RubyGems - aws-sdk-wafv2 - Versions diffs - 1.2.0 → 1.7.0 - Mend

aws-sdk-wafv2 1.2.0 → 1.7.0

Files changed (8) hide show

checksums.yaml +5 -5
data/lib/aws-sdk-wafv2.rb +3 -1
data/lib/aws-sdk-wafv2/client.rb +333 -103
data/lib/aws-sdk-wafv2/client_api.rb +146 -0
data/lib/aws-sdk-wafv2/errors.rb +34 -0
data/lib/aws-sdk-wafv2/resource.rb +3 -7
data/lib/aws-sdk-wafv2/types.rb +669 -148
metadata +5 -5

data/lib/aws-sdk-wafv2/errors.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -28,7 +30,9 @@ module Aws::WAFV2
   # * {WAFAssociatedItemException}
   # * {WAFDuplicateItemException}
   # * {WAFInternalErrorException}
+  # * {WAFInvalidOperationException}
   # * {WAFInvalidParameterException}
+  # * {WAFInvalidPermissionPolicyException}
   # * {WAFInvalidResourceException}
   # * {WAFLimitsExceededException}
   # * {WAFNonexistentItemException}
@@ -90,6 +94,21 @@ module Aws::WAFV2
       end
     end
+    class WAFInvalidOperationException < ServiceError
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::WAFV2::Types::WAFInvalidOperationException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
     class WAFInvalidParameterException < ServiceError
       # @param [Seahorse::Client::RequestContext] context
@@ -120,6 +139,21 @@ module Aws::WAFV2
       end
     end
+    class WAFInvalidPermissionPolicyException < ServiceError
+      # @param [Seahorse::Client::RequestContext] context
+      # @param [String] message
+      # @param [Aws::WAFV2::Types::WAFInvalidPermissionPolicyException] data
+      def initialize(context, message, data = Aws::EmptyStructure.new)
+        super(context, message, data)
+      end
+      # @return [String]
+      def message
+        @message || @data[:message]
+      end
+    end
     class WAFInvalidResourceException < ServiceError
       # @param [Seahorse::Client::RequestContext] context

data/lib/aws-sdk-wafv2/resource.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -6,13 +8,7 @@
 # WARNING ABOUT GENERATED CODE
 module Aws::WAFV2
-  # This class provides a resource oriented interface for WAFV2.
-  # To create a resource object:
-  #     resource = Aws::WAFV2::Resource.new(region: 'us-west-2')
-  # You can supply a client object with custom configuration that will be used for all resource operations.
-  # If you do not pass +:client+, a default client will be constructed.
-  #     client = Aws::WAFV2::Client.new(region: 'us-west-2')
-  #     resource = Aws::WAFV2::Resource.new(client: client)
   class Resource
     # @param options ({})

data/lib/aws-sdk-wafv2/types.rb CHANGED

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
 # WARNING ABOUT GENERATED CODE
 #
 # This file is generated. See the contributing guide for more information:
@@ -266,6 +268,7 @@ module Aws::WAFV2
     #
     class AndStatement < Struct.new(
       :statements)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -301,6 +304,7 @@ module Aws::WAFV2
     class AssociateWebACLRequest < Struct.new(
       :web_acl_arn,
       :resource_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -408,8 +412,8 @@ module Aws::WAFV2
     #   only in the part of web requests that you designate for inspection
     #   in FieldToMatch. The maximum length of the value is 50 bytes.
     #
-    #   Valid values depend on the areas that you specify for inspection in
-    #   `FieldToMatch`\:
+    #   Valid values depend on the component that you specify for inspection
+    #   in `FieldToMatch`\:
     #
     #   * `Method`\: The HTTP method that you want AWS WAF to search for.
     #     This indicates the type of operation specified in the request.
@@ -446,9 +450,9 @@ module Aws::WAFV2
     #   Text transformations eliminate some of the unusual formatting that
     #   attackers use in web requests in an effort to bypass detection. If
     #   you specify one or more transformations in a rule statement, AWS WAF
-    #   performs all transformations on the content identified by
-    #   `FieldToMatch`, starting from the lowest priority setting, before
-    #   inspecting the content for a match.
+    #   performs all transformations on the content of the request component
+    #   identified by `FieldToMatch`, starting from the lowest priority
+    #   setting, before inspecting the content for a match.
     #   @return [Array<Types::TextTransformation>]
     #
     # @!attribute [rw] positional_constraint
@@ -501,6 +505,7 @@ module Aws::WAFV2
       :field_to_match,
       :text_transformations,
       :positional_constraint)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -730,7 +735,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -746,6 +751,7 @@ module Aws::WAFV2
     class CheckCapacityRequest < Struct.new(
       :scope,
       :rules)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -757,6 +763,7 @@ module Aws::WAFV2
     #
     class CheckCapacityResponse < Struct.new(
       :capacity)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -800,8 +807,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -812,15 +819,15 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the IP set. You cannot change the
-    #   description of an IP set after you create it.
+    #   A description of the IP set that helps with identification. You
+    #   cannot change the description of an IP set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] ip_address_version
@@ -875,6 +882,7 @@ module Aws::WAFV2
       :ip_address_version,
       :addresses,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -889,6 +897,7 @@ module Aws::WAFV2
     #
     class CreateIPSetResponse < Struct.new(
       :summary)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -913,8 +922,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the set. You cannot change the name after you
-    #   create the set.
+    #   The name of the set. You cannot change the name after you create the
+    #   set.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -925,15 +934,15 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the set. You cannot change the description
-    #   of a set after you create it.
+    #   A description of the set that helps with identification. You cannot
+    #   change the description of a set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] regular_expression_list
@@ -952,6 +961,7 @@ module Aws::WAFV2
       :description,
       :regular_expression_list,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -967,6 +977,7 @@ module Aws::WAFV2
     #
     class CreateRegexPatternSetResponse < Struct.new(
       :summary)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1203,8 +1214,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule group. You cannot change the name of a
-    #   rule group after you create it.
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1215,7 +1226,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1240,8 +1251,8 @@ module Aws::WAFV2
     #   @return [Integer]
     #
     # @!attribute [rw] description
-    #   A friendly description of the rule group. You cannot change the
-    #   description of a rule group after you create it.
+    #   A description of the rule group that helps with identification. You
+    #   cannot change the description of a rule group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -1270,6 +1281,7 @@ module Aws::WAFV2
       :rules,
       :visibility_config,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1285,6 +1297,7 @@ module Aws::WAFV2
     #
     class CreateRuleGroupResponse < Struct.new(
       :summary)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1526,8 +1539,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1538,7 +1551,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1550,8 +1563,8 @@ module Aws::WAFV2
     #   @return [Types::DefaultAction]
     #
     # @!attribute [rw] description
-    #   A friendly description of the Web ACL. You cannot change the
-    #   description of a Web ACL after you create it.
+    #   A description of the Web ACL that helps with identification. You
+    #   cannot change the description of a Web ACL after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -1580,6 +1593,7 @@ module Aws::WAFV2
       :rules,
       :visibility_config,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1594,6 +1608,7 @@ module Aws::WAFV2
     #
     class CreateWebACLResponse < Struct.new(
       :summary)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1635,6 +1650,60 @@ module Aws::WAFV2
     class DefaultAction < Struct.new(
       :block,
       :allow)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # @note When making an API call, you may pass DeleteFirewallManagerRuleGroupsRequest
+    #   data as a hash:
+    #
+    #       {
+    #         web_acl_arn: "ResourceArn", # required
+    #         web_acl_lock_token: "LockToken", # required
+    #       }
+    #
+    # @!attribute [rw] web_acl_arn
+    #   The Amazon Resource Name (ARN) of the web ACL.
+    #   @return [String]
+    #
+    # @!attribute [rw] web_acl_lock_token
+    #   A token used for optimistic locking. AWS WAF returns a token to your
+    #   get and list requests, to mark the state of the entity at the time
+    #   of the request. To make changes to the entity associated with the
+    #   token, you provide the token to operations like update and delete.
+    #   AWS WAF uses the token to ensure that no changes have been made to
+    #   the entity since you last retrieved it. If a change has been made,
+    #   the update fails with a `WAFOptimisticLockException`. If this
+    #   happens, perform another get, and use the new token returned by that
+    #   operation.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeleteFirewallManagerRuleGroupsRequest AWS API Documentation
+    #
+    class DeleteFirewallManagerRuleGroupsRequest < Struct.new(
+      :web_acl_arn,
+      :web_acl_lock_token)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # @!attribute [rw] next_web_acl_lock_token
+    #   A token used for optimistic locking. AWS WAF returns a token to your
+    #   get and list requests, to mark the state of the entity at the time
+    #   of the request. To make changes to the entity associated with the
+    #   token, you provide the token to operations like update and delete.
+    #   AWS WAF uses the token to ensure that no changes have been made to
+    #   the entity since you last retrieved it. If a change has been made,
+    #   the update fails with a `WAFOptimisticLockException`. If this
+    #   happens, perform another get, and use the new token returned by that
+    #   operation.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeleteFirewallManagerRuleGroupsResponse AWS API Documentation
+    #
+    class DeleteFirewallManagerRuleGroupsResponse < Struct.new(
+      :next_web_acl_lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1649,8 +1718,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1661,7 +1730,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1692,6 +1761,7 @@ module Aws::WAFV2
       :scope,
       :id,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1715,6 +1785,7 @@ module Aws::WAFV2
     #
     class DeleteLoggingConfigurationRequest < Struct.new(
       :resource_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1722,6 +1793,32 @@ module Aws::WAFV2
     #
     class DeleteLoggingConfigurationResponse < Aws::EmptyStructure; end
+    # @note When making an API call, you may pass DeletePermissionPolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resource_arn: "ResourceArn", # required
+    #       }
+    #
+    # @!attribute [rw] resource_arn
+    #   The Amazon Resource Name (ARN) of the rule group from which you want
+    #   to delete the policy.
+    #
+    #   You must be the owner of the rule group to perform this operation.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeletePermissionPolicyRequest AWS API Documentation
+    #
+    class DeletePermissionPolicyRequest < Struct.new(
+      :resource_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/DeletePermissionPolicyResponse AWS API Documentation
+    #
+    class DeletePermissionPolicyResponse < Aws::EmptyStructure; end
     # @note When making an API call, you may pass DeleteRegexPatternSetRequest
     #   data as a hash:
     #
@@ -1733,8 +1830,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the set. You cannot change the name after you
-    #   create the set.
+    #   The name of the set. You cannot change the name after you create the
+    #   set.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1745,7 +1842,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1776,6 +1873,7 @@ module Aws::WAFV2
       :scope,
       :id,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1794,8 +1892,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule group. You cannot change the name of a
-    #   rule group after you create it.
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1806,7 +1904,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1837,6 +1935,7 @@ module Aws::WAFV2
       :scope,
       :id,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1855,8 +1954,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -1867,7 +1966,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1898,6 +1997,7 @@ module Aws::WAFV2
       :scope,
       :id,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1932,7 +2032,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -1944,6 +2044,7 @@ module Aws::WAFV2
       :vendor_name,
       :name,
       :scope)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1965,6 +2066,7 @@ module Aws::WAFV2
     class DescribeManagedRuleGroupResponse < Struct.new(
       :capacity,
       :rules)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -1993,6 +2095,7 @@ module Aws::WAFV2
     #
     class DisassociateWebACLRequest < Struct.new(
       :resource_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2031,6 +2134,7 @@ module Aws::WAFV2
     #
     class ExcludedRule < Struct.new(
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2042,8 +2146,11 @@ module Aws::WAFV2
     #  </note>
     #
     # The part of a web request that you want AWS WAF to inspect. Include
-    # the `FieldToMatch` types that you want to inspect, with additional
-    # specifications as needed, according to the type.
+    # the single `FieldToMatch` type that you want to inspect, with
+    # additional specifications as needed, according to the type. You
+    # specify a single request component in `FieldToMatch` for each rule
+    # statement that requires it. To inspect more than one component of a
+    # web request, create a separate rule statement for each component.
     #
     #
     #
@@ -2132,6 +2239,131 @@ module Aws::WAFV2
       :query_string,
       :body,
       :method)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # A rule group that's defined for an AWS Firewall Manager WAF policy.
+    #
+    # @!attribute [rw] name
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
+    #   @return [String]
+    #
+    # @!attribute [rw] priority
+    #   If you define more than one rule group in the first or last Firewall
+    #   Manager rule groups, AWS WAF evaluates each request against the rule
+    #   groups in order, starting from the lowest priority setting. The
+    #   priorities don't need to be consecutive, but they must all be
+    #   different.
+    #   @return [Integer]
+    #
+    # @!attribute [rw] firewall_manager_statement
+    #   The processing guidance for an AWS Firewall Manager rule. This is
+    #   like a regular rule Statement, but it can only contain a rule group
+    #   reference.
+    #   @return [Types::FirewallManagerStatement]
+    #
+    # @!attribute [rw] override_action
+    #   The override action to apply to the rules in a rule group. Used only
+    #   for rule statements that reference a rule group, like
+    #   `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
+    #
+    #   Set the override action to none to leave the rule actions in effect.
+    #   Set it to count to only count matches, regardless of the rule action
+    #   settings.
+    #
+    #   In a Rule, you must specify either this `OverrideAction` setting or
+    #   the rule `Action` setting, but not both:
+    #
+    #   * If the rule statement references a rule group, use this override
+    #     action setting and not the action setting.
+    #
+    #   * If the rule statement does not reference a rule group, use the
+    #     rule action setting and not this rule override action setting.
+    #   @return [Types::OverrideAction]
+    #
+    # @!attribute [rw] visibility_config
+    #   <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
+    #   in November, 2019. For information, including how to migrate your
+    #   AWS WAF resources from the prior release, see the [AWS WAF Developer
+    #   Guide][1].
+    #
+    #    </note>
+    #
+    #   Defines and enables Amazon CloudWatch metrics and web request sample
+    #   collection.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
+    #   @return [Types::VisibilityConfig]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/FirewallManagerRuleGroup AWS API Documentation
+    #
+    class FirewallManagerRuleGroup < Struct.new(
+      :name,
+      :priority,
+      :firewall_manager_statement,
+      :override_action,
+      :visibility_config)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # The processing guidance for an AWS Firewall Manager rule. This is like
+    # a regular rule Statement, but it can only contain a rule group
+    # reference.
+    #
+    # @!attribute [rw] managed_rule_group_statement
+    #   <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
+    #   in November, 2019. For information, including how to migrate your
+    #   AWS WAF resources from the prior release, see the [AWS WAF Developer
+    #   Guide][1].
+    #
+    #    </note>
+    #
+    #   A rule statement used to run the rules that are defined in a managed
+    #   rule group. To use this, provide the vendor name and the name of the
+    #   rule group in this statement. You can retrieve the required names by
+    #   calling ListAvailableManagedRuleGroups.
+    #
+    #   You can't nest a `ManagedRuleGroupStatement`, for example for use
+    #   inside a `NotStatement` or `OrStatement`. It can only be referenced
+    #   as a top-level statement within a rule.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
+    #   @return [Types::ManagedRuleGroupStatement]
+    #
+    # @!attribute [rw] rule_group_reference_statement
+    #   <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
+    #   in November, 2019. For information, including how to migrate your
+    #   AWS WAF resources from the prior release, see the [AWS WAF Developer
+    #   Guide][1].
+    #
+    #    </note>
+    #
+    #   A rule statement used to run the rules that are defined in a
+    #   RuleGroup. To use this, create a rule group with your rules, then
+    #   provide the ARN of the rule group in this statement.
+    #
+    #   You cannot nest a `RuleGroupReferenceStatement`, for example for use
+    #   inside a `NotStatement` or `OrStatement`. It can only be referenced
+    #   as a top-level statement within a rule.
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
+    #   @return [Types::RuleGroupReferenceStatement]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/FirewallManagerStatement AWS API Documentation
+    #
+    class FirewallManagerStatement < Struct.new(
+      :managed_rule_group_statement,
+      :rule_group_reference_statement)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2166,6 +2398,7 @@ module Aws::WAFV2
     #
     class GeoMatchStatement < Struct.new(
       :country_codes)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2179,8 +2412,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -2191,7 +2424,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2209,6 +2442,7 @@ module Aws::WAFV2
       :name,
       :scope,
       :id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2232,6 +2466,7 @@ module Aws::WAFV2
     class GetIPSetResponse < Struct.new(
       :ip_set,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2251,6 +2486,7 @@ module Aws::WAFV2
     #
     class GetLoggingConfigurationRequest < Struct.new(
       :resource_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2262,6 +2498,39 @@ module Aws::WAFV2
     #
     class GetLoggingConfigurationResponse < Struct.new(
       :logging_configuration)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # @note When making an API call, you may pass GetPermissionPolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resource_arn: "ResourceArn", # required
+    #       }
+    #
+    # @!attribute [rw] resource_arn
+    #   The Amazon Resource Name (ARN) of the rule group for which you want
+    #   to get the policy.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/GetPermissionPolicyRequest AWS API Documentation
+    #
+    class GetPermissionPolicyRequest < Struct.new(
+      :resource_arn)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # @!attribute [rw] policy
+    #   The IAM policy that is attached to the specified rule group.
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/GetPermissionPolicyResponse AWS API Documentation
+    #
+    class GetPermissionPolicyResponse < Struct.new(
+      :policy)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2283,15 +2552,15 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
     #   @return [String]
     #
     # @!attribute [rw] web_acl_name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] web_acl_id
@@ -2311,6 +2580,7 @@ module Aws::WAFV2
       :web_acl_name,
       :web_acl_id,
       :rule_name)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2327,6 +2597,7 @@ module Aws::WAFV2
     class GetRateBasedStatementManagedKeysResponse < Struct.new(
       :managed_keys_ipv4,
       :managed_keys_ipv6)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2340,8 +2611,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the set. You cannot change the name after you
-    #   create the set.
+    #   The name of the set. You cannot change the name after you create the
+    #   set.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -2352,7 +2623,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2370,6 +2641,7 @@ module Aws::WAFV2
       :name,
       :scope,
       :id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2393,6 +2665,7 @@ module Aws::WAFV2
     class GetRegexPatternSetResponse < Struct.new(
       :regex_pattern_set,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2406,8 +2679,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule group. You cannot change the name of a
-    #   rule group after you create it.
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -2418,7 +2691,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2436,6 +2709,7 @@ module Aws::WAFV2
       :name,
       :scope,
       :id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2459,6 +2733,7 @@ module Aws::WAFV2
     class GetRuleGroupResponse < Struct.new(
       :rule_group,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2494,7 +2769,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2524,6 +2799,7 @@ module Aws::WAFV2
       :scope,
       :time_window,
       :max_items)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2553,6 +2829,7 @@ module Aws::WAFV2
       :sampled_requests,
       :population_size,
       :time_window)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2571,6 +2848,7 @@ module Aws::WAFV2
     #
     class GetWebACLForResourceRequest < Struct.new(
       :resource_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2583,6 +2861,7 @@ module Aws::WAFV2
     #
     class GetWebACLForResourceResponse < Struct.new(
       :web_acl)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2596,8 +2875,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -2608,7 +2887,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2626,6 +2905,7 @@ module Aws::WAFV2
       :name,
       :scope,
       :id)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2651,6 +2931,7 @@ module Aws::WAFV2
     class GetWebACLResponse < Struct.new(
       :web_acl,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2683,6 +2964,7 @@ module Aws::WAFV2
     class HTTPHeader < Struct.new(
       :name,
       :value)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2751,6 +3033,7 @@ module Aws::WAFV2
       :method,
       :http_version,
       :headers)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2776,8 +3059,8 @@ module Aws::WAFV2
     # [2]: https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -2791,8 +3074,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the IP set. You cannot change the
-    #   description of an IP set after you create it.
+    #   A description of the IP set that helps with identification. You
+    #   cannot change the description of an IP set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] ip_address_version
@@ -2843,6 +3126,7 @@ module Aws::WAFV2
       :description,
       :ip_address_version,
       :addresses)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2883,6 +3167,7 @@ module Aws::WAFV2
     #
     class IPSetReferenceStatement < Struct.new(
       :arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2903,8 +3188,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -2914,8 +3199,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the IP set. You cannot change the
-    #   description of an IP set after you create it.
+    #   A description of the IP set that helps with identification. You
+    #   cannot change the description of an IP set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] lock_token
@@ -2942,6 +3227,7 @@ module Aws::WAFV2
       :description,
       :lock_token,
       :arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -2962,7 +3248,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -2989,6 +3275,7 @@ module Aws::WAFV2
       :scope,
       :next_marker,
       :limit)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3008,6 +3295,7 @@ module Aws::WAFV2
     class ListAvailableManagedRuleGroupsResponse < Struct.new(
       :next_marker,
       :managed_rule_groups)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3028,7 +3316,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3055,6 +3343,7 @@ module Aws::WAFV2
       :scope,
       :next_marker,
       :limit)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3076,6 +3365,7 @@ module Aws::WAFV2
     class ListIPSetsResponse < Struct.new(
       :next_marker,
       :ip_sets)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3096,7 +3386,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3123,6 +3413,7 @@ module Aws::WAFV2
       :scope,
       :next_marker,
       :limit)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3142,6 +3433,7 @@ module Aws::WAFV2
     class ListLoggingConfigurationsResponse < Struct.new(
       :logging_configurations,
       :next_marker)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3162,7 +3454,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3189,6 +3481,7 @@ module Aws::WAFV2
       :scope,
       :next_marker,
       :limit)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3208,6 +3501,7 @@ module Aws::WAFV2
     class ListRegexPatternSetsResponse < Struct.new(
       :next_marker,
       :regex_pattern_sets)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3234,6 +3528,7 @@ module Aws::WAFV2
     class ListResourcesForWebACLRequest < Struct.new(
       :web_acl_arn,
       :resource_type)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3246,6 +3541,7 @@ module Aws::WAFV2
     #
     class ListResourcesForWebACLResponse < Struct.new(
       :resource_arns)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3266,7 +3562,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3293,6 +3589,7 @@ module Aws::WAFV2
       :scope,
       :next_marker,
       :limit)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3312,6 +3609,7 @@ module Aws::WAFV2
     class ListRuleGroupsResponse < Struct.new(
       :next_marker,
       :rule_groups)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3349,6 +3647,7 @@ module Aws::WAFV2
       :next_marker,
       :limit,
       :resource_arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3369,6 +3668,7 @@ module Aws::WAFV2
     class ListTagsForResourceResponse < Struct.new(
       :next_marker,
       :tag_info_for_resource)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3389,7 +3689,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -3416,6 +3716,7 @@ module Aws::WAFV2
       :scope,
       :next_marker,
       :limit)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3435,6 +3736,7 @@ module Aws::WAFV2
     class ListWebACLsResponse < Struct.new(
       :next_marker,
       :web_acls)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3504,6 +3806,7 @@ module Aws::WAFV2
       :resource_arn,
       :log_destination_configs,
       :redacted_fields)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3562,6 +3865,7 @@ module Aws::WAFV2
       :vendor_name,
       :name,
       :excluded_rules)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3605,6 +3909,7 @@ module Aws::WAFV2
       :vendor_name,
       :name,
       :description)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -3870,6 +4175,7 @@ module Aws::WAFV2
     #
     class NotStatement < Struct.new(
       :statement)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4086,24 +4392,26 @@ module Aws::WAFV2
     #
     class OrStatement < Struct.new(
       :statements)
+      SENSITIVE = []
       include Aws::Structure
     end
-    # <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
-    # in November, 2019. For information, including how to migrate your AWS
-    # WAF resources from the prior release, see the [AWS WAF Developer
-    # Guide][1].
-    #
-    #  </note>
+    # The override action to apply to the rules in a rule group. Used only
+    # for rule statements that reference a rule group, like
+    # `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
     #
-    # The action to use to override the rule's `Action` setting. You can
-    # use no override action, in which case the rule action is in effect, or
-    # count, in which case, if the rule matches a web request, it only
-    # counts the match.
+    # Set the override action to none to leave the rule actions in effect.
+    # Set it to count to only count matches, regardless of the rule action
+    # settings.
     #
+    # In a Rule, you must specify either this `OverrideAction` setting or
+    # the rule `Action` setting, but not both:
     #
+    # * If the rule statement references a rule group, use this override
+    #   action setting and not the action setting.
     #
-    # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
+    # * If the rule statement does not reference a rule group, use the rule
+    #   action setting and not this rule override action setting.
     #
     # @note When making an API call, you may pass OverrideAction
     #   data as a hash:
@@ -4128,6 +4436,7 @@ module Aws::WAFV2
     class OverrideAction < Struct.new(
       :count,
       :none)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4168,6 +4477,7 @@ module Aws::WAFV2
     #
     class PutLoggingConfigurationRequest < Struct.new(
       :logging_configuration)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4178,9 +4488,62 @@ module Aws::WAFV2
     #
     class PutLoggingConfigurationResponse < Struct.new(
       :logging_configuration)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # @note When making an API call, you may pass PutPermissionPolicyRequest
+    #   data as a hash:
+    #
+    #       {
+    #         resource_arn: "ResourceArn", # required
+    #         policy: "PolicyString", # required
+    #       }
+    #
+    # @!attribute [rw] resource_arn
+    #   The Amazon Resource Name (ARN) of the RuleGroup to which you want to
+    #   attach the policy.
+    #   @return [String]
+    #
+    # @!attribute [rw] policy
+    #   The policy to attach to the specified rule group.
+    #
+    #   The policy specifications must conform to the following:
+    #
+    #   * The policy must be composed using IAM Policy version 2012-10-17 or
+    #     version 2015-01-01.
+    #
+    #   * The policy must include specifications for `Effect`, `Action`, and
+    #     `Principal`.
+    #
+    #   * `Effect` must specify `Allow`.
+    #
+    #   * `Action` must specify `wafv2:CreateWebACL`, `wafv2:UpdateWebACL`,
+    #     and `wafv2:PutFirewallManagerRuleGroups`. AWS WAF rejects any
+    #     extra actions or wildcard actions in the policy.
+    #
+    #   * The policy must not include a `Resource` parameter.
+    #
+    #   For more information, see [IAM Policies][1].
+    #
+    #
+    #
+    #   [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/PutPermissionPolicyRequest AWS API Documentation
+    #
+    class PutPermissionPolicyRequest < Struct.new(
+      :resource_arn,
+      :policy)
+      SENSITIVE = []
       include Aws::Structure
     end
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/PutPermissionPolicyResponse AWS API Documentation
+    #
+    class PutPermissionPolicyResponse < Aws::EmptyStructure; end
     # <note markdown="1"> This is the latest version of **AWS WAF**, named AWS WAFV2, released
     # in November, 2019. For information, including how to migrate your AWS
     # WAF resources from the prior release, see the [AWS WAF Developer
@@ -4467,6 +4830,7 @@ module Aws::WAFV2
       :limit,
       :aggregate_key_type,
       :scope_down_statement)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4496,6 +4860,7 @@ module Aws::WAFV2
     class RateBasedStatementManagedKeysIPSet < Struct.new(
       :ip_address_version,
       :addresses)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4527,6 +4892,7 @@ module Aws::WAFV2
     #
     class Regex < Struct.new(
       :regex_string)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4548,8 +4914,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the set. You cannot change the name after you
-    #   create the set.
+    #   The name of the set. You cannot change the name after you create the
+    #   set.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -4563,8 +4929,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the set. You cannot change the description
-    #   of a set after you create it.
+    #   A description of the set that helps with identification. You cannot
+    #   change the description of a set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] regular_expression_list
@@ -4579,6 +4945,7 @@ module Aws::WAFV2
       :arn,
       :description,
       :regular_expression_list)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4651,9 +5018,9 @@ module Aws::WAFV2
     #   Text transformations eliminate some of the unusual formatting that
     #   attackers use in web requests in an effort to bypass detection. If
     #   you specify one or more transformations in a rule statement, AWS WAF
-    #   performs all transformations on the content identified by
-    #   `FieldToMatch`, starting from the lowest priority setting, before
-    #   inspecting the content for a match.
+    #   performs all transformations on the content of the request component
+    #   identified by `FieldToMatch`, starting from the lowest priority
+    #   setting, before inspecting the content for a match.
     #   @return [Array<Types::TextTransformation>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/RegexPatternSetReferenceStatement AWS API Documentation
@@ -4662,6 +5029,7 @@ module Aws::WAFV2
       :arn,
       :field_to_match,
       :text_transformations)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4683,8 +5051,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the data type instance. You cannot change the
-    #   name after you create the instance.
+    #   The name of the data type instance. You cannot change the name after
+    #   you create the instance.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -4694,8 +5062,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the set. You cannot change the description
-    #   of a set after you create it.
+    #   A description of the set that helps with identification. You cannot
+    #   change the description of a set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] lock_token
@@ -4722,6 +5090,7 @@ module Aws::WAFV2
       :description,
       :lock_token,
       :arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -4956,8 +5325,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule. You can't change the name of a `Rule`
-    #   after you create it.
+    #   The name of the rule. You can't change the name of a `Rule` after
+    #   you create it.
     #   @return [String]
     #
     # @!attribute [rw] priority
@@ -4975,15 +5344,40 @@ module Aws::WAFV2
     #
     # @!attribute [rw] action
     #   The action that AWS WAF should take on a web request when it matches
-    #   the rule's statement. Settings at the web ACL level can override
-    #   the rule action setting.
+    #   the rule statement. Settings at the web ACL level can override the
+    #   rule action setting.
+    #
+    #   This is used only for rules whose statements do not reference a rule
+    #   group. Rule statements that reference a rule group include
+    #   `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
+    #
+    #   You must specify either this `Action` setting or the rule
+    #   `OverrideAction` setting, but not both:
+    #
+    #   * If the rule statement does not reference a rule group, use this
+    #     rule action setting and not the rule override action setting.
+    #
+    #   * If the rule statement references a rule group, use the override
+    #     action setting and not this action setting.
     #   @return [Types::RuleAction]
     #
     # @!attribute [rw] override_action
-    #   The action to use to override the rule's `Action` setting. You can
-    #   use no override action, in which case the rule action is in effect,
-    #   or count action, in which case, if the rule matches a web request,
-    #   it only counts the match.
+    #   The override action to apply to the rules in a rule group. Used only
+    #   for rule statements that reference a rule group, like
+    #   `RuleGroupReferenceStatement` and `ManagedRuleGroupStatement`.
+    #
+    #   Set the override action to none to leave the rule actions in effect.
+    #   Set it to count to only count matches, regardless of the rule action
+    #   settings.
+    #
+    #   In a Rule, you must specify either this `OverrideAction` setting or
+    #   the rule `Action` setting, but not both:
+    #
+    #   * If the rule statement references a rule group, use this override
+    #     action setting and not the action setting.
+    #
+    #   * If the rule statement does not reference a rule group, use the
+    #     rule action setting and not this rule override action setting.
     #   @return [Types::OverrideAction]
     #
     # @!attribute [rw] visibility_config
@@ -5000,6 +5394,7 @@ module Aws::WAFV2
       :action,
       :override_action,
       :visibility_config)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -5048,6 +5443,7 @@ module Aws::WAFV2
       :block,
       :allow,
       :count)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -5069,8 +5465,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule group. You cannot change the name of a
-    #   rule group after you create it.
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -5102,8 +5498,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the rule group. You cannot change the
-    #   description of a rule group after you create it.
+    #   A description of the rule group that helps with identification. You
+    #   cannot change the description of a rule group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -5128,6 +5524,7 @@ module Aws::WAFV2
       :description,
       :rules,
       :visibility_config)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -5176,6 +5573,7 @@ module Aws::WAFV2
     class RuleGroupReferenceStatement < Struct.new(
       :arn,
       :excluded_rules)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -5197,8 +5595,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the data type instance. You cannot change the
-    #   name after you create the instance.
+    #   The name of the data type instance. You cannot change the name after
+    #   you create the instance.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -5208,8 +5606,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the rule group. You cannot change the
-    #   description of a rule group after you create it.
+    #   A description of the rule group that helps with identification. You
+    #   cannot change the description of a rule group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] lock_token
@@ -5236,6 +5634,7 @@ module Aws::WAFV2
       :description,
       :lock_token,
       :arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -5282,6 +5681,7 @@ module Aws::WAFV2
     class RuleSummary < Struct.new(
       :name,
       :action)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -5339,6 +5739,7 @@ module Aws::WAFV2
       :timestamp,
       :action,
       :rule_name_within_rule_group)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -5374,6 +5775,7 @@ module Aws::WAFV2
     #
     class SingleHeader < Struct.new(
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -5407,6 +5809,7 @@ module Aws::WAFV2
     #
     class SingleQueryArgument < Struct.new(
       :name)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -5486,9 +5889,9 @@ module Aws::WAFV2
     #   Text transformations eliminate some of the unusual formatting that
     #   attackers use in web requests in an effort to bypass detection. If
     #   you specify one or more transformations in a rule statement, AWS WAF
-    #   performs all transformations on the content identified by
-    #   `FieldToMatch`, starting from the lowest priority setting, before
-    #   inspecting the content for a match.
+    #   performs all transformations on the content of the request component
+    #   identified by `FieldToMatch`, starting from the lowest priority
+    #   setting, before inspecting the content for a match.
     #   @return [Array<Types::TextTransformation>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/SizeConstraintStatement AWS API Documentation
@@ -5498,6 +5901,7 @@ module Aws::WAFV2
       :comparison_operator,
       :size,
       :text_transformations)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -5560,9 +5964,9 @@ module Aws::WAFV2
     #   Text transformations eliminate some of the unusual formatting that
     #   attackers use in web requests in an effort to bypass detection. If
     #   you specify one or more transformations in a rule statement, AWS WAF
-    #   performs all transformations on the content identified by
-    #   `FieldToMatch`, starting from the lowest priority setting, before
-    #   inspecting the content for a match.
+    #   performs all transformations on the content of the request component
+    #   identified by `FieldToMatch`, starting from the lowest priority
+    #   setting, before inspecting the content for a match.
     #   @return [Array<Types::TextTransformation>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/SqliMatchStatement AWS API Documentation
@@ -5570,6 +5974,7 @@ module Aws::WAFV2
     class SqliMatchStatement < Struct.new(
       :field_to_match,
       :text_transformations)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -6663,6 +7068,7 @@ module Aws::WAFV2
       :or_statement,
       :not_statement,
       :managed_rule_group_statement)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -6709,6 +7115,7 @@ module Aws::WAFV2
     class Tag < Struct.new(
       :key,
       :value)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -6738,6 +7145,7 @@ module Aws::WAFV2
     class TagInfoForResource < Struct.new(
       :resource_arn,
       :tag_list)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -6767,6 +7175,7 @@ module Aws::WAFV2
     class TagResourceRequest < Struct.new(
       :resource_arn,
       :tags)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -6881,6 +7290,7 @@ module Aws::WAFV2
     class TextTransformation < Struct.new(
       :priority,
       :type)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -6937,6 +7347,7 @@ module Aws::WAFV2
     class TimeWindow < Struct.new(
       :start_time,
       :end_time)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -6962,6 +7373,7 @@ module Aws::WAFV2
     class UntagResourceRequest < Struct.new(
       :resource_arn,
       :tag_keys)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -6982,8 +7394,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the IP set. You cannot change the name of an
-    #   `IPSet` after you create it.
+    #   The name of the IP set. You cannot change the name of an `IPSet`
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -6994,7 +7406,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7007,8 +7419,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the IP set. You cannot change the
-    #   description of an IP set after you create it.
+    #   A description of the IP set that helps with identification. You
+    #   cannot change the description of an IP set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] addresses
@@ -7067,6 +7479,7 @@ module Aws::WAFV2
       :description,
       :addresses,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7080,6 +7493,7 @@ module Aws::WAFV2
     #
     class UpdateIPSetResponse < Struct.new(
       :next_lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7100,8 +7514,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the set. You cannot change the name after you
-    #   create the set.
+    #   The name of the set. You cannot change the name after you create the
+    #   set.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -7112,7 +7526,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7125,8 +7539,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the set. You cannot change the description
-    #   of a set after you create it.
+    #   A description of the set that helps with identification. You cannot
+    #   change the description of a set after you create it.
     #   @return [String]
     #
     # @!attribute [rw] regular_expression_list
@@ -7153,6 +7567,7 @@ module Aws::WAFV2
       :description,
       :regular_expression_list,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7166,6 +7581,7 @@ module Aws::WAFV2
     #
     class UpdateRegexPatternSetResponse < Struct.new(
       :next_lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7397,8 +7813,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the rule group. You cannot change the name of a
-    #   rule group after you create it.
+    #   The name of the rule group. You cannot change the name of a rule
+    #   group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -7409,7 +7825,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7422,8 +7838,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the rule group. You cannot change the
-    #   description of a rule group after you create it.
+    #   A description of the rule group that helps with identification. You
+    #   cannot change the description of a rule group after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -7460,6 +7876,7 @@ module Aws::WAFV2
       :rules,
       :visibility_config,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7473,6 +7890,7 @@ module Aws::WAFV2
     #
     class UpdateRuleGroupResponse < Struct.new(
       :next_lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7710,8 +8128,8 @@ module Aws::WAFV2
     #       }
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] scope
@@ -7722,7 +8140,7 @@ module Aws::WAFV2
     #   To work with CloudFront, you must also specify the Region US East
     #   (N. Virginia) as follows:
     #
-    #   * CLI - Specify the region when you use the CloudFront scope:
+    #   * CLI - Specify the Region when you use the CloudFront scope:
     #     `--scope=CLOUDFRONT --region=us-east-1`.
     #
     #   * API and SDKs - For all calls, use the Region endpoint us-east-1.
@@ -7740,8 +8158,8 @@ module Aws::WAFV2
     #   @return [Types::DefaultAction]
     #
     # @!attribute [rw] description
-    #   A friendly description of the Web ACL. You cannot change the
-    #   description of a Web ACL after you create it.
+    #   A description of the Web ACL that helps with identification. You
+    #   cannot change the description of a Web ACL after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -7779,6 +8197,7 @@ module Aws::WAFV2
       :rules,
       :visibility_config,
       :lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7792,6 +8211,7 @@ module Aws::WAFV2
     #
     class UpdateWebACLResponse < Struct.new(
       :next_lock_token)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7859,7 +8279,7 @@ module Aws::WAFV2
     #   @return [Boolean]
     #
     # @!attribute [rw] metric_name
-    #   A friendly name of the CloudWatch metric. The name can contain only
+    #   A name of the CloudWatch metric. The name can contain only
     #   alphanumeric characters (A-Z, a-z, 0-9), with length from one to 128
     #   characters. It can't contain whitespace or metric names reserved
     #   for AWS WAF, for example "All" and "Default\_Action." You can't
@@ -7872,6 +8292,7 @@ module Aws::WAFV2
       :sampled_requests_enabled,
       :cloud_watch_metrics_enabled,
       :metric_name)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7885,6 +8306,7 @@ module Aws::WAFV2
     #
     class WAFAssociatedItemException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7898,6 +8320,7 @@ module Aws::WAFV2
     #
     class WAFDuplicateItemException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7911,6 +8334,20 @@ module Aws::WAFV2
     #
     class WAFInternalErrorException < Struct.new(
       :message)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # The operation isn't valid.
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WAFInvalidOperationException AWS API Documentation
+    #
+    class WAFInvalidOperationException < Struct.new(
+      :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7947,6 +8384,43 @@ module Aws::WAFV2
       :field,
       :parameter,
       :reason)
+      SENSITIVE = []
+      include Aws::Structure
+    end
+    # The operation failed because the specified policy isn't in the proper
+    # format.
+    #
+    # The policy specifications must conform to the following:
+    #
+    # * The policy must be composed using IAM Policy version 2012-10-17 or
+    #   version 2015-01-01.
+    #
+    # * The policy must include specifications for `Effect`, `Action`, and
+    #   `Principal`.
+    #
+    # * `Effect` must specify `Allow`.
+    #
+    # * `Action` must specify `wafv2:CreateWebACL`, `wafv2:UpdateWebACL`,
+    #   and `wafv2:PutFirewallManagerRuleGroups`. AWS WAF rejects any extra
+    #   actions or wildcard actions in the policy.
+    #
+    # * The policy must not include a `Resource` parameter.
+    #
+    # For more information, see [IAM Policies][1].
+    #
+    #
+    #
+    # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
+    #
+    # @!attribute [rw] message
+    #   @return [String]
+    #
+    # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WAFInvalidPermissionPolicyException AWS API Documentation
+    #
+    class WAFInvalidPermissionPolicyException < Struct.new(
+      :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7960,6 +8434,7 @@ module Aws::WAFV2
     #
     class WAFInvalidResourceException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7979,6 +8454,7 @@ module Aws::WAFV2
     #
     class WAFLimitsExceededException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -7992,6 +8468,7 @@ module Aws::WAFV2
     #
     class WAFNonexistentItemException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -8007,6 +8484,7 @@ module Aws::WAFV2
     #
     class WAFOptimisticLockException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -8027,6 +8505,7 @@ module Aws::WAFV2
     #
     class WAFServiceLinkedRoleErrorException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -8037,6 +8516,7 @@ module Aws::WAFV2
     #
     class WAFSubscriptionNotFoundException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -8049,6 +8529,7 @@ module Aws::WAFV2
     #
     class WAFTagOperationException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -8062,6 +8543,7 @@ module Aws::WAFV2
     #
     class WAFTagOperationInternalErrorException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -8075,6 +8557,7 @@ module Aws::WAFV2
     #
     class WAFUnavailableEntityException < Struct.new(
       :message)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -8100,8 +8583,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -8121,8 +8604,8 @@ module Aws::WAFV2
     #   @return [Types::DefaultAction]
     #
     # @!attribute [rw] description
-    #   A friendly description of the Web ACL. You cannot change the
-    #   description of a Web ACL after you create it.
+    #   A description of the Web ACL that helps with identification. You
+    #   cannot change the description of a Web ACL after you create it.
     #   @return [String]
     #
     # @!attribute [rw] rules
@@ -8151,6 +8634,38 @@ module Aws::WAFV2
     #   for web ACLs is 1,500.
     #   @return [Integer]
     #
+    # @!attribute [rw] pre_process_firewall_manager_rule_groups
+    #   The first set of rules for AWS WAF to process in the web ACL. This
+    #   is defined in an AWS Firewall Manager WAF policy and contains only
+    #   rule group references. You can't alter these. Any rules and rule
+    #   groups that you define for the web ACL are prioritized after these.
+    #
+    #   In the Firewall Manager WAF policy, the Firewall Manager
+    #   administrator can define a set of rule groups to run first in the
+    #   web ACL and a set of rule groups to run last. Within each set, the
+    #   administrator prioritizes the rule groups, to determine their
+    #   relative processing order.
+    #   @return [Array<Types::FirewallManagerRuleGroup>]
+    #
+    # @!attribute [rw] post_process_firewall_manager_rule_groups
+    #   The last set of rules for AWS WAF to process in the web ACL. This is
+    #   defined in an AWS Firewall Manager WAF policy and contains only rule
+    #   group references. You can't alter these. Any rules and rule groups
+    #   that you define for the web ACL are prioritized before these.
+    #
+    #   In the Firewall Manager WAF policy, the Firewall Manager
+    #   administrator can define a set of rule groups to run first in the
+    #   web ACL and a set of rule groups to run last. Within each set, the
+    #   administrator prioritizes the rule groups, to determine their
+    #   relative processing order.
+    #   @return [Array<Types::FirewallManagerRuleGroup>]
+    #
+    # @!attribute [rw] managed_by_firewall_manager
+    #   Indicates whether this web ACL is managed by AWS Firewall Manager.
+    #   If true, then only AWS Firewall Manager can delete the web ACL or
+    #   any Firewall Manager rule groups in the web ACL.
+    #   @return [Boolean]
+    #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/WebACL AWS API Documentation
     #
     class WebACL < Struct.new(
@@ -8161,7 +8676,11 @@ module Aws::WAFV2
       :description,
       :rules,
       :visibility_config,
-      :capacity)
+      :capacity,
+      :pre_process_firewall_manager_rule_groups,
+      :post_process_firewall_manager_rule_groups,
+      :managed_by_firewall_manager)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -8182,8 +8701,8 @@ module Aws::WAFV2
     # [1]: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
     #
     # @!attribute [rw] name
-    #   A friendly name of the Web ACL. You cannot change the name of a Web
-    #   ACL after you create it.
+    #   The name of the Web ACL. You cannot change the name of a Web ACL
+    #   after you create it.
     #   @return [String]
     #
     # @!attribute [rw] id
@@ -8193,8 +8712,8 @@ module Aws::WAFV2
     #   @return [String]
     #
     # @!attribute [rw] description
-    #   A friendly description of the Web ACL. You cannot change the
-    #   description of a Web ACL after you create it.
+    #   A description of the Web ACL that helps with identification. You
+    #   cannot change the description of a Web ACL after you create it.
     #   @return [String]
     #
     # @!attribute [rw] lock_token
@@ -8221,6 +8740,7 @@ module Aws::WAFV2
       :description,
       :lock_token,
       :arn)
+      SENSITIVE = []
       include Aws::Structure
     end
@@ -8283,9 +8803,9 @@ module Aws::WAFV2
     #   Text transformations eliminate some of the unusual formatting that
     #   attackers use in web requests in an effort to bypass detection. If
     #   you specify one or more transformations in a rule statement, AWS WAF
-    #   performs all transformations on the content identified by
-    #   `FieldToMatch`, starting from the lowest priority setting, before
-    #   inspecting the content for a match.
+    #   performs all transformations on the content of the request component
+    #   identified by `FieldToMatch`, starting from the lowest priority
+    #   setting, before inspecting the content for a match.
     #   @return [Array<Types::TextTransformation>]
     #
     # @see http://docs.aws.amazon.com/goto/WebAPI/wafv2-2019-07-29/XssMatchStatement AWS API Documentation
@@ -8293,6 +8813,7 @@ module Aws::WAFV2
     class XssMatchStatement < Struct.new(
       :field_to_match,
       :text_transformations)
+      SENSITIVE = []
       include Aws::Structure
     end