@pulumi/cloudngfwaws 1.1.0-alpha.1777010799 → 2.0.0

package/README.md

@@ -8,7 +8,7 @@ This package is available for several languages/platforms:
 
 - JavaScript/TypeScript: [`@pulumi/cloudngfwaws`](https://www.npmjs.com/package/@pulumi/cloudngfwaws)
 - Python: [`pulumi-cloudngfwaws`](https://pypi.org/project/pulumi-cloudngfwaws/)
-- Go: [`github.com/pulumi/pulumi-cloudngfwaws/sdk/go/cloudngfwaws`](https://pkg.go.dev/github.com/pulumi/pulumi-cloudngfwaws/sdk/go/cloudngfwaws)
+- Go: [`github.com/pulumi/pulumi-cloudngfwaws/sdk/v2/go/cloudngfwaws`](https://pkg.go.dev/github.com/pulumi/pulumi-cloudngfwaws/sdk/v2/go/cloudngfwaws)
 - .NET: [`Pulumi.CloudNgfwAws`](https://www.nuget.org/packages/Pulumi.CloudNgfwAws)
 
 ### Node.js (JavaScript/TypeScript)
@@ -38,7 +38,7 @@ pip install pulumi-cloudngfwaws
 To use from Go, use `go get` to grab the latest version of the library:
 
 ```bash
-go get github.com/pulumi/pulumi-cloudngfwaws/sdk/go/cloudngfwaws
+go get github.com/pulumi/pulumi-cloudngfwaws/sdk/v2/go/cloudngfwaws
 ```
 
 ### .NET

package/getNgfw.d.ts

@@ -8,25 +8,42 @@ import * as outputs from "./types/output";
  * * `Firewall`
  *
  * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as cloudngfwaws from "@pulumi/cloudngfwaws";
+ *
+ * const example = cloudngfwaws.getNgfw({
+ *     name: "example-instance",
+ * });
+ * ```
  */
-export declare function getNgfw(args: GetNgfwArgs, opts?: pulumi.InvokeOptions): Promise<GetNgfwResult>;
+export declare function getNgfw(args?: GetNgfwArgs, opts?: pulumi.InvokeOptions): Promise<GetNgfwResult>;
 /**
  * A collection of arguments for invoking getNgfw.
  */
 export interface GetNgfwArgs {
+    /**
+     * The Account Id.
+     */
+    accountId?: string;
     /**
      * The Firewall ID.
      */
-    firewallId: string;
+    firewallId?: string;
+    /**
+     * The NGFW name.
+     */
+    name?: string;
 }
 /**
  * A collection of values returned by getNgfw.
  */
 export interface GetNgfwResult {
     /**
-     * The description.
+     * The Account Id.
      */
-    readonly accountId: string;
+    readonly accountId?: string;
     /**
      * The list of allowed accounts for this NGFW.
      */
@@ -68,7 +85,7 @@ export interface GetNgfwResult {
     /**
      * The Firewall ID.
      */
-    readonly firewallId: string;
+    readonly firewallId?: string;
     /**
      * The global rulestack for this NGFW.
      */
@@ -92,12 +109,13 @@ export interface GetNgfwResult {
     /**
      * The NGFW name.
      */
-    readonly name: string;
+    readonly name?: string;
     readonly privateAccesses: outputs.GetNgfwPrivateAccess[];
     /**
      * The rulestack for this NGFW.
      */
     readonly rulestack: string;
+    readonly securityZones: outputs.GetNgfwSecurityZone[];
     readonly statuses: outputs.GetNgfwStatus[];
     /**
      * Subnet mappings.
@@ -109,6 +127,10 @@ export interface GetNgfwResult {
     readonly tags: {
         [key: string]: string;
     };
+    /**
+     * Firewall Instance Tier. Allowed values are 'base', 'standard', or 'premium'.
+     */
+    readonly tier: string;
     /**
      * The update token.
      */
@@ -127,14 +149,31 @@ export interface GetNgfwResult {
  * * `Firewall`
  *
  * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as cloudngfwaws from "@pulumi/cloudngfwaws";
+ *
+ * const example = cloudngfwaws.getNgfw({
+ *     name: "example-instance",
+ * });
+ * ```
  */
-export declare function getNgfwOutput(args: GetNgfwOutputArgs, opts?: pulumi.InvokeOutputOptions): pulumi.Output<GetNgfwResult>;
+export declare function getNgfwOutput(args?: GetNgfwOutputArgs, opts?: pulumi.InvokeOutputOptions): pulumi.Output<GetNgfwResult>;
 /**
  * A collection of arguments for invoking getNgfw.
  */
 export interface GetNgfwOutputArgs {
+    /**
+     * The Account Id.
+     */
+    accountId?: pulumi.Input<string>;
     /**
      * The Firewall ID.
      */
-    firewallId: pulumi.Input<string>;
+    firewallId?: pulumi.Input<string>;
+    /**
+     * The NGFW name.
+     */
+    name?: pulumi.Input<string>;
 }

package/getNgfw.js

@@ -13,11 +13,23 @@ const utilities = require("./utilities");
  * * `Firewall`
  *
  * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as cloudngfwaws from "@pulumi/cloudngfwaws";
+ *
+ * const example = cloudngfwaws.getNgfw({
+ *     name: "example-instance",
+ * });
+ * ```
  */
 function getNgfw(args, opts) {
+    args = args || {};
     opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
     return pulumi.runtime.invoke("cloudngfwaws:index/getNgfw:getNgfw", {
+        "accountId": args.accountId,
         "firewallId": args.firewallId,
+        "name": args.name,
     }, opts);
 }
 exports.getNgfw = getNgfw;
@@ -29,11 +41,23 @@ exports.getNgfw = getNgfw;
  * * `Firewall`
  *
  * ## Example Usage
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as cloudngfwaws from "@pulumi/cloudngfwaws";
+ *
+ * const example = cloudngfwaws.getNgfw({
+ *     name: "example-instance",
+ * });
+ * ```
  */
 function getNgfwOutput(args, opts) {
+    args = args || {};
     opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
     return pulumi.runtime.invokeOutput("cloudngfwaws:index/getNgfw:getNgfw", {
+        "accountId": args.accountId,
         "firewallId": args.firewallId,
+        "name": args.name,
     }, opts);
 }
 exports.getNgfwOutput = getNgfwOutput;

package/getNgfw.js.map

@@ -1 +1 @@
-{"version":3,"file":"getNgfw.js","sourceRoot":"","sources":["../getNgfw.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAGzC,yCAAyC;AAEzC;;;;;;;;GAQG;AACH,SAAgB,OAAO,CAAC,IAAiB,EAAE,IAA2B;IAClE,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,oCAAoC,EAAE;QAC/D,YAAY,EAAE,IAAI,CAAC,UAAU;KAChC,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AALD,0BAKC;AA8GD;;;;;;;;GAQG;AACH,SAAgB,aAAa,CAAC,IAAuB,EAAE,IAAiC;IACpF,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,oCAAoC,EAAE;QACrE,YAAY,EAAE,IAAI,CAAC,UAAU;KAChC,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AALD,sCAKC"}
+{"version":3,"file":"getNgfw.js","sourceRoot":"","sources":["../getNgfw.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAGzC,yCAAyC;AAEzC;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,OAAO,CAAC,IAAkB,EAAE,IAA2B;IACnE,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAClB,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,oCAAoC,EAAE;QAC/D,WAAW,EAAE,IAAI,CAAC,SAAS;QAC3B,YAAY,EAAE,IAAI,CAAC,UAAU;QAC7B,MAAM,EAAE,IAAI,CAAC,IAAI;KACpB,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AARD,0BAQC;AA2HD;;;;;;;;;;;;;;;;;GAiBG;AACH,SAAgB,aAAa,CAAC,IAAwB,EAAE,IAAiC;IACrF,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAClB,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,oCAAoC,EAAE;QACrE,WAAW,EAAE,IAAI,CAAC,SAAS;QAC3B,YAAY,EAAE,IAAI,CAAC,UAAU;QAC7B,MAAM,EAAE,IAAI,CAAC,IAAI;KACpB,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AARD,sCAQC"}

package/getNgfwLogProfile.d.ts

@@ -28,6 +28,10 @@ export interface GetNgfwLogProfileArgs {
      * The unique ID of the account.
      */
     accountId?: string;
+    /**
+     * The Firewall Id for the NGFW.
+     */
+    firewallId?: string;
     /**
      * The name of the NGFW.
      */
@@ -56,7 +60,7 @@ export interface GetNgfwLogProfileResult {
     /**
      * The Firewall Id for the NGFW.
      */
-    readonly firewallId: string;
+    readonly firewallId?: string;
     /**
      * The provider-assigned unique ID for this managed resource.
      */
@@ -110,6 +114,10 @@ export interface GetNgfwLogProfileOutputArgs {
      * The unique ID of the account.
      */
     accountId?: pulumi.Input<string>;
+    /**
+     * The Firewall Id for the NGFW.
+     */
+    firewallId?: pulumi.Input<string>;
     /**
      * The name of the NGFW.
      */

package/getNgfwLogProfile.js

@@ -29,6 +29,7 @@ function getNgfwLogProfile(args, opts) {
     opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
     return pulumi.runtime.invoke("cloudngfwaws:index/getNgfwLogProfile:getNgfwLogProfile", {
         "accountId": args.accountId,
+        "firewallId": args.firewallId,
         "ngfw": args.ngfw,
     }, opts);
 }
@@ -57,6 +58,7 @@ function getNgfwLogProfileOutput(args, opts) {
     opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts || {});
     return pulumi.runtime.invokeOutput("cloudngfwaws:index/getNgfwLogProfile:getNgfwLogProfile", {
         "accountId": args.accountId,
+        "firewallId": args.firewallId,
         "ngfw": args.ngfw,
     }, opts);
 }

package/getNgfwLogProfile.js.map

@@ -1 +1 @@
-{"version":3,"file":"getNgfwLogProfile.js","sourceRoot":"","sources":["../getNgfwLogProfile.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAGzC,yCAAyC;AAEzC;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,iBAAiB,CAAC,IAA4B,EAAE,IAA2B;IACvF,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAClB,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,wDAAwD,EAAE;QACnF,WAAW,EAAE,IAAI,CAAC,SAAS;QAC3B,MAAM,EAAE,IAAI,CAAC,IAAI;KACpB,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AAPD,8CAOC;AAiED;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,uBAAuB,CAAC,IAAkC,EAAE,IAAiC;IACzG,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAClB,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,wDAAwD,EAAE;QACzF,WAAW,EAAE,IAAI,CAAC,SAAS;QAC3B,MAAM,EAAE,IAAI,CAAC,IAAI;KACpB,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AAPD,0DAOC"}
+{"version":3,"file":"getNgfwLogProfile.js","sourceRoot":"","sources":["../getNgfwLogProfile.ts"],"names":[],"mappings":";AAAA,sEAAsE;AACtE,iFAAiF;;;AAEjF,yCAAyC;AAGzC,yCAAyC;AAEzC;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,iBAAiB,CAAC,IAA4B,EAAE,IAA2B;IACvF,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAClB,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,wDAAwD,EAAE;QACnF,WAAW,EAAE,IAAI,CAAC,SAAS;QAC3B,YAAY,EAAE,IAAI,CAAC,UAAU;QAC7B,MAAM,EAAE,IAAI,CAAC,IAAI;KACpB,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AARD,8CAQC;AAqED;;;;;;;;;;;;;;;;;;GAkBG;AACH,SAAgB,uBAAuB,CAAC,IAAkC,EAAE,IAAiC;IACzG,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;IAClB,IAAI,GAAG,MAAM,CAAC,YAAY,CAAC,SAAS,CAAC,oBAAoB,EAAE,EAAE,IAAI,IAAI,EAAE,CAAC,CAAC;IACzE,OAAO,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC,wDAAwD,EAAE;QACzF,WAAW,EAAE,IAAI,CAAC,SAAS;QAC3B,YAAY,EAAE,IAAI,CAAC,UAAU;QAC7B,MAAM,EAAE,IAAI,CAAC,IAAI;KACpB,EAAE,IAAI,CAAC,CAAC;AACb,CAAC;AARD,0DAQC"}

package/ngfw.d.ts

@@ -10,47 +10,272 @@ import * as outputs from "./types/output";
  *
  * * `Firewall`
  *
- * ## Example Usage
+ * ## Configuration Guide
+ *
+ * ***
+ *
+ * ### V1 Schema — Existing Deployments Only
+ *
+ * > **Important:** V1 schema is for existing customers who already have firewalls deployed with Terraform.
+ * New firewalls must be created using the V2 schema.
+ *
+ * ***
+ *
+ * #### 1. Managing an Existing Firewall (no configuration changes)
+ *
+ * Use the V1 schema as-is. No steps required beyond ensuring your existing state is in sync.
+ *
+ * **Steps:**
+ *
+ * 1. Verify there is no unintended drift:
+ *    2. If the plan is clean, no action needed. If drift is detected, review and apply:
+ *
+ * **Full example — existing V1 firewall:**
  *
  * ```typescript
  * import * as pulumi from "@pulumi/pulumi";
- * import * as aws from "@pulumi/aws";
  * import * as cloudngfwaws from "@pulumi/cloudngfwaws";
  *
  * const rs = new cloudngfwaws.CommitRulestack("rs", {rulestack: "my-rulestack"});
  * const example = new cloudngfwaws.Ngfw("example", {
  *     name: "example-instance",
+ *     vpcId: exampleAwsVpc.id,
+ *     accountId: "111111111111",
  *     description: "Example description",
- *     azLists: ["use1-az1"],
+ *     endpointMode: "ServiceManaged",
+ *     subnetMappings: [
+ *         {
+ *             subnetId: subnet1.id,
+ *         },
+ *         {
+ *             subnetId: subnet2.id,
+ *         },
+ *     ],
  *     rulestack: rs.rulestack,
  *     tags: {
  *         Foo: "bar",
  *     },
  * });
- * const exampleVpc = new aws.index.Vpc("example", {
- *     cidrBlock: "172.16.0.0/16",
+ * ```
+ *
+ * ***
+ *
+ * #### 2. Configuring Egress NAT on an Existing Firewall (V1)
+ *
+ * Egress NAT can be added to an existing V1 firewall without recreating the resource.
+ *
+ * > `ipPoolType` accepts `AWSService` or `BYOIP`. Use `BYOIP` together with `ipamPoolId`
+ * if bringing your own IP pool.
+ *
+ * **Steps:**
+ *
+ * 1. Add the `egressNat` block to your existing resource.
+ *
+ * **Full example — existing V1 firewall with Egress NAT enabled:**
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as cloudngfwaws from "@pulumi/cloudngfwaws";
+ *
+ * const example = new cloudngfwaws.Ngfw("example", {
+ *     name: "example-instance",
+ *     vpcId: "vpc-0a1b2c3d4e5f00001",
+ *     accountId: "111111111111",
+ *     description: "Example description",
+ *     endpointMode: "CustomerManaged",
+ *     subnetMappings: [
+ *         {
+ *             availabilityZone: "us-east-1a",
+ *         },
+ *         {
+ *             availabilityZone: "us-east-1c",
+ *         },
+ *     ],
+ *     rulestack: "my-rulestack",
+ *     egressNats: [{
+ *         enabled: true,
+ *         settings: [{
+ *             ipPoolType: "AWSService",
+ *         }],
+ *     }],
+ *     tags: {
+ *         Foo: "bar",
+ *     },
+ * });
+ * ```
+ *
+ * **To disable Egress NAT:** set `enabled = false` and re-apply.
+ *
+ * ***
+ *
+ * #### 3. Configuring Security Zones on an Existing Firewall (V1)
+ *
+ * Security zones let you enable or disable Egress NAT per endpoint and add or remove private CIDR prefixes.
+ *
+ * > **Prerequisite:** Endpoints must be successfully created and in `ACCEPTED` state before
+ * security zones can be configured. Check `status.attachment[*].status` in Terraform state
+ * or the AWS console before proceeding.
+ *
+ * **Steps:**
+ *
+ * 1. Confirm endpoint status is `ACCEPTED`:
+ *
+ * **To remove private prefixes:** remove the CIDR entries from `cidrs` and re-apply.
+ * **To disable Egress NAT for a specific zone:** set `egressNatEnabled = false` and re-apply.
+ *
+ * ***
+ *
+ * ### V2 Schema — New Firewalls
+ *
+ * > **Important:** New firewalls can only be created using the V2 schema. Use `azList`
+ * instead of `subnetMapping`, and `endpoints` instead of `endpointMode`/`subnetMapping`.
+ *
+ * ***
+ *
+ * #### 1. Creating a New Firewall (V2)
+ *
+ * Firewall creation uses `azList` to specify availability zones.
+ * **Do not include `endpoints` during creation** — they must be added in a separate update after the firewall is running.
+ *
+ * **Steps:**
+ *
+ * 1. Define the resource with `azList` and no `endpoints` block.
+ * 2. Proceed to **Step 2** once the firewall reaches `RUNNING` state.
+ *
+ * **Full example — new V2 firewall (creation only):**
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as cloudngfwaws from "@pulumi/cloudngfwaws";
+ *
+ * const example = new cloudngfwaws.Ngfw("example", {
+ *     name: "my-firewall",
+ *     description: "My new firewall",
+ *     azLists: [
+ *         "use1-az1",
+ *         "use1-az4",
+ *     ],
+ *     allowlistAccounts: ["111111111111"],
  *     tags: {
- *         name: "tf-example",
+ *         Owner: "my-team",
  *     },
  * });
- * const subnet1 = new aws.index.Subnet("subnet1", {
- *     vpcId: myVpc.id,
- *     cidrBlock: "172.16.10.0/24",
- *     availabilityZone: "us-west-2a",
+ * ```
+ *
+ * ***
+ *
+ * #### 2. Adding Endpoints to a V2 Firewall
+ *
+ * Endpoints connect the firewall to customer VPCs. They must be added in a separate
+ * a separate update after the firewall is running.
+ *
+ * **Steps:**
+ *
+ * 1. Confirm the firewall status is `RUNNING`:
+ *
+ * **Full example — V2 firewall with endpoints added:**
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as cloudngfwaws from "@pulumi/cloudngfwaws";
+ *
+ * const example = new cloudngfwaws.Ngfw("example", {
+ *     name: "my-firewall",
+ *     description: "My new firewall",
+ *     azLists: [
+ *         "use1-az1",
+ *         "use1-az4",
+ *     ],
+ *     allowlistAccounts: ["111111111111"],
+ *     endpoints: [
+ *         {
+ *             accountId: "111111111111",
+ *             vpcId: "vpc-0a1b2c3d4e5f00002",
+ *             subnetId: "subnet-0a1b2c3d4e5f00001",
+ *             mode: "ServiceManaged",
+ *         },
+ *         {
+ *             accountId: "111111111111",
+ *             vpcId: "vpc-0a1b2c3d4e5f00003",
+ *             subnetId: "subnet-0a1b2c3d4e5f00002",
+ *             mode: "ServiceManaged",
+ *         },
+ *     ],
  *     tags: {
- *         name: "tf-example",
+ *         Owner: "my-team",
  *     },
  * });
- * const subnet2 = new aws.index.Subnet("subnet2", {
- *     vpcId: myVpc.id,
- *     cidrBlock: "172.16.20.0/24",
- *     availabilityZone: "us-west-2b",
+ * ```
+ *
+ * ***
+ *
+ * #### 3. Configuring Egress NAT on a V2 Firewall
+ *
+ * Egress NAT can be enabled at the firewall level once at least one endpoint is accepted.
+ *
+ * > **Prerequisite:** At least one endpoint must be in `ACCEPTED` state.
+ *
+ * **Steps:**
+ *
+ * 1. Add the `egressNat` block to the resource.
+ *
+ * **Full example — V2 firewall with Egress NAT enabled:**
+ *
+ * ```typescript
+ * import * as pulumi from "@pulumi/pulumi";
+ * import * as cloudngfwaws from "@pulumi/cloudngfwaws";
+ *
+ * const example = new cloudngfwaws.Ngfw("example", {
+ *     name: "my-firewall",
+ *     description: "My new firewall",
+ *     azLists: [
+ *         "use1-az1",
+ *         "use1-az4",
+ *     ],
+ *     allowlistAccounts: ["111111111111"],
+ *     endpoints: [
+ *         {
+ *             accountId: "111111111111",
+ *             vpcId: "vpc-0a1b2c3d4e5f00002",
+ *             subnetId: "subnet-0a1b2c3d4e5f00001",
+ *             mode: "ServiceManaged",
+ *         },
+ *         {
+ *             accountId: "111111111111",
+ *             vpcId: "vpc-0a1b2c3d4e5f00003",
+ *             subnetId: "subnet-0a1b2c3d4e5f00002",
+ *             mode: "ServiceManaged",
+ *         },
+ *     ],
+ *     egressNats: [{
+ *         enabled: true,
+ *         settings: [{
+ *             ipPoolType: "AWSService",
+ *         }],
+ *     }],
  *     tags: {
- *         name: "tf-example",
+ *         Owner: "my-team",
  *     },
  * });
  * ```
  *
+ * **To disable Egress NAT:** set `enabled = false` and re-apply.
+ *
+ * ***
+ *
+ * #### 4. Configuring Private Prefixes and Per-Endpoint Egress NAT (V2)
+ *
+ * Once an endpoint is accepted, you can enable or disable Egress NAT and configure private
+ * CIDR prefixes on a per-endpoint basis within the `endpoints` block.
+ *
+ * > **Prerequisite:** The endpoint must be in `ACCEPTED` state. The `endpointId`
+ * is a read-only computed value — retrieve it from Terraform state after apply:
+ *
+ * **To remove private prefixes:** remove the CIDR entries from `cidrs` and re-apply.
+ * **To disable per-endpoint Egress NAT:** set `egressNatEnabled = false` and re-apply.
+ *
+ * ***
+ *
  * ## Import
  *
  * import name is <account_id>:<name>
@@ -76,7 +301,7 @@ export declare class Ngfw extends pulumi.CustomResource {
      */
     static isInstance(obj: any): obj is Ngfw;
     /**
-     * The description.
+     * The Account Id.
      */
     readonly accountId: pulumi.Output<string | undefined>;
     /**
@@ -94,7 +319,7 @@ export declare class Ngfw extends pulumi.CustomResource {
     /**
      * The list of availability zone IDs for this NGFW.
      */
-    readonly azLists: pulumi.Output<string[]>;
+    readonly azLists: pulumi.Output<string[] | undefined>;
     /**
      * Enables or disables change protection for the NGFW.
      */
@@ -146,6 +371,7 @@ export declare class Ngfw extends pulumi.CustomResource {
      * The rulestack for this NGFW.
      */
     readonly rulestack: pulumi.Output<string | undefined>;
+    readonly securityZones: pulumi.Output<outputs.NgfwSecurityZone[] | undefined>;
     readonly statuses: pulumi.Output<outputs.NgfwStatus[]>;
     /**
      * Subnet mappings.
@@ -157,6 +383,10 @@ export declare class Ngfw extends pulumi.CustomResource {
     readonly tags: pulumi.Output<{
         [key: string]: string;
     }>;
+    /**
+     * Firewall Instance Tier. Allowed values are 'base', 'standard', or 'premium'.
+     */
+    readonly tier: pulumi.Output<string>;
     /**
      * The update token.
      */
@@ -173,14 +403,14 @@ export declare class Ngfw extends pulumi.CustomResource {
      * @param args The arguments to use to populate this resource's properties.
      * @param opts A bag of options that control this resource's behavior.
      */
-    constructor(name: string, args: NgfwArgs, opts?: pulumi.CustomResourceOptions);
+    constructor(name: string, args?: NgfwArgs, opts?: pulumi.CustomResourceOptions);
 }
 /**
  * Input properties used for looking up and filtering Ngfw resources.
  */
 export interface NgfwState {
     /**
-     * The description.
+     * The Account Id.
      */
     accountId?: pulumi.Input<string>;
     /**
@@ -250,6 +480,7 @@ export interface NgfwState {
      * The rulestack for this NGFW.
      */
     rulestack?: pulumi.Input<string>;
+    securityZones?: pulumi.Input<pulumi.Input<inputs.NgfwSecurityZone>[]>;
     statuses?: pulumi.Input<pulumi.Input<inputs.NgfwStatus>[]>;
     /**
      * Subnet mappings.
@@ -261,6 +492,10 @@ export interface NgfwState {
     tags?: pulumi.Input<{
         [key: string]: pulumi.Input<string>;
     }>;
+    /**
+     * Firewall Instance Tier. Allowed values are 'base', 'standard', or 'premium'.
+     */
+    tier?: pulumi.Input<string>;
     /**
      * The update token.
      */
@@ -276,7 +511,7 @@ export interface NgfwState {
  */
 export interface NgfwArgs {
     /**
-     * The description.
+     * The Account Id.
      */
     accountId?: pulumi.Input<string>;
     /**
@@ -294,7 +529,7 @@ export interface NgfwArgs {
     /**
      * The list of availability zone IDs for this NGFW.
      */
-    azLists: pulumi.Input<pulumi.Input<string>[]>;
+    azLists?: pulumi.Input<pulumi.Input<string>[]>;
     /**
      * Enables or disables change protection for the NGFW.
      */
@@ -309,6 +544,10 @@ export interface NgfwArgs {
      */
     endpointMode?: pulumi.Input<string>;
     endpoints?: pulumi.Input<pulumi.Input<inputs.NgfwEndpoint>[]>;
+    /**
+     * The Firewall ID.
+     */
+    firewallId?: pulumi.Input<string>;
     /**
      * The global rulestack for this NGFW.
      */
@@ -330,6 +569,7 @@ export interface NgfwArgs {
      * The rulestack for this NGFW.
      */
     rulestack?: pulumi.Input<string>;
+    securityZones?: pulumi.Input<pulumi.Input<inputs.NgfwSecurityZone>[]>;
     /**
      * Subnet mappings.
      */
@@ -340,6 +580,10 @@ export interface NgfwArgs {
     tags?: pulumi.Input<{
         [key: string]: pulumi.Input<string>;
     }>;
+    /**
+     * Firewall Instance Tier. Allowed values are 'base', 'standard', or 'premium'.
+     */
+    tier?: pulumi.Input<string>;
     userIds?: pulumi.Input<pulumi.Input<inputs.NgfwUserId>[]>;
     /**
      * The VPC ID for the NGFW.