot change the description of an IP set after you create it.
7012
7320
  # @return [String]
7013
7321
  #
7014
7322
  # @!attribute [rw] addresses
@@ -7100,8 +7408,8 @@ module Aws::WAFV2
7100
7408
  # }
7101
7409
  #
7102
7410
  # @!attribute [rw] name
7103
- # A friendly name of the set. You cannot change the name after you
7104
- # create the set.
7411
+ # The name of the set. You cannot change the name after you create the
7412
+ # set.
7105
7413
  # @return [String]
7106
7414
  #
7107
7415
  # @!attribute [rw] scope
@@ -7112,7 +7420,7 @@ module Aws::WAFV2
7112
7420
  # To work with CloudFront, you must also specify the Region US East
7113
7421
  # (N. Virginia) as follows:
7114
7422
  #
7115
- # * CLI - Specify the region when you use the CloudFront scope:
7423
+ # * CLI - Specify the Region when you use the CloudFront scope:
7116
7424
  # `--scope=CLOUDFRONT --region=us-east-1`.
7117
7425
  #
7118
7426
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7125,8 +7433,8 @@ module Aws::WAFV2
7125
7433
  # @return [String]
7126
7434
  #
7127
7435
  # @!attribute [rw] description
7128
- # A friendly description of the set. You cannot change the description
7129
- # of a set after you create it.
7436
+ # A description of the set that helps with identification. You cannot
7437
+ # change the description of a set after you create it.
7130
7438
  # @return [String]
7131
7439
  #
7132
7440
  # @!attribute [rw] regular_expression_list
@@ -7397,8 +7705,8 @@ module Aws::WAFV2
7397
7705
  # }
7398
7706
  #
7399
7707
  # @!attribute [rw] name
7400
- # A friendly name of the rule group. You cannot change the name of a
7401
- # rule group after you create it.
7708
+ # The name of the rule group. You cannot change the name of a rule
7709
+ # group after you create it.
7402
7710
  # @return [String]
7403
7711
  #
7404
7712
  # @!attribute [rw] scope
@@ -7409,7 +7717,7 @@ module Aws::WAFV2
7409
7717
  # To work with CloudFront, you must also specify the Region US East
7410
7718
  # (N. Virginia) as follows:
7411
7719
  #
7412
- # * CLI - Specify the region when you use the CloudFront scope:
7720
+ # * CLI - Specify the Region when you use the CloudFront scope:
7413
7721
  # `--scope=CLOUDFRONT --region=us-east-1`.
7414
7722
  #
7415
7723
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7422,8 +7730,8 @@ module Aws::WAFV2
7422
7730
  # @return [String]
7423
7731
  #
7424
7732
  # @!attribute [rw] description
7425
- # A friendly description of the rule group. You cannot change the
7426
- # description of a rule group after you create it.
7733
+ # A description of the rule group that helps with identification. You
7734
+ # cannot change the description of a rule group after you create it.
7427
7735
  # @return [String]
7428
7736
  #
7429
7737
  # @!attribute [rw] rules
@@ -7710,8 +8018,8 @@ module Aws::WAFV2
7710
8018
  # }
7711
8019
  #
7712
8020
  # @!attribute [rw] name
7713
- # A friendly name of the Web ACL. You cannot change the name of a Web
7714
- # ACL after you create it.
8021
+ # The name of the Web ACL. You cannot change the name of a Web ACL
8022
+ # after you create it.
7715
8023
  # @return [String]
7716
8024
  #
7717
8025
  # @!attribute [rw] scope
@@ -7722,7 +8030,7 @@ module Aws::WAFV2
7722
8030
  # To work with CloudFront, you must also specify the Region US East
7723
8031
  # (N. Virginia) as follows:
7724
8032
  #
7725
- # * CLI - Specify the region when you use the CloudFront scope:
8033
+ # * CLI - Specify the Region when you use the CloudFront scope:
7726
8034
  # `--scope=CLOUDFRONT --region=us-east-1`.
7727
8035
  #
7728
8036
  # * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7740,8 +8048,8 @@ module Aws::WAFV2
7740
8048
  # @return [Types::DefaultAction]
7741
8049
  #
7742
8050
  # @!attribute [rw] description
7743
- # A friendly description of the Web ACL. You cannot change the
7744
- # description of a Web ACL after you create it.
8051
+ # A description of the Web ACL that helps with identification. You
8052
+ # cannot change the description of a Web ACL after you create it.
7745
8053
  # @return [String]
7746
8054
  #
7747
8055
  # @!attribute [rw] rules
@@ -7859,7 +8167,7 @@ module Aws::WAFV2
7859
8167
  # @return [Boolean]
7860
8168
  #
7861
8169
  # @!attribute [rw] metric_name
7862
- # A friendly name of the CloudWatch metric. The name can contain only
8170
+ # A name of the CloudWatch metric. The name can contain only
7863
8171
  # alphanumeric characters (A-Z, a-z, 0-9), with length from one to 128
7864
8172
  # characters. It can't contain whitespace or metric names reserved
7865
8173
  # for AWS WAF, for example "All" and "Default\_Action." You can't
@@ -7914,6 +8222,18 @@ module Aws::WAFV2
7914
8222
  include Aws::Structure
7915
8223
  end
7916
8224
 
8225
+ # The operation isn't valid.
8226
+ #
8227
+ # @!attribute [rw] message
8228
+ # @return [String]
8229
+ #
8230
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WAFInvalidOperationException AWS API Documentation
8231
+ #
8232
+ class WAFInvalidOperationException < Struct.new(
8233
+ :message)
8234
+ include Aws::Structure
8235
+ end
8236
+
7917
8237
  # The operation failed because AWS WAF didn't recognize a parameter in
7918
8238
  # the request. For example:
7919
8239
  #
@@ -7950,6 +8270,41 @@ module Aws::WAFV2
7950
8270
  include Aws::Structure
7951
8271
  end
7952
8272
 
8273
+ # The operation failed because the specified policy isn't in the proper
8274
+ # format.
8275
+ #
8276
+ # The policy specifications must conform to the following:
8277
+ #
8278
+ # * The policy must be composed using IAM Policy version 2012-10-17 or
8279
+ # version 2015-01-01.
8280
+ #
8281
+ # * The policy must include specifications for `Effect`, `Action`, and
8282
+ # `Principal`.
8283
+ #
8284
+ # * `Effect` must specify `Allow`.
8285
+ #
8286
+ # * `Action` must specify `wafv2:CreateWebACL`, `wafv2:UpdateWebACL`,
8287
+ # and `wafv2:PutFirewallManagerRuleGroups`. AWS WAF rejects any extra
8288
+ # actions or wildcard actions in the policy.
8289
+ #
8290
+ # * The policy must not include a `Resource` parameter.
8291
+ #
8292
+ # For more information, see [IAM Policies][1].
8293
+ #
8294
+ #
8295
+ #
8296
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
8297
+ #
8298
+ # @!attribute [rw] message
8299
+ # @return [String]
8300
+ #
8301
+ # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WAFInvalidPermissionPolicyException AWS API Documentation
8302
+ #
8303
+ class WAFInvalidPermissionPolicyException < Struct.new(
8304
+ :message)
8305
+ include Aws::Structure
8306
+ end
8307
+
7953
8308
  # AWS WAF couldn’t perform the operation because the resource that you
7954
8309
  # requested isn’t valid. Check the resource, and try again.
7955
8310
  #
@@ -8100,8 +8455,8 @@ module Aws::WAFV2
8100
8455
  # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
8101
8456
  #
8102
8457
  # @!attribute [rw] name
8103
- # A friendly name of the Web ACL. You cannot change the name of a Web
8104
- # ACL after you create it.
8458
+ # The name of the Web ACL. You cannot change the name of a Web ACL
8459
+ # after you create it.
8105
8460
  # @return [String]
8106
8461
  #
8107
8462
  # @!attribute [rw] id
@@ -8121,8 +8476,8 @@ module Aws::WAFV2
8121
8476
  # @return [Types::DefaultAction]
8122
8477
  #
8123
8478
  # @!attribute [rw] description
8124
- # A friendly description of the Web ACL. You cannot change the
8125
- # description of a Web ACL after you create it.
8479
+ # A description of the Web ACL that helps with identification. You
8480
+ # cannot change the description of a Web ACL after you create it.
8126
8481
  # @return [String]
8127
8482
  #
8128
8483
  # @!attribute [rw] rules
@@ -8151,6 +8506,38 @@ module Aws::WAFV2
8151
8506
  # for web ACLs is 1,500.
8152
8507
  # @return [Integer]
8153
8508
  #
8509
+ # @!attribute [rw] pre_process_firewall_manager_rule_groups
8510
+ # The first set of rules for AWS WAF to process in the web ACL. This
8511
+ # is defined in an AWS Firewall Manager WAF policy and contains only
8512
+ # rule group references. You can't alter these. Any rules and rule
8513
+ # groups that you define for the web ACL are prioritized after these.
8514
+ #
8515
+ # In the Firewall Manager WAF policy, the Firewall Manager
8516
+ # administrator can define a set of rule groups to run first in the
8517
+ # web ACL and a set of rule groups to run last. Within each set, the
8518
+ # administrator prioritizes the rule groups, to determine their
8519
+ # relative processing order.
8520
+ # @return [Array<Types::FirewallManagerRuleGroup>]
8521
+ #
8522
+ # @!attribute [rw] post_process_firewall_manager_rule_groups
8523
+ # The last set of rules for AWS WAF to process in the web ACL. This is
8524
+ # defined in an AWS Firewall Manager WAF policy and contains only rule
8525
+ # group references. You can't alter these. Any rules and rule groups
8526
+ # that you define for the web ACL are prioritized before these.
8527
+ #
8528
+ # In the Firewall Manager WAF policy, the Firewall Manager
8529
+ # administrator can define a set of rule groups to run first in the
8530
+ # web ACL and a set of rule groups to run last. Within each set, the
8531
+ # administrator prioritizes the rule groups, to determine their
8532
+ # relative processing order.
8533
+ # @return [Array<Types::FirewallManagerRuleGroup>]
8534
+ #
8535
+ # @!attribute [rw] managed_by_firewall_manager
8536
+ # Indicates whether this web ACL is managed by AWS Firewall Manager.
8537
+ # If true, then only AWS Firewall Manager can delete the web ACL or
8538
+ # any Firewall Manager rule groups in the web ACL.
8539
+ # @return [Boolean]
8540
+ #
8154
8541
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WebACL AWS API Documentation
8155
8542
  #
8156
8543
  class WebACL < Struct.new(
@@ -8161,7 +8548,10 @@ module Aws::WAFV2
8161
8548
  :description,
8162
8549
  :rules,
8163
8550
  :visibility_config,
8164
- :capacity)
8551
+ :capacity,
8552
+ :pre_process_firewall_manager_rule_groups,
8553
+ :post_process_firewall_manager_rule_groups,
8554
+ :managed_by_firewall_manager)
8165
8555
  include Aws::Structure
8166
8556
  end
8167
8557
 
@@ -8182,8 +8572,8 @@ module Aws::WAFV2
8182
8572
  # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
8183
8573
  #
8184
8574
  # @!attribute [rw] name
8185
- # A friendly name of the Web ACL. You cannot change the name of a Web
8186
- # ACL after you create it.
8575
+ # The name of the Web ACL. You cannot change the name of a Web ACL
8576
+ # after you create it.
8187
8577
  # @return [String]
8188
8578
  #
8189
8579
  # @!attribute [rw] id
@@ -8193,8 +8583,8 @@ module Aws::WAFV2
8193
8583
  # @return [String]
8194
8584
  #
8195
8585
  # @!attribute [rw] description
8196
- # A friendly description of the Web ACL. You cannot change the
8197
- # description of a Web ACL after you create it.
8586
+ # A description of the Web ACL that helps with identification. You
8587
+ # cannot change the description of a Web ACL after you create it.
8198
8588
  # @return [String]
8199
8589
  #
8200
8590
  # @!attribute [rw] lock_token
@@ -8283,9 +8673,9 @@ module Aws::WAFV2
8283
8673
  # Text transformations eliminate some of the unusual formatting that
8284
8674
  # attackers use in web requests in an effort to bypass detection. If
8285
8675
  # you specify one or more transformations in a rule statement, AWS WAF
8286
- # performs all transformations on the content identified by
8287
- # `FieldToMatch`, starting from the lowest priority setting, before
8288
- # inspecting the content for a match.
8676
+ # performs all transformations on the content of the request component
8677
+ # identified by `FieldToMatch`, starting from the lowest priority
8678
+ # setting, before inspecting the content for a match.
8289
8679
  # @return [Array<Types::TextTransformation>]
8290
8680
  #
8291
8681
  # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/XssMatchStatement AWS API Documentation