@horietakehiro/aws-cdk-utul 0.35.3 → 0.35.4

package/lib/types/cfn-resource-types/aws-wafv2-webacl.d.ts

@@ -1,101 +1,104 @@
 /**
- * Description of the entity.
- */
-export type EntityDescription = string;
-export type SizeInspectionLimit = ("KB_16" | "KB_32" | "KB_48" | "KB_64");
-/**
- * Key of the field to protect.
+ * ARN of the WAF entity.
  */
-export type FieldToProtectKeyName = string;
-export type DataProtectionAction = ("SUBSTITUTION" | "HASH");
+export type ResourceArn = string;
 /**
- * @minItems 1
+ * HTTP header name.
  */
-export type DataProtections = DataProtect[];
+export type CustomHTTPHeaderName = string;
 /**
  * HTTP header value.
  */
 export type CustomHTTPHeaderValue = string;
-/**
- * HTTP header name.
- */
-export type CustomHTTPHeaderName = string;
 /**
  * Custom response code.
  */
 export type ResponseStatusCode = number;
 /**
- * Priority of the Rule, Rules get evaluated from lower to higher priority.
+ * Description of the entity.
  */
-export type RulePriority = number;
+export type EntityDescription = string;
 /**
- * Type of text transformation.
+ * Name of the WebACL.
  */
-export type TextTransformationType = ("NONE" | "COMPRESS_WHITE_SPACE" | "HTML_ENTITY_DECODE" | "LOWERCASE" | "CMD_LINE" | "URL_DECODE" | "BASE64_DECODE" | "HEX_DECODE" | "MD5" | "REPLACE_COMMENTS" | "ESCAPE_SEQ_DECODE" | "SQL_HEX_DECODE" | "CSS_DECODE" | "JS_DECODE" | "NORMALIZE_PATH" | "NORMALIZE_PATH_WIN" | "REMOVE_NULLS" | "REPLACE_NULLS" | "BASE64_DECODE_EXT" | "URL_DECODE_UNI" | "UTF8_TO_UNICODE");
+export type EntityName = string;
 /**
- * Priority of Rule being evaluated.
+ * Id of the WebACL
  */
-export type TextTransformationPriority = number;
+export type EntityId = string;
 /**
- * The parts of the request to match against using the MatchPattern.
+ * Use CLOUDFRONT for CloudFront WebACL, use REGIONAL for Application Load Balancer and API Gateway.
  */
-export type MapMatchScope = ("ALL" | "KEY" | "VALUE");
+export type Scope = ("CLOUDFRONT" | "REGIONAL");
 /**
- * Handling of requests containing oversize fields
+ * Priority of the Rule, Rules get evaluated from lower to higher priority.
  */
-export type OversizeHandling = ("CONTINUE" | "MATCH" | "NO_MATCH");
+export type RulePriority = number;
 /**
- * The parts of the JSON to match against using the MatchPattern.
+ * String that is searched to find a match.
  */
-export type JsonMatchScope = ("ALL" | "KEY" | "VALUE");
+export type SearchString = string;
+/**
+ * Base64 encoded string that is searched to find a match.
+ */
+export type SearchStringBase64 = string;
+/**
+ * Handling of requests containing oversize fields
+ */
+export type OversizeHandling = ("CONTINUE" | "MATCH" | "NO_MATCH");
 /**
  * JSON pointer path in the web request's JSON body
  */
 export type JsonPointerPath = string;
 /**
- * The inspection behavior to fall back to if the JSON in the request body is invalid.
+ * The parts of the JSON to match against using the MatchPattern.
  */
-export type BodyParsingFallbackBehavior = ("MATCH" | "NO_MATCH" | "EVALUATE_AS_STRING");
+export type JsonMatchScope = ("ALL" | "KEY" | "VALUE");
 /**
- * Base64 encoded string that is searched to find a match.
+ * The inspection behavior to fall back to if the JSON in the request body is invalid.
  */
-export type SearchStringBase64 = string;
+export type BodyParsingFallbackBehavior = ("MATCH" | "NO_MATCH" | "EVALUATE_AS_STRING");
 /**
- * Position of the evaluation in the FieldToMatch of request.
+ * The parts of the request to match against using the MatchPattern.
  */
-export type PositionalConstraint = ("EXACTLY" | "STARTS_WITH" | "ENDS_WITH" | "CONTAINS" | "CONTAINS_WORD");
+export type MapMatchScope = ("ALL" | "KEY" | "VALUE");
 /**
- * String that is searched to find a match.
+ * Priority of Rule being evaluated.
  */
-export type SearchString = string;
-export type RateLimit = number;
-export type EvaluationWindowSec = (60 | 120 | 300 | 600);
+export type TextTransformationPriority = number;
 /**
- * Name of the WebACL.
+ * Type of text transformation.
  */
-export type EntityName = string;
+export type TextTransformationType = ("NONE" | "COMPRESS_WHITE_SPACE" | "HTML_ENTITY_DECODE" | "LOWERCASE" | "CMD_LINE" | "URL_DECODE" | "BASE64_DECODE" | "HEX_DECODE" | "MD5" | "REPLACE_COMMENTS" | "ESCAPE_SEQ_DECODE" | "SQL_HEX_DECODE" | "CSS_DECODE" | "JS_DECODE" | "NORMALIZE_PATH" | "NORMALIZE_PATH_WIN" | "REMOVE_NULLS" | "REPLACE_NULLS" | "BASE64_DECODE_EXT" | "URL_DECODE_UNI" | "UTF8_TO_UNICODE");
 /**
- * ARN of the WAF entity.
+ * Position of the evaluation in the FieldToMatch of request.
  */
-export type ResourceArn = string;
-export type LabelMatchScope = ("LABEL" | "NAMESPACE");
-export type LabelMatchKey = string;
+export type PositionalConstraint = ("EXACTLY" | "STARTS_WITH" | "ENDS_WITH" | "CONTAINS" | "CONTAINS_WORD");
 /**
  * Sensitivity Level current only used for sqli match statements.
  */
 export type SensitivityLevel = ("LOW" | "HIGH");
+export type UsageOfAction = ("ENABLED" | "DISABLED");
+export type SensitivityToAct = ("LOW" | "MEDIUM" | "HIGH");
+export type RegexPatternString = string;
+export type RegularExpressionList = Regex[];
+export type RateLimit = number;
+export type EvaluationWindowSec = (60 | 120 | 300 | 600);
+export type LabelMatchScope = ("LABEL" | "NAMESPACE");
+export type LabelMatchKey = string;
 /**
  * Name of the Label.
  */
 export type LabelName = string;
 /**
- * List of domains to accept in web request tokens, in addition to the domain of the protected resource.
+ * Key of the field to protect.
  */
-export type TokenDomains = string[];
+export type FieldToProtectKeyName = string;
+export type DataProtectionAction = ("SUBSTITUTION" | "HASH");
 /**
- * Use CLOUDFRONT for CloudFront WebACL, use REGIONAL for Application Load Balancer and API Gateway.
+ * @minItems 1
  */
-export type Scope = ("CLOUDFRONT" | "REGIONAL");
+export type DataProtections = DataProtect[];
 /**
  * Valid values are TEXT_PLAIN, TEXT_HTML, and APPLICATION_JSON.
  */
@@ -105,121 +108,50 @@ export type ResponseContentType = ("TEXT_PLAIN" | "TEXT_HTML" | "APPLICATION_JSO
  */
 export type ResponseContent = string;
 /**
- * Id of the WebACL
+ * List of domains to accept in web request tokens, in addition to the domain of the protected resource.
  */
-export type EntityId = string;
+export type TokenDomains = string[];
+export type SizeInspectionLimit = ("KB_16" | "KB_32" | "KB_48" | "KB_64");
 /**
  * Contains the Rules that identify the requests that you want to allow, block, or count. In a WebACL, you also specify a default action (ALLOW or BLOCK), and the action for each Rule that you add to a WebACL, for example, block requests from specified IP addresses or block requests from specified referrers. You also associate the WebACL with a CloudFront distribution to identify the requests that you want AWS WAF to filter. If you add more than one Rule to a WebACL, a request needs to match only one of the specifications to be allowed, blocked, or counted.
  */
 export interface _AWS_WAFV2_WEBACL {
+    Arn?: ResourceArn;
+    Capacity?: number;
+    DefaultAction: DefaultAction;
     Description?: EntityDescription;
-    AssociationConfig?: AssociationConfig;
-    ChallengeConfig?: ChallengeConfig;
-    DataProtectionConfig?: DataProtectionConfig;
-    OnSourceDDoSProtectionConfig?: unknown;
+    Name?: EntityName;
+    Id?: EntityId;
+    Scope: Scope;
     /**
      * Collection of Rules.
      */
     Rules?: Rule[];
     VisibilityConfig: VisibilityConfig;
-    LabelNamespace?: LabelName;
-    Name?: EntityName;
-    TokenDomains?: TokenDomains;
-    DefaultAction: DefaultAction;
-    Scope: Scope;
-    Capacity?: number;
-    CustomResponseBodies?: CustomResponseBodies;
-    Id?: EntityId;
-    Arn?: ResourceArn;
-    CaptchaConfig?: CaptchaConfig;
+    DataProtectionConfig?: DataProtectionConfig;
     /**
      * @minItems 1
      */
     Tags?: Tag[];
-}
-/**
- * AssociationConfig for body inspection
- */
-export interface AssociationConfig {
-    RequestBody?: RequestBody;
-}
-/**
- * Map of AssociatedResourceType and RequestBodyAssociatedResourceTypeConfig
- */
-export interface RequestBody {
-    [k: string]: RequestBodyAssociatedResourceTypeConfig;
-}
-/**
- * Configures the inspection size in the request body.
- *
- * This interface was referenced by `RequestBody`'s JSON-Schema definition
- * via the `patternProperty` "^(CLOUDFRONT|API_GATEWAY|COGNITO_USER_POOL|APP_RUNNER_SERVICE|VERIFIED_ACCESS_INSTANCE)$".
- */
-export interface RequestBodyAssociatedResourceTypeConfig {
-    DefaultSizeInspectionLimit: SizeInspectionLimit;
-}
-export interface ChallengeConfig {
-    ImmunityTimeProperty?: ImmunityTimeProperty;
-}
-export interface ImmunityTimeProperty {
-    ImmunityTime: number;
-}
-/**
- * Collection of dataProtects.
- */
-export interface DataProtectionConfig {
-    DataProtections: DataProtections;
-}
-export interface DataProtect {
-    Field: FieldToProtect;
-    Action: DataProtectionAction;
-    ExcludeRateBasedDetails?: boolean;
-    ExcludeRuleMatchDetails?: boolean;
-}
-/**
- * Field in log to protect.
- */
-export interface FieldToProtect {
-    /**
-     * List of field keys to protect
-     */
-    FieldKeys?: FieldToProtectKeyName[];
-    /**
-     * Field type to protect
-     */
-    FieldType: ("SINGLE_HEADER" | "SINGLE_COOKIE" | "SINGLE_QUERY_ARGUMENT" | "QUERY_STRING" | "BODY");
-}
-/**
- * Rule of WebACL that contains condition and action.
- */
-export interface Rule {
-    Action?: RuleAction;
-    Priority: RulePriority;
-    Statement: Statement;
-    ChallengeConfig?: ChallengeConfig;
-    OverrideAction?: OverrideAction;
-    /**
-     * Collection of Rule Labels.
-     */
-    RuleLabels?: Label[];
-    VisibilityConfig: VisibilityConfig;
+    LabelNamespace?: LabelName;
+    CustomResponseBodies?: CustomResponseBodies;
     CaptchaConfig?: CaptchaConfig;
-    Name: EntityName;
+    ChallengeConfig?: ChallengeConfig;
+    TokenDomains?: TokenDomains;
+    AssociationConfig?: AssociationConfig;
+    OnSourceDDoSProtectionConfig?: OnSourceDDoSProtectionConfig;
 }
 /**
- * Action taken when Rule matches its condition.
+ * Default Action WebACL will take against ingress traffic when there is no matching Rule.
  */
-export interface RuleAction {
-    Captcha?: CaptchaAction;
-    Block?: BlockAction;
-    Count?: CountAction;
+export interface DefaultAction {
     Allow?: AllowAction;
-    Challenge?: ChallengeAction;
+    Block?: BlockAction;
 }
 /**
- * Checks valid token exists with request.
+ * Allow traffic towards application.
  */
-export interface CaptchaAction {
+export interface AllowAction {
     CustomRequestHandling?: CustomRequestHandling;
 }
 /**
@@ -237,8 +169,8 @@ export interface CustomRequestHandling {
  * HTTP header.
  */
 export interface CustomHTTPHeader {
-    Value: CustomHTTPHeaderValue;
     Name: CustomHTTPHeaderName;
+    Value: CustomHTTPHeaderValue;
 }
 /**
  * Block traffic towards application.
@@ -263,75 +195,77 @@ export interface CustomResponse {
     ResponseHeaders?: CustomHTTPHeader[];
 }
 /**
- * Allow traffic towards application.
- */
-export interface CountAction {
-    CustomRequestHandling?: CustomRequestHandling;
-}
-/**
- * Allow traffic towards application.
- */
-export interface AllowAction {
-    CustomRequestHandling?: CustomRequestHandling;
-}
-/**
- * Checks that the request has a valid token with an unexpired challenge timestamp and, if not, returns a browser challenge to the client.
+ * Rule of WebACL that contains condition and action.
  */
-export interface ChallengeAction {
-    CustomRequestHandling?: CustomRequestHandling;
+export interface Rule {
+    Name: EntityName;
+    Priority: RulePriority;
+    Statement: Statement;
+    Action?: RuleAction;
+    OverrideAction?: OverrideAction;
+    /**
+     * Collection of Rule Labels.
+     */
+    RuleLabels?: Label[];
+    VisibilityConfig: VisibilityConfig;
+    CaptchaConfig?: CaptchaConfig;
+    ChallengeConfig?: ChallengeConfig;
 }
 /**
  * First level statement that contains conditions, such as ByteMatch, SizeConstraint, etc
  */
 export interface Statement {
-    SizeConstraintStatement?: SizeConstraintStatement;
-    AndStatement?: AndStatement;
-    XssMatchStatement?: XssMatchStatement;
-    NotStatement?: NotStatement;
     ByteMatchStatement?: ByteMatchStatement;
-    RateBasedStatement?: RateBasedStatement;
+    SqliMatchStatement?: SqliMatchStatement;
+    XssMatchStatement?: XssMatchStatement;
+    SizeConstraintStatement?: SizeConstraintStatement;
     GeoMatchStatement?: GeoMatchStatement;
     RuleGroupReferenceStatement?: RuleGroupReferenceStatement;
-    LabelMatchStatement?: LabelMatchStatement;
-    RegexMatchStatement?: RegexMatchStatement;
-    SqliMatchStatement?: SqliMatchStatement;
+    IPSetReferenceStatement?: IPSetReferenceStatement;
     RegexPatternSetReferenceStatement?: RegexPatternSetReferenceStatement;
-    OrStatement?: OrStatement;
     ManagedRuleGroupStatement?: ManagedRuleGroupStatement;
-    IPSetReferenceStatement?: IPSetReferenceStatement;
+    RateBasedStatement?: RateBasedStatement;
+    AndStatement?: AndStatement;
+    OrStatement?: OrStatement;
+    NotStatement?: NotStatement;
+    LabelMatchStatement?: LabelMatchStatement;
+    RegexMatchStatement?: RegexMatchStatement;
+    AsnMatchStatement?: AsnMatchStatement;
 }
 /**
- * Size Constraint statement.
+ * Byte Match statement.
  */
-export interface SizeConstraintStatement {
-    ComparisonOperator: ("EQ" | "NE" | "LE" | "LT" | "GE" | "GT");
-    TextTransformations: TextTransformation[];
-    Size: number;
+export interface ByteMatchStatement {
+    SearchString?: SearchString;
+    SearchStringBase64?: SearchStringBase64;
     FieldToMatch: FieldToMatch;
-}
-/**
- * Text Transformation on the Search String before match.
- */
-export interface TextTransformation {
-    Type: TextTransformationType;
-    Priority: TextTransformationPriority;
+    TextTransformations: TextTransformation[];
+    PositionalConstraint: PositionalConstraint;
 }
 /**
  * Field of the request to match.
  */
 export interface FieldToMatch {
+    SingleHeader?: {
+        Name: string;
+    };
+    /**
+     * One query argument in a web request, identified by name, for example UserName or SalesRegion. The name can be up to 30 characters long and isn't case sensitive.
+     */
+    SingleQueryArgument?: {
+        Name: string;
+    };
     /**
      * All query arguments of a web request.
      */
     AllQueryArguments?: {
         [k: string]: unknown;
     };
-    JA3Fingerprint?: JA3Fingerprint;
     /**
-     * One query argument in a web request, identified by name, for example UserName or SalesRegion. The name can be up to 30 characters long and isn't case sensitive.
+     * The path component of the URI of a web request. This is the part of a web request that identifies a resource, for example, /images/daily-ad.jpg.
      */
-    SingleQueryArgument?: {
-        Name: string;
+    UriPath?: {
+        [k: string]: unknown;
     };
     /**
      * The query string of a web request. This is the part of a URL that appears after a ? character, if any.
@@ -339,40 +273,53 @@ export interface FieldToMatch {
     QueryString?: {
         [k: string]: unknown;
     };
-    Headers?: Headers;
+    Body?: Body;
     /**
      * The HTTP method of a web request. The method indicates the type of operation that the request is asking the origin to perform.
      */
     Method?: {
         [k: string]: unknown;
     };
-    UriFragment?: UriFragment;
     JsonBody?: JsonBody;
-    /**
-     * The path component of the URI of a web request. This is the part of a web request that identifies a resource, for example, /images/daily-ad.jpg.
-     */
-    UriPath?: {
-        [k: string]: unknown;
-    };
+    Headers?: Headers;
     Cookies?: Cookies;
+    JA3Fingerprint?: JA3Fingerprint;
     JA4Fingerprint?: JA4Fingerprint;
-    Body?: Body;
-    SingleHeader?: {
-        Name: string;
-    };
+    UriFragment?: UriFragment;
 }
 /**
- * Includes the JA3 fingerprint of a web request.
+ * The body of a web request. This immediately follows the request headers.
  */
-export interface JA3Fingerprint {
-    FallbackBehavior: ("MATCH" | "NO_MATCH");
+export interface Body {
+    OversizeHandling?: OversizeHandling;
+}
+/**
+ * Inspect the request body as JSON. The request body immediately follows the request headers.
+ */
+export interface JsonBody {
+    MatchPattern: JsonMatchPattern;
+    MatchScope: JsonMatchScope;
+    InvalidFallbackBehavior?: BodyParsingFallbackBehavior;
+    OversizeHandling?: OversizeHandling;
+}
+/**
+ * The pattern to look for in the JSON body.
+ */
+export interface JsonMatchPattern {
+    /**
+     * Inspect all parts of the web request's JSON body.
+     */
+    All?: {
+        [k: string]: unknown;
+    };
+    IncludedPaths?: JsonPointerPath[];
 }
 /**
  * Includes headers of a web request.
  */
 export interface Headers {
-    MatchScope: MapMatchScope;
     MatchPattern: HeaderMatchPattern;
+    MatchScope: MapMatchScope;
     OversizeHandling: OversizeHandling;
 }
 /**
@@ -396,39 +343,12 @@ export interface HeaderMatchPattern {
      */
     ExcludedHeaders?: string[];
 }
-/**
- * The path component of the URI Fragment. This is the part of a web request that identifies a fragment uri, for example, /abcd#introduction
- */
-export interface UriFragment {
-    FallbackBehavior?: ("MATCH" | "NO_MATCH");
-}
-/**
- * Inspect the request body as JSON. The request body immediately follows the request headers.
- */
-export interface JsonBody {
-    MatchScope: JsonMatchScope;
-    MatchPattern: JsonMatchPattern;
-    InvalidFallbackBehavior?: BodyParsingFallbackBehavior;
-    OversizeHandling?: OversizeHandling;
-}
-/**
- * The pattern to look for in the JSON body.
- */
-export interface JsonMatchPattern {
-    /**
-     * Inspect all parts of the web request's JSON body.
-     */
-    All?: {
-        [k: string]: unknown;
-    };
-    IncludedPaths?: JsonPointerPath[];
-}
 /**
  * Includes cookies of a web request.
  */
 export interface Cookies {
-    MatchScope: MapMatchScope;
     MatchPattern: CookieMatchPattern;
+    MatchScope: MapMatchScope;
     OversizeHandling: OversizeHandling;
 }
 /**
@@ -453,260 +373,213 @@ export interface CookieMatchPattern {
     ExcludedCookies?: string[];
 }
 /**
- * Includes the JA4 fingerprint of a web request.
+ * Includes the JA3 fingerprint of a web request.
  */
-export interface JA4Fingerprint {
+export interface JA3Fingerprint {
     FallbackBehavior: ("MATCH" | "NO_MATCH");
 }
 /**
- * The body of a web request. This immediately follows the request headers.
- */
-export interface Body {
-    OversizeHandling?: OversizeHandling;
-}
-export interface AndStatement {
-    Statements: Statement[];
-}
-/**
- * Xss Match Statement.
+ * Includes the JA4 fingerprint of a web request.
  */
-export interface XssMatchStatement {
-    TextTransformations: TextTransformation[];
-    FieldToMatch: FieldToMatch;
-}
-export interface NotStatement {
-    Statement: Statement;
+export interface JA4Fingerprint {
+    FallbackBehavior: ("MATCH" | "NO_MATCH");
 }
 /**
- * Byte Match statement.
+ * The path component of the URI Fragment. This is the part of a web request that identifies a fragment uri, for example, /abcd#introduction
  */
-export interface ByteMatchStatement {
-    SearchStringBase64?: SearchStringBase64;
-    TextTransformations: TextTransformation[];
-    PositionalConstraint: PositionalConstraint;
-    SearchString?: SearchString;
-    FieldToMatch: FieldToMatch;
-}
-export interface RateBasedStatement {
-    AggregateKeyType: ("CONSTANT" | "IP" | "FORWARDED_IP" | "CUSTOM_KEYS");
-    /**
-     * Specifies the aggregate keys to use in a rate-base rule.
-     *
-     * @maxItems 5
-     */
-    CustomKeys?: RateBasedStatementCustomKey[];
-    ForwardedIPConfig?: ForwardedIPConfiguration;
-    Limit: RateLimit;
-    EvaluationWindowSec?: EvaluationWindowSec;
-    ScopeDownStatement?: Statement;
+export interface UriFragment {
+    FallbackBehavior?: ("MATCH" | "NO_MATCH");
 }
 /**
- * Specifies a single custom aggregate key for a rate-base rule.
+ * Text Transformation on the Search String before match.
  */
-export interface RateBasedStatementCustomKey {
-    Cookie?: RateLimitCookie;
-    ForwardedIP?: RateLimitForwardedIP;
-    QueryArgument?: RateLimitQueryArgument;
-    JA3Fingerprint?: RateLimitJA3Fingerprint;
-    Header?: RateLimitHeader;
-    HTTPMethod?: RateLimitHTTPMethod;
-    QueryString?: RateLimitQueryString;
-    UriPath?: RateLimitUriPath;
-    IP?: RateLimitIP;
-    JA4Fingerprint?: RateLimitJA4Fingerprint;
-    LabelNamespace?: RateLimitLabelNamespace;
+export interface TextTransformation {
+    Priority: TextTransformationPriority;
+    Type: TextTransformationType;
 }
 /**
- * Specifies a cookie as an aggregate key for a rate-based rule.
+ * Sqli Match Statement.
  */
-export interface RateLimitCookie {
+export interface SqliMatchStatement {
+    FieldToMatch: FieldToMatch;
     TextTransformations: TextTransformation[];
-    /**
-     * The name of the cookie to use.
-     */
-    Name: string;
+    SensitivityLevel?: SensitivityLevel;
 }
 /**
- * Specifies the first IP address in an HTTP header as an aggregate key for a rate-based rule.
+ * Xss Match Statement.
  */
-export interface RateLimitForwardedIP {
-    [k: string]: unknown;
+export interface XssMatchStatement {
+    FieldToMatch: FieldToMatch;
+    TextTransformations: TextTransformation[];
 }
 /**
- * Specifies a query argument in the request as an aggregate key for a rate-based rule.
+ * Size Constraint statement.
  */
-export interface RateLimitQueryArgument {
+export interface SizeConstraintStatement {
+    FieldToMatch: FieldToMatch;
+    ComparisonOperator: ("EQ" | "NE" | "LE" | "LT" | "GE" | "GT");
+    Size: number;
     TextTransformations: TextTransformation[];
-    /**
-     * The name of the query argument to use.
-     */
-    Name: string;
 }
-/**
- * Specifies the request's JA3 fingerprint as an aggregate key for a rate-based rule.
- */
-export interface RateLimitJA3Fingerprint {
+export interface GeoMatchStatement {
+    CountryCodes?: string[];
+    ForwardedIPConfig?: ForwardedIPConfiguration;
+}
+export interface ForwardedIPConfiguration {
+    HeaderName: string;
     FallbackBehavior: ("MATCH" | "NO_MATCH");
 }
-/**
- * Specifies a header as an aggregate key for a rate-based rule.
- */
-export interface RateLimitHeader {
-    TextTransformations: TextTransformation[];
+export interface RuleGroupReferenceStatement {
+    Arn: ResourceArn;
+    ExcludedRules?: ExcludedRule[];
     /**
-     * The name of the header to use.
+     * Action overrides for rules in the rule group.
+     *
+     * @maxItems 100
      */
-    Name: string;
+    RuleActionOverrides?: RuleActionOverride[];
 }
 /**
- * Specifies the request's HTTP method as an aggregate key for a rate-based rule.
+ * Excluded Rule in the RuleGroup or ManagedRuleGroup will not be evaluated.
  */
-export interface RateLimitHTTPMethod {
-    [k: string]: unknown;
+export interface ExcludedRule {
+    Name: EntityName;
 }
 /**
- * Specifies the request's query string as an aggregate key for a rate-based rule.
+ * Action override for rules in the rule group.
  */
-export interface RateLimitQueryString {
-    TextTransformations: TextTransformation[];
+export interface RuleActionOverride {
+    Name: EntityName;
+    ActionToUse: RuleAction;
 }
 /**
- * Specifies the request's URI Path as an aggregate key for a rate-based rule.
+ * Action taken when Rule matches its condition.
  */
-export interface RateLimitUriPath {
-    TextTransformations: TextTransformation[];
+export interface RuleAction {
+    Allow?: AllowAction;
+    Block?: BlockAction;
+    Count?: CountAction;
+    Captcha?: CaptchaAction;
+    Challenge?: ChallengeAction;
 }
 /**
- * Specifies the IP address in the web request as an aggregate key for a rate-based rule.
+ * Allow traffic towards application.
  */
-export interface RateLimitIP {
-    [k: string]: unknown;
+export interface CountAction {
+    CustomRequestHandling?: CustomRequestHandling;
 }
 /**
- * Specifies the request's JA4 fingerprint as an aggregate key for a rate-based rule.
+ * Checks valid token exists with request.
  */
-export interface RateLimitJA4Fingerprint {
-    FallbackBehavior: ("MATCH" | "NO_MATCH");
+export interface CaptchaAction {
+    CustomRequestHandling?: CustomRequestHandling;
 }
 /**
- * Specifies a label namespace to use as an aggregate key for a rate-based rule.
+ * Checks that the request has a valid token with an unexpired challenge timestamp and, if not, returns a browser challenge to the client.
  */
-export interface RateLimitLabelNamespace {
-    /**
-     * The namespace to use for aggregation.
-     */
-    Namespace: string;
-}
-export interface ForwardedIPConfiguration {
-    FallbackBehavior: ("MATCH" | "NO_MATCH");
-    HeaderName: string;
-}
-export interface GeoMatchStatement {
-    ForwardedIPConfig?: ForwardedIPConfiguration;
-    CountryCodes?: string[];
+export interface ChallengeAction {
+    CustomRequestHandling?: CustomRequestHandling;
 }
-export interface RuleGroupReferenceStatement {
-    /**
-     * Action overrides for rules in the rule group.
-     *
-     * @maxItems 100
-     */
-    RuleActionOverrides?: RuleActionOverride[];
+export interface IPSetReferenceStatement {
     Arn: ResourceArn;
-    ExcludedRules?: ExcludedRule[];
-}
-/**
- * Action override for rules in the rule group.
- */
-export interface RuleActionOverride {
-    ActionToUse: RuleAction;
-    Name: EntityName;
-}
-/**
- * Excluded Rule in the RuleGroup or ManagedRuleGroup will not be evaluated.
- */
-export interface ExcludedRule {
-    Name: EntityName;
-}
-export interface LabelMatchStatement {
-    Scope: LabelMatchScope;
-    Key: LabelMatchKey;
-}
-export interface RegexMatchStatement {
-    TextTransformations: TextTransformation[];
-    RegexString: string;
-    FieldToMatch: FieldToMatch;
+    IPSetForwardedIPConfig?: IPSetForwardedIPConfiguration;
 }
-/**
- * Sqli Match Statement.
- */
-export interface SqliMatchStatement {
-    SensitivityLevel?: SensitivityLevel;
-    TextTransformations: TextTransformation[];
-    FieldToMatch: FieldToMatch;
+export interface IPSetForwardedIPConfiguration {
+    HeaderName: string;
+    FallbackBehavior: ("MATCH" | "NO_MATCH");
+    Position: ("FIRST" | "LAST" | "ANY");
 }
 export interface RegexPatternSetReferenceStatement {
-    TextTransformations: TextTransformation[];
     Arn: ResourceArn;
     FieldToMatch: FieldToMatch;
-}
-export interface OrStatement {
-    Statements: Statement[];
+    TextTransformations: TextTransformation[];
 }
 export interface ManagedRuleGroupStatement {
+    Name: EntityName;
     VendorName: string;
     Version?: string;
+    ExcludedRules?: ExcludedRule[];
+    ScopeDownStatement?: Statement;
+    /**
+     * Collection of ManagedRuleGroupConfig.
+     */
+    ManagedRuleGroupConfigs?: ManagedRuleGroupConfig[];
     /**
      * Action overrides for rules in the rule group.
      *
      * @maxItems 100
      */
     RuleActionOverrides?: RuleActionOverride[];
-    /**
-     * Collection of ManagedRuleGroupConfig.
-     */
-    ManagedRuleGroupConfigs?: ManagedRuleGroupConfig[];
-    ExcludedRules?: ExcludedRule[];
-    Name: EntityName;
-    ScopeDownStatement?: Statement;
 }
 /**
  * ManagedRuleGroupConfig.
  */
 export interface ManagedRuleGroupConfig {
-    UsernameField?: FieldIdentifier;
     LoginPath?: string;
-    AWSManagedRulesATPRuleSet?: AWSManagedRulesATPRuleSet;
-    AWSManagedRulesBotControlRuleSet?: AWSManagedRulesBotControlRuleSet;
+    PayloadType?: ("JSON" | "FORM_ENCODED");
+    UsernameField?: FieldIdentifier;
     PasswordField?: FieldIdentifier;
+    AWSManagedRulesBotControlRuleSet?: AWSManagedRulesBotControlRuleSet;
+    AWSManagedRulesATPRuleSet?: AWSManagedRulesATPRuleSet;
     AWSManagedRulesACFPRuleSet?: AWSManagedRulesACFPRuleSet;
-    PayloadType?: ("JSON" | "FORM_ENCODED");
+    AWSManagedRulesAntiDDoSRuleSet?: AWSManagedRulesAntiDDoSRuleSet;
 }
 export interface FieldIdentifier {
     Identifier: string;
 }
+/**
+ * Configures how to use the Bot Control managed rule group in the web ACL
+ */
+export interface AWSManagedRulesBotControlRuleSet {
+    InspectionLevel: ("COMMON" | "TARGETED");
+    EnableMachineLearning?: boolean;
+}
 /**
  * Configures how to use the Account Takeover Prevention managed rule group in the web ACL
  */
 export interface AWSManagedRulesATPRuleSet {
-    ResponseInspection?: ResponseInspection;
-    EnableRegexInPath?: boolean;
     LoginPath: string;
+    EnableRegexInPath?: boolean;
     RequestInspection?: RequestInspection;
+    ResponseInspection?: ResponseInspection;
+}
+/**
+ * Configures the inspection of login requests
+ */
+export interface RequestInspection {
+    PayloadType: ("JSON" | "FORM_ENCODED");
+    UsernameField: FieldIdentifier;
+    PasswordField: FieldIdentifier;
 }
 /**
  * Configures the inspection of login responses
  */
 export interface ResponseInspection {
+    StatusCode?: ResponseInspectionStatusCode;
     Header?: ResponseInspectionHeader;
     BodyContains?: ResponseInspectionBodyContains;
     Json?: ResponseInspectionJson;
-    StatusCode?: ResponseInspectionStatusCode;
+}
+/**
+ * Response status codes that indicate success or failure of a login request
+ */
+export interface ResponseInspectionStatusCode {
+    /**
+     * @minItems 1
+     * @maxItems 10
+     */
+    SuccessCodes: number[];
+    /**
+     * @minItems 1
+     * @maxItems 10
+     */
+    FailureCodes: number[];
 }
 /**
  * Response headers that indicate success or failure of a login request
  */
 export interface ResponseInspectionHeader {
+    Name: string;
     /**
      * @minItems 1
      * @maxItems 3
@@ -717,7 +590,6 @@ export interface ResponseInspectionHeader {
      * @maxItems 3
      */
     FailureValues: string[];
-    Name: string;
 }
 /**
  * Response body contents that indicate success or failure of a login request
@@ -751,64 +623,192 @@ export interface ResponseInspectionJson {
     FailureValues: string[];
 }
 /**
- * Response status codes that indicate success or failure of a login request
+ * Configures how to use the Account creation fraud prevention managed rule group in the web ACL
  */
-export interface ResponseInspectionStatusCode {
+export interface AWSManagedRulesACFPRuleSet {
+    CreationPath: string;
+    RegistrationPagePath: string;
+    RequestInspection: RequestInspectionACFP;
+    ResponseInspection?: ResponseInspection;
+    EnableRegexInPath?: boolean;
+}
+/**
+ * Configures the inspection of sign-up requests
+ */
+export interface RequestInspectionACFP {
+    PayloadType: ("JSON" | "FORM_ENCODED");
+    UsernameField?: FieldIdentifier;
+    PasswordField?: FieldIdentifier;
+    EmailField?: FieldIdentifier;
+    PhoneNumberFields?: FieldIdentifier[];
+    AddressFields?: FieldIdentifier[];
+}
+/**
+ * Configures how to use the AntiDDOS AWS managed rule group in the web ACL
+ */
+export interface AWSManagedRulesAntiDDoSRuleSet {
+    ClientSideActionConfig: ClientSideActionConfig;
+    SensitivityToBlock?: SensitivityToAct;
+}
+/**
+ * Client side action config for AntiDDOS AMR.
+ */
+export interface ClientSideActionConfig {
+    Challenge: ClientSideAction;
+}
+/**
+ * Client side action config for AntiDDOS AMR.
+ */
+export interface ClientSideAction {
+    UsageOfAction: UsageOfAction;
+    Sensitivity?: SensitivityToAct;
+    ExemptUriRegularExpressions?: RegularExpressionList;
+}
+/**
+ * Regex
+ */
+export interface Regex {
+    RegexString?: RegexPatternString;
+    [k: string]: unknown;
+}
+export interface RateBasedStatement {
+    Limit: RateLimit;
+    EvaluationWindowSec?: EvaluationWindowSec;
+    AggregateKeyType: ("CONSTANT" | "IP" | "FORWARDED_IP" | "CUSTOM_KEYS");
     /**
-     * @minItems 1
-     * @maxItems 10
+     * Specifies the aggregate keys to use in a rate-base rule.
+     *
+     * @maxItems 5
      */
-    SuccessCodes: number[];
+    CustomKeys?: RateBasedStatementCustomKey[];
+    ScopeDownStatement?: Statement;
+    ForwardedIPConfig?: ForwardedIPConfiguration;
+}
+/**
+ * Specifies a single custom aggregate key for a rate-base rule.
+ */
+export interface RateBasedStatementCustomKey {
+    Cookie?: RateLimitCookie;
+    ForwardedIP?: RateLimitForwardedIP;
+    Header?: RateLimitHeader;
+    HTTPMethod?: RateLimitHTTPMethod;
+    IP?: RateLimitIP;
+    LabelNamespace?: RateLimitLabelNamespace;
+    QueryArgument?: RateLimitQueryArgument;
+    QueryString?: RateLimitQueryString;
+    UriPath?: RateLimitUriPath;
+    JA3Fingerprint?: RateLimitJA3Fingerprint;
+    JA4Fingerprint?: RateLimitJA4Fingerprint;
+    ASN?: RateLimitAsn;
+}
+/**
+ * Specifies a cookie as an aggregate key for a rate-based rule.
+ */
+export interface RateLimitCookie {
     /**
-     * @minItems 1
-     * @maxItems 10
+     * The name of the cookie to use.
      */
-    FailureCodes: number[];
+    Name: string;
+    TextTransformations: TextTransformation[];
 }
 /**
- * Configures the inspection of login requests
+ * Specifies the first IP address in an HTTP header as an aggregate key for a rate-based rule.
  */
-export interface RequestInspection {
-    UsernameField: FieldIdentifier;
-    PasswordField: FieldIdentifier;
-    PayloadType: ("JSON" | "FORM_ENCODED");
+export interface RateLimitForwardedIP {
+    [k: string]: unknown;
 }
 /**
- * Configures how to use the Bot Control managed rule group in the web ACL
+ * Specifies a header as an aggregate key for a rate-based rule.
  */
-export interface AWSManagedRulesBotControlRuleSet {
-    InspectionLevel: ("COMMON" | "TARGETED");
-    EnableMachineLearning?: boolean;
+export interface RateLimitHeader {
+    /**
+     * The name of the header to use.
+     */
+    Name: string;
+    TextTransformations: TextTransformation[];
 }
 /**
- * Configures how to use the Account creation fraud prevention managed rule group in the web ACL
+ * Specifies the request's HTTP method as an aggregate key for a rate-based rule.
  */
-export interface AWSManagedRulesACFPRuleSet {
-    RegistrationPagePath: string;
-    ResponseInspection?: ResponseInspection;
-    CreationPath: string;
-    EnableRegexInPath?: boolean;
-    RequestInspection: RequestInspectionACFP;
+export interface RateLimitHTTPMethod {
+    [k: string]: unknown;
 }
 /**
- * Configures the inspection of sign-up requests
+ * Specifies the IP address in the web request as an aggregate key for a rate-based rule.
  */
-export interface RequestInspectionACFP {
-    UsernameField?: FieldIdentifier;
-    EmailField?: FieldIdentifier;
-    PasswordField?: FieldIdentifier;
-    AddressFields?: FieldIdentifier[];
-    PayloadType: ("JSON" | "FORM_ENCODED");
-    PhoneNumberFields?: FieldIdentifier[];
+export interface RateLimitIP {
+    [k: string]: unknown;
 }
-export interface IPSetReferenceStatement {
-    IPSetForwardedIPConfig?: IPSetForwardedIPConfiguration;
-    Arn: ResourceArn;
+/**
+ * Specifies a label namespace to use as an aggregate key for a rate-based rule.
+ */
+export interface RateLimitLabelNamespace {
+    /**
+     * The namespace to use for aggregation.
+     */
+    Namespace: string;
 }
-export interface IPSetForwardedIPConfiguration {
+/**
+ * Specifies a query argument in the request as an aggregate key for a rate-based rule.
+ */
+export interface RateLimitQueryArgument {
+    /**
+     * The name of the query argument to use.
+     */
+    Name: string;
+    TextTransformations: TextTransformation[];
+}
+/**
+ * Specifies the request's query string as an aggregate key for a rate-based rule.
+ */
+export interface RateLimitQueryString {
+    TextTransformations: TextTransformation[];
+}
+/**
+ * Specifies the request's URI Path as an aggregate key for a rate-based rule.
+ */
+export interface RateLimitUriPath {
+    TextTransformations: TextTransformation[];
+}
+/**
+ * Specifies the request's JA3 fingerprint as an aggregate key for a rate-based rule.
+ */
+export interface RateLimitJA3Fingerprint {
+    FallbackBehavior: ("MATCH" | "NO_MATCH");
+}
+/**
+ * Specifies the request's JA4 fingerprint as an aggregate key for a rate-based rule.
+ */
+export interface RateLimitJA4Fingerprint {
     FallbackBehavior: ("MATCH" | "NO_MATCH");
-    HeaderName: string;
-    Position: ("FIRST" | "LAST" | "ANY");
+}
+/**
+ * Specifies the request's ASN as an aggregate key for a rate-based rule.
+ */
+export interface RateLimitAsn {
+    [k: string]: unknown;
+}
+export interface AndStatement {
+    Statements: Statement[];
+}
+export interface OrStatement {
+    Statements: Statement[];
+}
+export interface NotStatement {
+    Statement: Statement;
+}
+export interface LabelMatchStatement {
+    Scope: LabelMatchScope;
+    Key: LabelMatchKey;
+}
+export interface RegexMatchStatement {
+    RegexString: string;
+    FieldToMatch: FieldToMatch;
+    TextTransformations: TextTransformation[];
+}
+export interface AsnMatchStatement {
+    AsnList?: number[];
+    ForwardedIPConfig?: ForwardedIPConfiguration;
 }
 /**
  * Override a RuleGroup or ManagedRuleGroup behavior. This can only be applied to Rule that has RuleGroupReferenceStatement or ManagedRuleGroupReferenceStatement.
@@ -834,19 +834,47 @@ export interface Label {
  * Visibility Metric of the WebACL.
  */
 export interface VisibilityConfig {
-    MetricName: string;
     SampledRequestsEnabled: boolean;
     CloudWatchMetricsEnabled: boolean;
+    MetricName: string;
 }
 export interface CaptchaConfig {
     ImmunityTimeProperty?: ImmunityTimeProperty;
 }
+export interface ImmunityTimeProperty {
+    ImmunityTime: number;
+}
+export interface ChallengeConfig {
+    ImmunityTimeProperty?: ImmunityTimeProperty;
+}
 /**
- * Default Action WebACL will take against ingress traffic when there is no matching Rule.
+ * Collection of dataProtects.
  */
-export interface DefaultAction {
-    Block?: BlockAction;
-    Allow?: AllowAction;
+export interface DataProtectionConfig {
+    DataProtections: DataProtections;
+}
+export interface DataProtect {
+    Field: FieldToProtect;
+    Action: DataProtectionAction;
+    ExcludeRuleMatchDetails?: boolean;
+    ExcludeRateBasedDetails?: boolean;
+}
+/**
+ * Field in log to protect.
+ */
+export interface FieldToProtect {
+    /**
+     * Field type to protect
+     */
+    FieldType: ("SINGLE_HEADER" | "SINGLE_COOKIE" | "SINGLE_QUERY_ARGUMENT" | "QUERY_STRING" | "BODY");
+    /**
+     * List of field keys to protect
+     */
+    FieldKeys?: FieldToProtectKeyName[];
+}
+export interface Tag {
+    Key?: string;
+    Value?: string;
 }
 /**
  * Custom response key and body map.
@@ -864,7 +892,30 @@ export interface CustomResponseBody {
     ContentType: ResponseContentType;
     Content: ResponseContent;
 }
-export interface Tag {
-    Value?: string;
-    Key?: string;
+/**
+ * AssociationConfig for body inspection
+ */
+export interface AssociationConfig {
+    RequestBody?: RequestBody;
+}
+/**
+ * Map of AssociatedResourceType and RequestBodyAssociatedResourceTypeConfig
+ */
+export interface RequestBody {
+    [k: string]: RequestBodyAssociatedResourceTypeConfig;
+}
+/**
+ * Configures the inspection size in the request body.
+ *
+ * This interface was referenced by `RequestBody`'s JSON-Schema definition
+ * via the `patternProperty` "^(CLOUDFRONT|API_GATEWAY|COGNITO_USER_POOL|APP_RUNNER_SERVICE|VERIFIED_ACCESS_INSTANCE)$".
+ */
+export interface RequestBodyAssociatedResourceTypeConfig {
+    DefaultSizeInspectionLimit: SizeInspectionLimit;
+}
+/**
+ * Configures the options for on-source DDoS protection provided by supported resource type.
+ */
+export interface OnSourceDDoSProtectionConfig {
+    ALBLowReputationMode: ("ACTIVE_UNDER_DDOS" | "ALWAYS_ON");
 }