diff --git a/examples/go.mod b/examples/go.mod
index bee6feb9dea..435bcc60073 100644
--- a/examples/go.mod
+++ b/examples/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/aws/aws-sdk-go-v2/service/iam v1.33.1
 github.com/pulumi/providertest v0.0.11
 github.com/pulumi/pulumi-aws/provider/v6 v6.0.0-00010101000000-000000000000
- github.com/pulumi/pulumi-terraform-bridge/pf v0.38.0
+ github.com/pulumi/pulumi-terraform-bridge/pf v0.38.1-0.20240627164523-242339028d5a
 github.com/pulumi/pulumi-terraform-bridge/testing v0.0.2-0.20230927165309-e3fd9503f2d3
 github.com/pulumi/pulumi/pkg/v3 v3.121.0
 github.com/stretchr/testify v1.9.0
@@ -373,7 +373,7 @@ require (
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
 github.com/pulumi/esc v0.9.1 // indirect
 github.com/pulumi/inflector v0.1.1 // indirect
- github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.0 // indirect
+ github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.1-0.20240627164523-242339028d5a // indirect
 github.com/pulumi/pulumi-terraform-bridge/x/muxer v0.0.8 // indirect
 github.com/pulumi/pulumi/sdk/v3 v3.121.0 // indirect
 github.com/pulumi/terraform-diff-reader v0.0.2 // indirect
diff --git a/examples/go.sum b/examples/go.sum
index 29785d228ce..3751b44a2fa 100644
--- a/examples/go.sum
+++ b/examples/go.sum
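Review bot: Both changed requirements in examples/go.mod (`pulumi-terraform-bridge/pf` in the first hunk, `pulumi-terraform-bridge/v3` in the second) now resolve to pseudo-versions ending in `-0.20240627164523-242339028d5a`, an untagged commit, in place of the tagged releases `v0.38.0` and `v3.85.0`, and nothing in the file records why. The accompanying go.sum update carries new hashes for both, so the module content is pinned; what is missing is the reason for depending on an unreleased commit. If this is meant as a temporary pin, I would add a comment above the `pf` line such as `// pinned to unreleased bridge commit 242339028d5a; return to a tagged release once one includes it`, so the pre-release dependency is not carried forward unnoticed.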
@@ -2315,12 +2315,12 @@ github.com/pulumi/inflector v0.1.1 h1:dvlxlWtXwOJTUUtcYDvwnl6Mpg33prhK+7mzeF+Sob github.com/pulumi/inflector v0.1.1/go.mod h1:HUFCjcPTz96YtTuUlwG3i3EZG4WlniBvR9bd+iJxCUY= github.com/pulumi/providertest v0.0.11 h1:mg8MQ7Cq7+9XlHIkBD+aCqQO4mwAJEISngZgVdnQUe8= github.com/pulumi/providertest v0.0.11/go.mod h1:HsxjVsytcMIuNj19w1lT2W0QXY0oReXl1+h6eD2JXP8= -github.com/pulumi/pulumi-terraform-bridge/pf v0.38.0 h1:0+A+ZkoZWy5EOd4zcnM7tjoQ4V1jV/koR8YvWJ8TK/E= -github.com/pulumi/pulumi-terraform-bridge/pf v0.38.0/go.mod h1:JGOlvwSWY+jEt1V9sI/L8HAP9DBr74aXD10oi5nUJaI= +github.com/pulumi/pulumi-terraform-bridge/pf v0.38.1-0.20240627164523-242339028d5a h1:/qeuaUIEyEBh24KbALt0gk+9BzpxxrQxYt8f3RH2o/4= +github.com/pulumi/pulumi-terraform-bridge/pf v0.38.1-0.20240627164523-242339028d5a/go.mod h1:JGOlvwSWY+jEt1V9sI/L8HAP9DBr74aXD10oi5nUJaI= github.com/pulumi/pulumi-terraform-bridge/testing v0.0.2-0.20230927165309-e3fd9503f2d3 h1:bBWWeAtSPPYpKYlPZr2h0BiYgWQpHRIk0HO/MQmB+jc= github.com/pulumi/pulumi-terraform-bridge/testing v0.0.2-0.20230927165309-e3fd9503f2d3/go.mod h1:vAQ7DeddebQ7FHdRaSG6ijuS28FS9PC4j8Y9wUuue0c= -github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.0 h1:Zv6OPQdkGERufe2Mq9D92xbTm5mg3uhllh0ryrcrrds= -github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.0/go.mod h1:a7t2qe4smtB7HlbHlelQxjJQn8DFNB3Gbe5Ot2W7GZU= +github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.1-0.20240627164523-242339028d5a h1:aJqL7JhQWc8FN6CZ2fGyIBDBbJ0olMrnxWK8FzYIpYg= +github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.1-0.20240627164523-242339028d5a/go.mod h1:a7t2qe4smtB7HlbHlelQxjJQn8DFNB3Gbe5Ot2W7GZU= github.com/pulumi/pulumi-terraform-bridge/x/muxer v0.0.8 h1:mav2tSitA9BPJPLLahKgepHyYsMzwaTm4cvp0dcTMYw= github.com/pulumi/pulumi-terraform-bridge/x/muxer v0.0.8/go.mod h1:qUYk2c9i/yqMGNj9/bQyXpS39BxNDSXYjVN1njnq0zY= github.com/pulumi/pulumi/pkg/v3 v3.121.0 h1:cLUQJYGJKfgCY0ubJo8dVwmsIm2WcgTprb9Orc/yiFg= 
diff --git a/provider/cmd/pulumi-resource-aws/bridge-metadata.json b/provider/cmd/pulumi-resource-aws/bridge-metadata.json index c5d0e64727f..a162e269f2a 100644 --- a/provider/cmd/pulumi-resource-aws/bridge-metadata.json +++ b/provider/cmd/pulumi-resource-aws/bridge-metadata.json @@ -232628,4 +232628,4 @@ "aws:workspaces/getWorkspace:getWorkspace": 0 } } -} +} \ No newline at end of file diff --git a/provider/cmd/pulumi-resource-aws/schema.json b/provider/cmd/pulumi-resource-aws/schema.json index c56eaf217fa..b41dd4a582e 100644 --- a/provider/cmd/pulumi-resource-aws/schema.json +++ b/provider/cmd/pulumi-resource-aws/schema.json @@ -14,9 +14,7 @@ }, "language": { "csharp": { - "packageReferences": { - "Pulumi": "3.*" - }, + "compatibility": "tfbridge20", "namespaces": { "accessanalyzer": "AccessAnalyzer", "account": "Account", 
@@ -232,18 +230,19 @@ "workspaces": "Workspaces", "xray": "Xray" }, - "compatibility": "tfbridge20", + "packageReferences": { + "Pulumi": "3.*" + }, "respectSchemaVersion": true }, "go": { - "importBasePath": "github.com/pulumi/pulumi-aws/sdk/v6/go/aws", - "generateResourceContainerTypes": true, "generateExtraInputTypes": true, + "generateResourceContainerTypes": true, + "importBasePath": "github.com/pulumi/pulumi-aws/sdk/v6/go/aws", "respectSchemaVersion": true }, "nodejs": { - "packageDescription": "A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.", - "readme": "\u003e This provider is a derived work of the [Terraform Provider](https://github.com/hashicorp/terraform-provider-aws)\n\u003e distributed under [MPL 2.0](https://www.mozilla.org/en-US/MPL/2.0/). If you encounter a bug or missing feature,\n\u003e first check the [`pulumi-aws` repo](https://github.com/pulumi/pulumi-aws/issues); however, if that doesn't turn up anything,\n\u003e please consult the source [`terraform-provider-aws` repo](https://github.com/hashicorp/terraform-provider-aws/issues).", + "compatibility": "tfbridge20", "dependencies": { "@pulumi/pulumi": "^3.0.0", "builtin-modules": "3.0.0", 
@@ -254,21 +253,22 @@ "@types/mime": "^2.0.0", "@types/node": "^10.0.0" }, - "compatibility": "tfbridge20", "disableUnionOutputTypes": true, + "packageDescription": "A Pulumi package for creating and managing Amazon Web Services (AWS) cloud resources.", + "readme": "\u003e This provider is a derived work of the [Terraform Provider](https://github.com/hashicorp/terraform-provider-aws)\n\u003e distributed under [MPL 2.0](https://www.mozilla.org/en-US/MPL/2.0/). If you encounter a bug or missing feature,\n\u003e first check the [`pulumi-aws` repo](https://github.com/pulumi/pulumi-aws/issues); however, if that doesn't turn up anything,\n\u003e please consult the source [`terraform-provider-aws` repo](https://github.com/hashicorp/terraform-provider-aws/issues).", "respectSchemaVersion": true }, "python": { - "requires": { - "pulumi": "\u003e=3.0.0,\u003c4.0.0" - }, - "readme": "\u003e This provider is a derived work of the [Terraform Provider](https://github.com/hashicorp/terraform-provider-aws)\n\u003e distributed under [MPL 2.0](https://www.mozilla.org/en-US/MPL/2.0/). If you encounter a bug or missing feature,\n\u003e first check the [`pulumi-aws` repo](https://github.com/pulumi/pulumi-aws/issues); however, if that doesn't turn up anything,\n\u003e please consult the source [`terraform-provider-aws` repo](https://github.com/hashicorp/terraform-provider-aws/issues).", "compatibility": "tfbridge20", - "respectSchemaVersion": true, + "inputTypes": "classes-and-dicts", "pyproject": { "enabled": true }, - "inputTypes": "classes-and-dicts" + "readme": "\u003e This provider is a derived work of the [Terraform Provider](https://github.com/hashicorp/terraform-provider-aws)\n\u003e distributed under [MPL 2.0](https://www.mozilla.org/en-US/MPL/2.0/). 
If you encounter a bug or missing feature,\n\u003e first check the [`pulumi-aws` repo](https://github.com/pulumi/pulumi-aws/issues); however, if that doesn't turn up anything,\n\u003e please consult the source [`terraform-provider-aws` repo](https://github.com/hashicorp/terraform-provider-aws/issues).", + "requires": { + "pulumi": "\u003e=3.0.0,\u003c4.0.0" + }, + "respectSchemaVersion": true } }, "config": { 
@@ -33589,102 +33589,42 @@ "ands": { "type": "array", "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAnd:getCostCategoryRuleRuleAnd" + "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRule:getCostCategoryRuleRule" }, "description": "Return results that match both `Dimension` objects.\n" }, "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleCostCategory:getCostCategoryRuleRuleCostCategory" - }, - "description": "Configuration block for the filter that's based on `CostCategory` values. See below.\n" - }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleDimension:getCostCategoryRuleRuleDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. See below.\n" - }, - "nots": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNot:getCostCategoryRuleRuleNot" - }, - "description": "Return results that do not match the `Dimension` object.\n" - }, - "ors": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOr:getCostCategoryRuleRuleOr" - }, - "description": "Return results that match either `Dimension` object.\n" - }, - "tags": { "type": "array", "items": { "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleTag:getCostCategoryRuleRuleTag" }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. 
See below.\n" - } - }, - "type": "object", - "required": [ - "ands", - "costCategories", - "dimensions", - "nots", - "ors", - "tags" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:costexplorer/getCostCategoryRuleRuleAnd:getCostCategoryRuleRuleAnd": { - "properties": { - "ands": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndAnd:getCostCategoryRuleRuleAndAnd" - }, - "description": "Return results that match both `Dimension` objects.\n" - }, - "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndCostCategory:getCostCategoryRuleRuleAndCostCategory" - }, "description": "Configuration block for the filter that's based on `CostCategory` values. See below.\n" }, "dimensions": { "type": "array", "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndDimension:getCostCategoryRuleRuleAndDimension" + "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleTag:getCostCategoryRuleRuleTag" }, "description": "Configuration block for the specific `Dimension` to use for `Expression`. 
See below.\n" }, "nots": { "type": "array", "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndNot:getCostCategoryRuleRuleAndNot" + "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRule:getCostCategoryRuleRule" }, "description": "Return results that do not match the `Dimension` object.\n" }, "ors": { "type": "array", "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndOr:getCostCategoryRuleRuleAndOr" + "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRule:getCostCategoryRuleRule" }, "description": "Return results that match either `Dimension` object.\n" }, "tags": { "type": "array", "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndTag:getCostCategoryRuleRuleAndTag" + "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleTag:getCostCategoryRuleRuleTag" }, "description": "Configuration block for the specific `Tag` to use for `Expression`. See below.\n" } 
@@ -33704,43 +33644,7 @@ } } }, - "aws:costexplorer/getCostCategoryRuleRuleAndAnd:getCostCategoryRuleRuleAndAnd": { - "properties": { - "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndAndCostCategory:getCostCategoryRuleRuleAndAndCostCategory" - }, - "description": "Configuration block for the filter that's based on `CostCategory` values. See below.\n" - }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndAndDimension:getCostCategoryRuleRuleAndAndDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. See below.\n" - }, - "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndAndTag:getCostCategoryRuleRuleAndAndTag" - }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. See below.\n" - } - }, - "type": "object", - "required": [ - "costCategories", - "dimensions", - "tags" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:costexplorer/getCostCategoryRuleRuleAndAndCostCategory:getCostCategoryRuleRuleAndAndCostCategory": { + "aws:costexplorer/getCostCategoryRuleRuleTag:getCostCategoryRuleRuleTag": { "properties": { "key": { "type": "string", 
@@ -33773,65 +33677,37 @@ } } }, - "aws:costexplorer/getCostCategoryRuleRuleAndAndDimension:getCostCategoryRuleRuleAndAndDimension": { + "aws:costexplorer/getCostCategorySplitChargeRule:getCostCategorySplitChargeRule": { "properties": { - "key": { + "method": { "type": "string", - "description": "Key for the tag.\n" + "description": "Method that's used to define how to split your source costs across your targets. Valid values are `FIXED`, `PROPORTIONAL`, `EVEN`\n" }, - "matchOptions": { + "parameters": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:costexplorer/getCostCategorySplitChargeRuleParameter:getCostCategorySplitChargeRuleParameter" }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "Configuration block for the parameters for a split charge method. This is only required for the `FIXED` method. See below.\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" - } - }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:costexplorer/getCostCategoryRuleRuleAndAndTag:getCostCategoryRuleRuleAndAndTag": { - "properties": { - "key": { + "source": { "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "Cost Category value that you want to split.\n" }, - "values": { + "targets": { "type": "array", "items": { "type": "string" }, - "description": "Parameter values.\n" + "description": "Cost Category values that you want to split costs across. These values can't be used as a source in other split charge rules.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" + "method", + "parameters", + "source", + "targets" ], "language": { "nodejs": { @@ -33839,18 +33715,11 @@ } } }, - "aws:costexplorer/getCostCategoryRuleRuleAndCostCategory:getCostCategoryRuleRuleAndCostCategory": { + "aws:costexplorer/getCostCategorySplitChargeRuleParameter:getCostCategorySplitChargeRuleParameter": { "properties": { - "key": { + "type": { "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "Parameter type.\n" }, "values": { "type": "array", @@ -33862,8 +33731,7 @@ }, "type": "object", "required": [ - "key", - "matchOptions", + "type", "values" ], "language": { 
@@ -33872,80 +33740,61 @@ } } }, - "aws:costexplorer/getCostCategoryRuleRuleAndDimension:getCostCategoryRuleRuleAndDimension": { + "aws:costexplorer/getTagsFilter:getTagsFilter": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { + "ands": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:costexplorer/getTagsFilterAnd:getTagsFilterAnd" }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "Return results that match both `Dimension` objects.\n" }, - "values": { + "costCategory": { + "$ref": "#/types/aws:costexplorer/getTagsFilterCostCategory:getTagsFilterCostCategory", + "description": "Configuration block for the filter that's based on `CostCategory` values. See `cost_category` block below for details.\n" + }, + "dimension": { + "$ref": "#/types/aws:costexplorer/getTagsFilterDimension:getTagsFilterDimension", + "description": "Configuration block for the specific `Dimension` to use for `Expression`. 
See `dimension` block below for details.\n" + }, + "not": { + "$ref": "#/types/aws:costexplorer/getTagsFilterNot:getTagsFilterNot", + "description": "Return results that match both `Dimension` object.\n" + }, + "ors": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:costexplorer/getTagsFilterOr:getTagsFilterOr" }, - "description": "Parameter values.\n" + "description": "Return results that match both `Dimension` object.\n" + }, + "tags": { + "$ref": "#/types/aws:costexplorer/getTagsFilterTags:getTagsFilterTags", + "description": "Tags that match your request.\n" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleAndNot:getCostCategoryRuleRuleAndNot": { + "aws:costexplorer/getTagsFilterAnd:getTagsFilterAnd": { "properties": { - "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndNotCostCategory:getCostCategoryRuleRuleAndNotCostCategory" - }, - "description": "Configuration block for the filter that's based on `CostCategory` values. See below.\n" + "costCategory": { + "$ref": "#/types/aws:costexplorer/getTagsFilterAndCostCategory:getTagsFilterAndCostCategory" }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndNotDimension:getCostCategoryRuleRuleAndNotDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. See below.\n" + "dimension": { + "$ref": "#/types/aws:costexplorer/getTagsFilterAndDimension:getTagsFilterAndDimension" }, "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndNotTag:getCostCategoryRuleRuleAndNotTag" - }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. 
See below.\n" + "$ref": "#/types/aws:costexplorer/getTagsFilterAndTags:getTagsFilterAndTags", + "description": "Tags that match your request.\n" } }, - "type": "object", - "required": [ - "costCategories", - "dimensions", - "tags" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleAndNotCostCategory:getCostCategoryRuleRuleAndNotCostCategory": { + "aws:costexplorer/getTagsFilterAndCostCategory:getTagsFilterAndCostCategory": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" + "description": "Unique name of the Cost Category.\n" }, "matchOptions": { "type": "array", @@ -33959,26 +33808,16 @@ "items": { "type": "string" }, - "description": "Parameter values.\n" + "description": "Specific value of the Cost Category.\n" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleAndNotDimension:getCostCategoryRuleRuleAndNotDimension": { + "aws:costexplorer/getTagsFilterAndDimension:getTagsFilterAndDimension": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" + "description": "Unique name of the Cost Category.\n" }, "matchOptions": { "type": "array", 
@@ -33992,95 +33831,36 @@ "items": { "type": "string" }, - "description": "Parameter values.\n" + "description": "Specific value of the Cost Category.\n" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleAndNotTag:getCostCategoryRuleRuleAndNotTag": { + "aws:costexplorer/getTagsFilterAndTags:getTagsFilterAndTags": { "properties": { "key": { - "type": "string", - "description": "Key for the tag.\n" + "type": "string" }, "matchOptions": { "type": "array", "items": { "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + } }, "values": { "type": "array", "items": { "type": "string" - }, - "description": "Parameter values.\n" - } - }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:costexplorer/getCostCategoryRuleRuleAndOr:getCostCategoryRuleRuleAndOr": { - "properties": { - "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndOrCostCategory:getCostCategoryRuleRuleAndOrCostCategory" - }, - "description": "Configuration block for the filter that's based on `CostCategory` values. See below.\n" - }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndOrDimension:getCostCategoryRuleRuleAndOrDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. 
See below.\n" - }, - "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleAndOrTag:getCostCategoryRuleRuleAndOrTag" - }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. See below.\n" + } } }, - "type": "object", - "required": [ - "costCategories", - "dimensions", - "tags" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleAndOrCostCategory:getCostCategoryRuleRuleAndOrCostCategory": { + "aws:costexplorer/getTagsFilterCostCategory:getTagsFilterCostCategory": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" + "description": "Unique name of the Cost Category.\n" }, "matchOptions": { "type": "array", @@ -34094,26 +33874,16 @@ "items": { "type": "string" }, - "description": "Parameter values.\n" + "description": "Specific value of the Cost Category.\n" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleAndOrDimension:getCostCategoryRuleRuleAndOrDimension": { + "aws:costexplorer/getTagsFilterDimension:getTagsFilterDimension": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" + "description": "Unique name of the Cost Category.\n" }, "matchOptions": { "type": "array", 
@@ -34127,59 +33897,31 @@ "items": { "type": "string" }, - "description": "Parameter values.\n" + "description": "Specific value of the Cost Category.\n" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleAndOrTag:getCostCategoryRuleRuleAndOrTag": { + "aws:costexplorer/getTagsFilterNot:getTagsFilterNot": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" + "costCategory": { + "$ref": "#/types/aws:costexplorer/getTagsFilterNotCostCategory:getTagsFilterNotCostCategory" }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "dimension": { + "$ref": "#/types/aws:costexplorer/getTagsFilterNotDimension:getTagsFilterNotDimension" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "tags": { + "$ref": "#/types/aws:costexplorer/getTagsFilterNotTags:getTagsFilterNotTags", + "description": "Tags that match your request.\n" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleAndTag:getCostCategoryRuleRuleAndTag": { + "aws:costexplorer/getTagsFilterNotCostCategory:getTagsFilterNotCostCategory": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" + "description": "Unique name of the Cost Category.\n" }, "matchOptions": { "type": "array", 
@@ -34193,26 +33935,16 @@ "items": { "type": "string" }, - "description": "Parameter values.\n" + "description": "Specific value of the Cost Category.\n" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleCostCategory:getCostCategoryRuleRuleCostCategory": { + "aws:costexplorer/getTagsFilterNotDimension:getTagsFilterNotDimension": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" + "description": "Unique name of the Cost Category.\n" }, "matchOptions": { "type": "array", 
@@ -34226,155 +33958,51 @@ "items": { "type": "string" }, - "description": "Parameter values.\n" + "description": "Specific value of the Cost Category.\n" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleDimension:getCostCategoryRuleRuleDimension": { + "aws:costexplorer/getTagsFilterNotTags:getTagsFilterNotTags": { "properties": { "key": { - "type": "string", - "description": "Key for the tag.\n" + "type": "string" }, "matchOptions": { "type": "array", "items": { "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + } }, "values": { "type": "array", "items": { "type": "string" - }, - "description": "Parameter values.\n" - } - }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:costexplorer/getCostCategoryRuleRuleNot:getCostCategoryRuleRuleNot": { - "properties": { - "ands": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotAnd:getCostCategoryRuleRuleNotAnd" - }, - "description": "Return results that match both `Dimension` objects.\n" - }, - "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotCostCategory:getCostCategoryRuleRuleNotCostCategory" - }, - "description": "Configuration block for the filter that's based on `CostCategory` values. 
See below.\n" - }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotDimension:getCostCategoryRuleRuleNotDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. See below.\n" - }, - "nots": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotNot:getCostCategoryRuleRuleNotNot" - }, - "description": "Return results that do not match the `Dimension` object.\n" - }, - "ors": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotOr:getCostCategoryRuleRuleNotOr" - }, - "description": "Return results that match either `Dimension` object.\n" - }, - "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotTag:getCostCategoryRuleRuleNotTag" - }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. See below.\n" + } } }, - "type": "object", - "required": [ - "ands", - "costCategories", - "dimensions", - "nots", - "ors", - "tags" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleNotAnd:getCostCategoryRuleRuleNotAnd": { + "aws:costexplorer/getTagsFilterOr:getTagsFilterOr": { "properties": { - "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotAndCostCategory:getCostCategoryRuleRuleNotAndCostCategory" - }, - "description": "Configuration block for the filter that's based on `CostCategory` values. 
See below.\n" + "costCategory": { + "$ref": "#/types/aws:costexplorer/getTagsFilterOrCostCategory:getTagsFilterOrCostCategory" }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotAndDimension:getCostCategoryRuleRuleNotAndDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. See below.\n" + "dimension": { + "$ref": "#/types/aws:costexplorer/getTagsFilterOrDimension:getTagsFilterOrDimension" }, "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotAndTag:getCostCategoryRuleRuleNotAndTag" - }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. See below.\n" + "$ref": "#/types/aws:costexplorer/getTagsFilterOrTags:getTagsFilterOrTags", + "description": "Tags that match your request.\n" } }, - "type": "object", - "required": [ - "costCategories", - "dimensions", - "tags" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleNotAndCostCategory:getCostCategoryRuleRuleNotAndCostCategory": { + "aws:costexplorer/getTagsFilterOrCostCategory:getTagsFilterOrCostCategory": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" + "description": "Unique name of the Cost Category.\n" }, "matchOptions": { "type": "array", 
@@ -34388,26 +34016,16 @@ "items": { "type": "string" }, - "description": "Parameter values.\n" + "description": "Specific value of the Cost Category.\n" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleNotAndDimension:getCostCategoryRuleRuleNotAndDimension": { + "aws:costexplorer/getTagsFilterOrDimension:getTagsFilterOrDimension": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" + "description": "Unique name of the Cost Category.\n" }, "matchOptions": { "type": "array", 
@@ -34421,779 +34039,609 @@ "items": { "type": "string" }, - "description": "Parameter values.\n" + "description": "Specific value of the Cost Category.\n" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleNotAndTag:getCostCategoryRuleRuleNotAndTag": { + "aws:costexplorer/getTagsFilterOrTags:getTagsFilterOrTags": { "properties": { "key": { - "type": "string", - "description": "Key for the tag.\n" + "type": "string" }, "matchOptions": { "type": "array", "items": { "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + } }, "values": { "type": "array", "items": { "type": "string" - }, - "description": "Parameter values.\n" + } } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleNotCostCategory:getCostCategoryRuleRuleNotCostCategory": { + "aws:costexplorer/getTagsFilterTags:getTagsFilterTags": { "properties": { "key": { - "type": "string", - "description": "Key for the tag.\n" + "type": "string" }, "matchOptions": { "type": "array", "items": { "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + } }, "values": { "type": "array", "items": { "type": "string" - }, - "description": "Parameter values.\n" + } } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleNotDimension:getCostCategoryRuleRuleNotDimension": { + "aws:costexplorer/getTagsSortBy:getTagsSortBy": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" + "description": "key that's used to sort the data. Valid values are: `BlendedCost`, `UnblendedCost`, `AmortizedCost`, `NetAmortizedCost`, `NetUnblendedCost`, `UsageQuantity`, `NormalizedUsageAmount`.\n" }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "sortOrder": { + "type": "string", + "description": "order that's used to sort the data. 
Valid values are: `ASCENDING`, `DESCENDING`.\n" + } + }, + "type": "object" + }, + "aws:costexplorer/getTagsTimePeriod:getTagsTimePeriod": { + "properties": { + "end": { + "type": "string", + "description": "Beginning of the time period.\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "start": { + "type": "string", + "description": "End of the time period.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "end", + "start" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleNotNot:getCostCategoryRuleRuleNotNot": { + "aws:customerprofiles/DomainMatching:DomainMatching": { "properties": { - "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotNotCostCategory:getCostCategoryRuleRuleNotNotCostCategory" - }, - "description": "Configuration block for the filter that's based on `CostCategory` values. See below.\n" + "autoMerging": { + "$ref": "#/types/aws:customerprofiles/DomainMatchingAutoMerging:DomainMatchingAutoMerging", + "description": "A block that specifies the configuration about the auto-merging process. Documented below.\n" }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotNotDimension:getCostCategoryRuleRuleNotNotDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. See below.\n" + "enabled": { + "type": "boolean", + "description": "The flag that enables the matching process of duplicate profiles.\n" }, - "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotNotTag:getCostCategoryRuleRuleNotNotTag" - }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. 
See below.\n" + "exportingConfig": { + "$ref": "#/types/aws:customerprofiles/DomainMatchingExportingConfig:DomainMatchingExportingConfig", + "description": "A block that specifies the configuration for exporting Identity Resolution results. Documented below.\n" + }, + "jobSchedule": { + "$ref": "#/types/aws:customerprofiles/DomainMatchingJobSchedule:DomainMatchingJobSchedule", + "description": "A block that specifies the day and time when you want to start the Identity Resolution Job every week. Documented below.\n" } }, "type": "object", "required": [ - "costCategories", - "dimensions", - "tags" + "enabled" ], "language": { "nodejs": { - "requiredInputs": [] + "requiredOutputs": [ + "autoMerging", + "enabled" + ] } } }, - "aws:costexplorer/getCostCategoryRuleRuleNotNotCostCategory:getCostCategoryRuleRuleNotNotCostCategory": { + "aws:customerprofiles/DomainMatchingAutoMerging:DomainMatchingAutoMerging": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" + "conflictResolution": { + "$ref": "#/types/aws:customerprofiles/DomainMatchingAutoMergingConflictResolution:DomainMatchingAutoMergingConflictResolution", + "description": "A block that specifies how the auto-merging process should resolve conflicts between different profiles. Documented below.\n" }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "consolidation": { + "$ref": "#/types/aws:customerprofiles/DomainMatchingAutoMergingConsolidation:DomainMatchingAutoMergingConsolidation", + "description": "A block that specifies a list of matching attributes that represent matching criteria. 
If two profiles meet at least one of the requirements in the matching attributes list, they will be merged. Documented below.\n* `min_allowed_confidence_score_for_merging ` - (Optional) A number between 0 and 1 that represents the minimum confidence score required for profiles within a matching group to be merged during the auto-merge process. A higher score means higher similarity required to merge profiles.\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "enabled": { + "type": "boolean", + "description": "The flag that enables the auto-merging of duplicate profiles.\n" + }, + "minAllowedConfidenceScoreForMerging": { + "type": "number" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "enabled" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleNotNotDimension:getCostCategoryRuleRuleNotNotDimension": { + "aws:customerprofiles/DomainMatchingAutoMergingConflictResolution:DomainMatchingAutoMergingConflictResolution": { "properties": { - "key": { + "conflictResolvingModel": { "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "How the auto-merging process should resolve conflicts between different profiles. 
Valid values are `RECENCY` and `SOURCE`\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "sourceName": { + "type": "string", + "description": "The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel`.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "conflictResolvingModel" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleNotNotTag:getCostCategoryRuleRuleNotNotTag": { + "aws:customerprofiles/DomainMatchingAutoMergingConsolidation:DomainMatchingAutoMergingConsolidation": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" - }, - "values": { + "matchingAttributesLists": { "type": "array", "items": { - "type": "string" + "type": "array", + "items": { + "type": "string" + } }, - "description": "Parameter values.\n" + "description": "A list of matching criteria.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] + "matchingAttributesLists" + ] + }, + "aws:customerprofiles/DomainMatchingExportingConfig:DomainMatchingExportingConfig": { + "properties": { + "s3Exporting": { + "$ref": "#/types/aws:customerprofiles/DomainMatchingExportingConfigS3Exporting:DomainMatchingExportingConfigS3Exporting" } - } + }, + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleNotOr:getCostCategoryRuleRuleNotOr": { + "aws:customerprofiles/DomainMatchingExportingConfigS3Exporting:DomainMatchingExportingConfigS3Exporting": { "properties": { - "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotOrCostCategory:getCostCategoryRuleRuleNotOrCostCategory" - }, - "description": "Configuration block for the filter that's based on `CostCategory` values. See below.\n" - }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotOrDimension:getCostCategoryRuleRuleNotOrDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. See below.\n" + "s3BucketName": { + "type": "string" }, - "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleNotOrTag:getCostCategoryRuleRuleNotOrTag" - }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. 
See below.\n" + "s3KeyName": { + "type": "string" } }, "type": "object", "required": [ - "costCategories", - "dimensions", - "tags" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "s3BucketName" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleNotOrCostCategory:getCostCategoryRuleRuleNotOrCostCategory": { + "aws:customerprofiles/DomainMatchingJobSchedule:DomainMatchingJobSchedule": { "properties": { - "key": { + "dayOfTheWeek": { "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "The day when the Identity Resolution Job should run every week.\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "time": { + "type": "string", + "description": "The time when the Identity Resolution Job should run every week.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "dayOfTheWeek", + "time" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleNotOrDimension:getCostCategoryRuleRuleNotOrDimension": { + "aws:customerprofiles/DomainRuleBasedMatching:DomainRuleBasedMatching": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" + "attributeTypesSelector": { + "$ref": "#/types/aws:customerprofiles/DomainRuleBasedMatchingAttributeTypesSelector:DomainRuleBasedMatchingAttributeTypesSelector", + "description": "A block that configures information about the `AttributeTypesSelector` where the rule-based identity resolution uses to match profiles. 
Documented below.\n" }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "conflictResolution": { + "$ref": "#/types/aws:customerprofiles/DomainRuleBasedMatchingConflictResolution:DomainRuleBasedMatchingConflictResolution", + "description": "A block that specifies how the auto-merging process should resolve conflicts between different profiles. Documented below.\n" }, - "values": { + "enabled": { + "type": "boolean", + "description": "The flag that enables the rule-based matching process of duplicate profiles.\n" + }, + "exportingConfig": { + "$ref": "#/types/aws:customerprofiles/DomainRuleBasedMatchingExportingConfig:DomainRuleBasedMatchingExportingConfig", + "description": "A block that specifies the configuration for exporting Identity Resolution results. Documented below.\n" + }, + "matchingRules": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:customerprofiles/DomainRuleBasedMatchingMatchingRule:DomainRuleBasedMatchingMatchingRule" }, - "description": "Parameter values.\n" + "description": "A block that configures how the rule-based matching process should match profiles. You can have up to 15 `rule` in the `natching_rules`. 
Documented below.\n" + }, + "maxAllowedRuleLevelForMatching": { + "type": "integer", + "description": "Indicates the maximum allowed rule level for matching.\n" + }, + "maxAllowedRuleLevelForMerging": { + "type": "integer", + "description": "Indicates the maximum allowed rule level for merging.\n" + }, + "status": { + "type": "string" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" + "enabled" ], "language": { "nodejs": { - "requiredInputs": [] + "requiredOutputs": [ + "enabled", + "status" + ] } } }, - "aws:costexplorer/getCostCategoryRuleRuleNotOrTag:getCostCategoryRuleRuleNotOrTag": { + "aws:customerprofiles/DomainRuleBasedMatchingAttributeTypesSelector:DomainRuleBasedMatchingAttributeTypesSelector": { "properties": { - "key": { + "addresses": { + "type": "array", + "items": { + "type": "string" + }, + "description": "The `Address` type. You can choose from `Address`, `BusinessAddress`, `MaillingAddress`, and `ShippingAddress`.\n" + }, + "attributeMatchingModel": { "type": "string", - "description": "Key for the tag.\n" + "description": "Configures the `AttributeMatchingModel`, you can either choose `ONE_TO_ONE` or `MANY_TO_MANY`.\n" }, - "matchOptions": { + "emailAddresses": { "type": "array", "items": { "type": "string" }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "The `Email` type. You can choose from `EmailAddress`, `BusinessEmailAddress` and `PersonalEmailAddress`.\n" }, - "values": { + "phoneNumbers": { "type": "array", "items": { "type": "string" }, - "description": "Parameter values.\n" + "description": "The `PhoneNumber` type. 
You can choose from `PhoneNumber`, `HomePhoneNumber`, and `MobilePhoneNumber`.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "attributeMatchingModel" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleNotTag:getCostCategoryRuleRuleNotTag": { + "aws:customerprofiles/DomainRuleBasedMatchingConflictResolution:DomainRuleBasedMatchingConflictResolution": { "properties": { - "key": { + "conflictResolvingModel": { "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "How the auto-merging process should resolve conflicts between different profiles. 
Valid values are `RECENCY` and `SOURCE`\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "sourceName": { + "type": "string", + "description": "The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel`.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] + "conflictResolvingModel" + ] + }, + "aws:customerprofiles/DomainRuleBasedMatchingExportingConfig:DomainRuleBasedMatchingExportingConfig": { + "properties": { + "s3Exporting": { + "$ref": "#/types/aws:customerprofiles/DomainRuleBasedMatchingExportingConfigS3Exporting:DomainRuleBasedMatchingExportingConfigS3Exporting" } - } + }, + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleOr:getCostCategoryRuleRuleOr": { + "aws:customerprofiles/DomainRuleBasedMatchingExportingConfigS3Exporting:DomainRuleBasedMatchingExportingConfigS3Exporting": { "properties": { - "ands": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrAnd:getCostCategoryRuleRuleOrAnd" - }, - "description": "Return results that match both `Dimension` objects.\n" + "s3BucketName": { + "type": "string" }, - "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrCostCategory:getCostCategoryRuleRuleOrCostCategory" - }, - "description": "Configuration block for the filter that's based on `CostCategory` values. See below.\n" - }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrDimension:getCostCategoryRuleRuleOrDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. 
See below.\n" - }, - "nots": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrNot:getCostCategoryRuleRuleOrNot" - }, - "description": "Return results that do not match the `Dimension` object.\n" - }, - "ors": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrOr:getCostCategoryRuleRuleOrOr" - }, - "description": "Return results that match either `Dimension` object.\n" - }, - "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrTag:getCostCategoryRuleRuleOrTag" - }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. See below.\n" + "s3KeyName": { + "type": "string" } }, "type": "object", "required": [ - "ands", - "costCategories", - "dimensions", - "nots", - "ors", - "tags" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "s3BucketName" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleOrAnd:getCostCategoryRuleRuleOrAnd": { + "aws:customerprofiles/DomainRuleBasedMatchingMatchingRule:DomainRuleBasedMatchingMatchingRule": { "properties": { - "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrAndCostCategory:getCostCategoryRuleRuleOrAndCostCategory" - }, - "description": "Configuration block for the filter that's based on `CostCategory` values. See below.\n" - }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrAndDimension:getCostCategoryRuleRuleOrAndDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. See below.\n" - }, - "tags": { + "rules": { "type": "array", "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrAndTag:getCostCategoryRuleRuleOrAndTag" + "type": "string" }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. 
See below.\n" + "description": "A single rule level of the `match_rules`. Configures how the rule-based matching process should match profiles.\n" } }, "type": "object", "required": [ - "costCategories", - "dimensions", - "tags" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "rules" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleOrAndCostCategory:getCostCategoryRuleRuleOrAndCostCategory": { + "aws:customerprofiles/ProfileAddress:ProfileAddress": { "properties": { - "key": { + "address1": { "type": "string", - "description": "Key for the tag.\n" + "description": "The first line of a customer address.\n" }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "address2": { + "type": "string", + "description": "The second line of a customer address.\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "address3": { + "type": "string", + "description": "The third line of a customer address.\n" + }, + "address4": { + "type": "string", + "description": "The fourth line of a customer address.\n" + }, + "city": { + "type": "string", + "description": "The city in which a customer lives.\n" + }, + "country": { + "type": "string", + "description": "The country in which a customer lives.\n" + }, + "county": { + "type": "string", + "description": "The county in which a customer lives.\n" + }, + "postalCode": { + "type": "string", + "description": "The postal code of a customer address.\n" + }, + "province": { + "type": "string", + "description": "The province in which a customer lives.\n" + }, + "state": { + "type": "string", + 
"description": "The state in which a customer lives.\n" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleOrAndDimension:getCostCategoryRuleRuleOrAndDimension": { + "aws:customerprofiles/ProfileBillingAddress:ProfileBillingAddress": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" + "address1": { + "type": "string" }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "address2": { + "type": "string" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "address3": { + "type": "string" + }, + "address4": { + "type": "string" + }, + "city": { + "type": "string" + }, + "country": { + "type": "string" + }, + "county": { + "type": "string" + }, + "postalCode": { + "type": "string" + }, + "province": { + "type": "string" + }, + "state": { + "type": "string" } }, - "type": "object", - "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] + "type": "object" + }, + "aws:customerprofiles/ProfileMailingAddress:ProfileMailingAddress": { + "properties": { + "address1": { + "type": "string" + }, + "address2": { + "type": "string" + }, + "address3": { + "type": "string" + }, + "address4": { + "type": "string" + }, + "city": { + "type": "string" + }, + "country": { + "type": "string" + }, + "county": { + "type": "string" + }, + "postalCode": { + "type": "string" + }, + "province": { + "type": "string" + }, + "state": { 
+ "type": "string" } - } + }, + "type": "object" }, - "aws:costexplorer/getCostCategoryRuleRuleOrAndTag:getCostCategoryRuleRuleOrAndTag": { + "aws:customerprofiles/ProfileShippingAddress:ProfileShippingAddress": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" + "address1": { + "type": "string" }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "address2": { + "type": "string" }, - "values": { + "address3": { + "type": "string" + }, + "address4": { + "type": "string" + }, + "city": { + "type": "string" + }, + "country": { + "type": "string" + }, + "county": { + "type": "string" + }, + "postalCode": { + "type": "string" + }, + "province": { + "type": "string" + }, + "state": { + "type": "string" + } + }, + "type": "object" + }, + "aws:datapipeline/PipelineDefinitionParameterObject:PipelineDefinitionParameterObject": { + "properties": { + "attributes": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:datapipeline/PipelineDefinitionParameterObjectAttribute:PipelineDefinitionParameterObjectAttribute" }, - "description": "Parameter values.\n" + "description": "Configuration block for attributes of the parameter object. 
See below\n" + }, + "id": { + "type": "string", + "description": "ID of the parameter object.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "id" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleOrCostCategory:getCostCategoryRuleRuleOrCostCategory": { + "aws:datapipeline/PipelineDefinitionParameterObjectAttribute:PipelineDefinitionParameterObjectAttribute": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "Field identifier.\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "stringValue": { + "type": "string", + "description": "Field value, expressed as a String.\n" } }, "type": "object", "required": [ "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "stringValue" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleOrDimension:getCostCategoryRuleRuleOrDimension": { + "aws:datapipeline/PipelineDefinitionParameterValue:PipelineDefinitionParameterValue": { "properties": { - "key": { + "id": { "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "ID of the parameter value.\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "stringValue": { + "type": "string", + "description": "Field value, expressed as a String.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "id", + "stringValue" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleOrNot:getCostCategoryRuleRuleOrNot": { + "aws:datapipeline/PipelineDefinitionPipelineObject:PipelineDefinitionPipelineObject": { "properties": { - "costCategories": { + "fields": { "type": "array", "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrNotCostCategory:getCostCategoryRuleRuleOrNotCostCategory" + "$ref": "#/types/aws:datapipeline/PipelineDefinitionPipelineObjectField:PipelineDefinitionPipelineObjectField" }, - "description": "Configuration block for the filter that's based on `CostCategory` values. See below.\n" + "description": "Configuration block for Key-value pairs that define the properties of the object. See below\n" }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrNotDimension:getCostCategoryRuleRuleOrNotDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. See below.\n" + "id": { + "type": "string", + "description": "ID of the object.\n" }, - "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrNotTag:getCostCategoryRuleRuleOrNotTag" - }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. 
See below.\n" + "name": { + "type": "string", + "description": "ARN of the storage connector.\n" } }, "type": "object", "required": [ - "costCategories", - "dimensions", - "tags" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "id", + "name" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleOrNotCostCategory:getCostCategoryRuleRuleOrNotCostCategory": { + "aws:datapipeline/PipelineDefinitionPipelineObjectField:PipelineDefinitionPipelineObjectField": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" + "description": "Field identifier.\n" }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "refValue": { + "type": "string", + "description": "Field value, expressed as the identifier of another object\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "stringValue": { + "type": "string", + "description": "Field value, expressed as a String.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "key" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleOrNotDimension:getCostCategoryRuleRuleOrNotDimension": { + "aws:datapipeline/getPipelineDefinitionParameterObject:getPipelineDefinitionParameterObject": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { + "attributes": { "type": "array", "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. 
MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "$ref": "#/types/aws:datapipeline/getPipelineDefinitionParameterObjectAttribute:getPipelineDefinitionParameterObjectAttribute" + } }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "id": { + "type": "string", + "description": "ID of the object.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" + "attributes", + "id" ], "language": { "nodejs": { @@ -35201,32 +34649,21 @@ } } }, - "aws:costexplorer/getCostCategoryRuleRuleOrNotTag:getCostCategoryRuleRuleOrNotTag": { + "aws:datapipeline/getPipelineDefinitionParameterObjectAttribute:getPipelineDefinitionParameterObjectAttribute": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "Field identifier.\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "stringValue": { + "type": "string", + "description": "Field value, expressed as a String.\n" } }, "type": "object", "required": [ "key", - "matchOptions", - "values" + "stringValue" ], "language": { "nodejs": { 
@@ -35234,35 +34671,21 @@ } } }, - "aws:costexplorer/getCostCategoryRuleRuleOrOr:getCostCategoryRuleRuleOrOr": { + "aws:datapipeline/getPipelineDefinitionParameterValue:getPipelineDefinitionParameterValue": { "properties": { - "costCategories": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrOrCostCategory:getCostCategoryRuleRuleOrOrCostCategory" - }, - "description": "Configuration block for the filter that's based on `CostCategory` values. See below.\n" - }, - "dimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrOrDimension:getCostCategoryRuleRuleOrOrDimension" - }, - "description": "Configuration block for the specific `Dimension` to use for `Expression`. See below.\n" + "id": { + "type": "string", + "description": "ID of the object.\n" }, - "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategoryRuleRuleOrOrTag:getCostCategoryRuleRuleOrOrTag" - }, - "description": "Configuration block for the specific `Tag` to use for `Expression`. See below.\n" + "stringValue": { + "type": "string", + "description": "Field value, expressed as a String.\n" } }, "type": "object", "required": [ - "costCategories", - "dimensions", - "tags" + "id", + "stringValue" ], "language": { "nodejs": { 
@@ -35270,32 +34693,28 @@ } } }, - "aws:costexplorer/getCostCategoryRuleRuleOrOrCostCategory:getCostCategoryRuleRuleOrOrCostCategory": { + "aws:datapipeline/getPipelineDefinitionPipelineObject:getPipelineDefinitionPipelineObject": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { + "fields": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:datapipeline/getPipelineDefinitionPipelineObjectField:getPipelineDefinitionPipelineObjectField" }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "Key-value pairs that define the properties of the object. See below\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "id": { + "type": "string", + "description": "ID of the object.\n" + }, + "name": { + "type": "string", + "description": "ARN of the storage connector.\n" } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" + "id", + "name" ], "language": { "nodejs": { 
@@ -35303,32 +34722,26 @@ } } }, - "aws:costexplorer/getCostCategoryRuleRuleOrOrDimension:getCostCategoryRuleRuleOrOrDimension": { + "aws:datapipeline/getPipelineDefinitionPipelineObjectField:getPipelineDefinitionPipelineObjectField": { "properties": { "key": { "type": "string", - "description": "Key for the tag.\n" + "description": "Field identifier.\n" }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "refValue": { + "type": "string", + "description": "Field value, expressed as the identifier of another object\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "stringValue": { + "type": "string", + "description": "Field value, expressed as a String.\n" } }, "type": "object", "required": [ "key", - "matchOptions", - "values" + "refValue", + "stringValue" ], "language": { "nodejs": { 
@@ -35336,1432 +34749,261 @@ } } }, - "aws:costexplorer/getCostCategoryRuleRuleOrOrTag:getCostCategoryRuleRuleOrOrTag": { + "aws:datasync/EfsLocationEc2Config:EfsLocationEc2Config": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { + "securityGroupArns": { "type": "array", "items": { "type": "string" }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "List of Amazon Resource Names (ARNs) of the EC2 Security Groups that are associated with the EFS Mount Target.\n", + "willReplaceOnChanges": true }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "subnetArn": { + "type": "string", + "description": "Amazon Resource Name (ARN) of the EC2 Subnet that is associated with the EFS Mount Target.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "securityGroupArns", + "subnetArn" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleOrTag:getCostCategoryRuleRuleOrTag": { + "aws:datasync/FsxOpenZfsFileSystemProtocol:FsxOpenZfsFileSystemProtocol": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "nfs": { + "$ref": "#/types/aws:datasync/FsxOpenZfsFileSystemProtocolNfs:FsxOpenZfsFileSystemProtocolNfs", + "description": "Represents the Network File System (NFS) protocol that DataSync uses to access your FSx for OpenZFS file system. See below.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "nfs" + ] }, - "aws:costexplorer/getCostCategoryRuleRuleTag:getCostCategoryRuleRuleTag": { + "aws:datasync/FsxOpenZfsFileSystemProtocolNfs:FsxOpenZfsFileSystemProtocolNfs": { "properties": { - "key": { - "type": "string", - "description": "Key for the tag.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "mountOptions": { + "$ref": "#/types/aws:datasync/FsxOpenZfsFileSystemProtocolNfsMountOptions:FsxOpenZfsFileSystemProtocolNfsMountOptions", + "description": "Represents the mount options that are available for DataSync to access an NFS location. 
See below.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "key", - "matchOptions", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "mountOptions" + ] }, - "aws:costexplorer/getCostCategorySplitChargeRule:getCostCategorySplitChargeRule": { + "aws:datasync/FsxOpenZfsFileSystemProtocolNfsMountOptions:FsxOpenZfsFileSystemProtocolNfsMountOptions": { "properties": { - "method": { - "type": "string", - "description": "Method that's used to define how to split your source costs across your targets. Valid values are `FIXED`, `PROPORTIONAL`, `EVEN`\n" - }, - "parameters": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getCostCategorySplitChargeRuleParameter:getCostCategorySplitChargeRuleParameter" - }, - "description": "Configuration block for the parameters for a split charge method. This is only required for the `FIXED` method. See below.\n" - }, - "source": { + "version": { "type": "string", - "description": "Cost Category value that you want to split.\n" - }, - "targets": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Cost Category values that you want to split costs across. These values can't be used as a source in other split charge rules.\n" + "description": "The specific NFS version that you want DataSync to use for mounting your NFS share. Valid values: `AUTOMATIC`, `NFS3`, `NFS4_0` and `NFS4_1`. 
Default: `AUTOMATIC`\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "method", - "parameters", - "source", - "targets" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "type": "object" }, - "aws:costexplorer/getCostCategorySplitChargeRuleParameter:getCostCategorySplitChargeRuleParameter": { + "aws:datasync/LocationAzureBlobSasConfiguration:LocationAzureBlobSasConfiguration": { "properties": { - "type": { + "token": { "type": "string", - "description": "Parameter type.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Parameter values.\n" + "description": "A SAS token that provides permissions to access your Azure Blob Storage.\n" } }, "type": "object", "required": [ - "type", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } + "token" + ] }, - "aws:costexplorer/getTagsFilter:getTagsFilter": { + "aws:datasync/LocationFsxOntapFileSystemProtocol:LocationFsxOntapFileSystemProtocol": { "properties": { - "ands": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getTagsFilterAnd:getTagsFilterAnd" - }, - "description": "Return results that match both `Dimension` objects.\n" - }, - "costCategory": { - "$ref": "#/types/aws:costexplorer/getTagsFilterCostCategory:getTagsFilterCostCategory", - "description": "Configuration block for the filter that's based on `CostCategory` values. See `cost_category` block below for details.\n" - }, - "dimension": { - "$ref": "#/types/aws:costexplorer/getTagsFilterDimension:getTagsFilterDimension", - "description": "Configuration block for the specific `Dimension` to use for `Expression`. 
See `dimension` block below for details.\n" - }, - "not": { - "$ref": "#/types/aws:costexplorer/getTagsFilterNot:getTagsFilterNot", - "description": "Return results that match both `Dimension` object.\n" - }, - "ors": { - "type": "array", - "items": { - "$ref": "#/types/aws:costexplorer/getTagsFilterOr:getTagsFilterOr" - }, - "description": "Return results that match both `Dimension` object.\n" + "nfs": { + "$ref": "#/types/aws:datasync/LocationFsxOntapFileSystemProtocolNfs:LocationFsxOntapFileSystemProtocolNfs", + "description": "Network File System (NFS) protocol that DataSync uses to access your FSx ONTAP file system. See NFS below.\n", + "willReplaceOnChanges": true }, - "tags": { - "$ref": "#/types/aws:costexplorer/getTagsFilterTags:getTagsFilterTags", - "description": "Tags that match your request.\n" + "smb": { + "$ref": "#/types/aws:datasync/LocationFsxOntapFileSystemProtocolSmb:LocationFsxOntapFileSystemProtocolSmb", + "description": "Server Message Block (SMB) protocol that DataSync uses to access your FSx ONTAP file system. See [SMB] (#smb) below.\n", + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:costexplorer/getTagsFilterAnd:getTagsFilterAnd": { + "aws:datasync/LocationFsxOntapFileSystemProtocolNfs:LocationFsxOntapFileSystemProtocolNfs": { "properties": { - "costCategory": { - "$ref": "#/types/aws:costexplorer/getTagsFilterAndCostCategory:getTagsFilterAndCostCategory" - }, - "dimension": { - "$ref": "#/types/aws:costexplorer/getTagsFilterAndDimension:getTagsFilterAndDimension" - }, - "tags": { - "$ref": "#/types/aws:costexplorer/getTagsFilterAndTags:getTagsFilterAndTags", - "description": "Tags that match your request.\n" + "mountOptions": { + "$ref": "#/types/aws:datasync/LocationFsxOntapFileSystemProtocolNfsMountOptions:LocationFsxOntapFileSystemProtocolNfsMountOptions", + "description": "Mount options that are available for DataSync to access an NFS location. 
See NFS Mount Options below.\n", + "willReplaceOnChanges": true } }, - "type": "object" + "type": "object", + "required": [ + "mountOptions" + ] }, - "aws:costexplorer/getTagsFilterAndCostCategory:getTagsFilterAndCostCategory": { + "aws:datasync/LocationFsxOntapFileSystemProtocolNfsMountOptions:LocationFsxOntapFileSystemProtocolNfsMountOptions": { "properties": { - "key": { + "version": { "type": "string", - "description": "Unique name of the Cost Category.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Specific value of the Cost Category.\n" + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:costexplorer/getTagsFilterAndDimension:getTagsFilterAndDimension": { + "aws:datasync/LocationFsxOntapFileSystemProtocolSmb:LocationFsxOntapFileSystemProtocolSmb": { "properties": { - "key": { + "domain": { "type": "string", - "description": "Unique name of the Cost Category.\n" + "description": "Fully qualified domain name of the Microsoft Active Directory (AD) that your storage virtual machine belongs to.\n", + "willReplaceOnChanges": true }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "mountOptions": { + "$ref": "#/types/aws:datasync/LocationFsxOntapFileSystemProtocolSmbMountOptions:LocationFsxOntapFileSystemProtocolSmbMountOptions", + "description": "Mount options that are available for DataSync to access an SMB location. See SMB Mount Options below.\n", + "willReplaceOnChanges": true }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Specific value of the Cost Category.\n" + "password": { + "type": "string", + "description": "Password of a user who has permission to access your SVM.\n", + "secret": true, + "willReplaceOnChanges": true + }, + "user": { + "type": "string", + "description": "Username that can mount the location and access the files, folders, and metadata that you need in the SVM.\n", + "willReplaceOnChanges": true } }, - "type": "object" + "type": "object", + "required": [ + "mountOptions", + "password", + "user" + ] }, - "aws:costexplorer/getTagsFilterAndTags:getTagsFilterAndTags": { + "aws:datasync/LocationFsxOntapFileSystemProtocolSmbMountOptions:LocationFsxOntapFileSystemProtocolSmbMountOptions": { "properties": { - "key": { - "type": "string" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - } - }, - "values": { - "type": "array", - "items": { - "type": "string" - } + "version": { + "type": "string", + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:costexplorer/getTagsFilterCostCategory:getTagsFilterCostCategory": { + "aws:datasync/LocationHdfsNameNode:LocationHdfsNameNode": { "properties": { - "key": { + "hostname": { "type": "string", - "description": "Unique name of the Cost Category.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. 
The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "The hostname of the NameNode in the HDFS cluster. This value is the IP address or Domain Name Service (DNS) name of the NameNode. An agent that's installed on-premises uses this hostname to communicate with the NameNode in the network.\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Specific value of the Cost Category.\n" + "port": { + "type": "integer", + "description": "The port that the NameNode uses to listen to client requests.\n" } }, - "type": "object" + "type": "object", + "required": [ + "hostname", + "port" + ] }, - "aws:costexplorer/getTagsFilterDimension:getTagsFilterDimension": { + "aws:datasync/LocationHdfsQopConfiguration:LocationHdfsQopConfiguration": { "properties": { - "key": { + "dataTransferProtection": { "type": "string", - "description": "Unique name of the Cost Category.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "The data transfer protection setting configured on the HDFS cluster. This setting corresponds to your dfs.data.transfer.protection setting in the hdfs-site.xml file on your Hadoop cluster. 
Valid values are `DISABLED`, `AUTHENTICATION`, `INTEGRITY` and `PRIVACY`.\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Specific value of the Cost Category.\n" + "rpcProtection": { + "type": "string", + "description": "The RPC protection setting configured on the HDFS cluster. This setting corresponds to your hadoop.rpc.protection setting in your core-site.xml file on your Hadoop cluster. Valid values are `DISABLED`, `AUTHENTICATION`, `INTEGRITY` and `PRIVACY`.\n" } }, - "type": "object" + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "dataTransferProtection", + "rpcProtection" + ] + } + } }, - "aws:costexplorer/getTagsFilterNot:getTagsFilterNot": { + "aws:datasync/LocationSmbMountOptions:LocationSmbMountOptions": { "properties": { - "costCategory": { - "$ref": "#/types/aws:costexplorer/getTagsFilterNotCostCategory:getTagsFilterNotCostCategory" - }, - "dimension": { - "$ref": "#/types/aws:costexplorer/getTagsFilterNotDimension:getTagsFilterNotDimension" - }, - "tags": { - "$ref": "#/types/aws:costexplorer/getTagsFilterNotTags:getTagsFilterNotTags", - "description": "Tags that match your request.\n" + "version": { + "type": "string", + "description": "The specific SMB version that you want DataSync to use for mounting your SMB share. Valid values: `AUTOMATIC`, `SMB2`, and `SMB3`. Default: `AUTOMATIC`\n" } }, "type": "object" }, - "aws:costexplorer/getTagsFilterNotCostCategory:getTagsFilterNotCostCategory": { + "aws:datasync/NfsLocationMountOptions:NfsLocationMountOptions": { "properties": { - "key": { + "version": { "type": "string", - "description": "Unique name of the Cost Category.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Specific value of the Cost Category.\n" + "description": "The specific NFS version that you want DataSync to use for mounting your NFS share. Valid values: `AUTOMATIC`, `NFS3`, `NFS4_0` and `NFS4_1`. Default: `AUTOMATIC`\n", + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:costexplorer/getTagsFilterNotDimension:getTagsFilterNotDimension": { + "aws:datasync/NfsLocationOnPremConfig:NfsLocationOnPremConfig": { "properties": { - "key": { - "type": "string", - "description": "Unique name of the Cost Category.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" - }, - "values": { + "agentArns": { "type": "array", "items": { "type": "string" }, - "description": "Specific value of the Cost Category.\n" + "description": "List of Amazon Resource Names (ARNs) of the DataSync Agents used to connect to the NFS server.\n", + "willReplaceOnChanges": true } }, - "type": "object" + "type": "object", + "required": [ + "agentArns" + ] }, - "aws:costexplorer/getTagsFilterNotTags:getTagsFilterNotTags": { + "aws:datasync/S3LocationS3Config:S3LocationS3Config": { "properties": { - "key": { - "type": "string" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - } - }, - "values": { - "type": "array", - "items": { - "type": "string" - } + "bucketAccessRoleArn": { + "type": "string", + "description": "ARN of the IAM Role used to connect to the S3 Bucket.\n", + "willReplaceOnChanges": true } }, - "type": "object" + "type": "object", + "required": [ + "bucketAccessRoleArn" + ] }, - "aws:costexplorer/getTagsFilterOr:getTagsFilterOr": { + "aws:datasync/TaskExcludes:TaskExcludes": { "properties": { - "costCategory": { - "$ref": "#/types/aws:costexplorer/getTagsFilterOrCostCategory:getTagsFilterOrCostCategory" - }, - "dimension": { - "$ref": "#/types/aws:costexplorer/getTagsFilterOrDimension:getTagsFilterOrDimension" + "filterType": { + "type": "string", + "description": "The type of filter rule to apply. Valid values: `SIMPLE_PATTERN`.\n" }, - "tags": { - "$ref": "#/types/aws:costexplorer/getTagsFilterOrTags:getTagsFilterOrTags", - "description": "Tags that match your request.\n" + "value": { + "type": "string", + "description": "A single filter string that consists of the patterns to exclude. 
The patterns are delimited by \"|\" (that is, a pipe), for example: `/folder1|/folder2`\n" } }, "type": "object" }, - "aws:costexplorer/getTagsFilterOrCostCategory:getTagsFilterOrCostCategory": { + "aws:datasync/TaskIncludes:TaskIncludes": { "properties": { - "key": { + "filterType": { "type": "string", - "description": "Unique name of the Cost Category.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" + "description": "The type of filter rule to apply. Valid values: `SIMPLE_PATTERN`.\n" }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Specific value of the Cost Category.\n" - } - }, - "type": "object" - }, - "aws:costexplorer/getTagsFilterOrDimension:getTagsFilterOrDimension": { - "properties": { - "key": { - "type": "string", - "description": "Unique name of the Cost Category.\n" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Specific value of the Cost Category.\n" - } - }, - "type": "object" - }, - "aws:costexplorer/getTagsFilterOrTags:getTagsFilterOrTags": { - "properties": { - "key": { - "type": "string" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - } - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:costexplorer/getTagsFilterTags:getTagsFilterTags": { - "properties": { - "key": { - "type": "string" - }, - "matchOptions": { - "type": "array", - "items": { - "type": "string" - } - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:costexplorer/getTagsSortBy:getTagsSortBy": { - "properties": { - "key": { - "type": "string", - "description": "key that's used to sort the data. Valid values are: `BlendedCost`, `UnblendedCost`, `AmortizedCost`, `NetAmortizedCost`, `NetUnblendedCost`, `UsageQuantity`, `NormalizedUsageAmount`.\n" - }, - "sortOrder": { - "type": "string", - "description": "order that's used to sort the data. Valid values are: `ASCENDING`, `DESCENDING`.\n" - } - }, - "type": "object" - }, - "aws:costexplorer/getTagsTimePeriod:getTagsTimePeriod": { - "properties": { - "end": { - "type": "string", - "description": "Beginning of the time period.\n" - }, - "start": { - "type": "string", - "description": "End of the time period.\n" - } - }, - "type": "object", - "required": [ - "end", - "start" - ] - }, - "aws:customerprofiles/DomainMatching:DomainMatching": { - "properties": { - "autoMerging": { - "$ref": "#/types/aws:customerprofiles/DomainMatchingAutoMerging:DomainMatchingAutoMerging", - "description": "A block that specifies the configuration about the auto-merging process. 
Documented below.\n" - }, - "enabled": { - "type": "boolean", - "description": "The flag that enables the matching process of duplicate profiles.\n" - }, - "exportingConfig": { - "$ref": "#/types/aws:customerprofiles/DomainMatchingExportingConfig:DomainMatchingExportingConfig", - "description": "A block that specifies the configuration for exporting Identity Resolution results. Documented below.\n" - }, - "jobSchedule": { - "$ref": "#/types/aws:customerprofiles/DomainMatchingJobSchedule:DomainMatchingJobSchedule", - "description": "A block that specifies the day and time when you want to start the Identity Resolution Job every week. Documented below.\n" - } - }, - "type": "object", - "required": [ - "enabled" - ], - "language": { - "nodejs": { - "requiredOutputs": [ - "autoMerging", - "enabled" - ] - } - } - }, - "aws:customerprofiles/DomainMatchingAutoMerging:DomainMatchingAutoMerging": { - "properties": { - "conflictResolution": { - "$ref": "#/types/aws:customerprofiles/DomainMatchingAutoMergingConflictResolution:DomainMatchingAutoMergingConflictResolution", - "description": "A block that specifies how the auto-merging process should resolve conflicts between different profiles. Documented below.\n" - }, - "consolidation": { - "$ref": "#/types/aws:customerprofiles/DomainMatchingAutoMergingConsolidation:DomainMatchingAutoMergingConsolidation", - "description": "A block that specifies a list of matching attributes that represent matching criteria. If two profiles meet at least one of the requirements in the matching attributes list, they will be merged. Documented below.\n* `min_allowed_confidence_score_for_merging ` - (Optional) A number between 0 and 1 that represents the minimum confidence score required for profiles within a matching group to be merged during the auto-merge process. 
A higher score means higher similarity required to merge profiles.\n" - }, - "enabled": { - "type": "boolean", - "description": "The flag that enables the auto-merging of duplicate profiles.\n" - }, - "minAllowedConfidenceScoreForMerging": { - "type": "number" - } - }, - "type": "object", - "required": [ - "enabled" - ] - }, - "aws:customerprofiles/DomainMatchingAutoMergingConflictResolution:DomainMatchingAutoMergingConflictResolution": { - "properties": { - "conflictResolvingModel": { - "type": "string", - "description": "How the auto-merging process should resolve conflicts between different profiles. Valid values are `RECENCY` and `SOURCE`\n" - }, - "sourceName": { - "type": "string", - "description": "The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel`.\n" - } - }, - "type": "object", - "required": [ - "conflictResolvingModel" - ] - }, - "aws:customerprofiles/DomainMatchingAutoMergingConsolidation:DomainMatchingAutoMergingConsolidation": { - "properties": { - "matchingAttributesLists": { - "type": "array", - "items": { - "type": "array", - "items": { - "type": "string" - } - }, - "description": "A list of matching criteria.\n" - } - }, - "type": "object", - "required": [ - "matchingAttributesLists" - ] - }, - "aws:customerprofiles/DomainMatchingExportingConfig:DomainMatchingExportingConfig": { - "properties": { - "s3Exporting": { - "$ref": "#/types/aws:customerprofiles/DomainMatchingExportingConfigS3Exporting:DomainMatchingExportingConfigS3Exporting" - } - }, - "type": "object" - }, - "aws:customerprofiles/DomainMatchingExportingConfigS3Exporting:DomainMatchingExportingConfigS3Exporting": { - "properties": { - "s3BucketName": { - "type": "string" - }, - "s3KeyName": { - "type": "string" - } - }, - "type": "object", - "required": [ - "s3BucketName" - ] - }, - "aws:customerprofiles/DomainMatchingJobSchedule:DomainMatchingJobSchedule": { - "properties": { - "dayOfTheWeek": { - "type": 
"string", - "description": "The day when the Identity Resolution Job should run every week.\n" - }, - "time": { - "type": "string", - "description": "The time when the Identity Resolution Job should run every week.\n" - } - }, - "type": "object", - "required": [ - "dayOfTheWeek", - "time" - ] - }, - "aws:customerprofiles/DomainRuleBasedMatching:DomainRuleBasedMatching": { - "properties": { - "attributeTypesSelector": { - "$ref": "#/types/aws:customerprofiles/DomainRuleBasedMatchingAttributeTypesSelector:DomainRuleBasedMatchingAttributeTypesSelector", - "description": "A block that configures information about the `AttributeTypesSelector` where the rule-based identity resolution uses to match profiles. Documented below.\n" - }, - "conflictResolution": { - "$ref": "#/types/aws:customerprofiles/DomainRuleBasedMatchingConflictResolution:DomainRuleBasedMatchingConflictResolution", - "description": "A block that specifies how the auto-merging process should resolve conflicts between different profiles. Documented below.\n" - }, - "enabled": { - "type": "boolean", - "description": "The flag that enables the rule-based matching process of duplicate profiles.\n" - }, - "exportingConfig": { - "$ref": "#/types/aws:customerprofiles/DomainRuleBasedMatchingExportingConfig:DomainRuleBasedMatchingExportingConfig", - "description": "A block that specifies the configuration for exporting Identity Resolution results. Documented below.\n" - }, - "matchingRules": { - "type": "array", - "items": { - "$ref": "#/types/aws:customerprofiles/DomainRuleBasedMatchingMatchingRule:DomainRuleBasedMatchingMatchingRule" - }, - "description": "A block that configures how the rule-based matching process should match profiles. You can have up to 15 `rule` in the `natching_rules`. 
Documented below.\n" - }, - "maxAllowedRuleLevelForMatching": { - "type": "integer", - "description": "Indicates the maximum allowed rule level for matching.\n" - }, - "maxAllowedRuleLevelForMerging": { - "type": "integer", - "description": "Indicates the maximum allowed rule level for merging.\n" - }, - "status": { - "type": "string" - } - }, - "type": "object", - "required": [ - "enabled" - ], - "language": { - "nodejs": { - "requiredOutputs": [ - "enabled", - "status" - ] - } - } - }, - "aws:customerprofiles/DomainRuleBasedMatchingAttributeTypesSelector:DomainRuleBasedMatchingAttributeTypesSelector": { - "properties": { - "addresses": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The `Address` type. You can choose from `Address`, `BusinessAddress`, `MaillingAddress`, and `ShippingAddress`.\n" - }, - "attributeMatchingModel": { - "type": "string", - "description": "Configures the `AttributeMatchingModel`, you can either choose `ONE_TO_ONE` or `MANY_TO_MANY`.\n" - }, - "emailAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The `Email` type. You can choose from `EmailAddress`, `BusinessEmailAddress` and `PersonalEmailAddress`.\n" - }, - "phoneNumbers": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The `PhoneNumber` type. You can choose from `PhoneNumber`, `HomePhoneNumber`, and `MobilePhoneNumber`.\n" - } - }, - "type": "object", - "required": [ - "attributeMatchingModel" - ] - }, - "aws:customerprofiles/DomainRuleBasedMatchingConflictResolution:DomainRuleBasedMatchingConflictResolution": { - "properties": { - "conflictResolvingModel": { - "type": "string", - "description": "How the auto-merging process should resolve conflicts between different profiles. 
Valid values are `RECENCY` and `SOURCE`\n" - }, - "sourceName": { - "type": "string", - "description": "The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel`.\n" - } - }, - "type": "object", - "required": [ - "conflictResolvingModel" - ] - }, - "aws:customerprofiles/DomainRuleBasedMatchingExportingConfig:DomainRuleBasedMatchingExportingConfig": { - "properties": { - "s3Exporting": { - "$ref": "#/types/aws:customerprofiles/DomainRuleBasedMatchingExportingConfigS3Exporting:DomainRuleBasedMatchingExportingConfigS3Exporting" - } - }, - "type": "object" - }, - "aws:customerprofiles/DomainRuleBasedMatchingExportingConfigS3Exporting:DomainRuleBasedMatchingExportingConfigS3Exporting": { - "properties": { - "s3BucketName": { - "type": "string" - }, - "s3KeyName": { - "type": "string" - } - }, - "type": "object", - "required": [ - "s3BucketName" - ] - }, - "aws:customerprofiles/DomainRuleBasedMatchingMatchingRule:DomainRuleBasedMatchingMatchingRule": { - "properties": { - "rules": { - "type": "array", - "items": { - "type": "string" - }, - "description": "A single rule level of the `match_rules`. 
Configures how the rule-based matching process should match profiles.\n" - } - }, - "type": "object", - "required": [ - "rules" - ] - }, - "aws:customerprofiles/ProfileAddress:ProfileAddress": { - "properties": { - "address1": { - "type": "string", - "description": "The first line of a customer address.\n" - }, - "address2": { - "type": "string", - "description": "The second line of a customer address.\n" - }, - "address3": { - "type": "string", - "description": "The third line of a customer address.\n" - }, - "address4": { - "type": "string", - "description": "The fourth line of a customer address.\n" - }, - "city": { - "type": "string", - "description": "The city in which a customer lives.\n" - }, - "country": { - "type": "string", - "description": "The country in which a customer lives.\n" - }, - "county": { - "type": "string", - "description": "The county in which a customer lives.\n" - }, - "postalCode": { - "type": "string", - "description": "The postal code of a customer address.\n" - }, - "province": { - "type": "string", - "description": "The province in which a customer lives.\n" - }, - "state": { - "type": "string", - "description": "The state in which a customer lives.\n" - } - }, - "type": "object" - }, - "aws:customerprofiles/ProfileBillingAddress:ProfileBillingAddress": { - "properties": { - "address1": { - "type": "string" - }, - "address2": { - "type": "string" - }, - "address3": { - "type": "string" - }, - "address4": { - "type": "string" - }, - "city": { - "type": "string" - }, - "country": { - "type": "string" - }, - "county": { - "type": "string" - }, - "postalCode": { - "type": "string" - }, - "province": { - "type": "string" - }, - "state": { - "type": "string" - } - }, - "type": "object" - }, - "aws:customerprofiles/ProfileMailingAddress:ProfileMailingAddress": { - "properties": { - "address1": { - "type": "string" - }, - "address2": { - "type": "string" - }, - "address3": { - "type": "string" - }, - "address4": { - "type": "string" - }, - 
"city": { - "type": "string" - }, - "country": { - "type": "string" - }, - "county": { - "type": "string" - }, - "postalCode": { - "type": "string" - }, - "province": { - "type": "string" - }, - "state": { - "type": "string" - } - }, - "type": "object" - }, - "aws:customerprofiles/ProfileShippingAddress:ProfileShippingAddress": { - "properties": { - "address1": { - "type": "string" - }, - "address2": { - "type": "string" - }, - "address3": { - "type": "string" - }, - "address4": { - "type": "string" - }, - "city": { - "type": "string" - }, - "country": { - "type": "string" - }, - "county": { - "type": "string" - }, - "postalCode": { - "type": "string" - }, - "province": { - "type": "string" - }, - "state": { - "type": "string" - } - }, - "type": "object" - }, - "aws:datapipeline/PipelineDefinitionParameterObject:PipelineDefinitionParameterObject": { - "properties": { - "attributes": { - "type": "array", - "items": { - "$ref": "#/types/aws:datapipeline/PipelineDefinitionParameterObjectAttribute:PipelineDefinitionParameterObjectAttribute" - }, - "description": "Configuration block for attributes of the parameter object. 
See below\n" - }, - "id": { - "type": "string", - "description": "ID of the parameter object.\n" - } - }, - "type": "object", - "required": [ - "id" - ] - }, - "aws:datapipeline/PipelineDefinitionParameterObjectAttribute:PipelineDefinitionParameterObjectAttribute": { - "properties": { - "key": { - "type": "string", - "description": "Field identifier.\n" - }, - "stringValue": { - "type": "string", - "description": "Field value, expressed as a String.\n" - } - }, - "type": "object", - "required": [ - "key", - "stringValue" - ] - }, - "aws:datapipeline/PipelineDefinitionParameterValue:PipelineDefinitionParameterValue": { - "properties": { - "id": { - "type": "string", - "description": "ID of the parameter value.\n" - }, - "stringValue": { - "type": "string", - "description": "Field value, expressed as a String.\n" - } - }, - "type": "object", - "required": [ - "id", - "stringValue" - ] - }, - "aws:datapipeline/PipelineDefinitionPipelineObject:PipelineDefinitionPipelineObject": { - "properties": { - "fields": { - "type": "array", - "items": { - "$ref": "#/types/aws:datapipeline/PipelineDefinitionPipelineObjectField:PipelineDefinitionPipelineObjectField" - }, - "description": "Configuration block for Key-value pairs that define the properties of the object. 
See below\n" - }, - "id": { - "type": "string", - "description": "ID of the object.\n" - }, - "name": { - "type": "string", - "description": "ARN of the storage connector.\n" - } - }, - "type": "object", - "required": [ - "id", - "name" - ] - }, - "aws:datapipeline/PipelineDefinitionPipelineObjectField:PipelineDefinitionPipelineObjectField": { - "properties": { - "key": { - "type": "string", - "description": "Field identifier.\n" - }, - "refValue": { - "type": "string", - "description": "Field value, expressed as the identifier of another object\n" - }, - "stringValue": { - "type": "string", - "description": "Field value, expressed as a String.\n" - } - }, - "type": "object", - "required": [ - "key" - ] - }, - "aws:datapipeline/getPipelineDefinitionParameterObject:getPipelineDefinitionParameterObject": { - "properties": { - "attributes": { - "type": "array", - "items": { - "$ref": "#/types/aws:datapipeline/getPipelineDefinitionParameterObjectAttribute:getPipelineDefinitionParameterObjectAttribute" - } - }, - "id": { - "type": "string", - "description": "ID of the object.\n" - } - }, - "type": "object", - "required": [ - "attributes", - "id" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:datapipeline/getPipelineDefinitionParameterObjectAttribute:getPipelineDefinitionParameterObjectAttribute": { - "properties": { - "key": { - "type": "string", - "description": "Field identifier.\n" - }, - "stringValue": { - "type": "string", - "description": "Field value, expressed as a String.\n" - } - }, - "type": "object", - "required": [ - "key", - "stringValue" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:datapipeline/getPipelineDefinitionParameterValue:getPipelineDefinitionParameterValue": { - "properties": { - "id": { - "type": "string", - "description": "ID of the object.\n" - }, - "stringValue": { - "type": "string", - "description": "Field value, expressed as a String.\n" - } - }, - "type": "object", - 
"required": [ - "id", - "stringValue" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:datapipeline/getPipelineDefinitionPipelineObject:getPipelineDefinitionPipelineObject": { - "properties": { - "fields": { - "type": "array", - "items": { - "$ref": "#/types/aws:datapipeline/getPipelineDefinitionPipelineObjectField:getPipelineDefinitionPipelineObjectField" - }, - "description": "Key-value pairs that define the properties of the object. See below\n" - }, - "id": { - "type": "string", - "description": "ID of the object.\n" - }, - "name": { - "type": "string", - "description": "ARN of the storage connector.\n" - } - }, - "type": "object", - "required": [ - "id", - "name" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:datapipeline/getPipelineDefinitionPipelineObjectField:getPipelineDefinitionPipelineObjectField": { - "properties": { - "key": { - "type": "string", - "description": "Field identifier.\n" - }, - "refValue": { - "type": "string", - "description": "Field value, expressed as the identifier of another object\n" - }, - "stringValue": { - "type": "string", - "description": "Field value, expressed as a String.\n" - } - }, - "type": "object", - "required": [ - "key", - "refValue", - "stringValue" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:datasync/EfsLocationEc2Config:EfsLocationEc2Config": { - "properties": { - "securityGroupArns": { - "type": "array", - "items": { - "type": "string" - }, - "description": "List of Amazon Resource Names (ARNs) of the EC2 Security Groups that are associated with the EFS Mount Target.\n", - "willReplaceOnChanges": true - }, - "subnetArn": { - "type": "string", - "description": "Amazon Resource Name (ARN) of the EC2 Subnet that is associated with the EFS Mount Target.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "securityGroupArns", - "subnetArn" - ] - }, - 
"aws:datasync/FsxOpenZfsFileSystemProtocol:FsxOpenZfsFileSystemProtocol": { - "properties": { - "nfs": { - "$ref": "#/types/aws:datasync/FsxOpenZfsFileSystemProtocolNfs:FsxOpenZfsFileSystemProtocolNfs", - "description": "Represents the Network File System (NFS) protocol that DataSync uses to access your FSx for OpenZFS file system. See below.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "nfs" - ] - }, - "aws:datasync/FsxOpenZfsFileSystemProtocolNfs:FsxOpenZfsFileSystemProtocolNfs": { - "properties": { - "mountOptions": { - "$ref": "#/types/aws:datasync/FsxOpenZfsFileSystemProtocolNfsMountOptions:FsxOpenZfsFileSystemProtocolNfsMountOptions", - "description": "Represents the mount options that are available for DataSync to access an NFS location. See below.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "mountOptions" - ] - }, - "aws:datasync/FsxOpenZfsFileSystemProtocolNfsMountOptions:FsxOpenZfsFileSystemProtocolNfsMountOptions": { - "properties": { - "version": { - "type": "string", - "description": "The specific NFS version that you want DataSync to use for mounting your NFS share. Valid values: `AUTOMATIC`, `NFS3`, `NFS4_0` and `NFS4_1`. Default: `AUTOMATIC`\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:datasync/LocationAzureBlobSasConfiguration:LocationAzureBlobSasConfiguration": { - "properties": { - "token": { - "type": "string", - "description": "A SAS token that provides permissions to access your Azure Blob Storage.\n" - } - }, - "type": "object", - "required": [ - "token" - ] - }, - "aws:datasync/LocationFsxOntapFileSystemProtocol:LocationFsxOntapFileSystemProtocol": { - "properties": { - "nfs": { - "$ref": "#/types/aws:datasync/LocationFsxOntapFileSystemProtocolNfs:LocationFsxOntapFileSystemProtocolNfs", - "description": "Network File System (NFS) protocol that DataSync uses to access your FSx ONTAP file system. 
See NFS below.\n", - "willReplaceOnChanges": true - }, - "smb": { - "$ref": "#/types/aws:datasync/LocationFsxOntapFileSystemProtocolSmb:LocationFsxOntapFileSystemProtocolSmb", - "description": "Server Message Block (SMB) protocol that DataSync uses to access your FSx ONTAP file system. See [SMB] (#smb) below.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:datasync/LocationFsxOntapFileSystemProtocolNfs:LocationFsxOntapFileSystemProtocolNfs": { - "properties": { - "mountOptions": { - "$ref": "#/types/aws:datasync/LocationFsxOntapFileSystemProtocolNfsMountOptions:LocationFsxOntapFileSystemProtocolNfsMountOptions", - "description": "Mount options that are available for DataSync to access an NFS location. See NFS Mount Options below.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "mountOptions" - ] - }, - "aws:datasync/LocationFsxOntapFileSystemProtocolNfsMountOptions:LocationFsxOntapFileSystemProtocolNfsMountOptions": { - "properties": { - "version": { - "type": "string", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:datasync/LocationFsxOntapFileSystemProtocolSmb:LocationFsxOntapFileSystemProtocolSmb": { - "properties": { - "domain": { - "type": "string", - "description": "Fully qualified domain name of the Microsoft Active Directory (AD) that your storage virtual machine belongs to.\n", - "willReplaceOnChanges": true - }, - "mountOptions": { - "$ref": "#/types/aws:datasync/LocationFsxOntapFileSystemProtocolSmbMountOptions:LocationFsxOntapFileSystemProtocolSmbMountOptions", - "description": "Mount options that are available for DataSync to access an SMB location. 
See SMB Mount Options below.\n", - "willReplaceOnChanges": true - }, - "password": { - "type": "string", - "description": "Password of a user who has permission to access your SVM.\n", - "secret": true, - "willReplaceOnChanges": true - }, - "user": { - "type": "string", - "description": "Username that can mount the location and access the files, folders, and metadata that you need in the SVM.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "mountOptions", - "password", - "user" - ] - }, - "aws:datasync/LocationFsxOntapFileSystemProtocolSmbMountOptions:LocationFsxOntapFileSystemProtocolSmbMountOptions": { - "properties": { - "version": { - "type": "string", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:datasync/LocationHdfsNameNode:LocationHdfsNameNode": { - "properties": { - "hostname": { - "type": "string", - "description": "The hostname of the NameNode in the HDFS cluster. This value is the IP address or Domain Name Service (DNS) name of the NameNode. An agent that's installed on-premises uses this hostname to communicate with the NameNode in the network.\n" - }, - "port": { - "type": "integer", - "description": "The port that the NameNode uses to listen to client requests.\n" - } - }, - "type": "object", - "required": [ - "hostname", - "port" - ] - }, - "aws:datasync/LocationHdfsQopConfiguration:LocationHdfsQopConfiguration": { - "properties": { - "dataTransferProtection": { - "type": "string", - "description": "The data transfer protection setting configured on the HDFS cluster. This setting corresponds to your dfs.data.transfer.protection setting in the hdfs-site.xml file on your Hadoop cluster. Valid values are `DISABLED`, `AUTHENTICATION`, `INTEGRITY` and `PRIVACY`.\n" - }, - "rpcProtection": { - "type": "string", - "description": "The RPC protection setting configured on the HDFS cluster. 
This setting corresponds to your hadoop.rpc.protection setting in your core-site.xml file on your Hadoop cluster. Valid values are `DISABLED`, `AUTHENTICATION`, `INTEGRITY` and `PRIVACY`.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "dataTransferProtection", - "rpcProtection" - ] - } - } - }, - "aws:datasync/LocationSmbMountOptions:LocationSmbMountOptions": { - "properties": { - "version": { - "type": "string", - "description": "The specific SMB version that you want DataSync to use for mounting your SMB share. Valid values: `AUTOMATIC`, `SMB2`, and `SMB3`. Default: `AUTOMATIC`\n" - } - }, - "type": "object" - }, - "aws:datasync/NfsLocationMountOptions:NfsLocationMountOptions": { - "properties": { - "version": { - "type": "string", - "description": "The specific NFS version that you want DataSync to use for mounting your NFS share. Valid values: `AUTOMATIC`, `NFS3`, `NFS4_0` and `NFS4_1`. Default: `AUTOMATIC`\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:datasync/NfsLocationOnPremConfig:NfsLocationOnPremConfig": { - "properties": { - "agentArns": { - "type": "array", - "items": { - "type": "string" - }, - "description": "List of Amazon Resource Names (ARNs) of the DataSync Agents used to connect to the NFS server.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "agentArns" - ] - }, - "aws:datasync/S3LocationS3Config:S3LocationS3Config": { - "properties": { - "bucketAccessRoleArn": { - "type": "string", - "description": "ARN of the IAM Role used to connect to the S3 Bucket.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "bucketAccessRoleArn" - ] - }, - "aws:datasync/TaskExcludes:TaskExcludes": { - "properties": { - "filterType": { - "type": "string", - "description": "The type of filter rule to apply. 
Valid values: `SIMPLE_PATTERN`.\n" - }, - "value": { - "type": "string", - "description": "A single filter string that consists of the patterns to exclude. The patterns are delimited by \"|\" (that is, a pipe), for example: `/folder1|/folder2`\n" - } - }, - "type": "object" - }, - "aws:datasync/TaskIncludes:TaskIncludes": { - "properties": { - "filterType": { - "type": "string", - "description": "The type of filter rule to apply. Valid values: `SIMPLE_PATTERN`.\n" - }, - "value": { - "type": "string", - "description": "A single filter string that consists of the patterns to include. The patterns are delimited by \"|\" (that is, a pipe), for example: `/folder1|/folder2`\n" + "value": { + "type": "string", + "description": "A single filter string that consists of the patterns to include. The patterns are delimited by \"|\" (that is, a pipe), for example: `/folder1|/folder2`\n" } }, "type": "object" 
@@ -136835,8437 +135077,65 @@ "comparison": { "type": "string" }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersFindingProviderFieldsRelatedFindingsProductArn:InsightFiltersFindingProviderFieldsRelatedFindingsProductArn": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersFindingProviderFieldsSeverityLabel:InsightFiltersFindingProviderFieldsSeverityLabel": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersFindingProviderFieldsSeverityOriginal:InsightFiltersFindingProviderFieldsSeverityOriginal": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersFindingProviderFieldsType:InsightFiltersFindingProviderFieldsType": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersFirstObservedAt:InsightFiltersFirstObservedAt": { - "properties": { - "dateRange": { - "$ref": "#/types/aws:securityhub/InsightFiltersFirstObservedAtDateRange:InsightFiltersFirstObservedAtDateRange" - }, - "end": { - "type": "string" - }, - "start": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersFirstObservedAtDateRange:InsightFiltersFirstObservedAtDateRange": { - "properties": { - "unit": { - "type": "string", - "description": "A date range unit for the date filter. 
Valid values: `DAYS`.\n" - }, - "value": { - "type": "integer", - "description": "A date range value for the date filter, provided as an Integer.\n" - } - }, - "type": "object", - "required": [ - "unit", - "value" - ] - }, - "aws:securityhub/InsightFiltersGeneratorId:InsightFiltersGeneratorId": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersId:InsightFiltersId": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersKeyword:InsightFiltersKeyword": { - "properties": { - "value": { - "type": "string", - "description": "A value for the keyword.\n" - } - }, - "type": "object", - "required": [ - "value" - ] - }, - "aws:securityhub/InsightFiltersLastObservedAt:InsightFiltersLastObservedAt": { - "properties": { - "dateRange": { - "$ref": "#/types/aws:securityhub/InsightFiltersLastObservedAtDateRange:InsightFiltersLastObservedAtDateRange" - }, - "end": { - "type": "string" - }, - "start": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersLastObservedAtDateRange:InsightFiltersLastObservedAtDateRange": { - "properties": { - "unit": { - "type": "string", - "description": "A date range unit for the date filter. 
Valid values: `DAYS`.\n" - }, - "value": { - "type": "integer", - "description": "A date range value for the date filter, provided as an Integer.\n" - } - }, - "type": "object", - "required": [ - "unit", - "value" - ] - }, - "aws:securityhub/InsightFiltersMalwareName:InsightFiltersMalwareName": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersMalwarePath:InsightFiltersMalwarePath": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersMalwareState:InsightFiltersMalwareState": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersMalwareType:InsightFiltersMalwareType": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersNetworkDestinationDomain:InsightFiltersNetworkDestinationDomain": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersNetworkDestinationIpv4:InsightFiltersNetworkDestinationIpv4": { - "properties": { - "cidr": { - "type": "string" - } - }, - "type": "object", - "required": [ - "cidr" - ] - }, - "aws:securityhub/InsightFiltersNetworkDestinationIpv6:InsightFiltersNetworkDestinationIpv6": { - "properties": { - "cidr": { - "type": "string" - } - }, - "type": "object", - "required": [ - "cidr" - ] - }, - "aws:securityhub/InsightFiltersNetworkDestinationPort:InsightFiltersNetworkDestinationPort": 
{ - "properties": { - "eq": { - "type": "string" - }, - "gte": { - "type": "string" - }, - "lte": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersNetworkDirection:InsightFiltersNetworkDirection": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersNetworkProtocol:InsightFiltersNetworkProtocol": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersNetworkSourceDomain:InsightFiltersNetworkSourceDomain": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersNetworkSourceIpv4:InsightFiltersNetworkSourceIpv4": { - "properties": { - "cidr": { - "type": "string" - } - }, - "type": "object", - "required": [ - "cidr" - ] - }, - "aws:securityhub/InsightFiltersNetworkSourceIpv6:InsightFiltersNetworkSourceIpv6": { - "properties": { - "cidr": { - "type": "string" - } - }, - "type": "object", - "required": [ - "cidr" - ] - }, - "aws:securityhub/InsightFiltersNetworkSourceMac:InsightFiltersNetworkSourceMac": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersNetworkSourcePort:InsightFiltersNetworkSourcePort": { - "properties": { - "eq": { - "type": "string" - }, - "gte": { - "type": "string" - }, - "lte": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersNoteText:InsightFiltersNoteText": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": 
"object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersNoteUpdatedAt:InsightFiltersNoteUpdatedAt": { - "properties": { - "dateRange": { - "$ref": "#/types/aws:securityhub/InsightFiltersNoteUpdatedAtDateRange:InsightFiltersNoteUpdatedAtDateRange" - }, - "end": { - "type": "string" - }, - "start": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersNoteUpdatedAtDateRange:InsightFiltersNoteUpdatedAtDateRange": { - "properties": { - "unit": { - "type": "string", - "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" - }, - "value": { - "type": "integer", - "description": "A date range value for the date filter, provided as an Integer.\n" - } - }, - "type": "object", - "required": [ - "unit", - "value" - ] - }, - "aws:securityhub/InsightFiltersNoteUpdatedBy:InsightFiltersNoteUpdatedBy": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersProcessLaunchedAt:InsightFiltersProcessLaunchedAt": { - "properties": { - "dateRange": { - "$ref": "#/types/aws:securityhub/InsightFiltersProcessLaunchedAtDateRange:InsightFiltersProcessLaunchedAtDateRange" - }, - "end": { - "type": "string" - }, - "start": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersProcessLaunchedAtDateRange:InsightFiltersProcessLaunchedAtDateRange": { - "properties": { - "unit": { - "type": "string", - "description": "A date range unit for the date filter. 
Valid values: `DAYS`.\n" - }, - "value": { - "type": "integer", - "description": "A date range value for the date filter, provided as an Integer.\n" - } - }, - "type": "object", - "required": [ - "unit", - "value" - ] - }, - "aws:securityhub/InsightFiltersProcessName:InsightFiltersProcessName": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersProcessParentPid:InsightFiltersProcessParentPid": { - "properties": { - "eq": { - "type": "string" - }, - "gte": { - "type": "string" - }, - "lte": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersProcessPath:InsightFiltersProcessPath": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersProcessPid:InsightFiltersProcessPid": { - "properties": { - "eq": { - "type": "string" - }, - "gte": { - "type": "string" - }, - "lte": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersProcessTerminatedAt:InsightFiltersProcessTerminatedAt": { - "properties": { - "dateRange": { - "$ref": "#/types/aws:securityhub/InsightFiltersProcessTerminatedAtDateRange:InsightFiltersProcessTerminatedAtDateRange" - }, - "end": { - "type": "string" - }, - "start": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersProcessTerminatedAtDateRange:InsightFiltersProcessTerminatedAtDateRange": { - "properties": { - "unit": { - "type": "string", - "description": "A date range unit for the date filter. 
Valid values: `DAYS`.\n" - }, - "value": { - "type": "integer", - "description": "A date range value for the date filter, provided as an Integer.\n" - } - }, - "type": "object", - "required": [ - "unit", - "value" - ] - }, - "aws:securityhub/InsightFiltersProductArn:InsightFiltersProductArn": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersProductField:InsightFiltersProductField": { - "properties": { - "comparison": { - "type": "string" - }, - "key": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "key", - "value" - ] - }, - "aws:securityhub/InsightFiltersProductName:InsightFiltersProductName": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersRecommendationText:InsightFiltersRecommendationText": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersRecordState:InsightFiltersRecordState": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersRelatedFindingsId:InsightFiltersRelatedFindingsId": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersRelatedFindingsProductArn:InsightFiltersRelatedFindingsProductArn": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", 
- "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsEc2InstanceIamInstanceProfileArn:InsightFiltersResourceAwsEc2InstanceIamInstanceProfileArn": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsEc2InstanceImageId:InsightFiltersResourceAwsEc2InstanceImageId": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsEc2InstanceIpv4Address:InsightFiltersResourceAwsEc2InstanceIpv4Address": { - "properties": { - "cidr": { - "type": "string" - } - }, - "type": "object", - "required": [ - "cidr" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsEc2InstanceIpv6Address:InsightFiltersResourceAwsEc2InstanceIpv6Address": { - "properties": { - "cidr": { - "type": "string" - } - }, - "type": "object", - "required": [ - "cidr" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsEc2InstanceKeyName:InsightFiltersResourceAwsEc2InstanceKeyName": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsEc2InstanceLaunchedAt:InsightFiltersResourceAwsEc2InstanceLaunchedAt": { - "properties": { - "dateRange": { - "$ref": "#/types/aws:securityhub/InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange:InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange" - }, - "end": { - "type": "string" - }, - "start": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange:InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange": { - "properties": { - "unit": { - "type": "string", - "description": "A 
date range unit for the date filter. Valid values: `DAYS`.\n" - }, - "value": { - "type": "integer", - "description": "A date range value for the date filter, provided as an Integer.\n" - } - }, - "type": "object", - "required": [ - "unit", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsEc2InstanceSubnetId:InsightFiltersResourceAwsEc2InstanceSubnetId": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsEc2InstanceType:InsightFiltersResourceAwsEc2InstanceType": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsEc2InstanceVpcId:InsightFiltersResourceAwsEc2InstanceVpcId": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsIamAccessKeyCreatedAt:InsightFiltersResourceAwsIamAccessKeyCreatedAt": { - "properties": { - "dateRange": { - "$ref": "#/types/aws:securityhub/InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange:InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange" - }, - "end": { - "type": "string" - }, - "start": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange:InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange": { - "properties": { - "unit": { - "type": "string", - "description": "A date range unit for the date filter. 
Valid values: `DAYS`.\n" - }, - "value": { - "type": "integer", - "description": "A date range value for the date filter, provided as an Integer.\n" - } - }, - "type": "object", - "required": [ - "unit", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsIamAccessKeyStatus:InsightFiltersResourceAwsIamAccessKeyStatus": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsIamAccessKeyUserName:InsightFiltersResourceAwsIamAccessKeyUserName": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsS3BucketOwnerId:InsightFiltersResourceAwsS3BucketOwnerId": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceAwsS3BucketOwnerName:InsightFiltersResourceAwsS3BucketOwnerName": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceContainerImageId:InsightFiltersResourceContainerImageId": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceContainerImageName:InsightFiltersResourceContainerImageName": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - 
"aws:securityhub/InsightFiltersResourceContainerLaunchedAt:InsightFiltersResourceContainerLaunchedAt": { - "properties": { - "dateRange": { - "$ref": "#/types/aws:securityhub/InsightFiltersResourceContainerLaunchedAtDateRange:InsightFiltersResourceContainerLaunchedAtDateRange" - }, - "end": { - "type": "string" - }, - "start": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersResourceContainerLaunchedAtDateRange:InsightFiltersResourceContainerLaunchedAtDateRange": { - "properties": { - "unit": { - "type": "string", - "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" - }, - "value": { - "type": "integer", - "description": "A date range value for the date filter, provided as an Integer.\n" - } - }, - "type": "object", - "required": [ - "unit", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceContainerName:InsightFiltersResourceContainerName": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceDetailsOther:InsightFiltersResourceDetailsOther": { - "properties": { - "comparison": { - "type": "string" - }, - "key": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "key", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceId:InsightFiltersResourceId": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourcePartition:InsightFiltersResourcePartition": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceRegion:InsightFiltersResourceRegion": { 
- "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceTag:InsightFiltersResourceTag": { - "properties": { - "comparison": { - "type": "string" - }, - "key": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "key", - "value" - ] - }, - "aws:securityhub/InsightFiltersResourceType:InsightFiltersResourceType": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersSeverityLabel:InsightFiltersSeverityLabel": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersSourceUrl:InsightFiltersSourceUrl": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersThreatIntelIndicatorCategory:InsightFiltersThreatIntelIndicatorCategory": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersThreatIntelIndicatorLastObservedAt:InsightFiltersThreatIntelIndicatorLastObservedAt": { - "properties": { - "dateRange": { - "$ref": "#/types/aws:securityhub/InsightFiltersThreatIntelIndicatorLastObservedAtDateRange:InsightFiltersThreatIntelIndicatorLastObservedAtDateRange" - }, - "end": { - "type": "string" - }, - "start": { - "type": "string" - } - }, - "type": "object" - }, - 
"aws:securityhub/InsightFiltersThreatIntelIndicatorLastObservedAtDateRange:InsightFiltersThreatIntelIndicatorLastObservedAtDateRange": { - "properties": { - "unit": { - "type": "string", - "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" - }, - "value": { - "type": "integer", - "description": "A date range value for the date filter, provided as an Integer.\n" - } - }, - "type": "object", - "required": [ - "unit", - "value" - ] - }, - "aws:securityhub/InsightFiltersThreatIntelIndicatorSource:InsightFiltersThreatIntelIndicatorSource": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersThreatIntelIndicatorSourceUrl:InsightFiltersThreatIntelIndicatorSourceUrl": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersThreatIntelIndicatorType:InsightFiltersThreatIntelIndicatorType": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersThreatIntelIndicatorValue:InsightFiltersThreatIntelIndicatorValue": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersTitle:InsightFiltersTitle": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersType:InsightFiltersType": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - 
"required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersUpdatedAt:InsightFiltersUpdatedAt": { - "properties": { - "dateRange": { - "$ref": "#/types/aws:securityhub/InsightFiltersUpdatedAtDateRange:InsightFiltersUpdatedAtDateRange" - }, - "end": { - "type": "string" - }, - "start": { - "type": "string" - } - }, - "type": "object" - }, - "aws:securityhub/InsightFiltersUpdatedAtDateRange:InsightFiltersUpdatedAtDateRange": { - "properties": { - "unit": { - "type": "string", - "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" - }, - "value": { - "type": "integer", - "description": "A date range value for the date filter, provided as an Integer.\n" - } - }, - "type": "object", - "required": [ - "unit", - "value" - ] - }, - "aws:securityhub/InsightFiltersUserDefinedValue:InsightFiltersUserDefinedValue": { - "properties": { - "comparison": { - "type": "string" - }, - "key": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "key", - "value" - ] - }, - "aws:securityhub/InsightFiltersVerificationState:InsightFiltersVerificationState": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/InsightFiltersWorkflowStatus:InsightFiltersWorkflowStatus": { - "properties": { - "comparison": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparison", - "value" - ] - }, - "aws:securityhub/OrganizationConfigurationOrganizationConfiguration:OrganizationConfigurationOrganizationConfiguration": { - "properties": { - "configurationType": { - "type": "string", - "description": "Indicates whether the organization uses local or central configuration. If using central configuration, `auto_enable` must be set to `false` and `auto_enable_standards` set to `NONE`. 
More information can be found in the [documentation for central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html). Valid values: `LOCAL`, `CENTRAL`.\n" - } - }, - "type": "object", - "required": [ - "configurationType" - ] - }, - "aws:securitylake/AwsLogSourceSource:AwsLogSourceSource": { - "properties": { - "accounts": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Specify the AWS account information where you want to enable Security Lake.\nIf not specified, uses all accounts included in the Security Lake.\n" - }, - "regions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Specify the Regions where you want to enable Security Lake.\n" - }, - "sourceName": { - "type": "string", - "description": "The name for a AWS source. This must be a Regionally unique value. Valid values: `ROUTE53`, `VPC_FLOW`, `SH_FINDINGS`, `CLOUD_TRAIL_MGMT`, `LAMBDA_EXECUTION`, `S3_DATA`.\n" - }, - "sourceVersion": { - "type": "string", - "description": "The version for a AWS source.\nIf not specified, the version will be the default.\nThis must be a Regionally unique value.\n" - } - }, - "type": "object", - "required": [ - "regions", - "sourceName" - ], - "language": { - "nodejs": { - "requiredOutputs": [ - "accounts", - "regions", - "sourceName", - "sourceVersion" - ] - } - } - }, - "aws:securitylake/CustomLogSourceAttribute:CustomLogSourceAttribute": { - "properties": { - "crawlerArn": { - "type": "string", - "description": "The ARN of the AWS Glue crawler.\n" - }, - "databaseArn": { - "type": "string", - "description": "The ARN of the AWS Glue database where results are written.\n" - }, - "tableArn": { - "type": "string", - "description": "The ARN of the AWS Glue table.\n" - } - }, - "type": "object", - "required": [ - "crawlerArn", - "databaseArn", - "tableArn" - ] - }, - "aws:securitylake/CustomLogSourceConfiguration:CustomLogSourceConfiguration": { - "properties": { - 
"crawlerConfiguration": { - "$ref": "#/types/aws:securitylake/CustomLogSourceConfigurationCrawlerConfiguration:CustomLogSourceConfigurationCrawlerConfiguration", - "description": "The configuration for the Glue Crawler for the third-party custom source.\n" - }, - "providerIdentity": { - "$ref": "#/types/aws:securitylake/CustomLogSourceConfigurationProviderIdentity:CustomLogSourceConfigurationProviderIdentity", - "description": "The identity of the log provider for the third-party custom source.\n" - } - }, - "type": "object" - }, - "aws:securitylake/CustomLogSourceConfigurationCrawlerConfiguration:CustomLogSourceConfigurationCrawlerConfiguration": { - "properties": { - "roleArn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to be used by the AWS Glue crawler.\n" - } - }, - "type": "object", - "required": [ - "roleArn" - ] - }, - "aws:securitylake/CustomLogSourceConfigurationProviderIdentity:CustomLogSourceConfigurationProviderIdentity": { - "properties": { - "externalId": { - "type": "string", - "description": "The external ID used to estalish trust relationship with the AWS identity.\n" - }, - "principal": { - "type": "string", - "description": "The AWS identity principal.\n" - } - }, - "type": "object", - "required": [ - "externalId", - "principal" - ] - }, - "aws:securitylake/CustomLogSourceProviderDetail:CustomLogSourceProviderDetail": { - "properties": { - "location": { - "type": "string", - "description": "The location of the partition in the Amazon S3 bucket for Security Lake.\n" - }, - "roleArn": { - "type": "string", - "description": "The ARN of the IAM role to be used by the entity putting logs into your custom source partition.\n" - } - }, - "type": "object", - "required": [ - "location", - "roleArn" - ] - }, - "aws:securitylake/DataLakeConfiguration:DataLakeConfiguration": { - "properties": { - "encryptionConfigurations": { - "type": "array", - "items": { - "$ref": 
"#/types/aws:securitylake/DataLakeConfigurationEncryptionConfiguration:DataLakeConfigurationEncryptionConfiguration" - }, - "description": "Provides encryption details of Amazon Security Lake object.\n" - }, - "lifecycleConfiguration": { - "$ref": "#/types/aws:securitylake/DataLakeConfigurationLifecycleConfiguration:DataLakeConfigurationLifecycleConfiguration", - "description": "Provides lifecycle details of Amazon Security Lake object.\n" - }, - "region": { - "type": "string", - "description": "The AWS Regions where Security Lake is automatically enabled.\n" - }, - "replicationConfiguration": { - "$ref": "#/types/aws:securitylake/DataLakeConfigurationReplicationConfiguration:DataLakeConfigurationReplicationConfiguration", - "description": "Provides replication details of Amazon Security Lake object.\n" - } - }, - "type": "object", - "required": [ - "region" - ], - "language": { - "nodejs": { - "requiredOutputs": [ - "encryptionConfigurations", - "region" - ] - } - } - }, - "aws:securitylake/DataLakeConfigurationEncryptionConfiguration:DataLakeConfigurationEncryptionConfiguration": { - "properties": { - "kmsKeyId": { - "type": "string", - "description": "The id of KMS encryption key used by Amazon Security Lake to encrypt the Security Lake object.\n" - } - }, - "type": "object", - "required": [ - "kmsKeyId" - ] - }, - "aws:securitylake/DataLakeConfigurationLifecycleConfiguration:DataLakeConfigurationLifecycleConfiguration": { - "properties": { - "expiration": { - "$ref": "#/types/aws:securitylake/DataLakeConfigurationLifecycleConfigurationExpiration:DataLakeConfigurationLifecycleConfigurationExpiration", - "description": "Provides data expiration details of Amazon Security Lake object.\n" - }, - "transitions": { - "type": "array", - "items": { - "$ref": "#/types/aws:securitylake/DataLakeConfigurationLifecycleConfigurationTransition:DataLakeConfigurationLifecycleConfigurationTransition" - }, - "description": "Provides data storage transition details of Amazon 
Security Lake object.\n" - } - }, - "type": "object" - }, - "aws:securitylake/DataLakeConfigurationLifecycleConfigurationExpiration:DataLakeConfigurationLifecycleConfigurationExpiration": { - "properties": { - "days": { - "type": "integer", - "description": "Number of days before data transition to a different S3 Storage Class in the Amazon Security Lake object.\n" - } - }, - "type": "object" - }, - "aws:securitylake/DataLakeConfigurationLifecycleConfigurationTransition:DataLakeConfigurationLifecycleConfigurationTransition": { - "properties": { - "days": { - "type": "integer", - "description": "Number of days before data transition to a different S3 Storage Class in the Amazon Security Lake object.\n" - }, - "storageClass": { - "type": "string", - "description": "The range of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads.\n" - } - }, - "type": "object" - }, - "aws:securitylake/DataLakeConfigurationReplicationConfiguration:DataLakeConfigurationReplicationConfiguration": { - "properties": { - "regions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Amazon S3 buckets that are configured for object replication can be owned by the same AWS account or by different accounts. You can replicate objects to a single destination bucket or to multiple destination buckets. The destination buckets can be in different AWS Regions or within the same Region as the source bucket.\n" - }, - "roleArn": { - "type": "string", - "description": "Replication settings for the Amazon S3 buckets. 
This parameter uses the AWS Identity and Access Management (IAM) role you created that is managed by Security Lake, to ensure the replication setting is correct.\n" - } - }, - "type": "object" - }, - "aws:securitylake/DataLakeTimeouts:DataLakeTimeouts": { - "properties": { - "create": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" - }, - "delete": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.\n" - }, - "update": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". 
Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" - } - }, - "type": "object" - }, - "aws:securitylake/SubscriberNotificationConfiguration:SubscriberNotificationConfiguration": { - "properties": { - "httpsNotificationConfiguration": { - "$ref": "#/types/aws:securitylake/SubscriberNotificationConfigurationHttpsNotificationConfiguration:SubscriberNotificationConfigurationHttpsNotificationConfiguration", - "description": "The configurations for HTTPS subscriber notification.\n" - }, - "sqsNotificationConfiguration": { - "$ref": "#/types/aws:securitylake/SubscriberNotificationConfigurationSqsNotificationConfiguration:SubscriberNotificationConfigurationSqsNotificationConfiguration", - "description": "The configurations for SQS subscriber notification.\nThere are no parameters within `sqs_notification_configuration`.\n" - } - }, - "type": "object" - }, - "aws:securitylake/SubscriberNotificationConfigurationHttpsNotificationConfiguration:SubscriberNotificationConfigurationHttpsNotificationConfiguration": { - "properties": { - "authorizationApiKeyName": { - "type": "string", - "description": "The API key name for the notification subscription.\n" - }, - "authorizationApiKeyValue": { - "type": "string", - "description": "The API key value for the notification subscription.\n", - "secret": true - }, - "endpoint": { - "type": "string", - "description": "The subscription endpoint in Security Lake.\nIf you prefer notification with an HTTPS endpoint, populate this field.\n" - }, - "httpMethod": { - "type": "string", - "description": "The HTTP method used for the notification subscription.\nValid values are `POST` and `PUT`.\n" - }, - "targetRoleArn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the EventBridge API destinations IAM role that you created.\nFor more information about ARNs and how to use them in policies, see Managing data access and AWS Managed Policies in the Amazon Security Lake User Guide.\n" - } - }, - "type": 
"object", - "required": [ - "endpoint", - "targetRoleArn" - ] - }, - "aws:securitylake/SubscriberNotificationConfigurationSqsNotificationConfiguration:SubscriberNotificationConfigurationSqsNotificationConfiguration": { - "type": "object" - }, - "aws:securitylake/SubscriberSource:SubscriberSource": { - "properties": { - "awsLogSourceResource": { - "$ref": "#/types/aws:securitylake/SubscriberSourceAwsLogSourceResource:SubscriberSourceAwsLogSourceResource", - "description": "Amazon Security Lake supports log and event collection for natively supported AWS services.\n" - }, - "customLogSourceResource": { - "$ref": "#/types/aws:securitylake/SubscriberSourceCustomLogSourceResource:SubscriberSourceCustomLogSourceResource", - "description": "Amazon Security Lake supports custom source types.\n" - } - }, - "type": "object" - }, - "aws:securitylake/SubscriberSourceAwsLogSourceResource:SubscriberSourceAwsLogSourceResource": { - "properties": { - "sourceName": { - "type": "string", - "description": "The name for a third-party custom source. This must be a Regionally unique value.\n" - }, - "sourceVersion": { - "type": "string", - "description": "The version for a third-party custom source. 
This must be a Regionally unique value.\n" - } - }, - "type": "object", - "required": [ - "sourceName" - ], - "language": { - "nodejs": { - "requiredOutputs": [ - "sourceName", - "sourceVersion" - ] - } - } - }, - "aws:securitylake/SubscriberSourceCustomLogSourceResource:SubscriberSourceCustomLogSourceResource": { - "properties": { - "attributes": { - "type": "array", - "items": { - "$ref": "#/types/aws:securitylake/SubscriberSourceCustomLogSourceResourceAttribute:SubscriberSourceCustomLogSourceResourceAttribute" - }, - "description": "The attributes of a third-party custom source.\n" - }, - "providers": { - "type": "array", - "items": { - "$ref": "#/types/aws:securitylake/SubscriberSourceCustomLogSourceResourceProvider:SubscriberSourceCustomLogSourceResourceProvider" - } - }, - "sourceName": { - "type": "string", - "description": "The name for a third-party custom source. This must be a Regionally unique value.\n" - }, - "sourceVersion": { - "type": "string", - "description": "The version for a third-party custom source. 
This must be a Regionally unique value.\n" - } - }, - "type": "object", - "required": [ - "sourceName" - ], - "language": { - "nodejs": { - "requiredOutputs": [ - "attributes", - "providers", - "sourceName", - "sourceVersion" - ] - } - } - }, - "aws:securitylake/SubscriberSourceCustomLogSourceResourceAttribute:SubscriberSourceCustomLogSourceResourceAttribute": { - "properties": { - "crawlerArn": { - "type": "string", - "description": "The ARN of the AWS Glue crawler.\n" - }, - "databaseArn": { - "type": "string", - "description": "The ARN of the AWS Glue database where results are written.\n" - }, - "tableArn": { - "type": "string", - "description": "The ARN of the AWS Glue table.\n" - } - }, - "type": "object", - "required": [ - "crawlerArn", - "databaseArn", - "tableArn" - ] - }, - "aws:securitylake/SubscriberSourceCustomLogSourceResourceProvider:SubscriberSourceCustomLogSourceResourceProvider": { - "properties": { - "location": { - "type": "string", - "description": "The location of the partition in the Amazon S3 bucket for Security Lake.\n" - }, - "roleArn": { - "type": "string", - "description": "The ARN of the IAM role to be used by the entity putting logs into your custom source partition.\n" - } - }, - "type": "object", - "required": [ - "location", - "roleArn" - ] - }, - "aws:securitylake/SubscriberSubscriberIdentity:SubscriberSubscriberIdentity": { - "properties": { - "externalId": { - "type": "string", - "description": "The AWS Regions where Security Lake is automatically enabled.\n" - }, - "principal": { - "type": "string", - "description": "Provides encryption details of Amazon Security Lake object.\n" - } - }, - "type": "object", - "required": [ - "externalId", - "principal" - ] - }, - "aws:securitylake/SubscriberTimeouts:SubscriberTimeouts": { - "properties": { - "create": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" 
or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" - }, - "delete": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.\n" - }, - "update": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" - } - }, - "type": "object" - }, - "aws:servicecatalog/ProductProvisioningArtifactParameters:ProductProvisioningArtifactParameters": { - "properties": { - "description": { - "type": "string", - "description": "Description of the provisioning artifact (i.e., version), including how it differs from the previous provisioning artifact.\n", - "willReplaceOnChanges": true - }, - "disableTemplateValidation": { - "type": "boolean", - "description": "Whether AWS Service Catalog stops validating the specified provisioning artifact template even if it is invalid.\n", - "willReplaceOnChanges": true - }, - "name": { - "type": "string", - "description": "Name of the provisioning artifact (for example, `v1`, `v2beta`). No spaces are allowed.\n", - "willReplaceOnChanges": true - }, - "templatePhysicalId": { - "type": "string", - "description": "Template source as the physical ID of the resource that contains the template. Currently only supports CloudFormation stack ARN. 
Specify the physical ID as `arn:[partition]:cloudformation:[region]:[account ID]:stack/[stack name]/[resource ID]`.\n", - "willReplaceOnChanges": true - }, - "templateUrl": { - "type": "string", - "description": "Template source as URL of the CloudFormation template in Amazon S3.\n", - "willReplaceOnChanges": true - }, - "type": { - "type": "string", - "description": "Type of provisioning artifact. See [AWS Docs](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_ProvisioningArtifactProperties.html) for valid list of values.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:servicecatalog/ProvisionedProductOutput:ProvisionedProductOutput": { - "properties": { - "description": { - "type": "string", - "description": "The description of the output.\n" - }, - "key": { - "type": "string", - "description": "The output key.\n" - }, - "value": { - "type": "string", - "description": "The output value.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "description", - "key", - "value" - ] - } - } - }, - "aws:servicecatalog/ProvisionedProductProvisioningParameter:ProvisionedProductProvisioningParameter": { - "properties": { - "key": { - "type": "string", - "description": "Parameter key.\n" - }, - "usePreviousValue": { - "type": "boolean", - "description": "Whether to ignore `value` and keep the previous parameter value. Ignored when initially provisioning a product.\n" - }, - "value": { - "type": "string", - "description": "Parameter value.\n" - } - }, - "type": "object", - "required": [ - "key" - ] - }, - "aws:servicecatalog/ProvisionedProductStackSetProvisioningPreferences:ProvisionedProductStackSetProvisioningPreferences": { - "properties": { - "accounts": { - "type": "array", - "items": { - "type": "string" - }, - "description": "One or more AWS accounts that will have access to the provisioned product. The AWS accounts specified should be within the list of accounts in the STACKSET constraint. 
To get the list of accounts in the STACKSET constraint, use the `aws_servicecatalog_provisioning_parameters` data source. If no values are specified, the default value is all accounts from the STACKSET constraint.\n" - }, - "failureToleranceCount": { - "type": "integer", - "description": "Number of accounts, per region, for which this operation can fail before AWS Service Catalog stops the operation in that region. If the operation is stopped in a region, AWS Service Catalog doesn't attempt the operation in any subsequent regions. You must specify either `failure_tolerance_count` or `failure_tolerance_percentage`, but not both. The default value is 0 if no value is specified.\n" - }, - "failureTolerancePercentage": { - "type": "integer", - "description": "Percentage of accounts, per region, for which this stack operation can fail before AWS Service Catalog stops the operation in that region. If the operation is stopped in a region, AWS Service Catalog doesn't attempt the operation in any subsequent regions. When calculating the number of accounts based on the specified percentage, AWS Service Catalog rounds down to the next whole number. You must specify either `failure_tolerance_count` or `failure_tolerance_percentage`, but not both.\n" - }, - "maxConcurrencyCount": { - "type": "integer", - "description": "Maximum number of accounts in which to perform this operation at one time. This is dependent on the value of `failure_tolerance_count`. `max_concurrency_count` is at most one more than the `failure_tolerance_count`. Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual number of accounts acted upon concurrently may be lower due to service throttling. 
You must specify either `max_concurrency_count` or `max_concurrency_percentage`, but not both.\n" - }, - "maxConcurrencyPercentage": { - "type": "integer", - "description": "Maximum percentage of accounts in which to perform this operation at one time. When calculating the number of accounts based on the specified percentage, AWS Service Catalog rounds down to the next whole number. This is true except in cases where rounding down would result is zero. In this case, AWS Service Catalog sets the number as 1 instead. Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual number of accounts acted upon concurrently may be lower due to service throttling. You must specify either `max_concurrency_count` or `max_concurrency_percentage`, but not both.\n" - }, - "regions": { - "type": "array", - "items": { - "type": "string" - }, - "description": "One or more AWS Regions where the provisioned product will be available. The specified regions should be within the list of regions from the STACKSET constraint. To get the list of regions in the STACKSET constraint, use the `aws_servicecatalog_provisioning_parameters` data source. If no values are specified, the default value is all regions from the STACKSET constraint.\n" - } - }, - "type": "object" - }, - "aws:servicecatalog/ServiceActionDefinition:ServiceActionDefinition": { - "properties": { - "assumeRole": { - "type": "string", - "description": "ARN of the role that performs the self-service actions on your behalf. For example, `arn:aws:iam::12345678910:role/ActionRole`. To reuse the provisioned product launch role, set to `LAUNCH_ROLE`.\n" - }, - "name": { - "type": "string", - "description": "Name of the SSM document. For example, `AWS-RestartEC2Instance`. If you are using a shared SSM document, you must provide the ARN instead of the name.\n" - }, - "parameters": { - "type": "string", - "description": "List of parameters in JSON format. 
For example: `[{\\\"Name\\\":\\\"InstanceId\\\",\\\"Type\\\":\\\"TARGET\\\"}]` or `[{\\\"Name\\\":\\\"InstanceId\\\",\\\"Type\\\":\\\"TEXT_VALUE\\\"}]`.\n" - }, - "type": { - "type": "string", - "description": "Service action definition type. Valid value is `SSM_AUTOMATION`. Default is `SSM_AUTOMATION`.\n", - "willReplaceOnChanges": true - }, - "version": { - "type": "string", - "description": "SSM document version. For example, `1`.\n" - } - }, - "type": "object", - "required": [ - "name", - "version" - ] - }, - "aws:servicecatalog/getLaunchPathsSummary:getLaunchPathsSummary": { - "properties": { - "constraintSummaries": { - "type": "array", - "items": { - "$ref": "#/types/aws:servicecatalog/getLaunchPathsSummaryConstraintSummary:getLaunchPathsSummaryConstraintSummary" - }, - "description": "Block for constraints on the portfolio-product relationship. See details below.\n" - }, - "name": { - "type": "string", - "description": "Name of the portfolio to which the path was assigned.\n" - }, - "pathId": { - "type": "string", - "description": "Identifier of the product path.\n" - }, - "tags": { - "type": "object", - "additionalProperties": { - "type": "string" - }, - "description": "Tags associated with this product path.\n" - } - }, - "type": "object", - "required": [ - "constraintSummaries", - "name", - "pathId", - "tags" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:servicecatalog/getLaunchPathsSummaryConstraintSummary:getLaunchPathsSummaryConstraintSummary": { - "properties": { - "description": { - "type": "string", - "description": "Description of the constraint.\n" - }, - "type": { - "type": "string", - "description": "Type of constraint. 
Valid values are `LAUNCH`, `NOTIFICATION`, `STACKSET`, and `TEMPLATE`.\n" - } - }, - "type": "object", - "required": [ - "description", - "type" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:servicecatalog/getPortfolioConstraintsDetail:getPortfolioConstraintsDetail": { - "properties": { - "constraintId": { - "type": "string", - "description": "Identifier of the constraint.\n" - }, - "description": { - "type": "string", - "description": "Description of the constraint.\n" - }, - "owner": { - "type": "string" - }, - "portfolioId": { - "type": "string", - "description": "Portfolio identifier.\n\nThe following arguments are optional:\n" - }, - "productId": { - "type": "string", - "description": "Product identifier.\n" - }, - "type": { - "type": "string", - "description": "Type of constraint. Valid values are `LAUNCH`, `NOTIFICATION`, `STACKSET`, and `TEMPLATE`.\n" - } - }, - "type": "object", - "required": [ - "constraintId", - "description", - "owner", - "portfolioId", - "productId", - "type" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:servicecatalog/getProvisioningArtifactsProvisioningArtifactDetail:getProvisioningArtifactsProvisioningArtifactDetail": { - "properties": { - "active": { - "type": "boolean", - "description": "Indicates whether the product version is active.\n" - }, - "createdTime": { - "type": "string", - "description": "The UTC time stamp of the creation time.\n" - }, - "description": { - "type": "string", - "description": "The description of the provisioning artifact.\n" - }, - "guidance": { - "type": "string", - "description": "Information set by the administrator to provide guidance to end users about which provisioning artifacts to use.\n" - }, - "id": { - "type": "string", - "description": "The identifier of the provisioning artifact.\n" - }, - "name": { - "type": "string", - "description": "The name of the provisioning artifact.\n" - }, - "type": { - "type": "string", - 
"description": "The type of provisioning artifact.\n" - } - }, - "type": "object", - "required": [ - "active", - "createdTime", - "description", - "guidance", - "id", - "name", - "type" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:servicediscovery/ServiceDnsConfig:ServiceDnsConfig": { - "properties": { - "dnsRecords": { - "type": "array", - "items": { - "$ref": "#/types/aws:servicediscovery/ServiceDnsConfigDnsRecord:ServiceDnsConfigDnsRecord" - }, - "description": "An array that contains one DnsRecord object for each resource record set.\n" - }, - "namespaceId": { - "type": "string", - "description": "The ID of the namespace to use for DNS configuration.\n", - "willReplaceOnChanges": true - }, - "routingPolicy": { - "type": "string", - "description": "The routing policy that you want to apply to all records that Route 53 creates when you register an instance and specify the service. Valid Values: MULTIVALUE, WEIGHTED\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "dnsRecords", - "namespaceId" - ] - }, - "aws:servicediscovery/ServiceDnsConfigDnsRecord:ServiceDnsConfigDnsRecord": { - "properties": { - "ttl": { - "type": "integer", - "description": "The amount of time, in seconds, that you want DNS resolvers to cache the settings for this resource record set.\n" - }, - "type": { - "type": "string", - "description": "The type of the resource, which indicates the value that Amazon Route 53 returns in response to DNS queries. Valid Values: A, AAAA, SRV, CNAME\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "ttl", - "type" - ] - }, - "aws:servicediscovery/ServiceHealthCheckConfig:ServiceHealthCheckConfig": { - "properties": { - "failureThreshold": { - "type": "integer", - "description": "The number of consecutive health checks. 
Maximum value of 10.\n" - }, - "resourcePath": { - "type": "string", - "description": "The path that you want Route 53 to request when performing health checks. Route 53 automatically adds the DNS name for the service. If you don't specify a value, the default value is /.\n" - }, - "type": { - "type": "string", - "description": "The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. Valid Values: HTTP, HTTPS, TCP\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:servicediscovery/ServiceHealthCheckCustomConfig:ServiceHealthCheckCustomConfig": { - "properties": { - "failureThreshold": { - "type": "integer", - "description": "The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:servicediscovery/getServiceDnsConfig:getServiceDnsConfig": { - "properties": { - "dnsRecords": { - "type": "array", - "items": { - "$ref": "#/types/aws:servicediscovery/getServiceDnsConfigDnsRecord:getServiceDnsConfigDnsRecord" - }, - "description": "An array that contains one DnsRecord object for each resource record set.\n" - }, - "namespaceId": { - "type": "string", - "description": "ID of the namespace that the service belongs to.\n" - }, - "routingPolicy": { - "type": "string", - "description": "Routing policy that you want to apply to all records that Route 53 creates when you register an instance and specify the service. 
Valid Values: MULTIVALUE, WEIGHTED\n" - } - }, - "type": "object", - "required": [ - "dnsRecords", - "namespaceId", - "routingPolicy" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:servicediscovery/getServiceDnsConfigDnsRecord:getServiceDnsConfigDnsRecord": { - "properties": { - "ttl": { - "type": "integer", - "description": "Amount of time, in seconds, that you want DNS resolvers to cache the settings for this resource record set.\n" - }, - "type": { - "type": "string", - "description": "The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. Valid Values: HTTP, HTTPS, TCP\n" - } - }, - "type": "object", - "required": [ - "ttl", - "type" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:servicediscovery/getServiceHealthCheckConfig:getServiceHealthCheckConfig": { - "properties": { - "failureThreshold": { - "type": "integer", - "description": "The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10.\n" - }, - "resourcePath": { - "type": "string", - "description": "Path that you want Route 53 to request when performing health checks. Route 53 automatically adds the DNS name for the service. If you don't specify a value, the default value is /.\n" - }, - "type": { - "type": "string", - "description": "The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. 
Valid Values: HTTP, HTTPS, TCP\n" - } - }, - "type": "object", - "required": [ - "failureThreshold", - "resourcePath", - "type" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:servicediscovery/getServiceHealthCheckCustomConfig:getServiceHealthCheckCustomConfig": { - "properties": { - "failureThreshold": { - "type": "integer", - "description": "The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10.\n" - } - }, - "type": "object", - "required": [ - "failureThreshold" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:servicequotas/ServiceQuotaUsageMetric:ServiceQuotaUsageMetric": { - "properties": { - "metricDimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:servicequotas/ServiceQuotaUsageMetricMetricDimension:ServiceQuotaUsageMetricMetricDimension" - }, - "description": "The metric dimensions.\n" - }, - "metricName": { - "type": "string", - "description": "The name of the metric.\n" - }, - "metricNamespace": { - "type": "string", - "description": "The namespace of the metric.\n" - }, - "metricStatisticRecommendation": { - "type": "string", - "description": "The metric statistic that AWS recommend you use when determining quota usage.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "metricDimensions", - "metricName", - "metricNamespace", - "metricStatisticRecommendation" - ] - } - } - }, - "aws:servicequotas/ServiceQuotaUsageMetricMetricDimension:ServiceQuotaUsageMetricMetricDimension": { - "properties": { - "class": { - "type": "string" - }, - "resource": { - "type": "string" - }, - "service": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "class", - "resource", - "service", - "type" - ] - } - } - }, - 
"aws:servicequotas/getServiceQuotaUsageMetric:getServiceQuotaUsageMetric": { - "properties": { - "metricDimensions": { - "type": "array", - "items": { - "$ref": "#/types/aws:servicequotas/getServiceQuotaUsageMetricMetricDimension:getServiceQuotaUsageMetricMetricDimension" - }, - "description": "The metric dimensions.\n" - }, - "metricName": { - "type": "string", - "description": "The name of the metric.\n" - }, - "metricNamespace": { - "type": "string", - "description": "The namespace of the metric.\n" - }, - "metricStatisticRecommendation": { - "type": "string", - "description": "The metric statistic that AWS recommend you use when determining quota usage.\n" - } - }, - "type": "object", - "required": [ - "metricDimensions", - "metricName", - "metricNamespace", - "metricStatisticRecommendation" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:servicequotas/getServiceQuotaUsageMetricMetricDimension:getServiceQuotaUsageMetricMetricDimension": { - "properties": { - "class": { - "type": "string" - }, - "resource": { - "type": "string" - }, - "service": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "class", - "resource", - "service", - "type" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:servicequotas/getTemplatesTemplate:getTemplatesTemplate": { - "properties": { - "globalQuota": { - "type": "boolean", - "description": "Indicates whether the quota is global.\n" - }, - "quotaCode": { - "type": "string", - "description": "Quota identifier.\n" - }, - "quotaName": { - "type": "string", - "description": "Quota name.\n" - }, - "region": { - "type": "string", - "description": "AWS Region to which the quota increases apply.\n" - }, - "serviceCode": { - "type": "string", - "description": "(Required) Service identifier.\n" - }, - "serviceName": { - "type": "string", - "description": "Service name.\n" - }, - "unit": { - "type": "string", - "description": "Unit 
of measurement.\n" - }, - "value": { - "type": "number", - "description": "(Required) The new, increased value for the quota.\n" - } - }, - "type": "object", - "required": [ - "globalQuota", - "quotaCode", - "quotaName", - "region", - "serviceCode", - "serviceName", - "unit", - "value" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ses/ConfigurationSetDeliveryOptions:ConfigurationSetDeliveryOptions": { - "properties": { - "tlsPolicy": { - "type": "string", - "description": "Whether messages that use the configuration set are required to use Transport Layer Security (TLS). If the value is `Require`, messages are only delivered if a TLS connection can be established. If the value is `Optional`, messages can be delivered in plain text if a TLS connection can't be established. Valid values: `Require` or `Optional`. Defaults to `Optional`.\n" - } - }, - "type": "object" - }, - "aws:ses/ConfigurationSetTrackingOptions:ConfigurationSetTrackingOptions": { - "properties": { - "customRedirectDomain": { - "type": "string", - "description": "Custom subdomain that is used to redirect email recipients to the Amazon SES event tracking domain.\n" - } - }, - "type": "object" - }, - "aws:ses/EventDestinationCloudwatchDestination:EventDestinationCloudwatchDestination": { - "properties": { - "defaultValue": { - "type": "string", - "description": "The default value for the event\n" - }, - "dimensionName": { - "type": "string", - "description": "The name for the dimension\n" - }, - "valueSource": { - "type": "string", - "description": "The source for the value. 
May be any of `\"messageTag\"`, `\"emailHeader\"` or `\"linkTag\"`.\n" - } - }, - "type": "object", - "required": [ - "defaultValue", - "dimensionName", - "valueSource" - ] - }, - "aws:ses/EventDestinationKinesisDestination:EventDestinationKinesisDestination": { - "properties": { - "roleArn": { - "type": "string", - "description": "The ARN of the role that has permissions to access the Kinesis Stream\n" - }, - "streamArn": { - "type": "string", - "description": "The ARN of the Kinesis Stream\n" - } - }, - "type": "object", - "required": [ - "roleArn", - "streamArn" - ] - }, - "aws:ses/EventDestinationSnsDestination:EventDestinationSnsDestination": { - "properties": { - "topicArn": { - "type": "string", - "description": "The ARN of the SNS topic\n" - } - }, - "type": "object", - "required": [ - "topicArn" - ] - }, - "aws:ses/ReceiptRuleAddHeaderAction:ReceiptRuleAddHeaderAction": { - "properties": { - "headerName": { - "type": "string", - "description": "The name of the header to add\n" - }, - "headerValue": { - "type": "string", - "description": "The value of the header to add\n" - }, - "position": { - "type": "integer", - "description": "The position of the action in the receipt rule\n" - } - }, - "type": "object", - "required": [ - "headerName", - "headerValue", - "position" - ] - }, - "aws:ses/ReceiptRuleBounceAction:ReceiptRuleBounceAction": { - "properties": { - "message": { - "type": "string", - "description": "The message to send\n" - }, - "position": { - "type": "integer", - "description": "The position of the action in the receipt rule\n" - }, - "sender": { - "type": "string", - "description": "The email address of the sender\n" - }, - "smtpReplyCode": { - "type": "string", - "description": "The RFC 5321 SMTP reply code\n" - }, - "statusCode": { - "type": "string", - "description": "The RFC 3463 SMTP enhanced status code\n" - }, - "topicArn": { - "type": "string", - "description": "The ARN of an SNS topic to notify\n" - } - }, - "type": "object", - 
"required": [ - "message", - "position", - "sender", - "smtpReplyCode" - ] - }, - "aws:ses/ReceiptRuleLambdaAction:ReceiptRuleLambdaAction": { - "properties": { - "functionArn": { - "type": "string", - "description": "The ARN of the Lambda function to invoke\n" - }, - "invocationType": { - "type": "string", - "description": "`Event` or `RequestResponse`\n" - }, - "position": { - "type": "integer", - "description": "The position of the action in the receipt rule\n" - }, - "topicArn": { - "type": "string", - "description": "The ARN of an SNS topic to notify\n" - } - }, - "type": "object", - "required": [ - "functionArn", - "position" - ] - }, - "aws:ses/ReceiptRuleS3Action:ReceiptRuleS3Action": { - "properties": { - "bucketName": { - "type": "string", - "description": "The name of the S3 bucket\n" - }, - "kmsKeyArn": { - "type": "string", - "description": "The ARN of the KMS key\n" - }, - "objectKeyPrefix": { - "type": "string", - "description": "The key prefix of the S3 bucket\n" - }, - "position": { - "type": "integer", - "description": "The position of the action in the receipt rule\n" - }, - "topicArn": { - "type": "string", - "description": "The ARN of an SNS topic to notify\n" - } - }, - "type": "object", - "required": [ - "bucketName", - "position" - ] - }, - "aws:ses/ReceiptRuleSnsAction:ReceiptRuleSnsAction": { - "properties": { - "encoding": { - "type": "string", - "description": "The encoding to use for the email within the Amazon SNS notification. 
Default value is `UTF-8`.\n" - }, - "position": { - "type": "integer", - "description": "The position of the action in the receipt rule\n" - }, - "topicArn": { - "type": "string", - "description": "The ARN of an SNS topic to notify\n" - } - }, - "type": "object", - "required": [ - "position", - "topicArn" - ] - }, - "aws:ses/ReceiptRuleStopAction:ReceiptRuleStopAction": { - "properties": { - "position": { - "type": "integer", - "description": "The position of the action in the receipt rule\n" - }, - "scope": { - "type": "string", - "description": "The scope to apply. The only acceptable value is `RuleSet`.\n" - }, - "topicArn": { - "type": "string", - "description": "The ARN of an SNS topic to notify\n" - } - }, - "type": "object", - "required": [ - "position", - "scope" - ] - }, - "aws:ses/ReceiptRuleWorkmailAction:ReceiptRuleWorkmailAction": { - "properties": { - "organizationArn": { - "type": "string", - "description": "The ARN of the WorkMail organization\n" - }, - "position": { - "type": "integer", - "description": "The position of the action in the receipt rule\n" - }, - "topicArn": { - "type": "string", - "description": "The ARN of an SNS topic to notify\n" - } - }, - "type": "object", - "required": [ - "organizationArn", - "position" - ] - }, - "aws:sesv2/AccountVdmAttributesDashboardAttributes:AccountVdmAttributesDashboardAttributes": { - "properties": { - "engagementMetrics": { - "type": "string", - "description": "Specifies the status of your VDM engagement metrics collection. Valid values: `ENABLED`, `DISABLED`.\n" - } - }, - "type": "object" - }, - "aws:sesv2/AccountVdmAttributesGuardianAttributes:AccountVdmAttributesGuardianAttributes": { - "properties": { - "optimizedSharedDelivery": { - "type": "string", - "description": "Specifies the status of your VDM optimized shared delivery. 
Valid values: `ENABLED`, `DISABLED`.\n" - } - }, - "type": "object" - }, - "aws:sesv2/ConfigurationSetDeliveryOptions:ConfigurationSetDeliveryOptions": { - "properties": { - "sendingPoolName": { - "type": "string", - "description": "The name of the dedicated IP pool to associate with the configuration set.\n" - }, - "tlsPolicy": { - "type": "string", - "description": "Specifies whether messages that use the configuration set are required to use Transport Layer Security (TLS). Valid values: `REQUIRE`, `OPTIONAL`.\n" - } - }, - "type": "object" - }, - "aws:sesv2/ConfigurationSetEventDestinationEventDestination:ConfigurationSetEventDestinationEventDestination": { - "properties": { - "cloudWatchDestination": { - "$ref": "#/types/aws:sesv2/ConfigurationSetEventDestinationEventDestinationCloudWatchDestination:ConfigurationSetEventDestinationEventDestinationCloudWatchDestination", - "description": "An object that defines an Amazon CloudWatch destination for email events. See cloud_watch_destination below\n" - }, - "enabled": { - "type": "boolean", - "description": "When the event destination is enabled, the specified event types are sent to the destinations. Default: `false`.\n" - }, - "kinesisFirehoseDestination": { - "$ref": "#/types/aws:sesv2/ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination:ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination", - "description": "An object that defines an Amazon Kinesis Data Firehose destination for email events. See kinesis_firehose_destination below.\n" - }, - "matchingEventTypes": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array that specifies which events the Amazon SES API v2 should send to the destinations. 
Valid values: `SEND`, `REJECT`, `BOUNCE`, `COMPLAINT`, `DELIVERY`, `OPEN`, `CLICK`, `RENDERING_FAILURE`, `DELIVERY_DELAY`, `SUBSCRIPTION`.\n\nThe following arguments are optional:\n" - }, - "pinpointDestination": { - "$ref": "#/types/aws:sesv2/ConfigurationSetEventDestinationEventDestinationPinpointDestination:ConfigurationSetEventDestinationEventDestinationPinpointDestination", - "description": "An object that defines an Amazon Pinpoint project destination for email events. See pinpoint_destination below.\n" - }, - "snsDestination": { - "$ref": "#/types/aws:sesv2/ConfigurationSetEventDestinationEventDestinationSnsDestination:ConfigurationSetEventDestinationEventDestinationSnsDestination", - "description": "An object that defines an Amazon SNS destination for email events. See sns_destination below.\n" - } - }, - "type": "object", - "required": [ - "matchingEventTypes" - ] - }, - "aws:sesv2/ConfigurationSetEventDestinationEventDestinationCloudWatchDestination:ConfigurationSetEventDestinationEventDestinationCloudWatchDestination": { - "properties": { - "dimensionConfigurations": { - "type": "array", - "items": { - "$ref": "#/types/aws:sesv2/ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration:ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration" - }, - "description": "An array of objects that define the dimensions to use when you send email events to Amazon CloudWatch. 
See dimension_configuration below.\n" - } - }, - "type": "object", - "required": [ - "dimensionConfigurations" - ] - }, - "aws:sesv2/ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration:ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration": { - "properties": { - "defaultDimensionValue": { - "type": "string", - "description": "The default value of the dimension that is published to Amazon CloudWatch if you don't provide the value of the dimension when you send an email.\n" - }, - "dimensionName": { - "type": "string", - "description": "The name of an Amazon CloudWatch dimension associated with an email sending metric.\n" - }, - "dimensionValueSource": { - "type": "string", - "description": "The location where the Amazon SES API v2 finds the value of a dimension to publish to Amazon CloudWatch. Valid values: `MESSAGE_TAG`, `EMAIL_HEADER`, `LINK_TAG`.\n" - } - }, - "type": "object", - "required": [ - "defaultDimensionValue", - "dimensionName", - "dimensionValueSource" - ] - }, - "aws:sesv2/ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination:ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination": { - "properties": { - "deliveryStreamArn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the Amazon Kinesis Data Firehose stream that the Amazon SES API v2 sends email events to.\n" - }, - "iamRoleArn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the IAM role that the Amazon SES API v2 uses to send email events to the Amazon Kinesis Data Firehose stream.\n" - } - }, - "type": "object", - "required": [ - "deliveryStreamArn", - "iamRoleArn" - ] - }, - "aws:sesv2/ConfigurationSetEventDestinationEventDestinationPinpointDestination:ConfigurationSetEventDestinationEventDestinationPinpointDestination": { - "properties": { - "applicationArn": { - "type": "string" - } - }, - "type": "object", - "required": [ 
- "applicationArn" - ] - }, - "aws:sesv2/ConfigurationSetEventDestinationEventDestinationSnsDestination:ConfigurationSetEventDestinationEventDestinationSnsDestination": { - "properties": { - "topicArn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the Amazon SNS topic to publish email events to.\n" - } - }, - "type": "object", - "required": [ - "topicArn" - ] - }, - "aws:sesv2/ConfigurationSetReputationOptions:ConfigurationSetReputationOptions": { - "properties": { - "lastFreshStart": { - "type": "string", - "description": "The date and time (in Unix time) when the reputation metrics were last given a fresh start. When your account is given a fresh start, your reputation metrics are calculated starting from the date of the fresh start.\n" - }, - "reputationMetricsEnabled": { - "type": "boolean", - "description": "If `true`, tracking of reputation metrics is enabled for the configuration set. If `false`, tracking of reputation metrics is disabled for the configuration set.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "lastFreshStart", - "reputationMetricsEnabled" - ] - } - } - }, - "aws:sesv2/ConfigurationSetSendingOptions:ConfigurationSetSendingOptions": { - "properties": { - "sendingEnabled": { - "type": "boolean", - "description": "If `true`, email sending is enabled for the configuration set. If `false`, email sending is disabled for the configuration set.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "sendingEnabled" - ] - } - } - }, - "aws:sesv2/ConfigurationSetSuppressionOptions:ConfigurationSetSuppressionOptions": { - "properties": { - "suppressedReasons": { - "type": "array", - "items": { - "type": "string" - }, - "description": "A list that contains the reasons that email addresses are automatically added to the suppression list for your account. 
Valid values: `BOUNCE`, `COMPLAINT`.\n" - } - }, - "type": "object" - }, - "aws:sesv2/ConfigurationSetTrackingOptions:ConfigurationSetTrackingOptions": { - "properties": { - "customRedirectDomain": { - "type": "string", - "description": "The domain to use for tracking open and click events.\n" - } - }, - "type": "object", - "required": [ - "customRedirectDomain" - ] - }, - "aws:sesv2/ConfigurationSetVdmOptions:ConfigurationSetVdmOptions": { - "properties": { - "dashboardOptions": { - "$ref": "#/types/aws:sesv2/ConfigurationSetVdmOptionsDashboardOptions:ConfigurationSetVdmOptionsDashboardOptions", - "description": "Specifies additional settings for your VDM configuration as applicable to the Dashboard.\n" - }, - "guardianOptions": { - "$ref": "#/types/aws:sesv2/ConfigurationSetVdmOptionsGuardianOptions:ConfigurationSetVdmOptionsGuardianOptions", - "description": "Specifies additional settings for your VDM configuration as applicable to the Guardian.\n" - } - }, - "type": "object" - }, - "aws:sesv2/ConfigurationSetVdmOptionsDashboardOptions:ConfigurationSetVdmOptionsDashboardOptions": { - "properties": { - "engagementMetrics": { - "type": "string", - "description": "Specifies the status of your VDM engagement metrics collection. Valid values: `ENABLED`, `DISABLED`.\n" - } - }, - "type": "object" - }, - "aws:sesv2/ConfigurationSetVdmOptionsGuardianOptions:ConfigurationSetVdmOptionsGuardianOptions": { - "properties": { - "optimizedSharedDelivery": { - "type": "string", - "description": "Specifies the status of your VDM optimized shared delivery. 
Valid values: `ENABLED`, `DISABLED`.\n" - } - }, - "type": "object" - }, - "aws:sesv2/ContactListTopic:ContactListTopic": { - "properties": { - "defaultSubscriptionStatus": { - "type": "string", - "description": "Default subscription status to be applied to a contact if the contact has not noted their preference for subscribing to a topic.\n" - }, - "description": { - "type": "string", - "description": "Description of what the topic is about, which the contact will see.\n" - }, - "displayName": { - "type": "string", - "description": "Name of the topic the contact will see.\n" - }, - "topicName": { - "type": "string", - "description": "Name of the topic.\n\nThe following arguments are optional:\n" - } - }, - "type": "object", - "required": [ - "defaultSubscriptionStatus", - "displayName", - "topicName" - ] - }, - "aws:sesv2/EmailIdentityDkimSigningAttributes:EmailIdentityDkimSigningAttributes": { - "properties": { - "currentSigningKeyLength": { - "type": "string", - "description": "[Easy DKIM] The key length of the DKIM key pair in use.\n" - }, - "domainSigningPrivateKey": { - "type": "string", - "description": "[Bring Your Own DKIM] A private key that's used to generate a DKIM signature. The private key must use 1024 or 2048-bit RSA encryption, and must be encoded using base64 encoding.\n\n\u003e **NOTE:** You have to delete the first and last lines ('-----BEGIN PRIVATE KEY-----' and '-----END PRIVATE KEY-----', respectively) of the generated private key. Additionally, you have to remove the line breaks in the generated private key. 
The resulting value is a string of characters with no spaces or line breaks.\n", - "secret": true - }, - "domainSigningSelector": { - "type": "string", - "description": "[Bring Your Own DKIM] A string that's used to identify a public key in the DNS configuration for a domain.\n" - }, - "lastKeyGenerationTimestamp": { - "type": "string", - "description": "[Easy DKIM] The last time a key pair was generated for this identity.\n" - }, - "nextSigningKeyLength": { - "type": "string", - "description": "[Easy DKIM] The key length of the future DKIM key pair to be generated. This can be changed at most once per day. Valid values: `RSA_1024_BIT`, `RSA_2048_BIT`.\n" - }, - "signingAttributesOrigin": { - "type": "string", - "description": "A string that indicates how DKIM was configured for the identity. `AWS_SES` indicates that DKIM was configured for the identity by using Easy DKIM. `EXTERNAL` indicates that DKIM was configured for the identity by using Bring Your Own DKIM (BYODKIM).\n" - }, - "status": { - "type": "string", - "description": "Describes whether or not Amazon SES has successfully located the DKIM records in the DNS records for the domain. See the [AWS SES API v2 Reference](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DkimAttributes.html#SES-Type-DkimAttributes-Status) for supported statuses.\n" - }, - "tokens": { - "type": "array", - "items": { - "type": "string" - }, - "description": "If you used Easy DKIM to configure DKIM authentication for the domain, then this object contains a set of unique strings that you use to create a set of CNAME records that you add to the DNS configuration for your domain. When Amazon SES detects these records in the DNS configuration for your domain, the DKIM authentication process is complete. 
If you configured DKIM authentication for the domain by providing your own public-private key pair, then this object contains the selector for the public key.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "currentSigningKeyLength", - "lastKeyGenerationTimestamp", - "nextSigningKeyLength", - "signingAttributesOrigin", - "status", - "tokens" - ] - } - } - }, - "aws:sesv2/getConfigurationSetDeliveryOption:getConfigurationSetDeliveryOption": { - "properties": { - "sendingPoolName": { - "type": "string", - "description": "The name of the dedicated IP pool to associate with the configuration set.\n" - }, - "tlsPolicy": { - "type": "string", - "description": "Specifies whether messages that use the configuration set are required to use Transport Layer Security (TLS).\n" - } - }, - "type": "object", - "required": [ - "sendingPoolName", - "tlsPolicy" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:sesv2/getConfigurationSetReputationOption:getConfigurationSetReputationOption": { - "properties": { - "lastFreshStart": { - "type": "string", - "description": "The date and time (in Unix time) when the reputation metrics were last given a fresh start.\n" - }, - "reputationMetricsEnabled": { - "type": "boolean", - "description": "Specifies whether tracking of reputation metrics is enabled.\n" - } - }, - "type": "object", - "required": [ - "lastFreshStart", - "reputationMetricsEnabled" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:sesv2/getConfigurationSetSendingOption:getConfigurationSetSendingOption": { - "properties": { - "sendingEnabled": { - "type": "boolean", - "description": "Specifies whether email sending is enabled.\n" - } - }, - "type": "object", - "required": [ - "sendingEnabled" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:sesv2/getConfigurationSetSuppressionOption:getConfigurationSetSuppressionOption": { - "properties": { - 
"suppressedReasons": { - "type": "array", - "items": { - "type": "string" - }, - "description": "A list that contains the reasons that email addresses are automatically added to the suppression list for your account.\n" - } - }, - "type": "object", - "required": [ - "suppressedReasons" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:sesv2/getConfigurationSetTrackingOption:getConfigurationSetTrackingOption": { - "properties": { - "customRedirectDomain": { - "type": "string", - "description": "The domain to use for tracking open and click events.\n" - } - }, - "type": "object", - "required": [ - "customRedirectDomain" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:sesv2/getConfigurationSetVdmOption:getConfigurationSetVdmOption": { - "properties": { - "dashboardOptions": { - "type": "array", - "items": { - "$ref": "#/types/aws:sesv2/getConfigurationSetVdmOptionDashboardOption:getConfigurationSetVdmOptionDashboardOption" - }, - "description": "Specifies additional settings for your VDM configuration as applicable to the Dashboard.\n" - }, - "guardianOptions": { - "type": "array", - "items": { - "$ref": "#/types/aws:sesv2/getConfigurationSetVdmOptionGuardianOption:getConfigurationSetVdmOptionGuardianOption" - }, - "description": "Specifies additional settings for your VDM configuration as applicable to the Guardian.\n" - } - }, - "type": "object", - "required": [ - "dashboardOptions", - "guardianOptions" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:sesv2/getConfigurationSetVdmOptionDashboardOption:getConfigurationSetVdmOptionDashboardOption": { - "properties": { - "engagementMetrics": { - "type": "string", - "description": "Specifies the status of your VDM engagement metrics collection.\n" - } - }, - "type": "object", - "required": [ - "engagementMetrics" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - 
"aws:sesv2/getConfigurationSetVdmOptionGuardianOption:getConfigurationSetVdmOptionGuardianOption": { - "properties": { - "optimizedSharedDelivery": { - "type": "string", - "description": "Specifies the status of your VDM optimized shared delivery.\n" - } - }, - "type": "object", - "required": [ - "optimizedSharedDelivery" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:sesv2/getDedicatedIpPoolDedicatedIp:getDedicatedIpPoolDedicatedIp": { - "properties": { - "ip": { - "type": "string", - "description": "IPv4 address.\n" - }, - "warmupPercentage": { - "type": "integer", - "description": "Indicates how complete the dedicated IP warm-up process is. When this value equals `1`, the address has completed the warm-up process and is ready for use.\n" - }, - "warmupStatus": { - "type": "string", - "description": "The warm-up status of a dedicated IP address. Valid values: `IN_PROGRESS`, `DONE`.\n" - } - }, - "type": "object", - "required": [ - "ip", - "warmupPercentage", - "warmupStatus" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:sesv2/getEmailIdentityDkimSigningAttribute:getEmailIdentityDkimSigningAttribute": { - "properties": { - "currentSigningKeyLength": { - "type": "string", - "description": "[Easy DKIM] The key length of the DKIM key pair in use.\n" - }, - "domainSigningPrivateKey": { - "type": "string", - "secret": true - }, - "domainSigningSelector": { - "type": "string" - }, - "lastKeyGenerationTimestamp": { - "type": "string", - "description": "[Easy DKIM] The last time a key pair was generated for this identity.\n" - }, - "nextSigningKeyLength": { - "type": "string", - "description": "[Easy DKIM] The key length of the future DKIM key pair to be generated. This can be changed at most once per day.\n" - }, - "signingAttributesOrigin": { - "type": "string", - "description": "A string that indicates how DKIM was configured for the identity. 
`AWS_SES` indicates that DKIM was configured for the identity by using Easy DKIM. `EXTERNAL` indicates that DKIM was configured for the identity by using Bring Your Own DKIM (BYODKIM).\n" - }, - "status": { - "type": "string", - "description": "Describes whether or not Amazon SES has successfully located the DKIM records in the DNS records for the domain. See the [AWS SES API v2 Reference](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DkimAttributes.html#SES-Type-DkimAttributes-Status) for supported statuses.\n" - }, - "tokens": { - "type": "array", - "items": { - "type": "string" - }, - "description": "If you used Easy DKIM to configure DKIM authentication for the domain, then this object contains a set of unique strings that you use to create a set of CNAME records that you add to the DNS configuration for your domain. When Amazon SES detects these records in the DNS configuration for your domain, the DKIM authentication process is complete. If you configured DKIM authentication for the domain by providing your own public-private key pair, then this object contains the selector for the public key.\n" - } - }, - "type": "object", - "required": [ - "currentSigningKeyLength", - "domainSigningPrivateKey", - "domainSigningSelector", - "lastKeyGenerationTimestamp", - "nextSigningKeyLength", - "signingAttributesOrigin", - "status", - "tokens" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:sfn/AliasRoutingConfiguration:AliasRoutingConfiguration": { - "properties": { - "stateMachineVersionArn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the state machine version.\n" - }, - "weight": { - "type": "integer", - "description": "Percentage of traffic routed to the state machine version.\n" - } - }, - "type": "object", - "required": [ - "stateMachineVersionArn", - "weight" - ] - }, - "aws:sfn/StateMachineLoggingConfiguration:StateMachineLoggingConfiguration": { - "properties": { - "includeExecutionData": 
{ - "type": "boolean", - "description": "Determines whether execution data is included in your log. When set to `false`, data is excluded.\n" - }, - "level": { - "type": "string", - "description": "Defines which category of execution history events are logged. Valid values: `ALL`, `ERROR`, `FATAL`, `OFF`\n" - }, - "logDestination": { - "type": "string", - "description": "Amazon Resource Name (ARN) of a CloudWatch log group. Make sure the State Machine has the correct IAM policies for logging. The ARN must end with `:*`\n" - } - }, - "type": "object" - }, - "aws:sfn/StateMachineTracingConfiguration:StateMachineTracingConfiguration": { - "properties": { - "enabled": { - "type": "boolean", - "description": "When set to `true`, AWS X-Ray tracing is enabled. Make sure the State Machine has the correct IAM policies for logging. See the [AWS Step Functions Developer Guide](https://docs.aws.amazon.com/step-functions/latest/dg/xray-iam.html) for details.\n" - } - }, - "type": "object" - }, - "aws:sfn/getAliasRoutingConfiguration:getAliasRoutingConfiguration": { - "properties": { - "stateMachineVersionArn": { - "type": "string" - }, - "weight": { - "type": "integer" - } - }, - "type": "object", - "required": [ - "stateMachineVersionArn", - "weight" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:shield/ApplicationLayerAutomaticResponseTimeouts:ApplicationLayerAutomaticResponseTimeouts": { - "properties": { - "create": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" - }, - "delete": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". 
Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.\n" - }, - "update": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" - } - }, - "type": "object" - }, - "aws:shield/DrtAccessLogBucketAssociationTimeouts:DrtAccessLogBucketAssociationTimeouts": { - "properties": { - "create": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" - }, - "delete": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.\n" - } - }, - "type": "object" - }, - "aws:shield/DrtAccessRoleArnAssociationTimeouts:DrtAccessRoleArnAssociationTimeouts": { - "properties": { - "create": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" - }, - "delete": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". 
Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.\n" - }, - "update": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" - } - }, - "type": "object" - }, - "aws:shield/ProactiveEngagementEmergencyContact:ProactiveEngagementEmergencyContact": { - "properties": { - "contactNotes": { - "type": "string" - }, - "emailAddress": { - "type": "string" - }, - "phoneNumber": { - "type": "string" - } - }, - "type": "object", - "required": [ - "emailAddress" - ] - }, - "aws:signer/SigningJobDestination:SigningJobDestination": { - "properties": { - "s3": { - "$ref": "#/types/aws:signer/SigningJobDestinationS3:SigningJobDestinationS3", - "description": "A configuration block describing the S3 Destination object: See S3 Destination below for details.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "s3" - ] - }, - "aws:signer/SigningJobDestinationS3:SigningJobDestinationS3": { - "properties": { - "bucket": { - "type": "string", - "willReplaceOnChanges": true - }, - "prefix": { - "type": "string", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "bucket" - ] - }, - "aws:signer/SigningJobRevocationRecord:SigningJobRevocationRecord": { - "properties": { - "reason": { - "type": "string" - }, - "revokedAt": { - "type": "string" - }, - "revokedBy": { - "type": "string" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "reason", - "revokedAt", - "revokedBy" - ] - } - } - }, - "aws:signer/SigningJobSignedObject:SigningJobSignedObject": { - "properties": { - "s3s": { - "type": "array", - "items": { - "$ref": 
"#/types/aws:signer/SigningJobSignedObjectS3:SigningJobSignedObjectS3" - } - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "s3s" - ] - } - } - }, - "aws:signer/SigningJobSignedObjectS3:SigningJobSignedObjectS3": { - "properties": { - "bucket": { - "type": "string" - }, - "key": { - "type": "string" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "bucket", - "key" - ] - } - } - }, - "aws:signer/SigningJobSource:SigningJobSource": { - "properties": { - "s3": { - "$ref": "#/types/aws:signer/SigningJobSourceS3:SigningJobSourceS3", - "description": "A configuration block describing the S3 Source object: See S3 Source below for details.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "s3" - ] - }, - "aws:signer/SigningJobSourceS3:SigningJobSourceS3": { - "properties": { - "bucket": { - "type": "string", - "willReplaceOnChanges": true - }, - "key": { - "type": "string", - "willReplaceOnChanges": true - }, - "version": { - "type": "string", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "bucket", - "key", - "version" - ] - }, - "aws:signer/SigningProfileRevocationRecord:SigningProfileRevocationRecord": { - "properties": { - "revocationEffectiveFrom": { - "type": "string", - "description": "The time when revocation becomes effective.\n" - }, - "revokedAt": { - "type": "string", - "description": "The time when the signing profile was revoked.\n" - }, - "revokedBy": { - "type": "string", - "description": "The identity of the revoker.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "revocationEffectiveFrom", - "revokedAt", - "revokedBy" - ] - } - } - }, - "aws:signer/SigningProfileSignatureValidityPeriod:SigningProfileSignatureValidityPeriod": { - "properties": { - "type": { - "type": "string", - "description": "The time unit for signature validity. 
Valid values: `DAYS`, `MONTHS`, `YEARS`.\n", - "willReplaceOnChanges": true - }, - "value": { - "type": "integer", - "description": "The numerical value of the time unit for signature validity.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "type", - "value" - ] - }, - "aws:signer/SigningProfileSigningMaterial:SigningProfileSigningMaterial": { - "properties": { - "certificateArn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the certificates that is used to sign your code.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "certificateArn" - ] - }, - "aws:signer/getSigningJobRevocationRecord:getSigningJobRevocationRecord": { - "properties": { - "reason": { - "type": "string" - }, - "revokedAt": { - "type": "string" - }, - "revokedBy": { - "type": "string" - } - }, - "type": "object", - "required": [ - "reason", - "revokedAt", - "revokedBy" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:signer/getSigningJobSignedObject:getSigningJobSignedObject": { - "properties": { - "s3s": { - "type": "array", - "items": { - "$ref": "#/types/aws:signer/getSigningJobSignedObjectS3:getSigningJobSignedObjectS3" - } - } - }, - "type": "object", - "required": [ - "s3s" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:signer/getSigningJobSignedObjectS3:getSigningJobSignedObjectS3": { - "properties": { - "bucket": { - "type": "string" - }, - "key": { - "type": "string" - } - }, - "type": "object", - "required": [ - "bucket", - "key" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:signer/getSigningJobSource:getSigningJobSource": { - "properties": { - "s3s": { - "type": "array", - "items": { - "$ref": "#/types/aws:signer/getSigningJobSourceS3:getSigningJobSourceS3" - } - } - }, - "type": "object", - "required": [ - "s3s" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - 
"aws:signer/getSigningJobSourceS3:getSigningJobSourceS3": { - "properties": { - "bucket": { - "type": "string" - }, - "key": { - "type": "string" - }, - "version": { - "type": "string" - } - }, - "type": "object", - "required": [ - "bucket", - "key", - "version" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:signer/getSigningProfileRevocationRecord:getSigningProfileRevocationRecord": { - "properties": { - "revocationEffectiveFrom": { - "type": "string" - }, - "revokedAt": { - "type": "string" - }, - "revokedBy": { - "type": "string" - } - }, - "type": "object", - "required": [ - "revocationEffectiveFrom", - "revokedAt", - "revokedBy" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:signer/getSigningProfileSignatureValidityPeriod:getSigningProfileSignatureValidityPeriod": { - "properties": { - "type": { - "type": "string" - }, - "value": { - "type": "integer" - } - }, - "type": "object", - "required": [ - "type", - "value" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssm/AssociationOutputLocation:AssociationOutputLocation": { - "properties": { - "s3BucketName": { - "type": "string", - "description": "The S3 bucket name.\n" - }, - "s3KeyPrefix": { - "type": "string", - "description": "The S3 bucket prefix. Results stored in the root if not configured.\n" - }, - "s3Region": { - "type": "string", - "description": "The S3 bucket region.\n\nTargets specify what instance IDs or tags to apply the document to and has these keys:\n" - } - }, - "type": "object", - "required": [ - "s3BucketName" - ] - }, - "aws:ssm/AssociationTarget:AssociationTarget": { - "properties": { - "key": { - "type": "string", - "description": "Either `InstanceIds` or `tag:Tag Name` to specify an EC2 tag.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "A list of instance IDs or tag values. 
AWS currently limits this list size to one value.\n" - } - }, - "type": "object", - "required": [ - "key", - "values" - ] - }, - "aws:ssm/ContactsRotationRecurrence:ContactsRotationRecurrence": { - "properties": { - "dailySettings": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceDailySetting:ContactsRotationRecurrenceDailySetting" - } - }, - "monthlySettings": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceMonthlySetting:ContactsRotationRecurrenceMonthlySetting" - }, - "description": "(Optional) Information about on-call rotations that recur monthly. See Monthly Settings for more details.\n" - }, - "numberOfOnCalls": { - "type": "integer", - "description": "(Required) The number of contacts, or shift team members designated to be on call concurrently during a shift.\n" - }, - "recurrenceMultiplier": { - "type": "integer", - "description": "(Required) The number of days, weeks, or months a single rotation lasts.\n" - }, - "shiftCoverages": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceShiftCoverage:ContactsRotationRecurrenceShiftCoverage" - }, - "description": "(Optional) Information about the days of the week that the on-call rotation coverage includes. See Shift Coverages for more details.\n" - }, - "weeklySettings": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceWeeklySetting:ContactsRotationRecurrenceWeeklySetting" - }, - "description": "(Optional) Information about on-call rotations that recur weekly. 
See Weekly Settings for more details.\n" - } - }, - "type": "object", - "required": [ - "numberOfOnCalls", - "recurrenceMultiplier" - ] - }, - "aws:ssm/ContactsRotationRecurrenceDailySetting:ContactsRotationRecurrenceDailySetting": { - "properties": { - "hourOfDay": { - "type": "integer", - "description": "(Required) The hour of the day.\n" - }, - "minuteOfHour": { - "type": "integer", - "description": "(Required) The minutes of the hour.\n" - } - }, - "type": "object", - "required": [ - "hourOfDay", - "minuteOfHour" - ] - }, - "aws:ssm/ContactsRotationRecurrenceMonthlySetting:ContactsRotationRecurrenceMonthlySetting": { - "properties": { - "dayOfMonth": { - "type": "integer", - "description": "(Required) The day of the month when monthly recurring on-call rotations begin.\n" - }, - "handOffTime": { - "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceMonthlySettingHandOffTime:ContactsRotationRecurrenceMonthlySettingHandOffTime", - "description": "(Required) The hand off time. See Hand Off Time for more details.\n" - } - }, - "type": "object", - "required": [ - "dayOfMonth" - ] - }, - "aws:ssm/ContactsRotationRecurrenceMonthlySettingHandOffTime:ContactsRotationRecurrenceMonthlySettingHandOffTime": { - "properties": { - "hourOfDay": { - "type": "integer", - "description": "(Required) The hour of the day.\n" - }, - "minuteOfHour": { - "type": "integer", - "description": "(Required) The minutes of the hour.\n" - } - }, - "type": "object", - "required": [ - "hourOfDay", - "minuteOfHour" - ] - }, - "aws:ssm/ContactsRotationRecurrenceShiftCoverage:ContactsRotationRecurrenceShiftCoverage": { - "properties": { - "coverageTimes": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTime:ContactsRotationRecurrenceShiftCoverageCoverageTime" - }, - "description": "(Required) Information about when an on-call shift begins and ends. 
See Coverage Times for more details.\n" - }, - "mapBlockKey": { - "type": "string" - } - }, - "type": "object", - "required": [ - "mapBlockKey" - ] - }, - "aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTime:ContactsRotationRecurrenceShiftCoverageCoverageTime": { - "properties": { - "end": { - "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd:ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd", - "description": "(Required) The end time of the on-call shift. See Hand Off Time for more details.\n" - }, - "start": { - "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTimeStart:ContactsRotationRecurrenceShiftCoverageCoverageTimeStart", - "description": "(Required) The start time of the on-call shift. See Hand Off Time for more details.\n" - } - }, - "type": "object" - }, - "aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd:ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd": { - "properties": { - "hourOfDay": { - "type": "integer", - "description": "(Required) The hour of the day.\n" - }, - "minuteOfHour": { - "type": "integer", - "description": "(Required) The minutes of the hour.\n" - } - }, - "type": "object", - "required": [ - "hourOfDay", - "minuteOfHour" - ] - }, - "aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTimeStart:ContactsRotationRecurrenceShiftCoverageCoverageTimeStart": { - "properties": { - "hourOfDay": { - "type": "integer", - "description": "(Required) The hour of the day.\n" - }, - "minuteOfHour": { - "type": "integer", - "description": "(Required) The minutes of the hour.\n" - } - }, - "type": "object", - "required": [ - "hourOfDay", - "minuteOfHour" - ] - }, - "aws:ssm/ContactsRotationRecurrenceWeeklySetting:ContactsRotationRecurrenceWeeklySetting": { - "properties": { - "dayOfWeek": { - "type": "string", - "description": "(Required) The day of the week when the shift coverage occurs.\n" - }, - "handOffTime": { - "$ref": 
"#/types/aws:ssm/ContactsRotationRecurrenceWeeklySettingHandOffTime:ContactsRotationRecurrenceWeeklySettingHandOffTime", - "description": "(Required) The hand off time. See Hand Off Time for more details.\n" - } - }, - "type": "object", - "required": [ - "dayOfWeek" - ] - }, - "aws:ssm/ContactsRotationRecurrenceWeeklySettingHandOffTime:ContactsRotationRecurrenceWeeklySettingHandOffTime": { - "properties": { - "hourOfDay": { - "type": "integer", - "description": "(Required) The hour of the day.\n" - }, - "minuteOfHour": { - "type": "integer", - "description": "(Required) The minutes of the hour.\n" - } - }, - "type": "object", - "required": [ - "hourOfDay", - "minuteOfHour" - ] - }, - "aws:ssm/DocumentAttachmentsSource:DocumentAttachmentsSource": { - "properties": { - "key": { - "type": "string", - "description": "The key of a key-value pair that identifies the location of an attachment to the document. Valid values: `SourceUrl`, `S3FileUrl`, `AttachmentReference`.\n" - }, - "name": { - "type": "string", - "description": "The name of the document attachment file.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The value of a key-value pair that identifies the location of an attachment to the document. The argument format is a list of a single string that depends on the type of key you specify - see the [API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_AttachmentsSource.html) for details.\n" - } - }, - "type": "object", - "required": [ - "key", - "values" - ] - }, - "aws:ssm/DocumentParameter:DocumentParameter": { - "properties": { - "defaultValue": { - "type": "string", - "description": "If specified, the default values for the parameters. Parameters without a default value are required. 
Parameters with a default value are optional.\n" - }, - "description": { - "type": "string", - "description": "A description of what the parameter does, how to use it, the default value, and whether or not the parameter is optional.\n" - }, - "name": { - "type": "string", - "description": "The name of the document.\n" - }, - "type": { - "type": "string", - "description": "The type of parameter. Valid values: `String`, `StringList`.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "defaultValue", - "description", - "name", - "type" - ] - } - } - }, - "aws:ssm/MaintenanceWindowTargetTarget:MaintenanceWindowTargetTarget": { - "properties": { - "key": { - "type": "string" - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object", - "required": [ - "key", - "values" - ] - }, - "aws:ssm/MaintenanceWindowTaskTarget:MaintenanceWindowTaskTarget": { - "properties": { - "key": { - "type": "string" - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object", - "required": [ - "key", - "values" - ] - }, - "aws:ssm/MaintenanceWindowTaskTaskInvocationParameters:MaintenanceWindowTaskTaskInvocationParameters": { - "properties": { - "automationParameters": { - "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersAutomationParameters:MaintenanceWindowTaskTaskInvocationParametersAutomationParameters", - "description": "The parameters for an AUTOMATION task type. Documented below.\n" - }, - "lambdaParameters": { - "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersLambdaParameters:MaintenanceWindowTaskTaskInvocationParametersLambdaParameters", - "description": "The parameters for a LAMBDA task type. 
Documented below.\n" - }, - "runCommandParameters": { - "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters:MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters", - "description": "The parameters for a RUN_COMMAND task type. Documented below.\n" - }, - "stepFunctionsParameters": { - "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters:MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters", - "description": "The parameters for a STEP_FUNCTIONS task type. Documented below.\n" - } - }, - "type": "object" - }, - "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersAutomationParameters:MaintenanceWindowTaskTaskInvocationParametersAutomationParameters": { - "properties": { - "documentVersion": { - "type": "string", - "description": "The version of an Automation document to use during task execution.\n" - }, - "parameters": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter:MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter" - }, - "description": "The parameters for the RUN_COMMAND task execution. 
Documented below.\n" - } - }, - "type": "object" - }, - "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter:MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter": { - "properties": { - "name": { - "type": "string", - "description": "The parameter name.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The array of strings.\n" - } - }, - "type": "object", - "required": [ - "name", - "values" - ] - }, - "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersLambdaParameters:MaintenanceWindowTaskTaskInvocationParametersLambdaParameters": { - "properties": { - "clientContext": { - "type": "string", - "description": "Pass client-specific information to the Lambda function that you are invoking.\n" - }, - "payload": { - "type": "string", - "description": "JSON to provide to your Lambda function as input.\n", - "secret": true - }, - "qualifier": { - "type": "string", - "description": "Specify a Lambda function version or alias name.\n" - } - }, - "type": "object" - }, - "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters:MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters": { - "properties": { - "cloudwatchConfig": { - "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig", - "description": "Configuration options for sending command output to CloudWatch Logs. Documented below.\n" - }, - "comment": { - "type": "string", - "description": "Information about the command(s) to execute.\n" - }, - "documentHash": { - "type": "string", - "description": "The SHA-256 or SHA-1 hash created by the system when the document was created. SHA-1 hashes have been deprecated.\n" - }, - "documentHashType": { - "type": "string", - "description": "SHA-256 or SHA-1. SHA-1 hashes have been deprecated. 
Valid values: `Sha256` and `Sha1`\n" - }, - "documentVersion": { - "type": "string" - }, - "notificationConfig": { - "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig", - "description": "Configurations for sending notifications about command status changes on a per-instance basis. Documented below.\n" - }, - "outputS3Bucket": { - "type": "string", - "description": "The name of the Amazon S3 bucket.\n" - }, - "outputS3KeyPrefix": { - "type": "string", - "description": "The Amazon S3 bucket subfolder.\n" - }, - "parameters": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter" - }, - "description": "The parameters for the RUN_COMMAND task execution. Documented below.\n" - }, - "serviceRoleArn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for maintenance window Run Command tasks.\n" - }, - "timeoutSeconds": { - "type": "integer", - "description": "If this time is reached and the command has not already started executing, it doesn't run.\n" - } - }, - "type": "object" - }, - "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig": { - "properties": { - "cloudwatchLogGroupName": { - "type": "string", - "description": "The name of the CloudWatch log group where you want to send command output. If you don't specify a group name, Systems Manager automatically creates a log group for you. 
The log group uses the following naming format: aws/ssm/SystemsManagerDocumentName.\n" - }, - "cloudwatchOutputEnabled": { - "type": "boolean", - "description": "Enables Systems Manager to send command output to CloudWatch Logs.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "cloudwatchLogGroupName" - ] - } - } - }, - "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig": { - "properties": { - "notificationArn": { - "type": "string", - "description": "An Amazon Resource Name (ARN) for a Simple Notification Service (SNS) topic. Run Command pushes notifications about command status changes to this topic.\n" - }, - "notificationEvents": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The different events for which you can receive notifications. Valid values: `All`, `InProgress`, `Success`, `TimedOut`, `Cancelled`, and `Failed`\n" - }, - "notificationType": { - "type": "string", - "description": "When specified with `Command`, receive notification when the status of a command changes. When specified with `Invocation`, for commands sent to multiple instances, receive notification on a per-instance basis when the status of a command changes. 
Valid values: `Command` and `Invocation`\n" - } - }, - "type": "object" - }, - "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter": { - "properties": { - "name": { - "type": "string", - "description": "The parameter name.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The array of strings.\n" - } - }, - "type": "object", - "required": [ - "name", - "values" - ] - }, - "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters:MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters": { - "properties": { - "input": { - "type": "string", - "description": "The inputs for the STEP_FUNCTION task.\n", - "secret": true - }, - "name": { - "type": "string", - "description": "The name of the STEP_FUNCTION task.\n" - } - }, - "type": "object" - }, - "aws:ssm/ParameterType:ParameterType": { - "type": "string", - "enum": [ - { - "value": "String" - }, - { - "value": "StringList" - }, - { - "value": "SecureString" - } - ] - }, - "aws:ssm/PatchBaselineApprovalRule:PatchBaselineApprovalRule": { - "properties": { - "approveAfterDays": { - "type": "integer", - "description": "Number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100. Conflicts with `approve_until_date`.\n" - }, - "approveUntilDate": { - "type": "string", - "description": "Cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. Conflicts with `approve_after_days`\n" - }, - "complianceLevel": { - "type": "string", - "description": "Compliance level for patches approved by this rule. Valid values are `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, and `UNSPECIFIED`. 
The default value is `UNSPECIFIED`.\n" - }, - "enableNonSecurity": { - "type": "boolean", - "description": "Boolean enabling the application of non-security updates. The default value is `false`. Valid for Linux instances only.\n" - }, - "patchFilters": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssm/PatchBaselineApprovalRulePatchFilter:PatchBaselineApprovalRulePatchFilter" - }, - "description": "Patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid combinations of these Keys and the `operating_system` value can be found in the [SSM DescribePatchProperties API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribePatchProperties.html). Valid Values are exact values for the patch property given as the key, or a wildcard `*`, which matches all values. `PATCH_SET` defaults to `OS` if unspecified\n" - } - }, - "type": "object", - "required": [ - "patchFilters" - ] - }, - "aws:ssm/PatchBaselineApprovalRulePatchFilter:PatchBaselineApprovalRulePatchFilter": { - "properties": { - "key": { - "type": "string" - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object", - "required": [ - "key", - "values" - ] - }, - "aws:ssm/PatchBaselineGlobalFilter:PatchBaselineGlobalFilter": { - "properties": { - "key": { - "type": "string" - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object", - "required": [ - "key", - "values" - ] - }, - "aws:ssm/PatchBaselineSource:PatchBaselineSource": { - "properties": { - "configuration": { - "type": "string", - "description": "Value of the yum repo configuration. 
For information about other options available for your yum repository configuration, see the [`dnf.conf` documentation](https://man7.org/linux/man-pages/man5/dnf.conf.5.html)\n" - }, - "name": { - "type": "string", - "description": "Name specified to identify the patch source.\n" - }, - "products": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Specific operating system versions a patch repository applies to, such as `\"Ubuntu16.04\"`, `\"AmazonLinux2016.09\"`, `\"RedhatEnterpriseLinux7.2\"` or `\"Suse12.7\"`. For lists of supported product values, see [PatchFilter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchFilter.html).\n" - } - }, - "type": "object", - "required": [ - "configuration", - "name", - "products" - ] - }, - "aws:ssm/ResourceDataSyncS3Destination:ResourceDataSyncS3Destination": { - "properties": { - "bucketName": { - "type": "string", - "description": "Name of S3 bucket where the aggregated data is stored.\n", - "willReplaceOnChanges": true - }, - "kmsKeyArn": { - "type": "string", - "description": "ARN of an encryption key for a destination in Amazon S3.\n", - "willReplaceOnChanges": true - }, - "prefix": { - "type": "string", - "description": "Prefix for the bucket.\n", - "willReplaceOnChanges": true - }, - "region": { - "type": "string", - "description": "Region with the bucket targeted by the Resource Data Sync.\n", - "willReplaceOnChanges": true - }, - "syncFormat": { - "type": "string", - "description": "A supported sync format. Only JsonSerDe is currently supported. 
Defaults to JsonSerDe.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "bucketName", - "region" - ] - }, - "aws:ssm/getContactsRotationRecurrence:getContactsRotationRecurrence": { - "properties": { - "dailySettings": { - "type": "array", - "items": { - "$ref": "pulumi.json#/Any" - } - }, - "monthlySettings": { - "type": "array", - "items": { - "$ref": "pulumi.json#/Any" - } - }, - "numberOfOnCalls": { - "type": "integer" - }, - "recurrenceMultiplier": { - "type": "integer" - }, - "shiftCoverages": { - "type": "array", - "items": { - "$ref": "pulumi.json#/Any" - } - }, - "weeklySettings": { - "type": "array", - "items": { - "$ref": "pulumi.json#/Any" - } - } - }, - "type": "object", - "required": [ - "dailySettings", - "monthlySettings", - "numberOfOnCalls", - "recurrenceMultiplier", - "shiftCoverages", - "weeklySettings" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssm/getInstancesFilter:getInstancesFilter": { - "properties": { - "name": { - "type": "string", - "description": "Name of the filter field. Valid values can be found in the [SSM InstanceInformationStringFilter API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_InstanceInformationStringFilter.html).\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Set of values that are accepted for the given filter field. Results will be selected if any given value matches.\n" - } - }, - "type": "object", - "required": [ - "name", - "values" - ] - }, - "aws:ssm/getMaintenanceWindowsFilter:getMaintenanceWindowsFilter": { - "properties": { - "name": { - "type": "string", - "description": "Name of the filter field. 
Valid values can be found in the [SSM DescribeMaintenanceWindows API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeMaintenanceWindows.html#API_DescribeMaintenanceWindows_RequestSyntax).\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Set of values that are accepted for the given filter field. Results will be selected if any given value matches.\n" - } - }, - "type": "object", - "required": [ - "name", - "values" - ] - }, - "aws:ssm/getPatchBaselineApprovalRule:getPatchBaselineApprovalRule": { - "properties": { - "approveAfterDays": { - "type": "integer", - "description": "Number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline.\n" - }, - "approveUntilDate": { - "type": "string", - "description": "Cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. 
Conflicts with `approve_after_days`\n" - }, - "complianceLevel": { - "type": "string", - "description": "Compliance level for patches approved by this rule.\n" - }, - "enableNonSecurity": { - "type": "boolean", - "description": "Boolean enabling the application of non-security updates.\n" - }, - "patchFilters": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssm/getPatchBaselineApprovalRulePatchFilter:getPatchBaselineApprovalRulePatchFilter" - }, - "description": "Patch filter group that defines the criteria for the rule.\n" - } - }, - "type": "object", - "required": [ - "approveAfterDays", - "approveUntilDate", - "complianceLevel", - "enableNonSecurity", - "patchFilters" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssm/getPatchBaselineApprovalRulePatchFilter:getPatchBaselineApprovalRulePatchFilter": { - "properties": { - "key": { - "type": "string", - "description": "Key for the filter.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Value for the filter.\n" - } - }, - "type": "object", - "required": [ - "key", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssm/getPatchBaselineGlobalFilter:getPatchBaselineGlobalFilter": { - "properties": { - "key": { - "type": "string", - "description": "Key for the filter.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Value for the filter.\n" - } - }, - "type": "object", - "required": [ - "key", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssm/getPatchBaselineSource:getPatchBaselineSource": { - "properties": { - "configuration": { - "type": "string", - "description": "Value of the yum repo configuration.\n" - }, - "name": { - "type": "string", - "description": "Name specified to identify the patch source.\n" - }, - "products": { - "type": "array", - "items": { - "type": "string" - }, - "description": 
"Specific operating system versions a patch repository applies to.\n" - } - }, - "type": "object", - "required": [ - "configuration", - "name", - "products" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmcontacts/ContactChannelDeliveryAddress:ContactChannelDeliveryAddress": { - "properties": { - "simpleAddress": { - "type": "string", - "description": "Details to engage this contact channel. The expected format depends on the contact channel type and is described in the [`ContactChannelAddress` section of the SSM Contacts API Reference](https://docs.aws.amazon.com/incident-manager/latest/APIReference/API_SSMContacts_ContactChannelAddress.html).\n" - } - }, - "type": "object", - "required": [ - "simpleAddress" - ] - }, - "aws:ssmcontacts/PlanStage:PlanStage": { - "properties": { - "durationInMinutes": { - "type": "integer", - "description": "The time to wait until beginning the next stage. The duration can only be set to 0 if a target is specified.\n" - }, - "targets": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmcontacts/PlanStageTarget:PlanStageTarget" - }, - "description": "One or more configuration blocks for specifying the contacts or contact methods that the escalation plan or engagement plan is engaging. See Target below for more details.\n" - } - }, - "type": "object", - "required": [ - "durationInMinutes" - ] - }, - "aws:ssmcontacts/PlanStageTarget:PlanStageTarget": { - "properties": { - "channelTargetInfo": { - "$ref": "#/types/aws:ssmcontacts/PlanStageTargetChannelTargetInfo:PlanStageTargetChannelTargetInfo", - "description": "A configuration block for specifying information about the contact channel that Incident Manager engages. 
See Channel Target Info for more details.\n" - }, - "contactTargetInfo": { - "$ref": "#/types/aws:ssmcontacts/PlanStageTargetContactTargetInfo:PlanStageTargetContactTargetInfo", - "description": "A configuration block for specifying information about the contact that Incident Manager engages. See Contact Target Info for more details.\n" - } - }, - "type": "object" - }, - "aws:ssmcontacts/PlanStageTargetChannelTargetInfo:PlanStageTargetChannelTargetInfo": { - "properties": { - "contactChannelId": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the contact channel.\n" - }, - "retryIntervalInMinutes": { - "type": "integer", - "description": "The number of minutes to wait before retrying to send engagement if the engagement initially failed.\n" - } - }, - "type": "object", - "required": [ - "contactChannelId" - ] - }, - "aws:ssmcontacts/PlanStageTargetContactTargetInfo:PlanStageTargetContactTargetInfo": { - "properties": { - "contactId": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the contact.\n" - }, - "isEssential": { - "type": "boolean", - "description": "A Boolean value determining if the contact's acknowledgement stops the progress of stages in the plan.\n" - } - }, - "type": "object", - "required": [ - "isEssential" - ] - }, - "aws:ssmcontacts/getContactChannelDeliveryAddress:getContactChannelDeliveryAddress": { - "properties": { - "simpleAddress": { - "type": "string" - } - }, - "type": "object", - "required": [ - "simpleAddress" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmcontacts/getPlanStage:getPlanStage": { - "properties": { - "durationInMinutes": { - "type": "integer" - }, - "targets": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmcontacts/getPlanStageTarget:getPlanStageTarget" - } - } - }, - "type": "object", - "required": [ - "durationInMinutes", - "targets" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - 
"aws:ssmcontacts/getPlanStageTarget:getPlanStageTarget": { - "properties": { - "channelTargetInfos": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmcontacts/getPlanStageTargetChannelTargetInfo:getPlanStageTargetChannelTargetInfo" - } - }, - "contactTargetInfos": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmcontacts/getPlanStageTargetContactTargetInfo:getPlanStageTargetContactTargetInfo" - } - } - }, - "type": "object", - "required": [ - "channelTargetInfos", - "contactTargetInfos" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmcontacts/getPlanStageTargetChannelTargetInfo:getPlanStageTargetChannelTargetInfo": { - "properties": { - "contactChannelId": { - "type": "string" - }, - "retryIntervalInMinutes": { - "type": "integer" - } - }, - "type": "object", - "required": [ - "contactChannelId", - "retryIntervalInMinutes" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmcontacts/getPlanStageTargetContactTargetInfo:getPlanStageTargetContactTargetInfo": { - "properties": { - "contactId": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the contact or escalation plan.\n" - }, - "isEssential": { - "type": "boolean" - } - }, - "type": "object", - "required": [ - "contactId", - "isEssential" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmincidents/ReplicationSetRegion:ReplicationSetRegion": { - "properties": { - "kmsKeyArn": { - "type": "string", - "description": "The Amazon Resource name (ARN) of the customer managed key. 
If omitted, AWS manages the AWS KMS keys for you, using an AWS owned key, as indicated by a default value of `DefaultKey`.\n\nThe following arguments are optional:\n" - }, - "name": { - "type": "string", - "description": "The name of the Region, such as `ap-southeast-2`.\n" - }, - "status": { - "type": "string", - "description": "The current status of the Region.\n* Valid Values: `ACTIVE` | `CREATING` | `UPDATING` | `DELETING` | `FAILED`\n" - }, - "statusMessage": { - "type": "string", - "description": "More information about the status of a Region.\n" - } - }, - "type": "object", - "required": [ - "name" - ], - "language": { - "nodejs": { - "requiredOutputs": [ - "name", - "status", - "statusMessage" - ] - } - } - }, - "aws:ssmincidents/ResponsePlanAction:ResponsePlanAction": { - "properties": { - "ssmAutomations": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmincidents/ResponsePlanActionSsmAutomation:ResponsePlanActionSsmAutomation" - } - } - }, - "type": "object" - }, - "aws:ssmincidents/ResponsePlanActionSsmAutomation:ResponsePlanActionSsmAutomation": { - "properties": { - "documentName": { - "type": "string" - }, - "documentVersion": { - "type": "string" - }, - "dynamicParameters": { - "type": "object", - "additionalProperties": { - "type": "string" - } - }, - "parameters": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmincidents/ResponsePlanActionSsmAutomationParameter:ResponsePlanActionSsmAutomationParameter" - } - }, - "roleArn": { - "type": "string" - }, - "targetAccount": { - "type": "string" - } - }, - "type": "object", - "required": [ - "documentName", - "roleArn" - ] - }, - "aws:ssmincidents/ResponsePlanActionSsmAutomationParameter:ResponsePlanActionSsmAutomationParameter": { - "properties": { - "name": { - "type": "string", - "description": "The name of the response plan.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object", - "required": [ - "name", - "values" - ] - }, - 
"aws:ssmincidents/ResponsePlanIncidentTemplate:ResponsePlanIncidentTemplate": { - "properties": { - "dedupeString": { - "type": "string", - "description": "A string used to stop Incident Manager from creating multiple incident records for the same incident.\n" - }, - "impact": { - "type": "integer", - "description": "The impact value of a generated incident. The following values are supported:\n" - }, - "incidentTags": { - "type": "object", - "additionalProperties": { - "type": "string" - }, - "description": "The tags assigned to an incident template. When an incident starts, Incident Manager assigns the tags specified in the template to the incident.\n" - }, - "notificationTargets": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmincidents/ResponsePlanIncidentTemplateNotificationTarget:ResponsePlanIncidentTemplateNotificationTarget" - }, - "description": "The Amazon Simple Notification Service (Amazon SNS) targets that this incident notifies when it is updated. The `notification_target` configuration block supports the following argument:\n" - }, - "summary": { - "type": "string", - "description": "The summary of an incident.\n" - }, - "title": { - "type": "string", - "description": "The title of a generated incident.\n" - } - }, - "type": "object", - "required": [ - "impact", - "title" - ] - }, - "aws:ssmincidents/ResponsePlanIncidentTemplateNotificationTarget:ResponsePlanIncidentTemplateNotificationTarget": { - "properties": { - "snsTopicArn": { - "type": "string", - "description": "The ARN of the Amazon SNS topic.\n\nThe following arguments are optional:\n" - } - }, - "type": "object", - "required": [ - "snsTopicArn" - ] - }, - "aws:ssmincidents/ResponsePlanIntegration:ResponsePlanIntegration": { - "properties": { - "pagerduties": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmincidents/ResponsePlanIntegrationPagerduty:ResponsePlanIntegrationPagerduty" - } - } - }, - "type": "object" - }, - 
"aws:ssmincidents/ResponsePlanIntegrationPagerduty:ResponsePlanIntegrationPagerduty": { - "properties": { - "name": { - "type": "string", - "description": "The name of the response plan.\n" - }, - "secretId": { - "type": "string" - }, - "serviceId": { - "type": "string" - } - }, - "type": "object", - "required": [ - "name", - "secretId", - "serviceId" - ] - }, - "aws:ssmincidents/getReplicationSetRegion:getReplicationSetRegion": { - "properties": { - "kmsKeyArn": { - "type": "string", - "description": "The ARN of the AWS Key Management Service (AWS KMS) encryption key.\n" - }, - "name": { - "type": "string", - "description": "The name of the Region.\n" - }, - "status": { - "type": "string", - "description": "The current status of the Region.\n* Valid Values: `ACTIVE` | `CREATING` | `UPDATING` | `DELETING` | `FAILED`\n" - }, - "statusMessage": { - "type": "string", - "description": "More information about the status of a Region.\n" - } - }, - "type": "object", - "required": [ - "kmsKeyArn", - "name", - "status", - "statusMessage" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmincidents/getResponsePlanAction:getResponsePlanAction": { - "properties": { - "ssmAutomations": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmincidents/getResponsePlanActionSsmAutomation:getResponsePlanActionSsmAutomation" - }, - "description": "The Systems Manager automation document to start as the runbook at the beginning of the incident. 
The following values are supported:\n" - } - }, - "type": "object", - "required": [ - "ssmAutomations" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmincidents/getResponsePlanActionSsmAutomation:getResponsePlanActionSsmAutomation": { - "properties": { - "documentName": { - "type": "string", - "description": "The automation document's name.\n" - }, - "documentVersion": { - "type": "string", - "description": "The version of the automation document to use at runtime.\n" - }, - "dynamicParameters": { - "type": "object", - "additionalProperties": { - "type": "string" - }, - "description": "The key-value pair used to resolve dynamic parameter values when processing a Systems Manager Automation runbook.\n" - }, - "parameters": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmincidents/getResponsePlanActionSsmAutomationParameter:getResponsePlanActionSsmAutomationParameter" - }, - "description": "The key-value pair parameters used when the automation document runs. The following values are supported:\n" - }, - "roleArn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the role that the automation document assumes when it runs commands.\n" - }, - "targetAccount": { - "type": "string", - "description": "The account that runs the automation document. 
This can be in either the management account or an application account.\n" - } - }, - "type": "object", - "required": [ - "documentName", - "documentVersion", - "dynamicParameters", - "parameters", - "roleArn", - "targetAccount" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmincidents/getResponsePlanActionSsmAutomationParameter:getResponsePlanActionSsmAutomationParameter": { - "properties": { - "name": { - "type": "string", - "description": "The name of the PagerDuty configuration.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "The values for the associated parameter name.\n" - } - }, - "type": "object", - "required": [ - "name", - "values" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmincidents/getResponsePlanIncidentTemplate:getResponsePlanIncidentTemplate": { - "properties": { - "dedupeString": { - "type": "string", - "description": "A string used to stop Incident Manager from creating multiple incident records for the same incident.\n" - }, - "impact": { - "type": "integer", - "description": "The impact value of a generated incident. The following values are supported:\n" - }, - "incidentTags": { - "type": "object", - "additionalProperties": { - "type": "string" - }, - "description": "The tags assigned to an incident template. When an incident starts, Incident Manager assigns the tags specified in the template to the incident.\n" - }, - "notificationTargets": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmincidents/getResponsePlanIncidentTemplateNotificationTarget:getResponsePlanIncidentTemplateNotificationTarget" - }, - "description": "The Amazon Simple Notification Service (Amazon SNS) targets that this incident notifies when it is updated. 
The `notification_target` configuration block supports the following argument:\n" - }, - "summary": { - "type": "string", - "description": "The summary of an incident.\n" - }, - "title": { - "type": "string", - "description": "The title of a generated incident.\n" - } - }, - "type": "object", - "required": [ - "dedupeString", - "impact", - "incidentTags", - "notificationTargets", - "summary", - "title" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmincidents/getResponsePlanIncidentTemplateNotificationTarget:getResponsePlanIncidentTemplateNotificationTarget": { - "properties": { - "snsTopicArn": { - "type": "string", - "description": "The ARN of the Amazon SNS topic.\n" - } - }, - "type": "object", - "required": [ - "snsTopicArn" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmincidents/getResponsePlanIntegration:getResponsePlanIntegration": { - "properties": { - "pagerduties": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssmincidents/getResponsePlanIntegrationPagerduty:getResponsePlanIntegrationPagerduty" - }, - "description": "Details about the PagerDuty configuration for a response plan. 
The following values are supported:\n" - } - }, - "type": "object", - "required": [ - "pagerduties" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssmincidents/getResponsePlanIntegrationPagerduty:getResponsePlanIntegrationPagerduty": { - "properties": { - "name": { - "type": "string", - "description": "The name of the PagerDuty configuration.\n" - }, - "secretId": { - "type": "string", - "description": "The ID of the AWS Secrets Manager secret that stores your PagerDuty key \u0026mdash; either a General Access REST API Key or User Token REST API Key \u0026mdash; and other user credentials.\n" - }, - "serviceId": { - "type": "string", - "description": "The ID of the PagerDuty service that the response plan associates with an incident when it launches.\n" - } - }, - "type": "object", - "required": [ - "name", - "secretId", - "serviceId" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssoadmin/ApplicationPortalOptions:ApplicationPortalOptions": { - "properties": { - "signInOptions": { - "$ref": "#/types/aws:ssoadmin/ApplicationPortalOptionsSignInOptions:ApplicationPortalOptionsSignInOptions", - "description": "Sign-in options for the access portal. See `sign_in_options` below.\n" - }, - "visibility": { - "type": "string", - "description": "Indicates whether this application is visible in the access portal. 
Valid values are `ENABLED` and `DISABLED`.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "visibility" - ] - } - } - }, - "aws:ssoadmin/ApplicationPortalOptionsSignInOptions:ApplicationPortalOptionsSignInOptions": { - "properties": { - "applicationUrl": { - "type": "string", - "description": "URL that accepts authentication requests for an application.\n" - }, - "origin": { - "type": "string", - "description": "Determines how IAM Identity Center navigates the user to the target application.\nValid values are `APPLICATION` and `IDENTITY_CENTER`.\nIf `APPLICATION` is set, IAM Identity Center redirects the customer to the configured `application_url`.\nIf `IDENTITY_CENTER` is set, IAM Identity Center uses SAML identity-provider initiated authentication to sign the customer directly into a SAML-based application.\n" - } - }, - "type": "object", - "required": [ - "origin" - ] - }, - "aws:ssoadmin/CustomerManagedPolicyAttachmentCustomerManagedPolicyReference:CustomerManagedPolicyAttachmentCustomerManagedPolicyReference": { - "properties": { - "name": { - "type": "string", - "description": "Name of the customer managed IAM Policy to be attached.\n", - "willReplaceOnChanges": true - }, - "path": { - "type": "string", - "description": "The path to the IAM policy to be attached. The default is `/`. 
See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) for more information.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:ssoadmin/InstanceAccessControlAttributesAttribute:InstanceAccessControlAttributesAttribute": { - "properties": { - "key": { - "type": "string" - }, - "values": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssoadmin/InstanceAccessControlAttributesAttributeValue:InstanceAccessControlAttributesAttributeValue" - } - } - }, - "type": "object", - "required": [ - "key", - "values" - ] - }, - "aws:ssoadmin/InstanceAccessControlAttributesAttributeValue:InstanceAccessControlAttributesAttributeValue": { - "properties": { - "sources": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object", - "required": [ - "sources" - ] - }, - "aws:ssoadmin/PermissionsBoundaryAttachmentPermissionsBoundary:PermissionsBoundaryAttachmentPermissionsBoundary": { - "properties": { - "customerManagedPolicyReference": { - "$ref": "#/types/aws:ssoadmin/PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference:PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference", - "description": "Specifies the name and path of a customer managed policy. 
See below.\n", - "willReplaceOnChanges": true - }, - "managedPolicyArn": { - "type": "string", - "description": "AWS-managed IAM policy ARN to use as the permissions boundary.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:ssoadmin/PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference:PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference": { - "properties": { - "name": { - "type": "string", - "description": "Name of the customer managed IAM Policy to be attached.\n", - "willReplaceOnChanges": true - }, - "path": { - "type": "string", - "description": "The path to the IAM policy to be attached. The default is `/`. See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) for more information.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:ssoadmin/TrustedTokenIssuerTrustedTokenIssuerConfiguration:TrustedTokenIssuerTrustedTokenIssuerConfiguration": { - "properties": { - "oidcJwtConfiguration": { - "$ref": "#/types/aws:ssoadmin/TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration:TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration", - "description": "A block that describes the settings for a trusted token issuer that works with OpenID Connect (OIDC) by using JSON Web Tokens (JWT). See Documented below below.\n" - } - }, - "type": "object" - }, - "aws:ssoadmin/TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration:TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration": { - "properties": { - "claimAttributePath": { - "type": "string", - "description": "Specifies the path of the source attribute in the JWT from the trusted token issuer.\n" - }, - "identityStoreAttributePath": { - "type": "string", - "description": "Specifies path of the destination attribute in a JWT from IAM Identity Center. 
The attribute mapped by this JMESPath expression is compared against the attribute mapped by `claim_attribute_path` when a trusted token issuer token is exchanged for an IAM Identity Center token.\n" - }, - "issuerUrl": { - "type": "string", - "description": "Specifies the URL that IAM Identity Center uses for OpenID Discovery. OpenID Discovery is used to obtain the information required to verify the tokens that the trusted token issuer generates.\n" - }, - "jwksRetrievalOption": { - "type": "string", - "description": "The method that the trusted token issuer can use to retrieve the JSON Web Key Set used to verify a JWT. Valid values are `OPEN_ID_DISCOVERY`\n" - } - }, - "type": "object", - "required": [ - "claimAttributePath", - "identityStoreAttributePath", - "issuerUrl", - "jwksRetrievalOption" - ] - }, - "aws:ssoadmin/getApplicationAssignmentsApplicationAssignment:getApplicationAssignmentsApplicationAssignment": { - "properties": { - "applicationArn": { - "type": "string", - "description": "ARN of the application.\n" - }, - "principalId": { - "type": "string", - "description": "An identifier for an object in IAM Identity Center, such as a user or group.\n" - }, - "principalType": { - "type": "string", - "description": "Entity type for which the assignment will be created. 
Valid values are `USER` or `GROUP`.\n" - } - }, - "type": "object", - "required": [ - "applicationArn", - "principalId", - "principalType" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssoadmin/getApplicationPortalOption:getApplicationPortalOption": { - "properties": { - "signInOptions": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssoadmin/getApplicationPortalOptionSignInOption:getApplicationPortalOptionSignInOption" - } - }, - "visibility": { - "type": "string" - } - }, - "type": "object", - "required": [ - "visibility" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssoadmin/getApplicationPortalOptionSignInOption:getApplicationPortalOptionSignInOption": { - "properties": { - "applicationUrl": { - "type": "string" - }, - "origin": { - "type": "string" - } - }, - "type": "object", - "required": [ - "applicationUrl", - "origin" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssoadmin/getApplicationProvidersApplicationProvider:getApplicationProvidersApplicationProvider": { - "properties": { - "applicationProviderArn": { - "type": "string", - "description": "ARN of the application provider.\n" - }, - "displayDatas": { - "type": "array", - "items": { - "$ref": "#/types/aws:ssoadmin/getApplicationProvidersApplicationProviderDisplayData:getApplicationProvidersApplicationProviderDisplayData" - }, - "description": "An object describing how IAM Identity Center represents the application provider in the portal. See `display_data` below.\n" - }, - "federationProtocol": { - "type": "string", - "description": "Protocol that the application provider uses to perform federation. 
Valid values are `SAML` and `OAUTH`.\n" - } - }, - "type": "object", - "required": [ - "applicationProviderArn", - "federationProtocol" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssoadmin/getApplicationProvidersApplicationProviderDisplayData:getApplicationProvidersApplicationProviderDisplayData": { - "properties": { - "description": { - "type": "string", - "description": "Description of the application provider.\n" - }, - "displayName": { - "type": "string", - "description": "Name of the application provider.\n" - }, - "iconUrl": { - "type": "string", - "description": "URL that points to an icon that represents the application provider.\n" - } - }, - "type": "object", - "required": [ - "description", - "displayName", - "iconUrl" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:ssoadmin/getPrincipalApplicationAssignmentsApplicationAssignment:getPrincipalApplicationAssignmentsApplicationAssignment": { - "properties": { - "applicationArn": { - "type": "string", - "description": "ARN of the application.\n" - }, - "principalId": { - "type": "string", - "description": "An identifier for an object in IAM Identity Center, such as a user or group.\n" - }, - "principalType": { - "type": "string", - "description": "Entity type for which the assignment will be created. Valid values are `USER` or `GROUP`.\n" - } - }, - "type": "object", - "required": [ - "applicationArn", - "principalId", - "principalType" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:storagegateway/FileSystemAssociationCacheAttributes:FileSystemAssociationCacheAttributes": { - "properties": { - "cacheStaleTimeoutInSeconds": { - "type": "integer", - "description": "Refreshes a file share's cache by using Time To Live (TTL).\nTTL is the length of time since the last refresh after which access to the directory would cause the file gateway\nto first refresh that directory's contents from the Amazon S3 bucket. 
Valid Values: `0` or `300` to `2592000` seconds (5 minutes to 30 days). Defaults to `0`\n" - } - }, - "type": "object" - }, - "aws:storagegateway/GatewayGatewayNetworkInterface:GatewayGatewayNetworkInterface": { - "properties": { - "ipv4Address": { - "type": "string", - "description": "The Internet Protocol version 4 (IPv4) address of the interface.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "ipv4Address" - ] - } - } - }, - "aws:storagegateway/GatewayMaintenanceStartTime:GatewayMaintenanceStartTime": { - "properties": { - "dayOfMonth": { - "type": "string", - "description": "The day of the month component of the maintenance start time represented as an ordinal number from 1 to 28, where 1 represents the first day of the month and 28 represents the last day of the month.\n" - }, - "dayOfWeek": { - "type": "string", - "description": "The day of the week component of the maintenance start time week represented as an ordinal number from 0 to 6, where 0 represents Sunday and 6 Saturday.\n" - }, - "hourOfDay": { - "type": "integer", - "description": "The hour component of the maintenance start time represented as _hh_, where _hh_ is the hour (00 to 23). The hour of the day is in the time zone of the gateway.\n" - }, - "minuteOfHour": { - "type": "integer", - "description": "The minute component of the maintenance start time represented as _mm_, where _mm_ is the minute (00 to 59). The minute of the hour is in the time zone of the gateway.\n" - } - }, - "type": "object", - "required": [ - "hourOfDay" - ] - }, - "aws:storagegateway/GatewaySmbActiveDirectorySettings:GatewaySmbActiveDirectorySettings": { - "properties": { - "activeDirectoryStatus": { - "type": "string" - }, - "domainControllers": { - "type": "array", - "items": { - "type": "string" - }, - "description": "List of IPv4 addresses, NetBIOS names, or host names of your domain server.\nIf you need to specify the port number include it after the colon (“:”). 
For example, `mydc.mydomain.com:389`.\n" - }, - "domainName": { - "type": "string", - "description": "The name of the domain that you want the gateway to join.\n" - }, - "organizationalUnit": { - "type": "string", - "description": "The organizational unit (OU) is a container in an Active Directory that can hold users, groups,\ncomputers, and other OUs and this parameter specifies the OU that the gateway will join within the AD domain.\n" - }, - "password": { - "type": "string", - "description": "The password of the user who has permission to add the gateway to the Active Directory domain.\n", - "secret": true - }, - "timeoutInSeconds": { - "type": "integer", - "description": "Specifies the time in seconds, in which the JoinDomain operation must complete. The default is `20` seconds.\n" - }, - "username": { - "type": "string", - "description": "The user name of user who has permission to add the gateway to the Active Directory domain.\n" - } - }, - "type": "object", - "required": [ - "domainName", - "password", - "username" - ], - "language": { - "nodejs": { - "requiredOutputs": [ - "activeDirectoryStatus", - "domainName", - "password", - "username" - ] - } - } - }, - "aws:storagegateway/NfsFileShareCacheAttributes:NfsFileShareCacheAttributes": { - "properties": { - "cacheStaleTimeoutInSeconds": { - "type": "integer", - "description": "Refreshes a file share's cache by using Time To Live (TTL).\nTTL is the length of time since the last refresh after which access to the directory would cause the file gateway\nto first refresh that directory's contents from the Amazon S3 bucket. Valid Values: 300 to 2,592,000 seconds (5 minutes to 30 days)\n" - } - }, - "type": "object" - }, - "aws:storagegateway/NfsFileShareNfsFileShareDefaults:NfsFileShareNfsFileShareDefaults": { - "properties": { - "directoryMode": { - "type": "string", - "description": "The Unix directory mode in the string form \"nnnn\". 
Defaults to `\"0777\"`.\n" - }, - "fileMode": { - "type": "string", - "description": "The Unix file mode in the string form \"nnnn\". Defaults to `\"0666\"`.\n" - }, - "groupId": { - "type": "string", - "description": "The default group ID for the file share (unless the files have another group ID specified). Defaults to `65534` (`nfsnobody`). Valid values: `0` through `4294967294`.\n" - }, - "ownerId": { - "type": "string", - "description": "The default owner ID for the file share (unless the files have another owner ID specified). Defaults to `65534` (`nfsnobody`). Valid values: `0` through `4294967294`.\n" - } - }, - "type": "object" - }, - "aws:storagegateway/SmbFileShareCacheAttributes:SmbFileShareCacheAttributes": { - "properties": { - "cacheStaleTimeoutInSeconds": { - "type": "integer", - "description": "Refreshes a file share's cache by using Time To Live (TTL).\nTTL is the length of time since the last refresh after which access to the directory would cause the file gateway\nto first refresh that directory's contents from the Amazon S3 bucket. Valid Values: 300 to 2,592,000 seconds (5 minutes to 30 days)\n" - } - }, - "type": "object" - }, - "aws:synthetics/CanaryArtifactConfig:CanaryArtifactConfig": { - "properties": { - "s3Encryption": { - "$ref": "#/types/aws:synthetics/CanaryArtifactConfigS3Encryption:CanaryArtifactConfigS3Encryption", - "description": "Configuration of the encryption-at-rest settings for artifacts that the canary uploads to Amazon S3. See S3 Encryption.\n" - } - }, - "type": "object" - }, - "aws:synthetics/CanaryArtifactConfigS3Encryption:CanaryArtifactConfigS3Encryption": { - "properties": { - "encryptionMode": { - "type": "string", - "description": "The encryption method to use for artifacts created by this canary. 
Valid values are: `SSE_S3` and `SSE_KMS`.\n" - }, - "kmsKeyArn": { - "type": "string", - "description": "The ARN of the customer-managed KMS key to use, if you specify `SSE_KMS` for `encryption_mode`.\n" - } - }, - "type": "object" - }, - "aws:synthetics/CanaryRunConfig:CanaryRunConfig": { - "properties": { - "activeTracing": { - "type": "boolean", - "description": "Whether this canary is to use active AWS X-Ray tracing when it runs. You can enable active tracing only for canaries that use version syn-nodejs-2.0 or later for their canary runtime.\n" - }, - "environmentVariables": { - "type": "object", - "additionalProperties": { - "type": "string" - }, - "description": "Map of environment variables that are accessible from the canary during execution. Please see [AWS Docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime) for variables reserved for Lambda.\n" - }, - "memoryInMb": { - "type": "integer", - "description": "Maximum amount of memory available to the canary while it is running, in MB. The value you specify must be a multiple of 64.\n" - }, - "timeoutInSeconds": { - "type": "integer", - "description": "Number of seconds the canary is allowed to run before it must stop. If you omit this field, the frequency of the canary is used, up to a maximum of 840 (14 minutes).\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "memoryInMb" - ] - } - } - }, - "aws:synthetics/CanarySchedule:CanarySchedule": { - "properties": { - "durationInSeconds": { - "type": "integer", - "description": "Duration in seconds, for the canary to continue making regular runs according to the schedule in the Expression value.\n" - }, - "expression": { - "type": "string", - "description": "Rate expression or cron expression that defines how often the canary is to run. For rate expression, the syntax is `rate(number unit)`. _unit_ can be `minute`, `minutes`, or `hour`. 
For cron expression, the syntax is `cron(expression)`. For more information about the syntax for cron expressions, see [Scheduling canary runs using cron](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_cron.html).\n" - } - }, - "type": "object", - "required": [ - "expression" - ] - }, - "aws:synthetics/CanaryTimeline:CanaryTimeline": { - "properties": { - "created": { - "type": "string", - "description": "Date and time the canary was created.\n" - }, - "lastModified": { - "type": "string", - "description": "Date and time the canary was most recently modified.\n" - }, - "lastStarted": { - "type": "string", - "description": "Date and time that the canary's most recent run started.\n" - }, - "lastStopped": { - "type": "string", - "description": "Date and time that the canary's most recent run ended.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "created", - "lastModified", - "lastStarted", - "lastStopped" - ] - } - } - }, - "aws:synthetics/CanaryVpcConfig:CanaryVpcConfig": { - "properties": { - "securityGroupIds": { - "type": "array", - "items": { - "type": "string" - }, - "description": "IDs of the security groups for this canary.\n" - }, - "subnetIds": { - "type": "array", - "items": { - "type": "string" - }, - "description": "IDs of the subnets where this canary is to run.\n" - }, - "vpcId": { - "type": "string", - "description": "ID of the VPC where this canary is to run.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "vpcId" - ] - } - } - }, - "aws:timestreamwrite/TableMagneticStoreWriteProperties:TableMagneticStoreWriteProperties": { - "properties": { - "enableMagneticStoreWrites": { - "type": "boolean", - "description": "A flag to enable magnetic store writes.\n" - }, - "magneticStoreRejectedDataLocation": { - "$ref": 
"#/types/aws:timestreamwrite/TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation:TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation", - "description": "The location to write error reports for records rejected asynchronously during magnetic store writes. See Magnetic Store Rejected Data Location below for more details.\n" - } - }, - "type": "object" - }, - "aws:timestreamwrite/TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation:TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation": { - "properties": { - "s3Configuration": { - "$ref": "#/types/aws:timestreamwrite/TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration:TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration", - "description": "Configuration of an S3 location to write error reports for records rejected, asynchronously, during magnetic store writes. See S3 Configuration below for more details.\n" - } - }, - "type": "object" - }, - "aws:timestreamwrite/TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration:TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration": { - "properties": { - "bucketName": { - "type": "string", - "description": "Bucket name of the customer S3 bucket.\n" - }, - "encryptionOption": { - "type": "string", - "description": "Encryption option for the customer s3 location. Options are S3 server side encryption with an S3-managed key or KMS managed key. 
Valid values are `SSE_KMS` and `SSE_S3`.\n" - }, - "kmsKeyId": { - "type": "string", - "description": "KMS key arn for the customer s3 location when encrypting with a KMS managed key.\n" - }, - "objectKeyPrefix": { - "type": "string", - "description": "Object key prefix for the customer S3 location.\n" - } - }, - "type": "object" - }, - "aws:timestreamwrite/TableRetentionProperties:TableRetentionProperties": { - "properties": { - "magneticStoreRetentionPeriodInDays": { - "type": "integer", - "description": "The duration for which data must be stored in the magnetic store. Minimum value of 1. Maximum value of 73000.\n" - }, - "memoryStoreRetentionPeriodInHours": { - "type": "integer", - "description": "The duration for which data must be stored in the memory store. Minimum value of 1. Maximum value of 8766.\n" - } - }, - "type": "object", - "required": [ - "magneticStoreRetentionPeriodInDays", - "memoryStoreRetentionPeriodInHours" - ] - }, - "aws:timestreamwrite/TableSchema:TableSchema": { - "properties": { - "compositePartitionKey": { - "$ref": "#/types/aws:timestreamwrite/TableSchemaCompositePartitionKey:TableSchemaCompositePartitionKey", - "description": "A non-empty list of partition keys defining the attributes used to partition the table data. The order of the list determines the partition hierarchy. The name and type of each partition key as well as the partition key order cannot be changed after the table is created. However, the enforcement level of each partition key can be changed. See Composite Partition Key below for more details.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "compositePartitionKey" - ] - } - } - }, - "aws:timestreamwrite/TableSchemaCompositePartitionKey:TableSchemaCompositePartitionKey": { - "properties": { - "enforcementInRecord": { - "type": "string", - "description": "The level of enforcement for the specification of a dimension key in ingested records. 
Valid values: `REQUIRED`, `OPTIONAL`.\n" - }, - "name": { - "type": "string", - "description": "The name of the attribute used for a dimension key.\n", - "willReplaceOnChanges": true - }, - "type": { - "type": "string", - "description": "The type of the partition key. Valid values: `DIMENSION`, `MEASURE`.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:transcribe/LanguageModelInputDataConfig:LanguageModelInputDataConfig": { - "properties": { - "dataAccessRoleArn": { - "type": "string", - "description": "IAM role with access to S3 bucket.\n", - "willReplaceOnChanges": true - }, - "s3Uri": { - "type": "string", - "description": "S3 URI where training data is located.\n", - "willReplaceOnChanges": true - }, - "tuningDataS3Uri": { - "type": "string", - "description": "S3 URI where tuning data is located.\n\nThe following arguments are optional:\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "dataAccessRoleArn", - "s3Uri" - ], - "language": { - "nodejs": { - "requiredOutputs": [ - "dataAccessRoleArn", - "s3Uri", - "tuningDataS3Uri" - ] - } - } - }, - "aws:transfer/AccessHomeDirectoryMapping:AccessHomeDirectoryMapping": { - "properties": { - "entry": { - "type": "string", - "description": "Represents an entry and a target.\n" - }, - "target": { - "type": "string", - "description": "Represents the map target.\n" - } - }, - "type": "object", - "required": [ - "entry", - "target" - ] - }, - "aws:transfer/AccessPosixProfile:AccessPosixProfile": { - "properties": { - "gid": { - "type": "integer", - "description": "The POSIX group ID used for all EFS operations by this user.\n" - }, - "secondaryGids": { - "type": "array", - "items": { - "type": "integer" - }, - "description": "The secondary POSIX group IDs used for all EFS operations by this user.\n" - }, - "uid": { - "type": "integer", - "description": "The POSIX user ID used for all EFS operations by this user.\n" - } - }, - "type": 
"object", - "required": [ - "gid", - "uid" - ] - }, - "aws:transfer/ConnectorAs2Config:ConnectorAs2Config": { - "properties": { - "compression": { - "type": "string" - }, - "encryptionAlgorithm": { - "type": "string" - }, - "localProfileId": { - "type": "string" - }, - "mdnResponse": { - "type": "string" - }, - "mdnSigningAlgorithm": { - "type": "string" - }, - "messageSubject": { - "type": "string" - }, - "partnerProfileId": { - "type": "string" - }, - "signingAlgorithm": { - "type": "string" - } - }, - "type": "object", - "required": [ - "compression", - "encryptionAlgorithm", - "localProfileId", - "mdnResponse", - "partnerProfileId", - "signingAlgorithm" - ] - }, - "aws:transfer/ConnectorSftpConfig:ConnectorSftpConfig": { - "properties": { - "trustedHostKeys": { - "type": "array", - "items": { - "type": "string" - } - }, - "userSecretId": { - "type": "string" - } - }, - "type": "object" - }, - "aws:transfer/ServerEndpointDetails:ServerEndpointDetails": { - "properties": { - "addressAllocationIds": { - "type": "array", - "items": { - "type": "string" - }, - "description": "A list of address allocation IDs that are required to attach an Elastic IP address to your SFTP server's endpoint. This property can only be used when `endpoint_type` is set to `VPC`.\n" - }, - "securityGroupIds": { - "type": "array", - "items": { - "type": "string" - }, - "description": "A list of security groups IDs that are available to attach to your server's endpoint. If no security groups are specified, the VPC's default security groups are automatically assigned to your endpoint. This property can only be used when `endpoint_type` is set to `VPC`.\n" - }, - "subnetIds": { - "type": "array", - "items": { - "type": "string" - }, - "description": "A list of subnet IDs that are required to host your SFTP server endpoint in your VPC. 
This property can only be used when `endpoint_type` is set to `VPC`.\n" - }, - "vpcEndpointId": { - "type": "string", - "description": "The ID of the VPC endpoint. This property can only be used when `endpoint_type` is set to `VPC_ENDPOINT`\n" - }, - "vpcId": { - "type": "string", - "description": "The VPC ID of the virtual private cloud in which the SFTP server's endpoint will be hosted. This property can only be used when `endpoint_type` is set to `VPC`.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "securityGroupIds", - "vpcEndpointId" - ] - } - } - }, - "aws:transfer/ServerProtocolDetails:ServerProtocolDetails": { - "properties": { - "as2Transports": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Indicates the transport method for the AS2 messages. Currently, only `HTTP` is supported.\n" - }, - "passiveIp": { - "type": "string", - "description": "Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer.\n" - }, - "setStatOption": { - "type": "string", - "description": "Use to ignore the error that is generated when the client attempts to use `SETSTAT` on a file you are uploading to an S3 bucket. Valid values: `DEFAULT`, `ENABLE_NO_OP`.\n" - }, - "tlsSessionResumptionMode": { - "type": "string", - "description": "A property used with Transfer Family servers that use the FTPS protocol. Provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. 
Valid values: `DISABLED`, `ENABLED`, `ENFORCED`.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "as2Transports", - "passiveIp", - "setStatOption", - "tlsSessionResumptionMode" - ] - } - } - }, - "aws:transfer/ServerS3StorageOptions:ServerS3StorageOptions": { - "properties": { - "directoryListingOptimization": { - "type": "string", - "description": "Specifies whether or not performance for your Amazon S3 directories is optimized. Valid values are `DISABLED`, `ENABLED`.\n\nBy default, home directory mappings have a `TYPE` of `DIRECTORY`. If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` Type to `FILE` if you want a mapping to have a file target. See [Using logical directories to simplify your Transfer Family directory structures](https://docs.aws.amazon.com/transfer/latest/userguide/logical-dir-mappings.html) for details.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "directoryListingOptimization" - ] - } - } - }, - "aws:transfer/ServerWorkflowDetails:ServerWorkflowDetails": { - "properties": { - "onPartialUpload": { - "$ref": "#/types/aws:transfer/ServerWorkflowDetailsOnPartialUpload:ServerWorkflowDetailsOnPartialUpload", - "description": "A trigger that starts a workflow if a file is only partially uploaded. See Workflow Detail below. See `on_partial_upload` block below for details.\n" - }, - "onUpload": { - "$ref": "#/types/aws:transfer/ServerWorkflowDetailsOnUpload:ServerWorkflowDetailsOnUpload", - "description": "A trigger that starts a workflow: the workflow begins to execute after a file is uploaded. 
See `on_upload` block below for details.\n" - } - }, - "type": "object" - }, - "aws:transfer/ServerWorkflowDetailsOnPartialUpload:ServerWorkflowDetailsOnPartialUpload": { - "properties": { - "executionRole": { - "type": "string", - "description": "Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources.\n" - }, - "workflowId": { - "type": "string", - "description": "A unique identifier for the workflow.\n" - } - }, - "type": "object", - "required": [ - "executionRole", - "workflowId" - ] - }, - "aws:transfer/ServerWorkflowDetailsOnUpload:ServerWorkflowDetailsOnUpload": { - "properties": { - "executionRole": { - "type": "string", - "description": "Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources.\n" - }, - "workflowId": { - "type": "string", - "description": "A unique identifier for the workflow.\n" - } - }, - "type": "object", - "required": [ - "executionRole", - "workflowId" - ] - }, - "aws:transfer/UserHomeDirectoryMapping:UserHomeDirectoryMapping": { - "properties": { - "entry": { - "type": "string", - "description": "Represents an entry and a target.\n" - }, - "target": { - "type": "string", - "description": "Represents the map target.\n\nThe `Restricted` option is achieved using the following mapping:\n\n```\nhome_directory_mappings {\nentry = \"/\"\ntarget = \"/${aws_s3_bucket.foo.id}/$${Transfer:UserName}\"\n}\n```\n" - } - }, - "type": "object", - "required": [ - "entry", - "target" - ] - }, - "aws:transfer/UserPosixProfile:UserPosixProfile": { - "properties": { - "gid": { - "type": "integer", - "description": "The POSIX group ID used for all EFS operations by this user.\n" - }, - "secondaryGids": { - "type": "array", - "items": { - "type": "integer" - }, - "description": "The secondary POSIX group IDs used for all EFS operations by this 
user.\n" - }, - "uid": { - "type": "integer", - "description": "The POSIX user ID used for all EFS operations by this user.\n" - } - }, - "type": "object", - "required": [ - "gid", - "uid" - ] - }, - "aws:transfer/WorkflowOnExceptionStep:WorkflowOnExceptionStep": { - "properties": { - "copyStepDetails": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepCopyStepDetails:WorkflowOnExceptionStepCopyStepDetails", - "willReplaceOnChanges": true - }, - "customStepDetails": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepCustomStepDetails:WorkflowOnExceptionStepCustomStepDetails", - "willReplaceOnChanges": true - }, - "decryptStepDetails": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepDecryptStepDetails:WorkflowOnExceptionStepDecryptStepDetails", - "willReplaceOnChanges": true - }, - "deleteStepDetails": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepDeleteStepDetails:WorkflowOnExceptionStepDeleteStepDetails", - "willReplaceOnChanges": true - }, - "tagStepDetails": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepTagStepDetails:WorkflowOnExceptionStepTagStepDetails", - "willReplaceOnChanges": true - }, - "type": { - "type": "string", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:transfer/WorkflowOnExceptionStepCopyStepDetails:WorkflowOnExceptionStepCopyStepDetails": { - "properties": { - "destinationFileLocation": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation", - "description": "Specifies the location for the file being copied. 
Use ${Transfer:username} in this field to parametrize the destination prefix by username.\n", - "willReplaceOnChanges": true - }, - "name": { - "type": "string", - "description": "The name of the step, used as an identifier.\n", - "willReplaceOnChanges": true - }, - "overwriteExisting": { - "type": "string", - "description": "A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`.\n", - "willReplaceOnChanges": true - }, - "sourceFileLocation": { - "type": "string", - "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation": { - "properties": { - "efsFileLocation": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation", - "description": "Specifies the details for the EFS file being copied.\n", - "willReplaceOnChanges": true - }, - "s3FileLocation": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation", - "description": "Specifies the details for the S3 file being copied.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - 
"aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation": { - "properties": { - "fileSystemId": { - "type": "string", - "description": "The ID of the file system, assigned by Amazon EFS.\n", - "willReplaceOnChanges": true - }, - "path": { - "type": "string", - "description": "The pathname for the folder being used by a workflow.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation": { - "properties": { - "bucket": { - "type": "string", - "description": "Specifies the S3 bucket for the customer input file.\n", - "willReplaceOnChanges": true - }, - "key": { - "type": "string", - "description": "The name assigned to the file when it was created in S3. You use the object key to retrieve the object.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowOnExceptionStepCustomStepDetails:WorkflowOnExceptionStepCustomStepDetails": { - "properties": { - "name": { - "type": "string", - "description": "The name of the step, used as an identifier.\n", - "willReplaceOnChanges": true - }, - "sourceFileLocation": { - "type": "string", - "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. 
Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", - "willReplaceOnChanges": true - }, - "target": { - "type": "string", - "description": "The ARN for the lambda function that is being called.\n", - "willReplaceOnChanges": true - }, - "timeoutSeconds": { - "type": "integer", - "description": "Timeout, in seconds, for the step.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowOnExceptionStepDecryptStepDetails:WorkflowOnExceptionStepDecryptStepDetails": { - "properties": { - "destinationFileLocation": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation", - "description": "Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username.\n", - "willReplaceOnChanges": true - }, - "name": { - "type": "string", - "description": "The name of the step, used as an identifier.\n", - "willReplaceOnChanges": true - }, - "overwriteExisting": { - "type": "string", - "description": "A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`.\n", - "willReplaceOnChanges": true - }, - "sourceFileLocation": { - "type": "string", - "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", - "willReplaceOnChanges": true - }, - "type": { - "type": "string", - "description": "The type of encryption used. 
Currently, this value must be `\"PGP\"`.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation": { - "properties": { - "efsFileLocation": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation", - "description": "Specifies the details for the EFS file being copied.\n", - "willReplaceOnChanges": true - }, - "s3FileLocation": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation", - "description": "Specifies the details for the S3 file being copied.\n" - } - }, - "type": "object" - }, - "aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation": { - "properties": { - "fileSystemId": { - "type": "string", - "description": "The ID of the file system, assigned by Amazon EFS.\n", - "willReplaceOnChanges": true - }, - "path": { - "type": "string", - "description": "The pathname for the folder being used by a workflow.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation": { - "properties": { - "bucket": { - "type": "string", - "description": "Specifies the S3 bucket for the customer input file.\n", - "willReplaceOnChanges": true - }, - "key": { - "type": "string", - "description": "The name assigned to the file when it was created in S3. 
You use the object key to retrieve the object.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowOnExceptionStepDeleteStepDetails:WorkflowOnExceptionStepDeleteStepDetails": { - "properties": { - "name": { - "type": "string", - "description": "The name of the step, used as an identifier.\n", - "willReplaceOnChanges": true - }, - "sourceFileLocation": { - "type": "string", - "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowOnExceptionStepTagStepDetails:WorkflowOnExceptionStepTagStepDetails": { - "properties": { - "name": { - "type": "string", - "description": "The name of the step, used as an identifier.\n", - "willReplaceOnChanges": true - }, - "sourceFileLocation": { - "type": "string", - "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", - "willReplaceOnChanges": true - }, - "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepTagStepDetailsTag:WorkflowOnExceptionStepTagStepDetailsTag" - }, - "description": "Array that contains from 1 to 10 key/value pairs. 
See S3 Tags below.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowOnExceptionStepTagStepDetailsTag:WorkflowOnExceptionStepTagStepDetailsTag": { - "properties": { - "key": { - "type": "string", - "willReplaceOnChanges": true - }, - "value": { - "type": "string", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "key", - "value" - ] - }, - "aws:transfer/WorkflowStep:WorkflowStep": { - "properties": { - "copyStepDetails": { - "$ref": "#/types/aws:transfer/WorkflowStepCopyStepDetails:WorkflowStepCopyStepDetails", - "willReplaceOnChanges": true - }, - "customStepDetails": { - "$ref": "#/types/aws:transfer/WorkflowStepCustomStepDetails:WorkflowStepCustomStepDetails", - "willReplaceOnChanges": true - }, - "decryptStepDetails": { - "$ref": "#/types/aws:transfer/WorkflowStepDecryptStepDetails:WorkflowStepDecryptStepDetails", - "willReplaceOnChanges": true - }, - "deleteStepDetails": { - "$ref": "#/types/aws:transfer/WorkflowStepDeleteStepDetails:WorkflowStepDeleteStepDetails", - "willReplaceOnChanges": true - }, - "tagStepDetails": { - "$ref": "#/types/aws:transfer/WorkflowStepTagStepDetails:WorkflowStepTagStepDetails", - "willReplaceOnChanges": true - }, - "type": { - "type": "string", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:transfer/WorkflowStepCopyStepDetails:WorkflowStepCopyStepDetails": { - "properties": { - "destinationFileLocation": { - "$ref": "#/types/aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocation:WorkflowStepCopyStepDetailsDestinationFileLocation", - "description": "Specifies the location for the file being copied. 
Use ${Transfer:username} in this field to parametrize the destination prefix by username.\n", - "willReplaceOnChanges": true - }, - "name": { - "type": "string", - "description": "The name of the step, used as an identifier.\n", - "willReplaceOnChanges": true - }, - "overwriteExisting": { - "type": "string", - "description": "A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`.\n", - "willReplaceOnChanges": true - }, - "sourceFileLocation": { - "type": "string", - "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocation:WorkflowStepCopyStepDetailsDestinationFileLocation": { - "properties": { - "efsFileLocation": { - "$ref": "#/types/aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation:WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation", - "description": "Specifies the details for the EFS file being copied.\n", - "willReplaceOnChanges": true - }, - "s3FileLocation": { - "$ref": "#/types/aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation:WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation", - "description": "Specifies the details for the S3 file being copied.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation:WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation": { - 
"properties": { - "fileSystemId": { - "type": "string", - "description": "The ID of the file system, assigned by Amazon EFS.\n", - "willReplaceOnChanges": true - }, - "path": { - "type": "string", - "description": "The pathname for the folder being used by a workflow.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation:WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation": { - "properties": { - "bucket": { - "type": "string", - "description": "Specifies the S3 bucket for the customer input file.\n", - "willReplaceOnChanges": true - }, - "key": { - "type": "string", - "description": "The name assigned to the file when it was created in S3. You use the object key to retrieve the object.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowStepCustomStepDetails:WorkflowStepCustomStepDetails": { - "properties": { - "name": { - "type": "string", - "description": "The name of the step, used as an identifier.\n", - "willReplaceOnChanges": true - }, - "sourceFileLocation": { - "type": "string", - "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. 
Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", - "willReplaceOnChanges": true - }, - "target": { - "type": "string", - "description": "The ARN for the lambda function that is being called.\n", - "willReplaceOnChanges": true - }, - "timeoutSeconds": { - "type": "integer", - "description": "Timeout, in seconds, for the step.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowStepDecryptStepDetails:WorkflowStepDecryptStepDetails": { - "properties": { - "destinationFileLocation": { - "$ref": "#/types/aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocation", - "description": "Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username.\n", - "willReplaceOnChanges": true - }, - "name": { - "type": "string", - "description": "The name of the step, used as an identifier.\n", - "willReplaceOnChanges": true - }, - "overwriteExisting": { - "type": "string", - "description": "A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`.\n", - "willReplaceOnChanges": true - }, - "sourceFileLocation": { - "type": "string", - "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", - "willReplaceOnChanges": true - }, - "type": { - "type": "string", - "description": "The type of encryption used. 
Currently, this value must be `\"PGP\"`.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocation": { - "properties": { - "efsFileLocation": { - "$ref": "#/types/aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation", - "description": "Specifies the details for the EFS file being copied.\n", - "willReplaceOnChanges": true - }, - "s3FileLocation": { - "$ref": "#/types/aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation", - "description": "Specifies the details for the S3 file being copied.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation": { - "properties": { - "fileSystemId": { - "type": "string", - "description": "The ID of the file system, assigned by Amazon EFS.\n", - "willReplaceOnChanges": true - }, - "path": { - "type": "string", - "description": "The pathname for the folder being used by a workflow.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation": { - "properties": { - "bucket": { - "type": "string", - "description": "Specifies the S3 bucket for the customer input file.\n", - "willReplaceOnChanges": true - }, - "key": { - "type": "string", - "description": "The name assigned to the file when it was created in S3. 
You use the object key to retrieve the object.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowStepDeleteStepDetails:WorkflowStepDeleteStepDetails": { - "properties": { - "name": { - "type": "string", - "description": "The name of the step, used as an identifier.\n", - "willReplaceOnChanges": true - }, - "sourceFileLocation": { - "type": "string", - "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowStepTagStepDetails:WorkflowStepTagStepDetails": { - "properties": { - "name": { - "type": "string", - "description": "The name of the step, used as an identifier.\n", - "willReplaceOnChanges": true - }, - "sourceFileLocation": { - "type": "string", - "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", - "willReplaceOnChanges": true - }, - "tags": { - "type": "array", - "items": { - "$ref": "#/types/aws:transfer/WorkflowStepTagStepDetailsTag:WorkflowStepTagStepDetailsTag" - }, - "description": "Array that contains from 1 to 10 key/value pairs. 
See S3 Tags below.\n", - "willReplaceOnChanges": true - } - }, - "type": "object" - }, - "aws:transfer/WorkflowStepTagStepDetailsTag:WorkflowStepTagStepDetailsTag": { - "properties": { - "key": { - "type": "string", - "willReplaceOnChanges": true - }, - "value": { - "type": "string", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "key", - "value" - ] - }, - "aws:verifiedaccess/EndpointLoadBalancerOptions:EndpointLoadBalancerOptions": { - "properties": { - "loadBalancerArn": { - "type": "string", - "willReplaceOnChanges": true - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - }, - "subnetIds": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:verifiedaccess/EndpointNetworkInterfaceOptions:EndpointNetworkInterfaceOptions": { - "properties": { - "networkInterfaceId": { - "type": "string", - "willReplaceOnChanges": true - }, - "port": { - "type": "integer" - }, - "protocol": { - "type": "string" - } - }, - "type": "object" - }, - "aws:verifiedaccess/EndpointSseSpecification:EndpointSseSpecification": { - "properties": { - "customerManagedKeyEnabled": { - "type": "boolean" - }, - "kmsKeyArn": { - "type": "string" - } - }, - "type": "object" - }, - "aws:verifiedaccess/GroupSseConfiguration:GroupSseConfiguration": { - "properties": { - "customerManagedKeyEnabled": { - "type": "boolean" - }, - "kmsKeyArn": { - "type": "string", - "description": "ARN of the KMS key to use.\n" - } - }, - "type": "object" - }, - "aws:verifiedaccess/InstanceLoggingConfigurationAccessLogs:InstanceLoggingConfigurationAccessLogs": { - "properties": { - "cloudwatchLogs": { - "$ref": "#/types/aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsCloudwatchLogs:InstanceLoggingConfigurationAccessLogsCloudwatchLogs", - "description": "A block that specifies configures sending Verified Access logs to CloudWatch Logs. 
Detailed below.\n" - }, - "includeTrustContext": { - "type": "boolean", - "description": "Include trust data sent by trust providers into the logs.\n" - }, - "kinesisDataFirehose": { - "$ref": "#/types/aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsKinesisDataFirehose:InstanceLoggingConfigurationAccessLogsKinesisDataFirehose", - "description": "A block that specifies configures sending Verified Access logs to Kinesis. Detailed below.\n" - }, - "logVersion": { - "type": "string", - "description": "The logging version to use. Refer to [VerifiedAccessLogOptions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_VerifiedAccessLogOptions.html) for the allowed values.\n" - }, - "s3": { - "$ref": "#/types/aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsS3:InstanceLoggingConfigurationAccessLogsS3", - "description": "A block that specifies configures sending Verified Access logs to S3. Detailed below.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "includeTrustContext", - "logVersion" - ] - } - } - }, - "aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsCloudwatchLogs:InstanceLoggingConfigurationAccessLogsCloudwatchLogs": { - "properties": { - "enabled": { - "type": "boolean", - "description": "Indicates whether logging is enabled.\n" - }, - "logGroup": { - "type": "string", - "description": "The name of the CloudWatch Logs Log Group.\n" - } - }, - "type": "object", - "required": [ - "enabled" - ] - }, - "aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsKinesisDataFirehose:InstanceLoggingConfigurationAccessLogsKinesisDataFirehose": { - "properties": { - "deliveryStream": { - "type": "string", - "description": "The name of the delivery stream.\n" - }, - "enabled": { - "type": "boolean", - "description": "Indicates whether logging is enabled.\n" - } - }, - "type": "object", - "required": [ - "enabled" - ] - }, - 
"aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsS3:InstanceLoggingConfigurationAccessLogsS3": { - "properties": { - "bucketName": { - "type": "string", - "description": "The name of S3 bucket.\n" - }, - "bucketOwner": { - "type": "string", - "description": "The ID of the AWS account that owns the Amazon S3 bucket.\n" - }, - "enabled": { - "type": "boolean", - "description": "Indicates whether logging is enabled.\n" - }, - "prefix": { - "type": "string", - "description": "The bucket prefix.\n" - } - }, - "type": "object", - "required": [ - "enabled" - ], - "language": { - "nodejs": { - "requiredOutputs": [ - "bucketOwner", - "enabled" - ] - } - } - }, - "aws:verifiedaccess/InstanceVerifiedAccessTrustProvider:InstanceVerifiedAccessTrustProvider": { - "properties": { - "description": { - "type": "string", - "description": "A description for the AWS Verified Access Instance.\n" - }, - "deviceTrustProviderType": { - "type": "string", - "description": "The type of device-based trust provider.\n" - }, - "trustProviderType": { - "type": "string", - "description": "The type of trust provider (user- or device-based).\n" - }, - "userTrustProviderType": { - "type": "string", - "description": "The type of user-based trust provider.\n" - }, - "verifiedAccessTrustProviderId": { - "type": "string", - "description": "The ID of the trust provider.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "description", - "deviceTrustProviderType", - "trustProviderType", - "userTrustProviderType", - "verifiedAccessTrustProviderId" - ] - } - } - }, - "aws:verifiedaccess/TrustProviderDeviceOptions:TrustProviderDeviceOptions": { - "properties": { - "tenantId": { - "type": "string" - } - }, - "type": "object" - }, - "aws:verifiedaccess/TrustProviderOidcOptions:TrustProviderOidcOptions": { - "properties": { - "authorizationEndpoint": { - "type": "string", - "willReplaceOnChanges": true - }, - "clientId": { - "type": "string", - 
"willReplaceOnChanges": true - }, - "clientSecret": { - "type": "string", - "secret": true - }, - "issuer": { - "type": "string", - "willReplaceOnChanges": true - }, - "scope": { - "type": "string" - }, - "tokenEndpoint": { - "type": "string", - "willReplaceOnChanges": true - }, - "userInfoEndpoint": { - "type": "string", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "clientSecret" - ] - }, - "aws:verifiedpermissions/PolicyDefinition:PolicyDefinition": { - "properties": { - "static": { - "$ref": "#/types/aws:verifiedpermissions/PolicyDefinitionStatic:PolicyDefinitionStatic", - "description": "The static policy statement. See Static below.\n" - }, - "templateLinked": { - "$ref": "#/types/aws:verifiedpermissions/PolicyDefinitionTemplateLinked:PolicyDefinitionTemplateLinked", - "description": "The template linked policy. See Template Linked below.\n" - } - }, - "type": "object" - }, - "aws:verifiedpermissions/PolicyDefinitionStatic:PolicyDefinitionStatic": { - "properties": { - "description": { - "type": "string", - "description": "The description of the static policy.\n" - }, - "statement": { - "type": "string", - "description": "The statement of the static policy.\n" - } - }, - "type": "object", - "required": [ - "statement" - ] - }, - "aws:verifiedpermissions/PolicyDefinitionTemplateLinked:PolicyDefinitionTemplateLinked": { - "properties": { - "policyTemplateId": { - "type": "string", - "description": "The ID of the template.\n" - }, - "principal": { - "$ref": "#/types/aws:verifiedpermissions/PolicyDefinitionTemplateLinkedPrincipal:PolicyDefinitionTemplateLinkedPrincipal", - "description": "The principal of the template linked policy.\n" - }, - "resource": { - "$ref": "#/types/aws:verifiedpermissions/PolicyDefinitionTemplateLinkedResource:PolicyDefinitionTemplateLinkedResource", - "description": "The resource of the template linked policy.\n" - } - }, - "type": "object", - "required": [ - "policyTemplateId" - ] - }, - 
"aws:verifiedpermissions/PolicyDefinitionTemplateLinkedPrincipal:PolicyDefinitionTemplateLinkedPrincipal": { - "properties": { - "entityId": { - "type": "string", - "description": "The entity ID of the principal.\n" - }, - "entityType": { - "type": "string", - "description": "The entity type of the principal.\n" - } - }, - "type": "object", - "required": [ - "entityId", - "entityType" - ] - }, - "aws:verifiedpermissions/PolicyDefinitionTemplateLinkedResource:PolicyDefinitionTemplateLinkedResource": { - "properties": { - "entityId": { - "type": "string", - "description": "The entity ID of the resource.\n" - }, - "entityType": { - "type": "string", - "description": "The entity type of the resource.\n" - } - }, - "type": "object", - "required": [ - "entityId", - "entityType" - ] - }, - "aws:verifiedpermissions/PolicyStoreValidationSettings:PolicyStoreValidationSettings": { - "properties": { - "mode": { - "type": "string", - "description": "The mode for the validation settings. Valid values: `OFF`, `STRICT`.\n\nThe following arguments are optional:\n" - } - }, - "type": "object", - "required": [ - "mode" - ] - }, - "aws:verifiedpermissions/SchemaDefinition:SchemaDefinition": { - "properties": { - "value": { - "type": "string", - "description": "A JSON string representation of the schema.\n" - } - }, - "type": "object", - "required": [ - "value" - ] - }, - "aws:verifiedpermissions/getPolicyStoreValidationSetting:getPolicyStoreValidationSetting": { - "properties": { - "mode": { - "type": "string" - } - }, - "type": "object", - "required": [ - "mode" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:vpc/EndpointServicePrivateDnsVerificationTimeouts:EndpointServicePrivateDnsVerificationTimeouts": { - "properties": { - "create": { - "type": "string", - "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". 
Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" - } - }, - "type": "object" - }, - "aws:vpc/getSecurityGroupRuleFilter:getSecurityGroupRuleFilter": { - "properties": { - "name": { - "type": "string", - "description": "Name of the filter field. Valid values can be found in the EC2 [`DescribeSecurityGroupRules`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupRules.html) API Reference.\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Set of values that are accepted for the given filter field. Results will be selected if any given value matches.\n" - } - }, - "type": "object", - "required": [ - "name", - "values" - ] - }, - "aws:vpc/getSecurityGroupRulesFilter:getSecurityGroupRulesFilter": { - "properties": { - "name": { - "type": "string", - "description": "Name of the field to filter by, as defined by\n[the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupRules.html).\n" - }, - "values": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Set of values that are accepted for the given field.\nSecurity group rule IDs will be selected if any one of the given values match.\n" - } - }, - "type": "object", - "required": [ - "name", - "values" - ] - }, - "aws:vpclattice/ListenerDefaultAction:ListenerDefaultAction": { - "properties": { - "fixedResponse": { - "$ref": "#/types/aws:vpclattice/ListenerDefaultActionFixedResponse:ListenerDefaultActionFixedResponse" - }, - "forwards": { - "type": "array", - "items": { - "$ref": "#/types/aws:vpclattice/ListenerDefaultActionForward:ListenerDefaultActionForward" - }, - "description": "Route requests to one or more target groups. 
See Forward blocks below.\n\n\u003e **NOTE:** You must specify exactly one of the following argument blocks: `fixed_response` or `forward`.\n" - } - }, - "type": "object" - }, - "aws:vpclattice/ListenerDefaultActionFixedResponse:ListenerDefaultActionFixedResponse": { - "properties": { - "statusCode": { - "type": "integer", - "description": "Custom HTTP status code to return, e.g. a 404 response code. See [Listeners](https://docs.aws.amazon.com/vpc-lattice/latest/ug/listeners.html) in the AWS documentation for a list of supported codes.\n" - } - }, - "type": "object", - "required": [ - "statusCode" - ] - }, - "aws:vpclattice/ListenerDefaultActionForward:ListenerDefaultActionForward": { - "properties": { - "targetGroups": { - "type": "array", - "items": { - "$ref": "#/types/aws:vpclattice/ListenerDefaultActionForwardTargetGroup:ListenerDefaultActionForwardTargetGroup" - }, - "description": "One or more target group blocks.\n" - } - }, - "type": "object" - }, - "aws:vpclattice/ListenerDefaultActionForwardTargetGroup:ListenerDefaultActionForwardTargetGroup": { - "properties": { - "targetGroupIdentifier": { - "type": "string" - }, - "weight": { - "type": "integer" - } - }, - "type": "object" - }, - "aws:vpclattice/ListenerRuleAction:ListenerRuleAction": { - "properties": { - "fixedResponse": { - "$ref": "#/types/aws:vpclattice/ListenerRuleActionFixedResponse:ListenerRuleActionFixedResponse", - "description": "Describes the rule action that returns a custom HTTP response.\n" - }, - "forward": { - "$ref": "#/types/aws:vpclattice/ListenerRuleActionForward:ListenerRuleActionForward", - "description": "The forward action. 
Traffic that matches the rule is forwarded to the specified target groups.\n" - } - }, - "type": "object" - }, - "aws:vpclattice/ListenerRuleActionFixedResponse:ListenerRuleActionFixedResponse": { - "properties": { - "statusCode": { - "type": "integer", - "description": "The HTTP response code.\n" - } - }, - "type": "object", - "required": [ - "statusCode" - ] - }, - "aws:vpclattice/ListenerRuleActionForward:ListenerRuleActionForward": { - "properties": { - "targetGroups": { - "type": "array", - "items": { - "$ref": "#/types/aws:vpclattice/ListenerRuleActionForwardTargetGroup:ListenerRuleActionForwardTargetGroup" - }, - "description": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1 with maximum number of 2. 
If only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group.\n" - } - }, - "type": "object", - "required": [ - "targetGroups" - ] - }, - "aws:vpclattice/ListenerRuleActionForwardTargetGroup:ListenerRuleActionForwardTargetGroup": { - "properties": { - "targetGroupIdentifier": { - "type": "string" - }, - "weight": { - "type": "integer" - } - }, - "type": "object", - "required": [ - "targetGroupIdentifier" - ] - }, - "aws:vpclattice/ListenerRuleMatch:ListenerRuleMatch": { - "properties": { - "httpMatch": { - "$ref": "#/types/aws:vpclattice/ListenerRuleMatchHttpMatch:ListenerRuleMatchHttpMatch", - "description": "The HTTP criteria that a rule must match.\n" - } - }, - "type": "object" - }, - "aws:vpclattice/ListenerRuleMatchHttpMatch:ListenerRuleMatchHttpMatch": { - "properties": { - "headerMatches": { - "type": "array", - "items": { - "$ref": "#/types/aws:vpclattice/ListenerRuleMatchHttpMatchHeaderMatch:ListenerRuleMatchHttpMatchHeaderMatch" - }, - "description": "The header matches. Matches incoming requests with rule based on request header value before applying rule action.\n" - }, - "method": { - "type": "string", - "description": "The HTTP method type.\n" - }, - "pathMatch": { - "$ref": "#/types/aws:vpclattice/ListenerRuleMatchHttpMatchPathMatch:ListenerRuleMatchHttpMatchPathMatch", - "description": "The path match.\n" - } - }, - "type": "object" - }, - "aws:vpclattice/ListenerRuleMatchHttpMatchHeaderMatch:ListenerRuleMatchHttpMatchHeaderMatch": { - "properties": { - "caseSensitive": { - "type": "boolean", - "description": "Indicates whether the match is case sensitive. 
Defaults to false.\n" - }, - "match": { - "$ref": "#/types/aws:vpclattice/ListenerRuleMatchHttpMatchHeaderMatchMatch:ListenerRuleMatchHttpMatchHeaderMatchMatch", - "description": "The header match type.\n" - }, - "name": { - "type": "string", - "description": "The name of the header.\n" - } - }, - "type": "object", - "required": [ - "match", - "name" - ] - }, - "aws:vpclattice/ListenerRuleMatchHttpMatchHeaderMatchMatch:ListenerRuleMatchHttpMatchHeaderMatchMatch": { - "properties": { - "contains": { - "type": "string", - "description": "Specifies a contains type match.\n" - }, - "exact": { - "type": "string", - "description": "Specifies an exact type match.\n" - }, - "prefix": { - "type": "string", - "description": "Specifies a prefix type match. Matches the value with the prefix.\n" - } - }, - "type": "object" - }, - "aws:vpclattice/ListenerRuleMatchHttpMatchPathMatch:ListenerRuleMatchHttpMatchPathMatch": { - "properties": { - "caseSensitive": { - "type": "boolean", - "description": "Indicates whether the match is case sensitive. Defaults to false.\n" - }, - "match": { - "$ref": "#/types/aws:vpclattice/ListenerRuleMatchHttpMatchPathMatchMatch:ListenerRuleMatchHttpMatchPathMatchMatch", - "description": "The header match type.\n" - } - }, - "type": "object", - "required": [ - "match" - ] - }, - "aws:vpclattice/ListenerRuleMatchHttpMatchPathMatchMatch:ListenerRuleMatchHttpMatchPathMatchMatch": { - "properties": { - "exact": { - "type": "string", - "description": "Specifies an exact type match.\n" - }, - "prefix": { - "type": "string", - "description": "Specifies a prefix type match. 
Matches the value with the prefix.\n" - } - }, - "type": "object" - }, - "aws:vpclattice/ServiceDnsEntry:ServiceDnsEntry": { - "properties": { - "domainName": { - "type": "string" - }, - "hostedZoneId": { - "type": "string" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "domainName", - "hostedZoneId" - ] - } - } - }, - "aws:vpclattice/ServiceNetworkServiceAssociationDnsEntry:ServiceNetworkServiceAssociationDnsEntry": { - "properties": { - "domainName": { - "type": "string", - "description": "The domain name of the service.\n" - }, - "hostedZoneId": { - "type": "string", - "description": "The ID of the hosted zone.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "domainName", - "hostedZoneId" - ] - } - } - }, - "aws:vpclattice/TargetGroupAttachmentTarget:TargetGroupAttachmentTarget": { - "properties": { - "id": { - "type": "string", - "description": "The ID of the target. If the target type of the target group is INSTANCE, this is an instance ID. If the target type is IP , this is an IP address. If the target type is LAMBDA, this is the ARN of the Lambda function. If the target type is ALB, this is the ARN of the Application Load Balancer.\n", - "willReplaceOnChanges": true - }, - "port": { - "type": "integer", - "description": "This port is used for routing traffic to the target, and defaults to the target group port. 
However, you can override the default and specify a custom port.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "required": [ - "id" - ], - "language": { - "nodejs": { - "requiredOutputs": [ - "id", - "port" - ] - } - } - }, - "aws:vpclattice/TargetGroupConfig:TargetGroupConfig": { - "properties": { - "healthCheck": { - "$ref": "#/types/aws:vpclattice/TargetGroupConfigHealthCheck:TargetGroupConfigHealthCheck", - "description": "The health check configuration.\n" - }, - "ipAddressType": { - "type": "string", - "description": "The type of IP address used for the target group. Valid values: `IPV4` | `IPV6`.\n", - "willReplaceOnChanges": true - }, - "lambdaEventStructureVersion": { - "type": "string", - "description": "The version of the event structure that the Lambda function receives. Supported only if `type` is `LAMBDA`. Valid Values are `V1` | `V2`.\n", - "willReplaceOnChanges": true - }, - "port": { - "type": "integer", - "description": "The port on which the targets are listening.\n", - "willReplaceOnChanges": true - }, - "protocol": { - "type": "string", - "description": "The protocol to use for routing traffic to the targets. Valid Values are `HTTP` | `HTTPS`.\n", - "willReplaceOnChanges": true - }, - "protocolVersion": { - "type": "string", - "description": "The protocol version. Valid Values are `HTTP1` | `HTTP2` | `GRPC`. Default value is `HTTP1`.\n", - "willReplaceOnChanges": true - }, - "vpcIdentifier": { - "type": "string", - "description": "The ID of the VPC.\n", - "willReplaceOnChanges": true - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "ipAddressType", - "lambdaEventStructureVersion", - "port", - "protocol", - "protocolVersion" - ] - } - } - }, - "aws:vpclattice/TargetGroupConfigHealthCheck:TargetGroupConfigHealthCheck": { - "properties": { - "enabled": { - "type": "boolean", - "description": "Indicates whether health checking is enabled. 
Defaults to `true`.\n" - }, - "healthCheckIntervalSeconds": { - "type": "integer", - "description": "The approximate amount of time, in seconds, between health checks of an individual target. The range is 5–300 seconds. The default is 30 seconds.\n" - }, - "healthCheckTimeoutSeconds": { - "type": "integer", - "description": "The amount of time, in seconds, to wait before reporting a target as unhealthy. The range is 1–120 seconds. The default is 5 seconds.\n* `healthy_threshold_count ` - (Optional) The number of consecutive successful health checks required before considering an unhealthy target healthy. The range is 2–10. The default is 5.\n" - }, - "healthyThresholdCount": { - "type": "integer" - }, - "matcher": { - "$ref": "#/types/aws:vpclattice/TargetGroupConfigHealthCheckMatcher:TargetGroupConfigHealthCheckMatcher", - "description": "The codes to use when checking for a successful response from a target. These are called _Success codes_ in the console.\n" - }, - "path": { - "type": "string", - "description": "The destination for health checks on the targets. If the protocol version is HTTP/1.1 or HTTP/2, specify a valid URI (for example, /path?query). The default path is `/`. Health checks are not supported if the protocol version is gRPC, however, you can choose HTTP/1.1 or HTTP/2 and specify a valid URI.\n" - }, - "port": { - "type": "integer", - "description": "The port used when performing health checks on targets. The default setting is the port that a target receives traffic on.\n" - }, - "protocol": { - "type": "string", - "description": "The protocol used when performing health checks on targets. The possible protocols are `HTTP` and `HTTPS`.\n" - }, - "protocolVersion": { - "type": "string", - "description": "The protocol version used when performing health checks on targets. The possible protocol versions are `HTTP1` and `HTTP2`. 
The default is `HTTP1`.\n" - }, - "unhealthyThresholdCount": { - "type": "integer", - "description": "The number of consecutive failed health checks required before considering a target unhealthy. The range is 2–10. The default is 2.\n" - } - }, - "type": "object", - "language": { - "nodejs": { - "requiredOutputs": [ - "port", - "protocol" - ] - } - } - }, - "aws:vpclattice/TargetGroupConfigHealthCheckMatcher:TargetGroupConfigHealthCheckMatcher": { - "properties": { - "value": { - "type": "string", - "description": "The HTTP codes to use when checking for a successful response from a target.\n" - } - }, - "type": "object" - }, - "aws:vpclattice/getListenerDefaultAction:getListenerDefaultAction": { - "properties": { - "fixedResponses": { - "type": "array", - "items": { - "$ref": "#/types/aws:vpclattice/getListenerDefaultActionFixedResponse:getListenerDefaultActionFixedResponse" - } - }, - "forwards": { - "type": "array", - "items": { - "$ref": "#/types/aws:vpclattice/getListenerDefaultActionForward:getListenerDefaultActionForward" - } - } - }, - "type": "object", - "required": [ - "fixedResponses", - "forwards" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:vpclattice/getListenerDefaultActionFixedResponse:getListenerDefaultActionFixedResponse": { - "properties": { - "statusCode": { - "type": "integer" - } - }, - "type": "object", - "required": [ - "statusCode" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:vpclattice/getListenerDefaultActionForward:getListenerDefaultActionForward": { - "properties": { - "targetGroups": { - "type": "array", - "items": { - "$ref": "#/types/aws:vpclattice/getListenerDefaultActionForwardTargetGroup:getListenerDefaultActionForwardTargetGroup" - } - } - }, - "type": "object", - "required": [ - "targetGroups" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - 
"aws:vpclattice/getListenerDefaultActionForwardTargetGroup:getListenerDefaultActionForwardTargetGroup": { - "properties": { - "targetGroupIdentifier": { - "type": "string" - }, - "weight": { - "type": "integer" - } - }, - "type": "object", - "required": [ - "targetGroupIdentifier", - "weight" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:vpclattice/getServiceDnsEntry:getServiceDnsEntry": { - "properties": { - "domainName": { - "type": "string" - }, - "hostedZoneId": { - "type": "string" - } - }, - "type": "object", - "required": [ - "domainName", - "hostedZoneId" - ], - "language": { - "nodejs": { - "requiredInputs": [] - } - } - }, - "aws:waf/ByteMatchSetByteMatchTuple:ByteMatchSetByteMatchTuple": { - "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:waf/ByteMatchSetByteMatchTupleFieldToMatch:ByteMatchSetByteMatchTupleFieldToMatch" - }, - "positionalConstraint": { - "type": "string" - }, - "targetString": { - "type": "string" - }, - "textTransformation": { - "type": "string" - } - }, - "type": "object", - "required": [ - "fieldToMatch", - "positionalConstraint", - "textTransformation" - ] - }, - "aws:waf/ByteMatchSetByteMatchTupleFieldToMatch:ByteMatchSetByteMatchTupleFieldToMatch": { - "properties": { - "data": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:waf/GeoMatchSetGeoMatchConstraint:GeoMatchSetGeoMatchConstraint": { - "properties": { - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type", - "value" - ] - }, - "aws:waf/IpSetIpSetDescriptor:IpSetIpSetDescriptor": { - "properties": { - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type", - "value" - ] - }, - "aws:waf/RateBasedRulePredicate:RateBasedRulePredicate": { - "properties": { - "dataId": { - "type": "string" - }, - "negated": { - "type": "boolean" - 
}, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "dataId", - "negated", - "type" - ] - }, - "aws:waf/RegexMatchSetRegexMatchTuple:RegexMatchSetRegexMatchTuple": { - "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:waf/RegexMatchSetRegexMatchTupleFieldToMatch:RegexMatchSetRegexMatchTupleFieldToMatch", - "description": "The part of a web request that you want to search, such as a specified header or a query string.\n" - }, - "regexPatternSetId": { - "type": "string", - "description": "The ID of a Regex Pattern Set.\n" - }, - "textTransformation": { - "type": "string", - "description": "Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.\ne.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchTuple.html#WAF-Type-ByteMatchTuple-TextTransformation)\nfor all supported values.\n" - } - }, - "type": "object", - "required": [ - "fieldToMatch", - "regexPatternSetId", - "textTransformation" - ] - }, - "aws:waf/RegexMatchSetRegexMatchTupleFieldToMatch:RegexMatchSetRegexMatchTupleFieldToMatch": { - "properties": { - "data": { - "type": "string", - "description": "When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`.\nIf `type` is any other value, omit this field.\n" - }, - "type": { - "type": "string", - "description": "The part of the web request that you want AWS WAF to search for a specified string.\ne.g., `HEADER`, `METHOD` or `BODY`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_FieldToMatch.html)\nfor all supported values.\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:waf/RuleGroupActivatedRule:RuleGroupActivatedRule": { - "properties": { - "action": { - "$ref": "#/types/aws:waf/RuleGroupActivatedRuleAction:RuleGroupActivatedRuleAction" - }, - "priority": { - "type": "integer" - }, - 
"ruleId": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "action", - "priority", - "ruleId" - ] - }, - "aws:waf/RuleGroupActivatedRuleAction:RuleGroupActivatedRuleAction": { - "properties": { - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:waf/RulePredicate:RulePredicate": { - "properties": { - "dataId": { - "type": "string" - }, - "negated": { - "type": "boolean" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "dataId", - "negated", - "type" - ] - }, - "aws:waf/SizeConstraintSetSizeConstraint:SizeConstraintSetSizeConstraint": { - "properties": { - "comparisonOperator": { - "type": "string" - }, - "fieldToMatch": { - "$ref": "#/types/aws:waf/SizeConstraintSetSizeConstraintFieldToMatch:SizeConstraintSetSizeConstraintFieldToMatch" - }, - "size": { - "type": "integer" - }, - "textTransformation": { - "type": "string" - } - }, - "type": "object", - "required": [ - "comparisonOperator", - "fieldToMatch", - "size", - "textTransformation" - ] - }, - "aws:waf/SizeConstraintSetSizeConstraintFieldToMatch:SizeConstraintSetSizeConstraintFieldToMatch": { - "properties": { - "data": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:waf/SqlInjectionMatchSetSqlInjectionMatchTuple:SqlInjectionMatchSetSqlInjectionMatchTuple": { - "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:waf/SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch:SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch", - "description": "Specifies where in a web request to look for snippets of malicious SQL code.\n" - }, - "textTransformation": { - "type": "string", - "description": "Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.\nIf you specify a transformation, AWS WAF performs the transformation on 
`field_to_match` before inspecting a request for a match.\ne.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_SqlInjectionMatchTuple.html#WAF-Type-SqlInjectionMatchTuple-TextTransformation)\nfor all supported values.\n" - } - }, - "type": "object", - "required": [ - "fieldToMatch", - "textTransformation" - ] - }, - "aws:waf/SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch:SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch": { - "properties": { - "data": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:waf/WebAclDefaultAction:WebAclDefaultAction": { - "properties": { - "type": { - "type": "string", - "description": "Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the `rules`.\ne.g., `ALLOW` or `BLOCK`\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:waf/WebAclLoggingConfiguration:WebAclLoggingConfiguration": { - "properties": { - "logDestination": { - "type": "string", - "description": "Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream\n" - }, - "redactedFields": { - "$ref": "#/types/aws:waf/WebAclLoggingConfigurationRedactedFields:WebAclLoggingConfigurationRedactedFields", - "description": "Configuration block containing parts of the request that you want redacted from the logs. Detailed below.\n" - } - }, - "type": "object", - "required": [ - "logDestination" - ] - }, - "aws:waf/WebAclLoggingConfigurationRedactedFields:WebAclLoggingConfigurationRedactedFields": { - "properties": { - "fieldToMatches": { - "type": "array", - "items": { - "$ref": "#/types/aws:waf/WebAclLoggingConfigurationRedactedFieldsFieldToMatch:WebAclLoggingConfigurationRedactedFieldsFieldToMatch" - }, - "description": "Set of configuration blocks for fields to redact. 
Detailed below.\n" - } - }, - "type": "object", - "required": [ - "fieldToMatches" - ] - }, - "aws:waf/WebAclLoggingConfigurationRedactedFieldsFieldToMatch:WebAclLoggingConfigurationRedactedFieldsFieldToMatch": { - "properties": { - "data": { - "type": "string", - "description": "When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`.\n" - }, - "type": { - "type": "string", - "description": "The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD`\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:waf/WebAclRule:WebAclRule": { - "properties": { - "action": { - "$ref": "#/types/aws:waf/WebAclRuleAction:WebAclRuleAction", - "description": "The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`.\n" - }, - "overrideAction": { - "$ref": "#/types/aws:waf/WebAclRuleOverrideAction:WebAclRuleOverrideAction", - "description": "Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if `type` is `GROUP`.\n" - }, - "priority": { - "type": "integer", - "description": "Specifies the order in which the rules in a WebACL are evaluated.\nRules with a lower value are evaluated before rules with a higher value.\n" - }, - "ruleId": { - "type": "string", - "description": "ID of the associated WAF (Global) rule (e.g., `aws.waf.Rule`). 
WAF (Regional) rules cannot be used.\n" - }, - "type": { - "type": "string", - "description": "The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html), or `GROUP`, as defined by [RuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. If you add a GROUP rule, you need to set `type` as `GROUP`.\n" - } - }, - "type": "object", - "required": [ - "priority", - "ruleId" - ] - }, - "aws:waf/WebAclRuleAction:WebAclRuleAction": { - "properties": { - "type": { - "type": "string", - "description": "valid values are: `BLOCK`, `ALLOW`, or `COUNT`\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:waf/WebAclRuleOverrideAction:WebAclRuleOverrideAction": { - "properties": { - "type": { - "type": "string", - "description": "valid values are: `NONE` or `COUNT`\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:waf/XssMatchSetXssMatchTuple:XssMatchSetXssMatchTuple": { - "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:waf/XssMatchSetXssMatchTupleFieldToMatch:XssMatchSetXssMatchTupleFieldToMatch", - "description": "Specifies where in a web request to look for cross-site scripting attacks.\n" - }, - "textTransformation": { - "type": "string", - "description": "Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.\nIf you specify a transformation, AWS WAF performs the transformation on `target_string` before inspecting a request for a match.\ne.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_XssMatchTuple.html#WAF-Type-XssMatchTuple-TextTransformation)\nfor all supported values.\n" - } - }, - 
"type": "object", - "required": [ - "fieldToMatch", - "textTransformation" - ] - }, - "aws:waf/XssMatchSetXssMatchTupleFieldToMatch:XssMatchSetXssMatchTupleFieldToMatch": { - "properties": { - "data": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:wafregional/ByteMatchSetByteMatchTuple:ByteMatchSetByteMatchTuple": { - "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafregional/ByteMatchSetByteMatchTupleFieldToMatch:ByteMatchSetByteMatchTupleFieldToMatch", - "description": "Settings for the ByteMatchTuple. FieldToMatch documented below.\n" - }, - "positionalConstraint": { - "type": "string", - "description": "Within the portion of a web request that you want to search.\n" - }, - "targetString": { - "type": "string", - "description": "The value that you want AWS WAF to search for. The maximum length of the value is 50 bytes.\n" - }, - "textTransformation": { - "type": "string", - "description": "The formatting way for web request.\n\nFieldToMatch(field_to_match) support following:\n" - } - }, - "type": "object", - "required": [ - "fieldToMatch", - "positionalConstraint", - "textTransformation" - ] - }, - "aws:wafregional/ByteMatchSetByteMatchTupleFieldToMatch:ByteMatchSetByteMatchTupleFieldToMatch": { - "properties": { - "data": { - "type": "string", - "description": "When the value of Type is HEADER, enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer. 
If the value of Type is any other value, omit Data.\n" - }, - "type": { - "type": "string", - "description": "The part of the web request that you want AWS WAF to search for a specified string.\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:wafregional/GeoMatchSetGeoMatchConstraint:GeoMatchSetGeoMatchConstraint": { - "properties": { - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type", - "value" - ] - }, - "aws:wafregional/IpSetIpSetDescriptor:IpSetIpSetDescriptor": { - "properties": { - "type": { - "type": "string" - }, - "value": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type", - "value" - ] - }, - "aws:wafregional/RateBasedRulePredicate:RateBasedRulePredicate": { - "properties": { - "dataId": { - "type": "string" - }, - "negated": { - "type": "boolean" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "dataId", - "negated", - "type" - ] - }, - "aws:wafregional/RegexMatchSetRegexMatchTuple:RegexMatchSetRegexMatchTuple": { - "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafregional/RegexMatchSetRegexMatchTupleFieldToMatch:RegexMatchSetRegexMatchTupleFieldToMatch", - "description": "The part of a web request that you want to search, such as a specified header or a query string.\n" - }, - "regexPatternSetId": { - "type": "string", - "description": "The ID of a Regex Pattern Set.\n" - }, - "textTransformation": { - "type": "string", - "description": "Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.\ne.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchTuple.html#WAF-Type-ByteMatchTuple-TextTransformation)\nfor all supported values.\n" - } - }, - "type": "object", - "required": [ - "fieldToMatch", - "regexPatternSetId", - "textTransformation" - ] - }, - 
"aws:wafregional/RegexMatchSetRegexMatchTupleFieldToMatch:RegexMatchSetRegexMatchTupleFieldToMatch": { - "properties": { - "data": { - "type": "string", - "description": "When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`.\nIf `type` is any other value, omit this field.\n" - }, - "type": { - "type": "string", - "description": "The part of the web request that you want AWS WAF to search for a specified string.\ne.g., `HEADER`, `METHOD` or `BODY`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_FieldToMatch.html)\nfor all supported values.\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:wafregional/RuleGroupActivatedRule:RuleGroupActivatedRule": { - "properties": { - "action": { - "$ref": "#/types/aws:wafregional/RuleGroupActivatedRuleAction:RuleGroupActivatedRuleAction" - }, - "priority": { - "type": "integer" - }, - "ruleId": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "action", - "priority", - "ruleId" - ] - }, - "aws:wafregional/RuleGroupActivatedRuleAction:RuleGroupActivatedRuleAction": { - "properties": { - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:wafregional/RulePredicate:RulePredicate": { - "properties": { - "dataId": { - "type": "string" - }, - "negated": { - "type": "boolean" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "dataId", - "negated", - "type" - ] - }, - "aws:wafregional/SizeConstraintSetSizeConstraint:SizeConstraintSetSizeConstraint": { - "properties": { - "comparisonOperator": { - "type": "string" - }, - "fieldToMatch": { - "$ref": "#/types/aws:wafregional/SizeConstraintSetSizeConstraintFieldToMatch:SizeConstraintSetSizeConstraintFieldToMatch" - }, - "size": { - "type": "integer" - }, - "textTransformation": { - "type": "string" - } - }, - "type": "object", - "required": [ - 
"comparisonOperator", - "fieldToMatch", - "size", - "textTransformation" - ] - }, - "aws:wafregional/SizeConstraintSetSizeConstraintFieldToMatch:SizeConstraintSetSizeConstraintFieldToMatch": { - "properties": { - "data": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:wafregional/SqlInjectionMatchSetSqlInjectionMatchTuple:SqlInjectionMatchSetSqlInjectionMatchTuple": { - "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafregional/SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch:SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch", - "description": "Specifies where in a web request to look for snippets of malicious SQL code.\n" - }, - "textTransformation": { - "type": "string", - "description": "Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.\nIf you specify a transformation, AWS WAF performs the transformation on `field_to_match` before inspecting a request for a match.\ne.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`.\nSee [docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_SqlInjectionMatchTuple.html#WAF-Type-regional_SqlInjectionMatchTuple-TextTransformation)\nfor all supported values.\n" - } - }, - "type": "object", - "required": [ - "fieldToMatch", - "textTransformation" - ] - }, - "aws:wafregional/SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch:SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch": { - "properties": { - "data": { - "type": "string", - "description": "When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`.\nIf `type` is any other value, omit this field.\n" - }, - "type": { - "type": "string", - "description": "The part of the web request that you want AWS WAF to search for a specified string.\ne.g., `HEADER`, `METHOD` or `BODY`.\nSee 
[docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_FieldToMatch.html)\nfor all supported values.\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:wafregional/WebAclDefaultAction:WebAclDefaultAction": { - "properties": { - "type": { - "type": "string", - "description": "Specifies how you want AWS WAF Regional to respond to requests that match the settings in a ruleE.g., `ALLOW`, `BLOCK` or `COUNT`\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:wafregional/WebAclLoggingConfiguration:WebAclLoggingConfiguration": { - "properties": { - "logDestination": { - "type": "string", - "description": "Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream\n" - }, - "redactedFields": { - "$ref": "#/types/aws:wafregional/WebAclLoggingConfigurationRedactedFields:WebAclLoggingConfigurationRedactedFields", - "description": "Configuration block containing parts of the request that you want redacted from the logs. Detailed below.\n" - } - }, - "type": "object", - "required": [ - "logDestination" - ] - }, - "aws:wafregional/WebAclLoggingConfigurationRedactedFields:WebAclLoggingConfigurationRedactedFields": { - "properties": { - "fieldToMatches": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafregional/WebAclLoggingConfigurationRedactedFieldsFieldToMatch:WebAclLoggingConfigurationRedactedFieldsFieldToMatch" - }, - "description": "Set of configuration blocks for fields to redact. Detailed below.\n" - } - }, - "type": "object", - "required": [ - "fieldToMatches" - ] - }, - "aws:wafregional/WebAclLoggingConfigurationRedactedFieldsFieldToMatch:WebAclLoggingConfigurationRedactedFieldsFieldToMatch": { - "properties": { - "data": { - "type": "string", - "description": "When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. 
If the value of `type` is any other value, omit `data`.\n" - }, - "type": { - "type": "string", - "description": "The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD`\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:wafregional/WebAclRule:WebAclRule": { - "properties": { - "action": { - "$ref": "#/types/aws:wafregional/WebAclRuleAction:WebAclRuleAction", - "description": "Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`. Detailed below.\n" - }, - "overrideAction": { - "$ref": "#/types/aws:wafregional/WebAclRuleOverrideAction:WebAclRuleOverrideAction", - "description": "Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if `type` is `GROUP`. Detailed below.\n" - }, - "priority": { - "type": "integer", - "description": "Specifies the order in which the rules in a WebACL are evaluated.\nRules with a lower value are evaluated before rules with a higher value.\n" - }, - "ruleId": { - "type": "string", - "description": "ID of the associated WAF (Regional) rule (e.g., `aws.wafregional.Rule`). WAF (Global) rules cannot be used.\n" - }, - "type": { - "type": "string", - "description": "The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html), or `GROUP`, as defined by [RuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. 
If you add a GROUP rule, you need to set `type` as `GROUP`.\n" - } - }, - "type": "object", - "required": [ - "priority", - "ruleId" - ] - }, - "aws:wafregional/WebAclRuleAction:WebAclRuleAction": { - "properties": { - "type": { - "type": "string", - "description": "Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for `action` are `ALLOW`, `BLOCK` or `COUNT`. Valid values for `override_action` are `COUNT` and `NONE`.\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:wafregional/WebAclRuleOverrideAction:WebAclRuleOverrideAction": { - "properties": { - "type": { - "type": "string" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:wafregional/XssMatchSetXssMatchTuple:XssMatchSetXssMatchTuple": { - "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafregional/XssMatchSetXssMatchTupleFieldToMatch:XssMatchSetXssMatchTupleFieldToMatch", - "description": "Specifies where in a web request to look for cross-site scripting attacks.\n" - }, - "textTransformation": { - "type": "string", - "description": "Which text transformation, if any, to perform on the web request before inspecting the request for cross-site scripting attacks.\n" - } - }, - "type": "object", - "required": [ - "fieldToMatch", - "textTransformation" - ] - }, - "aws:wafregional/XssMatchSetXssMatchTupleFieldToMatch:XssMatchSetXssMatchTupleFieldToMatch": { - "properties": { - "data": { - "type": "string", - "description": "When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. 
If the value of `type` is any other value, omit `data`.\n" - }, - "type": { - "type": "string", - "description": "The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD`\n" - } - }, - "type": "object", - "required": [ - "type" - ] - }, - "aws:wafv2/RegexPatternSetRegularExpression:RegexPatternSetRegularExpression": { - "properties": { - "regexString": { - "type": "string", - "description": "The string representing the regular expression, see the AWS WAF [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-regex-pattern-set-creating.html) for more information.\n" - } - }, - "type": "object", - "required": [ - "regexString" - ] - }, - "aws:wafv2/RuleGroupCustomResponseBody:RuleGroupCustomResponseBody": { - "properties": { - "content": { - "type": "string", - "description": "The payload of the custom response.\n" - }, - "contentType": { - "type": "string", - "description": "The type of content in the payload that you are defining in the `content` argument. Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`.\n" - }, - "key": { - "type": "string", - "description": "A unique key identifying the custom response body. This is referenced by the `custom_response_body_key` argument in the Custom Response block.\n" - } - }, - "type": "object", - "required": [ - "content", - "contentType", - "key" - ] - }, - "aws:wafv2/RuleGroupRule:RuleGroupRule": { - "properties": { - "action": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleAction:RuleGroupRuleAction", - "description": "The action that AWS WAF should take on a web request when it matches the rule's statement. Settings at the `aws.wafv2.WebAcl` level can override the rule action setting. See Action below for details.\n" - }, - "captchaConfig": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleCaptchaConfig:RuleGroupRuleCaptchaConfig", - "description": "Specifies how AWS WAF should handle CAPTCHA evaluations. 
See Captcha Configuration below for details.\n" - }, - "name": { - "type": "string", - "description": "A friendly name of the rule.\n" - }, - "priority": { - "type": "integer", - "description": "If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. AWS WAF processes rules with lower priority first.\n" - }, - "ruleLabels": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleRuleLabel:RuleGroupRuleRuleLabel" - }, - "description": "Labels to apply to web requests that match the rule match statement. See Rule Label below for details.\n" - }, - "statement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement", - "description": "The AWS WAF processing statement for the rule, for example `byte_match_statement` or `geo_match_statement`. See Statement below for details.\n" - }, - "visibilityConfig": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleVisibilityConfig:RuleGroupRuleVisibilityConfig", - "description": "Defines and enables Amazon CloudWatch metrics and web request sample collection. See Visibility Configuration below for details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "action", - "name", - "priority", - "statement", - "visibilityConfig" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleAction:RuleGroupRuleAction": { + "aws:securityhub/InsightFiltersFindingProviderFieldsRelatedFindingsProductArn:InsightFiltersFindingProviderFieldsRelatedFindingsProductArn": { "properties": { - "allow": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionAllow:RuleGroupRuleActionAllow", - "description": "Instructs AWS WAF to allow the web request. See Allow below for details.\n" - }, - "block": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionBlock:RuleGroupRuleActionBlock", - "description": "Instructs AWS WAF to block the web request. 
See Block below for details.\n" - }, - "captcha": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCaptcha:RuleGroupRuleActionCaptcha", - "description": "Instructs AWS WAF to run a `CAPTCHA` check against the web request. See Captcha below for details.\n" - }, - "challenge": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionChallenge:RuleGroupRuleActionChallenge", - "description": "Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See Challenge below for details.\n" + "comparison": { + "type": "string" }, - "count": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCount:RuleGroupRuleActionCount", - "description": "Instructs AWS WAF to count the web request and allow it. See Count below for details.\n" + "value": { + "type": "string" } }, - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleActionAllow:RuleGroupRuleActionAllow": { + "aws:securityhub/InsightFiltersFindingProviderFieldsSeverityLabel:InsightFiltersFindingProviderFieldsSeverityLabel": { "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionAllowCustomRequestHandling:RuleGroupRuleActionAllowCustomRequestHandling", - "description": "Defines custom handling for the web request. 
See Custom Request Handling below for details.\n" + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleActionAllowCustomRequestHandling:RuleGroupRuleActionAllowCustomRequestHandling": { + "aws:securityhub/InsightFiltersFindingProviderFieldsSeverityOriginal:InsightFiltersFindingProviderFieldsSeverityOriginal": { "properties": { - "insertHeaders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader:RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader" - }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details.\n" + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "insertHeaders" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader:RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader": { + "aws:securityhub/InsightFiltersFindingProviderFieldsType:InsightFiltersFindingProviderFieldsType": { "properties": { - "name": { - "type": "string", - "description": "A friendly name of the rule group.\n" + "comparison": { + "type": "string" }, "value": { "type": "string" 
@@ -145273,47 +135143,45 @@ }, "type": "object", "required": [ - "name", + "comparison", "value" ] }, - "aws:wafv2/RuleGroupRuleActionBlock:RuleGroupRuleActionBlock": { + "aws:securityhub/InsightFiltersFirstObservedAt:InsightFiltersFirstObservedAt": { "properties": { - "customResponse": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionBlockCustomResponse:RuleGroupRuleActionBlockCustomResponse", - "description": "Defines a custom response for the web request. See Custom Response below for details.\n" + "dateRange": { + "$ref": "#/types/aws:securityhub/InsightFiltersFirstObservedAtDateRange:InsightFiltersFirstObservedAtDateRange" + }, + "end": { + "type": "string" + }, + "start": { + "type": "string" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleActionBlockCustomResponse:RuleGroupRuleActionBlockCustomResponse": { + "aws:securityhub/InsightFiltersFirstObservedAtDateRange:InsightFiltersFirstObservedAtDateRange": { "properties": { - "customResponseBodyKey": { + "unit": { "type": "string", - "description": "References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `custom_response_body` block of this resource.\n" + "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" }, - "responseCode": { + "value": { "type": "integer", - "description": "The HTTP status code to return to the client.\n" - }, - "responseHeaders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionBlockCustomResponseResponseHeader:RuleGroupRuleActionBlockCustomResponseResponseHeader" - }, - "description": "The `response_header` blocks used to define the HTTP response headers added to the response. 
See Custom HTTP Header below for details.\n" + "description": "A date range value for the date filter, provided as an Integer.\n" } }, "type": "object", "required": [ - "responseCode" + "unit", + "value" ] }, - "aws:wafv2/RuleGroupRuleActionBlockCustomResponseResponseHeader:RuleGroupRuleActionBlockCustomResponseResponseHeader": { + "aws:securityhub/InsightFiltersGeneratorId:InsightFiltersGeneratorId": { "properties": { - "name": { - "type": "string", - "description": "A friendly name of the rule group.\n" + "comparison": { + "type": "string" }, "value": { "type": "string" 
@@ -145321,79 +135189,72 @@ }, "type": "object", "required": [ - "name", + "comparison", "value" ] }, - "aws:wafv2/RuleGroupRuleActionCaptcha:RuleGroupRuleActionCaptcha": { - "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCaptchaCustomRequestHandling:RuleGroupRuleActionCaptchaCustomRequestHandling", - "description": "Defines custom handling for the web request. See Custom Request Handling below for details.\n" - } - }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleActionCaptchaCustomRequestHandling:RuleGroupRuleActionCaptchaCustomRequestHandling": { + "aws:securityhub/InsightFiltersId:InsightFiltersId": { "properties": { - "insertHeaders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader:RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader" - }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details.\n" + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "insertHeaders" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader:RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader": { + "aws:securityhub/InsightFiltersKeyword:InsightFiltersKeyword": { "properties": { - "name": { - "type": "string", - "description": "A friendly name of the rule group.\n" - }, "value": { - "type": "string" + "type": "string", + "description": "A value for the keyword.\n" } }, "type": "object", "required": [ - "name", "value" ] }, - "aws:wafv2/RuleGroupRuleActionChallenge:RuleGroupRuleActionChallenge": { + "aws:securityhub/InsightFiltersLastObservedAt:InsightFiltersLastObservedAt": { "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionChallengeCustomRequestHandling:RuleGroupRuleActionChallengeCustomRequestHandling", - 
"description": "Defines custom handling for the web request. See Custom Request Handling below for details.\n" + "dateRange": { + "$ref": "#/types/aws:securityhub/InsightFiltersLastObservedAtDateRange:InsightFiltersLastObservedAtDateRange" + }, + "end": { + "type": "string" + }, + "start": { + "type": "string" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleActionChallengeCustomRequestHandling:RuleGroupRuleActionChallengeCustomRequestHandling": { + "aws:securityhub/InsightFiltersLastObservedAtDateRange:InsightFiltersLastObservedAtDateRange": { "properties": { - "insertHeaders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader:RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader" - }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details.\n" + "unit": { + "type": "string", + "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" + }, + "value": { + "type": "integer", + "description": "A date range value for the date filter, provided as an Integer.\n" } }, "type": "object", "required": [ - "insertHeaders" + "unit", + "value" ] }, - "aws:wafv2/RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader:RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader": { + "aws:securityhub/InsightFiltersMalwareName:InsightFiltersMalwareName": { "properties": { - "name": { - "type": "string", - "description": "A friendly name of the rule group.\n" + "comparison": { + "type": "string" }, "value": { "type": "string" 
@@ -145401,39 +135262,44 @@ }, "type": "object", "required": [ - "name", + "comparison", "value" ] }, - "aws:wafv2/RuleGroupRuleActionCount:RuleGroupRuleActionCount": { + "aws:securityhub/InsightFiltersMalwarePath:InsightFiltersMalwarePath": { "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCountCustomRequestHandling:RuleGroupRuleActionCountCustomRequestHandling", - "description": "Defines custom handling for the web request. See Custom Request Handling below for details.\n" + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleActionCountCustomRequestHandling:RuleGroupRuleActionCountCustomRequestHandling": { + "aws:securityhub/InsightFiltersMalwareState:InsightFiltersMalwareState": { "properties": { - "insertHeaders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCountCustomRequestHandlingInsertHeader:RuleGroupRuleActionCountCustomRequestHandlingInsertHeader" - }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details.\n" + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "insertHeaders" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleActionCountCustomRequestHandlingInsertHeader:RuleGroupRuleActionCountCustomRequestHandlingInsertHeader": { + "aws:securityhub/InsightFiltersMalwareType:InsightFiltersMalwareType": { "properties": { - "name": { - "type": "string", - "description": "A friendly name of the rule group.\n" + "comparison": { + "type": "string" }, "value": { "type": "string" 
@@ -145441,5114 +135307,5023 @@ }, "type": "object", "required": [ - "name", + "comparison", "value" ] }, - "aws:wafv2/RuleGroupRuleCaptchaConfig:RuleGroupRuleCaptchaConfig": { + "aws:securityhub/InsightFiltersNetworkDestinationDomain:InsightFiltersNetworkDestinationDomain": { "properties": { - "immunityTimeProperty": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleCaptchaConfigImmunityTimeProperty:RuleGroupRuleCaptchaConfigImmunityTimeProperty", - "description": "Defines custom immunity time. See Immunity Time Property below for details.\n" + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleCaptchaConfigImmunityTimeProperty:RuleGroupRuleCaptchaConfigImmunityTimeProperty": { + "aws:securityhub/InsightFiltersNetworkDestinationIpv4:InsightFiltersNetworkDestinationIpv4": { "properties": { - "immunityTime": { - "type": "integer", - "description": "The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.\n" + "cidr": { + "type": "string" } }, - "type": "object" + "type": "object", + "required": [ + "cidr" + ] }, - "aws:wafv2/RuleGroupRuleRuleLabel:RuleGroupRuleRuleLabel": { + "aws:securityhub/InsightFiltersNetworkDestinationIpv6:InsightFiltersNetworkDestinationIpv6": { "properties": { - "name": { - "type": "string", - "description": "The label string.\n" + "cidr": { + "type": "string" } }, "type": "object", "required": [ - "name" + "cidr" ] }, - "aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement": { + "aws:securityhub/InsightFiltersNetworkDestinationPort:InsightFiltersNetworkDestinationPort": { "properties": { - "andStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementAndStatement:RuleGroupRuleStatementAndStatement", - "description": "A logical rule statement used to combine other rule statements with AND logic. 
See AND Statement below for details.\n" - }, - "byteMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatement:RuleGroupRuleStatementByteMatchStatement", - "description": "A rule statement that defines a string match search for AWS WAF to apply to web requests. See Byte Match Statement below for details.\n" - }, - "geoMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementGeoMatchStatement:RuleGroupRuleStatementGeoMatchStatement", - "description": "A rule statement used to identify web requests based on country of origin. See GEO Match Statement below for details.\n" - }, - "ipSetReferenceStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementIpSetReferenceStatement:RuleGroupRuleStatementIpSetReferenceStatement", - "description": "A rule statement used to detect web requests coming from particular IP addresses or address ranges. See IP Set Reference Statement below for details.\n" - }, - "labelMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementLabelMatchStatement:RuleGroupRuleStatementLabelMatchStatement", - "description": "A rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See Label Match Statement below for details.\n" - }, - "notStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementNotStatement:RuleGroupRuleStatementNotStatement", - "description": "A logical rule statement used to negate the results of another rule statement. See NOT Statement below for details.\n" - }, - "orStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementOrStatement:RuleGroupRuleStatementOrStatement", - "description": "A logical rule statement used to combine other rule statements with OR logic. 
See OR Statement below for details.\n" - }, - "rateBasedStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatement:RuleGroupRuleStatementRateBasedStatement", - "description": "A rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See Rate Based Statement below for details.\n" - }, - "regexMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatement:RuleGroupRuleStatementRegexMatchStatement", - "description": "A rule statement used to search web request components for a match against a single regular expression. See Regex Match Statement below for details.\n" - }, - "regexPatternSetReferenceStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatement:RuleGroupRuleStatementRegexPatternSetReferenceStatement", - "description": "A rule statement used to search web request components for matches with regular expressions. See Regex Pattern Set Reference Statement below for details.\n" - }, - "sizeConstraintStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatement:RuleGroupRuleStatementSizeConstraintStatement", - "description": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (\u003e) or less than (\u003c). See Size Constraint Statement below for more details.\n" + "eq": { + "type": "string" }, - "sqliMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatement:RuleGroupRuleStatementSqliMatchStatement", - "description": "An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. 
See SQL Injection Match Statement below for details.\n" + "gte": { + "type": "string" }, - "xssMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatement:RuleGroupRuleStatementXssMatchStatement", - "description": "A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See XSS Match Statement below for details.\n" + "lte": { + "type": "string" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementAndStatement:RuleGroupRuleStatementAndStatement": { + "aws:securityhub/InsightFiltersNetworkDirection:InsightFiltersNetworkDirection": { "properties": { - "statements": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement" - }, - "description": "The statements to combine." + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "statements" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatement:RuleGroupRuleStatementByteMatchStatement": { + "aws:securityhub/InsightFiltersNetworkProtocol:InsightFiltersNetworkProtocol": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatch:RuleGroupRuleStatementByteMatchStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" - }, - "positionalConstraint": { - "type": "string", - "description": "The area within the portion of a web request that you want AWS WAF to search for `search_string`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information.\n" - }, - "searchString": { - "type": "string", - "description": "A string value that you want AWS WAF to search for. 
AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`. The maximum length of the value is 50 bytes.\n" + "comparison": { + "type": "string" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementTextTransformation:RuleGroupRuleStatementByteMatchStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "positionalConstraint", - "searchString", - "textTransformations" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatch:RuleGroupRuleStatementByteMatchStatementFieldToMatch": { + "aws:securityhub/InsightFiltersNetworkSourceDomain:InsightFiltersNetworkSourceDomain": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementByteMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchBody:RuleGroupRuleStatementByteMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchCookies:RuleGroupRuleStatementByteMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. 
See Cookies below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. See Header Order below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchHeader:RuleGroupRuleStatementByteMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See Headers below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See JSON Body for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchMethod:RuleGroupRuleStatementByteMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementByteMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. 
See Single Header below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See Single Query Argument below for details.\n" + "comparison": { + "type": "string" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementByteMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "value": { + "type": "string" } }, - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementByteMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" + "aws:securityhub/InsightFiltersNetworkSourceIpv4:InsightFiltersNetworkSourceIpv4": { + "properties": { + "cidr": { + "type": "string" + } + }, + "type": "object", + "required": [ + "cidr" + ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchBody:RuleGroupRuleStatementByteMatchStatementFieldToMatchBody": { + "aws:securityhub/InsightFiltersNetworkSourceIpv6:InsightFiltersNetworkSourceIpv6": { "properties": { - "oversizeHandling": { + "cidr": { "type": "string" } }, - "type": "object" + "type": "object", + "required": [ + "cidr" + ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchCookies:RuleGroupRuleStatementByteMatchStatementFieldToMatchCookies": { + "aws:securityhub/InsightFiltersNetworkSourceMac:InsightFiltersNetworkSourceMac": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": 
"#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "comparison": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:securityhub/InsightFiltersNetworkSourcePort:InsightFiltersNetworkSourcePort": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll" + "eq": { + "type": "string" }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "gte": { + "type": "string" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "lte": { + "type": "string" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchHeader:RuleGroupRuleStatementByteMatchStatementFieldToMatchHeader": { + "aws:securityhub/InsightFiltersNoteText:InsightFiltersNoteText": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. 
Valid values include the following: `ALL`, `Key`, `Value`.\n" + "comparison": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:securityhub/InsightFiltersNoteUpdatedAt:InsightFiltersNoteUpdatedAt": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" + "dateRange": { + "$ref": "#/types/aws:securityhub/InsightFiltersNoteUpdatedAtDateRange:InsightFiltersNoteUpdatedAtDateRange" }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "end": { + "type": "string" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "start": { + "type": "string" } }, "type": "object" }, - 
"aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderOrder": { + "aws:securityhub/InsightFiltersNoteUpdatedAtDateRange:InsightFiltersNoteUpdatedAtDateRange": { "properties": { - "oversizeHandling": { + "unit": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" + }, + "value": { + "type": "integer", + "description": "A date range value for the date filter, provided as an Integer.\n" } }, "type": "object", "required": [ - "oversizeHandling" + "unit", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint": { + "aws:securityhub/InsightFiltersNoteUpdatedBy:InsightFiltersNoteUpdatedBy": { "properties": { - "fallbackBehavior": { + "comparison": { + "type": "string" + }, + "value": { "type": "string" } }, "type": "object", "required": [ - "fallbackBehavior" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBody": { + "aws:securityhub/InsightFiltersProcessLaunchedAt:InsightFiltersProcessLaunchedAt": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. 
Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" + "dateRange": { + "$ref": "#/types/aws:securityhub/InsightFiltersProcessLaunchedAtDateRange:InsightFiltersProcessLaunchedAtDateRange" }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "end": { + "type": "string" }, - "matchScope": { + "start": { + "type": "string" + } + }, + "type": "object" + }, + "aws:securityhub/InsightFiltersProcessLaunchedAtDateRange:InsightFiltersProcessLaunchedAtDateRange": { + "properties": { + "unit": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" }, - "oversizeHandling": { - "type": "string", - "description": "What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "value": { + "type": "integer", + "description": "A date range value for the date filter, provided as an Integer.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "unit", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:securityhub/InsightFiltersProcessName:InsightFiltersProcessName": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "comparison": { + "type": "string" }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "value": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchMethod:RuleGroupRuleStatementByteMatchStatementFieldToMatchMethod": { - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementByteMatchStatementFieldToMatchQueryString": { + "aws:securityhub/InsightFiltersProcessParentPid:InsightFiltersProcessParentPid": { + "properties": { + "eq": { + "type": "string" + }, + "gte": { + "type": "string" + }, + "lte": { + "type": "string" + } + }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleHeader": { + "aws:securityhub/InsightFiltersProcessPath:InsightFiltersProcessPath": { "properties": { - "name": { - "type": "string", - "description": "The name of the 
query header to inspect. This setting must be provided as lower case characters.\n" + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "name" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument": { + "aws:securityhub/InsightFiltersProcessPid:InsightFiltersProcessPid": { "properties": { - "name": { - "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "eq": { + "type": "string" + }, + "gte": { + "type": "string" + }, + "lte": { + "type": "string" } }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementByteMatchStatementFieldToMatchUriPath": { "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementByteMatchStatementTextTransformation:RuleGroupRuleStatementByteMatchStatementTextTransformation": { + "aws:securityhub/InsightFiltersProcessTerminatedAt:InsightFiltersProcessTerminatedAt": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "dateRange": { + "$ref": "#/types/aws:securityhub/InsightFiltersProcessTerminatedAtDateRange:InsightFiltersProcessTerminatedAtDateRange" }, - "type": { - "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "end": { + "type": "string" + }, + "start": { + "type": "string" } }, - "type": "object", - "required": [ - "priority", - "type" - ] + "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementGeoMatchStatement:RuleGroupRuleStatementGeoMatchStatement": { + "aws:securityhub/InsightFiltersProcessTerminatedAtDateRange:InsightFiltersProcessTerminatedAtDateRange": { "properties": { - "countryCodes": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of two-character country codes, for example, [ \"US\", \"CN\" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values.\n" + "unit": { + "type": "string", + "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" }, - "forwardedIpConfig": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementGeoMatchStatementForwardedIpConfig:RuleGroupRuleStatementGeoMatchStatementForwardedIpConfig", - "description": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. 
See Forwarded IP Config below for details.\n" + "value": { + "type": "integer", + "description": "A date range value for the date filter, provided as an Integer.\n" } }, "type": "object", "required": [ - "countryCodes" + "unit", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementGeoMatchStatementForwardedIpConfig:RuleGroupRuleStatementGeoMatchStatementForwardedIpConfig": { + "aws:securityhub/InsightFiltersProductArn:InsightFiltersProductArn": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`.\n" + "comparison": { + "type": "string" }, - "headerName": { - "type": "string", - "description": "The name of the HTTP header to use for the IP address.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "fallbackBehavior", - "headerName" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementIpSetReferenceStatement:RuleGroupRuleStatementIpSetReferenceStatement": { + "aws:securityhub/InsightFiltersProductField:InsightFiltersProductField": { "properties": { - "arn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the IP Set that this statement references.\n" + "comparison": { + "type": "string" }, - "ipSetForwardedIpConfig": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig", - "description": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. 
See IPSet Forwarded IP Config below for more details.\n" + "key": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "arn" + "comparison", + "key", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig": { + "aws:securityhub/InsightFiltersProductName:InsightFiltersProductName": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`.\n" - }, - "headerName": { - "type": "string", - "description": "The name of the HTTP header to use for the IP address.\n" + "comparison": { + "type": "string" }, - "position": { - "type": "string", - "description": "The position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "fallbackBehavior", - "headerName", - "position" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementLabelMatchStatement:RuleGroupRuleStatementLabelMatchStatement": { + "aws:securityhub/InsightFiltersRecommendationText:InsightFiltersRecommendationText": { "properties": { - "key": { - "type": "string", - "description": "The string to match against.\n" + "comparison": { + "type": "string" }, - "scope": { - "type": "string", - "description": "Specify whether you want to match using the label name or just the namespace. 
Valid values are `LABEL` or `NAMESPACE`.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "key", - "scope" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementNotStatement:RuleGroupRuleStatementNotStatement": { + "aws:securityhub/InsightFiltersRecordState:InsightFiltersRecordState": { "properties": { - "statements": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement" - }, - "description": "The statements to combine." + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "statements" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementOrStatement:RuleGroupRuleStatementOrStatement": { + "aws:securityhub/InsightFiltersRelatedFindingsId:InsightFiltersRelatedFindingsId": { "properties": { - "statements": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement" - }, - "description": "The statements to combine." + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "statements" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatement:RuleGroupRuleStatementRateBasedStatement": { + "aws:securityhub/InsightFiltersRelatedFindingsProductArn:InsightFiltersRelatedFindingsProductArn": { "properties": { - "aggregateKeyType": { - "type": "string", - "description": "Setting that indicates how to aggregate the request counts. Valid values include: `CONSTANT`, `CUSTOM_KEYS`, `FORWARDED_IP` or `IP`. Default: `IP`.\n" - }, - "customKeys": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKey:RuleGroupRuleStatementRateBasedStatementCustomKey" - }, - "description": "Aggregate the request counts using one or more web request components as the aggregate keys. 
See `custom_key` below for details.\n" - }, - "evaluationWindowSec": { - "type": "integer", - "description": "The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Valid values are `60`, `120`, `300`, and `600`. Defaults to `300` (5 minutes).\n\n**NOTE:** This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds.\n" - }, - "forwardedIpConfig": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementForwardedIpConfig:RuleGroupRuleStatementRateBasedStatementForwardedIpConfig", - "description": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregate_key_type` is set to `FORWARDED_IP`, this block is required. See Forwarded IP Config below for details.\n" - }, - "limit": { - "type": "integer", - "description": "The limit on requests per 5-minute period for a single originating IP address.\n" + "comparison": { + "type": "string" }, - "scopeDownStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatement", - "description": "An optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See Statement above for details. 
If `aggregate_key_type` is set to `CONSTANT`, this block is required.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "limit" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKey:RuleGroupRuleStatementRateBasedStatementCustomKey": { + "aws:securityhub/InsightFiltersResourceAwsEc2InstanceIamInstanceProfileArn:InsightFiltersResourceAwsEc2InstanceIamInstanceProfileArn": { "properties": { - "cookie": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyCookie:RuleGroupRuleStatementRateBasedStatementCustomKeyCookie", - "description": "(Optional) Use the value of a cookie in the request as an aggregate key. See RateLimit `cookie` below for details.\n" - }, - "forwardedIp": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyForwardedIp:RuleGroupRuleStatementRateBasedStatementCustomKeyForwardedIp", - "description": "(Optional) Use the first IP address in an HTTP header as an aggregate key. See `forwarded_ip` below for details.\n" - }, - "header": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHeader:RuleGroupRuleStatementRateBasedStatementCustomKeyHeader", - "description": "(Optional) Use the value of a header in the request as an aggregate key. See RateLimit `header` below for details.\n" - }, - "httpMethod": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHttpMethod:RuleGroupRuleStatementRateBasedStatementCustomKeyHttpMethod", - "description": "(Optional) Use the request's HTTP method as an aggregate key. See RateLimit `http_method` below for details.\n" - }, - "ip": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp", - "description": "(Optional) Use the request's originating IP address as an aggregate key. 
See `RateLimit ip` below for details.\n" - }, - "labelNamespace": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace:RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace", - "description": "(Optional) Use the specified label namespace as an aggregate key. See RateLimit `label_namespace` below for details.\n" - }, - "queryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgument:RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgument", - "description": "(Optional) Use the specified query argument as an aggregate key. See RateLimit `query_argument` below for details.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyQueryString:RuleGroupRuleStatementRateBasedStatementCustomKeyQueryString", - "description": "(Optional) Use the request's query string as an aggregate key. See RateLimit `query_string` below for details.\n" + "comparison": { + "type": "string" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyUriPath:RuleGroupRuleStatementRateBasedStatementCustomKeyUriPath", - "description": "(Optional) Use the request's URI path as an aggregate key. 
See RateLimit `uri_path` below for details.\n" + "value": { + "type": "string" } }, - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyCookie:RuleGroupRuleStatementRateBasedStatementCustomKeyCookie": { + "aws:securityhub/InsightFiltersResourceAwsEc2InstanceImageId:InsightFiltersResourceAwsEc2InstanceImageId": { "properties": { - "name": { - "type": "string", - "description": "A friendly name of the rule group.\n" + "comparison": { + "type": "string" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyCookieTextTransformation:RuleGroupRuleStatementRateBasedStatementCustomKeyCookieTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "name", - "textTransformations" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyCookieTextTransformation:RuleGroupRuleStatementRateBasedStatementCustomKeyCookieTextTransformation": { + "aws:securityhub/InsightFiltersResourceAwsEc2InstanceIpv4Address:InsightFiltersResourceAwsEc2InstanceIpv4Address": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { - "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "cidr": { + "type": "string" } }, "type": "object", "required": [ - "priority", - "type" + "cidr" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyForwardedIp:RuleGroupRuleStatementRateBasedStatementCustomKeyForwardedIp": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHeader:RuleGroupRuleStatementRateBasedStatementCustomKeyHeader": { + "aws:securityhub/InsightFiltersResourceAwsEc2InstanceIpv6Address:InsightFiltersResourceAwsEc2InstanceIpv6Address": { "properties": { - "name": { - "type": "string", - "description": "A friendly name of the rule group.\n" - }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation:RuleGroupRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. 
See Text Transformation above for details.\n" + "cidr": { + "type": "string" } }, "type": "object", "required": [ - "name", - "textTransformations" + "cidr" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation:RuleGroupRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation": { + "aws:securityhub/InsightFiltersResourceAwsEc2InstanceKeyName:InsightFiltersResourceAwsEc2InstanceKeyName": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "comparison": { + "type": "string" }, - "type": { - "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "priority", - "type" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHttpMethod:RuleGroupRuleStatementRateBasedStatementCustomKeyHttpMethod": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp": { + "aws:securityhub/InsightFiltersResourceAwsEc2InstanceLaunchedAt:InsightFiltersResourceAwsEc2InstanceLaunchedAt": { + "properties": { + "dateRange": { + "$ref": "#/types/aws:securityhub/InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange:InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange" + }, + "end": { + "type": "string" + }, + "start": { + "type": "string" + } + }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace:RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace": { + 
"aws:securityhub/InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange:InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange": { "properties": { - "namespace": { + "unit": { "type": "string", - "description": "The namespace to use for aggregation\n" + "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" + }, + "value": { + "type": "integer", + "description": "A date range value for the date filter, provided as an Integer.\n" } }, "type": "object", "required": [ - "namespace" + "unit", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgument:RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgument": { + "aws:securityhub/InsightFiltersResourceAwsEc2InstanceSubnetId:InsightFiltersResourceAwsEc2InstanceSubnetId": { "properties": { - "name": { - "type": "string", - "description": "A friendly name of the rule group.\n" + "comparison": { + "type": "string" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation:RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. 
See Text Transformation above for details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "name", - "textTransformations" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation:RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation": { + "aws:securityhub/InsightFiltersResourceAwsEc2InstanceType:InsightFiltersResourceAwsEc2InstanceType": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "comparison": { + "type": "string" }, - "type": { - "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "priority", - "type" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyQueryString:RuleGroupRuleStatementRateBasedStatementCustomKeyQueryString": { + "aws:securityhub/InsightFiltersResourceAwsEc2InstanceVpcId:InsightFiltersResourceAwsEc2InstanceVpcId": { "properties": { - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation:RuleGroupRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. 
See Text Transformation above for details.\n" + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "textTransformations" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation:RuleGroupRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation": { + "aws:securityhub/InsightFiltersResourceAwsIamAccessKeyCreatedAt:InsightFiltersResourceAwsIamAccessKeyCreatedAt": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "dateRange": { + "$ref": "#/types/aws:securityhub/InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange:InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange" }, - "type": { - "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "end": { + "type": "string" + }, + "start": { + "type": "string" } }, - "type": "object", - "required": [ - "priority", - "type" - ] + "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyUriPath:RuleGroupRuleStatementRateBasedStatementCustomKeyUriPath": { + "aws:securityhub/InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange:InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange": { "properties": { - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation:RuleGroupRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an 
effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details.\n" + "unit": { + "type": "string", + "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" + }, + "value": { + "type": "integer", + "description": "A date range value for the date filter, provided as an Integer.\n" } }, "type": "object", "required": [ - "textTransformations" + "unit", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation:RuleGroupRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation": { + "aws:securityhub/InsightFiltersResourceAwsIamAccessKeyStatus:InsightFiltersResourceAwsIamAccessKeyStatus": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "comparison": { + "type": "string" }, - "type": { - "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "priority", - "type" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementForwardedIpConfig:RuleGroupRuleStatementRateBasedStatementForwardedIpConfig": { + "aws:securityhub/InsightFiltersResourceAwsIamAccessKeyUserName:InsightFiltersResourceAwsIamAccessKeyUserName": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. 
Valid values include: `MATCH` or `NO_MATCH`.\n" + "comparison": { + "type": "string" }, - "headerName": { - "type": "string", - "description": "The name of the HTTP header to use for the IP address.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "fallbackBehavior", - "headerName" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatement": { + "aws:securityhub/InsightFiltersResourceAwsS3BucketOwnerId:InsightFiltersResourceAwsS3BucketOwnerId": { "properties": { - "andStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementAndStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementAndStatement" - }, - "byteMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement" - }, - "geoMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement" - }, - "ipSetReferenceStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement" - }, - "labelMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement" - }, - "notStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementNotStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementNotStatement" - }, - "orStatement": { - "$ref": 
"#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementOrStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementOrStatement" - }, - "regexMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement" - }, - "regexPatternSetReferenceStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement" - }, - "sizeConstraintStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement" - }, - "sqliMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement" + "comparison": { + "type": "string" }, - "xssMatchStatement": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement" + "value": { + "type": "string" } }, - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementAndStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementAndStatement": { + "aws:securityhub/InsightFiltersResourceAwsS3BucketOwnerName:InsightFiltersResourceAwsS3BucketOwnerName": { "properties": { - "statements": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement" - }, - "description": "The statements to combine." 
+ "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "statements" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement": { + "aws:securityhub/InsightFiltersResourceContainerImageId:InsightFiltersResourceContainerImageId": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" - }, - "positionalConstraint": { - "type": "string", - "description": "The area within the portion of a web request that you want AWS WAF to search for `search_string`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information.\n" - }, - "searchString": { - "type": "string", - "description": "A string value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`. 
The maximum length of the value is 50 bytes.\n" + "comparison": { + "type": "string" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "positionalConstraint", - "searchString", - "textTransformations" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch": { + "aws:securityhub/InsightFiltersResourceContainerImageName:InsightFiltersResourceContainerImageName": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies", - "description": "Inspect the 
cookies in the web request. See Cookies below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. See Header Order below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See Headers below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See JSON Body for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See Single Header below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See Single Query Argument below for details.\n" + "comparison": { + "type": "string" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "value": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody": { + "aws:securityhub/InsightFiltersResourceContainerLaunchedAt:InsightFiltersResourceContainerLaunchedAt": { "properties": { - "oversizeHandling": { + "dateRange": { + "$ref": "#/types/aws:securityhub/InsightFiltersResourceContainerLaunchedAtDateRange:InsightFiltersResourceContainerLaunchedAtDateRange" + }, + "end": { + "type": "string" + }, + "start": { "type": "string" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies": { + "aws:securityhub/InsightFiltersResourceContainerLaunchedAtDateRange:InsightFiltersResourceContainerLaunchedAtDateRange": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { + "unit": { "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "value": { + "type": "integer", + "description": "A date range value for the date filter, provided as an Integer.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "unit", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:securityhub/InsightFiltersResourceContainerName:InsightFiltersResourceContainerName": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "comparison": { + "type": "string" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "value": { + "type": "string" } }, - "type": "object" - }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader": { + "aws:securityhub/InsightFiltersResourceDetailsOther:InsightFiltersResourceDetailsOther": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" + "comparison": { + "type": "string" }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "key": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "comparison", + "key", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:securityhub/InsightFiltersResourceId:InsightFiltersResourceId": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "comparison": { + "type": "string" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "value": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder": { + "aws:securityhub/InsightFiltersResourcePartition:InsightFiltersResourcePartition": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "oversizeHandling" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint": { + "aws:securityhub/InsightFiltersResourceRegion:InsightFiltersResourceRegion": { "properties": { - "fallbackBehavior": { + "comparison": { + "type": "string" + }, + "value": { "type": "string" } }, "type": "object", "required": [ - "fallbackBehavior" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody": { + "aws:securityhub/InsightFiltersResourceTag:InsightFiltersResourceTag": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. 
Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "comparison": { + "type": "string" }, - "matchScope": { - "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "key": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "comparison", + "key", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:securityhub/InsightFiltersResourceType:InsightFiltersResourceType": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "comparison": { + "type": "string" }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "value": { + "type": "string" } }, - "type": "object" - }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString": { - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader": { + "aws:securityhub/InsightFiltersSeverityLabel:InsightFiltersSeverityLabel": { "properties": { - "name": { - "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "name" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument": { + "aws:securityhub/InsightFiltersSourceUrl:InsightFiltersSourceUrl": { "properties": { - "name": { - "type": "string", - "description": "The name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "name" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation": { + "aws:securityhub/InsightFiltersThreatIntelIndicatorCategory:InsightFiltersThreatIntelIndicatorCategory": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "comparison": { + "type": "string" }, - "type": { - "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "priority", - "type" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement": { + "aws:securityhub/InsightFiltersThreatIntelIndicatorLastObservedAt:InsightFiltersThreatIntelIndicatorLastObservedAt": { "properties": { - "countryCodes": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of two-character country codes, for example, [ \"US\", \"CN\" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. 
See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values.\n" + "dateRange": { + "$ref": "#/types/aws:securityhub/InsightFiltersThreatIntelIndicatorLastObservedAtDateRange:InsightFiltersThreatIntelIndicatorLastObservedAtDateRange" }, - "forwardedIpConfig": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig:RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig", - "description": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See Forwarded IP Config below for details.\n" + "end": { + "type": "string" + }, + "start": { + "type": "string" } }, - "type": "object", - "required": [ - "countryCodes" - ] + "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig:RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig": { + "aws:securityhub/InsightFiltersThreatIntelIndicatorLastObservedAtDateRange:InsightFiltersThreatIntelIndicatorLastObservedAtDateRange": { "properties": { - "fallbackBehavior": { + "unit": { "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "A date range unit for the date filter. 
Valid values: `DAYS`.\n" }, - "headerName": { - "type": "string", - "description": "The name of the HTTP header to use for the IP address.\n" + "value": { + "type": "integer", + "description": "A date range value for the date filter, provided as an Integer.\n" } }, "type": "object", "required": [ - "fallbackBehavior", - "headerName" + "unit", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement": { + "aws:securityhub/InsightFiltersThreatIntelIndicatorSource:InsightFiltersThreatIntelIndicatorSource": { "properties": { - "arn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the IP Set that this statement references.\n" + "comparison": { + "type": "string" }, - "ipSetForwardedIpConfig": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig:RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig", - "description": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See IPSet Forwarded IP Config below for more details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "arn" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig:RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig": { + "aws:securityhub/InsightFiltersThreatIntelIndicatorSourceUrl:InsightFiltersThreatIntelIndicatorSourceUrl": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. 
Valid values include: `MATCH` or `NO_MATCH`.\n" - }, - "headerName": { - "type": "string", - "description": "The name of the HTTP header to use for the IP address.\n" + "comparison": { + "type": "string" }, - "position": { - "type": "string", - "description": "The position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "fallbackBehavior", - "headerName", - "position" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement": { + "aws:securityhub/InsightFiltersThreatIntelIndicatorType:InsightFiltersThreatIntelIndicatorType": { "properties": { - "key": { - "type": "string", - "description": "The string to match against.\n" + "comparison": { + "type": "string" }, - "scope": { - "type": "string", - "description": "Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "key", - "scope" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementNotStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementNotStatement": { + "aws:securityhub/InsightFiltersThreatIntelIndicatorValue:InsightFiltersThreatIntelIndicatorValue": { "properties": { - "statements": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement" - }, - "description": "The statements to combine." 
+ "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "statements" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementOrStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementOrStatement": { + "aws:securityhub/InsightFiltersTitle:InsightFiltersTitle": { "properties": { - "statements": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement" - }, - "description": "The statements to combine." + "comparison": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "statements" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement": { + "aws:securityhub/InsightFiltersType:InsightFiltersType": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" - }, - "regexString": { - "type": "string", - "description": "The string representing the regular expression. **Note:** The fixed quota for the maximum number of characters in each regex pattern is 200, which can't be changed. 
See [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) for details.\n" + "comparison": { + "type": "string" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "regexString", - "textTransformations" + "comparison", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch": { + "aws:securityhub/InsightFiltersUpdatedAt:InsightFiltersUpdatedAt": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies", - "description": "Inspect the 
cookies in the web request. See Cookies below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. See Header Order below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See Headers below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See JSON Body for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See Single Header below for details.\n" + "dateRange": { + "$ref": "#/types/aws:securityhub/InsightFiltersUpdatedAtDateRange:InsightFiltersUpdatedAtDateRange" }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See Single Query Argument below for details.\n" + "end": { + "type": "string" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "start": { + "type": "string" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody": { + "aws:securityhub/InsightFiltersUpdatedAtDateRange:InsightFiltersUpdatedAtDateRange": { "properties": { - "oversizeHandling": { - "type": "string" + "unit": { + "type": "string", + "description": "A date range unit for the date filter. Valid values: `DAYS`.\n" + }, + "value": { + "type": "integer", + "description": "A date range value for the date filter, provided as an Integer.\n" } }, - "type": "object" + "type": "object", + "required": [ + "unit", + "value" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies": { + "aws:securityhub/InsightFiltersUserDefinedValue:InsightFiltersUserDefinedValue": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" + "comparison": { + "type": "string" }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "key": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "comparison", + "key", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:securityhub/InsightFiltersVerificationState:InsightFiltersVerificationState": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "comparison": { + "type": "string" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "value": { + "type": "string" } }, - "type": "object" - }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "comparison", + "value" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader": { + "aws:securityhub/InsightFiltersWorkflowStatus:InsightFiltersWorkflowStatus": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "comparison": { + "type": "string" }, - "oversizeHandling": { + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "comparison", + "value" + ] + }, + "aws:securityhub/OrganizationConfigurationOrganizationConfiguration:OrganizationConfigurationOrganizationConfiguration": { + "properties": { + "configurationType": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Indicates whether the organization uses local or central configuration. If using central configuration, `auto_enable` must be set to `false` and `auto_enable_standards` set to `NONE`. More information can be found in the [documentation for central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html). Valid values: `LOCAL`, `CENTRAL`.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "configurationType" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:securitylake/AwsLogSourceSource:AwsLogSourceSource": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { + "accounts": { "type": "array", "items": { "type": "string" }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "description": "Specify the AWS account information where you want to enable Security Lake.\nIf not specified, uses all accounts included in the Security Lake.\n" }, - "includedHeaders": { + "regions": { "type": "array", "items": { "type": "string" }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" - } - }, - "type": 
"object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { + "description": "Specify the Regions where you want to enable Security Lake.\n" + }, + "sourceName": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "The name for a AWS source. This must be a Regionally unique value. 
Valid values: `ROUTE53`, `VPC_FLOW`, `SH_FINDINGS`, `CLOUD_TRAIL_MGMT`, `LAMBDA_EXECUTION`, `S3_DATA`.\n" + }, + "sourceVersion": { + "type": "string", + "description": "The version for a AWS source.\nIf not specified, the version will be the default.\nThis must be a Regionally unique value.\n" } }, "type": "object", "required": [ - "oversizeHandling" - ] - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint": { - "properties": { - "fallbackBehavior": { - "type": "string" + "regions", + "sourceName" + ], + "language": { + "nodejs": { + "requiredOutputs": [ + "accounts", + "regions", + "sourceName", + "sourceVersion" + ] } - }, - "type": "object", - "required": [ - "fallbackBehavior" - ] + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody": { + "aws:securitylake/CustomLogSourceAttribute:CustomLogSourceAttribute": { "properties": { - "invalidFallbackBehavior": { + "crawlerArn": { "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. 
See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "description": "The ARN of the AWS Glue crawler.\n" }, - "matchScope": { + "databaseArn": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "The ARN of the AWS Glue database where results are written.\n" }, - "oversizeHandling": { + "tableArn": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "The ARN of the AWS Glue table.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "crawlerArn", + "databaseArn", + "tableArn" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:securitylake/CustomLogSourceConfiguration:CustomLogSourceConfiguration": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "crawlerConfiguration": { + "$ref": "#/types/aws:securitylake/CustomLogSourceConfigurationCrawlerConfiguration:CustomLogSourceConfigurationCrawlerConfiguration", + "description": "The configuration for the Glue Crawler for the third-party custom source.\n" }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "providerIdentity": { + "$ref": "#/types/aws:securitylake/CustomLogSourceConfigurationProviderIdentity:CustomLogSourceConfigurationProviderIdentity", + "description": "The identity of the log provider for the third-party custom source.\n" } 
}, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader": { + "aws:securitylake/CustomLogSourceConfigurationCrawlerConfiguration:CustomLogSourceConfigurationCrawlerConfiguration": { "properties": { - "name": { + "roleArn": { "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to be used by the AWS Glue crawler.\n" } }, "type": "object", "required": [ - "name" + "roleArn" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument": { + "aws:securitylake/CustomLogSourceConfigurationProviderIdentity:CustomLogSourceConfigurationProviderIdentity": { "properties": { - "name": { + "externalId": { "type": "string", - "description": "The name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "description": "The external ID used to estalish trust relationship with the AWS identity.\n" + }, + "principal": { + "type": "string", + "description": "The AWS identity principal.\n" } }, "type": "object", "required": [ - "name" + "externalId", + "principal" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation": { + "aws:securitylake/CustomLogSourceProviderDetail:CustomLogSourceProviderDetail": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "location": { + "type": "string", + "description": "The location of the partition in the Amazon S3 bucket for Security Lake.\n" }, - "type": { + "roleArn": { "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The ARN of the IAM role to be used by the entity putting logs into your custom source partition.\n" } }, "type": "object", "required": [ - "priority", - "type" + "location", + "roleArn" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement": { + "aws:securitylake/DataLakeConfiguration:DataLakeConfiguration": { "properties": { - "arn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.\n" - }, - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. 
See Field to Match below for details.\n" - }, - "textTransformations": { + "encryptionConfigurations": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation" + "$ref": "#/types/aws:securitylake/DataLakeConfigurationEncryptionConfiguration:DataLakeConfigurationEncryptionConfiguration" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "description": "Provides encryption details of Amazon Security Lake object.\n" + }, + "lifecycleConfiguration": { + "$ref": "#/types/aws:securitylake/DataLakeConfigurationLifecycleConfiguration:DataLakeConfigurationLifecycleConfiguration", + "description": "Provides lifecycle details of Amazon Security Lake object.\n" + }, + "region": { + "type": "string", + "description": "The AWS Regions where Security Lake is automatically enabled.\n" + }, + "replicationConfiguration": { + "$ref": "#/types/aws:securitylake/DataLakeConfigurationReplicationConfiguration:DataLakeConfigurationReplicationConfiguration", + "description": "Provides replication details of Amazon Security Lake object.\n" } }, "type": "object", "required": [ - "arn", - "textTransformations" + "region" + ], + "language": { + "nodejs": { + "requiredOutputs": [ + "encryptionConfigurations", + "region" + ] + } + } + }, + "aws:securitylake/DataLakeConfigurationEncryptionConfiguration:DataLakeConfigurationEncryptionConfiguration": { + "properties": { + "kmsKeyId": { + "type": "string", + "description": "The id of KMS encryption key used by Amazon Security Lake to encrypt the Security Lake object.\n" + } + }, + "type": "object", + "required": [ + "kmsKeyId" ] }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch": { + "aws:securitylake/DataLakeConfigurationLifecycleConfiguration:DataLakeConfigurationLifecycleConfiguration": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See Cookies below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. 
See Header Order below for details.\n" + "expiration": { + "$ref": "#/types/aws:securitylake/DataLakeConfigurationLifecycleConfigurationExpiration:DataLakeConfigurationLifecycleConfigurationExpiration", + "description": "Provides data expiration details of Amazon Security Lake object.\n" }, - "headers": { + "transitions": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader" + "$ref": "#/types/aws:securitylake/DataLakeConfigurationLifecycleConfigurationTransition:DataLakeConfigurationLifecycleConfigurationTransition" }, - "description": "Inspect the request headers. See Headers below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See JSON Body for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See Single Header below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See Single Query Argument below for details.\n" - }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "description": "Provides data storage transition details of Amazon Security Lake object.\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments": { + "aws:securitylake/DataLakeConfigurationLifecycleConfigurationExpiration:DataLakeConfigurationLifecycleConfigurationExpiration": { + "properties": { + "days": { + "type": "integer", + "description": "Number of days before data transition to a different S3 Storage Class in the Amazon Security Lake object.\n" + } + }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody": { + "aws:securitylake/DataLakeConfigurationLifecycleConfigurationTransition:DataLakeConfigurationLifecycleConfigurationTransition": { "properties": { - "oversizeHandling": { - "type": "string" + "days": { + "type": "integer", + "description": "Number of days before data transition to a different S3 Storage Class in the Amazon Security Lake object.\n" + }, + "storageClass": { + "type": "string", + "description": "The range of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads.\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies": { + "aws:securitylake/DataLakeConfigurationReplicationConfiguration:DataLakeConfigurationReplicationConfiguration": { "properties": { - 
"matchPatterns": { + "regions": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern" + "type": "string" }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Amazon S3 buckets that are configured for object replication can be owned by the same AWS account or by different accounts. You can replicate objects to a single destination bucket or to multiple destination buckets. The destination buckets can be in different AWS Regions or within the same Region as the source bucket.\n" }, - "oversizeHandling": { + "roleArn": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "description": "Replication settings for the Amazon S3 buckets. 
This parameter uses the AWS Identity and Access Management (IAM) role you created that is managed by Security Lake, to ensure the replication setting is correct.\n" } }, - "type": "object", - "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" - ] + "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern": { + "aws:securitylake/DataLakeTimeouts:DataLakeTimeouts": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll" + "create": { + "type": "string", + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "delete": { + "type": "string", + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.\n" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "update": { + "type": "string", + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". 
Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll": { + "aws:securitylake/SubscriberNotificationConfiguration:SubscriberNotificationConfiguration": { + "properties": { + "httpsNotificationConfiguration": { + "$ref": "#/types/aws:securitylake/SubscriberNotificationConfigurationHttpsNotificationConfiguration:SubscriberNotificationConfigurationHttpsNotificationConfiguration", + "description": "The configurations for HTTPS subscriber notification.\n" + }, + "sqsNotificationConfiguration": { + "$ref": "#/types/aws:securitylake/SubscriberNotificationConfigurationSqsNotificationConfiguration:SubscriberNotificationConfigurationSqsNotificationConfiguration", + "description": "The configurations for SQS subscriber notification.\nThere are no parameters within `sqs_notification_configuration`.\n" + } + }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader": { + "aws:securitylake/SubscriberNotificationConfigurationHttpsNotificationConfiguration:SubscriberNotificationConfigurationHttpsNotificationConfiguration": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. 
The `match_pattern` block supports only one of the following arguments:\n" + "authorizationApiKeyName": { + "type": "string", + "description": "The API key name for the notification subscription.\n" }, - "matchScope": { + "authorizationApiKeyValue": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "The API key value for the notification subscription.\n", + "secret": true }, - "oversizeHandling": { + "endpoint": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "The subscription endpoint in Security Lake.\nIf you prefer notification with an HTTPS endpoint, populate this field.\n" + }, + "httpMethod": { + "type": "string", + "description": "The HTTP method used for the notification subscription.\nValid values are `POST` and `PUT`.\n" + }, + "targetRoleArn": { + "type": "string", + "description": "The Amazon Resource Name (ARN) of the EventBridge API destinations IAM role that you created.\nFor more information about ARNs and how to use them in policies, see Managing data access and AWS Managed Policies in the Amazon Security Lake User Guide.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "endpoint", + "targetRoleArn" ] }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern": { + "aws:securitylake/SubscriberNotificationConfigurationSqsNotificationConfiguration:SubscriberNotificationConfigurationSqsNotificationConfiguration": { + "type": "object" + }, + "aws:securitylake/SubscriberSource:SubscriberSource": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "awsLogSourceResource": { + "$ref": "#/types/aws:securitylake/SubscriberSourceAwsLogSourceResource:SubscriberSourceAwsLogSourceResource", + "description": "Amazon Security Lake supports log and event collection for natively supported AWS services.\n" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "customLogSourceResource": { + "$ref": "#/types/aws:securitylake/SubscriberSourceCustomLogSourceResource:SubscriberSourceCustomLogSourceResource", + "description": "Amazon Security Lake supports custom source types.\n" } }, "type": "object" }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder": { + "aws:securitylake/SubscriberSourceAwsLogSourceResource:SubscriberSourceAwsLogSourceResource": { "properties": { - "oversizeHandling": { + "sourceName": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "The name for a third-party custom source. This must be a Regionally unique value.\n" + }, + "sourceVersion": { + "type": "string", + "description": "The version for a third-party custom source. 
This must be a Regionally unique value.\n" } }, "type": "object", "required": [ - "oversizeHandling" - ] - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint": { - "properties": { - "fallbackBehavior": { - "type": "string" + "sourceName" + ], + "language": { + "nodejs": { + "requiredOutputs": [ + "sourceName", + "sourceVersion" + ] } - }, - "type": "object", - "required": [ - "fallbackBehavior" - ] + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody": { + "aws:securitylake/SubscriberSourceCustomLogSourceResource:SubscriberSourceCustomLogSourceResource": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" + "attributes": { + "type": "array", + "items": { + "$ref": "#/types/aws:securitylake/SubscriberSourceCustomLogSourceResourceAttribute:SubscriberSourceCustomLogSourceResourceAttribute" + }, + "description": "The attributes of a third-party custom source.\n" }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. 
See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "providers": { + "type": "array", + "items": { + "$ref": "#/types/aws:securitylake/SubscriberSourceCustomLogSourceResourceProvider:SubscriberSourceCustomLogSourceResourceProvider" + } }, - "matchScope": { + "sourceName": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "The name for a third-party custom source. This must be a Regionally unique value.\n" }, - "oversizeHandling": { + "sourceVersion": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "The version for a third-party custom source. This must be a Regionally unique value.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" - ] - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll" - }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "sourceName" + ], + "language": { + "nodejs": { + "requiredOutputs": [ + "attributes", + "providers", + "sourceName", + "sourceVersion" + ] } - }, - "type": "object" - }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString": { - "type": "object" + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader": { + "aws:securitylake/SubscriberSourceCustomLogSourceResourceAttribute:SubscriberSourceCustomLogSourceResourceAttribute": { "properties": { - "name": { + "crawlerArn": { "type": "string", - "description": "The name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "description": "The ARN of the AWS Glue crawler.\n" + }, + "databaseArn": { + "type": "string", + "description": "The ARN of the AWS Glue database where results are written.\n" + }, + "tableArn": { + "type": "string", + "description": "The ARN of the AWS Glue table.\n" } }, "type": "object", "required": [ - "name" + "crawlerArn", + "databaseArn", + "tableArn" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument": { + "aws:securitylake/SubscriberSourceCustomLogSourceResourceProvider:SubscriberSourceCustomLogSourceResourceProvider": { "properties": { - "name": { + "location": { "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The location of the partition in the Amazon S3 bucket for Security Lake.\n" + }, + "roleArn": { + "type": "string", + "description": "The ARN of the IAM role to be used by the entity putting logs into your custom source partition.\n" } }, "type": "object", "required": [ - "name" + "location", + "roleArn" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation": { + "aws:securitylake/SubscriberSubscriberIdentity:SubscriberSubscriberIdentity": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing 
order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "externalId": { + "type": "string", + "description": "The AWS Regions where Security Lake is automatically enabled.\n" }, - "type": { + "principal": { "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "Provides encryption details of Amazon Security Lake object.\n" } }, "type": "object", "required": [ - "priority", - "type" + "externalId", + "principal" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement": { + "aws:securitylake/SubscriberTimeouts:SubscriberTimeouts": { "properties": { - "comparisonOperator": { + "create": { "type": "string", - "description": "The operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.\n" - }, - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" }, - "size": { - "type": "integer", - "description": "The size, in bytes, to compare to the request part, after any transformations. 
Valid values are integers between 0 and 21474836480, inclusive.\n" + "delete": { + "type": "string", + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.\n" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "update": { + "type": "string", + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". 
Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" } }, - "type": "object", - "required": [ - "comparisonOperator", - "size", - "textTransformations" - ] + "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch": { + "aws:servicecatalog/ProductProvisioningArtifactParameters:ProductProvisioningArtifactParameters": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See Cookies below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. 
See Header Order below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See Headers below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See JSON Body for details.\n" + "description": { + "type": "string", + "description": "Description of the provisioning artifact (i.e., version), including how it differs from the previous provisioning artifact.\n", + "willReplaceOnChanges": true }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform.\n" + "disableTemplateValidation": { + "type": "boolean", + "description": "Whether AWS Service Catalog stops validating the specified provisioning artifact template even if it is invalid.\n", + "willReplaceOnChanges": true }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" + "name": { + "type": "string", + "description": "Name of the provisioning artifact (for example, `v1`, `v2beta`). No spaces are allowed.\n", + "willReplaceOnChanges": true }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See Single Header below for details.\n" + "templatePhysicalId": { + "type": "string", + "description": "Template source as the physical ID of the resource that contains the template. Currently only supports CloudFormation stack ARN. Specify the physical ID as `arn:[partition]:cloudformation:[region]:[account ID]:stack/[stack name]/[resource ID]`.\n", + "willReplaceOnChanges": true }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. 
See Single Query Argument below for details.\n" + "templateUrl": { + "type": "string", + "description": "Template source as URL of the CloudFormation template in Amazon S3.\n", + "willReplaceOnChanges": true }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "type": { + "type": "string", + "description": "Type of provisioning artifact. See [AWS Docs](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_ProvisioningArtifactProperties.html) for valid list of values.\n", + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody": { + "aws:servicecatalog/ProvisionedProductOutput:ProvisionedProductOutput": { "properties": { - "oversizeHandling": { - "type": "string" + "description": { + "type": "string", + "description": "The description of the output.\n" + }, + "key": { + "type": "string", + "description": "The output key.\n" + }, + "value": { + "type": "string", + "description": "The output value.\n" } }, - "type": "object" + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "description", + "key", + "value" + ] + } + } }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies": { + "aws:servicecatalog/ProvisionedProductProvisioningParameter:ProvisionedProductProvisioningParameter": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { + "key": { "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "Parameter key.\n" }, - "oversizeHandling": { + "usePreviousValue": { + "type": "boolean", + "description": "Whether to ignore `value` and keep the previous parameter value. Ignored when initially provisioning a product.\n" + }, + "value": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "description": "Parameter value.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "key" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern": { + "aws:servicecatalog/ProvisionedProductStackSetProvisioningPreferences:ProvisionedProductStackSetProvisioningPreferences": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { + "accounts": { "type": "array", "items": { "type": "string" - } + }, + "description": "One or more AWS accounts that will have access to the provisioned product. The AWS accounts specified should be within the list of accounts in the STACKSET constraint. To get the list of accounts in the STACKSET constraint, use the `aws_servicecatalog_provisioning_parameters` data source. If no values are specified, the default value is all accounts from the STACKSET constraint.\n" }, - "includedCookies": { + "failureToleranceCount": { + "type": "integer", + "description": "Number of accounts, per region, for which this operation can fail before AWS Service Catalog stops the operation in that region. If the operation is stopped in a region, AWS Service Catalog doesn't attempt the operation in any subsequent regions. You must specify either `failure_tolerance_count` or `failure_tolerance_percentage`, but not both. 
The default value is 0 if no value is specified.\n" + }, + "failureTolerancePercentage": { + "type": "integer", + "description": "Percentage of accounts, per region, for which this stack operation can fail before AWS Service Catalog stops the operation in that region. If the operation is stopped in a region, AWS Service Catalog doesn't attempt the operation in any subsequent regions. When calculating the number of accounts based on the specified percentage, AWS Service Catalog rounds down to the next whole number. You must specify either `failure_tolerance_count` or `failure_tolerance_percentage`, but not both.\n" + }, + "maxConcurrencyCount": { + "type": "integer", + "description": "Maximum number of accounts in which to perform this operation at one time. This is dependent on the value of `failure_tolerance_count`. `max_concurrency_count` is at most one more than the `failure_tolerance_count`. Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual number of accounts acted upon concurrently may be lower due to service throttling. You must specify either `max_concurrency_count` or `max_concurrency_percentage`, but not both.\n" + }, + "maxConcurrencyPercentage": { + "type": "integer", + "description": "Maximum percentage of accounts in which to perform this operation at one time. When calculating the number of accounts based on the specified percentage, AWS Service Catalog rounds down to the next whole number. This is true except in cases where rounding down would result is zero. In this case, AWS Service Catalog sets the number as 1 instead. Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual number of accounts acted upon concurrently may be lower due to service throttling. 
You must specify either `max_concurrency_count` or `max_concurrency_percentage`, but not both.\n" + }, + "regions": { "type": "array", "items": { "type": "string" - } + }, + "description": "One or more AWS Regions where the provisioned product will be available. The specified regions should be within the list of regions from the STACKSET constraint. To get the list of regions in the STACKSET constraint, use the `aws_servicecatalog_provisioning_parameters` data source. If no values are specified, the default value is all regions from the STACKSET constraint.\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader": { + "aws:servicecatalog/ServiceActionDefinition:ServiceActionDefinition": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" + "assumeRole": { + "type": "string", + "description": "ARN of the role that performs the self-service actions on your behalf. For example, `arn:aws:iam::12345678910:role/ActionRole`. 
To reuse the provisioned product launch role, set to `LAUNCH_ROLE`.\n" }, - "matchScope": { + "name": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "Name of the SSM document. For example, `AWS-RestartEC2Instance`. If you are using a shared SSM document, you must provide the ARN instead of the name.\n" }, - "oversizeHandling": { + "parameters": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "List of parameters in JSON format. For example: `[{\\\"Name\\\":\\\"InstanceId\\\",\\\"Type\\\":\\\"TARGET\\\"}]` or `[{\\\"Name\\\":\\\"InstanceId\\\",\\\"Type\\\":\\\"TEXT_VALUE\\\"}]`.\n" + }, + "type": { + "type": "string", + "description": "Service action definition type. Valid value is `SSM_AUTOMATION`. Default is `SSM_AUTOMATION`.\n", + "willReplaceOnChanges": true + }, + "version": { + "type": "string", + "description": "SSM document version. 
For example, `1`.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "name", + "version" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern": { + "aws:servicecatalog/getLaunchPathsSummary:getLaunchPathsSummary": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { + "constraintSummaries": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:servicecatalog/getLaunchPathsSummaryConstraintSummary:getLaunchPathsSummaryConstraintSummary" }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "description": "Block for constraints on the portfolio-product relationship. 
See details below.\n" }, - "includedHeaders": { - "type": "array", - "items": { + "name": { + "type": "string", + "description": "Name of the portfolio to which the path was assigned.\n" + }, + "pathId": { + "type": "string", + "description": "Identifier of the product path.\n" + }, + "tags": { + "type": "object", + "additionalProperties": { "type": "string" }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "description": "Tags associated with this product path.\n" } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "constraintSummaries", + "name", + "pathId", + "tags" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder": { + "aws:servicecatalog/getLaunchPathsSummaryConstraintSummary:getLaunchPathsSummaryConstraintSummary": { "properties": { - "oversizeHandling": { + "description": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Description of the constraint.\n" + }, + "type": { + "type": "string", + "description": "Type of constraint. 
Valid values are `LAUNCH`, `NOTIFICATION`, `STACKSET`, and `TEMPLATE`.\n" } }, "type": "object", "required": [ - "oversizeHandling" - ] + "description", + "type" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint": { + "aws:servicecatalog/getPortfolioConstraintsDetail:getPortfolioConstraintsDetail": { "properties": { - "fallbackBehavior": { + "constraintId": { + "type": "string", + "description": "Identifier of the constraint.\n" + }, + "description": { + "type": "string", + "description": "Description of the constraint.\n" + }, + "owner": { "type": "string" + }, + "portfolioId": { + "type": "string", + "description": "Portfolio identifier.\n\nThe following arguments are optional:\n" + }, + "productId": { + "type": "string", + "description": "Product identifier.\n" + }, + "type": { + "type": "string", + "description": "Type of constraint. Valid values are `LAUNCH`, `NOTIFICATION`, `STACKSET`, and `TEMPLATE`.\n" } }, "type": "object", "required": [ - "fallbackBehavior" - ] + "constraintId", + "description", + "owner", + "portfolioId", + "productId", + "type" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody": { + "aws:servicecatalog/getProvisioningArtifactsProvisioningArtifactDetail:getProvisioningArtifactsProvisioningArtifactDetail": { "properties": { - "invalidFallbackBehavior": { + "active": { + "type": "boolean", + "description": "Indicates whether the product version is active.\n" + }, + "createdTime": { "type": "string", - "description": "What to do when JSON parsing fails. 
Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" + "description": "The UTC time stamp of the creation time.\n" }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "description": { + "type": "string", + "description": "The description of the provisioning artifact.\n" }, - "matchScope": { + "guidance": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "Information set by the administrator to provide guidance to end users about which provisioning artifacts to use.\n" }, - "oversizeHandling": { + "id": { "type": "string", - "description": "What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "The identifier of the provisioning artifact.\n" + }, + "name": { + "type": "string", + "description": "The name of the provisioning artifact.\n" + }, + "type": { + "type": "string", + "description": "The type of provisioning artifact.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" - ] + "active", + "createdTime", + "description", + "guidance", + "id", + "name", + "type" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern": { + "aws:servicediscovery/ServiceDnsConfig:ServiceDnsConfig": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll" - }, - "includedPaths": { + "dnsRecords": { "type": "array", "items": { - "type": "string" - } + "$ref": "#/types/aws:servicediscovery/ServiceDnsConfigDnsRecord:ServiceDnsConfigDnsRecord" + }, + "description": "An array that contains one DnsRecord object for each resource record set.\n" + }, + "namespaceId": { + "type": "string", + "description": "The ID of the namespace to use for DNS configuration.\n", + "willReplaceOnChanges": true + }, + "routingPolicy": { + "type": "string", + "description": "The routing policy that you want to apply to all records that Route 53 creates when you register an instance and specify the service. 
Valid Values: MULTIVALUE, WEIGHTED\n", + "willReplaceOnChanges": true } }, - "type": "object" + "type": "object", + "required": [ + "dnsRecords", + "namespaceId" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" + "aws:servicediscovery/ServiceDnsConfigDnsRecord:ServiceDnsConfigDnsRecord": { + "properties": { + "ttl": { + "type": "integer", + "description": "The amount of time, in seconds, that you want DNS resolvers to cache the settings for this resource record set.\n" + }, + "type": { + "type": "string", + "description": "The type of the resource, which indicates the value that Amazon Route 53 returns in response to DNS queries. Valid Values: A, AAAA, SRV, CNAME\n", + "willReplaceOnChanges": true + } + }, + "type": "object", + "required": [ + "ttl", + "type" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod": { + "aws:servicediscovery/ServiceHealthCheckConfig:ServiceHealthCheckConfig": { + "properties": { + "failureThreshold": { + "type": "integer", + "description": "The number of consecutive health checks. Maximum value of 10.\n" + }, + "resourcePath": { + "type": "string", + "description": "The path that you want Route 53 to request when performing health checks. Route 53 automatically adds the DNS name for the service. If you don't specify a value, the default value is /.\n" + }, + "type": { + "type": "string", + "description": "The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. 
Valid Values: HTTP, HTTPS, TCP\n", + "willReplaceOnChanges": true + } + }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString": { + "aws:servicediscovery/ServiceHealthCheckCustomConfig:ServiceHealthCheckCustomConfig": { + "properties": { + "failureThreshold": { + "type": "integer", + "description": "The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10.\n", + "willReplaceOnChanges": true + } + }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader": { + "aws:servicediscovery/getServiceDnsConfig:getServiceDnsConfig": { "properties": { - "name": { + "dnsRecords": { + "type": "array", + "items": { + "$ref": "#/types/aws:servicediscovery/getServiceDnsConfigDnsRecord:getServiceDnsConfigDnsRecord" + }, + "description": "An array that contains one DnsRecord object for each resource record set.\n" + }, + "namespaceId": { "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "ID of the namespace that the service belongs to.\n" + }, + "routingPolicy": { + "type": "string", + "description": "Routing policy that you want to apply to all records that Route 53 creates when you register an instance and specify the service. 
Valid Values: MULTIVALUE, WEIGHTED\n" } }, "type": "object", "required": [ - "name" - ] + "dnsRecords", + "namespaceId", + "routingPolicy" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument": { + "aws:servicediscovery/getServiceDnsConfigDnsRecord:getServiceDnsConfigDnsRecord": { "properties": { - "name": { + "ttl": { + "type": "integer", + "description": "Amount of time, in seconds, that you want DNS resolvers to cache the settings for this resource record set.\n" + }, + "type": { "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. Valid Values: HTTP, HTTPS, TCP\n" } }, "type": "object", "required": [ - "name" - ] - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath": { - "type": "object" + "ttl", + "type" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation": { + "aws:servicediscovery/getServiceHealthCheckConfig:getServiceHealthCheckConfig": { "properties": { - "priority": { + "failureThreshold": { "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "description": "The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10.\n" + }, + "resourcePath": { + "type": "string", + "description": "Path that you want Route 53 to request when performing health checks. Route 53 automatically adds the DNS name for the service. If you don't specify a value, the default value is /.\n" }, "type": { "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. Valid Values: HTTP, HTTPS, TCP\n" } }, "type": "object", "required": [ - "priority", + "failureThreshold", + "resourcePath", "type" - ] + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement": { + "aws:servicediscovery/getServiceHealthCheckCustomConfig:getServiceHealthCheckCustomConfig": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. 
See Field to Match below for details.\n" - }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "failureThreshold": { + "type": "integer", + "description": "The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10.\n" } }, "type": "object", "required": [ - "textTransformations" - ] + "failureThreshold" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch": { + "aws:servicequotas/ServiceQuotaUsageMetric:ServiceQuotaUsageMetric": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers.\n" - }, - "cookies": { - "$ref": 
"#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See Cookies below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. See Header Order below for details.\n" - }, - "headers": { + "metricDimensions": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader" + "$ref": "#/types/aws:servicequotas/ServiceQuotaUsageMetricMetricDimension:ServiceQuotaUsageMetricMetricDimension" }, - "description": "Inspect the request headers. See Headers below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. 
See JSON Body for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" + "description": "The metric dimensions.\n" }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See Single Header below for details.\n" + "metricName": { + "type": "string", + "description": "The name of the metric.\n" }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. 
See Single Query Argument below for details.\n" + "metricNamespace": { + "type": "string", + "description": "The namespace of the metric.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "metricStatisticRecommendation": { + "type": "string", + "description": "The metric statistic that AWS recommend you use when determining quota usage.\n" } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "metricDimensions", + "metricName", + "metricNamespace", + "metricStatisticRecommendation" + ] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody": { + "aws:servicequotas/ServiceQuotaUsageMetricMetricDimension:ServiceQuotaUsageMetricMetricDimension": { "properties": { - "oversizeHandling": { + "class": { + "type": "string" + }, + "resource": { + "type": "string" + }, + "service": { + "type": "string" + }, + "type": { "type": "string" } }, - "type": "object" + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "class", + "resource", + "service", + "type" + ] + } + } }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies": { + "aws:servicequotas/getServiceQuotaUsageMetric:getServiceQuotaUsageMetric": { "properties": { - "matchPatterns": { + "metricDimensions": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern" + "$ref": "#/types/aws:servicequotas/getServiceQuotaUsageMetricMetricDimension:getServiceQuotaUsageMetricMetricDimension" }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" + "description": "The metric dimensions.\n" }, - "matchScope": { + "metricName": { "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "The name of the metric.\n" }, - "oversizeHandling": { + "metricNamespace": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "description": "The namespace of the metric.\n" + }, + "metricStatisticRecommendation": { + "type": "string", + "description": "The metric statistic that AWS recommend you use when determining quota usage.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" - ] + "metricDimensions", + "metricName", + "metricNamespace", + "metricStatisticRecommendation" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:servicequotas/getServiceQuotaUsageMetricMetricDimension:getServiceQuotaUsageMetricMetricDimension": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll" + "class": { + "type": "string" }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "resource": { + "type": "string" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "service": { + "type": "string" + }, + "type": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "class", + "resource", + "service", + "type" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader": { + "aws:servicequotas/getTemplatesTemplate:getTemplatesTemplate": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" + "globalQuota": { + "type": "boolean", + "description": "Indicates whether the quota is global.\n" }, - "matchScope": { + "quotaCode": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "Quota identifier.\n" }, - "oversizeHandling": { + "quotaName": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Quota name.\n" + }, + "region": { + "type": "string", + "description": "AWS Region to which the quota increases apply.\n" + }, + "serviceCode": { + "type": "string", + "description": "(Required) Service identifier.\n" + }, + "serviceName": { + "type": "string", + "description": "Service name.\n" + }, + "unit": { + "type": "string", + "description": "Unit of measurement.\n" + }, + "value": { + "type": "number", + "description": "(Required) The new, increased value for the quota.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" - ] - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" - }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "globalQuota", + "quotaCode", + "quotaName", + "region", + "serviceCode", + "serviceName", + "unit", + "value" + ], + "language": { + "nodejs": { + "requiredInputs": [] } - }, - "type": 
"object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" + } }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder": { + "aws:ses/ConfigurationSetDeliveryOptions:ConfigurationSetDeliveryOptions": { "properties": { - "oversizeHandling": { + "tlsPolicy": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Whether messages that use the configuration set are required to use Transport Layer Security (TLS). If the value is `Require`, messages are only delivered if a TLS connection can be established. If the value is `Optional`, messages can be delivered in plain text if a TLS connection can't be established. Valid values: `Require` or `Optional`. 
Defaults to `Optional`.\n" } }, - "type": "object", - "required": [ - "oversizeHandling" - ] + "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint": { + "aws:ses/ConfigurationSetTrackingOptions:ConfigurationSetTrackingOptions": { "properties": { - "fallbackBehavior": { - "type": "string" + "customRedirectDomain": { + "type": "string", + "description": "Custom subdomain that is used to redirect email recipients to the Amazon SES event tracking domain.\n" } }, - "type": "object", - "required": [ - "fallbackBehavior" - ] + "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody": { + "aws:ses/EventDestinationCloudwatchDestination:EventDestinationCloudwatchDestination": { "properties": { - "invalidFallbackBehavior": { + "defaultValue": { "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. 
See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "description": "The default value for the event\n" }, - "matchScope": { + "dimensionName": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "The name for the dimension\n" }, - "oversizeHandling": { + "valueSource": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "The source for the value. May be any of `\"messageTag\"`, `\"emailHeader\"` or `\"linkTag\"`.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "defaultValue", + "dimensionName", + "valueSource" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:ses/EventDestinationKinesisDestination:EventDestinationKinesisDestination": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "roleArn": { + "type": "string", + "description": "The ARN of the role that has permissions to access the Kinesis Stream\n" }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "streamArn": { + "type": "string", + "description": "The ARN of the Kinesis Stream\n" } }, - "type": "object" - }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString": { - "type": "object" + "type": "object", + "required": [ + "roleArn", + "streamArn" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader": { + "aws:ses/EventDestinationSnsDestination:EventDestinationSnsDestination": { "properties": { - "name": { + "topicArn": { "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The ARN of the SNS topic\n" } }, "type": "object", "required": [ - "name" + "topicArn" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument": { + "aws:ses/ReceiptRuleAddHeaderAction:ReceiptRuleAddHeaderAction": { "properties": { - "name": { + "headerName": { "type": "string", - "description": "The name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "description": "The name of the header to add\n" + }, + "headerValue": { + "type": "string", + "description": "The value of the header to add\n" + }, + "position": { + "type": "integer", + "description": "The position of the action in the receipt rule\n" } }, "type": "object", "required": [ - "name" + "headerName", + "headerValue", + "position" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation": { + "aws:ses/ReceiptRuleBounceAction:ReceiptRuleBounceAction": { "properties": { - "priority": { + "message": { + "type": "string", + "description": "The message to send\n" + }, + "position": { "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "description": "The position of the action in the receipt rule\n" }, - "type": { + "sender": { "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The email address of the sender\n" + }, + "smtpReplyCode": { + "type": "string", + "description": "The RFC 5321 SMTP reply code\n" + }, + "statusCode": { + "type": "string", + "description": "The RFC 3463 SMTP enhanced status code\n" + }, + "topicArn": { + "type": "string", + "description": "The ARN of an SNS topic to notify\n" } }, "type": "object", "required": [ - "priority", - "type" + "message", + "position", + "sender", + "smtpReplyCode" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement": { + "aws:ses/ReceiptRuleLambdaAction:ReceiptRuleLambdaAction": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. 
See Field to Match below for details.\n" + "functionArn": { + "type": "string", + "description": "The ARN of the Lambda function to invoke\n" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "invocationType": { + "type": "string", + "description": "`Event` or `RequestResponse`\n" + }, + "position": { + "type": "integer", + "description": "The position of the action in the receipt rule\n" + }, + "topicArn": { + "type": "string", + "description": "The ARN of an SNS topic to notify\n" } }, "type": "object", "required": [ - "textTransformations" + "functionArn", + "position" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch": { + "aws:ses/ReceiptRuleS3Action:ReceiptRuleS3Action": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers.\n" - }, - "cookies": { - "$ref": 
"#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See Cookies below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. See Header Order below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See Headers below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint" + "bucketName": { + "type": "string", + "description": "The name of the S3 bucket\n" }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. 
See JSON Body for details.\n" + "kmsKeyArn": { + "type": "string", + "description": "The ARN of the KMS key\n" }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" + "objectKeyPrefix": { + "type": "string", + "description": "The key prefix of the S3 bucket\n" }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" + "position": { + "type": "integer", + "description": "The position of the action in the receipt rule\n" }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See Single Header below for details.\n" + "topicArn": { + "type": "string", + "description": "The ARN of an SNS topic to notify\n" + } + }, + "type": "object", + "required": [ + "bucketName", + "position" + ] + }, + "aws:ses/ReceiptRuleSnsAction:ReceiptRuleSnsAction": { + "properties": { + "encoding": { + "type": "string", + "description": "The encoding to use for the email within the Amazon SNS notification. 
Default value is `UTF-8`.\n" }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See Single Query Argument below for details.\n" + "position": { + "type": "integer", + "description": "The position of the action in the receipt rule\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "topicArn": { + "type": "string", + "description": "The ARN of an SNS topic to notify\n" } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "required": [ + "position", + "topicArn" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody": { + "aws:ses/ReceiptRuleStopAction:ReceiptRuleStopAction": { "properties": { - "oversizeHandling": { - "type": "string" + "position": { + "type": "integer", + "description": "The position of the action in the receipt rule\n" + }, + "scope": { + "type": "string", + "description": "The scope to apply. 
The only acceptable value is `RuleSet`.\n" + }, + "topicArn": { + "type": "string", + "description": "The ARN of an SNS topic to notify\n" } }, - "type": "object" + "type": "object", + "required": [ + "position", + "scope" + ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies": { + "aws:ses/ReceiptRuleWorkmailAction:ReceiptRuleWorkmailAction": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { + "organizationArn": { "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "The ARN of the WorkMail organization\n" }, - "oversizeHandling": { + "position": { + "type": "integer", + "description": "The position of the action in the receipt rule\n" + }, + "topicArn": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "description": "The ARN of an SNS topic to notify\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "organizationArn", + "position" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:sesv2/AccountVdmAttributesDashboardAttributes:AccountVdmAttributesDashboardAttributes": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } - }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "engagementMetrics": { + "type": "string", + "description": "Specifies the status of your VDM engagement metrics collection. Valid values: `ENABLED`, `DISABLED`.\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll": { + "aws:sesv2/AccountVdmAttributesGuardianAttributes:AccountVdmAttributesGuardianAttributes": { + "properties": { + "optimizedSharedDelivery": { + "type": "string", + "description": "Specifies the status of your VDM optimized shared delivery. 
Valid values: `ENABLED`, `DISABLED`.\n" + } + }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader": { + "aws:sesv2/ConfigurationSetDeliveryOptions:ConfigurationSetDeliveryOptions": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { + "sendingPoolName": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "The name of the dedicated IP pool to associate with the configuration set.\n" }, - "oversizeHandling": { + "tlsPolicy": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Specifies whether messages that use the configuration set are required to use Transport Layer Security (TLS). 
Valid values: `REQUIRE`, `OPTIONAL`.\n" } }, - "type": "object", - "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" - ] + "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:sesv2/ConfigurationSetEventDestinationEventDestination:ConfigurationSetEventDestinationEventDestination": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" + "cloudWatchDestination": { + "$ref": "#/types/aws:sesv2/ConfigurationSetEventDestinationEventDestinationCloudWatchDestination:ConfigurationSetEventDestinationEventDestinationCloudWatchDestination", + "description": "An object that defines an Amazon CloudWatch destination for email events. See cloud_watch_destination below\n" }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "enabled": { + "type": "boolean", + "description": "When the event destination is enabled, the specified event types are sent to the destinations. Default: `false`.\n" }, - "includedHeaders": { + "kinesisFirehoseDestination": { + "$ref": "#/types/aws:sesv2/ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination:ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination", + "description": "An object that defines an Amazon Kinesis Data Firehose destination for email events. 
See kinesis_firehose_destination below.\n" + }, + "matchingEventTypes": { "type": "array", "items": { "type": "string" }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" - } - }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "An array that specifies which events the Amazon SES API v2 should send to the destinations. Valid values: `SEND`, `REJECT`, `BOUNCE`, `COMPLAINT`, `DELIVERY`, `OPEN`, `CLICK`, `RENDERING_FAILURE`, `DELIVERY_DELAY`, `SUBSCRIPTION`.\n\nThe following arguments are optional:\n" + }, + "pinpointDestination": { + "$ref": "#/types/aws:sesv2/ConfigurationSetEventDestinationEventDestinationPinpointDestination:ConfigurationSetEventDestinationEventDestinationPinpointDestination", + "description": "An object that defines an Amazon Pinpoint project destination for email events. 
See pinpoint_destination below.\n" + }, + "snsDestination": { + "$ref": "#/types/aws:sesv2/ConfigurationSetEventDestinationEventDestinationSnsDestination:ConfigurationSetEventDestinationEventDestinationSnsDestination", + "description": "An object that defines an Amazon SNS destination for email events. See sns_destination below.\n" } }, "type": "object", "required": [ - "oversizeHandling" + "matchingEventTypes" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint": { + "aws:sesv2/ConfigurationSetEventDestinationEventDestinationCloudWatchDestination:ConfigurationSetEventDestinationEventDestinationCloudWatchDestination": { "properties": { - "fallbackBehavior": { - "type": "string" + "dimensionConfigurations": { + "type": "array", + "items": { + "$ref": "#/types/aws:sesv2/ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration:ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration" + }, + "description": "An array of objects that define the dimensions to use when you send email events to Amazon CloudWatch. See dimension_configuration below.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "dimensionConfigurations" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody": { + "aws:sesv2/ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration:ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration": { "properties": { - "invalidFallbackBehavior": { + "defaultDimensionValue": { "type": "string", - "description": "What to do when JSON parsing fails. 
Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "description": "The default value of the dimension that is published to Amazon CloudWatch if you don't provide the value of the dimension when you send an email.\n" }, - "matchScope": { + "dimensionName": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "The name of an Amazon CloudWatch dimension associated with an email sending metric.\n" }, - "oversizeHandling": { + "dimensionValueSource": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "The location where the Amazon SES API v2 finds the value of a dimension to publish to Amazon CloudWatch. 
Valid values: `MESSAGE_TAG`, `EMAIL_HEADER`, `LINK_TAG`.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "defaultDimensionValue", + "dimensionName", + "dimensionValueSource" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:sesv2/ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination:ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "deliveryStreamArn": { + "type": "string", + "description": "The Amazon Resource Name (ARN) of the Amazon Kinesis Data Firehose stream that the Amazon SES API v2 sends email events to.\n" }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString": { - "type": "object" - }, - 
"aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader": { - "properties": { - "name": { + "iamRoleArn": { "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The Amazon Resource Name (ARN) of the IAM role that the Amazon SES API v2 uses to send email events to the Amazon Kinesis Data Firehose stream.\n" } }, "type": "object", "required": [ - "name" + "deliveryStreamArn", + "iamRoleArn" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument": { + "aws:sesv2/ConfigurationSetEventDestinationEventDestinationPinpointDestination:ConfigurationSetEventDestinationEventDestinationPinpointDestination": { "properties": { - "name": { - "type": "string", - "description": "The name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "applicationArn": { + "type": "string" } }, "type": "object", "required": [ - "name" + "applicationArn" ] }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation:RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation": { + "aws:sesv2/ConfigurationSetEventDestinationEventDestinationSnsDestination:ConfigurationSetEventDestinationEventDestinationSnsDestination": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { + "topicArn": { "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The Amazon Resource Name (ARN) of the Amazon SNS topic to publish email events to.\n" } }, "type": "object", "required": [ - "priority", - "type" + "topicArn" ] }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatement:RuleGroupRuleStatementRegexMatchStatement": { + "aws:sesv2/ConfigurationSetReputationOptions:ConfigurationSetReputationOptions": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatch:RuleGroupRuleStatementRegexMatchStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. 
See Field to Match below for details.\n" - }, - "regexString": { + "lastFreshStart": { "type": "string", - "description": "The string representing the regular expression. **Note:** The fixed quota for the maximum number of characters in each regex pattern is 200, which can't be changed. See [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) for details.\n" + "description": "The date and time (in Unix time) when the reputation metrics were last given a fresh start. When your account is given a fresh start, your reputation metrics are calculated starting from the date of the fresh start.\n" }, - "textTransformations": { + "reputationMetricsEnabled": { + "type": "boolean", + "description": "If `true`, tracking of reputation metrics is enabled for the configuration set. If `false`, tracking of reputation metrics is disabled for the configuration set.\n" + } + }, + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "lastFreshStart", + "reputationMetricsEnabled" + ] + } + } + }, + "aws:sesv2/ConfigurationSetSendingOptions:ConfigurationSetSendingOptions": { + "properties": { + "sendingEnabled": { + "type": "boolean", + "description": "If `true`, email sending is enabled for the configuration set. 
If `false`, email sending is disabled for the configuration set.\n" + } + }, + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "sendingEnabled" + ] + } + } + }, + "aws:sesv2/ConfigurationSetSuppressionOptions:ConfigurationSetSuppressionOptions": { + "properties": { + "suppressedReasons": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementTextTransformation:RuleGroupRuleStatementRegexMatchStatementTextTransformation" + "type": "string" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "description": "A list that contains the reasons that email addresses are automatically added to the suppression list for your account. Valid values: `BOUNCE`, `COMPLAINT`.\n" + } + }, + "type": "object" + }, + "aws:sesv2/ConfigurationSetTrackingOptions:ConfigurationSetTrackingOptions": { + "properties": { + "customRedirectDomain": { + "type": "string", + "description": "The domain to use for tracking open and click events.\n" } }, "type": "object", "required": [ - "regexString", - "textTransformations" + "customRedirectDomain" ] }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatch:RuleGroupRuleStatementRegexMatchStatementFieldToMatch": { + "aws:sesv2/ConfigurationSetVdmOptions:ConfigurationSetVdmOptions": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchBody:RuleGroupRuleStatementRegexMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers.\n" - }, 
- "cookies": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookies:RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See Cookies below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. See Header Order below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeader:RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See Headers below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See JSON Body for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchMethod:RuleGroupRuleStatementRegexMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementRegexMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. 
This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See Single Header below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See Single Query Argument below for details.\n" + "dashboardOptions": { + "$ref": "#/types/aws:sesv2/ConfigurationSetVdmOptionsDashboardOptions:ConfigurationSetVdmOptionsDashboardOptions", + "description": "Specifies additional settings for your VDM configuration as applicable to the Dashboard.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementRegexMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "guardianOptions": { + "$ref": "#/types/aws:sesv2/ConfigurationSetVdmOptionsGuardianOptions:ConfigurationSetVdmOptionsGuardianOptions", + "description": "Specifies additional settings for your VDM configuration as applicable to the Guardian.\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments": { + "aws:sesv2/ConfigurationSetVdmOptionsDashboardOptions:ConfigurationSetVdmOptionsDashboardOptions": { + "properties": { + "engagementMetrics": { + "type": "string", + "description": "Specifies the status of your VDM engagement metrics collection. 
Valid values: `ENABLED`, `DISABLED`.\n" + } + }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchBody:RuleGroupRuleStatementRegexMatchStatementFieldToMatchBody": { + "aws:sesv2/ConfigurationSetVdmOptionsGuardianOptions:ConfigurationSetVdmOptionsGuardianOptions": { "properties": { - "oversizeHandling": { - "type": "string" + "optimizedSharedDelivery": { + "type": "string", + "description": "Specifies the status of your VDM optimized shared delivery. Valid values: `ENABLED`, `DISABLED`.\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookies:RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookies": { + "aws:sesv2/ContactListTopic:ContactListTopic": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" + "defaultSubscriptionStatus": { + "type": "string", + "description": "Default subscription status to be applied to a contact if the contact has not noted their preference for subscribing to a topic.\n" }, - "matchScope": { + "description": { "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "Description of what the topic is about, which the contact will see.\n" }, - "oversizeHandling": { + "displayName": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "description": "Name of the topic the contact will see.\n" + }, + "topicName": { + "type": "string", + "description": "Name of the topic.\n\nThe following arguments are optional:\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "defaultSubscriptionStatus", + "displayName", + "topicName" ] }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:sesv2/EmailIdentityDkimSigningAttributes:EmailIdentityDkimSigningAttributes": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll" + "currentSigningKeyLength": { + "type": "string", + "description": "[Easy DKIM] The key length of the DKIM key pair in use.\n" }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "domainSigningPrivateKey": { + "type": "string", + "description": "[Bring Your Own DKIM] A private key that's used to generate a DKIM signature. 
The private key must use 1024 or 2048-bit RSA encryption, and must be encoded using base64 encoding.\n\n\u003e **NOTE:** You have to delete the first and last lines ('-----BEGIN PRIVATE KEY-----' and '-----END PRIVATE KEY-----', respectively) of the generated private key. Additionally, you have to remove the line breaks in the generated private key. The resulting value is a string of characters with no spaces or line breaks.\n", + "secret": true }, - "includedCookies": { + "domainSigningSelector": { + "type": "string", + "description": "[Bring Your Own DKIM] A string that's used to identify a public key in the DNS configuration for a domain.\n" + }, + "lastKeyGenerationTimestamp": { + "type": "string", + "description": "[Easy DKIM] The last time a key pair was generated for this identity.\n" + }, + "nextSigningKeyLength": { + "type": "string", + "description": "[Easy DKIM] The key length of the future DKIM key pair to be generated. This can be changed at most once per day. Valid values: `RSA_1024_BIT`, `RSA_2048_BIT`.\n" + }, + "signingAttributesOrigin": { + "type": "string", + "description": "A string that indicates how DKIM was configured for the identity. `AWS_SES` indicates that DKIM was configured for the identity by using Easy DKIM. `EXTERNAL` indicates that DKIM was configured for the identity by using Bring Your Own DKIM (BYODKIM).\n" + }, + "status": { + "type": "string", + "description": "Describes whether or not Amazon SES has successfully located the DKIM records in the DNS records for the domain. 
See the [AWS SES API v2 Reference](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DkimAttributes.html#SES-Type-DkimAttributes-Status) for supported statuses.\n" + }, + "tokens": { "type": "array", "items": { "type": "string" - } + }, + "description": "If you used Easy DKIM to configure DKIM authentication for the domain, then this object contains a set of unique strings that you use to create a set of CNAME records that you add to the DNS configuration for your domain. When Amazon SES detects these records in the DNS configuration for your domain, the DKIM authentication process is complete. If you configured DKIM authentication for the domain by providing your own public-private key pair, then this object contains the selector for the public key.\n" } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "currentSigningKeyLength", + "lastKeyGenerationTimestamp", + "nextSigningKeyLength", + "signingAttributesOrigin", + "status", + "tokens" + ] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeader:RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeader": { + "aws:sesv2/getConfigurationSetDeliveryOption:getConfigurationSetDeliveryOption": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { + "sendingPoolName": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. 
If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "The name of the dedicated IP pool to associate with the configuration set.\n" }, - "oversizeHandling": { + "tlsPolicy": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Specifies whether messages that use the configuration set are required to use Transport Layer Security (TLS).\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" - ] + "sendingPoolName", + "tlsPolicy" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:sesv2/getConfigurationSetReputationOption:getConfigurationSetReputationOption": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "lastFreshStart": { + "type": "string", + "description": "The date and time (in Unix time) when the reputation metrics were last given a fresh start.\n" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - 
"description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "reputationMetricsEnabled": { + "type": "boolean", + "description": "Specifies whether tracking of reputation metrics is enabled.\n" } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "lastFreshStart", + "reputationMetricsEnabled" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderOrder": { + "aws:sesv2/getConfigurationSetSendingOption:getConfigurationSetSendingOption": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "sendingEnabled": { + "type": "boolean", + "description": "Specifies whether email sending is enabled.\n" } }, "type": "object", "required": [ - "oversizeHandling" - ] + "sendingEnabled" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint": { + "aws:sesv2/getConfigurationSetSuppressionOption:getConfigurationSetSuppressionOption": { "properties": { - "fallbackBehavior": { - "type": "string" + "suppressedReasons": { + "type": "array", + "items": { + "type": "string" + }, + "description": "A list that contains the reasons that email addresses are automatically added to the suppression list for your account.\n" } }, "type": "object", "required": [ - "fallbackBehavior" - ] + "suppressedReasons" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBody": { + "aws:sesv2/getConfigurationSetTrackingOption:getConfigurationSetTrackingOption": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. 
See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" - }, - "oversizeHandling": { + "customRedirectDomain": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "The domain to use for tracking open and click events.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" - ] + "customRedirectDomain" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:sesv2/getConfigurationSetVdmOption:getConfigurationSetVdmOption": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "dashboardOptions": { + "type": "array", + "items": { + "$ref": "#/types/aws:sesv2/getConfigurationSetVdmOptionDashboardOption:getConfigurationSetVdmOptionDashboardOption" + }, + "description": "Specifies additional settings for your VDM configuration as applicable to the Dashboard.\n" }, - "includedPaths": { + "guardianOptions": { "type": "array", "items": { - "type": "string" - } + "$ref": "#/types/aws:sesv2/getConfigurationSetVdmOptionGuardianOption:getConfigurationSetVdmOptionGuardianOption" + }, + "description": "Specifies additional settings for your VDM configuration as applicable to the Guardian.\n" } }, - "type": "object" - }, - 
"aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchMethod:RuleGroupRuleStatementRegexMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementRegexMatchStatementFieldToMatchQueryString": { - "type": "object" + "type": "object", + "required": [ + "dashboardOptions", + "guardianOptions" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleHeader": { + "aws:sesv2/getConfigurationSetVdmOptionDashboardOption:getConfigurationSetVdmOptionDashboardOption": { "properties": { - "name": { + "engagementMetrics": { "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "Specifies the status of your VDM engagement metrics collection.\n" } }, "type": "object", "required": [ - "name" - ] + "engagementMetrics" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument": { + "aws:sesv2/getConfigurationSetVdmOptionGuardianOption:getConfigurationSetVdmOptionGuardianOption": { "properties": { - "name": { + "optimizedSharedDelivery": { "type": "string", - "description": "The name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "description": "Specifies the status of your VDM optimized shared delivery.\n" } }, "type": "object", "required": [ - "name" - ] - }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementRegexMatchStatementFieldToMatchUriPath": { - "type": "object" + "optimizedSharedDelivery" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexMatchStatementTextTransformation:RuleGroupRuleStatementRegexMatchStatementTextTransformation": { + "aws:sesv2/getDedicatedIpPoolDedicatedIp:getDedicatedIpPoolDedicatedIp": { "properties": { - "priority": { + "ip": { + "type": "string", + "description": "IPv4 address.\n" + }, + "warmupPercentage": { "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "description": "Indicates how complete the dedicated IP warm-up process is. When this value equals `1`, the address has completed the warm-up process and is ready for use.\n" }, - "type": { + "warmupStatus": { "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The warm-up status of a dedicated IP address. 
Valid values: `IN_PROGRESS`, `DONE`.\n" } }, "type": "object", "required": [ - "priority", - "type" - ] + "ip", + "warmupPercentage", + "warmupStatus" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatement:RuleGroupRuleStatementRegexPatternSetReferenceStatement": { + "aws:sesv2/getEmailIdentityDkimSigningAttribute:getEmailIdentityDkimSigningAttribute": { "properties": { - "arn": { + "currentSigningKeyLength": { "type": "string", - "description": "The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.\n" + "description": "[Easy DKIM] The key length of the DKIM key pair in use.\n" }, - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatch:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" + "domainSigningPrivateKey": { + "type": "string", + "secret": true }, - "textTransformations": { + "domainSigningSelector": { + "type": "string" + }, + "lastKeyGenerationTimestamp": { + "type": "string", + "description": "[Easy DKIM] The last time a key pair was generated for this identity.\n" + }, + "nextSigningKeyLength": { + "type": "string", + "description": "[Easy DKIM] The key length of the future DKIM key pair to be generated. This can be changed at most once per day.\n" + }, + "signingAttributesOrigin": { + "type": "string", + "description": "A string that indicates how DKIM was configured for the identity. `AWS_SES` indicates that DKIM was configured for the identity by using Easy DKIM. `EXTERNAL` indicates that DKIM was configured for the identity by using Bring Your Own DKIM (BYODKIM).\n" + }, + "status": { + "type": "string", + "description": "Describes whether or not Amazon SES has successfully located the DKIM records in the DNS records for the domain. 
See the [AWS SES API v2 Reference](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DkimAttributes.html#SES-Type-DkimAttributes-Status) for supported statuses.\n" + }, + "tokens": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementTextTransformation:RuleGroupRuleStatementRegexPatternSetReferenceStatementTextTransformation" + "type": "string" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "description": "If you used Easy DKIM to configure DKIM authentication for the domain, then this object contains a set of unique strings that you use to create a set of CNAME records that you add to the DNS configuration for your domain. When Amazon SES detects these records in the DNS configuration for your domain, the DKIM authentication process is complete. 
If you configured DKIM authentication for the domain by providing your own public-private key pair, then this object contains the selector for the public key.\n" } }, "type": "object", "required": [ - "arn", - "textTransformations" - ] + "currentSigningKeyLength", + "domainSigningPrivateKey", + "domainSigningSelector", + "lastKeyGenerationTimestamp", + "nextSigningKeyLength", + "signingAttributesOrigin", + "status", + "tokens" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatch:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatch": { + "aws:sfn/AliasRoutingConfiguration:AliasRoutingConfiguration": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See Cookies below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. 
See Header Order below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See Headers below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See JSON Body for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" + "stateMachineVersionArn": { + "type": "string", + "description": "The Amazon Resource Name (ARN) of the state machine version.\n" }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. 
See Single Header below for details.\n" + "weight": { + "type": "integer", + "description": "Percentage of traffic routed to the state machine version.\n" + } + }, + "type": "object", + "required": [ + "stateMachineVersionArn", + "weight" + ] + }, + "aws:sfn/StateMachineLoggingConfiguration:StateMachineLoggingConfiguration": { + "properties": { + "includeExecutionData": { + "type": "boolean", + "description": "Determines whether execution data is included in your log. When set to `false`, data is excluded.\n" }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See Single Query Argument below for details.\n" + "level": { + "type": "string", + "description": "Defines which category of execution history events are logged. Valid values: `ALL`, `ERROR`, `FATAL`, `OFF`\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "logDestination": { + "type": "string", + "description": "Amazon Resource Name (ARN) of a CloudWatch log group. Make sure the State Machine has the correct IAM policies for logging. 
The ARN must end with `:*`\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody": { + "aws:sfn/StateMachineTracingConfiguration:StateMachineTracingConfiguration": { "properties": { - "oversizeHandling": { - "type": "string" + "enabled": { + "type": "boolean", + "description": "When set to `true`, AWS X-Ray tracing is enabled. Make sure the State Machine has the correct IAM policies for logging. See the [AWS Step Functions Developer Guide](https://docs.aws.amazon.com/step-functions/latest/dg/xray-iam.html) for details.\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies": { + "aws:sfn/getAliasRoutingConfiguration:getAliasRoutingConfiguration": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE`\n" + "stateMachineVersionArn": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "weight": { + "type": "integer" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" - ] + "stateMachineVersionArn", + "weight" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern": { + "aws:shield/ApplicationLayerAutomaticResponseTimeouts:ApplicationLayerAutomaticResponseTimeouts": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll" + "create": { + "type": "string", + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "delete": { + "type": "string", + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours). 
Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.\n" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "update": { + "type": "string", + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader": { + "aws:shield/DrtAccessLogBucketAssociationTimeouts:DrtAccessLogBucketAssociationTimeouts": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { + "create": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". 
Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" }, - "oversizeHandling": { + "delete": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.\n" } }, - "type": "object", - "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" - ] + "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern": { + "aws:shield/DrtAccessRoleArnAssociationTimeouts:DrtAccessRoleArnAssociationTimeouts": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" + "create": { + "type": "string", + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". 
Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "delete": { + "type": "string", + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs.\n" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "update": { + "type": "string", + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder": { + "aws:shield/ProactiveEngagementEmergencyContact:ProactiveEngagementEmergencyContact": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "contactNotes": { + "type": "string" + }, + "emailAddress": { + "type": "string" + }, + "phoneNumber": { + "type": "string" } }, "type": "object", "required": [ - "oversizeHandling" + "emailAddress" ] }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint": { + "aws:signer/SigningJobDestination:SigningJobDestination": { "properties": { - "fallbackBehavior": { - "type": "string" + "s3": { + "$ref": "#/types/aws:signer/SigningJobDestinationS3:SigningJobDestinationS3", + "description": "A configuration block describing the S3 Destination object: See S3 Destination below for details.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "fallbackBehavior" + "s3" ] }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody": { + "aws:signer/SigningJobDestinationS3:SigningJobDestinationS3": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. 
See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" - }, - "matchScope": { + "bucket": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "willReplaceOnChanges": true }, - "oversizeHandling": { + "prefix": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "bucket" ] }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern": { + "aws:signer/SigningJobRevocationRecord:SigningJobRevocationRecord": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll" + "reason": { + "type": "string" }, - "includedPaths": { + "revokedAt": { + "type": "string" + }, + "revokedBy": { + "type": "string" + } + }, + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "reason", + "revokedAt", + "revokedBy" + ] + } + } + }, + "aws:signer/SigningJobSignedObject:SigningJobSignedObject": { + "properties": { + "s3s": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:signer/SigningJobSignedObjectS3:SigningJobSignedObjectS3" } } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "s3s" + ] + } + } }, - 
"aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod": { - "type": "object" + "aws:signer/SigningJobSignedObjectS3:SigningJobSignedObjectS3": { + "properties": { + "bucket": { + "type": "string" + }, + "key": { + "type": "string" + } + }, + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "bucket", + "key" + ] + } + } }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString": { - "type": "object" + "aws:signer/SigningJobSource:SigningJobSource": { + "properties": { + "s3": { + "$ref": "#/types/aws:signer/SigningJobSourceS3:SigningJobSourceS3", + "description": "A configuration block describing the S3 Source object: See S3 Source below for details.\n", + "willReplaceOnChanges": true + } + }, + "type": "object", + "required": [ + "s3" + ] }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader": { + "aws:signer/SigningJobSourceS3:SigningJobSourceS3": { "properties": { - "name": { + "bucket": { "type": "string", - "description": "The name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "willReplaceOnChanges": true + }, + "key": { + "type": "string", + "willReplaceOnChanges": true + }, + "version": { + "type": "string", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "name" + "bucket", + "key", + "version" ] }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument": { + "aws:signer/SigningProfileRevocationRecord:SigningProfileRevocationRecord": { "properties": { - "name": { + "revocationEffectiveFrom": { "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The time when revocation becomes effective.\n" + }, + "revokedAt": { + "type": "string", + "description": "The time when the signing profile was revoked.\n" + }, + "revokedBy": { + "type": "string", + "description": "The identity of the revoker.\n" + } + }, + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "revocationEffectiveFrom", + "revokedAt", + "revokedBy" + ] + } + } + }, + "aws:signer/SigningProfileSignatureValidityPeriod:SigningProfileSignatureValidityPeriod": { + "properties": { + "type": { + "type": "string", + "description": "The time unit for signature validity. 
Valid values: `DAYS`, `MONTHS`, `YEARS`.\n", + "willReplaceOnChanges": true + }, + "value": { + "type": "integer", + "description": "The numerical value of the time unit for signature validity.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "name" + "type", + "value" ] }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath:RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatementTextTransformation:RuleGroupRuleStatementRegexPatternSetReferenceStatementTextTransformation": { + "aws:signer/SigningProfileSigningMaterial:SigningProfileSigningMaterial": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { + "certificateArn": { "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The Amazon Resource Name (ARN) of the certificates that is used to sign your code.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "priority", - "type" + "certificateArn" ] }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatement:RuleGroupRuleStatementSizeConstraintStatement": { + "aws:signer/getSigningJobRevocationRecord:getSigningJobRevocationRecord": { "properties": { - "comparisonOperator": { - "type": "string", - "description": "The operator to use to compare the request part to the size setting. 
Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.\n" - }, - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatch:RuleGroupRuleStatementSizeConstraintStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" + "reason": { + "type": "string" }, - "size": { - "type": "integer", - "description": "The size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive.\n" + "revokedAt": { + "type": "string" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementTextTransformation:RuleGroupRuleStatementSizeConstraintStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "revokedBy": { + "type": "string" } }, "type": "object", "required": [ - "comparisonOperator", - "size", - "textTransformations" - ] + "reason", + "revokedAt", + "revokedBy" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatch:RuleGroupRuleStatementSizeConstraintStatementFieldToMatch": { + "aws:signer/getSigningJobSignedObject:getSigningJobSignedObject": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchBody:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchBody", - "description": "Inspect the request 
body, which immediately follows the request headers.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookies:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See Cookies below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. See Header Order below for details.\n" - }, - "headers": { + "s3s": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeader:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See Headers below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBody:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See JSON Body for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchMethod:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchQueryString:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchQueryString", - "description": "Inspect the query string. 
This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleHeader:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See Single Header below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See Single Query Argument below for details.\n" - }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchUriPath:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "$ref": "#/types/aws:signer/getSigningJobSignedObjectS3:getSigningJobSignedObjectS3" + } } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchBody:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchBody": { - "properties": { - "oversizeHandling": { - "type": "string" + "type": "object", + "required": [ + "s3s" + ], + "language": { + "nodejs": { + "requiredInputs": [] } - }, - "type": "object" + } }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookies:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookies": { + "aws:signer/getSigningJobSignedObjectS3:getSigningJobSignedObjectS3": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": 
"#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "bucket": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "key": { + "type": "string" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" - ] + "bucket", + "key" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern": { + "aws:signer/getSigningJobSource:getSigningJobSource": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } - }, - "includedCookies": { + "s3s": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:signer/getSigningJobSourceS3:getSigningJobSourceS3" } } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "s3s" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeader:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeader": { + "aws:signer/getSigningJobSourceS3:getSigningJobSourceS3": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. 
The `match_pattern` block supports only one of the following arguments:\n" + "bucket": { + "type": "string" }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "key": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "version": { + "type": "string" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" - ] + "bucket", + "key", + "version" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern": { + "aws:signer/getSigningProfileRevocationRecord:getSigningProfileRevocationRecord": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" + "revocationEffectiveFrom": { + "type": "string" }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "revokedAt": { + "type": "string" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - 
"description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" - } - }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "revokedBy": { + "type": "string" } }, "type": "object", "required": [ - "oversizeHandling" - ] + "revocationEffectiveFrom", + "revokedAt", + "revokedBy" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint": { + "aws:signer/getSigningProfileSignatureValidityPeriod:getSigningProfileSignatureValidityPeriod": { "properties": { - "fallbackBehavior": { + "type": { "type": "string" + }, + "value": { + "type": "integer" } }, "type": "object", "required": [ - "fallbackBehavior" - ] + "type", + "value" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBody:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBody": { + "aws:ssm/AssociationOutputLocation:AssociationOutputLocation": { "properties": { - "invalidFallbackBehavior": { + "s3BucketName": { "type": "string", 
- "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "description": "The S3 bucket name.\n" }, - "matchScope": { + "s3KeyPrefix": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "The S3 bucket prefix. Results stored in the root if not configured.\n" }, - "oversizeHandling": { + "s3Region": { "type": "string", - "description": "What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "The S3 bucket region.\n\nTargets specify what instance IDs or tags to apply the document to and has these keys:\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "s3BucketName" ] }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern": { + "aws:ssm/AssociationTarget:AssociationTarget": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll" + "key": { + "type": "string", + "description": "Either `InstanceIds` or `tag:Tag Name` to specify an EC2 tag.\n" }, - "includedPaths": { + "values": { "type": "array", "items": { "type": "string" - } + }, + "description": "A list of instance IDs or tag values. AWS currently limits this list size to one value.\n" } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchMethod:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchQueryString:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchQueryString": { - "type": "object" + "type": "object", + "required": [ + "key", + "values" + ] }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleHeader:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleHeader": { + "aws:ssm/ContactsRotationRecurrence:ContactsRotationRecurrence": { "properties": { - "name": { - "type": "string", - "description": "The name of the 
query header to inspect. This setting must be provided as lower case characters.\n" + "dailySettings": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceDailySetting:ContactsRotationRecurrenceDailySetting" + } + }, + "monthlySettings": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceMonthlySetting:ContactsRotationRecurrenceMonthlySetting" + }, + "description": "(Optional) Information about on-call rotations that recur monthly. See Monthly Settings for more details.\n" + }, + "numberOfOnCalls": { + "type": "integer", + "description": "(Required) The number of contacts, or shift team members designated to be on call concurrently during a shift.\n" + }, + "recurrenceMultiplier": { + "type": "integer", + "description": "(Required) The number of days, weeks, or months a single rotation lasts.\n" + }, + "shiftCoverages": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceShiftCoverage:ContactsRotationRecurrenceShiftCoverage" + }, + "description": "(Optional) Information about the days of the week that the on-call rotation coverage includes. See Shift Coverages for more details.\n" + }, + "weeklySettings": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceWeeklySetting:ContactsRotationRecurrenceWeeklySetting" + }, + "description": "(Optional) Information about on-call rotations that recur weekly. See Weekly Settings for more details.\n" } }, "type": "object", "required": [ - "name" + "numberOfOnCalls", + "recurrenceMultiplier" ] }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument": { + "aws:ssm/ContactsRotationRecurrenceDailySetting:ContactsRotationRecurrenceDailySetting": { "properties": { - "name": { - "type": "string", - "description": "The name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "hourOfDay": { + "type": "integer", + "description": "(Required) The hour of the day.\n" + }, + "minuteOfHour": { + "type": "integer", + "description": "(Required) The minutes of the hour.\n" } }, "type": "object", "required": [ - "name" + "hourOfDay", + "minuteOfHour" ] }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementFieldToMatchUriPath:RuleGroupRuleStatementSizeConstraintStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatementTextTransformation:RuleGroupRuleStatementSizeConstraintStatementTextTransformation": { + "aws:ssm/ContactsRotationRecurrenceMonthlySetting:ContactsRotationRecurrenceMonthlySetting": { "properties": { - "priority": { + "dayOfMonth": { "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "description": "(Required) The day of the month when monthly recurring on-call rotations begin.\n" }, - "type": { - "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "handOffTime": { + "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceMonthlySettingHandOffTime:ContactsRotationRecurrenceMonthlySettingHandOffTime", + "description": "(Required) The hand off time. 
See Hand Off Time for more details.\n" } }, "type": "object", "required": [ - "priority", - "type" + "dayOfMonth" ] }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatement:RuleGroupRuleStatementSqliMatchStatement": { + "aws:ssm/ContactsRotationRecurrenceMonthlySettingHandOffTime:ContactsRotationRecurrenceMonthlySettingHandOffTime": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatch:RuleGroupRuleStatementSqliMatchStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" + "hourOfDay": { + "type": "integer", + "description": "(Required) The hour of the day.\n" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementTextTransformation:RuleGroupRuleStatementSqliMatchStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "minuteOfHour": { + "type": "integer", + "description": "(Required) The minutes of the hour.\n" } }, "type": "object", "required": [ - "textTransformations" + "hourOfDay", + "minuteOfHour" ] }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatch:RuleGroupRuleStatementSqliMatchStatementFieldToMatch": { + "aws:ssm/ContactsRotationRecurrenceShiftCoverage:ContactsRotationRecurrenceShiftCoverage": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchBody:RuleGroupRuleStatementSqliMatchStatementFieldToMatchBody", - 
"description": "Inspect the request body, which immediately follows the request headers.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookies:RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See Cookies below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. See Header Order below for details.\n" - }, - "headers": { + "coverageTimes": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeader:RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeader" + "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTime:ContactsRotationRecurrenceShiftCoverageCoverageTime" }, - "description": "Inspect the request headers. See Headers below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See JSON Body for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchMethod:RuleGroupRuleStatementSqliMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementSqliMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See Single Header below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See Single Query Argument below for details.\n" + "description": "(Required) Information about when an on-call shift begins and ends. See Coverage Times for more details.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementSqliMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "mapBlockKey": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "required": [ + "mapBlockKey" + ] }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchBody:RuleGroupRuleStatementSqliMatchStatementFieldToMatchBody": { + "aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTime:ContactsRotationRecurrenceShiftCoverageCoverageTime": { "properties": { - "oversizeHandling": { - "type": "string" + "end": { + "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd:ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd", + "description": "(Required) The end time of the on-call shift. See Hand Off Time for more details.\n" + }, + "start": { + "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTimeStart:ContactsRotationRecurrenceShiftCoverageCoverageTimeStart", + "description": "(Required) The start time of the on-call shift. See Hand Off Time for more details.\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookies:RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookies": { + "aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd:ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "hourOfDay": { + "type": "integer", + "description": "(Required) The hour of the day.\n" }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "minuteOfHour": { + "type": "integer", + "description": "(Required) The minutes of the hour.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "hourOfDay", + "minuteOfHour" ] }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:ssm/ContactsRotationRecurrenceShiftCoverageCoverageTimeStart:ContactsRotationRecurrenceShiftCoverageCoverageTimeStart": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "hourOfDay": { + "type": "integer", + "description": "(Required) The hour of the day.\n" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "minuteOfHour": { + "type": "integer", + "description": "(Required) The minutes of the hour.\n" } }, - "type": "object" - }, - 
"aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "hourOfDay", + "minuteOfHour" + ] }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeader:RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeader": { + "aws:ssm/ContactsRotationRecurrenceWeeklySetting:ContactsRotationRecurrenceWeeklySetting": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { + "dayOfWeek": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "(Required) The day of the week when the shift coverage occurs.\n" }, - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "handOffTime": { + "$ref": "#/types/aws:ssm/ContactsRotationRecurrenceWeeklySettingHandOffTime:ContactsRotationRecurrenceWeeklySettingHandOffTime", + "description": "(Required) The hand off time. 
See Hand Off Time for more details.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "dayOfWeek" ] }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:ssm/ContactsRotationRecurrenceWeeklySettingHandOffTime:ContactsRotationRecurrenceWeeklySettingHandOffTime": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "hourOfDay": { + "type": "integer", + "description": "(Required) The hour of the day.\n" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" - } - }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "minuteOfHour": { + "type": "integer", + "description": "(Required) The minutes of the hour.\n" } }, "type": "object", "required": [ - "oversizeHandling" + "hourOfDay", + "minuteOfHour" ] }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint": { + "aws:ssm/DocumentAttachmentsSource:DocumentAttachmentsSource": { "properties": { - "fallbackBehavior": { - "type": "string" + "key": { + "type": "string", + "description": "The key of a key-value pair that identifies the location of an attachment to the document. Valid values: `SourceUrl`, `S3FileUrl`, `AttachmentReference`.\n" + }, + "name": { + "type": "string", + "description": "The name of the document attachment file.\n" + }, + "values": { + "type": "array", + "items": { + "type": "string" + }, + "description": "The value of a key-value pair that identifies the location of an attachment to the document. The argument format is a list of a single string that depends on the type of key you specify - see the [API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_AttachmentsSource.html) for details.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "key", + "values" ] }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBody": { + "aws:ssm/DocumentParameter:DocumentParameter": { "properties": { - "invalidFallbackBehavior": { + "defaultValue": { "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" + "description": "If specified, the default values for the parameters. Parameters without a default value are required. 
Parameters with a default value are optional.\n" }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "description": { + "type": "string", + "description": "A description of what the parameter does, how to use it, the default value, and whether or not the parameter is optional.\n" }, - "matchScope": { + "name": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "The name of the document.\n" }, - "oversizeHandling": { + "type": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "The type of parameter. 
Valid values: `String`, `StringList`.\n" } }, "type": "object", - "required": [ - "matchPattern", - "matchScope" - ] + "language": { + "nodejs": { + "requiredOutputs": [ + "defaultValue", + "description", + "name", + "type" + ] + } + } }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:ssm/MaintenanceWindowTargetTarget:MaintenanceWindowTargetTarget": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "key": { + "type": "string" }, - "includedPaths": { + "values": { "type": "array", "items": { "type": "string" } } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchMethod:RuleGroupRuleStatementSqliMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementSqliMatchStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleHeader": { - "properties": { - "name": { - "type": "string", - "description": "The name of the query header to inspect. 
This setting must be provided as lower case characters.\n" - } - }, "type": "object", "required": [ - "name" + "key", + "values" ] }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument": { + "aws:ssm/MaintenanceWindowTaskTarget:MaintenanceWindowTaskTarget": { "properties": { - "name": { - "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "key": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "type": "string" + } } }, "type": "object", "required": [ - "name" + "key", + "values" ] }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementSqliMatchStatementFieldToMatchUriPath": { + "aws:ssm/MaintenanceWindowTaskTaskInvocationParameters:MaintenanceWindowTaskTaskInvocationParameters": { + "properties": { + "automationParameters": { + "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersAutomationParameters:MaintenanceWindowTaskTaskInvocationParametersAutomationParameters", + "description": "The parameters for an AUTOMATION task type. Documented below.\n" + }, + "lambdaParameters": { + "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersLambdaParameters:MaintenanceWindowTaskTaskInvocationParametersLambdaParameters", + "description": "The parameters for a LAMBDA task type. Documented below.\n" + }, + "runCommandParameters": { + "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters:MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters", + "description": "The parameters for a RUN_COMMAND task type. 
Documented below.\n" + }, + "stepFunctionsParameters": { + "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters:MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters", + "description": "The parameters for a STEP_FUNCTIONS task type. Documented below.\n" + } + }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementSqliMatchStatementTextTransformation:RuleGroupRuleStatementSqliMatchStatementTextTransformation": { + "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersAutomationParameters:MaintenanceWindowTaskTaskInvocationParametersAutomationParameters": { "properties": { - "priority": { - "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { + "documentVersion": { "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The version of an Automation document to use during task execution.\n" + }, + "parameters": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter:MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter" + }, + "description": "The parameters for the RUN_COMMAND task execution. 
Documented below.\n" } }, - "type": "object", - "required": [ - "priority", - "type" - ] + "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatement:RuleGroupRuleStatementXssMatchStatement": { + "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter:MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatch:RuleGroupRuleStatementXssMatchStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" + "name": { + "type": "string", + "description": "The parameter name.\n" }, - "textTransformations": { + "values": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementTextTransformation:RuleGroupRuleStatementXssMatchStatementTextTransformation" + "type": "string" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" + "description": "The array of strings.\n" } }, "type": "object", "required": [ - "textTransformations" + "name", + "values" ] }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatch:RuleGroupRuleStatementXssMatchStatementFieldToMatch": { + "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersLambdaParameters:MaintenanceWindowTaskTaskInvocationParametersLambdaParameters": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementXssMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" + "clientContext": { + "type": "string", + "description": "Pass client-specific information to the Lambda function that you are invoking.\n" }, - "body": 
{ - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchBody:RuleGroupRuleStatementXssMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers.\n" + "payload": { + "type": "string", + "description": "JSON to provide to your Lambda function as input.\n", + "secret": true }, - "cookies": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies:RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See Cookies below for details.\n" + "qualifier": { + "type": "string", + "description": "Specify a Lambda function version or alias name.\n" + } + }, + "type": "object" + }, + "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters:MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters": { + "properties": { + "cloudwatchConfig": { + "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig", + "description": "Configuration options for sending command output to CloudWatch Logs. Documented below.\n" }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect the request headers. See Header Order below for details.\n" + "comment": { + "type": "string", + "description": "Information about the command(s) to execute.\n" }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. 
See Headers below for details.\n" + "documentHash": { + "type": "string", + "description": "The SHA-256 or SHA-1 hash created by the system when the document was created. SHA-1 hashes have been deprecated.\n" }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint" + "documentHashType": { + "type": "string", + "description": "SHA-256 or SHA-1. SHA-1 hashes have been deprecated. Valid values: `Sha256` and `Sha1`\n" }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See JSON Body for details.\n" + "documentVersion": { + "type": "string" }, - "method": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchMethod:RuleGroupRuleStatementXssMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" + "notificationConfig": { + "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig", + "description": "Configurations for sending notifications about command status changes on a per-instance basis. Documented below.\n" }, - "queryString": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementXssMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. 
This is the part of a URL that appears after a `?` character, if any.\n" + "outputS3Bucket": { + "type": "string", + "description": "The name of the Amazon S3 bucket.\n" }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See Single Header below for details.\n" + "outputS3KeyPrefix": { + "type": "string", + "description": "The Amazon S3 bucket subfolder.\n" }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See Single Query Argument below for details.\n" + "parameters": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter" + }, + "description": "The parameters for the RUN_COMMAND task execution. Documented below.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementXssMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "serviceRoleArn": { + "type": "string", + "description": "The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for maintenance window Run Command tasks.\n" + }, + "timeoutSeconds": { + "type": "integer", + "description": "If this time is reached and the command has not already started executing, it doesn't run.\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchAllQueryArguments:RuleGroupRuleStatementXssMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchBody:RuleGroupRuleStatementXssMatchStatementFieldToMatchBody": { + "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig": { "properties": { - "oversizeHandling": { - "type": "string" + "cloudwatchLogGroupName": { + "type": "string", + "description": "The name of the CloudWatch log group where you want to send command output. If you don't specify a group name, Systems Manager automatically creates a log group for you. 
The log group uses the following naming format: aws/ssm/SystemsManagerDocumentName.\n" + }, + "cloudwatchOutputEnabled": { + "type": "boolean", + "description": "Enables Systems Manager to send command output to CloudWatch Logs.\n" } }, - "type": "object" + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "cloudwatchLogGroupName" + ] + } + } }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies:RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies": { + "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig": { "properties": { - "matchPatterns": { + "notificationArn": { + "type": "string", + "description": "An Amazon Resource Name (ARN) for a Simple Notification Service (SNS) topic. Run Command pushes notifications about command status changes to this topic.\n" + }, + "notificationEvents": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern" + "type": "string" }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "The different events for which you can receive notifications. 
Valid values: `All`, `InProgress`, `Success`, `TimedOut`, `Cancelled`, and `Failed`\n" }, - "oversizeHandling": { + "notificationType": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" + "description": "When specified with `Command`, receive notification when the status of a command changes. When specified with `Invocation`, for commands sent to multiple instances, receive notification on a per-instance basis when the status of a command changes. Valid values: `Command` and `Invocation`\n" } }, - "type": "object", - "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" - ] + "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter:MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll" + "name": { + "type": "string", + "description": "The parameter name.\n" }, - "excludedCookies": { + "values": { "type": "array", "items": { "type": "string" - } + }, + "description": "The array of strings.\n" + } + }, + "type": "object", + "required": [ + "name", + "values" + ] + }, + "aws:ssm/MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters:MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters": { + "properties": { + "input": { + "type": 
"string", + "description": "The inputs for the STEP_FUNCTION task.\n", + "secret": true }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "name": { + "type": "string", + "description": "The name of the STEP_FUNCTION task.\n" } }, "type": "object" }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll:RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "aws:ssm/ParameterType:ParameterType": { + "type": "string", + "enum": [ + { + "value": "String" + }, + { + "value": "StringList" + }, + { + "value": "SecureString" + } + ] }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader": { + "aws:ssm/PatchBaselineApprovalRule:PatchBaselineApprovalRule": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" + "approveAfterDays": { + "type": "integer", + "description": "Number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100. Conflicts with `approve_until_date`.\n" }, - "matchScope": { + "approveUntilDate": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "Cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. 
Conflicts with `approve_after_days`\n" }, - "oversizeHandling": { + "complianceLevel": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Compliance level for patches approved by this rule. Valid values are `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, and `UNSPECIFIED`. The default value is `UNSPECIFIED`.\n" + }, + "enableNonSecurity": { + "type": "boolean", + "description": "Boolean enabling the application of non-security updates. The default value is `false`. Valid for Linux instances only.\n" + }, + "patchFilters": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssm/PatchBaselineApprovalRulePatchFilter:PatchBaselineApprovalRulePatchFilter" + }, + "description": "Patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid combinations of these Keys and the `operating_system` value can be found in the [SSM DescribePatchProperties API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribePatchProperties.html). Valid Values are exact values for the patch property given as the key, or a wildcard `*`, which matches all values. 
`PATCH_SET` defaults to `OS` if unspecified\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "patchFilters" ] }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:ssm/PatchBaselineApprovalRulePatchFilter:PatchBaselineApprovalRulePatchFilter": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "key": { + "type": "string" }, - "includedHeaders": { + "values": { "type": "array", "items": { "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + } } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "key", + "values" + ] }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderOrder:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderOrder": { + "aws:ssm/PatchBaselineGlobalFilter:PatchBaselineGlobalFilter": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "key": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "type": "string" + } } }, "type": "object", "required": [ - "oversizeHandling" + "key", + "values" ] }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint": { + "aws:ssm/PatchBaselineSource:PatchBaselineSource": { "properties": { - "fallbackBehavior": { - "type": "string" + "configuration": { + "type": "string", + "description": "Value of the yum repo configuration. For information about other options available for your yum repository configuration, see the [`dnf.conf` documentation](https://man7.org/linux/man-pages/man5/dnf.conf.5.html)\n" + }, + "name": { + "type": "string", + "description": "Name specified to identify the patch source.\n" + }, + "products": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Specific operating system versions a patch repository applies to, such as `\"Ubuntu16.04\"`, `\"AmazonLinux2016.09\"`, `\"RedhatEnterpriseLinux7.2\"` or `\"Suse12.7\"`. For lists of supported product values, see [PatchFilter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchFilter.html).\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "configuration", + "name", + "products" ] }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody": { + "aws:ssm/ResourceDataSyncS3Destination:ResourceDataSyncS3Destination": { "properties": { - "invalidFallbackBehavior": { + "bucketName": { "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. 
Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" + "description": "Name of S3 bucket where the aggregated data is stored.\n", + "willReplaceOnChanges": true }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "kmsKeyArn": { + "type": "string", + "description": "ARN of an encryption key for a destination in Amazon S3.\n", + "willReplaceOnChanges": true }, - "matchScope": { + "prefix": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "Prefix for the bucket.\n", + "willReplaceOnChanges": true }, - "oversizeHandling": { + "region": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "Region with the bucket targeted by the Resource Data Sync.\n", + "willReplaceOnChanges": true + }, + "syncFormat": { + "type": "string", + "description": "A supported sync format. Only JsonSerDe is currently supported. 
Defaults to JsonSerDe.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "bucketName", + "region" ] }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:ssm/getContactsRotationRecurrence:getContactsRotationRecurrence": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "dailySettings": { + "type": "array", + "items": { + "$ref": "pulumi.json#/Any" + } + }, + "monthlySettings": { + "type": "array", + "items": { + "$ref": "pulumi.json#/Any" + } + }, + "numberOfOnCalls": { + "type": "integer" + }, + "recurrenceMultiplier": { + "type": "integer" }, - "includedPaths": { + "shiftCoverages": { "type": "array", "items": { - "type": "string" + "$ref": "pulumi.json#/Any" + } + }, + "weeklySettings": { + "type": "array", + "items": { + "$ref": "pulumi.json#/Any" } } }, - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll:RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchMethod:RuleGroupRuleStatementXssMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchQueryString:RuleGroupRuleStatementXssMatchStatementFieldToMatchQueryString": { - "type": "object" + "type": "object", + "required": [ + "dailySettings", + "monthlySettings", + "numberOfOnCalls", + "recurrenceMultiplier", + "shiftCoverages", + "weeklySettings" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - 
"aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader": { + "aws:ssm/getInstancesFilter:getInstancesFilter": { "properties": { "name": { "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "Name of the filter field. Valid values can be found in the [SSM InstanceInformationStringFilter API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_InstanceInformationStringFilter.html).\n" + }, + "values": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Set of values that are accepted for the given filter field. Results will be selected if any given value matches.\n" } }, "type": "object", "required": [ - "name" + "name", + "values" ] }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument:RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument": { + "aws:ssm/getMaintenanceWindowsFilter:getMaintenanceWindowsFilter": { "properties": { "name": { "type": "string", - "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "Name of the filter field. Valid values can be found in the [SSM DescribeMaintenanceWindows API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeMaintenanceWindows.html#API_DescribeMaintenanceWindows_RequestSyntax).\n" + }, + "values": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Set of values that are accepted for the given filter field. 
Results will be selected if any given value matches.\n" } }, "type": "object", "required": [ - "name" + "name", + "values" ] }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchUriPath:RuleGroupRuleStatementXssMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/RuleGroupRuleStatementXssMatchStatementTextTransformation:RuleGroupRuleStatementXssMatchStatementTextTransformation": { + "aws:ssm/getPatchBaselineApprovalRule:getPatchBaselineApprovalRule": { "properties": { - "priority": { + "approveAfterDays": { "type": "integer", - "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "description": "Number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline.\n" }, - "type": { + "approveUntilDate": { "type": "string", - "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" - } - }, - "type": "object", - "required": [ - "priority", - "type" - ] - }, - "aws:wafv2/RuleGroupRuleVisibilityConfig:RuleGroupRuleVisibilityConfig": { - "properties": { - "cloudwatchMetricsEnabled": { - "type": "boolean", - "description": "A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics).\n" + "description": "Cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. 
Conflicts with `approve_after_days`\n" }, - "metricName": { + "complianceLevel": { "type": "string", - "description": "A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`.\n" + "description": "Compliance level for patches approved by this rule.\n" }, - "sampledRequestsEnabled": { + "enableNonSecurity": { "type": "boolean", - "description": "A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console.\n" + "description": "Boolean enabling the application of non-security updates.\n" + }, + "patchFilters": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssm/getPatchBaselineApprovalRulePatchFilter:getPatchBaselineApprovalRulePatchFilter" + }, + "description": "Patch filter group that defines the criteria for the rule.\n" } }, "type": "object", "required": [ - "cloudwatchMetricsEnabled", - "metricName", - "sampledRequestsEnabled" - ] + "approveAfterDays", + "approveUntilDate", + "complianceLevel", + "enableNonSecurity", + "patchFilters" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/RuleGroupVisibilityConfig:RuleGroupVisibilityConfig": { + "aws:ssm/getPatchBaselineApprovalRulePatchFilter:getPatchBaselineApprovalRulePatchFilter": { "properties": { - "cloudwatchMetricsEnabled": { - "type": "boolean", - "description": "A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics).\n" - }, - "metricName": { + "key": { "type": "string", - "description": "A friendly name of the CloudWatch metric. 
The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`.\n" + "description": "Key for the filter.\n" }, - "sampledRequestsEnabled": { - "type": "boolean", - "description": "A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console.\n" + "values": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Value for the filter.\n" } }, "type": "object", "required": [ - "cloudwatchMetricsEnabled", - "metricName", - "sampledRequestsEnabled" - ] + "key", + "values" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclAssociationConfig:WebAclAssociationConfig": { + "aws:ssm/getPatchBaselineGlobalFilter:getPatchBaselineGlobalFilter": { "properties": { - "requestBodies": { + "key": { + "type": "string", + "description": "Key for the filter.\n" + }, + "values": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBody:WebAclAssociationConfigRequestBody" + "type": "string" }, - "description": "Customizes the request body that your protected resource forward to AWS WAF for inspection. 
See `request_body` below for details.\n" + "description": "Value for the filter.\n" } }, - "type": "object" + "type": "object", + "required": [ + "key", + "values" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclAssociationConfigRequestBody:WebAclAssociationConfigRequestBody": { + "aws:ssm/getPatchBaselineSource:getPatchBaselineSource": { "properties": { - "apiGateways": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBodyApiGateway:WebAclAssociationConfigRequestBodyApiGateway" - }, - "description": "Customizes the request body that your protected Amazon API Gateway REST APIs forward to AWS WAF for inspection. Applicable only when `scope` is set to `CLOUDFRONT`. See `api_gateway` below for details.\n" - }, - "appRunnerServices": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBodyAppRunnerService:WebAclAssociationConfigRequestBodyAppRunnerService" - }, - "description": "Customizes the request body that your protected Amazon App Runner services forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `app_runner_service` below for details.\n" - }, - "cloudfronts": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBodyCloudfront:WebAclAssociationConfigRequestBodyCloudfront" - }, - "description": "Customizes the request body that your protected Amazon CloudFront distributions forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. 
See `cloudfront` below for details.\n" + "configuration": { + "type": "string", + "description": "Value of the yum repo configuration.\n" }, - "cognitoUserPools": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBodyCognitoUserPool:WebAclAssociationConfigRequestBodyCognitoUserPool" - }, - "description": "Customizes the request body that your protected Amazon Cognito user pools forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `cognito_user_pool` below for details.\n" + "name": { + "type": "string", + "description": "Name specified to identify the patch source.\n" }, - "verifiedAccessInstances": { + "products": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBodyVerifiedAccessInstance:WebAclAssociationConfigRequestBodyVerifiedAccessInstance" + "type": "string" }, - "description": "Customizes the request body that your protected AWS Verfied Access instances forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `verified_access_instance` below for details.\n" + "description": "Specific operating system versions a patch repository applies to.\n" } }, - "type": "object" + "type": "object", + "required": [ + "configuration", + "name", + "products" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclAssociationConfigRequestBodyApiGateway:WebAclAssociationConfigRequestBodyApiGateway": { + "aws:ssmcontacts/ContactChannelDeliveryAddress:ContactChannelDeliveryAddress": { "properties": { - "defaultSizeInspectionLimit": { + "simpleAddress": { "type": "string", - "description": "Specifies the maximum size of the web request body component that an associated Amazon API Gateway REST APIs should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. 
Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.\n" + "description": "Details to engage this contact channel. The expected format depends on the contact channel type and is described in the [`ContactChannelAddress` section of the SSM Contacts API Reference](https://docs.aws.amazon.com/incident-manager/latest/APIReference/API_SSMContacts_ContactChannelAddress.html).\n" } }, "type": "object", "required": [ - "defaultSizeInspectionLimit" + "simpleAddress" ] }, - "aws:wafv2/WebAclAssociationConfigRequestBodyAppRunnerService:WebAclAssociationConfigRequestBodyAppRunnerService": { + "aws:ssmcontacts/PlanStage:PlanStage": { "properties": { - "defaultSizeInspectionLimit": { - "type": "string", - "description": "Specifies the maximum size of the web request body component that an associated Amazon App Runner services should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.\n" + "durationInMinutes": { + "type": "integer", + "description": "The time to wait until beginning the next stage. The duration can only be set to 0 if a target is specified.\n" + }, + "targets": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssmcontacts/PlanStageTarget:PlanStageTarget" + }, + "description": "One or more configuration blocks for specifying the contacts or contact methods that the escalation plan or engagement plan is engaging. See Target below for more details.\n" } }, "type": "object", "required": [ - "defaultSizeInspectionLimit" + "durationInMinutes" ] }, - "aws:wafv2/WebAclAssociationConfigRequestBodyCloudfront:WebAclAssociationConfigRequestBodyCloudfront": { + "aws:ssmcontacts/PlanStageTarget:PlanStageTarget": { "properties": { - "defaultSizeInspectionLimit": { - "type": "string", - "description": "Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to AWS WAF for inspection. 
This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.\n" + "channelTargetInfo": { + "$ref": "#/types/aws:ssmcontacts/PlanStageTargetChannelTargetInfo:PlanStageTargetChannelTargetInfo", + "description": "A configuration block for specifying information about the contact channel that Incident Manager engages. See Channel Target Info for more details.\n" + }, + "contactTargetInfo": { + "$ref": "#/types/aws:ssmcontacts/PlanStageTargetContactTargetInfo:PlanStageTargetContactTargetInfo", + "description": "A configuration block for specifying information about the contact that Incident Manager engages. See Contact Target Info for more details.\n" } }, - "type": "object", - "required": [ - "defaultSizeInspectionLimit" - ] + "type": "object" }, - "aws:wafv2/WebAclAssociationConfigRequestBodyCognitoUserPool:WebAclAssociationConfigRequestBodyCognitoUserPool": { + "aws:ssmcontacts/PlanStageTargetChannelTargetInfo:PlanStageTargetChannelTargetInfo": { "properties": { - "defaultSizeInspectionLimit": { + "contactChannelId": { "type": "string", - "description": "Specifies the maximum size of the web request body component that an associated Amazon Cognito user pools should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. 
Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.\n" + "description": "The Amazon Resource Name (ARN) of the contact channel.\n" + }, + "retryIntervalInMinutes": { + "type": "integer", + "description": "The number of minutes to wait before retrying to send engagement if the engagement initially failed.\n" } }, "type": "object", "required": [ - "defaultSizeInspectionLimit" + "contactChannelId" ] }, - "aws:wafv2/WebAclAssociationConfigRequestBodyVerifiedAccessInstance:WebAclAssociationConfigRequestBodyVerifiedAccessInstance": { + "aws:ssmcontacts/PlanStageTargetContactTargetInfo:PlanStageTargetContactTargetInfo": { "properties": { - "defaultSizeInspectionLimit": { + "contactId": { "type": "string", - "description": "Specifies the maximum size of the web request body component that an associated AWS Verified Access instances should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.\n" + "description": "The Amazon Resource Name (ARN) of the contact.\n" + }, + "isEssential": { + "type": "boolean", + "description": "A Boolean value determining if the contact's acknowledgement stops the progress of stages in the plan.\n" } }, "type": "object", "required": [ - "defaultSizeInspectionLimit" + "isEssential" ] }, - "aws:wafv2/WebAclCaptchaConfig:WebAclCaptchaConfig": { + "aws:ssmcontacts/getContactChannelDeliveryAddress:getContactChannelDeliveryAddress": { "properties": { - "immunityTimeProperty": { - "$ref": "#/types/aws:wafv2/WebAclCaptchaConfigImmunityTimeProperty:WebAclCaptchaConfigImmunityTimeProperty", - "description": "Defines custom immunity time. 
See `immunity_time_property` below for details.\n" + "simpleAddress": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/WebAclCaptchaConfigImmunityTimeProperty:WebAclCaptchaConfigImmunityTimeProperty": { - "properties": { - "immunityTime": { - "type": "integer", - "description": "The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.\n" + "type": "object", + "required": [ + "simpleAddress" + ], + "language": { + "nodejs": { + "requiredInputs": [] } - }, - "type": "object" + } }, - "aws:wafv2/WebAclChallengeConfig:WebAclChallengeConfig": { + "aws:ssmcontacts/getPlanStage:getPlanStage": { "properties": { - "immunityTimeProperty": { - "$ref": "#/types/aws:wafv2/WebAclChallengeConfigImmunityTimeProperty:WebAclChallengeConfigImmunityTimeProperty", - "description": "Defines custom immunity time. See `immunity_time_property` below for details.\n" + "durationInMinutes": { + "type": "integer" + }, + "targets": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssmcontacts/getPlanStageTarget:getPlanStageTarget" + } } }, - "type": "object" - }, - "aws:wafv2/WebAclChallengeConfigImmunityTimeProperty:WebAclChallengeConfigImmunityTimeProperty": { - "properties": { - "immunityTime": { - "type": "integer", - "description": "The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.\n" + "type": "object", + "required": [ + "durationInMinutes", + "targets" + ], + "language": { + "nodejs": { + "requiredInputs": [] } - }, - "type": "object" + } }, - "aws:wafv2/WebAclCustomResponseBody:WebAclCustomResponseBody": { + "aws:ssmcontacts/getPlanStageTarget:getPlanStageTarget": { "properties": { - "content": { - "type": "string", - "description": "Payload of the custom response.\n" - }, - "contentType": { - "type": "string", - "description": "Type of content in the payload that you are defining in the `content` argument. 
Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`.\n" + "channelTargetInfos": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssmcontacts/getPlanStageTargetChannelTargetInfo:getPlanStageTargetChannelTargetInfo" + } }, - "key": { - "type": "string", - "description": "Unique key identifying the custom response body. This is referenced by the `custom_response_body_key` argument in the `custom_response` block.\n" + "contactTargetInfos": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssmcontacts/getPlanStageTargetContactTargetInfo:getPlanStageTargetContactTargetInfo" + } } }, "type": "object", "required": [ - "content", - "contentType", - "key" - ] + "channelTargetInfos", + "contactTargetInfos" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclDefaultAction:WebAclDefaultAction": { + "aws:ssmcontacts/getPlanStageTargetChannelTargetInfo:getPlanStageTargetChannelTargetInfo": { "properties": { - "allow": { - "$ref": "#/types/aws:wafv2/WebAclDefaultActionAllow:WebAclDefaultActionAllow", - "description": "Specifies that AWS WAF should allow requests by default. See `allow` below for details.\n" + "contactChannelId": { + "type": "string" }, - "block": { - "$ref": "#/types/aws:wafv2/WebAclDefaultActionBlock:WebAclDefaultActionBlock", - "description": "Specifies that AWS WAF should block requests by default. See `block` below for details.\n" + "retryIntervalInMinutes": { + "type": "integer" } }, - "type": "object" - }, - "aws:wafv2/WebAclDefaultActionAllow:WebAclDefaultActionAllow": { - "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclDefaultActionAllowCustomRequestHandling:WebAclDefaultActionAllowCustomRequestHandling", - "description": "Defines custom handling for the web request. 
See `custom_request_handling` below for details.\n" + "type": "object", + "required": [ + "contactChannelId", + "retryIntervalInMinutes" + ], + "language": { + "nodejs": { + "requiredInputs": [] } - }, - "type": "object" + } }, - "aws:wafv2/WebAclDefaultActionAllowCustomRequestHandling:WebAclDefaultActionAllowCustomRequestHandling": { + "aws:ssmcontacts/getPlanStageTargetContactTargetInfo:getPlanStageTargetContactTargetInfo": { "properties": { - "insertHeaders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclDefaultActionAllowCustomRequestHandlingInsertHeader:WebAclDefaultActionAllowCustomRequestHandlingInsertHeader" - }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" + "contactId": { + "type": "string", + "description": "The Amazon Resource Name (ARN) of the contact or escalation plan.\n" + }, + "isEssential": { + "type": "boolean" } }, "type": "object", "required": [ - "insertHeaders" - ] + "contactId", + "isEssential" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclDefaultActionAllowCustomRequestHandlingInsertHeader:WebAclDefaultActionAllowCustomRequestHandlingInsertHeader": { + "aws:ssmincidents/ReplicationSetRegion:ReplicationSetRegion": { "properties": { + "kmsKeyArn": { + "type": "string", + "description": "The Amazon Resource name (ARN) of the customer managed key. If omitted, AWS manages the AWS KMS keys for you, using an AWS owned key, as indicated by a default value of `DefaultKey`.\n\nThe following arguments are optional:\n" + }, "name": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. 
For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "The name of the Region, such as `ap-southeast-2`.\n" }, - "value": { + "status": { "type": "string", - "description": "Value of the custom header.\n" + "description": "The current status of the Region.\n* Valid Values: `ACTIVE` | `CREATING` | `UPDATING` | `DELETING` | `FAILED`\n" + }, + "statusMessage": { + "type": "string", + "description": "More information about the status of a Region.\n" } }, "type": "object", "required": [ - "name", - "value" - ] + "name" + ], + "language": { + "nodejs": { + "requiredOutputs": [ + "name", + "status", + "statusMessage" + ] + } + } }, - "aws:wafv2/WebAclDefaultActionBlock:WebAclDefaultActionBlock": { + "aws:ssmincidents/ResponsePlanAction:ResponsePlanAction": { "properties": { - "customResponse": { - "$ref": "#/types/aws:wafv2/WebAclDefaultActionBlockCustomResponse:WebAclDefaultActionBlockCustomResponse", - "description": "Defines a custom response for the web request. See `custom_response` below for details.\n" + "ssmAutomations": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssmincidents/ResponsePlanActionSsmAutomation:ResponsePlanActionSsmAutomation" + } } }, "type": "object" }, - "aws:wafv2/WebAclDefaultActionBlockCustomResponse:WebAclDefaultActionBlockCustomResponse": { + "aws:ssmincidents/ResponsePlanActionSsmAutomation:ResponsePlanActionSsmAutomation": { "properties": { - "customResponseBodyKey": { - "type": "string", - "description": "References the response body that you want AWS WAF to return to the web request client. 
This must reference a `key` defined in a `custom_response_body` block of this resource.\n" + "documentName": { + "type": "string" }, - "responseCode": { - "type": "integer", - "description": "The HTTP status code to return to the client.\n" + "documentVersion": { + "type": "string" }, - "responseHeaders": { + "dynamicParameters": { + "type": "object", + "additionalProperties": { + "type": "string" + } + }, + "parameters": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclDefaultActionBlockCustomResponseResponseHeader:WebAclDefaultActionBlockCustomResponseResponseHeader" - }, - "description": "The `response_header` blocks used to define the HTTP response headers added to the response. See `response_header` below for details.\n" + "$ref": "#/types/aws:ssmincidents/ResponsePlanActionSsmAutomationParameter:ResponsePlanActionSsmAutomationParameter" + } + }, + "roleArn": { + "type": "string" + }, + "targetAccount": { + "type": "string" } }, "type": "object", "required": [ - "responseCode" + "documentName", + "roleArn" ] }, - "aws:wafv2/WebAclDefaultActionBlockCustomResponseResponseHeader:WebAclDefaultActionBlockCustomResponseResponseHeader": { + "aws:ssmincidents/ResponsePlanActionSsmAutomationParameter:ResponsePlanActionSsmAutomationParameter": { "properties": { "name": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. 
For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "The name of the response plan.\n" }, - "value": { - "type": "string", - "description": "Value of the custom header.\n" + "values": { + "type": "array", + "items": { + "type": "string" + } } }, "type": "object", "required": [ "name", - "value" + "values" ] }, - "aws:wafv2/WebAclLoggingConfigurationLoggingFilter:WebAclLoggingConfigurationLoggingFilter": { + "aws:ssmincidents/ResponsePlanIncidentTemplate:ResponsePlanIncidentTemplate": { "properties": { - "defaultBehavior": { + "dedupeString": { "type": "string", - "description": "Default handling for logs that don't match any of the specified filtering conditions. Valid values for `default_behavior` are `KEEP` or `DROP`.\n" + "description": "A string used to stop Incident Manager from creating multiple incident records for the same incident.\n" }, - "filters": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilter:WebAclLoggingConfigurationLoggingFilterFilter" + "impact": { + "type": "integer", + "description": "The impact value of a generated incident. The following values are supported:\n" + }, + "incidentTags": { + "type": "object", + "additionalProperties": { + "type": "string" }, - "description": "Filter(s) that you want to apply to the logs. See Filter below for more details.\n" - } - }, - "type": "object", - "required": [ - "defaultBehavior", - "filters" - ] - }, - "aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilter:WebAclLoggingConfigurationLoggingFilterFilter": { - "properties": { - "behavior": { - "type": "string", - "description": "Parameter that determines how to handle logs that meet the conditions and requirements of the filter. The valid values for `behavior` are `KEEP` or `DROP`.\n" + "description": "The tags assigned to an incident template. 
When an incident starts, Incident Manager assigns the tags specified in the template to the incident.\n" }, - "conditions": { + "notificationTargets": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterCondition:WebAclLoggingConfigurationLoggingFilterFilterCondition" + "$ref": "#/types/aws:ssmincidents/ResponsePlanIncidentTemplateNotificationTarget:ResponsePlanIncidentTemplateNotificationTarget" }, - "description": "Match condition(s) for the filter. See Condition below for more details.\n" + "description": "The Amazon Simple Notification Service (Amazon SNS) targets that this incident notifies when it is updated. The `notification_target` configuration block supports the following argument:\n" }, - "requirement": { + "summary": { "type": "string", - "description": "Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. Valid values for `requirement` are `MEETS_ALL` or `MEETS_ANY`.\n" - } - }, - "type": "object", - "required": [ - "behavior", - "conditions", - "requirement" - ] - }, - "aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterCondition:WebAclLoggingConfigurationLoggingFilterFilterCondition": { - "properties": { - "actionCondition": { - "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition:WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition", - "description": "Configuration for a single action condition. See Action Condition below for more details.\n" + "description": "The summary of an incident.\n" }, - "labelNameCondition": { - "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition:WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition", - "description": "Condition for a single label name. 
See Label Name Condition below for more details.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition:WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition": { - "properties": { - "action": { + "title": { "type": "string", - "description": "Action setting that a log record must contain in order to meet the condition. Valid values for `action` are `ALLOW`, `BLOCK`, and `COUNT`.\n" + "description": "The title of a generated incident.\n" } }, "type": "object", "required": [ - "action" + "impact", + "title" ] }, - "aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition:WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition": { + "aws:ssmincidents/ResponsePlanIncidentTemplateNotificationTarget:ResponsePlanIncidentTemplateNotificationTarget": { "properties": { - "labelName": { + "snsTopicArn": { "type": "string", - "description": "Name of the label that a log record must contain in order to meet the condition. It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. The prefix identifies the rule group or web ACL context of the rule that added the label.\n" + "description": "The ARN of the Amazon SNS topic.\n\nThe following arguments are optional:\n" } }, "type": "object", "required": [ - "labelName" + "snsTopicArn" ] }, - "aws:wafv2/WebAclLoggingConfigurationRedactedField:WebAclLoggingConfigurationRedactedField": { + "aws:ssmincidents/ResponsePlanIntegration:ResponsePlanIntegration": { "properties": { - "method": { - "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationRedactedFieldMethod:WebAclLoggingConfigurationRedactedFieldMethod", - "description": "HTTP method to be redacted. It must be specified as an empty configuration block `{}`. 
The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationRedactedFieldQueryString:WebAclLoggingConfigurationRedactedFieldQueryString", - "description": "Whether to redact the query string. It must be specified as an empty configuration block `{}`. The query string is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationRedactedFieldSingleHeader:WebAclLoggingConfigurationRedactedFieldSingleHeader", - "description": "\"single_header\" refers to the redaction of a single header. For more information, please see the details below under Single Header.\n" - }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationRedactedFieldUriPath:WebAclLoggingConfigurationRedactedFieldUriPath", - "description": "Configuration block that redacts the request URI path. It should be specified as an empty configuration block `{}`. The URI path is the part of a web request that identifies a resource, such as `/images/daily-ad.jpg`.\n" + "pagerduties": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssmincidents/ResponsePlanIntegrationPagerduty:ResponsePlanIntegrationPagerduty" + } } }, "type": "object" }, - "aws:wafv2/WebAclLoggingConfigurationRedactedFieldMethod:WebAclLoggingConfigurationRedactedFieldMethod": { - "type": "object" - }, - "aws:wafv2/WebAclLoggingConfigurationRedactedFieldQueryString:WebAclLoggingConfigurationRedactedFieldQueryString": { - "type": "object" - }, - "aws:wafv2/WebAclLoggingConfigurationRedactedFieldSingleHeader:WebAclLoggingConfigurationRedactedFieldSingleHeader": { + "aws:ssmincidents/ResponsePlanIntegrationPagerduty:ResponsePlanIntegrationPagerduty": { "properties": { "name": { "type": "string", - "description": "Name of the query header to redact. 
This setting must be provided in lowercase characters.\n" + "description": "The name of the response plan.\n" + }, + "secretId": { + "type": "string" + }, + "serviceId": { + "type": "string" } }, "type": "object", "required": [ - "name" + "name", + "secretId", + "serviceId" ] }, - "aws:wafv2/WebAclLoggingConfigurationRedactedFieldUriPath:WebAclLoggingConfigurationRedactedFieldUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRule:WebAclRule": { + "aws:ssmincidents/getReplicationSetRegion:getReplicationSetRegion": { "properties": { - "action": { - "$ref": "#/types/aws:wafv2/WebAclRuleAction:WebAclRuleAction", - "description": "Action that AWS WAF should take on a web request when it matches the rule's statement. This is used only for rules whose **statements do not reference a rule group**. See `action` for details.\n" - }, - "captchaConfig": { - "$ref": "#/types/aws:wafv2/WebAclRuleCaptchaConfig:WebAclRuleCaptchaConfig", - "description": "Specifies how AWS WAF should handle CAPTCHA evaluations. See `captcha_config` below for details.\n" + "kmsKeyArn": { + "type": "string", + "description": "The ARN of the AWS Key Management Service (AWS KMS) encryption key.\n" }, "name": { "type": "string", - "description": "Friendly name of the rule. Note that the provider assumes that rules with names matching this pattern, `^ShieldMitigationRuleGroup_\u003caccount-id\u003e_\u003cweb-acl-guid\u003e_.*`, are AWS-added for [automatic application layer DDoS mitigation activities](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response-rg.html). Such rules will be ignored by the provider unless you explicitly include them in your configuration (for example, by using the AWS CLI to discover their properties and creating matching configuration). 
However, since these rules are owned and managed by AWS, you may get permission errors.\n" - }, - "overrideAction": { - "$ref": "#/types/aws:wafv2/WebAclRuleOverrideAction:WebAclRuleOverrideAction", - "description": "Override action to apply to the rules in a rule group. Used only for rule **statements that reference a rule group**, like `rule_group_reference_statement` and `managed_rule_group_statement`. See `override_action` below for details.\n" - }, - "priority": { - "type": "integer", - "description": "If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. AWS WAF processes rules with lower priority first.\n" - }, - "ruleLabels": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleRuleLabel:WebAclRuleRuleLabel" - }, - "description": "Labels to apply to web requests that match the rule match statement. See `rule_label` below for details.\n" + "description": "The name of the Region.\n" }, - "statement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement", - "description": "The AWS WAF processing statement for the rule, for example `byte_match_statement` or `geo_match_statement`. See `statement` below for details.\n" + "status": { + "type": "string", + "description": "The current status of the Region.\n* Valid Values: `ACTIVE` | `CREATING` | `UPDATING` | `DELETING` | `FAILED`\n" }, - "visibilityConfig": { - "$ref": "#/types/aws:wafv2/WebAclRuleVisibilityConfig:WebAclRuleVisibilityConfig", - "description": "Defines and enables Amazon CloudWatch metrics and web request sample collection. 
See `visibility_config` below for details.\n" + "statusMessage": { + "type": "string", + "description": "More information about the status of a Region.\n" } }, "type": "object", "required": [ + "kmsKeyArn", "name", - "priority", - "statement", - "visibilityConfig" - ] - }, - "aws:wafv2/WebAclRuleAction:WebAclRuleAction": { - "properties": { - "allow": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionAllow:WebAclRuleActionAllow", - "description": "Instructs AWS WAF to allow the web request. See `allow` below for details.\n" - }, - "block": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionBlock:WebAclRuleActionBlock", - "description": "Instructs AWS WAF to block the web request. See `block` below for details.\n" - }, - "captcha": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionCaptcha:WebAclRuleActionCaptcha", - "description": "Instructs AWS WAF to run a Captcha check against the web request. See `captcha` below for details.\n" - }, - "challenge": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionChallenge:WebAclRuleActionChallenge", - "description": "Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See `challenge` below for details.\n" - }, - "count": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionCount:WebAclRuleActionCount", - "description": "Instructs AWS WAF to count the web request and allow it. See `count` below for details.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleActionAllow:WebAclRuleActionAllow": { - "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionAllowCustomRequestHandling:WebAclRuleActionAllowCustomRequestHandling", - "description": "Defines custom handling for the web request. 
See `custom_request_handling` below for details.\n" + "status", + "statusMessage" + ], + "language": { + "nodejs": { + "requiredInputs": [] } - }, - "type": "object" + } }, - "aws:wafv2/WebAclRuleActionAllowCustomRequestHandling:WebAclRuleActionAllowCustomRequestHandling": { + "aws:ssmincidents/getResponsePlanAction:getResponsePlanAction": { "properties": { - "insertHeaders": { + "ssmAutomations": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionAllowCustomRequestHandlingInsertHeader:WebAclRuleActionAllowCustomRequestHandlingInsertHeader" + "$ref": "#/types/aws:ssmincidents/getResponsePlanActionSsmAutomation:getResponsePlanActionSsmAutomation" }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" + "description": "The Systems Manager automation document to start as the runbook at the beginning of the incident. The following values are supported:\n" } }, "type": "object", "required": [ - "insertHeaders" - ] + "ssmAutomations" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleActionAllowCustomRequestHandlingInsertHeader:WebAclRuleActionAllowCustomRequestHandlingInsertHeader": { + "aws:ssmincidents/getResponsePlanActionSsmAutomation:getResponsePlanActionSsmAutomation": { "properties": { - "name": { + "documentName": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. 
For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "The automation document's name.\n" }, - "value": { - "type": "string", - "description": "Value of the custom header.\n" - } - }, - "type": "object", - "required": [ - "name", - "value" - ] - }, - "aws:wafv2/WebAclRuleActionBlock:WebAclRuleActionBlock": { - "properties": { - "customResponse": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionBlockCustomResponse:WebAclRuleActionBlockCustomResponse", - "description": "Defines a custom response for the web request. See `custom_response` below for details.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleActionBlockCustomResponse:WebAclRuleActionBlockCustomResponse": { - "properties": { - "customResponseBodyKey": { + "documentVersion": { "type": "string", - "description": "References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `custom_response_body` block of this resource.\n" + "description": "The version of the automation document to use at runtime.\n" }, - "responseCode": { - "type": "integer", - "description": "The HTTP status code to return to the client.\n" + "dynamicParameters": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "description": "The key-value pair used to resolve dynamic parameter values when processing a Systems Manager Automation runbook.\n" }, - "responseHeaders": { + "parameters": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionBlockCustomResponseResponseHeader:WebAclRuleActionBlockCustomResponseResponseHeader" + "$ref": "#/types/aws:ssmincidents/getResponsePlanActionSsmAutomationParameter:getResponsePlanActionSsmAutomationParameter" }, - "description": "The `response_header` blocks used to define the HTTP response headers added to the response. 
See `response_header` below for details.\n" + "description": "The key-value pair parameters used when the automation document runs. The following values are supported:\n" + }, + "roleArn": { + "type": "string", + "description": "The Amazon Resource Name (ARN) of the role that the automation document assumes when it runs commands.\n" + }, + "targetAccount": { + "type": "string", + "description": "The account that runs the automation document. This can be in either the management account or an application account.\n" } }, "type": "object", "required": [ - "responseCode" - ] + "documentName", + "documentVersion", + "dynamicParameters", + "parameters", + "roleArn", + "targetAccount" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleActionBlockCustomResponseResponseHeader:WebAclRuleActionBlockCustomResponseResponseHeader": { + "aws:ssmincidents/getResponsePlanActionSsmAutomationParameter:getResponsePlanActionSsmAutomationParameter": { "properties": { "name": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. 
For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "The name of the PagerDuty configuration.\n" }, - "value": { - "type": "string", - "description": "Value of the custom header.\n" + "values": { + "type": "array", + "items": { + "type": "string" + }, + "description": "The values for the associated parameter name.\n" } }, "type": "object", "required": [ "name", - "value" - ] - }, - "aws:wafv2/WebAclRuleActionCaptcha:WebAclRuleActionCaptcha": { - "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionCaptchaCustomRequestHandling:WebAclRuleActionCaptchaCustomRequestHandling", - "description": "Defines custom handling for the web request. See `custom_request_handling` below for details.\n" + "values" + ], + "language": { + "nodejs": { + "requiredInputs": [] } - }, - "type": "object" + } }, - "aws:wafv2/WebAclRuleActionCaptchaCustomRequestHandling:WebAclRuleActionCaptchaCustomRequestHandling": { + "aws:ssmincidents/getResponsePlanIncidentTemplate:getResponsePlanIncidentTemplate": { "properties": { - "insertHeaders": { + "dedupeString": { + "type": "string", + "description": "A string used to stop Incident Manager from creating multiple incident records for the same incident.\n" + }, + "impact": { + "type": "integer", + "description": "The impact value of a generated incident. The following values are supported:\n" + }, + "incidentTags": { + "type": "object", + "additionalProperties": { + "type": "string" + }, + "description": "The tags assigned to an incident template. 
When an incident starts, Incident Manager assigns the tags specified in the template to the incident.\n" + }, + "notificationTargets": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader:WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader" + "$ref": "#/types/aws:ssmincidents/getResponsePlanIncidentTemplateNotificationTarget:getResponsePlanIncidentTemplateNotificationTarget" }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" + "description": "The Amazon Simple Notification Service (Amazon SNS) targets that this incident notifies when it is updated. The `notification_target` configuration block supports the following argument:\n" + }, + "summary": { + "type": "string", + "description": "The summary of an incident.\n" + }, + "title": { + "type": "string", + "description": "The title of a generated incident.\n" } }, "type": "object", "required": [ - "insertHeaders" - ] + "dedupeString", + "impact", + "incidentTags", + "notificationTargets", + "summary", + "title" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader:WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader": { + "aws:ssmincidents/getResponsePlanIncidentTemplateNotificationTarget:getResponsePlanIncidentTemplateNotificationTarget": { "properties": { - "name": { - "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. 
For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" - }, - "value": { + "snsTopicArn": { "type": "string", - "description": "Value of the custom header.\n" + "description": "The ARN of the Amazon SNS topic.\n" } }, "type": "object", "required": [ - "name", - "value" - ] - }, - "aws:wafv2/WebAclRuleActionChallenge:WebAclRuleActionChallenge": { - "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionChallengeCustomRequestHandling:WebAclRuleActionChallengeCustomRequestHandling", - "description": "Defines custom handling for the web request. See `custom_request_handling` below for details.\n" + "snsTopicArn" + ], + "language": { + "nodejs": { + "requiredInputs": [] } - }, - "type": "object" + } }, - "aws:wafv2/WebAclRuleActionChallengeCustomRequestHandling:WebAclRuleActionChallengeCustomRequestHandling": { + "aws:ssmincidents/getResponsePlanIntegration:getResponsePlanIntegration": { "properties": { - "insertHeaders": { + "pagerduties": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionChallengeCustomRequestHandlingInsertHeader:WebAclRuleActionChallengeCustomRequestHandlingInsertHeader" + "$ref": "#/types/aws:ssmincidents/getResponsePlanIntegrationPagerduty:getResponsePlanIntegrationPagerduty" }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" + "description": "Details about the PagerDuty configuration for a response plan. 
The following values are supported:\n" } }, "type": "object", "required": [ - "insertHeaders" - ] + "pagerduties" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleActionChallengeCustomRequestHandlingInsertHeader:WebAclRuleActionChallengeCustomRequestHandlingInsertHeader": { + "aws:ssmincidents/getResponsePlanIntegrationPagerduty:getResponsePlanIntegrationPagerduty": { "properties": { "name": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "The name of the PagerDuty configuration.\n" }, - "value": { + "secretId": { "type": "string", - "description": "Value of the custom header.\n" + "description": "The ID of the AWS Secrets Manager secret that stores your PagerDuty key \u0026mdash; either a General Access REST API Key or User Token REST API Key \u0026mdash; and other user credentials.\n" + }, + "serviceId": { + "type": "string", + "description": "The ID of the PagerDuty service that the response plan associates with an incident when it launches.\n" } }, "type": "object", "required": [ "name", - "value" - ] + "secretId", + "serviceId" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleActionCount:WebAclRuleActionCount": { + "aws:ssoadmin/ApplicationPortalOptions:ApplicationPortalOptions": { "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionCountCustomRequestHandling:WebAclRuleActionCountCustomRequestHandling", - "description": "Defines custom handling for the web request. 
See `custom_request_handling` below for details.\n" + "signInOptions": { + "$ref": "#/types/aws:ssoadmin/ApplicationPortalOptionsSignInOptions:ApplicationPortalOptionsSignInOptions", + "description": "Sign-in options for the access portal. See `sign_in_options` below.\n" + }, + "visibility": { + "type": "string", + "description": "Indicates whether this application is visible in the access portal. Valid values are `ENABLED` and `DISABLED`.\n" } }, - "type": "object" + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "visibility" + ] + } + } }, - "aws:wafv2/WebAclRuleActionCountCustomRequestHandling:WebAclRuleActionCountCustomRequestHandling": { + "aws:ssoadmin/ApplicationPortalOptionsSignInOptions:ApplicationPortalOptionsSignInOptions": { "properties": { - "insertHeaders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleActionCountCustomRequestHandlingInsertHeader:WebAclRuleActionCountCustomRequestHandlingInsertHeader" - }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. 
See `insert_header` below for details.\n" + "applicationUrl": { + "type": "string", + "description": "URL that accepts authentication requests for an application.\n" + }, + "origin": { + "type": "string", + "description": "Determines how IAM Identity Center navigates the user to the target application.\nValid values are `APPLICATION` and `IDENTITY_CENTER`.\nIf `APPLICATION` is set, IAM Identity Center redirects the customer to the configured `application_url`.\nIf `IDENTITY_CENTER` is set, IAM Identity Center uses SAML identity-provider initiated authentication to sign the customer directly into a SAML-based application.\n" } }, "type": "object", "required": [ - "insertHeaders" + "origin" ] }, - "aws:wafv2/WebAclRuleActionCountCustomRequestHandlingInsertHeader:WebAclRuleActionCountCustomRequestHandlingInsertHeader": { + "aws:ssoadmin/CustomerManagedPolicyAttachmentCustomerManagedPolicyReference:CustomerManagedPolicyAttachmentCustomerManagedPolicyReference": { "properties": { "name": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "Name of the customer managed IAM Policy to be attached.\n", + "willReplaceOnChanges": true }, - "value": { + "path": { "type": "string", - "description": "Value of the custom header.\n" + "description": "The path to the IAM policy to be attached. The default is `/`. 
See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) for more information.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "name", - "value" + "name" ] }, - "aws:wafv2/WebAclRuleCaptchaConfig:WebAclRuleCaptchaConfig": { + "aws:ssoadmin/InstanceAccessControlAttributesAttribute:InstanceAccessControlAttributesAttribute": { "properties": { - "immunityTimeProperty": { - "$ref": "#/types/aws:wafv2/WebAclRuleCaptchaConfigImmunityTimeProperty:WebAclRuleCaptchaConfigImmunityTimeProperty", - "description": "Defines custom immunity time. See `immunity_time_property` below for details.\n" + "key": { + "type": "string" + }, + "values": { + "type": "array", + "items": { + "$ref": "#/types/aws:ssoadmin/InstanceAccessControlAttributesAttributeValue:InstanceAccessControlAttributesAttributeValue" + } } }, - "type": "object" + "type": "object", + "required": [ + "key", + "values" + ] }, - "aws:wafv2/WebAclRuleCaptchaConfigImmunityTimeProperty:WebAclRuleCaptchaConfigImmunityTimeProperty": { + "aws:ssoadmin/InstanceAccessControlAttributesAttributeValue:InstanceAccessControlAttributesAttributeValue": { "properties": { - "immunityTime": { - "type": "integer", - "description": "The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.\n" + "sources": { + "type": "array", + "items": { + "type": "string" + } } }, - "type": "object" + "type": "object", + "required": [ + "sources" + ] }, - "aws:wafv2/WebAclRuleOverrideAction:WebAclRuleOverrideAction": { + "aws:ssoadmin/PermissionsBoundaryAttachmentPermissionsBoundary:PermissionsBoundaryAttachmentPermissionsBoundary": { "properties": { - "count": { - "$ref": "#/types/aws:wafv2/WebAclRuleOverrideActionCount:WebAclRuleOverrideActionCount", - "description": "Override the rule action setting to count (i.e., only count matches). 
Configured as an empty block `{}`.\n" + "customerManagedPolicyReference": { + "$ref": "#/types/aws:ssoadmin/PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference:PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference", + "description": "Specifies the name and path of a customer managed policy. See below.\n", + "willReplaceOnChanges": true }, - "none": { - "$ref": "#/types/aws:wafv2/WebAclRuleOverrideActionNone:WebAclRuleOverrideActionNone", - "description": "Don't override the rule action setting. Configured as an empty block `{}`.\n" + "managedPolicyArn": { + "type": "string", + "description": "AWS-managed IAM policy ARN to use as the permissions boundary.\n", + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:wafv2/WebAclRuleOverrideActionCount:WebAclRuleOverrideActionCount": { - "type": "object" - }, - "aws:wafv2/WebAclRuleOverrideActionNone:WebAclRuleOverrideActionNone": { - "type": "object" - }, - "aws:wafv2/WebAclRuleRuleLabel:WebAclRuleRuleLabel": { + "aws:ssoadmin/PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference:PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference": { "properties": { "name": { "type": "string", - "description": "Label string.\n" + "description": "Name of the customer managed IAM Policy to be attached.\n", + "willReplaceOnChanges": true + }, + "path": { + "type": "string", + "description": "The path to the IAM policy to be attached. The default is `/`. See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) for more information.\n", + "willReplaceOnChanges": true } }, "type": "object", 
@@ -150556,3690 +140331,3457 @@ "name" ] }, - "aws:wafv2/WebAclRuleStatement:WebAclRuleStatement": { + "aws:ssoadmin/TrustedTokenIssuerTrustedTokenIssuerConfiguration:TrustedTokenIssuerTrustedTokenIssuerConfiguration": { "properties": { - "andStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementAndStatement:WebAclRuleStatementAndStatement", - "description": "Logical rule statement used to combine other rule statements with AND logic. See `and_statement` below for details.\n" - }, - "byteMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatement:WebAclRuleStatementByteMatchStatement", - "description": "Rule statement that defines a string match search for AWS WAF to apply to web requests. See `byte_match_statement` below for details.\n" - }, - "geoMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementGeoMatchStatement:WebAclRuleStatementGeoMatchStatement", - "description": "Rule statement used to identify web requests based on country of origin. See `geo_match_statement` below for details.\n" - }, - "ipSetReferenceStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementIpSetReferenceStatement:WebAclRuleStatementIpSetReferenceStatement", - "description": "Rule statement used to detect web requests coming from particular IP addresses or address ranges. See `ip_set_reference_statement` below for details.\n" - }, - "labelMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementLabelMatchStatement:WebAclRuleStatementLabelMatchStatement", - "description": "Rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See `label_match_statement` below for details.\n" - }, - "managedRuleGroupStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatement:WebAclRuleStatementManagedRuleGroupStatement", - "description": "Rule statement used to run the rules that are defined in a managed rule group. 
This statement can not be nested. See `managed_rule_group_statement` below for details.\n" - }, - "notStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementNotStatement:WebAclRuleStatementNotStatement", - "description": "Logical rule statement used to negate the results of another rule statement. See `not_statement` below for details.\n" - }, - "orStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementOrStatement:WebAclRuleStatementOrStatement", - "description": "Logical rule statement used to combine other rule statements with OR logic. See `or_statement` below for details.\n" - }, - "rateBasedStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatement:WebAclRuleStatementRateBasedStatement", - "description": "Rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See `rate_based_statement` below for details.\n" - }, - "regexMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatement:WebAclRuleStatementRegexMatchStatement", - "description": "Rule statement used to search web request components for a match against a single regular expression. See `regex_match_statement` below for details.\n" - }, - "regexPatternSetReferenceStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatement:WebAclRuleStatementRegexPatternSetReferenceStatement", - "description": "Rule statement used to search web request components for matches with regular expressions. See `regex_pattern_set_reference_statement` below for details.\n" - }, - "ruleGroupReferenceStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatement:WebAclRuleStatementRuleGroupReferenceStatement", - "description": "Rule statement used to run the rules that are defined in an WAFv2 Rule Group. 
See `rule_group_reference_statement` below for details.\n" - }, - "sizeConstraintStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatement:WebAclRuleStatementSizeConstraintStatement", - "description": "Rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (\u003e) or less than (\u003c). See `size_constraint_statement` below for more details.\n" - }, - "sqliMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatement:WebAclRuleStatementSqliMatchStatement", - "description": "An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See `sqli_match_statement` below for details.\n" - }, - "xssMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatement:WebAclRuleStatementXssMatchStatement", - "description": "Rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See `xss_match_statement` below for details.\n" + "oidcJwtConfiguration": { + "$ref": "#/types/aws:ssoadmin/TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration:TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration", + "description": "A block that describes the settings for a trusted token issuer that works with OpenID Connect (OIDC) by using JSON Web Tokens (JWT). See Documented below below.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementAndStatement:WebAclRuleStatementAndStatement": { + "aws:ssoadmin/TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration:TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration": { "properties": { - "statements": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" - }, - "description": "The statements to combine." 
+ "claimAttributePath": { + "type": "string", + "description": "Specifies the path of the source attribute in the JWT from the trusted token issuer.\n" + }, + "identityStoreAttributePath": { + "type": "string", + "description": "Specifies path of the destination attribute in a JWT from IAM Identity Center. The attribute mapped by this JMESPath expression is compared against the attribute mapped by `claim_attribute_path` when a trusted token issuer token is exchanged for an IAM Identity Center token.\n" + }, + "issuerUrl": { + "type": "string", + "description": "Specifies the URL that IAM Identity Center uses for OpenID Discovery. OpenID Discovery is used to obtain the information required to verify the tokens that the trusted token issuer generates.\n" + }, + "jwksRetrievalOption": { + "type": "string", + "description": "The method that the trusted token issuer can use to retrieve the JSON Web Key Set used to verify a JWT. Valid values are `OPEN_ID_DISCOVERY`\n" } }, "type": "object", "required": [ - "statements" + "claimAttributePath", + "identityStoreAttributePath", + "issuerUrl", + "jwksRetrievalOption" ] }, - "aws:wafv2/WebAclRuleStatementByteMatchStatement:WebAclRuleStatementByteMatchStatement": { + "aws:ssoadmin/getApplicationAssignmentsApplicationAssignment:getApplicationAssignmentsApplicationAssignment": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatch:WebAclRuleStatementByteMatchStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" - }, - "positionalConstraint": { + "applicationArn": { "type": "string", - "description": "Area within the portion of a web request that you want AWS WAF to search for `search_string`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information.\n" + "description": "ARN of the application.\n" }, - "searchString": { + "principalId": { "type": "string", - "description": "String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`. The maximum length of the value is 50 bytes.\n" + "description": "An identifier for an object in IAM Identity Center, such as a user or group.\n" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementTextTransformation:WebAclRuleStatementByteMatchStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `text_transformation` below for details.\n" + "principalType": { + "type": "string", + "description": "Entity type for which the assignment will be created. 
Valid values are `USER` or `GROUP`.\n" } }, "type": "object", "required": [ - "positionalConstraint", - "searchString", - "textTransformations" - ] + "applicationArn", + "principalId", + "principalType" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatch:WebAclRuleStatementByteMatchStatementFieldToMatch": { + "aws:ssoadmin/getApplicationPortalOption:getApplicationPortalOption": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementByteMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchBody:WebAclRuleStatementByteMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchCookies:WebAclRuleStatementByteMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementByteMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" - }, - "headers": { + "signInOptions": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchHeader:WebAclRuleStatementByteMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. 
See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchJsonBody:WebAclRuleStatementByteMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchMethod:WebAclRuleStatementByteMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchQueryString:WebAclRuleStatementByteMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementByteMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. 
See `single_query_argument` below for details.\n" + "$ref": "#/types/aws:ssoadmin/getApplicationPortalOptionSignInOption:getApplicationPortalOptionSignInOption" + } }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchUriPath:WebAclRuleStatementByteMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "visibility": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementByteMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "required": [ + "visibility" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchBody:WebAclRuleStatementByteMatchStatementFieldToMatchBody": { + "aws:ssoadmin/getApplicationPortalOptionSignInOption:getApplicationPortalOptionSignInOption": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "applicationUrl": { + "type": "string" + }, + "origin": { + "type": "string" } }, - "type": "object" + "type": "object", + "required": [ + "applicationUrl", + "origin" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchCookies:WebAclRuleStatementByteMatchStatementFieldToMatchCookies": { + "aws:ssoadmin/getApplicationProvidersApplicationProvider:getApplicationProvidersApplicationProvider": { "properties": { - "matchPatterns": { + "applicationProviderArn": { + "type": "string", + "description": "ARN of the application provider.\n" + }, + "displayDatas": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern" + "$ref": "#/types/aws:ssoadmin/getApplicationProvidersApplicationProviderDisplayData:getApplicationProvidersApplicationProviderDisplayData" }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "An object describing how IAM Identity Center represents the application provider in the portal. See `display_data` below.\n" }, - "oversizeHandling": { + "federationProtocol": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. 
AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "Protocol that the application provider uses to perform federation. Valid values are `SAML` and `OAUTH`.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" - ] + "applicationProviderArn", + "federationProtocol" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:ssoadmin/getApplicationProvidersApplicationProviderDisplayData:getApplicationProvidersApplicationProviderDisplayData": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll" + "description": { + "type": "string", + "description": "Description of the application provider.\n" }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "displayName": { + "type": "string", + "description": "Name of the application provider.\n" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "iconUrl": { + "type": "string", + "description": "URL that points to an icon that represents the application provider.\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "description", + "displayName", + "iconUrl" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - 
"aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchHeader:WebAclRuleStatementByteMatchStatementFieldToMatchHeader": { + "aws:ssoadmin/getPrincipalApplicationAssignmentsApplicationAssignment:getPrincipalApplicationAssignmentsApplicationAssignment": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" + "applicationArn": { + "type": "string", + "description": "ARN of the application.\n" }, - "matchScope": { + "principalId": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "An identifier for an object in IAM Identity Center, such as a user or group.\n" }, - "oversizeHandling": { + "principalType": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Entity type for which the assignment will be created. 
Valid values are `USER` or `GROUP`.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" - ] + "applicationArn", + "principalId", + "principalType" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:storagegateway/FileSystemAssociationCacheAttributes:FileSystemAssociationCacheAttributes": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" - }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "cacheStaleTimeoutInSeconds": { + "type": "integer", + "description": "Refreshes a file share's cache by using Time To Live (TTL).\nTTL is the length of time since the last refresh after which access to the directory would cause the file gateway\nto first refresh that directory's contents from the Amazon S3 bucket. Valid Values: `0` or `300` to `2592000` seconds (5 minutes to 30 days). 
Defaults to `0`\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementByteMatchStatementFieldToMatchHeaderOrder": { + "aws:storagegateway/GatewayGatewayNetworkInterface:GatewayGatewayNetworkInterface": { "properties": { - "oversizeHandling": { + "ipv4Address": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "The Internet Protocol version 4 (IPv4) address of the interface.\n" } }, "type": "object", - "required": [ - "oversizeHandling" - ] + "language": { + "nodejs": { + "requiredOutputs": [ + "ipv4Address" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint": { + "aws:storagegateway/GatewayMaintenanceStartTime:GatewayMaintenanceStartTime": { "properties": { - "fallbackBehavior": { + "dayOfMonth": { "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. 
Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "The day of the month component of the maintenance start time represented as an ordinal number from 1 to 28, where 1 represents the first day of the month and 28 represents the last day of the month.\n" + }, + "dayOfWeek": { + "type": "string", + "description": "The day of the week component of the maintenance start time week represented as an ordinal number from 0 to 6, where 0 represents Sunday and 6 Saturday.\n" + }, + "hourOfDay": { + "type": "integer", + "description": "The hour component of the maintenance start time represented as _hh_, where _hh_ is the hour (00 to 23). The hour of the day is in the time zone of the gateway.\n" + }, + "minuteOfHour": { + "type": "integer", + "description": "The minute component of the maintenance start time represented as _mm_, where _mm_ is the minute (00 to 59). The minute of the hour is in the time zone of the gateway.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "hourOfDay" ] }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchJsonBody:WebAclRuleStatementByteMatchStatementFieldToMatchJsonBody": { + "aws:storagegateway/GatewaySmbActiveDirectorySettings:GatewaySmbActiveDirectorySettings": { "properties": { - "invalidFallbackBehavior": { + "activeDirectoryStatus": { + "type": "string" + }, + "domainControllers": { + "type": "array", + "items": { + "type": "string" + }, + "description": "List of IPv4 addresses, NetBIOS names, or host names of your domain server.\nIf you need to specify the port number include it after the colon (“:”). For example, `mydc.mydomain.com:389`.\n" + }, + "domainName": { "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. 
Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" + "description": "The name of the domain that you want the gateway to join.\n" }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "organizationalUnit": { + "type": "string", + "description": "The organizational unit (OU) is a container in an Active Directory that can hold users, groups,\ncomputers, and other OUs and this parameter specifies the OU that the gateway will join within the AD domain.\n" }, - "matchScope": { + "password": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "The password of the user who has permission to add the gateway to the Active Directory domain.\n", + "secret": true }, - "oversizeHandling": { + "timeoutInSeconds": { + "type": "integer", + "description": "Specifies the time in seconds, in which the JoinDomain operation must complete. The default is `20` seconds.\n" + }, + "username": { "type": "string", - "description": "What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "The user name of user who has permission to add the gateway to the Active Directory domain.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" - ] + "domainName", + "password", + "username" + ], + "language": { + "nodejs": { + "requiredOutputs": [ + "activeDirectoryStatus", + "domainName", + "password", + "username" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:storagegateway/NfsFileShareCacheAttributes:NfsFileShareCacheAttributes": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll" - }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "cacheStaleTimeoutInSeconds": { + "type": "integer", + "description": "Refreshes a file share's cache by using Time To Live (TTL).\nTTL is the length of time since the last refresh after which access to the directory would cause the file gateway\nto first refresh that directory's contents from the Amazon S3 bucket. 
Valid Values: 300 to 2,592,000 seconds (5 minutes to 30 days)\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchMethod:WebAclRuleStatementByteMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchQueryString:WebAclRuleStatementByteMatchStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementByteMatchStatementFieldToMatchSingleHeader": { + "aws:storagegateway/NfsFileShareNfsFileShareDefaults:NfsFileShareNfsFileShareDefaults": { "properties": { - "name": { + "directoryMode": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The Unix directory mode in the string form \"nnnn\". Defaults to `\"0777\"`.\n" + }, + "fileMode": { + "type": "string", + "description": "The Unix file mode in the string form \"nnnn\". Defaults to `\"0666\"`.\n" + }, + "groupId": { + "type": "string", + "description": "The default group ID for the file share (unless the files have another group ID specified). Defaults to `65534` (`nfsnobody`). Valid values: `0` through `4294967294`.\n" + }, + "ownerId": { + "type": "string", + "description": "The default owner ID for the file share (unless the files have another owner ID specified). Defaults to `65534` (`nfsnobody`). 
Valid values: `0` through `4294967294`.\n" } }, - "type": "object", - "required": [ - "name" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument": { + "aws:storagegateway/SmbFileShareCacheAttributes:SmbFileShareCacheAttributes": { "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "cacheStaleTimeoutInSeconds": { + "type": "integer", + "description": "Refreshes a file share's cache by using Time To Live (TTL).\nTTL is the length of time since the last refresh after which access to the directory would cause the file gateway\nto first refresh that directory's contents from the Amazon S3 bucket. Valid Values: 300 to 2,592,000 seconds (5 minutes to 30 days)\n" } }, - "type": "object", - "required": [ - "name" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementFieldToMatchUriPath:WebAclRuleStatementByteMatchStatementFieldToMatchUriPath": { + "aws:synthetics/CanaryArtifactConfig:CanaryArtifactConfig": { + "properties": { + "s3Encryption": { + "$ref": "#/types/aws:synthetics/CanaryArtifactConfigS3Encryption:CanaryArtifactConfigS3Encryption", + "description": "Configuration of the encryption-at-rest settings for artifacts that the canary uploads to Amazon S3. See S3 Encryption.\n" + } + }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementByteMatchStatementTextTransformation:WebAclRuleStatementByteMatchStatementTextTransformation": { + "aws:synthetics/CanaryArtifactConfigS3Encryption:CanaryArtifactConfigS3Encryption": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "encryptionMode": { + "type": "string", + "description": "The encryption method to use for artifacts created by this canary. Valid values are: `SSE_S3` and `SSE_KMS`.\n" }, - "type": { + "kmsKeyArn": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The ARN of the customer-managed KMS key to use, if you specify `SSE_KMS` for `encryption_mode`.\n" } }, - "type": "object", - "required": [ - "priority", - "type" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementGeoMatchStatement:WebAclRuleStatementGeoMatchStatement": { + "aws:synthetics/CanaryRunConfig:CanaryRunConfig": { "properties": { - "countryCodes": { - "type": "array", - "items": { + "activeTracing": { + "type": "boolean", + "description": "Whether this canary is to use active AWS X-Ray tracing when it runs. You can enable active tracing only for canaries that use version syn-nodejs-2.0 or later for their canary runtime.\n" + }, + "environmentVariables": { + "type": "object", + "additionalProperties": { "type": "string" }, - "description": "Array of two-character country codes, for example, [ \"US\", \"CN\" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values.\n" + "description": "Map of environment variables that are accessible from the canary during execution. 
Please see [AWS Docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime) for variables reserved for Lambda.\n" }, - "forwardedIpConfig": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementGeoMatchStatementForwardedIpConfig:WebAclRuleStatementGeoMatchStatementForwardedIpConfig", - "description": "Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `forwarded_ip_config` below for details.\n" + "memoryInMb": { + "type": "integer", + "description": "Maximum amount of memory available to the canary while it is running, in MB. The value you specify must be a multiple of 64.\n" + }, + "timeoutInSeconds": { + "type": "integer", + "description": "Number of seconds the canary is allowed to run before it must stop. If you omit this field, the frequency of the canary is used, up to a maximum of 840 (14 minutes).\n" } }, "type": "object", - "required": [ - "countryCodes" - ] + "language": { + "nodejs": { + "requiredOutputs": [ + "memoryInMb" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementGeoMatchStatementForwardedIpConfig:WebAclRuleStatementGeoMatchStatementForwardedIpConfig": { + "aws:synthetics/CanarySchedule:CanarySchedule": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`.\n" + "durationInSeconds": { + "type": "integer", + "description": "Duration in seconds, for the canary to continue making regular runs according to the schedule in the Expression value.\n" }, - "headerName": { + "expression": { "type": "string", - "description": "Name of the HTTP header to use for the IP address.\n" + "description": "Rate expression or cron expression that defines how often the canary is to run. 
For rate expression, the syntax is `rate(number unit)`. _unit_ can be `minute`, `minutes`, or `hour`. For cron expression, the syntax is `cron(expression)`. For more information about the syntax for cron expressions, see [Scheduling canary runs using cron](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_cron.html).\n" } }, "type": "object", "required": [ - "fallbackBehavior", - "headerName" + "expression" ] }, - "aws:wafv2/WebAclRuleStatementIpSetReferenceStatement:WebAclRuleStatementIpSetReferenceStatement": { + "aws:synthetics/CanaryTimeline:CanaryTimeline": { "properties": { - "arn": { + "created": { "type": "string", - "description": "The Amazon Resource Name (ARN) of the IP Set that this statement references.\n" + "description": "Date and time the canary was created.\n" }, - "ipSetForwardedIpConfig": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig", - "description": "Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `ip_set_forwarded_ip_config` below for more details.\n" - } - }, - "type": "object", - "required": [ - "arn" - ] - }, - "aws:wafv2/WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig": { - "properties": { - "fallbackBehavior": { + "lastModified": { "type": "string", - "description": "Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. 
Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "Date and time the canary was most recently modified.\n" }, - "headerName": { + "lastStarted": { "type": "string", - "description": "Name of the HTTP header to use for the IP address.\n" + "description": "Date and time that the canary's most recent run started.\n" }, - "position": { + "lastStopped": { "type": "string", - "description": "Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10.\n" + "description": "Date and time that the canary's most recent run ended.\n" } }, "type": "object", - "required": [ - "fallbackBehavior", - "headerName", - "position" - ] - }, - "aws:wafv2/WebAclRuleStatementLabelMatchStatement:WebAclRuleStatementLabelMatchStatement": { - "properties": { - "key": { - "type": "string", - "description": "String to match against.\n" - }, - "scope": { - "type": "string", - "description": "Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`.\n" + "language": { + "nodejs": { + "requiredOutputs": [ + "created", + "lastModified", + "lastStarted", + "lastStopped" + ] } - }, - "type": "object", - "required": [ - "key", - "scope" - ] + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatement:WebAclRuleStatementManagedRuleGroupStatement": { + "aws:synthetics/CanaryVpcConfig:CanaryVpcConfig": { "properties": { - "managedRuleGroupConfigs": { + "securityGroupIds": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig" + "type": "string" }, - "description": "Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config. 
See `managed_rule_group_configs` for more details\n" - }, - "name": { - "type": "string", - "description": "Name of the managed rule group.\n" + "description": "IDs of the security groups for this canary.\n" }, - "ruleActionOverrides": { + "subnetIds": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride" + "type": "string" }, - "description": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See `rule_action_override` below for details.\n" - }, - "scopeDownStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatement", - "description": "Narrows the scope of the statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See `statement` above for details.\n" - }, - "vendorName": { - "type": "string", - "description": "Name of the managed rule group vendor.\n" + "description": "IDs of the subnets where this canary is to run.\n" }, - "version": { + "vpcId": { "type": "string", - "description": "Version of the managed rule group. You can set `Version_1.0` or `Version_1.1` etc. 
If you want to use the default version, do not set anything.\n" + "description": "ID of the VPC where this canary is to run.\n" } }, "type": "object", - "required": [ - "name", - "vendorName" - ] + "language": { + "nodejs": { + "requiredOutputs": [ + "vpcId" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig": { + "aws:timestreamwrite/TableMagneticStoreWriteProperties:TableMagneticStoreWriteProperties": { "properties": { - "awsManagedRulesAcfpRuleSet": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet", - "description": "Additional configuration for using the Account Creation Fraud Prevention managed rule group. Use this to specify information such as the registration page of your application and the type of content to accept or reject from the client.\n" - }, - "awsManagedRulesAtpRuleSet": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet", - "description": "Additional configuration for using the Account Takeover Protection managed rule group. Use this to specify information such as the sign-in page of your application and the type of content to accept or reject from the client.\n" - }, - "awsManagedRulesBotControlRuleSet": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet", - "description": "Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. 
See `aws_managed_rules_bot_control_rule_set` for more details\n" - }, - "loginPath": { - "type": "string", - "description": "The path of the login endpoint for your application.\n" - }, - "passwordField": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField", - "description": "Details about your login page password field. See `password_field` for more details.\n" - }, - "payloadType": { - "type": "string", - "description": "The payload type for your login endpoint, either JSON or form encoded.\n" + "enableMagneticStoreWrites": { + "type": "boolean", + "description": "A flag to enable magnetic store writes.\n" }, - "usernameField": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField", - "description": "Details about your login page username field. See `username_field` for more details.\n" + "magneticStoreRejectedDataLocation": { + "$ref": "#/types/aws:timestreamwrite/TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation:TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation", + "description": "The location to write error reports for records rejected asynchronously during magnetic store writes. 
See Magnetic Store Rejected Data Location below for more details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet": { + "aws:timestreamwrite/TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation:TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation": { "properties": { - "creationPath": { + "s3Configuration": { + "$ref": "#/types/aws:timestreamwrite/TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration:TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration", + "description": "Configuration of an S3 location to write error reports for records rejected, asynchronously, during magnetic store writes. See S3 Configuration below for more details.\n" + } + }, + "type": "object" + }, + "aws:timestreamwrite/TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration:TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration": { + "properties": { + "bucketName": { "type": "string", - "description": "The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept POST requests.\n" + "description": "Bucket name of the customer S3 bucket.\n" }, - "enableRegexInPath": { - "type": "boolean", - "description": "Whether or not to allow the use of regular expressions in the login page path.\n" + "encryptionOption": { + "type": "string", + "description": "Encryption option for the customer s3 location. Options are S3 server side encryption with an S3-managed key or KMS managed key. Valid values are `SSE_KMS` and `SSE_S3`.\n" }, - "registrationPagePath": { + "kmsKeyId": { "type": "string", - "description": "The path of the account registration endpoint for your application. 
This is the page on your website that presents the registration form to new users. This page must accept GET text/html requests.\n" + "description": "KMS key arn for the customer s3 location when encrypting with a KMS managed key.\n" }, - "requestInspection": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection", - "description": "The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `request_inspection` for more details.\n" + "objectKeyPrefix": { + "type": "string", + "description": "Object key prefix for the customer S3 location.\n" + } + }, + "type": "object" + }, + "aws:timestreamwrite/TableRetentionProperties:TableRetentionProperties": { + "properties": { + "magneticStoreRetentionPeriodInDays": { + "type": "integer", + "description": "The duration for which data must be stored in the magnetic store. Minimum value of 1. Maximum value of 73000.\n" }, - "responseInspection": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspection", - "description": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. See `response_inspection` for more details.\n" + "memoryStoreRetentionPeriodInHours": { + "type": "integer", + "description": "The duration for which data must be stored in the memory store. Minimum value of 1. 
Maximum value of 8766.\n" } }, "type": "object", "required": [ - "creationPath", - "registrationPagePath", - "requestInspection" - ], + "magneticStoreRetentionPeriodInDays", + "memoryStoreRetentionPeriodInHours" + ] + }, + "aws:timestreamwrite/TableSchema:TableSchema": { + "properties": { + "compositePartitionKey": { + "$ref": "#/types/aws:timestreamwrite/TableSchemaCompositePartitionKey:TableSchemaCompositePartitionKey", + "description": "A non-empty list of partition keys defining the attributes used to partition the table data. The order of the list determines the partition hierarchy. The name and type of each partition key as well as the partition key order cannot be changed after the table is created. However, the enforcement level of each partition key can be changed. See Composite Partition Key below for more details.\n", + "willReplaceOnChanges": true + } + }, + "type": "object", "language": { "nodejs": { "requiredOutputs": [ - "creationPath", - "enableRegexInPath", - "registrationPagePath", - "requestInspection" + "compositePartitionKey" ] } } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection": { + "aws:timestreamwrite/TableSchemaCompositePartitionKey:TableSchemaCompositePartitionKey": { "properties": { - "addressFields": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields", - "description": "The names of the fields in the request payload that contain your customer's primary physical address. 
See `address_fields` for more details.\n" - }, - "emailField": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField", - "description": "The name of the field in the request payload that contains your customer's email. See `email_field` for more details.\n" - }, - "passwordField": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPasswordField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPasswordField", - "description": "Details about your login page password field. See `password_field` for more details.\n" - }, - "payloadType": { + "enforcementInRecord": { "type": "string", - "description": "The payload type for your login endpoint, either JSON or form encoded.\n" + "description": "The level of enforcement for the specification of a dimension key in ingested records. Valid values: `REQUIRED`, `OPTIONAL`.\n" }, - "phoneNumberFields": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPhoneNumberFields:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPhoneNumberFields", - "description": "The names of the fields in the request payload that contain your customer's primary phone number. 
See `phone_number_fields` for more details.\n" + "name": { + "type": "string", + "description": "The name of the attribute used for a dimension key.\n", + "willReplaceOnChanges": true }, - "usernameField": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionUsernameField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionUsernameField", - "description": "Details about your login page username field. See `username_field` for more details.\n" - } - }, - "type": "object", - "required": [ - "payloadType" - ] - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields": { - "properties": { - "identifiers": { - "type": "array", - "items": { - "type": "string" - } + "type": { + "type": "string", + "description": "The type of the partition key. 
Valid values: `DIMENSION`, `MEASURE`.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "identifiers" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField": { + "aws:transcribe/LanguageModelInputDataConfig:LanguageModelInputDataConfig": { "properties": { - "identifier": { + "dataAccessRoleArn": { "type": "string", - "description": "The name of the field in the request payload that contains your customer's email.\n" + "description": "IAM role with access to S3 bucket.\n", + "willReplaceOnChanges": true + }, + "s3Uri": { + "type": "string", + "description": "S3 URI where training data is located.\n", + "willReplaceOnChanges": true + }, + "tuningDataS3Uri": { + "type": "string", + "description": "S3 URI where tuning data is located.\n\nThe following arguments are optional:\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "identifier" - ] + "dataAccessRoleArn", + "s3Uri" + ], + "language": { + "nodejs": { + "requiredOutputs": [ + "dataAccessRoleArn", + "s3Uri", + "tuningDataS3Uri" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPasswordField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPasswordField": { + "aws:transfer/AccessHomeDirectoryMapping:AccessHomeDirectoryMapping": { "properties": { - "identifier": { + "entry": { "type": "string", - "description": "The name of the password field.\n" + "description": "Represents an entry and a target.\n" + }, + "target": { + "type": "string", + "description": "Represents the map target.\n" } }, "type": "object", "required": [ - "identifier" + "entry", + "target" ] }, - 
"aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPhoneNumberFields:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPhoneNumberFields": { + "aws:transfer/AccessPosixProfile:AccessPosixProfile": { "properties": { - "identifiers": { + "gid": { + "type": "integer", + "description": "The POSIX group ID used for all EFS operations by this user.\n" + }, + "secondaryGids": { "type": "array", "items": { - "type": "string" - } + "type": "integer" + }, + "description": "The secondary POSIX group IDs used for all EFS operations by this user.\n" + }, + "uid": { + "type": "integer", + "description": "The POSIX user ID used for all EFS operations by this user.\n" } }, "type": "object", "required": [ - "identifiers" + "gid", + "uid" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionUsernameField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionUsernameField": { + "aws:transfer/ConnectorAs2Config:ConnectorAs2Config": { "properties": { - "identifier": { - "type": "string", - "description": "The name of the username field.\n" + "compression": { + "type": "string" + }, + "encryptionAlgorithm": { + "type": "string" + }, + "localProfileId": { + "type": "string" + }, + "mdnResponse": { + "type": "string" + }, + "mdnSigningAlgorithm": { + "type": "string" + }, + "messageSubject": { + "type": "string" + }, + "partnerProfileId": { + "type": "string" + }, + "signingAlgorithm": { + "type": "string" } }, "type": "object", "required": [ - "identifier" + "compression", + "encryptionAlgorithm", + "localProfileId", + "mdnResponse", + "partnerProfileId", + "signingAlgorithm" ] }, - 
"aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspection": { + "aws:transfer/ConnectorSftpConfig:ConnectorSftpConfig": { "properties": { - "bodyContains": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionBodyContains:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionBodyContains", - "description": "Configures inspection of the response body. See `body_contains` for more details.\n" - }, - "header": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionHeader:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionHeader", - "description": "Configures inspection of the response header.See `header` for more details.\n" - }, - "json": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionJson:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionJson", - "description": "Configures inspection of the response JSON. 
See `json` for more details.\n" + "trustedHostKeys": { + "type": "array", + "items": { + "type": "string" + } }, - "statusCode": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionStatusCode:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionStatusCode", - "description": "Configures inspection of the response status code.See `status_code` for more details.\n" + "userSecretId": { + "type": "string" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionBodyContains:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionBodyContains": { + "aws:transfer/ServerEndpointDetails:ServerEndpointDetails": { "properties": { - "failureStrings": { + "addressAllocationIds": { "type": "array", "items": { "type": "string" }, - "description": "Strings in the body of the response that indicate a failed login attempt.\n" + "description": "A list of address allocation IDs that are required to attach an Elastic IP address to your SFTP server's endpoint. This property can only be used when `endpoint_type` is set to `VPC`.\n" }, - "successStrings": { + "securityGroupIds": { "type": "array", "items": { "type": "string" }, - "description": "Strings in the body of the response that indicate a successful login attempt.\n" - } - }, - "type": "object", - "required": [ - "failureStrings", - "successStrings" - ] - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionHeader:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionHeader": { - "properties": { - "failureValues": { + "description": "A list of security groups IDs that are available to attach to your server's endpoint. 
If no security groups are specified, the VPC's default security groups are automatically assigned to your endpoint. This property can only be used when `endpoint_type` is set to `VPC`.\n" + }, + "subnetIds": { "type": "array", "items": { "type": "string" }, - "description": "Values in the response header with the specified name that indicate a failed login attempt.\n" + "description": "A list of subnet IDs that are required to host your SFTP server endpoint in your VPC. This property can only be used when `endpoint_type` is set to `VPC`.\n" }, - "name": { + "vpcEndpointId": { "type": "string", - "description": "The name of the header to use.\n" + "description": "The ID of the VPC endpoint. This property can only be used when `endpoint_type` is set to `VPC_ENDPOINT`\n" }, - "successValues": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Values in the response header with the specified name that indicate a successful login attempt.\n" + "vpcId": { + "type": "string", + "description": "The VPC ID of the virtual private cloud in which the SFTP server's endpoint will be hosted. This property can only be used when `endpoint_type` is set to `VPC`.\n" } }, "type": "object", - "required": [ - "failureValues", - "name", - "successValues" - ] + "language": { + "nodejs": { + "requiredOutputs": [ + "securityGroupIds", + "vpcEndpointId" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionJson:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionJson": { + "aws:transfer/ServerProtocolDetails:ServerProtocolDetails": { "properties": { - "failureValues": { + "as2Transports": { "type": "array", "items": { "type": "string" - } + }, + "description": "Indicates the transport method for the AS2 messages. 
Currently, only `HTTP` is supported.\n" }, - "identifier": { + "passiveIp": { "type": "string", - "description": "The identifier for the value to match against in the JSON.\n" + "description": "Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer.\n" }, - "successValues": { - "type": "array", - "items": { - "type": "string" - } + "setStatOption": { + "type": "string", + "description": "Use to ignore the error that is generated when the client attempts to use `SETSTAT` on a file you are uploading to an S3 bucket. Valid values: `DEFAULT`, `ENABLE_NO_OP`.\n" + }, + "tlsSessionResumptionMode": { + "type": "string", + "description": "A property used with Transfer Family servers that use the FTPS protocol. Provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. Valid values: `DISABLED`, `ENABLED`, `ENFORCED`.\n" } }, "type": "object", - "required": [ - "failureValues", - "identifier", - "successValues" - ] - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionStatusCode:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionStatusCode": { - "properties": { - "failureCodes": { - "type": "array", - "items": { - "type": "integer" - }, - "description": "Status codes in the response that indicate a failed login attempt.\n" - }, - "successCodes": { - "type": "array", - "items": { - "type": "integer" - }, - "description": "Status codes in the response that indicate a successful login attempt.\n" + "language": { + "nodejs": { + "requiredOutputs": [ + "as2Transports", + "passiveIp", + "setStatOption", + "tlsSessionResumptionMode" + ] } - }, - "type": "object", - "required": [ - "failureCodes", - "successCodes" - ] + } }, - 
"aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet": { + "aws:transfer/ServerS3StorageOptions:ServerS3StorageOptions": { "properties": { - "enableRegexInPath": { - "type": "boolean", - "description": "Whether or not to allow the use of regular expressions in the login page path.\n" - }, - "loginPath": { + "directoryListingOptimization": { "type": "string", - "description": "The path of the login endpoint for your application.\n" - }, - "requestInspection": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection", - "description": "The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `request_inspection` for more details.\n" - }, - "responseInspection": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection", - "description": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. See `response_inspection` for more details.\n" + "description": "Specifies whether or not performance for your Amazon S3 directories is optimized. Valid values are `DISABLED`, `ENABLED`.\n\nBy default, home directory mappings have a `TYPE` of `DIRECTORY`. If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` Type to `FILE` if you want a mapping to have a file target. 
See [Using logical directories to simplify your Transfer Family directory structures](https://docs.aws.amazon.com/transfer/latest/userguide/logical-dir-mappings.html) for details.\n" } }, "type": "object", - "required": [ - "loginPath" - ], "language": { "nodejs": { "requiredOutputs": [ - "enableRegexInPath", - "loginPath" + "directoryListingOptimization" ] } } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection": { + "aws:transfer/ServerWorkflowDetails:ServerWorkflowDetails": { "properties": { - "passwordField": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionPasswordField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionPasswordField", - "description": "Details about your login page password field. See `password_field` for more details.\n" + "onPartialUpload": { + "$ref": "#/types/aws:transfer/ServerWorkflowDetailsOnPartialUpload:ServerWorkflowDetailsOnPartialUpload", + "description": "A trigger that starts a workflow if a file is only partially uploaded. See Workflow Detail below. See `on_partial_upload` block below for details.\n" }, - "payloadType": { + "onUpload": { + "$ref": "#/types/aws:transfer/ServerWorkflowDetailsOnUpload:ServerWorkflowDetailsOnUpload", + "description": "A trigger that starts a workflow: the workflow begins to execute after a file is uploaded. 
See `on_upload` block below for details.\n" + } + }, + "type": "object" + }, + "aws:transfer/ServerWorkflowDetailsOnPartialUpload:ServerWorkflowDetailsOnPartialUpload": { + "properties": { + "executionRole": { "type": "string", - "description": "The payload type for your login endpoint, either JSON or form encoded.\n" + "description": "Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources.\n" }, - "usernameField": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionUsernameField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionUsernameField", - "description": "Details about your login page username field. See `username_field` for more details.\n" + "workflowId": { + "type": "string", + "description": "A unique identifier for the workflow.\n" } }, "type": "object", "required": [ - "passwordField", - "payloadType", - "usernameField" + "executionRole", + "workflowId" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionPasswordField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionPasswordField": { + "aws:transfer/ServerWorkflowDetailsOnUpload:ServerWorkflowDetailsOnUpload": { "properties": { - "identifier": { + "executionRole": { "type": "string", - "description": "The name of the password field.\n" + "description": "Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources.\n" + }, + "workflowId": { + "type": "string", + "description": "A unique identifier for the workflow.\n" } }, "type": "object", "required": [ - "identifier" + "executionRole", + "workflowId" ] }, - 
"aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionUsernameField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionUsernameField": { + "aws:transfer/UserHomeDirectoryMapping:UserHomeDirectoryMapping": { "properties": { - "identifier": { + "entry": { "type": "string", - "description": "The name of the username field.\n" + "description": "Represents an entry and a target.\n" + }, + "target": { + "type": "string", + "description": "Represents the map target.\n\nThe `Restricted` option is achieved using the following mapping:\n\n```\nhome_directory_mappings {\nentry = \"/\"\ntarget = \"/${aws_s3_bucket.foo.id}/$${Transfer:UserName}\"\n}\n```\n" } }, "type": "object", "required": [ - "identifier" + "entry", + "target" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection": { + "aws:transfer/UserPosixProfile:UserPosixProfile": { "properties": { - "bodyContains": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains", - "description": "Configures inspection of the response body. 
See `body_contains` for more details.\n" - }, - "header": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader", - "description": "Configures inspection of the response header.See `header` for more details.\n" - }, - "json": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson", - "description": "Configures inspection of the response JSON. See `json` for more details.\n" + "gid": { + "type": "integer", + "description": "The POSIX group ID used for all EFS operations by this user.\n" }, - "statusCode": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode", - "description": "Configures inspection of the response status code.See `status_code` for more details.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains": { - "properties": { - "failureStrings": { + "secondaryGids": { "type": "array", "items": { - "type": "string" + "type": "integer" }, - "description": "Strings in the body of the response that indicate a failed login attempt.\n" + "description": "The secondary POSIX group IDs used for all EFS operations by this user.\n" }, - "successStrings": { - "type": "array", - "items": { - "type": "string" - }, - 
"description": "Strings in the body of the response that indicate a successful login attempt.\n" + "uid": { + "type": "integer", + "description": "The POSIX user ID used for all EFS operations by this user.\n" } }, "type": "object", "required": [ - "failureStrings", - "successStrings" + "gid", + "uid" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader": { + "aws:transfer/WorkflowOnExceptionStep:WorkflowOnExceptionStep": { "properties": { - "failureValues": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Values in the response header with the specified name that indicate a failed login attempt.\n" + "copyStepDetails": { + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepCopyStepDetails:WorkflowOnExceptionStepCopyStepDetails", + "willReplaceOnChanges": true }, - "name": { - "type": "string", - "description": "The name of the header to use.\n" + "customStepDetails": { + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepCustomStepDetails:WorkflowOnExceptionStepCustomStepDetails", + "willReplaceOnChanges": true }, - "successValues": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Values in the response header with the specified name that indicate a successful login attempt.\n" + "decryptStepDetails": { + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepDecryptStepDetails:WorkflowOnExceptionStepDecryptStepDetails", + "willReplaceOnChanges": true + }, + "deleteStepDetails": { + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepDeleteStepDetails:WorkflowOnExceptionStepDeleteStepDetails", + "willReplaceOnChanges": true + }, + "tagStepDetails": { + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepTagStepDetails:WorkflowOnExceptionStepTagStepDetails", + "willReplaceOnChanges": true + }, + "type": { + "type": 
"string", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "failureValues", - "name", - "successValues" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson": { + "aws:transfer/WorkflowOnExceptionStepCopyStepDetails:WorkflowOnExceptionStepCopyStepDetails": { "properties": { - "failureValues": { - "type": "array", - "items": { - "type": "string" - } + "destinationFileLocation": { + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation", + "description": "Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username.\n", + "willReplaceOnChanges": true }, - "identifier": { + "name": { "type": "string", - "description": "The identifier for the value to match against in the JSON.\n" + "description": "The name of the step, used as an identifier.\n", + "willReplaceOnChanges": true }, - "successValues": { - "type": "array", - "items": { - "type": "string" - } + "overwriteExisting": { + "type": "string", + "description": "A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`.\n", + "willReplaceOnChanges": true + }, + "sourceFileLocation": { + "type": "string", + "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. 
Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "failureValues", - "identifier", - "successValues" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode": { + "aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation": { "properties": { - "failureCodes": { - "type": "array", - "items": { - "type": "integer" - }, - "description": "Status codes in the response that indicate a failed login attempt.\n" + "efsFileLocation": { + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation", + "description": "Specifies the details for the EFS file being copied.\n", + "willReplaceOnChanges": true }, - "successCodes": { - "type": "array", - "items": { - "type": "integer" - }, - "description": "Status codes in the response that indicate a successful login attempt.\n" + "s3FileLocation": { + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation", + "description": "Specifies the details for the S3 file being copied.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "failureCodes", - "successCodes" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet": { + 
"aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation": { "properties": { - "inspectionLevel": { + "fileSystemId": { "type": "string", - "description": "The inspection level to use for the Bot Control rule group.\n" + "description": "The ID of the file system, assigned by Amazon EFS.\n", + "willReplaceOnChanges": true + }, + "path": { + "type": "string", + "description": "The pathname for the folder being used by a workflow.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "inspectionLevel" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField": { + "aws:transfer/WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation:WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation": { "properties": { - "identifier": { + "bucket": { "type": "string", - "description": "The name of the password field.\n" + "description": "Specifies the S3 bucket for the customer input file.\n", + "willReplaceOnChanges": true + }, + "key": { + "type": "string", + "description": "The name assigned to the file when it was created in S3. 
You use the object key to retrieve the object.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "identifier" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField": { + "aws:transfer/WorkflowOnExceptionStepCustomStepDetails:WorkflowOnExceptionStepCustomStepDetails": { "properties": { - "identifier": { + "name": { "type": "string", - "description": "The name of the username field.\n" + "description": "The name of the step, used as an identifier.\n", + "willReplaceOnChanges": true + }, + "sourceFileLocation": { + "type": "string", + "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. 
Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", + "willReplaceOnChanges": true + }, + "target": { + "type": "string", + "description": "The ARN for the lambda function that is being called.\n", + "willReplaceOnChanges": true + }, + "timeoutSeconds": { + "type": "integer", + "description": "Timeout, in seconds, for the step.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "identifier" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride": { + "aws:transfer/WorkflowOnExceptionStepDecryptStepDetails:WorkflowOnExceptionStepDecryptStepDetails": { "properties": { - "actionToUse": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse", - "description": "Override action to use, in place of the configured action of the rule in the rule group. See `action` for details.\n" + "destinationFileLocation": { + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation", + "description": "Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username.\n", + "willReplaceOnChanges": true }, "name": { "type": "string", - "description": "Name of the rule to override. See the [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) for a list of names in the appropriate rule group in use.\n" + "description": "The name of the step, used as an identifier.\n", + "willReplaceOnChanges": true + }, + "overwriteExisting": { + "type": "string", + "description": "A flag that indicates whether or not to overwrite an existing file of the same name. 
The default is `FALSE`. Valid values are `TRUE` and `FALSE`.\n", + "willReplaceOnChanges": true + }, + "sourceFileLocation": { + "type": "string", + "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", + "willReplaceOnChanges": true + }, + "type": { + "type": "string", + "description": "The type of encryption used. Currently, this value must be `\"PGP\"`.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "actionToUse", - "name" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse": { + "aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation": { "properties": { - "allow": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow" - }, - "block": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock" - }, - "captcha": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptcha:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptcha" - }, - "challenge": { - "$ref": 
"#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallenge:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallenge" + "efsFileLocation": { + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation", + "description": "Specifies the details for the EFS file being copied.\n", + "willReplaceOnChanges": true }, - "count": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCount:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCount" + "s3FileLocation": { + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation", + "description": "Specifies the details for the S3 file being copied.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow": { + "aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation": { "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling", - "description": "Defines custom handling for the web request. 
See `custom_request_handling` below for details.\n" + "fileSystemId": { + "type": "string", + "description": "The ID of the file system, assigned by Amazon EFS.\n", + "willReplaceOnChanges": true + }, + "path": { + "type": "string", + "description": "The pathname for the folder being used by a workflow.\n", + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling": { + "aws:transfer/WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation:WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation": { "properties": { - "insertHeaders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader" - }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" + "bucket": { + "type": "string", + "description": "Specifies the S3 bucket for the customer input file.\n", + "willReplaceOnChanges": true + }, + "key": { + "type": "string", + "description": "The name assigned to the file when it was created in S3. 
You use the object key to retrieve the object.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "insertHeaders" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader": { + "aws:transfer/WorkflowOnExceptionStepDeleteStepDetails:WorkflowOnExceptionStepDeleteStepDetails": { "properties": { "name": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "The name of the step, used as an identifier.\n", + "willReplaceOnChanges": true }, - "value": { + "sourceFileLocation": { "type": "string", - "description": "Value of the custom header.\n" - } - }, - "type": "object", - "required": [ - "name", - "value" - ] - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock": { - "properties": { - "customResponse": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse", - "description": "Defines a custom response for the web request. See `custom_response` below for details.\n" + "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. 
In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse": { + "aws:transfer/WorkflowOnExceptionStepTagStepDetails:WorkflowOnExceptionStepTagStepDetails": { "properties": { - "customResponseBodyKey": { + "name": { "type": "string", - "description": "References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `custom_response_body` block of this resource.\n" + "description": "The name of the step, used as an identifier.\n", + "willReplaceOnChanges": true }, - "responseCode": { - "type": "integer", - "description": "The HTTP status code to return to the client.\n" + "sourceFileLocation": { + "type": "string", + "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. 
Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", + "willReplaceOnChanges": true }, - "responseHeaders": { + "tags": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader" + "$ref": "#/types/aws:transfer/WorkflowOnExceptionStepTagStepDetailsTag:WorkflowOnExceptionStepTagStepDetailsTag" }, - "description": "The `response_header` blocks used to define the HTTP response headers added to the response. See `response_header` below for details.\n" + "description": "Array that contains from 1 to 10 key/value pairs. See S3 Tags below.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "responseCode" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader": { + "aws:transfer/WorkflowOnExceptionStepTagStepDetailsTag:WorkflowOnExceptionStepTagStepDetailsTag": { "properties": { - "name": { + "key": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. 
For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "willReplaceOnChanges": true }, "value": { "type": "string", - "description": "Value of the custom header.\n" + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "name", + "key", "value" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptcha:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptcha": { + "aws:transfer/WorkflowStep:WorkflowStep": { "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling", - "description": "Defines custom handling for the web request. See `custom_request_handling` below for details.\n" + "copyStepDetails": { + "$ref": "#/types/aws:transfer/WorkflowStepCopyStepDetails:WorkflowStepCopyStepDetails", + "willReplaceOnChanges": true + }, + "customStepDetails": { + "$ref": "#/types/aws:transfer/WorkflowStepCustomStepDetails:WorkflowStepCustomStepDetails", + "willReplaceOnChanges": true + }, + "decryptStepDetails": { + "$ref": "#/types/aws:transfer/WorkflowStepDecryptStepDetails:WorkflowStepDecryptStepDetails", + "willReplaceOnChanges": true + }, + "deleteStepDetails": { + "$ref": "#/types/aws:transfer/WorkflowStepDeleteStepDetails:WorkflowStepDeleteStepDetails", + "willReplaceOnChanges": true + }, + "tagStepDetails": { + "$ref": "#/types/aws:transfer/WorkflowStepTagStepDetails:WorkflowStepTagStepDetails", + "willReplaceOnChanges": true + }, + "type": { + "type": "string", + "willReplaceOnChanges": true + } + }, + "type": "object", + "required": [ + "type" + ] + }, + "aws:transfer/WorkflowStepCopyStepDetails:WorkflowStepCopyStepDetails": { + "properties": { + "destinationFileLocation": { + "$ref": 
"#/types/aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocation:WorkflowStepCopyStepDetailsDestinationFileLocation", + "description": "Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username.\n", + "willReplaceOnChanges": true + }, + "name": { + "type": "string", + "description": "The name of the step, used as an identifier.\n", + "willReplaceOnChanges": true + }, + "overwriteExisting": { + "type": "string", + "description": "A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`.\n", + "willReplaceOnChanges": true + }, + "sourceFileLocation": { + "type": "string", + "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. 
Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling": { + "aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocation:WorkflowStepCopyStepDetailsDestinationFileLocation": { "properties": { - "insertHeaders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader" - }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" + "efsFileLocation": { + "$ref": "#/types/aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation:WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation", + "description": "Specifies the details for the EFS file being copied.\n", + "willReplaceOnChanges": true + }, + "s3FileLocation": { + "$ref": "#/types/aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation:WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation", + "description": "Specifies the details for the S3 file being copied.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "insertHeaders" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader": { + 
"aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation:WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation": { "properties": { - "name": { + "fileSystemId": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "The ID of the file system, assigned by Amazon EFS.\n", + "willReplaceOnChanges": true }, - "value": { + "path": { "type": "string", - "description": "Value of the custom header.\n" + "description": "The pathname for the folder being used by a workflow.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "name", - "value" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallenge:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallenge": { + "aws:transfer/WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation:WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation": { "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling", - "description": "Defines custom handling for the web request. See `custom_request_handling` below for details.\n" + "bucket": { + "type": "string", + "description": "Specifies the S3 bucket for the customer input file.\n", + "willReplaceOnChanges": true + }, + "key": { + "type": "string", + "description": "The name assigned to the file when it was created in S3. 
You use the object key to retrieve the object.\n", + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling": { + "aws:transfer/WorkflowStepCustomStepDetails:WorkflowStepCustomStepDetails": { "properties": { - "insertHeaders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader" - }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" + "name": { + "type": "string", + "description": "The name of the step, used as an identifier.\n", + "willReplaceOnChanges": true + }, + "sourceFileLocation": { + "type": "string", + "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. 
Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", + "willReplaceOnChanges": true + }, + "target": { + "type": "string", + "description": "The ARN for the lambda function that is being called.\n", + "willReplaceOnChanges": true + }, + "timeoutSeconds": { + "type": "integer", + "description": "Timeout, in seconds, for the step.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "insertHeaders" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader": { + "aws:transfer/WorkflowStepDecryptStepDetails:WorkflowStepDecryptStepDetails": { "properties": { + "destinationFileLocation": { + "$ref": "#/types/aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocation", + "description": "Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username.\n", + "willReplaceOnChanges": true + }, "name": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "The name of the step, used as an identifier.\n", + "willReplaceOnChanges": true }, - "value": { + "overwriteExisting": { "type": "string", - "description": "Value of the custom header.\n" + "description": "A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. 
Valid values are `TRUE` and `FALSE`.\n", + "willReplaceOnChanges": true + }, + "sourceFileLocation": { + "type": "string", + "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", + "willReplaceOnChanges": true + }, + "type": { + "type": "string", + "description": "The type of encryption used. Currently, this value must be `\"PGP\"`.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "name", - "value" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCount:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCount": { + "aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocation": { "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandling:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandling", - "description": "Defines custom handling for the web request. 
See `custom_request_handling` below for details.\n" + "efsFileLocation": { + "$ref": "#/types/aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation", + "description": "Specifies the details for the EFS file being copied.\n", + "willReplaceOnChanges": true + }, + "s3FileLocation": { + "$ref": "#/types/aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation", + "description": "Specifies the details for the S3 file being copied.\n", + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandling:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandling": { + "aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation": { "properties": { - "insertHeaders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader" - }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. 
See `insert_header` below for details.\n" + "fileSystemId": { + "type": "string", + "description": "The ID of the file system, assigned by Amazon EFS.\n", + "willReplaceOnChanges": true + }, + "path": { + "type": "string", + "description": "The pathname for the folder being used by a workflow.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "insertHeaders" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader": { + "aws:transfer/WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation:WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation": { "properties": { - "name": { + "bucket": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "Specifies the S3 bucket for the customer input file.\n", + "willReplaceOnChanges": true }, - "value": { + "key": { "type": "string", - "description": "Value of the custom header.\n" + "description": "The name assigned to the file when it was created in S3. 
You use the object key to retrieve the object.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "name", - "value" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatement": { + "aws:transfer/WorkflowStepDeleteStepDetails:WorkflowStepDeleteStepDetails": { "properties": { - "andStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementAndStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementAndStatement" - }, - "byteMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatement" - }, - "geoMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatement" - }, - "ipSetReferenceStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatement" - }, - "labelMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementLabelMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementLabelMatchStatement" - }, - "notStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementNotStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementNotStatement" - }, - "orStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementOrStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementOrStatement" - }, - "regexMatchStatement": { - "$ref": 
"#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatement" - }, - "regexPatternSetReferenceStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatement" - }, - "sizeConstraintStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatement" - }, - "sqliMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatement" + "name": { + "type": "string", + "description": "The name of the step, used as an identifier.\n", + "willReplaceOnChanges": true }, - "xssMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatement" + "sourceFileLocation": { + "type": "string", + "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. 
Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", + "willReplaceOnChanges": true } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementAndStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementAndStatement": { + "aws:transfer/WorkflowStepTagStepDetails:WorkflowStepTagStepDetails": { "properties": { - "statements": { + "name": { + "type": "string", + "description": "The name of the step, used as an identifier.\n", + "willReplaceOnChanges": true + }, + "sourceFileLocation": { + "type": "string", + "description": "Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step.\n", + "willReplaceOnChanges": true + }, + "tags": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" + "$ref": "#/types/aws:transfer/WorkflowStepTagStepDetailsTag:WorkflowStepTagStepDetailsTag" }, - "description": "The statements to combine." + "description": "Array that contains from 1 to 10 key/value pairs. 
See S3 Tags below.\n", + "willReplaceOnChanges": true } }, - "type": "object", - "required": [ - "statements" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatement": { + "aws:transfer/WorkflowStepTagStepDetailsTag:WorkflowStepTagStepDetailsTag": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" - }, - "positionalConstraint": { + "key": { "type": "string", - "description": "Area within the portion of a web request that you want AWS WAF to search for `search_string`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information.\n" + "willReplaceOnChanges": true }, - "searchString": { + "value": { "type": "string", - "description": "String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`. The maximum length of the value is 50 bytes.\n" - }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. 
See `text_transformation` below for details.\n" + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "positionalConstraint", - "searchString", - "textTransformations" + "key", + "value" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatch": { + "aws:verifiedaccess/EndpointLoadBalancerOptions:EndpointLoadBalancerOptions": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" + "loadBalancerArn": { + "type": "string", + "willReplaceOnChanges": true }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. 
See `cookies` below for details.\n" + "port": { + "type": "integer" }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" + "protocol": { + "type": "string" }, - "headers": { + "subnetIds": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" + "type": "string" + } + } + }, + "type": "object" + }, + "aws:verifiedaccess/EndpointNetworkInterfaceOptions:EndpointNetworkInterfaceOptions": { + "properties": { + "networkInterfaceId": { + "type": "string", + "willReplaceOnChanges": true }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "port": { + "type": "integer" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "protocol": { + "type": "string" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments": { + "aws:verifiedaccess/EndpointSseSpecification:EndpointSseSpecification": { + "properties": { + "customerManagedKeyEnabled": { + "type": "boolean" + }, + "kmsKeyArn": { + "type": "string" + } + }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchBody": { + "aws:verifiedaccess/GroupSseConfiguration:GroupSseConfiguration": { "properties": { - "oversizeHandling": { + "customerManagedKeyEnabled": { + "type": "boolean" + }, + "kmsKeyArn": { "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "ARN of the KMS key to use.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookies": { + "aws:verifiedaccess/InstanceLoggingConfigurationAccessLogs:InstanceLoggingConfigurationAccessLogs": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" + "cloudwatchLogs": { + "$ref": "#/types/aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsCloudwatchLogs:InstanceLoggingConfigurationAccessLogsCloudwatchLogs", + "description": "A block that specifies configures sending Verified Access logs to CloudWatch Logs. Detailed below.\n" }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE`\n" + "includeTrustContext": { + "type": "boolean", + "description": "Include trust data sent by trust providers into the logs.\n" }, - "oversizeHandling": { + "kinesisDataFirehose": { + "$ref": "#/types/aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsKinesisDataFirehose:InstanceLoggingConfigurationAccessLogsKinesisDataFirehose", + "description": "A block that specifies configures sending Verified Access logs to Kinesis. Detailed below.\n" + }, + "logVersion": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "The logging version to use. Refer to [VerifiedAccessLogOptions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_VerifiedAccessLogOptions.html) for the allowed values.\n" + }, + "s3": { + "$ref": "#/types/aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsS3:InstanceLoggingConfigurationAccessLogsS3", + "description": "A block that specifies configures sending Verified Access logs to S3. 
Detailed below.\n" } }, "type": "object", - "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" - ] + "language": { + "nodejs": { + "requiredOutputs": [ + "includeTrustContext", + "logVersion" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsCloudwatchLogs:InstanceLoggingConfigurationAccessLogsCloudwatchLogs": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "enabled": { + "type": "boolean", + "description": "Indicates whether logging is enabled.\n" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "logGroup": { + "type": "string", + "description": "The name of the CloudWatch Logs Log Group.\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "enabled" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeader": { + "aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsKinesisDataFirehose:InstanceLoggingConfigurationAccessLogsKinesisDataFirehose": { "properties": { - "matchPattern": { - "$ref": 
"#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { + "deliveryStream": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "The name of the delivery stream.\n" }, - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "enabled": { + "type": "boolean", + "description": "Indicates whether logging is enabled.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "enabled" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:verifiedaccess/InstanceLoggingConfigurationAccessLogsS3:InstanceLoggingConfigurationAccessLogsS3": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" + "bucketName": { + "type": "string", + "description": "The name of S3 bucket.\n" }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "bucketOwner": { + "type": "string", + "description": "The ID of the AWS account that owns the Amazon S3 bucket.\n" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "enabled": { + "type": "boolean", + "description": "Indicates whether logging is enabled.\n" + }, + "prefix": { + "type": "string", + "description": "The bucket prefix.\n" } }, - "type": "object" - }, - 
"aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "enabled" + ], + "language": { + "nodejs": { + "requiredOutputs": [ + "bucketOwner", + "enabled" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder": { + "aws:verifiedaccess/InstanceVerifiedAccessTrustProvider:InstanceVerifiedAccessTrustProvider": { "properties": { - "oversizeHandling": { + "description": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "A description for the AWS Verified Access Instance.\n" + }, + "deviceTrustProviderType": { + "type": "string", + "description": "The type of device-based trust provider.\n" + }, + "trustProviderType": { + "type": "string", + "description": "The type of trust provider (user- or device-based).\n" + }, + "userTrustProviderType": { + "type": "string", + "description": "The type of user-based trust provider.\n" + }, + "verifiedAccessTrustProviderId": { + "type": "string", + "description": "The ID of the trust provider.\n" } }, "type": "object", - "required": [ - "oversizeHandling" - ] + "language": { + "nodejs": { + "requiredOutputs": [ + "description", + "deviceTrustProviderType", + "trustProviderType", + "userTrustProviderType", + "verifiedAccessTrustProviderId" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint": { + "aws:verifiedaccess/TrustProviderDeviceOptions:TrustProviderDeviceOptions": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. 
Valid values include: `MATCH` or `NO_MATCH`.\n" + "tenantId": { + "type": "string" } }, - "type": "object", - "required": [ - "fallbackBehavior" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody": { + "aws:verifiedaccess/TrustProviderOidcOptions:TrustProviderOidcOptions": { "properties": { - "invalidFallbackBehavior": { + "authorizationEndpoint": { "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" + "willReplaceOnChanges": true }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "clientId": { + "type": "string", + "willReplaceOnChanges": true }, - "matchScope": { + "clientSecret": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "secret": true }, - "oversizeHandling": { + "issuer": { "type": "string", - "description": "What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "willReplaceOnChanges": true + }, + "scope": { + "type": "string" + }, + "tokenEndpoint": { + "type": "string", + "willReplaceOnChanges": true + }, + "userInfoEndpoint": { + "type": "string", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "clientSecret" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:verifiedpermissions/PolicyDefinition:PolicyDefinition": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "static": { + "$ref": "#/types/aws:verifiedpermissions/PolicyDefinitionStatic:PolicyDefinitionStatic", + "description": "The static policy statement. 
See Static below.\n" }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString": { + "templateLinked": { + "$ref": "#/types/aws:verifiedpermissions/PolicyDefinitionTemplateLinked:PolicyDefinitionTemplateLinked", + "description": "The template linked policy. See Template Linked below.\n" + } + }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader": { + "aws:verifiedpermissions/PolicyDefinitionStatic:PolicyDefinitionStatic": { "properties": { - "name": { + "description": { "type": "string", - "description": "Name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "description": "The description of the static policy.\n" + }, + "statement": { + "type": "string", + "description": "The statement of the static policy.\n" } }, "type": "object", "required": [ - "name" + "statement" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument": { + "aws:verifiedpermissions/PolicyDefinitionTemplateLinked:PolicyDefinitionTemplateLinked": { "properties": { - "name": { + "policyTemplateId": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The ID of the template.\n" + }, + "principal": { + "$ref": "#/types/aws:verifiedpermissions/PolicyDefinitionTemplateLinkedPrincipal:PolicyDefinitionTemplateLinkedPrincipal", + "description": "The principal of the template linked policy.\n" + }, + "resource": { + "$ref": "#/types/aws:verifiedpermissions/PolicyDefinitionTemplateLinkedResource:PolicyDefinitionTemplateLinkedResource", + "description": "The resource of the template linked policy.\n" } }, "type": "object", "required": [ - "name" + "policyTemplateId" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementTextTransformation": { + "aws:verifiedpermissions/PolicyDefinitionTemplateLinkedPrincipal:PolicyDefinitionTemplateLinkedPrincipal": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing 
order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "entityId": { + "type": "string", + "description": "The entity ID of the principal.\n" }, - "type": { + "entityType": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The entity type of the principal.\n" } }, "type": "object", "required": [ - "priority", - "type" + "entityId", + "entityType" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatement": { + "aws:verifiedpermissions/PolicyDefinitionTemplateLinkedResource:PolicyDefinitionTemplateLinkedResource": { "properties": { - "countryCodes": { - "type": "array", - "items": { - "type": "string" - }, - "description": "Array of two-character country codes, for example, [ \"US\", \"CN\" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values.\n" + "entityId": { + "type": "string", + "description": "The entity ID of the resource.\n" }, - "forwardedIpConfig": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatementForwardedIpConfig:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatementForwardedIpConfig", - "description": "Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. 
See `forwarded_ip_config` below for details.\n" + "entityType": { + "type": "string", + "description": "The entity type of the resource.\n" } }, "type": "object", "required": [ - "countryCodes" + "entityId", + "entityType" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatementForwardedIpConfig:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatementForwardedIpConfig": { + "aws:verifiedpermissions/PolicyStoreValidationSettings:PolicyStoreValidationSettings": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`.\n" - }, - "headerName": { + "mode": { "type": "string", - "description": "Name of the HTTP header to use for the IP address.\n" + "description": "The mode for the validation settings. Valid values: `OFF`, `STRICT`.\n\nThe following arguments are optional:\n" } }, "type": "object", "required": [ - "fallbackBehavior", - "headerName" + "mode" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatement": { + "aws:verifiedpermissions/SchemaDefinition:SchemaDefinition": { "properties": { - "arn": { + "value": { "type": "string", - "description": "The Amazon Resource Name (ARN) of the IP Set that this statement references.\n" - }, - "ipSetForwardedIpConfig": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig", - "description": "Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. 
See `ip_set_forwarded_ip_config` below for more details.\n" + "description": "A JSON string representation of the schema.\n" } }, "type": "object", "required": [ - "arn" + "value" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig": { + "aws:verifiedpermissions/getPolicyStoreValidationSetting:getPolicyStoreValidationSetting": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`.\n" - }, - "headerName": { - "type": "string", - "description": "Name of the HTTP header to use for the IP address.\n" - }, - "position": { - "type": "string", - "description": "Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10.\n" + "mode": { + "type": "string" } }, "type": "object", "required": [ - "fallbackBehavior", - "headerName", - "position" - ] + "mode" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementLabelMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementLabelMatchStatement": { + "aws:vpc/EndpointServicePrivateDnsVerificationTimeouts:EndpointServicePrivateDnsVerificationTimeouts": { "properties": { - "key": { - "type": "string", - "description": "String to match against.\n" - }, - "scope": { + "create": { "type": "string", - "description": "Specify whether you want to match using the label name or just the namespace. 
Valid values are `LABEL` or `NAMESPACE`.\n" + "description": "A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as \"30s\" or \"2h45m\". Valid time units are \"s\" (seconds), \"m\" (minutes), \"h\" (hours).\n" } }, - "type": "object", - "required": [ - "key", - "scope" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementNotStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementNotStatement": { + "aws:vpc/getSecurityGroupRuleFilter:getSecurityGroupRuleFilter": { "properties": { - "statements": { + "name": { + "type": "string", + "description": "Name of the filter field. Valid values can be found in the EC2 [`DescribeSecurityGroupRules`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupRules.html) API Reference.\n" + }, + "values": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" + "type": "string" }, - "description": "The statements to combine." + "description": "Set of values that are accepted for the given filter field. Results will be selected if any given value matches.\n" } }, "type": "object", "required": [ - "statements" + "name", + "values" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementOrStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementOrStatement": { + "aws:vpc/getSecurityGroupRulesFilter:getSecurityGroupRulesFilter": { "properties": { - "statements": { + "name": { + "type": "string", + "description": "Name of the field to filter by, as defined by\n[the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupRules.html).\n" + }, + "values": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" + "type": "string" }, - "description": "The statements to combine." 
+ "description": "Set of values that are accepted for the given field.\nSecurity group rule IDs will be selected if any one of the given values match.\n" } }, "type": "object", "required": [ - "statements" + "name", + "values" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatement": { + "aws:vpclattice/ListenerDefaultAction:ListenerDefaultAction": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" - }, - "regexString": { - "type": "string", - "description": "String representing the regular expression. Minimum of `1` and maximum of `512` characters.\n" + "fixedResponse": { + "$ref": "#/types/aws:vpclattice/ListenerDefaultActionFixedResponse:ListenerDefaultActionFixedResponse" }, - "textTransformations": { + "forwards": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementTextTransformation" + "$ref": "#/types/aws:vpclattice/ListenerDefaultActionForward:ListenerDefaultActionForward" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `text_transformation` below for details.\n" + "description": "Route requests to one or more target groups. 
See Forward blocks below.\n\n\u003e **NOTE:** You must specify exactly one of the following argument blocks: `fixed_response` or `forward`.\n" + } + }, + "type": "object" + }, + "aws:vpclattice/ListenerDefaultActionFixedResponse:ListenerDefaultActionFixedResponse": { + "properties": { + "statusCode": { + "type": "integer", + "description": "Custom HTTP status code to return, e.g. a 404 response code. See [Listeners](https://docs.aws.amazon.com/vpc-lattice/latest/ug/listeners.html) in the AWS documentation for a list of supported codes.\n" } }, "type": "object", "required": [ - "regexString", - "textTransformations" + "statusCode" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatch": { + "aws:vpclattice/ListenerDefaultActionForward:ListenerDefaultActionForward": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. 
See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" - }, - "headers": { + "targetGroups": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader" + "$ref": "#/types/aws:vpclattice/ListenerDefaultActionForwardTargetGroup:ListenerDefaultActionForwardTargetGroup" }, - "description": "Inspect the request headers. See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. 
See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" - }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "description": "One or more target group blocks.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments": { + "aws:vpclattice/ListenerDefaultActionForwardTargetGroup:ListenerDefaultActionForwardTargetGroup": { + "properties": { + "targetGroupIdentifier": { + "type": "string" + }, + "weight": { + "type": "integer" + } + }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchBody": { + "aws:vpclattice/ListenerRuleAction:ListenerRuleAction": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "fixedResponse": { + "$ref": "#/types/aws:vpclattice/ListenerRuleActionFixedResponse:ListenerRuleActionFixedResponse", + "description": "Describes the rule action that returns a custom HTTP response.\n" + }, + "forward": { + "$ref": "#/types/aws:vpclattice/ListenerRuleActionForward:ListenerRuleActionForward", + "description": "The forward action. 
Traffic that matches the rule is forwarded to the specified target groups.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies": { + "aws:vpclattice/ListenerRuleActionFixedResponse:ListenerRuleActionFixedResponse": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" - }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "statusCode": { + "type": "integer", + "description": "The HTTP response code.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "statusCode" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:vpclattice/ListenerRuleActionForward:ListenerRuleActionForward": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } - }, - "includedCookies": { + "targetGroups": { "type": "array", "items": { - "type": "string" - } + "$ref": "#/types/aws:vpclattice/ListenerRuleActionForwardTargetGroup:ListenerRuleActionForwardTargetGroup" + }, + "description": "The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic.\n\nThe default value is 1 with maximum number of 2. 
If only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group.\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "targetGroups" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader": { + "aws:vpclattice/ListenerRuleActionForwardTargetGroup:ListenerRuleActionForwardTargetGroup": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "targetGroupIdentifier": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "weight": { + "type": "integer" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "targetGroupIdentifier" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:vpclattice/ListenerRuleMatch:ListenerRuleMatch": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" - }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "httpMatch": { + "$ref": "#/types/aws:vpclattice/ListenerRuleMatchHttpMatch:ListenerRuleMatchHttpMatch", + "description": "The HTTP criteria that a rule must match.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - 
"aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder": { + "aws:vpclattice/ListenerRuleMatchHttpMatch:ListenerRuleMatchHttpMatch": { "properties": { - "oversizeHandling": { + "headerMatches": { + "type": "array", + "items": { + "$ref": "#/types/aws:vpclattice/ListenerRuleMatchHttpMatchHeaderMatch:ListenerRuleMatchHttpMatchHeaderMatch" + }, + "description": "The header matches. Matches incoming requests with rule based on request header value before applying rule action.\n" + }, + "method": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "The HTTP method type.\n" + }, + "pathMatch": { + "$ref": "#/types/aws:vpclattice/ListenerRuleMatchHttpMatchPathMatch:ListenerRuleMatchHttpMatchPathMatch", + "description": "The path match.\n" } }, - "type": "object", - "required": [ - "oversizeHandling" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint": { + "aws:vpclattice/ListenerRuleMatchHttpMatchHeaderMatch:ListenerRuleMatchHttpMatchHeaderMatch": { "properties": { - "fallbackBehavior": { + "caseSensitive": { + "type": "boolean", + "description": "Indicates whether the match is case sensitive. 
Defaults to false.\n" + }, + "match": { + "$ref": "#/types/aws:vpclattice/ListenerRuleMatchHttpMatchHeaderMatchMatch:ListenerRuleMatchHttpMatchHeaderMatchMatch", + "description": "The header match type.\n" + }, + "name": { "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "The name of the header.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "match", + "name" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody": { + "aws:vpclattice/ListenerRuleMatchHttpMatchHeaderMatchMatch:ListenerRuleMatchHttpMatchHeaderMatchMatch": { "properties": { - "invalidFallbackBehavior": { + "contains": { "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "description": "Specifies a contains type match.\n" }, - "matchScope": { + "exact": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. 
Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "Specifies an exact type match.\n" }, - "oversizeHandling": { + "prefix": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "Specifies a prefix type match. Matches the value with the prefix.\n" + } + }, + "type": "object" + }, + "aws:vpclattice/ListenerRuleMatchHttpMatchPathMatch:ListenerRuleMatchHttpMatchPathMatch": { + "properties": { + "caseSensitive": { + "type": "boolean", + "description": "Indicates whether the match is case sensitive. Defaults to false.\n" + }, + "match": { + "$ref": "#/types/aws:vpclattice/ListenerRuleMatchHttpMatchPathMatchMatch:ListenerRuleMatchHttpMatchPathMatchMatch", + "description": "The header match type.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "match" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:vpclattice/ListenerRuleMatchHttpMatchPathMatchMatch:ListenerRuleMatchHttpMatchPathMatchMatch": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "exact": { + "type": "string", + "description": "Specifies an exact type match.\n" }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "prefix": { + "type": "string", + "description": "Specifies a prefix type match. 
Matches the value with the prefix.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader": { + "aws:vpclattice/ServiceDnsEntry:ServiceDnsEntry": { "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "domainName": { + "type": "string" + }, + "hostedZoneId": { + "type": "string" } }, "type": "object", - "required": [ - "name" - ] + "language": { + "nodejs": { + "requiredOutputs": [ + "domainName", + "hostedZoneId" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument": { + "aws:vpclattice/ServiceNetworkServiceAssociationDnsEntry:ServiceNetworkServiceAssociationDnsEntry": { "properties": { - "name": { + "domainName": { "type": "string", - "description": "Name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "description": "The domain name of the service.\n" + }, + "hostedZoneId": { + "type": "string", + "description": "The ID of the hosted zone.\n" } }, "type": "object", - "required": [ - "name" - ] - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath": { - "type": "object" + "language": { + "nodejs": { + "requiredOutputs": [ + "domainName", + "hostedZoneId" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementTextTransformation": { + "aws:vpclattice/TargetGroupAttachmentTarget:TargetGroupAttachmentTarget": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { + "id": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The ID of the target. If the target type of the target group is INSTANCE, this is an instance ID. If the target type is IP , this is an IP address. If the target type is LAMBDA, this is the ARN of the Lambda function. If the target type is ALB, this is the ARN of the Application Load Balancer.\n", + "willReplaceOnChanges": true + }, + "port": { + "type": "integer", + "description": "This port is used for routing traffic to the target, and defaults to the target group port. 
However, you can override the default and specify a custom port.\n", + "willReplaceOnChanges": true } }, "type": "object", "required": [ - "priority", - "type" - ] + "id" + ], + "language": { + "nodejs": { + "requiredOutputs": [ + "id", + "port" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatement": { + "aws:vpclattice/TargetGroupConfig:TargetGroupConfig": { "properties": { - "arn": { + "healthCheck": { + "$ref": "#/types/aws:vpclattice/TargetGroupConfigHealthCheck:TargetGroupConfigHealthCheck", + "description": "The health check configuration.\n" + }, + "ipAddressType": { "type": "string", - "description": "The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.\n" + "description": "The type of IP address used for the target group. Valid values: `IPV4` | `IPV6`.\n", + "willReplaceOnChanges": true }, - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" + "lambdaEventStructureVersion": { + "type": "string", + "description": "The version of the event structure that the Lambda function receives. Supported only if `type` is `LAMBDA`. 
Valid Values are `V1` | `V2`.\n", + "willReplaceOnChanges": true }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `text_transformation` below for details.\n" + "port": { + "type": "integer", + "description": "The port on which the targets are listening.\n", + "willReplaceOnChanges": true + }, + "protocol": { + "type": "string", + "description": "The protocol to use for routing traffic to the targets. Valid Values are `HTTP` | `HTTPS`.\n", + "willReplaceOnChanges": true + }, + "protocolVersion": { + "type": "string", + "description": "The protocol version. Valid Values are `HTTP1` | `HTTP2` | `GRPC`. 
Default value is `HTTP1`.\n", + "willReplaceOnChanges": true + }, + "vpcIdentifier": { + "type": "string", + "description": "The ID of the VPC.\n", + "willReplaceOnChanges": true } }, "type": "object", - "required": [ - "arn", - "textTransformations" - ] + "language": { + "nodejs": { + "requiredOutputs": [ + "ipAddressType", + "lambdaEventStructureVersion", + "port", + "protocol", + "protocolVersion" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch": { + "aws:vpclattice/TargetGroupConfigHealthCheck:TargetGroupConfigHealthCheck": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" + "enabled": { + "type": "boolean", + "description": "Indicates whether health checking is enabled. 
Defaults to `true`.\n" }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" + "healthCheckIntervalSeconds": { + "type": "integer", + "description": "The approximate amount of time, in seconds, between health checks of an individual target. The range is 5–300 seconds. The default is 30 seconds.\n" }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" + "healthCheckTimeoutSeconds": { + "type": "integer", + "description": "The amount of time, in seconds, to wait before reporting a target as unhealthy. The range is 1–120 seconds. The default is 5 seconds.\n* `healthy_threshold_count ` - (Optional) The number of consecutive successful health checks required before considering an unhealthy target healthy. The range is 2–10. The default is 5.\n" }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. 
See `ja3_fingerprint` below for details.\n" + "healthyThresholdCount": { + "type": "integer" }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" + "matcher": { + "$ref": "#/types/aws:vpclattice/TargetGroupConfigHealthCheckMatcher:TargetGroupConfigHealthCheckMatcher", + "description": "The codes to use when checking for a successful response from a target. These are called _Success codes_ in the console.\n" }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" + "path": { + "type": "string", + "description": "The destination for health checks on the targets. If the protocol version is HTTP/1.1 or HTTP/2, specify a valid URI (for example, /path?query). The default path is `/`. Health checks are not supported if the protocol version is gRPC, however, you can choose HTTP/1.1 or HTTP/2 and specify a valid URI.\n" }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString", - "description": "Inspect the query string. 
This is the part of a URL that appears after a `?` character, if any.\n" + "port": { + "type": "integer", + "description": "The port used when performing health checks on targets. The default setting is the port that a target receives traffic on.\n" }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" + "protocol": { + "type": "string", + "description": "The protocol used when performing health checks on targets. The possible protocols are `HTTP` and `HTTPS`.\n" }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "protocolVersion": { + "type": "string", + "description": "The protocol version used when performing health checks on targets. The possible protocol versions are `HTTP1` and `HTTP2`. The default is `HTTP1`.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "unhealthyThresholdCount": { + "type": "integer", + "description": "The number of consecutive failed health checks required before considering a target unhealthy. The range is 2–10. The default is 2.\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "language": { + "nodejs": { + "requiredOutputs": [ + "port", + "protocol" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody": { + "aws:vpclattice/TargetGroupConfigHealthCheckMatcher:TargetGroupConfigHealthCheckMatcher": { "properties": { - "oversizeHandling": { + "value": { "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "The HTTP codes to use when checking for a successful response from a target.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies": { + "aws:vpclattice/getListenerDefaultAction:getListenerDefaultAction": { "properties": { - "matchPatterns": { + "fixedResponses": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "$ref": "#/types/aws:vpclattice/getListenerDefaultActionFixedResponse:getListenerDefaultActionFixedResponse" + } }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "forwards": { + "type": "array", + "items": { + "$ref": "#/types/aws:vpclattice/getListenerDefaultActionForward:getListenerDefaultActionForward" + } } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" - ] + "fixedResponses", + "forwards" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern": { + "aws:vpclattice/getListenerDefaultActionFixedResponse:getListenerDefaultActionFixedResponse": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } - }, - "includedCookies": { + "statusCode": { + "type": "integer" + } + }, + "type": "object", + "required": [ + "statusCode" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } + }, + "aws:vpclattice/getListenerDefaultActionForward:getListenerDefaultActionForward": { + "properties": { + "targetGroups": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:vpclattice/getListenerDefaultActionForwardTargetGroup:getListenerDefaultActionForwardTargetGroup" } } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": 
"object", + "required": [ + "targetGroups" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader": { + "aws:vpclattice/getListenerDefaultActionForwardTargetGroup:getListenerDefaultActionForwardTargetGroup": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "targetGroupIdentifier": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "weight": { + "type": "integer" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" - ] + "targetGroupIdentifier", + "weight" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern": { + "aws:vpclattice/getServiceDnsEntry:getServiceDnsEntry": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "domainName": { + "type": "string" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "hostedZoneId": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" + "type": "object", + 
"required": [ + "domainName", + "hostedZoneId" + ], + "language": { + "nodejs": { + "requiredInputs": [] + } + } }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder": { + "aws:waf/ByteMatchSetByteMatchTuple:ByteMatchSetByteMatchTuple": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "fieldToMatch": { + "$ref": "#/types/aws:waf/ByteMatchSetByteMatchTupleFieldToMatch:ByteMatchSetByteMatchTupleFieldToMatch" + }, + "positionalConstraint": { + "type": "string" + }, + "targetString": { + "type": "string" + }, + "textTransformation": { + "type": "string" } }, "type": "object", "required": [ - "oversizeHandling" + "fieldToMatch", + "positionalConstraint", + "textTransformation" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint": { + "aws:waf/ByteMatchSetByteMatchTupleFieldToMatch:ByteMatchSetByteMatchTupleFieldToMatch": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. 
Valid values include: `MATCH` or `NO_MATCH`.\n" + "data": { + "type": "string" + }, + "type": { + "type": "string" } }, "type": "object", "required": [ - "fallbackBehavior" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody": { + "aws:waf/GeoMatchSetGeoMatchConstraint:GeoMatchSetGeoMatchConstraint": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "type": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "type", + "value" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern": { + "aws:waf/IpSetIpSetDescriptor:IpSetIpSetDescriptor": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll" + "type": { + "type": "string" }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "value": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString": { - "type": "object" + "type": "object", + "required": [ + "type", + "value" + ] }, - 
"aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader": { + "aws:waf/RateBasedRulePredicate:RateBasedRulePredicate": { "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "dataId": { + "type": "string" + }, + "negated": { + "type": "boolean" + }, + "type": { + "type": "string" } }, "type": "object", "required": [ - "name" + "dataId", + "negated", + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument": { + "aws:waf/RegexMatchSetRegexMatchTuple:RegexMatchSetRegexMatchTuple": { "properties": { - "name": { + "fieldToMatch": { + "$ref": "#/types/aws:waf/RegexMatchSetRegexMatchTupleFieldToMatch:RegexMatchSetRegexMatchTupleFieldToMatch", + "description": "The part of a web request that you want to search, such as a specified header or a query string.\n" + }, + "regexPatternSetId": { "type": "string", - "description": "Name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "description": "The ID of a Regex Pattern Set.\n" + }, + "textTransformation": { + "type": "string", + "description": "Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.\ne.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchTuple.html#WAF-Type-ByteMatchTuple-TextTransformation)\nfor all supported values.\n" } }, "type": "object", "required": [ - "name" + "fieldToMatch", + "regexPatternSetId", + "textTransformation" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation": { + "aws:waf/RegexMatchSetRegexMatchTupleFieldToMatch:RegexMatchSetRegexMatchTupleFieldToMatch": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "data": { + "type": "string", + "description": "When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`.\nIf `type` is any other value, omit this field.\n" }, "type": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The part of the web request that you want AWS WAF to search for a specified string.\ne.g., `HEADER`, `METHOD` or `BODY`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_FieldToMatch.html)\nfor all supported values.\n" } }, "type": "object", "required": [ - "priority", "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatement": { + "aws:waf/RuleGroupActivatedRule:RuleGroupActivatedRule": { "properties": { - "comparisonOperator": { - "type": "string", - "description": "Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.\n" + "action": { + "$ref": "#/types/aws:waf/RuleGroupActivatedRuleAction:RuleGroupActivatedRuleAction" }, - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" + "priority": { + "type": "integer" }, - "size": { - "type": "integer", - "description": "Size, in bytes, to compare to the request part, after any transformations. 
Valid values are integers between 0 and 21474836480, inclusive.\n" + "ruleId": { + "type": "string" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `text_transformation` below for details.\n" + "type": { + "type": "string" } }, "type": "object", "required": [ - "comparisonOperator", - "size", - "textTransformations" + "action", + "priority", + "ruleId" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatch": { + "aws:waf/RuleGroupActivatedRuleAction:RuleGroupActivatedRuleAction": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. 
See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. 
See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" - }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "type": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "required": [ + "type" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody": { + "aws:waf/RulePredicate:RulePredicate": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "dataId": { + "type": "string" + }, + "negated": { + "type": "boolean" + }, + "type": { + "type": "string" } }, - "type": "object" + "type": "object", + "required": [ + "dataId", + "negated", + "type" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies": { + "aws:waf/SizeConstraintSetSizeConstraint:SizeConstraintSetSizeConstraint": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" + "comparisonOperator": { + "type": "string" }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "fieldToMatch": { + "$ref": "#/types/aws:waf/SizeConstraintSetSizeConstraintFieldToMatch:SizeConstraintSetSizeConstraintFieldToMatch" }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. 
The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "size": { + "type": "integer" + }, + "textTransformation": { + "type": "string" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "comparisonOperator", + "fieldToMatch", + "size", + "textTransformation" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern": { + "aws:waf/SizeConstraintSetSizeConstraintFieldToMatch:SizeConstraintSetSizeConstraintFieldToMatch": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "data": { + "type": "string" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "type": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "type" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader": { + "aws:waf/SqlInjectionMatchSetSqlInjectionMatchTuple:SqlInjectionMatchSetSqlInjectionMatchTuple": { "properties": { - 
"matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "fieldToMatch": { + "$ref": "#/types/aws:waf/SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch:SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch", + "description": "Specifies where in a web request to look for snippets of malicious SQL code.\n" }, - "oversizeHandling": { + "textTransformation": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.\nIf you specify a transformation, AWS WAF performs the transformation on `field_to_match` before inspecting a request for a match.\ne.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_SqlInjectionMatchTuple.html#WAF-Type-SqlInjectionMatchTuple-TextTransformation)\nfor all supported values.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "fieldToMatch", + "textTransformation" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern": { + "aws:waf/SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch:SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "data": { + "type": "string" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that 
matches one of the provided values.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "type": { + "type": "string" } }, "type": "object", "required": [ - "oversizeHandling" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint": { + "aws:waf/WebAclDefaultAction:WebAclDefaultAction": { "properties": { - "fallbackBehavior": { + "type": { "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. 
Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the `rules`.\ne.g., `ALLOW` or `BLOCK`\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody": { + "aws:waf/WebAclLoggingConfiguration:WebAclLoggingConfiguration": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" - }, - "matchScope": { + "logDestination": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream\n" }, - "oversizeHandling": { - "type": "string", - "description": "What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "redactedFields": { + "$ref": "#/types/aws:waf/WebAclLoggingConfigurationRedactedFields:WebAclLoggingConfigurationRedactedFields", + "description": "Configuration block containing parts of the request that you want redacted from the logs. Detailed below.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "logDestination" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern": { + "aws:waf/WebAclLoggingConfigurationRedactedFields:WebAclLoggingConfigurationRedactedFields": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll" - }, - "includedPaths": { + "fieldToMatches": { "type": "array", "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString": { - "type": "object" - }, - 
"aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader": { - "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "$ref": "#/types/aws:waf/WebAclLoggingConfigurationRedactedFieldsFieldToMatch:WebAclLoggingConfigurationRedactedFieldsFieldToMatch" + }, + "description": "Set of configuration blocks for fields to redact. Detailed below.\n" } }, "type": "object", "required": [ - "name" + "fieldToMatches" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument": { + "aws:waf/WebAclLoggingConfigurationRedactedFieldsFieldToMatch:WebAclLoggingConfigurationRedactedFieldsFieldToMatch": { "properties": { - "name": { + "data": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. 
If the value of `type` is any other value, omit `data`.\n" + }, + "type": { + "type": "string", + "description": "The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD`\n" } }, "type": "object", "required": [ - "name" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementTextTransformation": { + "aws:waf/WebAclRule:WebAclRule": { "properties": { + "action": { + "$ref": "#/types/aws:waf/WebAclRuleAction:WebAclRuleAction", + "description": "The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`.\n" + }, + "overrideAction": { + "$ref": "#/types/aws:waf/WebAclRuleOverrideAction:WebAclRuleOverrideAction", + "description": "Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if `type` is `GROUP`.\n" + }, "priority": { "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "description": "Specifies the order in which the rules in a WebACL are evaluated.\nRules with a lower value are evaluated before rules with a higher value.\n" + }, + "ruleId": { + "type": "string", + "description": "ID of the associated WAF (Global) rule (e.g., `aws.waf.Rule`). 
WAF (Regional) rules cannot be used.\n" }, "type": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html), or `GROUP`, as defined by [RuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. If you add a GROUP rule, you need to set `type` as `GROUP`.\n" } }, "type": "object", "required": [ "priority", - "type" + "ruleId" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatement": { + "aws:waf/WebAclRuleAction:WebAclRuleAction": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" - }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. 
See `text_transformation` below for details.\n" + "type": { + "type": "string", + "description": "valid values are: `BLOCK`, `ALLOW`, or `COUNT`\n" } }, "type": "object", "required": [ - "textTransformations" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatch": { + "aws:waf/WebAclRuleOverrideAction:WebAclRuleOverrideAction": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. 
See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" - }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "type": { + "type": "string", + "description": "valid values are: `NONE` or `COUNT`\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "required": [ + "type" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchBody": { + "aws:waf/XssMatchSetXssMatchTuple:XssMatchSetXssMatchTuple": { "properties": { - "oversizeHandling": { + "fieldToMatch": { + "$ref": "#/types/aws:waf/XssMatchSetXssMatchTupleFieldToMatch:XssMatchSetXssMatchTupleFieldToMatch", + "description": "Specifies where in a web request to look for cross-site scripting attacks.\n" + }, + "textTransformation": { "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.\nIf you specify a transformation, AWS WAF performs the transformation on `target_string` before inspecting a request for a match.\ne.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_XssMatchTuple.html#WAF-Type-XssMatchTuple-TextTransformation)\nfor all supported values.\n" } }, - "type": "object" + "type": "object", + "required": [ + "fieldToMatch", + "textTransformation" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies": { + "aws:waf/XssMatchSetXssMatchTupleFieldToMatch:XssMatchSetXssMatchTupleFieldToMatch": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE`\n" + "data": { + "type": "string" }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "type": { + "type": "string" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:wafregional/ByteMatchSetByteMatchTuple:ByteMatchSetByteMatchTuple": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll" + "fieldToMatch": { + "$ref": "#/types/aws:wafregional/ByteMatchSetByteMatchTupleFieldToMatch:ByteMatchSetByteMatchTupleFieldToMatch", + "description": "Settings for the ByteMatchTuple. FieldToMatch documented below.\n" }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "positionalConstraint": { + "type": "string", + "description": "Within the portion of a web request that you want to search.\n" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "targetString": { + "type": "string", + "description": "The value that you want AWS WAF to search for. 
The maximum length of the value is 50 bytes.\n" + }, + "textTransformation": { + "type": "string", + "description": "The formatting way for web request.\n\nFieldToMatch(field_to_match) support following:\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "fieldToMatch", + "positionalConstraint", + "textTransformation" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader": { + "aws:wafregional/ByteMatchSetByteMatchTupleFieldToMatch:ByteMatchSetByteMatchTupleFieldToMatch": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { + "data": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "When the value of Type is HEADER, enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer. 
If the value of Type is any other value, omit Data.\n" }, - "oversizeHandling": { + "type": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "The part of the web request that you want AWS WAF to search for a specified string.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:wafregional/GeoMatchSetGeoMatchConstraint:GeoMatchSetGeoMatchConstraint": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "type": { + "type": "string" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "value": { + "type": "string" } }, - "type": "object" - }, - 
"aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "type", + "value" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder": { + "aws:wafregional/IpSetIpSetDescriptor:IpSetIpSetDescriptor": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "type": { + "type": "string" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "oversizeHandling" + "type", + "value" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint": { + "aws:wafregional/RateBasedRulePredicate:RateBasedRulePredicate": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. 
Valid values include: `MATCH` or `NO_MATCH`.\n" + "dataId": { + "type": "string" + }, + "negated": { + "type": "boolean" + }, + "type": { + "type": "string" } }, "type": "object", "required": [ - "fallbackBehavior" + "dataId", + "negated", + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody": { + "aws:wafregional/RegexMatchSetRegexMatchTuple:RegexMatchSetRegexMatchTuple": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "fieldToMatch": { + "$ref": "#/types/aws:wafregional/RegexMatchSetRegexMatchTupleFieldToMatch:RegexMatchSetRegexMatchTupleFieldToMatch", + "description": "The part of a web request that you want to search, such as a specified header or a query string.\n" }, - "matchScope": { + "regexPatternSetId": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "The ID of a Regex Pattern Set.\n" }, - "oversizeHandling": { + "textTransformation": { "type": "string", - "description": "What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.\ne.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchTuple.html#WAF-Type-ByteMatchTuple-TextTransformation)\nfor all supported values.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "fieldToMatch", + "regexPatternSetId", + "textTransformation" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:wafregional/RegexMatchSetRegexMatchTupleFieldToMatch:RegexMatchSetRegexMatchTupleFieldToMatch": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "data": { + "type": "string", + "description": "When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`.\nIf `type` is any other value, omit this field.\n" }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "type": { + "type": "string", + "description": "The part of the web request that you want AWS WAF to search for a specified string.\ne.g., `HEADER`, `METHOD` or `BODY`.\nSee [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_FieldToMatch.html)\nfor all supported values.\n" } }, - "type": "object" - }, - 
"aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString": { - "type": "object" + "type": "object", + "required": [ + "type" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader": { + "aws:wafregional/RuleGroupActivatedRule:RuleGroupActivatedRule": { "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "action": { + "$ref": "#/types/aws:wafregional/RuleGroupActivatedRuleAction:RuleGroupActivatedRuleAction" + }, + "priority": { + "type": "integer" + }, + "ruleId": { + "type": "string" + }, + "type": { + "type": "string" } }, "type": "object", "required": [ - "name" + "action", + "priority", + "ruleId" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument": { + "aws:wafregional/RuleGroupActivatedRuleAction:RuleGroupActivatedRuleAction": { "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "type": { + "type": "string" } }, "type": "object", "required": [ - "name" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementTextTransformation": { + "aws:wafregional/RulePredicate:RulePredicate": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "dataId": { + "type": "string" + }, + "negated": { + "type": "boolean" }, "type": { - "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "type": "string" } }, "type": "object", "required": [ - "priority", + "dataId", + "negated", "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatement:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatement": { + "aws:wafregional/SizeConstraintSetSizeConstraint:SizeConstraintSetSizeConstraint": { "properties": { + "comparisonOperator": { + "type": "string" + }, "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. 
See `field_to_match` below for details.\n" + "$ref": "#/types/aws:wafregional/SizeConstraintSetSizeConstraintFieldToMatch:SizeConstraintSetSizeConstraintFieldToMatch" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `text_transformation` below for details.\n" + "size": { + "type": "integer" + }, + "textTransformation": { + "type": "string" } }, "type": "object", "required": [ - "textTransformations" + "comparisonOperator", + "fieldToMatch", + "size", + "textTransformation" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatch:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatch": { + "aws:wafregional/SizeConstraintSetSizeConstraintFieldToMatch:SizeConstraintSetSizeConstraintFieldToMatch": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. 
See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. 
See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "data": { + "type": "string" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "type": { + "type": "string" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "required": [ + "type" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchBody": { + "aws:wafregional/SqlInjectionMatchSetSqlInjectionMatchTuple:SqlInjectionMatchSetSqlInjectionMatchTuple": { "properties": { - "oversizeHandling": { + "fieldToMatch": { + "$ref": "#/types/aws:wafregional/SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch:SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch", + "description": "Specifies where in a web request to look for snippets of malicious SQL code.\n" + }, + "textTransformation": { "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF.\nIf you specify a transformation, AWS WAF performs the transformation on `field_to_match` before inspecting a request for a match.\ne.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`.\nSee [docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_SqlInjectionMatchTuple.html#WAF-Type-regional_SqlInjectionMatchTuple-TextTransformation)\nfor all supported values.\n" } }, - "type": "object" + "type": "object", + "required": [ + "fieldToMatch", + "textTransformation" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookies:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookies": { + "aws:wafregional/SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch:SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { + "data": { "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`.\nIf `type` is any other value, omit this field.\n" }, - "oversizeHandling": { + "type": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "The part of the web request that you want AWS WAF to search for a specified string.\ne.g., `HEADER`, `METHOD` or `BODY`.\nSee [docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_FieldToMatch.html)\nfor all supported values.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:wafregional/WebAclDefaultAction:WebAclDefaultAction": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } - }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } + "type": { + "type": "string", + "description": "Specifies how you want AWS WAF Regional to respond to requests that match the settings in a ruleE.g., `ALLOW`, `BLOCK` or `COUNT`\n" } }, - "type": 
"object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "type" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeader": { + "aws:wafregional/WebAclLoggingConfiguration:WebAclLoggingConfiguration": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { + "logDestination": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream\n" }, - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "redactedFields": { + "$ref": "#/types/aws:wafregional/WebAclLoggingConfigurationRedactedFields:WebAclLoggingConfigurationRedactedFields", + "description": "Configuration block containing parts of the request that you want redacted from the logs. Detailed below.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "logDestination" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:wafregional/WebAclLoggingConfigurationRedactedFields:WebAclLoggingConfigurationRedactedFields": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" - }, - "includedHeaders": { + "fieldToMatches": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:wafregional/WebAclLoggingConfigurationRedactedFieldsFieldToMatch:WebAclLoggingConfigurationRedactedFieldsFieldToMatch" }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" - } - }, - "type": "object" - }, - 
"aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Set of configuration blocks for fields to redact. Detailed below.\n" } }, "type": "object", "required": [ - "oversizeHandling" + "fieldToMatches" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint": { + "aws:wafregional/WebAclLoggingConfigurationRedactedFieldsFieldToMatch:WebAclLoggingConfigurationRedactedFieldsFieldToMatch": { "properties": { - "fallbackBehavior": { + "data": { "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. 
If the value of `type` is any other value, omit `data`.\n" + }, + "type": { + "type": "string", + "description": "The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD`\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody": { + "aws:wafregional/WebAclRule:WebAclRule": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" + "action": { + "$ref": "#/types/aws:wafregional/WebAclRuleAction:WebAclRuleAction", + "description": "Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`. Detailed below.\n" }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "overrideAction": { + "$ref": "#/types/aws:wafregional/WebAclRuleOverrideAction:WebAclRuleOverrideAction", + "description": "Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if `type` is `GROUP`. 
Detailed below.\n" }, - "matchScope": { + "priority": { + "type": "integer", + "description": "Specifies the order in which the rules in a WebACL are evaluated.\nRules with a lower value are evaluated before rules with a higher value.\n" + }, + "ruleId": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "ID of the associated WAF (Regional) rule (e.g., `aws.wafregional.Rule`). WAF (Global) rules cannot be used.\n" }, - "oversizeHandling": { + "type": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html), or `GROUP`, as defined by [RuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. 
If you add a GROUP rule, you need to set `type` as `GROUP`.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "priority", + "ruleId" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:wafregional/WebAclRuleAction:WebAclRuleAction": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll" - }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "type": { + "type": "string", + "description": "Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for `action` are `ALLOW`, `BLOCK` or `COUNT`. 
Valid values for `override_action` are `COUNT` and `NONE`.\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchMethod:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString": { - "type": "object" + "type": "object", + "required": [ + "type" + ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader": { + "aws:wafregional/WebAclRuleOverrideAction:WebAclRuleOverrideAction": { "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "type": { + "type": "string" } }, "type": "object", "required": [ - "name" + "type" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument": { + "aws:wafregional/XssMatchSetXssMatchTuple:XssMatchSetXssMatchTuple": { "properties": { - "name": { + "fieldToMatch": { + "$ref": "#/types/aws:wafregional/XssMatchSetXssMatchTupleFieldToMatch:XssMatchSetXssMatchTupleFieldToMatch", + "description": "Specifies where in a web request to look for cross-site scripting attacks.\n" + }, + "textTransformation": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "Which text transformation, if any, to perform on the web request before inspecting the request for cross-site scripting attacks.\n" } }, "type": "object", "required": [ - "name" + "fieldToMatch", + "textTransformation" ] }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementTextTransformation:WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementTextTransformation": { + "aws:wafregional/XssMatchSetXssMatchTupleFieldToMatch:XssMatchSetXssMatchTupleFieldToMatch": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "data": { + "type": "string", + "description": "When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`.\n" }, "type": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD`\n" } }, "type": "object", "required": [ - "priority", "type" ] }, - "aws:wafv2/WebAclRuleStatementNotStatement:WebAclRuleStatementNotStatement": { + "aws:wafv2/RegexPatternSetRegularExpression:RegexPatternSetRegularExpression": { "properties": { - "statements": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" - }, - "description": "The statements to combine." + "regexString": { + "type": "string", + "description": "The string representing the regular expression, see the AWS WAF [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-regex-pattern-set-creating.html) for more information.\n" } }, "type": "object", "required": [ - "statements" + "regexString" ] }, - "aws:wafv2/WebAclRuleStatementOrStatement:WebAclRuleStatementOrStatement": { + "aws:wafv2/RuleGroupCustomResponseBody:RuleGroupCustomResponseBody": { "properties": { - "statements": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" - }, - "description": "The statements to combine." 
+ "content": { + "type": "string", + "description": "The payload of the custom response.\n" + }, + "contentType": { + "type": "string", + "description": "The type of content in the payload that you are defining in the `content` argument. Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`.\n" + }, + "key": { + "type": "string", + "description": "A unique key identifying the custom response body. This is referenced by the `custom_response_body_key` argument in the Custom Response block.\n" } }, "type": "object", "required": [ - "statements" + "content", + "contentType", + "key" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatement:WebAclRuleStatementRateBasedStatement": { + "aws:wafv2/RuleGroupRule:RuleGroupRule": { "properties": { - "aggregateKeyType": { + "action": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleAction:RuleGroupRuleAction", + "description": "The action that AWS WAF should take on a web request when it matches the rule's statement. Settings at the `aws.wafv2.WebAcl` level can override the rule action setting. See Action below for details.\n" + }, + "captchaConfig": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleCaptchaConfig:RuleGroupRuleCaptchaConfig", + "description": "Specifies how AWS WAF should handle CAPTCHA evaluations. See Captcha Configuration below for details.\n" + }, + "name": { "type": "string", - "description": "Setting that indicates how to aggregate the request counts. Valid values include: `CONSTANT`, `CUSTOM_KEYS`, `FORWARDED_IP`, or `IP`. Default: `IP`.\n" + "description": "A friendly name of the rule.\n" }, - "customKeys": { + "priority": { + "type": "integer", + "description": "If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. 
AWS WAF processes rules with lower priority first.\n" + }, + "ruleLabels": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKey:WebAclRuleStatementRateBasedStatementCustomKey" + "$ref": "#/types/aws:wafv2/RuleGroupRuleRuleLabel:RuleGroupRuleRuleLabel" }, - "description": "Aggregate the request counts using one or more web request components as the aggregate keys. See `custom_key` below for details.\n" - }, - "evaluationWindowSec": { - "type": "integer", - "description": "The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Valid values are `60`, `120`, `300`, and `600`. Defaults to `300` (5 minutes).\n\n**NOTE:** This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds.\n" - }, - "forwardedIpConfig": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementForwardedIpConfig:WebAclRuleStatementRateBasedStatementForwardedIpConfig", - "description": "Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregate_key_type` is set to `FORWARDED_IP`, this block is required. See `forwarded_ip_config` below for details.\n" + "description": "Labels to apply to web requests that match the rule match statement. See Rule Label below for details.\n" }, - "limit": { - "type": "integer", - "description": "Limit on requests per 5-minute period for a single originating IP address.\n" + "statement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement", + "description": "The AWS WAF processing statement for the rule, for example `byte_match_statement` or `geo_match_statement`. 
See Statement below for details.\n" }, - "scopeDownStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatement:WebAclRuleStatementRateBasedStatementScopeDownStatement", - "description": "Optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See `statement` above for details. If `aggregate_key_type` is set to `CONSTANT`, this block is required.\n" + "visibilityConfig": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleVisibilityConfig:RuleGroupRuleVisibilityConfig", + "description": "Defines and enables Amazon CloudWatch metrics and web request sample collection. See Visibility Configuration below for details.\n" } }, "type": "object", "required": [ - "limit" + "action", + "name", + "priority", + "statement", + "visibilityConfig" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKey:WebAclRuleStatementRateBasedStatementCustomKey": { + "aws:wafv2/RuleGroupRuleAction:RuleGroupRuleAction": { "properties": { - "cookie": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyCookie:WebAclRuleStatementRateBasedStatementCustomKeyCookie", - "description": "Use the value of a cookie in the request as an aggregate key. See RateLimit `cookie` below for details.\n" - }, - "forwardedIp": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyForwardedIp:WebAclRuleStatementRateBasedStatementCustomKeyForwardedIp", - "description": "Use the first IP address in an HTTP header as an aggregate key. See `forwarded_ip` below for details.\n" - }, - "header": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyHeader:WebAclRuleStatementRateBasedStatementCustomKeyHeader", - "description": "Use the value of a header in the request as an aggregate key. 
See RateLimit `header` below for details.\n" - }, - "httpMethod": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyHttpMethod:WebAclRuleStatementRateBasedStatementCustomKeyHttpMethod", - "description": "Use the request's HTTP method as an aggregate key. See RateLimit `http_method` below for details.\n" - }, - "ip": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp", - "description": "Use the request's originating IP address as an aggregate key. See `RateLimit ip` below for details.\n" + "allow": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionAllow:RuleGroupRuleActionAllow", + "description": "Instructs AWS WAF to allow the web request. See Allow below for details.\n" }, - "labelNamespace": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace:WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace", - "description": "Use the specified label namespace as an aggregate key. See RateLimit `label_namespace` below for details.\n" + "block": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionBlock:RuleGroupRuleActionBlock", + "description": "Instructs AWS WAF to block the web request. See Block below for details.\n" }, - "queryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument:WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument", - "description": "Use the specified query argument as an aggregate key. See RateLimit `query_argument` below for details.\n" + "captcha": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCaptcha:RuleGroupRuleActionCaptcha", + "description": "Instructs AWS WAF to run a `CAPTCHA` check against the web request. 
See Captcha below for details.\n" }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyQueryString:WebAclRuleStatementRateBasedStatementCustomKeyQueryString", - "description": "Use the request's query string as an aggregate key. See RateLimit `query_string` below for details.\n" + "challenge": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionChallenge:RuleGroupRuleActionChallenge", + "description": "Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See Challenge below for details.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyUriPath:WebAclRuleStatementRateBasedStatementCustomKeyUriPath", - "description": "Use the request's URI path as an aggregate key. See RateLimit `uri_path` below for details.\n" + "count": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCount:RuleGroupRuleActionCount", + "description": "Instructs AWS WAF to count the web request and allow it. See Count below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyCookie:WebAclRuleStatementRateBasedStatementCustomKeyCookie": { + "aws:wafv2/RuleGroupRuleActionAllow:RuleGroupRuleActionAllow": { "properties": { - "name": { - "type": "string", - "description": "The name of the cookie to use.\n" - }, - "textTransformations": { + "customRequestHandling": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionAllowCustomRequestHandling:RuleGroupRuleActionAllowCustomRequestHandling", + "description": "Defines custom handling for the web request. 
See Custom Request Handling below for details.\n" + } + }, + "type": "object" + }, + "aws:wafv2/RuleGroupRuleActionAllowCustomRequestHandling:RuleGroupRuleActionAllowCustomRequestHandling": { + "properties": { + "insertHeaders": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyCookieTextTransformation:WebAclRuleStatementRateBasedStatementCustomKeyCookieTextTransformation" + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader:RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `text_transformation` above for details.\n" + "description": "The `insert_header` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details.\n" } }, "type": "object", "required": [ - "name", - "textTransformations" + "insertHeaders" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyCookieTextTransformation:WebAclRuleStatementRateBasedStatementCustomKeyCookieTextTransformation": { + "aws:wafv2/RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader:RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { + "name": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "A friendly name of the rule group.\n" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "priority", - "type" + "name", + "value" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyForwardedIp:WebAclRuleStatementRateBasedStatementCustomKeyForwardedIp": { + "aws:wafv2/RuleGroupRuleActionBlock:RuleGroupRuleActionBlock": { + "properties": { + "customResponse": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionBlockCustomResponse:RuleGroupRuleActionBlockCustomResponse", + "description": "Defines a custom response for the web request. See Custom Response below for details.\n" + } + }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyHeader:WebAclRuleStatementRateBasedStatementCustomKeyHeader": { + "aws:wafv2/RuleGroupRuleActionBlockCustomResponse:RuleGroupRuleActionBlockCustomResponse": { "properties": { - "name": { + "customResponseBodyKey": { "type": "string", - "description": "The name of the header to use.\n" + "description": "References the response body that you want AWS WAF to return to the web request client. 
This must reference a `key` defined in a `custom_response_body` block of this resource.\n" }, - "textTransformations": { + "responseCode": { + "type": "integer", + "description": "The HTTP status code to return to the client.\n" + }, + "responseHeaders": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation:WebAclRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation" + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionBlockCustomResponseResponseHeader:RuleGroupRuleActionBlockCustomResponseResponseHeader" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `text_transformation` above for details.\n" + "description": "The `response_header` blocks used to define the HTTP response headers added to the response. See Custom HTTP Header below for details.\n" } }, "type": "object", "required": [ - "name", - "textTransformations" + "responseCode" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation:WebAclRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation": { + "aws:wafv2/RuleGroupRuleActionBlockCustomResponseResponseHeader:RuleGroupRuleActionBlockCustomResponseResponseHeader": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { + "name": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "A friendly name of the rule group.\n" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "priority", - "type" + "name", + "value" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyHttpMethod:WebAclRuleStatementRateBasedStatementCustomKeyHttpMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp": { + "aws:wafv2/RuleGroupRuleActionCaptcha:RuleGroupRuleActionCaptcha": { + "properties": { + "customRequestHandling": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCaptchaCustomRequestHandling:RuleGroupRuleActionCaptchaCustomRequestHandling", + "description": "Defines custom handling for the web request. See Custom Request Handling below for details.\n" + } + }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace:WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace": { + "aws:wafv2/RuleGroupRuleActionCaptchaCustomRequestHandling:RuleGroupRuleActionCaptchaCustomRequestHandling": { "properties": { - "namespace": { - "type": "string", - "description": "The namespace to use for aggregation\n" + "insertHeaders": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader:RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader" + }, + "description": "The `insert_header` blocks used to define HTTP headers added to the request. 
See Custom HTTP Header below for details.\n" } }, "type": "object", "required": [ - "namespace" + "insertHeaders" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument:WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument": { + "aws:wafv2/RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader:RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader": { "properties": { "name": { "type": "string", - "description": "The name of the query argument to use.\n" + "description": "A friendly name of the rule group.\n" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation:WebAclRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `text_transformation` above for details.\n" + "value": { + "type": "string" } }, "type": "object", "required": [ "name", - "textTransformations" + "value" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation:WebAclRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation": { + "aws:wafv2/RuleGroupRuleActionChallenge:RuleGroupRuleActionChallenge": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { - "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "customRequestHandling": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionChallengeCustomRequestHandling:RuleGroupRuleActionChallengeCustomRequestHandling", + "description": "Defines custom handling for the web request. See Custom Request Handling below for details.\n" } }, - "type": "object", - "required": [ - "priority", - "type" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyQueryString:WebAclRuleStatementRateBasedStatementCustomKeyQueryString": { + "aws:wafv2/RuleGroupRuleActionChallengeCustomRequestHandling:RuleGroupRuleActionChallengeCustomRequestHandling": { "properties": { - "textTransformations": { + "insertHeaders": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation:WebAclRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation" + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader:RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `text_transformation` above for details.\n" + "description": "The `insert_header` blocks used to define HTTP headers added to the request. 
See Custom HTTP Header below for details.\n" } }, "type": "object", "required": [ - "textTransformations" + "insertHeaders" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation:WebAclRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation": { + "aws:wafv2/RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader:RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { + "name": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "A friendly name of the rule group.\n" + }, + "value": { + "type": "string" } }, "type": "object", "required": [ - "priority", - "type" + "name", + "value" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyUriPath:WebAclRuleStatementRateBasedStatementCustomKeyUriPath": { + "aws:wafv2/RuleGroupRuleActionCount:RuleGroupRuleActionCount": { "properties": { - "textTransformations": { + "customRequestHandling": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCountCustomRequestHandling:RuleGroupRuleActionCountCustomRequestHandling", + "description": "Defines custom handling for the web request. 
See Custom Request Handling below for details.\n" + } + }, + "type": "object" + }, + "aws:wafv2/RuleGroupRuleActionCountCustomRequestHandling:RuleGroupRuleActionCountCustomRequestHandling": { + "properties": { + "insertHeaders": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation:WebAclRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation" + "$ref": "#/types/aws:wafv2/RuleGroupRuleActionCountCustomRequestHandlingInsertHeader:RuleGroupRuleActionCountCustomRequestHandlingInsertHeader" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `text_transformation` above for details.\n" + "description": "The `insert_header` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details.\n" } }, "type": "object", "required": [ - "textTransformations" + "insertHeaders" + ] + }, + "aws:wafv2/RuleGroupRuleActionCountCustomRequestHandlingInsertHeader:RuleGroupRuleActionCountCustomRequestHandlingInsertHeader": { + "properties": { + "name": { + "type": "string", + "description": "A friendly name of the rule group.\n" + }, + "value": { + "type": "string" + } + }, + "type": "object", + "required": [ + "name", + "value" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation:WebAclRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation": { + "aws:wafv2/RuleGroupRuleCaptchaConfig:RuleGroupRuleCaptchaConfig": { + "properties": { + "immunityTimeProperty": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleCaptchaConfigImmunityTimeProperty:RuleGroupRuleCaptchaConfigImmunityTimeProperty", + "description": "Defines custom immunity time. 
See Immunity Time Property below for details.\n" + } + }, + "type": "object" + }, + "aws:wafv2/RuleGroupRuleCaptchaConfigImmunityTimeProperty:RuleGroupRuleCaptchaConfigImmunityTimeProperty": { "properties": { - "priority": { + "immunityTime": { "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { - "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.\n" } }, - "type": "object", - "required": [ - "priority", - "type" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementForwardedIpConfig:WebAclRuleStatementRateBasedStatementForwardedIpConfig": { + "aws:wafv2/RuleGroupRuleRuleLabel:RuleGroupRuleRuleLabel": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. 
Valid values include: `MATCH` or `NO_MATCH`.\n" - }, - "headerName": { + "name": { "type": "string", - "description": "Name of the HTTP header to use for the IP address.\n" + "description": "The label string.\n" } }, "type": "object", "required": [ - "fallbackBehavior", - "headerName" + "name" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatement:WebAclRuleStatementRateBasedStatementScopeDownStatement": { + "aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement": { "properties": { "andStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementAndStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementAndStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementAndStatement:RuleGroupRuleStatementAndStatement", + "description": "A logical rule statement used to combine other rule statements with AND logic. See AND Statement below for details.\n" }, "byteMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatement:RuleGroupRuleStatementByteMatchStatement", + "description": "A rule statement that defines a string match search for AWS WAF to apply to web requests. See Byte Match Statement below for details.\n" }, "geoMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementGeoMatchStatement:RuleGroupRuleStatementGeoMatchStatement", + "description": "A rule statement used to identify web requests based on country of origin. 
See GEO Match Statement below for details.\n" }, "ipSetReferenceStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementIpSetReferenceStatement:RuleGroupRuleStatementIpSetReferenceStatement", + "description": "A rule statement used to detect web requests coming from particular IP addresses or address ranges. See IP Set Reference Statement below for details.\n" }, "labelMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementLabelMatchStatement:RuleGroupRuleStatementLabelMatchStatement", + "description": "A rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See Label Match Statement below for details.\n" }, "notStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementNotStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementNotStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementNotStatement:RuleGroupRuleStatementNotStatement", + "description": "A logical rule statement used to negate the results of another rule statement. See NOT Statement below for details.\n" }, "orStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementOrStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementOrStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementOrStatement:RuleGroupRuleStatementOrStatement", + "description": "A logical rule statement used to combine other rule statements with OR logic. 
See OR Statement below for details.\n" + }, + "rateBasedStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatement:RuleGroupRuleStatementRateBasedStatement", + "description": "A rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See Rate Based Statement below for details.\n" }, "regexMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatement:RuleGroupRuleStatementRegexMatchStatement", + "description": "A rule statement used to search web request components for a match against a single regular expression. See Regex Match Statement below for details.\n" }, "regexPatternSetReferenceStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatement:RuleGroupRuleStatementRegexPatternSetReferenceStatement", + "description": "A rule statement used to search web request components for matches with regular expressions. 
See Regex Pattern Set Reference Statement below for details.\n" }, "sizeConstraintStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatement:RuleGroupRuleStatementSizeConstraintStatement", + "description": "A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (\u003e) or less than (\u003c). See Size Constraint Statement below for more details.\n" }, "sqliMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatement:RuleGroupRuleStatementSizeConstraintStatement", + "description": "An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See SQL Injection Match Statement below for details.\n" }, "xssMatchStatement": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatement:RuleGroupRuleStatementSizeConstraintStatement", + "description": "A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. 
See XSS Match Statement below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementAndStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementAndStatement": { + "aws:wafv2/RuleGroupRuleStatementAndStatement:RuleGroupRuleStatementAndStatement": { "properties": { "statements": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement" }, - "description": "The statements to combine." + "description": "The statements to combine with `AND` logic. You can use any statements that can be nested. See Statement above for details.\n" } }, "type": "object", 
@@ -154247,26 +143789,26 @@ "statements" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement": { + "aws:wafv2/RuleGroupRuleStatementByteMatchStatement:RuleGroupRuleStatementByteMatchStatement": { "properties": { "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatch:RuleGroupRuleStatementXssMatchStatementFieldToMatch", + "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" }, "positionalConstraint": { "type": "string", - "description": "Area within the portion of a web request that you want AWS WAF to search for `search_string`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information.\n" + "description": "The area within the portion of a web request that you want AWS WAF to search for `search_string`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information.\n" }, "searchString": { "type": "string", - "description": "String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`. The maximum length of the value is 50 bytes.\n" + "description": "A string value that you want AWS WAF to search for. 
AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`. The maximum length of the value is 50 bytes.\n" }, "textTransformations": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementTextTransformation:RuleGroupRuleStatementXssMatchStatementTextTransformation" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `text_transformation` below for details.\n" + "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" } }, "type": "object", 
@@ -154276,511 +143818,411 @@ "textTransformations" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch": { + "aws:wafv2/RuleGroupRuleStatementGeoMatchStatement:RuleGroupRuleStatementGeoMatchStatement": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. 
See `header_order` below for details.\n" - }, - "headers": { + "countryCodes": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader" + "type": "string" }, - "description": "Inspect the request headers. See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. 
This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "description": "An array of two-character country codes, for example, [ \"US\", \"CN\" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "forwardedIpConfig": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig", + "description": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. 
See Forwarded IP Config below for details.\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "required": [ + "countryCodes" + ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody": { + "aws:wafv2/RuleGroupRuleStatementIpSetReferenceStatement:RuleGroupRuleStatementIpSetReferenceStatement": { "properties": { - "oversizeHandling": { + "arn": { "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "The Amazon Resource Name (ARN) of the IP Set that this statement references.\n" + }, + "ipSetForwardedIpConfig": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig", + "description": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. 
See IPSet Forwarded IP Config below for more details.\n" } }, - "type": "object" + "type": "object", + "required": [ + "arn" + ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies": { + "aws:wafv2/RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" + "fallbackBehavior": { + "type": "string", + "description": "The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`.\n" }, - "matchScope": { + "headerName": { "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "The name of the HTTP header to use for the IP address.\n" }, - "oversizeHandling": { + "position": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. 
The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "The position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "fallbackBehavior", + "headerName", + "position" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } - }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader": { + "aws:wafv2/RuleGroupRuleStatementLabelMatchStatement:RuleGroupRuleStatementLabelMatchStatement": { "properties": { - "matchPattern": { - "$ref": 
"#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { + "key": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "The string to match against.\n" }, - "oversizeHandling": { + "scope": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Specify whether you want to match using the label name or just the namespace. 
Valid values are `LABEL` or `NAMESPACE`.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "key", + "scope" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:wafv2/RuleGroupRuleStatementNotStatement:RuleGroupRuleStatementNotStatement": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" - }, - "includedHeaders": { + "statements": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement" }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do 
with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "The statement to negate. You can use any statement that can be nested. See Statement above for details.\n" } }, "type": "object", "required": [ - "oversizeHandling" + "statements" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint": { + "aws:wafv2/RuleGroupRuleStatementOrStatement:RuleGroupRuleStatementOrStatement": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`.\n" + "statements": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement" + }, + "description": "The statements to combine with `OR` logic. You can use any statements that can be nested. See Statement above for details.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "statements" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody": { + "aws:wafv2/RuleGroupRuleStatementRateBasedStatement:RuleGroupRuleStatementRateBasedStatement": { "properties": { - "invalidFallbackBehavior": { + "aggregateKeyType": { "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. 
Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" + "description": "Setting that indicates how to aggregate the request counts. Valid values include: `CONSTANT`, `CUSTOM_KEYS`, `FORWARDED_IP` or `IP`. Default: `IP`.\n" }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "customKeys": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKey:RuleGroupRuleStatementRateBasedStatementCustomKey" + }, + "description": "Aggregate the request counts using one or more web request components as the aggregate keys. See `custom_key` below for details.\n" }, - "matchScope": { - "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "evaluationWindowSec": { + "type": "integer", + "description": "The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Valid values are `60`, `120`, `300`, and `600`. Defaults to `300` (5 minutes).\n\n**NOTE:** This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds.\n" }, - "oversizeHandling": { - "type": "string", - "description": "What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "forwardedIpConfig": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig", + "description": "The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregate_key_type` is set to `FORWARDED_IP`, this block is required. See Forwarded IP Config below for details.\n" + }, + "limit": { + "type": "integer", + "description": "The limit on requests per 5-minute period for a single originating IP address.\n" + }, + "scopeDownStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatement", + "description": "An optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See Statement above for details. 
If `aggregate_key_type` is set to `CONSTANT`, this block is required.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "limit" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKey:RuleGroupRuleStatementRateBasedStatementCustomKey": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "cookie": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHeader:RuleGroupRuleStatementRateBasedStatementCustomKeyHeader", + "description": "(Optional) Use the value of a cookie in the request as an aggregate key. See RateLimit `cookie` below for details.\n" }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "forwardedIp": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp", + "description": "(Optional) Use the first IP address in an HTTP header as an aggregate key. See `forwarded_ip` below for details.\n" + }, + "header": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHeader:RuleGroupRuleStatementRateBasedStatementCustomKeyHeader", + "description": "(Optional) Use the value of a header in the request as an aggregate key. See RateLimit `header` below for details.\n" + }, + "httpMethod": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp", + "description": "(Optional) Use the request's HTTP method as an aggregate key. 
See RateLimit `http_method` below for details.\n" + }, + "ip": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp", + "description": "(Optional) Use the request's originating IP address as an aggregate key. See `RateLimit ip` below for details.\n" + }, + "labelNamespace": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace:RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace", + "description": "(Optional) Use the specified label namespace as an aggregate key. See RateLimit `label_namespace` below for details.\n" + }, + "queryArgument": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHeader:RuleGroupRuleStatementRateBasedStatementCustomKeyHeader", + "description": "(Optional) Use the specified query argument as an aggregate key. See RateLimit `query_argument` below for details.\n" + }, + "queryString": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHeader:RuleGroupRuleStatementRateBasedStatementCustomKeyHeader", + "description": "(Optional) Use the request's query string as an aggregate key. See RateLimit `query_string` below for details.\n" + }, + "uriPath": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHeader:RuleGroupRuleStatementRateBasedStatementCustomKeyHeader", + "description": "(Optional) Use the request's URI path as an aggregate key. 
See RateLimit `uri_path` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader": { - "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" - } - }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument": { + "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyHeader:RuleGroupRuleStatementRateBasedStatementCustomKeyHeader": { "properties": { "name": { "type": "string", - "description": "Name of the query header to inspect. 
This setting must be provided as lower case characters.\n" - } - }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation": { - "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "description": "A friendly name of the rule group.\n" }, - "type": { - "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" - } - }, - "type": "object", - "required": [ - "priority", - "type" - ] - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement": { - "properties": { - "countryCodes": { + "textTransformations": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementTextTransformation:RuleGroupRuleStatementXssMatchStatementTextTransformation" }, - "description": "Array of two-character country codes, for example, [ \"US\", \"CN\" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. 
See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values.\n" - }, - "forwardedIpConfig": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig:WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig", - "description": "Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `forwarded_ip_config` below for details.\n" + "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details.\n" } }, "type": "object", "required": [ - "countryCodes" + "name", + "textTransformations" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig:WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig": { - "properties": { - "fallbackBehavior": { - "type": "string", - "description": "Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. 
Valid values include: `MATCH` or `NO_MATCH`.\n" - }, - "headerName": { - "type": "string", - "description": "Name of the HTTP header to use for the IP address.\n" - } - }, - "type": "object", - "required": [ - "fallbackBehavior", - "headerName" - ] + "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp": { + "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement": { + "aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace:RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace": { "properties": { - "arn": { + "namespace": { "type": "string", - "description": "The Amazon Resource Name (ARN) of the IP Set that this statement references.\n" - }, - "ipSetForwardedIpConfig": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig:WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig", - "description": "Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. 
See `ip_set_forwarded_ip_config` below for more details.\n" + "description": "The namespace to use for aggregation\n" } }, "type": "object", "required": [ - "arn" + "namespace" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig:WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig": { + "aws:wafv2/RuleGroupRuleStatementRateBasedStatementScopeDownStatement:RuleGroupRuleStatementRateBasedStatementScopeDownStatement": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`.\n" + "andStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementAndStatement:RuleGroupRuleStatementAndStatement" }, - "headerName": { - "type": "string", - "description": "Name of the HTTP header to use for the IP address.\n" + "byteMatchStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementByteMatchStatement:RuleGroupRuleStatementByteMatchStatement" }, - "position": { - "type": "string", - "description": "Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. 
If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10.\n" + "geoMatchStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementGeoMatchStatement:RuleGroupRuleStatementGeoMatchStatement" + }, + "ipSetReferenceStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementIpSetReferenceStatement:RuleGroupRuleStatementIpSetReferenceStatement" + }, + "labelMatchStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementLabelMatchStatement:RuleGroupRuleStatementLabelMatchStatement" + }, + "notStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementNotStatement:RuleGroupRuleStatementNotStatement" + }, + "orStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementOrStatement:RuleGroupRuleStatementOrStatement" + }, + "regexMatchStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexMatchStatement:RuleGroupRuleStatementRegexMatchStatement" + }, + "regexPatternSetReferenceStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatement:RuleGroupRuleStatementRegexPatternSetReferenceStatement" + }, + "sizeConstraintStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatement:RuleGroupRuleStatementSizeConstraintStatement" + }, + "sqliMatchStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatement:RuleGroupRuleStatementSizeConstraintStatement" + }, + "xssMatchStatement": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementSizeConstraintStatement:RuleGroupRuleStatementSizeConstraintStatement" } }, - "type": "object", - "required": [ - "fallbackBehavior", - "headerName", - "position" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement": { + "aws:wafv2/RuleGroupRuleStatementRegexMatchStatement:RuleGroupRuleStatementRegexMatchStatement": { "properties": { - 
"key": { - "type": "string", - "description": "String to match against.\n" + "fieldToMatch": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatch:RuleGroupRuleStatementXssMatchStatementFieldToMatch", + "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" }, - "scope": { + "regexString": { "type": "string", - "description": "Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`.\n" - } - }, - "type": "object", - "required": [ - "key", - "scope" - ] - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementNotStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementNotStatement": { - "properties": { - "statements": { + "description": "The string representing the regular expression. **Note:** The fixed quota for the maximum number of characters in each regex pattern is 200, which can't be changed. See [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) for details.\n" + }, + "textTransformations": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementTextTransformation:RuleGroupRuleStatementXssMatchStatementTextTransformation" }, - "description": "The statements to combine." 
+ "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" } }, "type": "object", "required": [ - "statements" + "regexString", + "textTransformations" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementOrStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementOrStatement": { + "aws:wafv2/RuleGroupRuleStatementRegexPatternSetReferenceStatement:RuleGroupRuleStatementRegexPatternSetReferenceStatement": { "properties": { - "statements": { + "arn": { + "type": "string", + "description": "The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.\n" + }, + "fieldToMatch": { + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatch:RuleGroupRuleStatementXssMatchStatementFieldToMatch", + "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" + }, + "textTransformations": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementTextTransformation:RuleGroupRuleStatementXssMatchStatementTextTransformation" }, - "description": "The statements to combine." 
+ "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" } }, "type": "object", "required": [ - "statements" + "arn", + "textTransformations" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement": { + "aws:wafv2/RuleGroupRuleStatementSizeConstraintStatement:RuleGroupRuleStatementSizeConstraintStatement": { "properties": { + "comparisonOperator": { + "type": "string", + "description": "The operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.\n" + }, "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatch:RuleGroupRuleStatementXssMatchStatementFieldToMatch", + "description": "The part of a web request that you want AWS WAF to inspect. See Field to Match below for details.\n" }, - "regexString": { - "type": "string", - "description": "String representing the regular expression. Minimum of `1` and maximum of `512` characters.\n" + "size": { + "type": "integer", + "description": "The size, in bytes, to compare to the request part, after any transformations. 
Valid values are integers between 0 and 21474836480, inclusive.\n" }, "textTransformations": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementTextTransformation:RuleGroupRuleStatementXssMatchStatementTextTransformation" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `text_transformation` below for details.\n" + "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection.\nAt least one required.\nSee Text Transformation below for details.\n" } }, "type": "object", "required": [ - "regexString", + "comparisonOperator", + "size", "textTransformations" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch": { + "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatch:RuleGroupRuleStatementXssMatchStatementFieldToMatch": { "properties": { "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments", + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp", "description": "Inspect all query arguments.\n" }, "body": { - "$ref": 
"#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchBody:RuleGroupRuleStatementXssMatchStatementFieldToMatchBody", + "description": "Inspect the request body, which immediately follows the request headers.\n" }, "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies:RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies", + "description": "Inspect the cookies in the web request. See Cookies below for details.\n" }, "headerOrders": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader" }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" + "description": "Inspect the request headers. 
See Header Order below for details.\n" }, "headers": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader" }, - "description": "Inspect the request headers. See `headers` below for details.\n" + "description": "Inspect the request headers. See Headers below for details.\n" }, "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint" }, "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody", + "description": "Inspect the request body as JSON. 
See JSON Body for details.\n" }, "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod", + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp", "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" }, "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString", + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp", "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" }, "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader", + "description": "Inspect a single header. See Single Header below for details.\n" }, "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. 
See `single_query_argument` below for details.\n" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader", + "description": "Inspect a single query argument. See Single Query Argument below for details.\n" }, "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath", + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp", "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody": { + "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchBody:RuleGroupRuleStatementXssMatchStatementFieldToMatchBody": { "properties": { "oversizeHandling": { - "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "type": "string" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies": { + "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies:RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies": { "properties": { "matchPatterns": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern" }, "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" }, 
@@ -154790,7 +144232,7 @@ }, "oversizeHandling": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`\n" } }, "type": "object", @@ -154800,10 +144242,10 @@ "oversizeHandling" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern": { "properties": { "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp" }, "excludedCookies": { "type": "array", 
@@ -154820,13 +144262,10 @@ }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader": { + "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader": { "properties": { "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern", + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern", "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" }, "matchScope": { 
@@ -154845,10 +144284,10 @@ "oversizeHandling" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern": { "properties": { "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll", + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp", "description": "An empty configuration block that is used for inspecting all headers.\n" }, "excludedHeaders": { 
@@ -154868,26 +144307,10 @@ }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" - } - }, - "type": "object", - "required": [ - "oversizeHandling" - ] - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint": { + "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint:RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint": { "properties": { "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`.\n" + "type": "string" } }, "type": "object", 
@@ -154895,14 +144318,14 @@ "fallbackBehavior" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody": { + "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody:RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody": { "properties": { "invalidFallbackBehavior": { "type": "string", "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" }, "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern", + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern", "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" }, "matchScope": { 
@@ -154920,10 +144343,10 @@ "matchScope" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern:RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern": { "properties": { "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "$ref": "#/types/aws:wafv2/RuleGroupRuleStatementRateBasedStatementCustomKeyIp:RuleGroupRuleStatementRateBasedStatementCustomKeyIp" }, "includedPaths": { "type": "array", 
@@ -154934,32 +144357,11 @@ }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader": { - "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" - } - }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument": { + "aws:wafv2/RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader:RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader": { "properties": { "name": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The name of the query header to inspect. This setting must be provided as lower case characters.\n" } }, "type": "object", 
@@ -154967,18 +144369,15 @@ "name" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation": { + "aws:wafv2/RuleGroupRuleStatementXssMatchStatementTextTransformation:RuleGroupRuleStatementXssMatchStatementTextTransformation": { "properties": { "priority": { "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "description": "The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" }, "type": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" } }, "type": "object", 
@@ -154987,1190 +144386,773 @@ "type" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement": { + "aws:wafv2/RuleGroupRuleVisibilityConfig:RuleGroupRuleVisibilityConfig": { "properties": { - "arn": { - "type": "string", - "description": "The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.\n" + "cloudwatchMetricsEnabled": { + "type": "boolean", + "description": "A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics).\n" }, - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" + "metricName": { + "type": "string", + "description": "A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`.\n" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. 
See `text_transformation` below for details.\n" + "sampledRequestsEnabled": { + "type": "boolean", + "description": "A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console.\n" } }, "type": "object", "required": [ - "arn", - "textTransformations" + "cloudwatchMetricsEnabled", + "metricName", + "sampledRequestsEnabled" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch": { + "aws:wafv2/RuleGroupVisibilityConfig:RuleGroupVisibilityConfig": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. 
See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" + "cloudwatchMetricsEnabled": { + "type": "boolean", + "description": "A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics).\n" }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "metricName": { + "type": "string", + "description": "A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. 
It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "sampledRequestsEnabled": { + "type": "boolean", + "description": "A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console.\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "required": [ + "cloudwatchMetricsEnabled", + "metricName", + "sampledRequestsEnabled" + ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody": { + "aws:wafv2/WebAclAssociationConfig:WebAclAssociationConfig": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "requestBodies": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBody:WebAclAssociationConfigRequestBody" + }, + "description": "Customizes the request body that your protected resource forward to AWS WAF for inspection. See `request_body` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies": { + "aws:wafv2/WebAclAssociationConfigRequestBody:WebAclAssociationConfigRequestBody": { "properties": { - "matchPatterns": { + "apiGateways": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern" + "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBodyApiGateway:WebAclAssociationConfigRequestBodyApiGateway" }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" + "description": "Customizes the request body that your protected Amazon API Gateway REST APIs forward to AWS WAF for inspection. Applicable only when `scope` is set to `CLOUDFRONT`. See `api_gateway` below for details.\n" }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE`\n" + "appRunnerServices": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBodyAppRunnerService:WebAclAssociationConfigRequestBodyAppRunnerService" + }, + "description": "Customizes the request body that your protected Amazon App Runner services forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `app_runner_service` below for details.\n" }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" - } - }, - "type": "object", - "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" - ] - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll" + "cloudfronts": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBodyCloudfront:WebAclAssociationConfigRequestBodyCloudfront" + }, + "description": "Customizes the request body that your protected Amazon CloudFront distributions forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. 
See `cloudfront` below for details.\n" }, - "excludedCookies": { + "cognitoUserPools": { "type": "array", "items": { - "type": "string" - } + "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBodyCognitoUserPool:WebAclAssociationConfigRequestBodyCognitoUserPool" + }, + "description": "Customizes the request body that your protected Amazon Cognito user pools forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `cognito_user_pool` below for details.\n" }, - "includedCookies": { + "verifiedAccessInstances": { "type": "array", "items": { - "type": "string" - } + "$ref": "#/types/aws:wafv2/WebAclAssociationConfigRequestBodyVerifiedAccessInstance:WebAclAssociationConfigRequestBodyVerifiedAccessInstance" + }, + "description": "Customizes the request body that your protected AWS Verfied Access instances forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `verified_access_instance` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader": { + "aws:wafv2/WebAclAssociationConfigRequestBodyApiGateway:WebAclAssociationConfigRequestBodyApiGateway": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the 
subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" - }, - "oversizeHandling": { + "defaultSizeInspectionLimit": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Specifies the maximum size of the web request body component that an associated Amazon API Gateway REST APIs should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. 
Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "defaultSizeInspectionLimit" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern": { + "aws:wafv2/WebAclAssociationConfigRequestBodyAppRunnerService:WebAclAssociationConfigRequestBodyAppRunnerService": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" - }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "defaultSizeInspectionLimit": { + "type": "string", + "description": "Specifies the maximum size of the web request body component that an associated Amazon App Runner services should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. 
Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" + "type": "object", + "required": [ + "defaultSizeInspectionLimit" + ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder": { + "aws:wafv2/WebAclAssociationConfigRequestBodyCloudfront:WebAclAssociationConfigRequestBodyCloudfront": { "properties": { - "oversizeHandling": { + "defaultSizeInspectionLimit": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. 
Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.\n" } }, "type": "object", "required": [ - "oversizeHandling" + "defaultSizeInspectionLimit" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint": { + "aws:wafv2/WebAclAssociationConfigRequestBodyCognitoUserPool:WebAclAssociationConfigRequestBodyCognitoUserPool": { "properties": { - "fallbackBehavior": { + "defaultSizeInspectionLimit": { "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "Specifies the maximum size of the web request body component that an associated Amazon Cognito user pools should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "defaultSizeInspectionLimit" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody": { + "aws:wafv2/WebAclAssociationConfigRequestBodyVerifiedAccessInstance:WebAclAssociationConfigRequestBodyVerifiedAccessInstance": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. 
Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" - }, - "oversizeHandling": { + "defaultSizeInspectionLimit": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "Specifies the maximum size of the web request body component that an associated AWS Verified Access instances should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. 
Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "defaultSizeInspectionLimit" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern": { + "aws:wafv2/WebAclCaptchaConfig:WebAclCaptchaConfig": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll" - }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "immunityTimeProperty": { + "$ref": "#/types/aws:wafv2/WebAclCaptchaConfigImmunityTimeProperty:WebAclCaptchaConfigImmunityTimeProperty", + "description": "Defines custom immunity time. 
See `immunity_time_property` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader": { + "aws:wafv2/WebAclCaptchaConfigImmunityTimeProperty:WebAclCaptchaConfigImmunityTimeProperty": { "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "immunityTime": { + "type": "integer", + "description": "The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. 
The default setting is 300.\n" } }, - "type": "object", - "required": [ - "name" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument": { + "aws:wafv2/WebAclChallengeConfig:WebAclChallengeConfig": { "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "immunityTimeProperty": { + "$ref": "#/types/aws:wafv2/WebAclChallengeConfigImmunityTimeProperty:WebAclChallengeConfigImmunityTimeProperty", + "description": "Defines custom immunity time. See `immunity_time_property` below for details.\n" } }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath": { "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation": { + "aws:wafv2/WebAclChallengeConfigImmunityTimeProperty:WebAclChallengeConfigImmunityTimeProperty": { "properties": { - "priority": { + "immunityTime": { "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { - "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.\n" } }, - "type": "object", - "required": [ - "priority", - "type" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement": { + "aws:wafv2/WebAclCustomResponseBody:WebAclCustomResponseBody": { "properties": { - "comparisonOperator": { + "content": { "type": "string", - "description": "Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.\n" - }, - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" + "description": "Payload of the custom response.\n" }, - "size": { - "type": "integer", - "description": "Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive.\n" + "contentType": { + "type": "string", + "description": "Type of content in the payload that you are defining in the `content` argument. 
Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`.\n" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `text_transformation` below for details.\n" + "key": { + "type": "string", + "description": "Unique key identifying the custom response body. This is referenced by the `custom_response_body_key` argument in the `custom_response` block.\n" } }, "type": "object", "required": [ - "comparisonOperator", - "size", - "textTransformations" + "content", + "contentType", + "key" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch": { + "aws:wafv2/WebAclDefaultAction:WebAclDefaultAction": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. 
See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. 
See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "allow": { + "$ref": "#/types/aws:wafv2/WebAclDefaultActionAllow:WebAclDefaultActionAllow", + "description": "Specifies that AWS WAF should allow requests by default. 
See `allow` below for details.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "block": { + "$ref": "#/types/aws:wafv2/WebAclDefaultActionBlock:WebAclDefaultActionBlock", + "description": "Specifies that AWS WAF should block requests by default. See `block` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody": { + "aws:wafv2/WebAclDefaultActionAllow:WebAclDefaultActionAllow": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "customRequestHandling": { + "$ref": "#/types/aws:wafv2/WebAclDefaultActionAllowCustomRequestHandling:WebAclDefaultActionAllowCustomRequestHandling", + "description": "Defines custom handling for the web request. 
See `custom_request_handling` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies": { + "aws:wafv2/WebAclDefaultActionAllowCustomRequestHandling:WebAclDefaultActionAllowCustomRequestHandling": { "properties": { - "matchPatterns": { + "insertHeaders": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern" + "$ref": "#/types/aws:wafv2/WebAclDefaultActionAllowCustomRequestHandlingInsertHeader:WebAclDefaultActionAllowCustomRequestHandlingInsertHeader" }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" - }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "The `insert_header` blocks used to define HTTP headers added to the request. 
See `insert_header` below for details.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "insertHeaders" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } - }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader": { + "aws:wafv2/WebAclDefaultActionAllowCustomRequestHandlingInsertHeader:WebAclDefaultActionAllowCustomRequestHandlingInsertHeader": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. 
The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { + "name": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" }, - "oversizeHandling": { + "value": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Value of the custom header.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "name", + "value" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern": { + "aws:wafv2/WebAclDefaultActionBlock:WebAclDefaultActionBlock": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { 
- "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" - }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "customResponse": { + "$ref": "#/types/aws:wafv2/WebAclDefaultActionBlockCustomResponse:WebAclDefaultActionBlockCustomResponse", + "description": "Defines a custom response for the web request. See `custom_response` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder": { + "aws:wafv2/WebAclDefaultActionBlockCustomResponse:WebAclDefaultActionBlockCustomResponse": { "properties": { - "oversizeHandling": { + "customResponseBodyKey": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "References the response body that you want AWS WAF to return to the web request client. 
This must reference a `key` defined in a `custom_response_body` block of this resource.\n" + }, + "responseCode": { + "type": "integer", + "description": "The HTTP status code to return to the client.\n" + }, + "responseHeaders": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/WebAclDefaultActionBlockCustomResponseResponseHeader:WebAclDefaultActionBlockCustomResponseResponseHeader" + }, + "description": "The `response_header` blocks used to define the HTTP response headers added to the response. See `response_header` below for details.\n" } }, "type": "object", "required": [ - "oversizeHandling" + "responseCode" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint": { + "aws:wafv2/WebAclDefaultActionBlockCustomResponseResponseHeader:WebAclDefaultActionBlockCustomResponseResponseHeader": { "properties": { - "fallbackBehavior": { + "name": { "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. 
For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + }, + "value": { + "type": "string", + "description": "Value of the custom header.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "name", + "value" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody": { + "aws:wafv2/WebAclLoggingConfigurationLoggingFilter:WebAclLoggingConfigurationLoggingFilter": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" - }, - "matchScope": { + "defaultBehavior": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "Default handling for logs that don't match any of the specified filtering conditions. Valid values for `default_behavior` are `KEEP` or `DROP`.\n" }, - "oversizeHandling": { - "type": "string", - "description": "What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "filters": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilter:WebAclLoggingConfigurationLoggingFilterFilter" + }, + "description": "Filter(s) that you want to apply to the logs. See Filter below for more details.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "defaultBehavior", + "filters" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern": { + "aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilter:WebAclLoggingConfigurationLoggingFilterFilter": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll" + "behavior": { + "type": "string", + "description": "Parameter that determines how to handle logs that meet the conditions and requirements of the filter. 
The valid values for `behavior` are `KEEP` or `DROP`.\n" }, - "includedPaths": { + "conditions": { "type": "array", "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader": { - "properties": { - "name": { + "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterCondition:WebAclLoggingConfigurationLoggingFilterFilterCondition" + }, + "description": "Match condition(s) for the filter. See Condition below for more details.\n" + }, + "requirement": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. 
Valid values for `requirement` are `MEETS_ALL` or `MEETS_ANY`.\n" } }, "type": "object", "required": [ - "name" + "behavior", + "conditions", + "requirement" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument": { + "aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterCondition:WebAclLoggingConfigurationLoggingFilterFilterCondition": { "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "actionCondition": { + "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition:WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition", + "description": "Configuration for a single action condition. See Action Condition below for more details.\n" + }, + "labelNameCondition": { + "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition:WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition", + "description": "Condition for a single label name. 
See Label Name Condition below for more details.\n" } }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath": { "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation": { + "aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition:WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { + "action": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "Action setting that a log record must contain in order to meet the condition. 
Valid values for `action` are `ALLOW`, `BLOCK`, and `COUNT`.\n" } }, "type": "object", "required": [ - "priority", - "type" + "action" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement": { + "aws:wafv2/WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition:WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" - }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `text_transformation` below for details.\n" + "labelName": { + "type": "string", + "description": "Name of the label that a log record must contain in order to meet the condition. It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. 
The prefix identifies the rule group or web ACL context of the rule that added the label.\n" } }, "type": "object", "required": [ - "textTransformations" + "labelName" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch": { + "aws:wafv2/WebAclLoggingConfigurationRedactedField:WebAclLoggingConfigurationRedactedField": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. 
See `header_order` below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" - }, "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" + "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationRedactedFieldMethod:WebAclLoggingConfigurationRedactedFieldMethod", + "description": "HTTP method to be redacted. It must be specified as an empty configuration block `{}`. 
The method indicates the type of operation that the request is asking the origin to perform.\n" }, "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" + "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationRedactedFieldQueryString:WebAclLoggingConfigurationRedactedFieldQueryString", + "description": "Whether to redact the query string. It must be specified as an empty configuration block `{}`. The query string is the part of a URL that appears after a `?` character, if any.\n" }, "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationRedactedFieldSingleHeader:WebAclLoggingConfigurationRedactedFieldSingleHeader", + "description": "\"single_header\" refers to the redaction of a single header. 
For more information, please see the details below under Single Header.\n" }, "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "$ref": "#/types/aws:wafv2/WebAclLoggingConfigurationRedactedFieldUriPath:WebAclLoggingConfigurationRedactedFieldUriPath", + "description": "Configuration block that redacts the request URI path. It should be specified as an empty configuration block `{}`. The URI path is the part of a web request that identifies a resource, such as `/images/daily-ad.jpg`.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments": { + "aws:wafv2/WebAclLoggingConfigurationRedactedFieldMethod:WebAclLoggingConfigurationRedactedFieldMethod": { "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" - } - }, + "aws:wafv2/WebAclLoggingConfigurationRedactedFieldQueryString:WebAclLoggingConfigurationRedactedFieldQueryString": { "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies": { + "aws:wafv2/WebAclLoggingConfigurationRedactedFieldSingleHeader:WebAclLoggingConfigurationRedactedFieldSingleHeader": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" - }, - "oversizeHandling": { + "name": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "Name of the query header to redact. 
This setting must be provided in lowercase characters.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "name" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern": { + "aws:wafv2/WebAclLoggingConfigurationRedactedFieldUriPath:WebAclLoggingConfigurationRedactedFieldUriPath": { + "type": "object" + }, + "aws:wafv2/WebAclRule:WebAclRule": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll" + "action": { + "$ref": "#/types/aws:wafv2/WebAclRuleAction:WebAclRuleAction", + "description": "Action that AWS WAF should take on a web request when it matches the rule's statement. This is used only for rules whose **statements do not reference a rule group**. See `action` for details.\n" }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "captchaConfig": { + "$ref": "#/types/aws:wafv2/WebAclRuleCaptchaConfig:WebAclRuleCaptchaConfig", + "description": "Specifies how AWS WAF should handle CAPTCHA evaluations. See `captcha_config` below for details.\n" }, - "includedCookies": { + "name": { + "type": "string", + "description": "Friendly name of the rule. Note that the provider assumes that rules with names matching this pattern, `^ShieldMitigationRuleGroup_\u003caccount-id\u003e_\u003cweb-acl-guid\u003e_.*`, are AWS-added for [automatic application layer DDoS mitigation activities](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response-rg.html). 
Such rules will be ignored by the provider unless you explicitly include them in your configuration (for example, by using the AWS CLI to discover their properties and creating matching configuration). However, since these rules are owned and managed by AWS, you may get permission errors.\n" + }, + "overrideAction": { + "$ref": "#/types/aws:wafv2/WebAclRuleOverrideAction:WebAclRuleOverrideAction", + "description": "Override action to apply to the rules in a rule group. Used only for rule **statements that reference a rule group**, like `rule_group_reference_statement` and `managed_rule_group_statement`. See `override_action` below for details.\n" + }, + "priority": { + "type": "integer", + "description": "If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. AWS WAF processes rules with lower priority first.\n" + }, + "ruleLabels": { "type": "array", "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader": { - "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. 
The `match_pattern` block supports only one of the following arguments:\n" + "$ref": "#/types/aws:wafv2/WebAclRuleRuleLabel:WebAclRuleRuleLabel" + }, + "description": "Labels to apply to web requests that match the rule match statement. See `rule_label` below for details.\n" }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "statement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement", + "description": "The AWS WAF processing statement for the rule, for example `byte_match_statement` or `geo_match_statement`. See `statement` below for details.\n" }, - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "visibilityConfig": { + "$ref": "#/types/aws:wafv2/WebAclRuleVisibilityConfig:WebAclRuleVisibilityConfig", + "description": "Defines and enables Amazon CloudWatch metrics and web request sample collection. 
See `visibility_config` below for details.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "name", + "priority", + "statement", + "visibilityConfig" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:wafv2/WebAclRuleAction:WebAclRuleAction": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" + "allow": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionAllow:WebAclRuleActionAllow", + "description": "Instructs AWS WAF to allow the web request. See `allow` below for details.\n" }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "block": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionBlock:WebAclRuleActionBlock", + "description": "Instructs AWS WAF to block the web request. See `block` below for details.\n" }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "captcha": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionCaptcha:WebAclRuleActionCaptcha", + "description": "Instructs AWS WAF to run a Captcha check against the web request. 
See `captcha` below for details.\n" + }, + "challenge": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionChallenge:WebAclRuleActionChallenge", + "description": "Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See `challenge` below for details.\n" + }, + "count": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionCount:WebAclRuleActionCount", + "description": "Instructs AWS WAF to count the web request and allow it. See `count` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder": { + "aws:wafv2/WebAclRuleActionAllow:WebAclRuleActionAllow": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "customRequestHandling": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionAllowCustomRequestHandling:WebAclRuleActionAllowCustomRequestHandling", + "description": "Defines custom handling for the web request. 
See `custom_request_handling` below for details.\n" } }, - "type": "object", - "required": [ - "oversizeHandling" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint": { + "aws:wafv2/WebAclRuleActionAllowCustomRequestHandling:WebAclRuleActionAllowCustomRequestHandling": { "properties": { - "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`.\n" + "insertHeaders": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionAllowCustomRequestHandlingInsertHeader:WebAclRuleActionAllowCustomRequestHandlingInsertHeader" + }, + "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "insertHeaders" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody": { + "aws:wafv2/WebAclRuleActionAllowCustomRequestHandlingInsertHeader:WebAclRuleActionAllowCustomRequestHandlingInsertHeader": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. 
You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" - }, - "matchScope": { + "name": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" }, - "oversizeHandling": { + "value": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "Value of the custom header.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "name", + "value" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:wafv2/WebAclRuleActionBlock:WebAclRuleActionBlock": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll" - }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "customResponse": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionBlockCustomResponse:WebAclRuleActionBlockCustomResponse", + "description": "Defines a custom response for the web request. 
See `custom_response` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader": { + "aws:wafv2/WebAclRuleActionBlockCustomResponse:WebAclRuleActionBlockCustomResponse": { "properties": { - "name": { + "customResponseBodyKey": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `custom_response_body` block of this resource.\n" + }, + "responseCode": { + "type": "integer", + "description": "The HTTP status code to return to the client.\n" + }, + "responseHeaders": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionBlockCustomResponseResponseHeader:WebAclRuleActionBlockCustomResponseResponseHeader" + }, + "description": "The `response_header` blocks used to define the HTTP response headers added to the response. 
See `response_header` below for details.\n" } }, "type": "object", "required": [ - "name" + "responseCode" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument": { + "aws:wafv2/WebAclRuleActionBlockCustomResponseResponseHeader:WebAclRuleActionBlockCustomResponseResponseHeader": { "properties": { "name": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + }, + "value": { + "type": "string", + "description": "Value of the custom header.\n" } }, "type": "object", "required": [ - "name" + "name", + "value" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation": { + "aws:wafv2/WebAclRuleActionCaptcha:WebAclRuleActionCaptcha": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { - "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "customRequestHandling": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionCaptchaCustomRequestHandling:WebAclRuleActionCaptchaCustomRequestHandling", + "description": "Defines custom handling for the web request. See `custom_request_handling` below for details.\n" } }, - "type": "object", - "required": [ - "priority", - "type" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement": { + "aws:wafv2/WebAclRuleActionCaptchaCustomRequestHandling:WebAclRuleActionCaptchaCustomRequestHandling": { "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" - }, - "textTransformations": { + "insertHeaders": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation" + "$ref": "#/types/aws:wafv2/WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader:WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. 
See `text_transformation` below for details.\n" + "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" } }, "type": "object", "required": [ - "textTransformations" + "insertHeaders" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch": { + "aws:wafv2/WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader:WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. 
See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "name": { + "type": "string", + "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "value": { + "type": "string", + "description": "Value of the custom header.\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "required": [ + "name", + "value" + ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody": { + "aws:wafv2/WebAclRuleActionChallenge:WebAclRuleActionChallenge": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "customRequestHandling": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionChallengeCustomRequestHandling:WebAclRuleActionChallengeCustomRequestHandling", + "description": "Defines custom handling for the web request. 
See `custom_request_handling` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies": { + "aws:wafv2/WebAclRuleActionChallengeCustomRequestHandling:WebAclRuleActionChallengeCustomRequestHandling": { "properties": { - "matchPatterns": { + "insertHeaders": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern" + "$ref": "#/types/aws:wafv2/WebAclRuleActionChallengeCustomRequestHandlingInsertHeader:WebAclRuleActionChallengeCustomRequestHandlingInsertHeader" }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" - }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "The `insert_header` blocks used to define HTTP headers added to the request. 
See `insert_header` below for details.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "insertHeaders" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } - }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader": { + "aws:wafv2/WebAclRuleActionChallengeCustomRequestHandlingInsertHeader:WebAclRuleActionChallengeCustomRequestHandlingInsertHeader": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. 
The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { + "name": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" }, - "oversizeHandling": { + "value": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Value of the custom header.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "name", + "value" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:wafv2/WebAclRuleActionCount:WebAclRuleActionCount": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - 
"description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" - }, - "includedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" + "customRequestHandling": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionCountCustomRequestHandling:WebAclRuleActionCountCustomRequestHandling", + "description": "Defines custom handling for the web request. See `custom_request_handling` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder": { + "aws:wafv2/WebAclRuleActionCountCustomRequestHandling:WebAclRuleActionCountCustomRequestHandling": { "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "insertHeaders": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/WebAclRuleActionCountCustomRequestHandlingInsertHeader:WebAclRuleActionCountCustomRequestHandlingInsertHeader" + }, + "description": "The `insert_header` blocks used to define HTTP headers added to the request. 
See `insert_header` below for details.\n" } }, "type": "object", "required": [ - "oversizeHandling" + "insertHeaders" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint": { + "aws:wafv2/WebAclRuleActionCountCustomRequestHandlingInsertHeader:WebAclRuleActionCountCustomRequestHandlingInsertHeader": { "properties": { - "fallbackBehavior": { + "name": { "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + }, + "value": { + "type": "string", + "description": "Value of the custom header.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "name", + "value" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody": { + "aws:wafv2/WebAclRuleCaptchaConfig:WebAclRuleCaptchaConfig": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. 
Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" - }, - "oversizeHandling": { - "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "immunityTimeProperty": { + "$ref": "#/types/aws:wafv2/WebAclRuleCaptchaConfigImmunityTimeProperty:WebAclRuleCaptchaConfigImmunityTimeProperty", + "description": "Defines custom immunity time. 
See `immunity_time_property` below for details.\n" } }, - "type": "object", - "required": [ - "matchPattern", - "matchScope" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern": { + "aws:wafv2/WebAclRuleCaptchaConfigImmunityTimeProperty:WebAclRuleCaptchaConfigImmunityTimeProperty": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll" - }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "immunityTime": { + "type": "integer", + "description": "The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll": { + "aws:wafv2/WebAclRuleOverrideAction:WebAclRuleOverrideAction": { + "properties": { + "count": { + "$ref": "#/types/aws:wafv2/WebAclRuleOverrideActionCount:WebAclRuleOverrideActionCount", + "description": "Override the rule action setting to count (i.e., only count matches). Configured as an empty block `{}`.\n" + }, + "none": { + "$ref": "#/types/aws:wafv2/WebAclRuleOverrideActionNone:WebAclRuleOverrideActionNone", + "description": "Don't override the rule action setting. 
Configured as an empty block `{}`.\n" + } + }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod": { + "aws:wafv2/WebAclRuleOverrideActionCount:WebAclRuleOverrideActionCount": { "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString": { + "aws:wafv2/WebAclRuleOverrideActionNone:WebAclRuleOverrideActionNone": { "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader": { + "aws:wafv2/WebAclRuleRuleLabel:WebAclRuleRuleLabel": { "properties": { "name": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "Label string.\n" } }, "type": "object", 
@@ -156178,675 +145160,574 @@ "name" ] }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument": { + "aws:wafv2/WebAclRuleStatement:WebAclRuleStatement": { "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "andStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementAndStatement:WebAclRuleStatementAndStatement", + "description": "Logical rule statement used to combine other rule statements with AND logic. See `and_statement` below for details.\n" + }, + "byteMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatement:WebAclRuleStatementByteMatchStatement", + "description": "Rule statement that defines a string match search for AWS WAF to apply to web requests. See `byte_match_statement` below for details.\n" + }, + "geoMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementGeoMatchStatement:WebAclRuleStatementGeoMatchStatement", + "description": "Rule statement used to identify web requests based on country of origin. See `geo_match_statement` below for details.\n" + }, + "ipSetReferenceStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementIpSetReferenceStatement:WebAclRuleStatementIpSetReferenceStatement", + "description": "Rule statement used to detect web requests coming from particular IP addresses or address ranges. See `ip_set_reference_statement` below for details.\n" + }, + "labelMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementLabelMatchStatement:WebAclRuleStatementLabelMatchStatement", + "description": "Rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. 
See `label_match_statement` below for details.\n" + }, + "managedRuleGroupStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatement:WebAclRuleStatementManagedRuleGroupStatement", + "description": "Rule statement used to run the rules that are defined in a managed rule group. This statement can not be nested. See `managed_rule_group_statement` below for details.\n" + }, + "notStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementNotStatement:WebAclRuleStatementNotStatement", + "description": "Logical rule statement used to negate the results of another rule statement. See `not_statement` below for details.\n" + }, + "orStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementOrStatement:WebAclRuleStatementOrStatement", + "description": "Logical rule statement used to combine other rule statements with OR logic. See `or_statement` below for details.\n" + }, + "rateBasedStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatement:WebAclRuleStatementRateBasedStatement", + "description": "Rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See `rate_based_statement` below for details.\n" + }, + "regexMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatement:WebAclRuleStatementRegexMatchStatement", + "description": "Rule statement used to search web request components for a match against a single regular expression. See `regex_match_statement` below for details.\n" + }, + "regexPatternSetReferenceStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatement:WebAclRuleStatementRegexPatternSetReferenceStatement", + "description": "Rule statement used to search web request components for matches with regular expressions. 
See `regex_pattern_set_reference_statement` below for details.\n" + }, + "ruleGroupReferenceStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatement:WebAclRuleStatementRuleGroupReferenceStatement", + "description": "Rule statement used to run the rules that are defined in an WAFv2 Rule Group. See `rule_group_reference_statement` below for details.\n" + }, + "sizeConstraintStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatement:WebAclRuleStatementSizeConstraintStatement", + "description": "Rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (\u003e) or less than (\u003c). See `size_constraint_statement` below for more details.\n" + }, + "sqliMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatement:WebAclRuleStatementRegexPatternSetReferenceStatement", + "description": "An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See `sqli_match_statement` below for details.\n" + }, + "xssMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatement:WebAclRuleStatementRegexPatternSetReferenceStatement", + "description": "Rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. 
See `xss_match_statement` below for details.\n" } }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath": { "type": "object" }, - "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation:WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation": { + "aws:wafv2/WebAclRuleStatementAndStatement:WebAclRuleStatementAndStatement": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { - "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "statements": { + "type": "array", + "items": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" + }, + "description": "Statements to combine with `AND` logic. You can use any statements that can be nested. See `statement` above for details.\n" } }, "type": "object", "required": [ - "priority", - "type" + "statements" ] }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatement:WebAclRuleStatementRegexMatchStatement": { + "aws:wafv2/WebAclRuleStatementByteMatchStatement:WebAclRuleStatementByteMatchStatement": { "properties": { "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatch:WebAclRuleStatementRegexMatchStatementFieldToMatch", - "description": "The part of a web request that you want AWS WAF to inspect. 
See `field_to_match` below for details.\n" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatch:WebAclRuleStatementXssMatchStatementFieldToMatch", + "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" }, - "regexString": { + "positionalConstraint": { "type": "string", - "description": "String representing the regular expression. Minimum of `1` and maximum of `512` characters.\n" + "description": "Area within the portion of a web request that you want AWS WAF to search for `search_string`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information.\n" + }, + "searchString": { + "type": "string", + "description": "String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `field_to_match`. The maximum length of the value is 50 bytes.\n" }, "textTransformations": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementTextTransformation:WebAclRuleStatementRegexMatchStatementTextTransformation" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementTextTransformation:WebAclRuleStatementXssMatchStatementTextTransformation" }, "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. 
See `text_transformation` below for details.\n" } }, "type": "object", "required": [ - "regexString", + "positionalConstraint", + "searchString", "textTransformations" ] }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatch:WebAclRuleStatementRegexMatchStatementFieldToMatch": { + "aws:wafv2/WebAclRuleStatementGeoMatchStatement:WebAclRuleStatementGeoMatchStatement": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchBody:WebAclRuleStatementRegexMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchCookies:WebAclRuleStatementRegexMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" - }, - "headers": { + "countryCodes": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchHeader:WebAclRuleStatementRegexMatchStatementFieldToMatchHeader" + "type": "string" }, - "description": "Inspect the request headers. 
See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBody:WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchMethod:WebAclRuleStatementRegexMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchQueryString:WebAclRuleStatementRegexMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementRegexMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "description": "Array of two-character country codes, for example, [ \"US\", \"CN\" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. 
See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchUriPath:WebAclRuleStatementRegexMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "forwardedIpConfig": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig", + "description": "Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `forwarded_ip_config` below for details.\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" + "type": "object", + "required": [ + "countryCodes" + ] }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchBody:WebAclRuleStatementRegexMatchStatementFieldToMatchBody": { + "aws:wafv2/WebAclRuleStatementIpSetReferenceStatement:WebAclRuleStatementIpSetReferenceStatement": { "properties": { - "oversizeHandling": { + "arn": { "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "The Amazon Resource Name (ARN) of the IP Set that this statement references.\n" + }, + "ipSetForwardedIpConfig": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig", + "description": "Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `ip_set_forwarded_ip_config` below for more details.\n" } }, - "type": "object" + "type": "object", + "required": [ + "arn" + ] }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchCookies:WebAclRuleStatementRegexMatchStatementFieldToMatchCookies": { + "aws:wafv2/WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" + "fallbackBehavior": { + "type": "string", + "description": "Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`.\n" }, - "matchScope": { + "headerName": { "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "Name of the HTTP header to use for the IP address.\n" }, - "oversizeHandling": { + "position": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "fallbackBehavior", + "headerName", + "position" ] }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } - }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchHeader:WebAclRuleStatementRegexMatchStatementFieldToMatchHeader": { + "aws:wafv2/WebAclRuleStatementLabelMatchStatement:WebAclRuleStatementLabelMatchStatement": { "properties": { - "matchPattern": { - "$ref": 
"#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { + "key": { "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "description": "String to match against.\n" }, - "oversizeHandling": { + "scope": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Specify whether you want to match using the label name or just the namespace. 
Valid values are `LABEL` or `NAMESPACE`.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "key", + "scope" ] }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatement:WebAclRuleStatementManagedRuleGroupStatement": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { + "managedRuleGroupConfigs": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig" }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "description": "Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config. 
See `managed_rule_group_configs` for more details\n" }, - "includedHeaders": { + "name": { + "type": "string", + "description": "Name of the managed rule group.\n" + }, + "ruleActionOverrides": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride" }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { + "description": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See `rule_action_override` below for details.\n" + }, + "scopeDownStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatement:WebAclRuleStatementRateBasedStatementScopeDownStatement", + "description": "Narrows the scope of the statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See `statement` above for details.\n" + }, + "vendorName": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" - } - }, - "type": "object", - "required": [ - "oversizeHandling" - ] - }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint": { - "properties": { - "fallbackBehavior": { + "description": "Name of the managed rule group vendor.\n" + }, + "version": { "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "Version of the managed rule group. You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "name", + "vendorName" ] }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBody:WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBody": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" + "awsManagedRulesAcfpRuleSet": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet", + "description": "Additional configuration for using the Account Creation Fraud Prevention managed rule group. 
Use this to specify information such as the registration page of your application and the type of content to accept or reject from the client.\n" }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "awsManagedRulesAtpRuleSet": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet", + "description": "Additional configuration for using the Account Takeover Protection managed rule group. Use this to specify information such as the sign-in page of your application and the type of content to accept or reject from the client.\n" }, - "matchScope": { + "awsManagedRulesBotControlRuleSet": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet", + "description": "Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. See `aws_managed_rules_bot_control_rule_set` for more details\n" + }, + "loginPath": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. 
Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "The path of the login endpoint for your application.\n" }, - "oversizeHandling": { + "passwordField": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField", + "description": "Details about your login page password field. See `password_field` for more details.\n" + }, + "payloadType": { "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" - } - }, - "type": "object", - "required": [ - "matchPattern", - "matchScope" - ] - }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "description": "The payload type for your login endpoint, either JSON or form encoded.\n" }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } + "usernameField": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField", + "description": "Details about your login page username field. 
See `username_field` for more details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchMethod:WebAclRuleStatementRegexMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchQueryString:WebAclRuleStatementRegexMatchStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementRegexMatchStatementFieldToMatchSingleHeader": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet": { "properties": { - "name": { + "creationPath": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept POST requests.\n" + }, + "enableRegexInPath": { + "type": "boolean", + "description": "Whether or not to allow the use of regular expressions in the login page path.\n" + }, + "registrationPagePath": { + "type": "string", + "description": "The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users. 
This page must accept GET text/html requests.\n" + }, + "requestInspection": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection", + "description": "The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `request_inspection` for more details.\n" + }, + "responseInspection": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection", + "description": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. 
See `response_inspection` for more details.\n" } }, "type": "object", "required": [ - "name" - ] + "creationPath", + "registrationPagePath", + "requestInspection" + ], + "language": { + "nodejs": { + "requiredOutputs": [ + "creationPath", + "enableRegexInPath", + "registrationPagePath", + "requestInspection" + ] + } + } }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection": { "properties": { - "name": { + "addressFields": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields", + "description": "The names of the fields in the request payload that contain your customer's primary physical address. See `address_fields` for more details.\n" + }, + "emailField": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField", + "description": "The name of the field in the request payload that contains your customer's email. See `email_field` for more details.\n" + }, + "passwordField": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField", + "description": "Details about your login page password field. 
See `password_field` for more details.\n" + }, + "payloadType": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The payload type for your login endpoint, either JSON or form encoded.\n" + }, + "phoneNumberFields": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields", + "description": "The names of the fields in the request payload that contain your customer's primary phone number. See `phone_number_fields` for more details.\n" + }, + "usernameField": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField", + "description": "Details about your login page username field. See `username_field` for more details.\n" } }, "type": "object", "required": [ - "name" + "payloadType" ] }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementFieldToMatchUriPath:WebAclRuleStatementRegexMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexMatchStatementTextTransformation:WebAclRuleStatementRegexMatchStatementTextTransformation": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { - "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "identifiers": { + "type": "array", + "items": { + "type": "string" + } } }, "type": "object", "required": [ - "priority", - "type" + "identifiers" ] }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatement:WebAclRuleStatementRegexPatternSetReferenceStatement": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField": { "properties": { - "arn": { + "identifier": { "type": "string", - "description": "The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.\n" - }, - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatch:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" - }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementTextTransformation:WebAclRuleStatementRegexPatternSetReferenceStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. 
See `text_transformation` below for details.\n" + "description": "The name of the field in the request payload that contains your customer's email.\n" } }, "type": "object", "required": [ - "arn", - "textTransformations" + "identifier" ] }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatch:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatch": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" - }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" - }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. 
See `header_order` below for details.\n" - }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" - }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" - }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" - }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" - }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" + "enableRegexInPath": { + "type": "boolean", + "description": "Whether or not to allow the use of regular expressions in the login page path.\n" }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. 
See `single_header` below for details.\n" + "loginPath": { + "type": "string", + "description": "The path of the login endpoint for your application.\n" }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "requestInspection": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection", + "description": "The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `request_inspection` for more details.\n" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "responseInspection": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection", + "description": "The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. 
See `response_inspection` for more details.\n" } }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "type": "object", + "required": [ + "loginPath" + ], + "language": { + "nodejs": { + "requiredOutputs": [ + "enableRegexInPath", + "loginPath" + ] } - }, - "type": "object" + } }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" + "passwordField": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField", + "description": "Details about your login page password field. See `password_field` for more details.\n" }, - "matchScope": { + "payloadType": { "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" + "description": "The payload type for your login endpoint, either JSON or form encoded.\n" }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "usernameField": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField", + "description": "Details about your login page username field. 
See `username_field` for more details.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "passwordField", + "payloadType", + "usernameField" ] }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "bodyContains": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains", + "description": "Configures inspection of the response body. 
See `body_contains` for more details.\n" }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader": { - "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" + "header": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader", + "description": "Configures inspection of the response header.See `header` for more details.\n" }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" + "json": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson", + "description": "Configures inspection of the response JSON. 
See `json` for more details.\n" }, - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "statusCode": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode", + "description": "Configures inspection of the response status code.See `status_code` for more details.\n" } }, - "type": "object", - "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" - ] + "type": "object" }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { + "failureStrings": { "type": "array", "items": { "type": "string" }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "description": 
"Strings in the body of the response that indicate a failed login attempt.\n" }, - "includedHeaders": { + "successStrings": { "type": "array", "items": { "type": "string" }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "description": "Strings in the body of the response that indicate a successful login attempt.\n" } }, "type": "object", "required": [ - "oversizeHandling" + "failureStrings", + "successStrings" ] }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader": { "properties": { - "fallbackBehavior": { + "failureValues": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Values in the response header with the specified name that indicate a failed login attempt.\n" + }, + "name": { "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. 
Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "The name of the header to use.\n" + }, + "successValues": { + "type": "array", + "items": { + "type": "string" + }, + "description": "Values in the response header with the specified name that indicate a successful login attempt.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "failureValues", + "name", + "successValues" ] }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" + "failureValues": { + "type": "array", + "items": { + "type": "string" + } }, - "matchScope": { + "identifier": { "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. 
Valid values are `ALL`, `KEY` and `VALUE`.\n" + "description": "The identifier for the value to match against in the JSON.\n" }, - "oversizeHandling": { - "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "successValues": { + "type": "array", + "items": { + "type": "string" + } } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "failureValues", + "identifier", + "successValues" ] }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll" + "failureCodes": { + "type": "array", + "items": { + "type": "integer" + }, + "description": "Status codes in the response that indicate a failed login attempt.\n" }, - "includedPaths": { + "successCodes": { "type": "array", "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod": { - "type": "object" - }, - 
"aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader": { - "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "type": "integer" + }, + "description": "Status codes in the response that indicate a successful login attempt.\n" } }, "type": "object", "required": [ - "name" + "failureCodes", + "successCodes" ] }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet": { "properties": { - "name": { + "inspectionLevel": { "type": "string", - "description": "Name of the query header to inspect. 
This setting must be provided as lower case characters.\n" + "description": "The inspection level to use for the Bot Control rule group.\n" } }, "type": "object", "required": [ - "name" + "inspectionLevel" ] }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath:WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatementTextTransformation:WebAclRuleStatementRegexPatternSetReferenceStatementTextTransformation": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField": { "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { + "identifier": { "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" + "description": "The name of the password field.\n" } }, "type": "object", "required": [ - "priority", - "type" + "identifier" ] }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatement:WebAclRuleStatementRuleGroupReferenceStatement": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField:WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField": { "properties": { - "arn": { + "identifier": { "type": "string", - "description": "The Amazon Resource Name (ARN) of the `aws.wafv2.RuleGroup` resource.\n" - }, - "ruleActionOverrides": { - "type": "array", - "items": { - "$ref": 
"#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverride:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverride" - }, - "description": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See `rule_action_override` below for details.\n" + "description": "The name of the username field.\n" } }, "type": "object", "required": [ - "arn" + "identifier" ] }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverride:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverride": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride": { "properties": { "actionToUse": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUse:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUse", + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse", "description": "Override action to use, in place of the configured action of the rule in the rule group. See `action` for details.\n" }, "name": { 
@@ -156860,41 +145741,41 @@ "name" ] }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUse:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUse": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse": { "properties": { "allow": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllow:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllow" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow" }, "block": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlock:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlock" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock" }, "captcha": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptcha:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptcha" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow" }, "challenge": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallenge:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallenge" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow" }, "count": { - 
"$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCount:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCount" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllow:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllow": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow": { "properties": { "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandling:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandling", + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling", "description": "Defines custom handling for the web request. 
See `custom_request_handling` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandling:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandling": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling": { "properties": { "insertHeaders": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader" }, "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" } 
@@ -156904,33 +145785,16 @@ "insertHeaders" ] }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader": { - "properties": { - "name": { - "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" - }, - "value": { - "type": "string", - "description": "Value of the custom header.\n" - } - }, - "type": "object", - "required": [ - "name", - "value" - ] - }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlock:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlock": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock": { "properties": { "customResponse": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponse:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponse", + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse", "description": "Defines a custom response for the web request. 
See `custom_response` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponse:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponse": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse": { "properties": { "customResponseBodyKey": { "type": "string", @@ -156943,7 +145807,7 @@ "responseHeaders": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader" }, "description": "The `response_header` blocks used to define the HTTP response headers added to the response. See `response_header` below for details.\n" } @@ -156953,7 +145817,7 @@ "responseCode" ] }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader": { + "aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader": { "properties": { "name": { "type": "string", 
@@ -156970,749 +145834,309 @@ "value" ] }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptcha:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptcha": { - "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling", - "description": "Defines custom handling for the web request. See `custom_request_handling` below for details.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling": { + "aws:wafv2/WebAclRuleStatementNotStatement:WebAclRuleStatementNotStatement": { "properties": { - "insertHeaders": { + "statements": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader" + "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" - } - }, - "type": "object", - "required": [ - "insertHeaders" - ] - }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader": { - "properties": { - "name": { - "type": "string", - "description": "Name of the custom header. 
For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" - }, - "value": { - "type": "string", - "description": "Value of the custom header.\n" + "description": "Statement to negate. You can use any statement that can be nested. See `statement` above for details.\n" } }, "type": "object", "required": [ - "name", - "value" + "statements" ] }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallenge:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallenge": { - "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling", - "description": "Defines custom handling for the web request. 
See `custom_request_handling` below for details.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling": { + "aws:wafv2/WebAclRuleStatementOrStatement:WebAclRuleStatementOrStatement": { "properties": { - "insertHeaders": { + "statements": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader" + "$ref": "#/types/aws:wafv2/WebAclRuleStatement:WebAclRuleStatement" }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. See `insert_header` below for details.\n" + "description": "Statements to combine with `OR` logic. You can use any statements that can be nested. See `statement` above for details.\n" } }, "type": "object", "required": [ - "insertHeaders" + "statements" ] }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader": { + "aws:wafv2/WebAclRuleStatementRateBasedStatement:WebAclRuleStatementRateBasedStatement": { "properties": { - "name": { + "aggregateKeyType": { "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "Setting that indicates how to aggregate the request counts. 
Valid values include: `CONSTANT`, `CUSTOM_KEYS`, `FORWARDED_IP`, or `IP`. Default: `IP`.\n" }, - "value": { - "type": "string", - "description": "Value of the custom header.\n" - } - }, - "type": "object", - "required": [ - "name", - "value" - ] - }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCount:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCount": { - "properties": { - "customRequestHandling": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandling:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandling", - "description": "Defines custom handling for the web request. See `custom_request_handling` below for details.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandling:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandling": { - "properties": { - "insertHeaders": { + "customKeys": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKey:WebAclRuleStatementRateBasedStatementCustomKey" }, - "description": "The `insert_header` blocks used to define HTTP headers added to the request. 
See `insert_header` below for details.\n" - } - }, - "type": "object", - "required": [ - "insertHeaders" - ] - }, - "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader:WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader": { - "properties": { - "name": { - "type": "string", - "description": "Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`.\n" + "description": "Aggregate the request counts using one or more web request components as the aggregate keys. See `custom_key` below for details.\n" }, - "value": { - "type": "string", - "description": "Value of the custom header.\n" - } - }, - "type": "object", - "required": [ - "name", - "value" - ] - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatement:WebAclRuleStatementSizeConstraintStatement": { - "properties": { - "comparisonOperator": { - "type": "string", - "description": "Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.\n" + "evaluationWindowSec": { + "type": "integer", + "description": "The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Valid values are `60`, `120`, `300`, and `600`. Defaults to `300` (5 minutes).\n\n**NOTE:** This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. 
AWS WAF checks the rate about every 10 seconds.\n" }, - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatch:WebAclRuleStatementSizeConstraintStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" + "forwardedIpConfig": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig:WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig", + "description": "Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregate_key_type` is set to `FORWARDED_IP`, this block is required. See `forwarded_ip_config` below for details.\n" }, - "size": { + "limit": { "type": "integer", - "description": "Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive.\n" + "description": "Limit on requests per 5-minute period for a single originating IP address.\n" }, - "textTransformations": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementTextTransformation:WebAclRuleStatementSizeConstraintStatementTextTransformation" - }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `text_transformation` below for details.\n" + "scopeDownStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatement:WebAclRuleStatementRateBasedStatementScopeDownStatement", + "description": "Optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. 
See `statement` above for details. If `aggregate_key_type` is set to `CONSTANT`, this block is required.\n" } }, "type": "object", "required": [ - "comparisonOperator", - "size", - "textTransformations" + "limit" ] }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatch:WebAclRuleStatementSizeConstraintStatementFieldToMatch": { + "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKey:WebAclRuleStatementRateBasedStatementCustomKey": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments:WebAclRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" - }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchBody:WebAclRuleStatementSizeConstraintStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" + "cookie": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyCookie:WebAclRuleStatementRateBasedStatementCustomKeyCookie", + "description": "Use the value of a cookie in the request as an aggregate key. See RateLimit `cookie` below for details.\n" }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchCookies:WebAclRuleStatementSizeConstraintStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" + "forwardedIp": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp", + "description": "Use the first IP address in an HTTP header as an aggregate key. 
See `forwarded_ip` below for details.\n" }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder:WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" + "header": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyHeader:WebAclRuleStatementRateBasedStatementCustomKeyHeader", + "description": "Use the value of a header in the request as an aggregate key. See RateLimit `header` below for details.\n" }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchHeader:WebAclRuleStatementSizeConstraintStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" + "httpMethod": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp", + "description": "Use the request's HTTP method as an aggregate key. See RateLimit `http_method` below for details.\n" }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" + "ip": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp", + "description": "Use the request's originating IP address as an aggregate key. 
See `RateLimit ip` below for details.\n" }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBody:WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" + "labelNamespace": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace:WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace", + "description": "Use the specified label namespace as an aggregate key. See RateLimit `label_namespace` below for details.\n" }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchMethod:WebAclRuleStatementSizeConstraintStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" + "queryArgument": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument:WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument", + "description": "Use the specified query argument as an aggregate key. See RateLimit `query_argument` below for details.\n" }, "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchQueryString:WebAclRuleStatementSizeConstraintStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" - }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleHeader:WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. 
See `single_header` below for details.\n" - }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyHeader:WebAclRuleStatementRateBasedStatementCustomKeyHeader", + "description": "Use the request's query string as an aggregate key. See RateLimit `query_string` below for details.\n" }, "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchUriPath:WebAclRuleStatementSizeConstraintStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyHeader:WebAclRuleStatementRateBasedStatementCustomKeyHeader", + "description": "Use the request's URI path as an aggregate key. See RateLimit `uri_path` below for details.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments:WebAclRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchBody:WebAclRuleStatementSizeConstraintStatementFieldToMatchBody": { + "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyCookie:WebAclRuleStatementRateBasedStatementCustomKeyCookie": { "properties": { - "oversizeHandling": { + "name": { "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). 
Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchCookies:WebAclRuleStatementSizeConstraintStatementFieldToMatchCookies": { - "properties": { - "matchPatterns": { + "description": "The name of the cookie to use.\n" + }, + "textTransformations": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementTextTransformation:WebAclRuleStatementXssMatchStatementTextTransformation" }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE`\n" - }, - "oversizeHandling": { - "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. 
They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `text_transformation` above for details.\n" } }, "type": "object", "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" + "name", + "textTransformations" ] }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } - }, - "includedCookies": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchHeader:WebAclRuleStatementSizeConstraintStatementFieldToMatchHeader": { + "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyHeader:WebAclRuleStatementRateBasedStatementCustomKeyHeader": { "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. 
Valid values include the following: `ALL`, `Key`, `Value`.\n" - }, - "oversizeHandling": { + "name": { "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" - } - }, - "type": "object", - "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" - ] - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" - }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "description": "The name of the header to use.\n" }, - "includedHeaders": { + "textTransformations": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementTextTransformation:WebAclRuleStatementXssMatchStatementTextTransformation" }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - 
"aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder:WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" - } - }, - "type": "object", - "required": [ - "oversizeHandling" - ] - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint": { - "properties": { - "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`.\n" - } - }, - "type": "object", - "required": [ - "fallbackBehavior" - ] - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBody:WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBody": { - "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. 
See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" - }, - "oversizeHandling": { - "type": "string", - "description": "What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" + "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `text_transformation` above for details.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope" + "name", + "textTransformations" ] }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll" - }, - "includedPaths": { - "type": "array", - "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchMethod:WebAclRuleStatementSizeConstraintStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchQueryString:WebAclRuleStatementSizeConstraintStatementFieldToMatchQueryString": { + 
"aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp": { "type": "object" }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleHeader:WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleHeader": { + "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace:WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace": { "properties": { - "name": { + "namespace": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "description": "The namespace to use for aggregation\n" } }, "type": "object", "required": [ - "name" + "namespace" ] }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument": { + "aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument:WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument": { "properties": { "name": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" - } - }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementFieldToMatchUriPath:WebAclRuleStatementSizeConstraintStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSizeConstraintStatementTextTransformation:WebAclRuleStatementSizeConstraintStatementTextTransformation": { - "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" - }, - "type": { - "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" - } - }, - "type": "object", - "required": [ - "priority", - "type" - ] - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatement:WebAclRuleStatementSqliMatchStatement": { - "properties": { - "fieldToMatch": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatch:WebAclRuleStatementSqliMatchStatementFieldToMatch", - "description": "Part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" + "description": "The name of the query argument to use.\n" }, "textTransformations": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementTextTransformation:WebAclRuleStatementSqliMatchStatementTextTransformation" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementTextTransformation:WebAclRuleStatementXssMatchStatementTextTransformation" }, - "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `text_transformation` below for details.\n" + "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. 
See `text_transformation` above for details.\n" } }, "type": "object", "required": [ + "name", "textTransformations" ] }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatch:WebAclRuleStatementSqliMatchStatementFieldToMatch": { + "aws:wafv2/WebAclRuleStatementRateBasedStatementScopeDownStatement:WebAclRuleStatementRateBasedStatementScopeDownStatement": { "properties": { - "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments", - "description": "Inspect all query arguments.\n" + "andStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementAndStatement:WebAclRuleStatementAndStatement" }, - "body": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchBody:WebAclRuleStatementSqliMatchStatementFieldToMatchBody", - "description": "Inspect the request body, which immediately follows the request headers. See `body` below for details.\n" + "byteMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementByteMatchStatement:WebAclRuleStatementByteMatchStatement" }, - "cookies": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchCookies:WebAclRuleStatementSqliMatchStatementFieldToMatchCookies", - "description": "Inspect the cookies in the web request. See `cookies` below for details.\n" + "geoMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementGeoMatchStatement:WebAclRuleStatementGeoMatchStatement" }, - "headerOrders": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderOrder" - }, - "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. 
See `header_order` below for details.\n" + "ipSetReferenceStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementIpSetReferenceStatement:WebAclRuleStatementIpSetReferenceStatement" }, - "headers": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchHeader:WebAclRuleStatementSqliMatchStatementFieldToMatchHeader" - }, - "description": "Inspect the request headers. See `headers` below for details.\n" + "labelMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementLabelMatchStatement:WebAclRuleStatementLabelMatchStatement" }, - "ja3Fingerprint": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint", - "description": "Inspect the JA3 fingerprint. See `ja3_fingerprint` below for details.\n" + "notStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementNotStatement:WebAclRuleStatementNotStatement" }, - "jsonBody": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBody:WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBody", - "description": "Inspect the request body as JSON. See `json_body` for details.\n" + "orStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementOrStatement:WebAclRuleStatementOrStatement" }, - "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchMethod:WebAclRuleStatementSqliMatchStatementFieldToMatchMethod", - "description": "Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform.\n" + "regexMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexMatchStatement:WebAclRuleStatementRegexMatchStatement" }, - "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchQueryString:WebAclRuleStatementSqliMatchStatementFieldToMatchQueryString", - "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" + "regexPatternSetReferenceStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatement:WebAclRuleStatementRegexPatternSetReferenceStatement" }, - "singleHeader": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementSqliMatchStatementFieldToMatchSingleHeader", - "description": "Inspect a single header. See `single_header` below for details.\n" + "sizeConstraintStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementSizeConstraintStatement:WebAclRuleStatementSizeConstraintStatement" }, - "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument", - "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" + "sqliMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatement:WebAclRuleStatementRegexPatternSetReferenceStatement" }, - "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchUriPath:WebAclRuleStatementSqliMatchStatementFieldToMatchUriPath", - "description": "Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchBody:WebAclRuleStatementSqliMatchStatementFieldToMatchBody": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" + "xssMatchStatement": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatement:WebAclRuleStatementRegexPatternSetReferenceStatement" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchCookies:WebAclRuleStatementSqliMatchStatementFieldToMatchCookies": { + "aws:wafv2/WebAclRuleStatementRegexMatchStatement:WebAclRuleStatementRegexMatchStatement": { "properties": { - "matchPatterns": { - "type": "array", - "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern" - }, - "description": "The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `included_cookies` or `excluded_cookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html)\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE`\n" + "fieldToMatch": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatch:WebAclRuleStatementXssMatchStatementFieldToMatch", + "description": "The part of a web request that you want AWS WAF to inspect. See `field_to_match` below for details.\n" }, - "oversizeHandling": { + "regexString": { "type": "string", - "description": "What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`.\n" - } - }, - "type": "object", - "required": [ - "matchPatterns", - "matchScope", - "oversizeHandling" - ] - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll" - }, - "excludedCookies": { - "type": "array", - "items": { - "type": "string" - } + "description": "String representing the regular expression. 
Minimum of `1` and maximum of `512` characters.\n" }, - "includedCookies": { + "textTransformations": { "type": "array", "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchHeader:WebAclRuleStatementSqliMatchStatementFieldToMatchHeader": { - "properties": { - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern", - "description": "The filter to use to identify the subset of headers to inspect in a web request. The `match_pattern` block supports only one of the following arguments:\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`.\n" - }, - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementTextTransformation:WebAclRuleStatementXssMatchStatementTextTransformation" + }, + "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. 
See `text_transformation` below for details.\n" } }, "type": "object", "required": [ - "matchPattern", - "matchScope", - "oversizeHandling" + "regexString", + "textTransformations" ] }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern": { + "aws:wafv2/WebAclRuleStatementRegexPatternSetReferenceStatement:WebAclRuleStatementRegexPatternSetReferenceStatement": { "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll", - "description": "An empty configuration block that is used for inspecting all headers.\n" + "arn": { + "type": "string", + "description": "The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references.\n" }, - "excludedHeaders": { - "type": "array", - "items": { - "type": "string" - }, - "description": "An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values.\n" + "fieldToMatch": { + "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatch:WebAclRuleStatementXssMatchStatementFieldToMatch", + "description": "Part of a web request that you want AWS WAF to inspect. 
See `field_to_match` below for details.\n" }, - "includedHeaders": { + "textTransformations": { "type": "array", "items": { - "type": "string" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementTextTransformation:WebAclRuleStatementXssMatchStatementTextTransformation" }, - "description": "An array of strings that will be used for inspecting headers that have a key that matches one of the provided values.\n" - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" - } - }, - "type": "object", - "required": [ - "oversizeHandling" - ] - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint": { - "properties": { - "fallbackBehavior": { - "type": "string", - "description": "The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`.\n" + "description": "Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. 
See `text_transformation` below for details.\n" } }, "type": "object", "required": [ - "fallbackBehavior" + "arn", + "textTransformations" ] }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBody:WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBody": { + "aws:wafv2/WebAclRuleStatementRuleGroupReferenceStatement:WebAclRuleStatementRuleGroupReferenceStatement": { "properties": { - "invalidFallbackBehavior": { - "type": "string", - "description": "What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`.\n" - }, - "matchPattern": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern", - "description": "The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `included_paths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details.\n" - }, - "matchScope": { - "type": "string", - "description": "The parts of the JSON to match against using the `match_pattern`. Valid values are `ALL`, `KEY` and `VALUE`.\n" - }, - "oversizeHandling": { + "arn": { "type": "string", - "description": "What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`.\n" - } - }, - "type": "object", - "required": [ - "matchPattern", - "matchScope" - ] - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern": { - "properties": { - "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "description": "The Amazon Resource Name (ARN) of the `aws.wafv2.RuleGroup` resource.\n" }, - "includedPaths": { + "ruleActionOverrides": { "type": "array", "items": { - "type": "string" - } - } - }, - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchMethod:WebAclRuleStatementSqliMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchQueryString:WebAclRuleStatementSqliMatchStatementFieldToMatchQueryString": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementSqliMatchStatementFieldToMatchSingleHeader": { - "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride:WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride" + }, + "description": "Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. 
See `rule_action_override` below for details.\n" } }, "type": "object", "required": [ - "name" + "arn" ] }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument": { + "aws:wafv2/WebAclRuleStatementSizeConstraintStatement:WebAclRuleStatementSizeConstraintStatement": { "properties": { - "name": { + "comparisonOperator": { "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" - } - }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementFieldToMatchUriPath:WebAclRuleStatementSqliMatchStatementFieldToMatchUriPath": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementSqliMatchStatementTextTransformation:WebAclRuleStatementSqliMatchStatementTextTransformation": { - "properties": { - "priority": { - "type": "integer", - "description": "Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.\n" + "description": "Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`.\n" }, - "type": { - "type": "string", - "description": "Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details.\n" - } - }, - "type": "object", - "required": [ - "priority", - "type" - ] - }, - "aws:wafv2/WebAclRuleStatementXssMatchStatement:WebAclRuleStatementXssMatchStatement": { - "properties": { "fieldToMatch": { "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatch:WebAclRuleStatementXssMatchStatementFieldToMatch", "description": "Part of a web request that you want AWS WAF to inspect. 
See `field_to_match` below for details.\n" }, + "size": { + "type": "integer", + "description": "Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive.\n" + }, "textTransformations": { "type": "array", "items": { @@ -157723,13 +146147,15 @@ }, "type": "object", "required": [ + "comparisonOperator", + "size", "textTransformations" ] }, "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatch:WebAclRuleStatementXssMatchStatementFieldToMatch": { "properties": { "allQueryArguments": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementXssMatchStatementFieldToMatchAllQueryArguments", + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp", "description": "Inspect all query arguments.\n" }, "body": { @@ -157743,7 +146169,7 @@ "headerOrders": { "type": "array", "items": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementXssMatchStatementFieldToMatchHeaderOrder" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchHeader:WebAclRuleStatementXssMatchStatementFieldToMatchHeader" }, "description": "Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `header_order` below for details.\n" }, 
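Review bot: `headerOrders.items` now references `...XssMatchStatementFieldToMatchHeader` instead of `...FieldToMatchHeaderOrder`, and the two do not look interchangeable. The `HeaderOrder` definition removed further down has only `oversizeHandling`, while the `Header` definitions removed for the size-constraint and SQLi statements also carry and require `matchPattern` and `matchScope`; the XSS `Header` definition is only partly visible here, so this is inferred. The earlier hunk, which starts outside this view, shows the same pattern: `sqliMatchStatement` and `xssMatchStatement` under the rate-based scope-down statement both point at `...RegexPatternSetReferenceStatement`, whose `required` list includes `arn`. If that is what the generator produced, SDK users would get WAF rule types that demand fields the statement does not take. This file appears to be generated, so the fix likely belongs in the type-sharing step: reuse a definition only when both the properties and the `required` list are identical, as with the empty-object types folded into `...CustomKeyIp`.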
@@ -157763,11 +146189,11 @@ "description": "Inspect the request body as JSON. See `json_body` for details.\n" }, "method": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchMethod:WebAclRuleStatementXssMatchStatementFieldToMatchMethod", + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp", "description": "Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform.\n" }, "queryString": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchQueryString:WebAclRuleStatementXssMatchStatementFieldToMatchQueryString", + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp", "description": "Inspect the query string. This is the part of a URL that appears after a `?` character, if any.\n" }, "singleHeader": { 
@@ -157775,19 +146201,16 @@ "description": "Inspect a single header. See `single_header` below for details.\n" }, "singleQueryArgument": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument", + "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementXssMatchStatementFieldToMatchSingleHeader", "description": "Inspect a single query argument. See `single_query_argument` below for details.\n" }, "uriPath": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchUriPath:WebAclRuleStatementXssMatchStatementFieldToMatchUriPath", + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp", "description": "Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`.\n" } }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchAllQueryArguments:WebAclRuleStatementXssMatchStatementFieldToMatchAllQueryArguments": { - "type": "object" - }, "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchBody:WebAclRuleStatementXssMatchStatementFieldToMatchBody": { "properties": { "oversizeHandling": { @@ -157825,7 +146248,7 @@ "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern:WebAclRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern": { "properties": { "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp" }, "excludedCookies": { "type": "array", 
@@ -157842,9 +146265,6 @@ }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll:WebAclRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll": { - "type": "object" - }, "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchHeader:WebAclRuleStatementXssMatchStatementFieldToMatchHeader": { "properties": { "matchPattern": { @@ -157870,7 +146290,7 @@ "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern:WebAclRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern": { "properties": { "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll", + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp", "description": "An empty configuration block that is used for inspecting all headers.\n" }, "excludedHeaders": { 
@@ -157890,21 +146310,6 @@ }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll:WebAclRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchHeaderOrder:WebAclRuleStatementXssMatchStatementFieldToMatchHeaderOrder": { - "properties": { - "oversizeHandling": { - "type": "string", - "description": "Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information.\n" - } - }, - "type": "object", - "required": [ - "oversizeHandling" - ] - }, "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint:WebAclRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint": { "properties": { "fallbackBehavior": { @@ -157945,7 +146350,7 @@ "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern:WebAclRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern": { "properties": { "all": { - "$ref": "#/types/aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll" + "$ref": "#/types/aws:wafv2/WebAclRuleStatementRateBasedStatementCustomKeyIp:WebAclRuleStatementRateBasedStatementCustomKeyIp" }, "includedPaths": { "type": "array", 
@@ -157956,15 +146361,6 @@ }, "type": "object" }, - "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll:WebAclRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchMethod:WebAclRuleStatementXssMatchStatementFieldToMatchMethod": { - "type": "object" - }, - "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchQueryString:WebAclRuleStatementXssMatchStatementFieldToMatchQueryString": { - "type": "object" - }, "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchSingleHeader:WebAclRuleStatementXssMatchStatementFieldToMatchSingleHeader": { "properties": { "name": { @@ -157977,21 +146373,6 @@ "name" ] }, - "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument:WebAclRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument": { - "properties": { - "name": { - "type": "string", - "description": "Name of the query header to inspect. This setting must be provided as lower case characters.\n" - } - }, - "type": "object", - "required": [ - "name" - ] - }, - "aws:wafv2/WebAclRuleStatementXssMatchStatementFieldToMatchUriPath:WebAclRuleStatementXssMatchStatementFieldToMatchUriPath": { - "type": "object" - }, "aws:wafv2/WebAclRuleStatementXssMatchStatementTextTransformation:WebAclRuleStatementXssMatchStatementTextTransformation": { "properties": { "priority": { diff --git a/provider/cmd/pulumi-tfgen-aws/wafv2.go b/provider/cmd/pulumi-tfgen-aws/wafv2.go index 05b24fc39d8..3a6ef5b5f49 100644 --- a/provider/cmd/pulumi-tfgen-aws/wafv2.go +++ b/provider/cmd/pulumi-tfgen-aws/wafv2.go @@ -3,11 +3,10 @@ package main import ( - "fmt" - "strings" + "context" + "github.com/pulumi/pulumi-terraform-bridge/v3/pkg/tfgen/unrec" "github.com/pulumi/pulumi/pkg/v3/codegen/schema" - "github.com/pulumi/pulumi/sdk/v3/go/common/util/contract" ) // WafV2 has two problematic resources with massive schemas. 
@@ -19,79 +18,7 @@ import ( // to find all references to all Statement types and replace those // references with a reference to the single top-level Statement types. func replaceWafV2TypesWithRecursive(pulumiPackageSpec *schema.PackageSpec) { - rootStatementTypes := []string{"RuleGroupRuleStatement", "WebAclRuleStatement"} - - // We'll collect all referenced types that we replace with the root - // type, so that we could remove all of elided types and their children. - var elidedRefs []string - for tok, ts := range pulumiPackageSpec.Types { - // Skip everything except WafV2 types. - if !strings.Contains(tok, ":wafv2/") { - continue - } - // The recursive structures look like these currently: - // RuleStatement has a few properties like - // AndStatement, OrStatement, NotStatement, all of separate types. - // Each of those types has a property `statements` that point - // to the next layer of statement types, but should actually point - // to the top one recursively. - // So, we find all the `statements` properties (continue if not found). - var oldRef string - if prop, has := ts.Properties["statements"]; has { - contract.Assertf(prop.TypeSpec.Items != nil, "statements property must be an array") - oldRef = prop.TypeSpec.Items.Ref - } else { - continue - } - // Add the currently referenced type to the list to be elided. - // Example of a reference: - // #/types/aws:wafv2/RuleGroupRuleStatement:RuleGroupRuleStatement - refType := strings.Split(oldRef, ":")[2] - elidedRefs = append(elidedRefs, refType) - // Get the current type name. - typeName := strings.Split(tok, ":")[2] - for _, rule := range rootStatementTypes { - if !strings.HasPrefix(typeName, rule) { - continue - } - // Build a reference to the root RuleStatement type and replace the property. 
- ref := fmt.Sprintf("#/types/aws:wafv2/%s:%[1]s", rule) - ts.Properties["statements"] = schema.PropertySpec{ - Description: "The statements to combine.", - TypeSpec: schema.TypeSpec{ - Type: "array", - Items: &schema.TypeSpec{ - Ref: ref, - }, - }, - } - } - } - - // We collected a list of types `elidedRefs` that used to be referenced - // by other types, but aren't anymore because we replaced them with - // top-level references. - // We want to remove all those types from the schema, and also we want - // to remove all their subtypes. TF types are unidirectional, and our - // naming is very predictable, so all the subtypes' names start with - // the parent type name. - // Loop through all types again and collect the ones that start with - // one of the elided reference type. - var elidedTypes []string - for tok := range pulumiPackageSpec.Types { - if !strings.Contains(tok, "wafv2") { - continue - } - for _, ref := range elidedRefs { - if strings.Contains(tok, ref) { - elidedTypes = append(elidedTypes, tok) - break - } - } - } - - // Now remove all elided types from the schema. - for _, tok := range elidedTypes { - delete(pulumiPackageSpec.Types, tok) + if err := unrec.SimplifyRecursiveTypes(context.Background(), pulumiPackageSpec); err != nil { + panic(err) } } diff --git a/provider/go.mod b/provider/go.mod index 2feb914d0ad..504060a56d6 100644 --- a/provider/go.mod +++ b/provider/go.mod @@ -12,8 +12,8 @@ require ( github.com/hashicorp/terraform-provider-aws v1.60.1-0.20220923175450-ca71523cdc36 github.com/mitchellh/go-homedir v1.1.0 github.com/pulumi/providertest v0.0.11 - github.com/pulumi/pulumi-terraform-bridge/pf v0.38.0 - github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.0 + github.com/pulumi/pulumi-terraform-bridge/pf v0.38.1-0.20240627164523-242339028d5a + github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.1-0.20240627164523-242339028d5a github.com/pulumi/pulumi/pkg/v3 v3.121.0 github.com/pulumi/pulumi/sdk/v3 v3.121.0 github.com/stretchr/testify v1.9.0 
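Review bot: In `replaceWafV2TypesWithRecursive` (provider/cmd/pulumi-tfgen-aws/wafv2.go) the new body hands the whole `pulumiPackageSpec` to `unrec.SimplifyRecursiveTypes`, whereas the removed loop skipped every token without `:wafv2/`; nothing in this hunk shows the helper keeping that scope, and it comes from an untagged bridge pseudo-version, so its effect should be confirmed against the regenerated schema. The schema hunks of this commit already show rewrites beyond the `statements` recursion: `method`, `queryString`, `uriPath` and the `all` match patterns now reference `WebAclRuleStatementRateBasedStatementCustomKeyIp`, and `singleQueryArgument` references `...FieldToMatchSingleHeader`, with the matching per-field interfaces dropped in the nodejs SDK hunk. The doc comment kept as context (it starts above the hunk) still describes the deleted find-and-replace algorithm; I would reword its tail to something like `// This now delegates to unrec.SimplifyRecursiveTypes, which receives the whole package spec.`. The bare `panic(err)` also loses context; `panic(fmt.Errorf("simplifying recursive wafv2 types: %w", err))` would name the failing tfgen step, at the cost of keeping the `fmt` import this commit removes.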
diff --git a/provider/go.sum b/provider/go.sum index 2838ebfbb84..cfa5f10b168 100644 --- a/provider/go.sum +++ b/provider/go.sum @@ -2331,10 +2331,10 @@ github.com/pulumi/providertest v0.0.11 h1:mg8MQ7Cq7+9XlHIkBD+aCqQO4mwAJEISngZgVd github.com/pulumi/providertest v0.0.11/go.mod h1:HsxjVsytcMIuNj19w1lT2W0QXY0oReXl1+h6eD2JXP8= github.com/pulumi/pulumi-java/pkg v0.11.0 h1:Jw9gBvyfmfOMq/EkYDm9+zGPxsDAA8jfeMpHmtZ+1oA= github.com/pulumi/pulumi-java/pkg v0.11.0/go.mod h1:sXAk25P47AQVQL6ilAbFmRNgZykC7og/+87ihnqzFTc= -github.com/pulumi/pulumi-terraform-bridge/pf v0.38.0 h1:0+A+ZkoZWy5EOd4zcnM7tjoQ4V1jV/koR8YvWJ8TK/E= -github.com/pulumi/pulumi-terraform-bridge/pf v0.38.0/go.mod h1:JGOlvwSWY+jEt1V9sI/L8HAP9DBr74aXD10oi5nUJaI= -github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.0 h1:Zv6OPQdkGERufe2Mq9D92xbTm5mg3uhllh0ryrcrrds= -github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.0/go.mod h1:a7t2qe4smtB7HlbHlelQxjJQn8DFNB3Gbe5Ot2W7GZU= +github.com/pulumi/pulumi-terraform-bridge/pf v0.38.1-0.20240627164523-242339028d5a h1:/qeuaUIEyEBh24KbALt0gk+9BzpxxrQxYt8f3RH2o/4= +github.com/pulumi/pulumi-terraform-bridge/pf v0.38.1-0.20240627164523-242339028d5a/go.mod h1:JGOlvwSWY+jEt1V9sI/L8HAP9DBr74aXD10oi5nUJaI= +github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.1-0.20240627164523-242339028d5a h1:aJqL7JhQWc8FN6CZ2fGyIBDBbJ0olMrnxWK8FzYIpYg= +github.com/pulumi/pulumi-terraform-bridge/v3 v3.85.1-0.20240627164523-242339028d5a/go.mod h1:a7t2qe4smtB7HlbHlelQxjJQn8DFNB3Gbe5Ot2W7GZU= github.com/pulumi/pulumi-terraform-bridge/x/muxer v0.0.8 h1:mav2tSitA9BPJPLLahKgepHyYsMzwaTm4cvp0dcTMYw= github.com/pulumi/pulumi-terraform-bridge/x/muxer v0.0.8/go.mod h1:qUYk2c9i/yqMGNj9/bQyXpS39BxNDSXYjVN1njnq0zY= github.com/pulumi/pulumi-yaml v1.8.0 h1:bhmidiCMMuzsJao5FE0UR69iF3WVKPCFrRkzjotFNn4= diff --git a/sdk/nodejs/types/input.ts b/sdk/nodejs/types/input.ts index d463808d73a..d53f8935dbe 100644 --- a/sdk/nodejs/types/input.ts +++ b/sdk/nodejs/types/input.ts 
@@ -69975,16 +69975,16 @@ export namespace wafv2 { /** * An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See SQL Injection Match Statement below for details. */ - sqliMatchStatement?: pulumi.Input; + sqliMatchStatement?: pulumi.Input; /** * A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See XSS Match Statement below for details. */ - xssMatchStatement?: pulumi.Input; + xssMatchStatement?: pulumi.Input; } export interface RuleGroupRuleStatementAndStatement { /** - * The statements to combine. + * The statements to combine with `AND` logic. You can use any statements that can be nested. See Statement above for details. */ statements: pulumi.Input[]>; } @@ -69993,7 +69993,7 @@ export namespace wafv2 { /** * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. */ - fieldToMatch?: pulumi.Input; + fieldToMatch?: pulumi.Input; /** * The area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. */ 
@@ -70007,191 +70007,7 @@ export namespace wafv2 { * At least one required. * See Text Transformation below for details. */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See Single Header below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See Single Query Argument below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. 
- */ - uriPath?: pulumi.Input; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchBody { - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. 
If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: pulumi.Input; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. 
Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementByteMatchStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; + textTransformations: pulumi.Input[]>; } export interface RuleGroupRuleStatementGeoMatchStatement { @@ -70202,18 +70018,7 @@ export namespace wafv2 { /** * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See Forwarded IP Config below for details. */ - forwardedIpConfig?: pulumi.Input; - } - - export interface RuleGroupRuleStatementGeoMatchStatementForwardedIpConfig { - /** - * The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - /** - * The name of the HTTP header to use for the IP address. - */ - headerName: pulumi.Input; + forwardedIpConfig?: pulumi.Input; } export interface RuleGroupRuleStatementIpSetReferenceStatement { @@ -70255,14 +70060,14 @@ export namespace wafv2 { export interface RuleGroupRuleStatementNotStatement { /** - * The statements to combine. + * The statement to negate. You can use any statement that can be nested. See Statement above for details. */ statements: pulumi.Input[]>; } export interface RuleGroupRuleStatementOrStatement { /** - * The statements to combine. + * The statements to combine with `OR` logic. You can use any statements that can be nested. See Statement above for details. */ statements: pulumi.Input[]>; } 
@@ -70285,7 +70090,7 @@ export namespace wafv2 { /** * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregateKeyType` is set to `FORWARDED_IP`, this block is required. See Forwarded IP Config below for details. */ - forwardedIpConfig?: pulumi.Input; + forwardedIpConfig?: pulumi.Input; /** * The limit on requests per 5-minute period for a single originating IP address. */ @@ -70300,11 +70105,11 @@ export namespace wafv2 { /** * (Optional) Use the value of a cookie in the request as an aggregate key. See RateLimit `cookie` below for details. */ - cookie?: pulumi.Input; + cookie?: pulumi.Input; /** * (Optional) Use the first IP address in an HTTP header as an aggregate key. See `forwardedIp` below for details. */ - forwardedIp?: pulumi.Input; + forwardedIp?: pulumi.Input; /** * (Optional) Use the value of a header in the request as an aggregate key. See RateLimit `header` below for details. */ @@ -70312,7 +70117,7 @@ export namespace wafv2 { /** * (Optional) Use the request's HTTP method as an aggregate key. See RateLimit `httpMethod` below for details. */ - httpMethod?: pulumi.Input; + httpMethod?: pulumi.Input; /** * (Optional) Use the request's originating IP address as an aggregate key. See `RateLimit ip` below for details. */ 
@@ -70324,18 +70129,18 @@ export namespace wafv2 { /** * (Optional) Use the specified query argument as an aggregate key. See RateLimit `queryArgument` below for details. */ - queryArgument?: pulumi.Input; + queryArgument?: pulumi.Input; /** * (Optional) Use the request's query string as an aggregate key. See RateLimit `queryString` below for details. */ - queryString?: pulumi.Input; + queryString?: pulumi.Input; /** * (Optional) Use the request's URI path as an aggregate key. See RateLimit `uriPath` below for details. */ - uriPath?: pulumi.Input; + uriPath?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyCookie { + export interface RuleGroupRuleStatementRateBasedStatementCustomKeyHeader { /** * A friendly name of the rule group. */ 
@@ -70343,230 +70148,146 @@ export namespace wafv2 { /** * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details. */ - textTransformations: pulumi.Input[]>; + textTransformations: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyCookieTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; + export interface RuleGroupRuleStatementRateBasedStatementCustomKeyIp { + } + + export interface RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace { /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
+ * The namespace to use for aggregation */ - type: pulumi.Input; + namespace: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyForwardedIp { + export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatement { + andStatement?: pulumi.Input; + byteMatchStatement?: pulumi.Input; + geoMatchStatement?: pulumi.Input; + ipSetReferenceStatement?: pulumi.Input; + labelMatchStatement?: pulumi.Input; + notStatement?: pulumi.Input; + orStatement?: pulumi.Input; + regexMatchStatement?: pulumi.Input; + regexPatternSetReferenceStatement?: pulumi.Input; + sizeConstraintStatement?: pulumi.Input; + sqliMatchStatement?: pulumi.Input; + xssMatchStatement?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyHeader { + export interface RuleGroupRuleStatementRegexMatchStatement { /** - * A friendly name of the rule group. + * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. */ - name: pulumi.Input; + fieldToMatch?: pulumi.Input; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details. + * The string representing the regular expression. **Note:** The fixed quota for the maximum number of characters in each regex pattern is 200, which can't be changed. See [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) for details. + */ + regexString: pulumi.Input; + /** + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. + * At least one required. + * See Text Transformation below for details. 
*/ - textTransformations: pulumi.Input[]>; + textTransformations: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation { + export interface RuleGroupRuleStatementRegexPatternSetReferenceStatement { /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. */ - priority: pulumi.Input; + arn: pulumi.Input; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyHttpMethod { - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyIp { - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace { + fieldToMatch?: pulumi.Input; /** - * The namespace to use for aggregation + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. + * At least one required. + * See Text Transformation below for details. */ - namespace: pulumi.Input; + textTransformations: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgument { + export interface RuleGroupRuleStatementSizeConstraintStatement { /** - * A friendly name of the rule group. + * The operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. 
*/ - name: pulumi.Input; + comparisonOperator: pulumi.Input; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details. + * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation { + fieldToMatch?: pulumi.Input; /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. */ - priority: pulumi.Input; + size: pulumi.Input; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. + * At least one required. + * See Text Transformation below for details. */ - type: pulumi.Input; + textTransformations: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyQueryString { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatch { /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. 
Atleast one transformation is required. See Text Transformation above for details. + * Inspect all query arguments. */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation { + allQueryArguments?: pulumi.Input; /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Inspect the request body, which immediately follows the request headers. */ - priority: pulumi.Input; + body?: pulumi.Input; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Inspect the cookies in the web request. See Cookies below for details. */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyUriPath { - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
- */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementForwardedIpConfig { - /** - * The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - /** - * The name of the HTTP header to use for the IP address. - */ - headerName: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatement { - andStatement?: pulumi.Input; - byteMatchStatement?: pulumi.Input; - geoMatchStatement?: pulumi.Input; - ipSetReferenceStatement?: pulumi.Input; - labelMatchStatement?: pulumi.Input; - notStatement?: pulumi.Input; - orStatement?: pulumi.Input; - regexMatchStatement?: pulumi.Input; - regexPatternSetReferenceStatement?: pulumi.Input; - sizeConstraintStatement?: pulumi.Input; - sqliMatchStatement?: pulumi.Input; - xssMatchStatement?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementAndStatement { - /** - * The statements to combine. - */ - statements: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * The area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. - */ - positionalConstraint: pulumi.Input; - /** - * A string value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. 
- */ - searchString: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: pulumi.Input; + cookies?: pulumi.Input; /** * Inspect the request headers. See Header Order below for details. */ - headerOrders?: pulumi.Input[]>; + headerOrders?: pulumi.Input[]>; /** * Inspect the request headers. See Headers below for details. */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; + headers?: pulumi.Input[]>; + ja3Fingerprint?: pulumi.Input; /** * Inspect the request body as JSON. See JSON Body for details. */ - jsonBody?: pulumi.Input; + jsonBody?: pulumi.Input; /** * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. */ - method?: pulumi.Input; + method?: pulumi.Input; /** * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. */ - queryString?: pulumi.Input; + queryString?: pulumi.Input; /** * Inspect a single header. See Single Header below for details. */ - singleHeader?: pulumi.Input; + singleHeader?: pulumi.Input; /** * Inspect a single query argument. See Single Query Argument below for details. */ - singleQueryArgument?: pulumi.Input; + singleQueryArgument?: pulumi.Input; /** * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. 
*/ - uriPath?: pulumi.Input; + uriPath?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchBody { oversizeHandling?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies { /** * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) */ - matchPatterns: pulumi.Input[]>; + matchPatterns: pulumi.Input[]>; /** * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` */ 
@@ -70577,20 +70298,17 @@ export namespace wafv2 { oversizeHandling: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern { + all?: pulumi.Input; excludedCookies?: pulumi.Input[]>; includedCookies?: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader { /** * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: */ - matchPattern: pulumi.Input; + matchPattern: pulumi.Input; /** * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. */ @@ -70601,11 +70319,11 @@ export namespace wafv2 { oversizeHandling: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern { /** * An empty configuration block that is used for inspecting all headers. */ - all?: pulumi.Input; + all?: pulumi.Input; /** * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. */ 
@@ -70616,21 +70334,11 @@ export namespace wafv2 { includedHeaders?: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint { fallbackBehavior: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody { /** * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. */ @@ -70638,7 +70346,7 @@ export namespace wafv2 { /** * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. */ - matchPattern: pulumi.Input; + matchPattern: pulumi.Input; /** * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. */ 
@@ -70649,38 +70357,19 @@ export namespace wafv2 { oversizeHandling?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { + all?: pulumi.Input; includedPaths?: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader { /** * The name of the query header to inspect. This setting must be provided as lower case characters. */ name: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation { + export interface RuleGroupRuleStatementXssMatchStatementTextTransformation { /** * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. */ 
@@ -70691,7329 +70380,1164 @@ export namespace wafv2 { type: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement { + export interface RuleGroupRuleVisibilityConfig { /** - * An array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. + * A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics). */ - countryCodes: pulumi.Input[]>; + cloudwatchMetricsEnabled: pulumi.Input; /** - * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See Forwarded IP Config below for details. + * A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`. + */ + metricName: pulumi.Input; + /** + * A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console. */ - forwardedIpConfig?: pulumi.Input; + sampledRequestsEnabled: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig { + export interface RuleGroupVisibilityConfig { /** - * The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. 
+ * A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics). */ - fallbackBehavior: pulumi.Input; + cloudwatchMetricsEnabled: pulumi.Input; /** - * The name of the HTTP header to use for the IP address. + * A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`. */ - headerName: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement { + metricName: pulumi.Input; /** - * The Amazon Resource Name (ARN) of the IP Set that this statement references. + * A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console. */ - arn: pulumi.Input; + sampledRequestsEnabled: pulumi.Input; + } + + export interface WebAclAssociationConfig { /** - * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See IPSet Forwarded IP Config below for more details. + * Customizes the request body that your protected resource forward to AWS WAF for inspection. See `requestBody` below for details. */ - ipSetForwardedIpConfig?: pulumi.Input; + requestBodies?: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig { + export interface WebAclAssociationConfigRequestBody { /** - * The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. 
+ * Customizes the request body that your protected Amazon API Gateway REST APIs forward to AWS WAF for inspection. Applicable only when `scope` is set to `CLOUDFRONT`. See `apiGateway` below for details. */ - fallbackBehavior: pulumi.Input; + apiGateways?: pulumi.Input[]>; /** - * The name of the HTTP header to use for the IP address. + * Customizes the request body that your protected Amazon App Runner services forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `appRunnerService` below for details. */ - headerName: pulumi.Input; + appRunnerServices?: pulumi.Input[]>; /** - * The position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. + * Customizes the request body that your protected Amazon CloudFront distributions forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `cloudfront` below for details. */ - position: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement { + cloudfronts?: pulumi.Input[]>; /** - * The string to match against. + * Customizes the request body that your protected Amazon Cognito user pools forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `cognitoUserPool` below for details. */ - key: pulumi.Input; + cognitoUserPools?: pulumi.Input[]>; /** - * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. + * Customizes the request body that your protected AWS Verfied Access instances forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `verifiedAccessInstance` below for details. 
*/ - scope: pulumi.Input; + verifiedAccessInstances?: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementNotStatement { + export interface WebAclAssociationConfigRequestBodyApiGateway { /** - * The statements to combine. + * Specifies the maximum size of the web request body component that an associated Amazon API Gateway REST APIs should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. */ - statements: pulumi.Input[]>; + defaultSizeInspectionLimit: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementOrStatement { + export interface WebAclAssociationConfigRequestBodyAppRunnerService { /** - * The statements to combine. + * Specifies the maximum size of the web request body component that an associated Amazon App Runner services should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. */ - statements: pulumi.Input[]>; + defaultSizeInspectionLimit: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * The string representing the regular expression. **Note:** The fixed quota for the maximum number of characters in each regex pattern is 200, which can't be changed. See [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) for details. - */ - regexString: pulumi.Input; + export interface WebAclAssociationConfigRequestBodyCloudfront { /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. 
- * See Text Transformation below for details. + * Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. */ - textTransformations: pulumi.Input[]>; + defaultSizeInspectionLimit: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch { + export interface WebAclAssociationConfigRequestBodyCognitoUserPool { /** - * Inspect all query arguments. + * Specifies the maximum size of the web request body component that an associated Amazon Cognito user pools should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. */ - allQueryArguments?: pulumi.Input; + defaultSizeInspectionLimit: pulumi.Input; + } + + export interface WebAclAssociationConfigRequestBodyVerifiedAccessInstance { /** - * Inspect the request body, which immediately follows the request headers. + * Specifies the maximum size of the web request body component that an associated AWS Verified Access instances should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. */ - body?: pulumi.Input; + defaultSizeInspectionLimit: pulumi.Input; + } + + export interface WebAclCaptchaConfig { /** - * Inspect the cookies in the web request. See Cookies below for details. + * Defines custom immunity time. See `immunityTimeProperty` below for details. */ - cookies?: pulumi.Input; + immunityTimeProperty?: pulumi.Input; + } + + export interface WebAclCaptchaConfigImmunityTimeProperty { /** - * Inspect the request headers. See Header Order below for details. 
+ * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. */ - headerOrders?: pulumi.Input[]>; + immunityTime?: pulumi.Input; + } + + export interface WebAclChallengeConfig { /** - * Inspect the request headers. See Headers below for details. + * Defines custom immunity time. See `immunityTimeProperty` below for details. */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; + immunityTimeProperty?: pulumi.Input; + } + + export interface WebAclChallengeConfigImmunityTimeProperty { /** - * Inspect the request body as JSON. See JSON Body for details. + * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. */ - jsonBody?: pulumi.Input; + immunityTime?: pulumi.Input; + } + + export interface WebAclCustomResponseBody { /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * Payload of the custom response. */ - method?: pulumi.Input; + content: pulumi.Input; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * Type of content in the payload that you are defining in the `content` argument. Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. */ - queryString?: pulumi.Input; + contentType: pulumi.Input; /** - * Inspect a single header. See Single Header below for details. + * Unique key identifying the custom response body. This is referenced by the `customResponseBodyKey` argument in the `customResponse` block. */ - singleHeader?: pulumi.Input; + key: pulumi.Input; + } + + export interface WebAclDefaultAction { /** - * Inspect a single query argument. See Single Query Argument below for details. + * Specifies that AWS WAF should allow requests by default. See `allow` below for details. 
*/ - singleQueryArgument?: pulumi.Input; + allow?: pulumi.Input; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Specifies that AWS WAF should block requests by default. See `block` below for details. */ - uriPath?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments { + block?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody { - oversizeHandling?: pulumi.Input; + export interface WebAclDefaultActionAllow { + /** + * Defines custom handling for the web request. See `customRequestHandling` below for details. + */ + customRequestHandling?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies { + export interface WebAclDefaultActionAllowCustomRequestHandling { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. */ - matchPatterns: pulumi.Input[]>; + insertHeaders: pulumi.Input[]>; + } + + export interface WebAclDefaultActionAllowCustomRequestHandlingInsertHeader { /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. 
For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - matchScope: pulumi.Input; + name: pulumi.Input; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * Value of the custom header. */ - oversizeHandling: pulumi.Input; + value: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; + export interface WebAclDefaultActionBlock { + /** + * Defines a custom response for the web request. See `customResponse` below for details. + */ + customResponse?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll { + export interface WebAclDefaultActionBlockCustomResponse { + /** + * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. + */ + customResponseBodyKey?: pulumi.Input; + /** + * The HTTP status code to return to the client. + */ + responseCode: pulumi.Input; + /** + * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. 
+ */ + responseHeaders?: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader { + export interface WebAclDefaultActionBlockCustomResponseResponseHeader { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - matchPattern: pulumi.Input; + name: pulumi.Input; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * Value of the custom header. */ - matchScope: pulumi.Input; + value: pulumi.Input; + } + + export interface WebAclLoggingConfigurationLoggingFilter { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Default handling for logs that don't match any of the specified filtering conditions. Valid values for `defaultBehavior` are `KEEP` or `DROP`. */ - oversizeHandling: pulumi.Input; + defaultBehavior: pulumi.Input; + /** + * Filter(s) that you want to apply to the logs. See Filter below for more details. 
+ */ + filters: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern { + export interface WebAclLoggingConfigurationLoggingFilterFilter { /** - * An empty configuration block that is used for inspecting all headers. + * Parameter that determines how to handle logs that meet the conditions and requirements of the filter. The valid values for `behavior` are `KEEP` or `DROP`. */ - all?: pulumi.Input; + behavior: pulumi.Input; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * Match condition(s) for the filter. See Condition below for more details. */ - excludedHeaders?: pulumi.Input[]>; + conditions: pulumi.Input[]>; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. Valid values for `requirement` are `MEETS_ALL` or `MEETS_ANY`. */ - includedHeaders?: pulumi.Input[]>; + requirement: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll { + export interface WebAclLoggingConfigurationLoggingFilterFilterCondition { + /** + * Configuration for a single action condition. See Action Condition below for more details. + */ + actionCondition?: pulumi.Input; + /** + * Condition for a single label name. See Label Name Condition below for more details. 
+ */ + labelNameCondition?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder { + export interface WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Action setting that a log record must contain in order to meet the condition. Valid values for `action` are `ALLOW`, `BLOCK`, and `COUNT`. */ - oversizeHandling: pulumi.Input; + action: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: pulumi.Input; + export interface WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition { + /** + * Name of the label that a log record must contain in order to meet the condition. It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. The prefix identifies the rule group or web ACL context of the rule that added the label. + */ + labelName: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody { + export interface WebAclLoggingConfigurationRedactedField { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * HTTP method to be redacted. It must be specified as an empty configuration block `{}`. The method indicates the type of operation that the request is asking the origin to perform. 
*/ - invalidFallbackBehavior?: pulumi.Input; + method?: pulumi.Input; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Whether to redact the query string. It must be specified as an empty configuration block `{}`. The query string is the part of a URL that appears after a `?` character, if any. */ - matchPattern: pulumi.Input; + queryString?: pulumi.Input; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * "singleHeader" refers to the redaction of a single header. For more information, please see the details below under Single Header. */ - matchScope: pulumi.Input; + singleHeader?: pulumi.Input; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Configuration block that redacts the request URI path. It should be specified as an empty configuration block `{}`. The URI path is the part of a web request that identifies a resource, such as `/images/daily-ad.jpg`. 
*/ - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod { + uriPath?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString { + export interface WebAclLoggingConfigurationRedactedFieldMethod { } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; + export interface WebAclLoggingConfigurationRedactedFieldQueryString { } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument { + export interface WebAclLoggingConfigurationRedactedFieldSingleHeader { /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * Name of the query header to redact. This setting must be provided in lowercase characters. */ name: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath { + export interface WebAclLoggingConfigurationRedactedFieldUriPath { } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; + export interface WebAclRule { /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Action that AWS WAF should take on a web request when it matches the rule's statement. This is used only for rules whose **statements do not reference a rule group**. See `action` for details. */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement { + action?: pulumi.Input; /** - * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. + * Specifies how AWS WAF should handle CAPTCHA evaluations. See `captchaConfig` below for details. */ - arn: pulumi.Input; + captchaConfig?: pulumi.Input; /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. + * Friendly name of the rule. Note that the provider assumes that rules with names matching this pattern, `^ShieldMitigationRuleGroup___.*`, are AWS-added for [automatic application layer DDoS mitigation activities](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response-rg.html). Such rules will be ignored by the provider unless you explicitly include them in your configuration (for example, by using the AWS CLI to discover their properties and creating matching configuration). However, since these rules are owned and managed by AWS, you may get permission errors. */ - fieldToMatch?: pulumi.Input; + name: pulumi.Input; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. 
+ * Override action to apply to the rules in a rule group. Used only for rule **statements that reference a rule group**, like `ruleGroupReferenceStatement` and `managedRuleGroupStatement`. See `overrideAction` below for details. */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch { + overrideAction?: pulumi.Input; /** - * Inspect all query arguments. + * If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. AWS WAF processes rules with lower priority first. */ - allQueryArguments?: pulumi.Input; + priority: pulumi.Input; /** - * Inspect the request body, which immediately follows the request headers. + * Labels to apply to web requests that match the rule match statement. See `ruleLabel` below for details. */ - body?: pulumi.Input; + ruleLabels?: pulumi.Input[]>; /** - * Inspect the cookies in the web request. See Cookies below for details. + * The AWS WAF processing statement for the rule, for example `byteMatchStatement` or `geoMatchStatement`. See `statement` below for details. */ - cookies?: pulumi.Input; + statement: pulumi.Input; /** - * Inspect the request headers. See Header Order below for details. + * Defines and enables Amazon CloudWatch metrics and web request sample collection. See `visibilityConfig` below for details. */ - headerOrders?: pulumi.Input[]>; + visibilityConfig: pulumi.Input; + } + + export interface WebAclRuleAction { /** - * Inspect the request headers. See Headers below for details. + * Instructs AWS WAF to allow the web request. See `allow` below for details. */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; + allow?: pulumi.Input; /** - * Inspect the request body as JSON. See JSON Body for details. + * Instructs AWS WAF to block the web request. See `block` below for details. 
*/ - jsonBody?: pulumi.Input; + block?: pulumi.Input; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * Instructs AWS WAF to run a Captcha check against the web request. See `captcha` below for details. */ - method?: pulumi.Input; + captcha?: pulumi.Input; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See `challenge` below for details. */ - queryString?: pulumi.Input; + challenge?: pulumi.Input; /** - * Inspect a single header. See Single Header below for details. + * Instructs AWS WAF to count the web request and allow it. See `count` below for details. */ - singleHeader?: pulumi.Input; + count?: pulumi.Input; + } + + export interface WebAclRuleActionAllow { /** - * Inspect a single query argument. See Single Query Argument below for details. + * Defines custom handling for the web request. See `customRequestHandling` below for details. */ - singleQueryArgument?: pulumi.Input; + customRequestHandling?: pulumi.Input; + } + + export interface WebAclRuleActionAllowCustomRequestHandling { /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. */ - uriPath?: pulumi.Input; + insertHeaders: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments { + export interface WebAclRuleActionAllowCustomRequestHandlingInsertHeader { + /** + * Name of the custom header. 
For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + */ + name: pulumi.Input; + /** + * Value of the custom header. + */ + value: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody { - oversizeHandling?: pulumi.Input; + export interface WebAclRuleActionBlock { + /** + * Defines a custom response for the web request. See `customResponse` below for details. + */ + customResponse?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies { + export interface WebAclRuleActionBlockCustomResponse { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. */ - matchPatterns: pulumi.Input[]>; + customResponseBodyKey?: pulumi.Input; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The HTTP status code to return to the client. */ - matchScope: pulumi.Input; + responseCode: pulumi.Input; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. 
The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll { + responseHeaders?: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader { + export interface WebAclRuleActionBlockCustomResponseResponseHeader { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - matchPattern: pulumi.Input; + name: pulumi.Input; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * Value of the custom header. */ - matchScope: pulumi.Input; + value: pulumi.Input; + } + + export interface WebAclRuleActionCaptcha { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. 
Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Defines custom handling for the web request. See `customRequestHandling` below for details. */ - oversizeHandling: pulumi.Input; + customRequestHandling?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern { + export interface WebAclRuleActionCaptchaCustomRequestHandling { /** - * An empty configuration block that is used for inspecting all headers. + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. */ - all?: pulumi.Input; + insertHeaders: pulumi.Input[]>; + } + + export interface WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader { /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - excludedHeaders?: pulumi.Input[]>; + name: pulumi.Input; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * Value of the custom header. 
*/ - includedHeaders?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll { + value: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder { + export interface WebAclRuleActionChallenge { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Defines custom handling for the web request. See `customRequestHandling` below for details. */ - oversizeHandling: pulumi.Input; + customRequestHandling?: pulumi.Input; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: pulumi.Input; + export interface WebAclRuleActionChallengeCustomRequestHandling { + /** + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + */ + insertHeaders: pulumi.Input[]>; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody { + export interface WebAclRuleActionChallengeCustomRequestHandlingInsertHeader { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. 
For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - invalidFallbackBehavior?: pulumi.Input; + name: pulumi.Input; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Value of the custom header. */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement { - /** - * The operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. - */ - comparisonOperator: pulumi.Input; - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * The size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. - */ - size: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. 
- */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See Single Header below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See Single Query Argument below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody { - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. 
- */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. 
See JSON Body for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See Single Header below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See Single Query Argument below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody { - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. 
The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. 
- */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
- */ - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
- */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See Single Header below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See Single Query Argument below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. 
- */ - uriPath?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody { - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. 
The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * The string representing the regular expression. **Note:** The fixed quota for the maximum number of characters in each regex pattern is 200, which can't be changed. See [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) for details. - */ - regexString: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatch { - /** - * Inspect all query arguments. 
- */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See Single Header below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See Single Query Argument below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchBody { - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. 
Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementRegexMatchStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatement { - /** - * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. 
- */ - arn: pulumi.Input; - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See Single Header below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See Single Query Argument below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. 
- */ - uriPath?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody { - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. 
The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. 
This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementSizeConstraintStatement { - /** - * The operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. - */ - comparisonOperator: pulumi.Input; - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * The size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. - */ - size: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See Cookies below for details. 
- */ - cookies?: pulumi.Input; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See Single Header below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See Single Query Argument below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchBody { - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. 
- */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: pulumi.Input; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
- */ - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementSizeConstraintStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementSqliMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. 
- * At least one required. - * See Text Transformation below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See Single Header below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See Single Query Argument below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchBody { - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. 
You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: pulumi.Input; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. 
- */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementSqliMatchStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
- */ - type: pulumi.Input; - } - - export interface RuleGroupRuleStatementXssMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: pulumi.Input[]>; - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See Single Header below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See Single Query Argument below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. 
- */ - uriPath?: pulumi.Input; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchBody { - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. 
If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: pulumi.Input; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. 
Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementXssMatchStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface RuleGroupRuleVisibilityConfig { - /** - * A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics). - */ - cloudwatchMetricsEnabled: pulumi.Input; - /** - * A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`. - */ - metricName: pulumi.Input; - /** - * A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console. - */ - sampledRequestsEnabled: pulumi.Input; - } - - export interface RuleGroupVisibilityConfig { - /** - * A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics). - */ - cloudwatchMetricsEnabled: pulumi.Input; - /** - * A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`. 
- */ - metricName: pulumi.Input; - /** - * A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console. - */ - sampledRequestsEnabled: pulumi.Input; - } - - export interface WebAclAssociationConfig { - /** - * Customizes the request body that your protected resource forward to AWS WAF for inspection. See `requestBody` below for details. - */ - requestBodies?: pulumi.Input[]>; - } - - export interface WebAclAssociationConfigRequestBody { - /** - * Customizes the request body that your protected Amazon API Gateway REST APIs forward to AWS WAF for inspection. Applicable only when `scope` is set to `CLOUDFRONT`. See `apiGateway` below for details. - */ - apiGateways?: pulumi.Input[]>; - /** - * Customizes the request body that your protected Amazon App Runner services forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `appRunnerService` below for details. - */ - appRunnerServices?: pulumi.Input[]>; - /** - * Customizes the request body that your protected Amazon CloudFront distributions forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `cloudfront` below for details. - */ - cloudfronts?: pulumi.Input[]>; - /** - * Customizes the request body that your protected Amazon Cognito user pools forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `cognitoUserPool` below for details. - */ - cognitoUserPools?: pulumi.Input[]>; - /** - * Customizes the request body that your protected AWS Verfied Access instances forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `verifiedAccessInstance` below for details. 
- */ - verifiedAccessInstances?: pulumi.Input[]>; - } - - export interface WebAclAssociationConfigRequestBodyApiGateway { - /** - * Specifies the maximum size of the web request body component that an associated Amazon API Gateway REST APIs should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. - */ - defaultSizeInspectionLimit: pulumi.Input; - } - - export interface WebAclAssociationConfigRequestBodyAppRunnerService { - /** - * Specifies the maximum size of the web request body component that an associated Amazon App Runner services should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. - */ - defaultSizeInspectionLimit: pulumi.Input; - } - - export interface WebAclAssociationConfigRequestBodyCloudfront { - /** - * Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. - */ - defaultSizeInspectionLimit: pulumi.Input; - } - - export interface WebAclAssociationConfigRequestBodyCognitoUserPool { - /** - * Specifies the maximum size of the web request body component that an associated Amazon Cognito user pools should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. - */ - defaultSizeInspectionLimit: pulumi.Input; - } - - export interface WebAclAssociationConfigRequestBodyVerifiedAccessInstance { - /** - * Specifies the maximum size of the web request body component that an associated AWS Verified Access instances should send to AWS WAF for inspection. 
This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. - */ - defaultSizeInspectionLimit: pulumi.Input; - } - - export interface WebAclCaptchaConfig { - /** - * Defines custom immunity time. See `immunityTimeProperty` below for details. - */ - immunityTimeProperty?: pulumi.Input; - } - - export interface WebAclCaptchaConfigImmunityTimeProperty { - /** - * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. - */ - immunityTime?: pulumi.Input; - } - - export interface WebAclChallengeConfig { - /** - * Defines custom immunity time. See `immunityTimeProperty` below for details. - */ - immunityTimeProperty?: pulumi.Input; - } - - export interface WebAclChallengeConfigImmunityTimeProperty { - /** - * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. - */ - immunityTime?: pulumi.Input; - } - - export interface WebAclCustomResponseBody { - /** - * Payload of the custom response. - */ - content: pulumi.Input; - /** - * Type of content in the payload that you are defining in the `content` argument. Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. - */ - contentType: pulumi.Input; - /** - * Unique key identifying the custom response body. This is referenced by the `customResponseBodyKey` argument in the `customResponse` block. - */ - key: pulumi.Input; - } - - export interface WebAclDefaultAction { - /** - * Specifies that AWS WAF should allow requests by default. See `allow` below for details. - */ - allow?: pulumi.Input; - /** - * Specifies that AWS WAF should block requests by default. See `block` below for details. - */ - block?: pulumi.Input; - } - - export interface WebAclDefaultActionAllow { - /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. 
- */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclDefaultActionAllowCustomRequestHandling { - /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. - */ - insertHeaders: pulumi.Input[]>; - } - - export interface WebAclDefaultActionAllowCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; - /** - * Value of the custom header. - */ - value: pulumi.Input; - } - - export interface WebAclDefaultActionBlock { - /** - * Defines a custom response for the web request. See `customResponse` below for details. - */ - customResponse?: pulumi.Input; - } - - export interface WebAclDefaultActionBlockCustomResponse { - /** - * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. - */ - customResponseBodyKey?: pulumi.Input; - /** - * The HTTP status code to return to the client. - */ - responseCode: pulumi.Input; - /** - * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. - */ - responseHeaders?: pulumi.Input[]>; - } - - export interface WebAclDefaultActionBlockCustomResponseResponseHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. 
- */ - name: pulumi.Input; - /** - * Value of the custom header. - */ - value: pulumi.Input; - } - - export interface WebAclLoggingConfigurationLoggingFilter { - /** - * Default handling for logs that don't match any of the specified filtering conditions. Valid values for `defaultBehavior` are `KEEP` or `DROP`. - */ - defaultBehavior: pulumi.Input; - /** - * Filter(s) that you want to apply to the logs. See Filter below for more details. - */ - filters: pulumi.Input[]>; - } - - export interface WebAclLoggingConfigurationLoggingFilterFilter { - /** - * Parameter that determines how to handle logs that meet the conditions and requirements of the filter. The valid values for `behavior` are `KEEP` or `DROP`. - */ - behavior: pulumi.Input; - /** - * Match condition(s) for the filter. See Condition below for more details. - */ - conditions: pulumi.Input[]>; - /** - * Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. Valid values for `requirement` are `MEETS_ALL` or `MEETS_ANY`. - */ - requirement: pulumi.Input; - } - - export interface WebAclLoggingConfigurationLoggingFilterFilterCondition { - /** - * Configuration for a single action condition. See Action Condition below for more details. - */ - actionCondition?: pulumi.Input; - /** - * Condition for a single label name. See Label Name Condition below for more details. - */ - labelNameCondition?: pulumi.Input; - } - - export interface WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition { - /** - * Action setting that a log record must contain in order to meet the condition. Valid values for `action` are `ALLOW`, `BLOCK`, and `COUNT`. - */ - action: pulumi.Input; - } - - export interface WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition { - /** - * Name of the label that a log record must contain in order to meet the condition. 
It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. The prefix identifies the rule group or web ACL context of the rule that added the label. - */ - labelName: pulumi.Input; - } - - export interface WebAclLoggingConfigurationRedactedField { - /** - * HTTP method to be redacted. It must be specified as an empty configuration block `{}`. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Whether to redact the query string. It must be specified as an empty configuration block `{}`. The query string is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * "singleHeader" refers to the redaction of a single header. For more information, please see the details below under Single Header. - */ - singleHeader?: pulumi.Input; - /** - * Configuration block that redacts the request URI path. It should be specified as an empty configuration block `{}`. The URI path is the part of a web request that identifies a resource, such as `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclLoggingConfigurationRedactedFieldMethod { - } - - export interface WebAclLoggingConfigurationRedactedFieldQueryString { - } - - export interface WebAclLoggingConfigurationRedactedFieldSingleHeader { - /** - * Name of the query header to redact. This setting must be provided in lowercase characters. - */ - name: pulumi.Input; - } - - export interface WebAclLoggingConfigurationRedactedFieldUriPath { - } - - export interface WebAclRule { - /** - * Action that AWS WAF should take on a web request when it matches the rule's statement. This is used only for rules whose **statements do not reference a rule group**. See `action` for details. - */ - action?: pulumi.Input; - /** - * Specifies how AWS WAF should handle CAPTCHA evaluations. See `captchaConfig` below for details. 
- */ - captchaConfig?: pulumi.Input; - /** - * Friendly name of the rule. Note that the provider assumes that rules with names matching this pattern, `^ShieldMitigationRuleGroup___.*`, are AWS-added for [automatic application layer DDoS mitigation activities](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response-rg.html). Such rules will be ignored by the provider unless you explicitly include them in your configuration (for example, by using the AWS CLI to discover their properties and creating matching configuration). However, since these rules are owned and managed by AWS, you may get permission errors. - */ - name: pulumi.Input; - /** - * Override action to apply to the rules in a rule group. Used only for rule **statements that reference a rule group**, like `ruleGroupReferenceStatement` and `managedRuleGroupStatement`. See `overrideAction` below for details. - */ - overrideAction?: pulumi.Input; - /** - * If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. AWS WAF processes rules with lower priority first. - */ - priority: pulumi.Input; - /** - * Labels to apply to web requests that match the rule match statement. See `ruleLabel` below for details. - */ - ruleLabels?: pulumi.Input[]>; - /** - * The AWS WAF processing statement for the rule, for example `byteMatchStatement` or `geoMatchStatement`. See `statement` below for details. - */ - statement: pulumi.Input; - /** - * Defines and enables Amazon CloudWatch metrics and web request sample collection. See `visibilityConfig` below for details. - */ - visibilityConfig: pulumi.Input; - } - - export interface WebAclRuleAction { - /** - * Instructs AWS WAF to allow the web request. See `allow` below for details. - */ - allow?: pulumi.Input; - /** - * Instructs AWS WAF to block the web request. See `block` below for details. 
- */ - block?: pulumi.Input; - /** - * Instructs AWS WAF to run a Captcha check against the web request. See `captcha` below for details. - */ - captcha?: pulumi.Input; - /** - * Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See `challenge` below for details. - */ - challenge?: pulumi.Input; - /** - * Instructs AWS WAF to count the web request and allow it. See `count` below for details. - */ - count?: pulumi.Input; - } - - export interface WebAclRuleActionAllow { - /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. - */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclRuleActionAllowCustomRequestHandling { - /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. - */ - insertHeaders: pulumi.Input[]>; - } - - export interface WebAclRuleActionAllowCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; - /** - * Value of the custom header. - */ - value: pulumi.Input; - } - - export interface WebAclRuleActionBlock { - /** - * Defines a custom response for the web request. See `customResponse` below for details. - */ - customResponse?: pulumi.Input; - } - - export interface WebAclRuleActionBlockCustomResponse { - /** - * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. - */ - customResponseBodyKey?: pulumi.Input; - /** - * The HTTP status code to return to the client. 
- */ - responseCode: pulumi.Input; - /** - * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. - */ - responseHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleActionBlockCustomResponseResponseHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; - /** - * Value of the custom header. - */ - value: pulumi.Input; - } - - export interface WebAclRuleActionCaptcha { - /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. - */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclRuleActionCaptchaCustomRequestHandling { - /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. - */ - insertHeaders: pulumi.Input[]>; - } - - export interface WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; - /** - * Value of the custom header. - */ - value: pulumi.Input; - } - - export interface WebAclRuleActionChallenge { - /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. 
- */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclRuleActionChallengeCustomRequestHandling { - /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. - */ - insertHeaders: pulumi.Input[]>; - } - - export interface WebAclRuleActionChallengeCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; - /** - * Value of the custom header. - */ - value: pulumi.Input; - } - - export interface WebAclRuleActionCount { - /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. - */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclRuleActionCountCustomRequestHandling { - /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. - */ - insertHeaders: pulumi.Input[]>; - } - - export interface WebAclRuleActionCountCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; - /** - * Value of the custom header. - */ - value: pulumi.Input; - } - - export interface WebAclRuleCaptchaConfig { - /** - * Defines custom immunity time. See `immunityTimeProperty` below for details. 
- */ - immunityTimeProperty?: pulumi.Input; - } - - export interface WebAclRuleCaptchaConfigImmunityTimeProperty { - /** - * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. - */ - immunityTime?: pulumi.Input; - } - - export interface WebAclRuleOverrideAction { - /** - * Override the rule action setting to count (i.e., only count matches). Configured as an empty block `{}`. - */ - count?: pulumi.Input; - /** - * Don't override the rule action setting. Configured as an empty block `{}`. - */ - none?: pulumi.Input; - } - - export interface WebAclRuleOverrideActionCount { - } - - export interface WebAclRuleOverrideActionNone { - } - - export interface WebAclRuleRuleLabel { - /** - * Label string. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatement { - /** - * Logical rule statement used to combine other rule statements with AND logic. See `andStatement` below for details. - */ - andStatement?: pulumi.Input; - /** - * Rule statement that defines a string match search for AWS WAF to apply to web requests. See `byteMatchStatement` below for details. - */ - byteMatchStatement?: pulumi.Input; - /** - * Rule statement used to identify web requests based on country of origin. See `geoMatchStatement` below for details. - */ - geoMatchStatement?: pulumi.Input; - /** - * Rule statement used to detect web requests coming from particular IP addresses or address ranges. See `ipSetReferenceStatement` below for details. - */ - ipSetReferenceStatement?: pulumi.Input; - /** - * Rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See `labelMatchStatement` below for details. - */ - labelMatchStatement?: pulumi.Input; - /** - * Rule statement used to run the rules that are defined in a managed rule group. This statement can not be nested. See `managedRuleGroupStatement` below for details. 
- */ - managedRuleGroupStatement?: pulumi.Input; - /** - * Logical rule statement used to negate the results of another rule statement. See `notStatement` below for details. - */ - notStatement?: pulumi.Input; - /** - * Logical rule statement used to combine other rule statements with OR logic. See `orStatement` below for details. - */ - orStatement?: pulumi.Input; - /** - * Rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See `rateBasedStatement` below for details. - */ - rateBasedStatement?: pulumi.Input; - /** - * Rule statement used to search web request components for a match against a single regular expression. See `regexMatchStatement` below for details. - */ - regexMatchStatement?: pulumi.Input; - /** - * Rule statement used to search web request components for matches with regular expressions. See `regexPatternSetReferenceStatement` below for details. - */ - regexPatternSetReferenceStatement?: pulumi.Input; - /** - * Rule statement used to run the rules that are defined in an WAFv2 Rule Group. See `ruleGroupReferenceStatement` below for details. - */ - ruleGroupReferenceStatement?: pulumi.Input; - /** - * Rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). See `sizeConstraintStatement` below for more details. - */ - sizeConstraintStatement?: pulumi.Input; - /** - * An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See `sqliMatchStatement` below for details. - */ - sqliMatchStatement?: pulumi.Input; - /** - * Rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See `xssMatchStatement` below for details. 
- */ - xssMatchStatement?: pulumi.Input; - } - - export interface WebAclRuleStatementAndStatement { - /** - * The statements to combine. - */ - statements: pulumi.Input[]>; - } - - export interface WebAclRuleStatementByteMatchStatement { - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. - */ - positionalConstraint: pulumi.Input; - /** - * String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. - */ - searchString: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. 
- */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. 
- */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementByteMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementByteMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
- */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementGeoMatchStatement { - /** - * Array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. - */ - countryCodes: pulumi.Input[]>; - /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `forwardedIpConfig` below for details. - */ - forwardedIpConfig?: pulumi.Input; - } - - export interface WebAclRuleStatementGeoMatchStatementForwardedIpConfig { - /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - /** - * Name of the HTTP header to use for the IP address. - */ - headerName: pulumi.Input; - } - - export interface WebAclRuleStatementIpSetReferenceStatement { - /** - * The Amazon Resource Name (ARN) of the IP Set that this statement references. - */ - arn: pulumi.Input; - /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `ipSetForwardedIpConfig` below for more details. - */ - ipSetForwardedIpConfig?: pulumi.Input; - } - - export interface WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig { - /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - /** - * Name of the HTTP header to use for the IP address. - */ - headerName: pulumi.Input; - /** - * Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. 
If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. - */ - position: pulumi.Input; - } - - export interface WebAclRuleStatementLabelMatchStatement { - /** - * String to match against. - */ - key: pulumi.Input; - /** - * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. - */ - scope: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatement { - /** - * Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config. See `managedRuleGroupConfigs` for more details - */ - managedRuleGroupConfigs?: pulumi.Input[]>; - /** - * Name of the managed rule group. - */ - name: pulumi.Input; - /** - * Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See `ruleActionOverride` below for details. - */ - ruleActionOverrides?: pulumi.Input[]>; - /** - * Narrows the scope of the statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See `statement` above for details. - */ - scopeDownStatement?: pulumi.Input; - /** - * Name of the managed rule group vendor. - */ - vendorName: pulumi.Input; - /** - * Version of the managed rule group. You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything. - */ - version?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig { - /** - * Additional configuration for using the Account Creation Fraud Prevention managed rule group. Use this to specify information such as the registration page of your application and the type of content to accept or reject from the client. 
- */ - awsManagedRulesAcfpRuleSet?: pulumi.Input; - /** - * Additional configuration for using the Account Takeover Protection managed rule group. Use this to specify information such as the sign-in page of your application and the type of content to accept or reject from the client. - */ - awsManagedRulesAtpRuleSet?: pulumi.Input; - /** - * Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. See `awsManagedRulesBotControlRuleSet` for more details - */ - awsManagedRulesBotControlRuleSet?: pulumi.Input; - /** - * The path of the login endpoint for your application. - */ - loginPath?: pulumi.Input; - /** - * Details about your login page password field. See `passwordField` for more details. - */ - passwordField?: pulumi.Input; - /** - * The payload type for your login endpoint, either JSON or form encoded. - */ - payloadType?: pulumi.Input; - /** - * Details about your login page username field. See `usernameField` for more details. - */ - usernameField?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet { - /** - * The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept POST requests. - */ - creationPath: pulumi.Input; - /** - * Whether or not to allow the use of regular expressions in the login page path. - */ - enableRegexInPath?: pulumi.Input; - /** - * The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users. This page must accept GET text/html requests. - */ - registrationPagePath: pulumi.Input; - /** - * The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `requestInspection` for more details. 
- */ - requestInspection: pulumi.Input; - /** - * The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. See `responseInspection` for more details. - */ - responseInspection?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection { - /** - * The names of the fields in the request payload that contain your customer's primary physical address. See `addressFields` for more details. - */ - addressFields?: pulumi.Input; - /** - * The name of the field in the request payload that contains your customer's email. See `emailField` for more details. - */ - emailField?: pulumi.Input; - /** - * Details about your login page password field. See `passwordField` for more details. - */ - passwordField?: pulumi.Input; - /** - * The payload type for your login endpoint, either JSON or form encoded. - */ - payloadType: pulumi.Input; - /** - * The names of the fields in the request payload that contain your customer's primary phone number. See `phoneNumberFields` for more details. - */ - phoneNumberFields?: pulumi.Input; - /** - * Details about your login page username field. See `usernameField` for more details. - */ - usernameField?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields { - identifiers: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField { - /** - * The name of the field in the request payload that contains your customer's email. 
- */ - identifier: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPasswordField { - /** - * The name of the password field. - */ - identifier: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPhoneNumberFields { - identifiers: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionUsernameField { - /** - * The name of the username field. - */ - identifier: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspection { - /** - * Configures inspection of the response body. See `bodyContains` for more details. - */ - bodyContains?: pulumi.Input; - /** - * Configures inspection of the response header.See `header` for more details. - */ - header?: pulumi.Input; - /** - * Configures inspection of the response JSON. See `json` for more details. - */ - json?: pulumi.Input; - /** - * Configures inspection of the response status code.See `statusCode` for more details. - */ - statusCode?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionBodyContains { - /** - * Strings in the body of the response that indicate a failed login attempt. - */ - failureStrings: pulumi.Input[]>; - /** - * Strings in the body of the response that indicate a successful login attempt. - */ - successStrings: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionHeader { - /** - * Values in the response header with the specified name that indicate a failed login attempt. 
- */ - failureValues: pulumi.Input[]>; - /** - * The name of the header to use. - */ - name: pulumi.Input; - /** - * Values in the response header with the specified name that indicate a successful login attempt. - */ - successValues: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionJson { - failureValues: pulumi.Input[]>; - /** - * The identifier for the value to match against in the JSON. - */ - identifier: pulumi.Input; - successValues: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionStatusCode { - /** - * Status codes in the response that indicate a failed login attempt. - */ - failureCodes: pulumi.Input[]>; - /** - * Status codes in the response that indicate a successful login attempt. - */ - successCodes: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet { - /** - * Whether or not to allow the use of regular expressions in the login page path. - */ - enableRegexInPath?: pulumi.Input; - /** - * The path of the login endpoint for your application. - */ - loginPath: pulumi.Input; - /** - * The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `requestInspection` for more details. - */ - requestInspection?: pulumi.Input; - /** - * The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. See `responseInspection` for more details. - */ - responseInspection?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection { - /** - * Details about your login page password field. 
See `passwordField` for more details. - */ - passwordField: pulumi.Input; - /** - * The payload type for your login endpoint, either JSON or form encoded. - */ - payloadType: pulumi.Input; - /** - * Details about your login page username field. See `usernameField` for more details. - */ - usernameField: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionPasswordField { - /** - * The name of the password field. - */ - identifier: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionUsernameField { - /** - * The name of the username field. - */ - identifier: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection { - /** - * Configures inspection of the response body. See `bodyContains` for more details. - */ - bodyContains?: pulumi.Input; - /** - * Configures inspection of the response header.See `header` for more details. - */ - header?: pulumi.Input; - /** - * Configures inspection of the response JSON. See `json` for more details. - */ - json?: pulumi.Input; - /** - * Configures inspection of the response status code.See `statusCode` for more details. - */ - statusCode?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains { - /** - * Strings in the body of the response that indicate a failed login attempt. - */ - failureStrings: pulumi.Input[]>; - /** - * Strings in the body of the response that indicate a successful login attempt. 
- */ - successStrings: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader { - /** - * Values in the response header with the specified name that indicate a failed login attempt. - */ - failureValues: pulumi.Input[]>; - /** - * The name of the header to use. - */ - name: pulumi.Input; - /** - * Values in the response header with the specified name that indicate a successful login attempt. - */ - successValues: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson { - failureValues: pulumi.Input[]>; - /** - * The identifier for the value to match against in the JSON. - */ - identifier: pulumi.Input; - successValues: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode { - /** - * Status codes in the response that indicate a failed login attempt. - */ - failureCodes: pulumi.Input[]>; - /** - * Status codes in the response that indicate a successful login attempt. - */ - successCodes: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet { - /** - * The inspection level to use for the Bot Control rule group. - */ - inspectionLevel: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField { - /** - * The name of the password field. - */ - identifier: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField { - /** - * The name of the username field. 
- */ - identifier: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride { - /** - * Override action to use, in place of the configured action of the rule in the rule group. See `action` for details. - */ - actionToUse: pulumi.Input; - /** - * Name of the rule to override. See the [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) for a list of names in the appropriate rule group in use. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse { - allow?: pulumi.Input; - block?: pulumi.Input; - captcha?: pulumi.Input; - challenge?: pulumi.Input; - count?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow { - /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. - */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling { - /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. - */ - insertHeaders: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; - /** - * Value of the custom header. 
- */ - value: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock { - /** - * Defines a custom response for the web request. See `customResponse` below for details. - */ - customResponse?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse { - /** - * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. - */ - customResponseBodyKey?: pulumi.Input; - /** - * The HTTP status code to return to the client. - */ - responseCode: pulumi.Input; - /** - * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. - */ - responseHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; - /** - * Value of the custom header. - */ - value: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptcha { - /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. - */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling { - /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. 
- */ - insertHeaders: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; - /** - * Value of the custom header. - */ - value: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallenge { - /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. - */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling { - /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. - */ - insertHeaders: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; - /** - * Value of the custom header. - */ - value: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCount { - /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. 
- */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandling { - /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. - */ - insertHeaders: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; - /** - * Value of the custom header. - */ - value: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatement { - andStatement?: pulumi.Input; - byteMatchStatement?: pulumi.Input; - geoMatchStatement?: pulumi.Input; - ipSetReferenceStatement?: pulumi.Input; - labelMatchStatement?: pulumi.Input; - notStatement?: pulumi.Input; - orStatement?: pulumi.Input; - regexMatchStatement?: pulumi.Input; - regexPatternSetReferenceStatement?: pulumi.Input; - sizeConstraintStatement?: pulumi.Input; - sqliMatchStatement?: pulumi.Input; - xssMatchStatement?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementAndStatement { - /** - * The statements to combine. - */ - statements: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatement { - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Area within the portion of a web request that you want AWS WAF to search for `searchString`. 
Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. - */ - positionalConstraint: pulumi.Input; - /** - * String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. - */ - searchString: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. 
- */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. 
AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. 
- */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. 
- */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. 
- */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatement { - /** - * Array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. - */ - countryCodes: pulumi.Input[]>; - /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `forwardedIpConfig` below for details. - */ - forwardedIpConfig?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatementForwardedIpConfig { - /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - /** - * Name of the HTTP header to use for the IP address. - */ - headerName: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatement { - /** - * The Amazon Resource Name (ARN) of the IP Set that this statement references. - */ - arn: pulumi.Input; - /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `ipSetForwardedIpConfig` below for more details. 
- */ - ipSetForwardedIpConfig?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig { - /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - /** - * Name of the HTTP header to use for the IP address. - */ - headerName: pulumi.Input; - /** - * Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. - */ - position: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementLabelMatchStatement { - /** - * String to match against. - */ - key: pulumi.Input; - /** - * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. - */ - scope: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementNotStatement { - /** - * The statements to combine. - */ - statements: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementOrStatement { - /** - * The statements to combine. - */ - statements: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * String representing the regular expression. Minimum of `1` and maximum of `512` characters. - */ - regexString: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. 
See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. 
- */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. 
- */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. 
- */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
- */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
- */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatement { - /** - * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. - */ - arn: pulumi.Input; - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. 
- */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. 
AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. 
- */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. 
See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatement { - /** - * Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. - */ - comparisonOperator: pulumi.Input; - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. - */ - size: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. 
- */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. 
If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
- */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
- */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatement { - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. 
- */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. 
- */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
- */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
- */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatement { - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. 
- */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. 
- */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
- */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementNotStatement { - /** - * The statements to combine. 
- */ - statements: pulumi.Input[]>; - } - - export interface WebAclRuleStatementOrStatement { - /** - * The statements to combine. - */ - statements: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatement { - /** - * Setting that indicates how to aggregate the request counts. Valid values include: `CONSTANT`, `CUSTOM_KEYS`, `FORWARDED_IP`, or `IP`. Default: `IP`. - */ - aggregateKeyType?: pulumi.Input; - /** - * Aggregate the request counts using one or more web request components as the aggregate keys. See `customKey` below for details. - */ - customKeys?: pulumi.Input[]>; - /** - * The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Valid values are `60`, `120`, `300`, and `600`. Defaults to `300` (5 minutes). - * - * **NOTE:** This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds. - */ - evaluationWindowSec?: pulumi.Input; - /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregateKeyType` is set to `FORWARDED_IP`, this block is required. See `forwardedIpConfig` below for details. - */ - forwardedIpConfig?: pulumi.Input; - /** - * Limit on requests per 5-minute period for a single originating IP address. - */ - limit: pulumi.Input; - /** - * Optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See `statement` above for details. If `aggregateKeyType` is set to `CONSTANT`, this block is required. - */ - scopeDownStatement?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKey { - /** - * Use the value of a cookie in the request as an aggregate key. 
See RateLimit `cookie` below for details. - */ - cookie?: pulumi.Input; - /** - * Use the first IP address in an HTTP header as an aggregate key. See `forwardedIp` below for details. - */ - forwardedIp?: pulumi.Input; - /** - * Use the value of a header in the request as an aggregate key. See RateLimit `header` below for details. - */ - header?: pulumi.Input; - /** - * Use the request's HTTP method as an aggregate key. See RateLimit `httpMethod` below for details. - */ - httpMethod?: pulumi.Input; - /** - * Use the request's originating IP address as an aggregate key. See `RateLimit ip` below for details. - */ - ip?: pulumi.Input; - /** - * Use the specified label namespace as an aggregate key. See RateLimit `labelNamespace` below for details. - */ - labelNamespace?: pulumi.Input; - /** - * Use the specified query argument as an aggregate key. See RateLimit `queryArgument` below for details. - */ - queryArgument?: pulumi.Input; - /** - * Use the request's query string as an aggregate key. See RateLimit `queryString` below for details. - */ - queryString?: pulumi.Input; - /** - * Use the request's URI path as an aggregate key. See RateLimit `uriPath` below for details. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyCookie { - /** - * The name of the cookie to use. - */ - name: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyCookieTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyForwardedIp { - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyHeader { - /** - * The name of the header to use. - */ - name: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
- */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyHttpMethod { - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyIp { - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace { - /** - * The namespace to use for aggregation - */ - namespace: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument { - /** - * The name of the query argument to use. - */ - name: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyQueryString { - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. 
- */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyUriPath { - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementForwardedIpConfig { - /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. 
- */ - fallbackBehavior: pulumi.Input; - /** - * Name of the HTTP header to use for the IP address. - */ - headerName: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatement { - andStatement?: pulumi.Input; - byteMatchStatement?: pulumi.Input; - geoMatchStatement?: pulumi.Input; - ipSetReferenceStatement?: pulumi.Input; - labelMatchStatement?: pulumi.Input; - notStatement?: pulumi.Input; - orStatement?: pulumi.Input; - regexMatchStatement?: pulumi.Input; - regexPatternSetReferenceStatement?: pulumi.Input; - sizeConstraintStatement?: pulumi.Input; - sqliMatchStatement?: pulumi.Input; - xssMatchStatement?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementAndStatement { - /** - * The statements to combine. - */ - statements: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement { - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. - */ - positionalConstraint: pulumi.Input; - /** - * String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. - */ - searchString: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. 
- */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. 
- */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. 
- */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. 
- */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
- */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
- */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement { - /** - * Array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. - */ - countryCodes: pulumi.Input[]>; - /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `forwardedIpConfig` below for details. - */ - forwardedIpConfig?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig { - /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - /** - * Name of the HTTP header to use for the IP address. - */ - headerName: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement { - /** - * The Amazon Resource Name (ARN) of the IP Set that this statement references. - */ - arn: pulumi.Input; - /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `ipSetForwardedIpConfig` below for more details. - */ - ipSetForwardedIpConfig?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig { - /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - /** - * Name of the HTTP header to use for the IP address. 
- */ - headerName: pulumi.Input; - /** - * Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. - */ - position: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement { - /** - * String to match against. - */ - key: pulumi.Input; - /** - * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. - */ - scope: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementNotStatement { - /** - * The statements to combine. - */ - statements: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementOrStatement { - /** - * The statements to combine. - */ - statements: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * String representing the regular expression. Minimum of `1` and maximum of `512` characters. - */ - regexString: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. 
See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. 
- */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. 
Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. 
Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement { - /** - * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. - */ - arn: pulumi.Input; - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. 
- */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. 
The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
- */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
- */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement { - /** - * Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. - */ - comparisonOperator: pulumi.Input; - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. - */ - size: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. 
- */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement { - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. 
See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. 
Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement { - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. 
- */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. 
Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRegexMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * String representing the regular expression. Minimum of `1` and maximum of `512` characters. - */ - regexString: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. 
- */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: pulumi.Input; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: pulumi.Input; + value: pulumi.Input; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: pulumi.Input; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. 
See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: pulumi.Input; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: pulumi.Input; + export interface WebAclRuleActionCount { /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Defines custom handling for the web request. See `customRequestHandling` below for details. */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchQueryString { + customRequestHandling?: pulumi.Input; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchSingleHeader { + export interface WebAclRuleActionCountCustomRequestHandling { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. */ - name: pulumi.Input; + insertHeaders: pulumi.Input[]>; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument { + export interface WebAclRuleActionCountCustomRequestHandlingInsertHeader { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. 
For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ name: pulumi.Input; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementRegexMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: pulumi.Input; - /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatement { - /** - * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. - */ - arn: pulumi.Input; - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: pulumi.Input; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. - */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: pulumi.Input; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: pulumi.Input; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: pulumi.Input; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. 
- */ - headerOrders?: pulumi.Input[]>; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: pulumi.Input[]>; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: pulumi.Input; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: pulumi.Input; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: pulumi.Input; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: pulumi.Input; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: pulumi.Input; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: pulumi.Input; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Value of the custom header. */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments { + value: pulumi.Input; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody { + export interface WebAclRuleCaptchaConfig { /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Defines custom immunity time. See `immunityTimeProperty` below for details. 
*/ - oversizeHandling?: pulumi.Input; + immunityTimeProperty?: pulumi.Input; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: pulumi.Input[]>; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: pulumi.Input; + export interface WebAclRuleCaptchaConfigImmunityTimeProperty { /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll { + immunityTime?: pulumi.Input; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. 
The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: pulumi.Input; + export interface WebAclRuleOverrideAction { /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * Override the rule action setting to count (i.e., only count matches). Configured as an empty block `{}`. */ - matchScope: pulumi.Input; + count?: pulumi.Input; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Don't override the rule action setting. Configured as an empty block `{}`. */ - oversizeHandling: pulumi.Input; + none?: pulumi.Input; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: pulumi.Input[]>; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. 
- */ - includedHeaders?: pulumi.Input[]>; + export interface WebAclRuleOverrideActionCount { } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll { + export interface WebAclRuleOverrideActionNone { } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder { + export interface WebAclRuleRuleLabel { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Label string. */ - oversizeHandling: pulumi.Input; + name: pulumi.Input; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint { + export interface WebAclRuleStatement { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * Logical rule statement used to combine other rule statements with AND logic. See `andStatement` below for details. */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody { + andStatement?: pulumi.Input; /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * Rule statement that defines a string match search for AWS WAF to apply to web requests. See `byteMatchStatement` below for details. */ - invalidFallbackBehavior?: pulumi.Input; + byteMatchStatement?: pulumi.Input; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. 
See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Rule statement used to identify web requests based on country of origin. See `geoMatchStatement` below for details. */ - matchPattern: pulumi.Input; + geoMatchStatement?: pulumi.Input; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * Rule statement used to detect web requests coming from particular IP addresses or address ranges. See `ipSetReferenceStatement` below for details. */ - matchScope: pulumi.Input; + ipSetReferenceStatement?: pulumi.Input; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See `labelMatchStatement` below for details. */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader { + labelMatchStatement?: pulumi.Input; /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Rule statement used to run the rules that are defined in a managed rule group. This statement can not be nested. See `managedRuleGroupStatement` below for details. 
*/ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument { + managedRuleGroupStatement?: pulumi.Input; /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Logical rule statement used to negate the results of another rule statement. See `notStatement` below for details. */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementTextTransformation { + notStatement?: pulumi.Input; /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Logical rule statement used to combine other rule statements with OR logic. See `orStatement` below for details. */ - priority: pulumi.Input; + orStatement?: pulumi.Input; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See `rateBasedStatement` below for details. */ - type: pulumi.Input; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatement { + rateBasedStatement?: pulumi.Input; /** - * The Amazon Resource Name (ARN) of the `aws.wafv2.RuleGroup` resource. + * Rule statement used to search web request components for a match against a single regular expression. See `regexMatchStatement` below for details. 
*/ - arn: pulumi.Input; + regexMatchStatement?: pulumi.Input; /** - * Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See `ruleActionOverride` below for details. + * Rule statement used to search web request components for matches with regular expressions. See `regexPatternSetReferenceStatement` below for details. */ - ruleActionOverrides?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverride { + regexPatternSetReferenceStatement?: pulumi.Input; /** - * Override action to use, in place of the configured action of the rule in the rule group. See `action` for details. + * Rule statement used to run the rules that are defined in an WAFv2 Rule Group. See `ruleGroupReferenceStatement` below for details. */ - actionToUse: pulumi.Input; + ruleGroupReferenceStatement?: pulumi.Input; /** - * Name of the rule to override. See the [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) for a list of names in the appropriate rule group in use. + * Rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). See `sizeConstraintStatement` below for more details. */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUse { - allow?: pulumi.Input; - block?: pulumi.Input; - captcha?: pulumi.Input; - challenge?: pulumi.Input; - count?: pulumi.Input; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllow { + sizeConstraintStatement?: pulumi.Input; /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. 
+ * An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See `sqliMatchStatement` below for details. */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandling { + sqliMatchStatement?: pulumi.Input; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * Rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See `xssMatchStatement` below for details. */ - insertHeaders: pulumi.Input[]>; + xssMatchStatement?: pulumi.Input; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: pulumi.Input; + export interface WebAclRuleStatementAndStatement { /** - * Value of the custom header. + * Statements to combine with `AND` logic. You can use any statements that can be nested. See `statement` above for details. */ - value: pulumi.Input; + statements: pulumi.Input[]>; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlock { + export interface WebAclRuleStatementByteMatchStatement { /** - * Defines a custom response for the web request. See `customResponse` below for details. + * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. 
*/ - customResponse?: pulumi.Input; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponse { + fieldToMatch?: pulumi.Input; /** - * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. + * Area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. */ - customResponseBodyKey?: pulumi.Input; + positionalConstraint: pulumi.Input; /** - * The HTTP status code to return to the client. + * String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. */ - responseCode: pulumi.Input; + searchString: pulumi.Input; /** - * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. */ - responseHeaders?: pulumi.Input[]>; + textTransformations: pulumi.Input[]>; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader { + export interface WebAclRuleStatementGeoMatchStatement { /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. 
For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * Array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. */ - name: pulumi.Input; + countryCodes: pulumi.Input[]>; /** - * Value of the custom header. + * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `forwardedIpConfig` below for details. */ - value: pulumi.Input; + forwardedIpConfig?: pulumi.Input; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptcha { + export interface WebAclRuleStatementIpSetReferenceStatement { /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * The Amazon Resource Name (ARN) of the IP Set that this statement references. */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling { + arn: pulumi.Input; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `ipSetForwardedIpConfig` below for more details. */ - insertHeaders: pulumi.Input[]>; + ipSetForwardedIpConfig?: pulumi.Input; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader { + export interface WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig { /** - * Name of the custom header. 
For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. */ - name: pulumi.Input; + fallbackBehavior: pulumi.Input; /** - * Value of the custom header. + * Name of the HTTP header to use for the IP address. */ - value: pulumi.Input; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallenge { + headerName: pulumi.Input; /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. */ - customRequestHandling?: pulumi.Input; + position: pulumi.Input; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling { + export interface WebAclRuleStatementLabelMatchStatement { /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * String to match against. + */ + key: pulumi.Input; + /** + * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. */ - insertHeaders: pulumi.Input[]>; + scope: pulumi.Input; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader { + export interface WebAclRuleStatementManagedRuleGroupStatement { /** - * Name of the custom header. 
For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config. See `managedRuleGroupConfigs` for more details + */ + managedRuleGroupConfigs?: pulumi.Input[]>; + /** + * Name of the managed rule group. */ name: pulumi.Input; /** - * Value of the custom header. + * Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See `ruleActionOverride` below for details. */ - value: pulumi.Input; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCount { + ruleActionOverrides?: pulumi.Input[]>; /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * Narrows the scope of the statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See `statement` above for details. */ - customRequestHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandling { + scopeDownStatement?: pulumi.Input; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * Name of the managed rule group vendor. + */ + vendorName: pulumi.Input; + /** + * Version of the managed rule group. You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything. 
*/ - insertHeaders: pulumi.Input[]>; + version?: pulumi.Input; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig { /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * Additional configuration for using the Account Creation Fraud Prevention managed rule group. Use this to specify information such as the registration page of your application and the type of content to accept or reject from the client. */ - name: pulumi.Input; + awsManagedRulesAcfpRuleSet?: pulumi.Input; /** - * Value of the custom header. + * Additional configuration for using the Account Takeover Protection managed rule group. Use this to specify information such as the sign-in page of your application and the type of content to accept or reject from the client. */ - value: pulumi.Input; - } - - export interface WebAclRuleStatementSizeConstraintStatement { + awsManagedRulesAtpRuleSet?: pulumi.Input; /** - * Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. + * Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. See `awsManagedRulesBotControlRuleSet` for more details */ - comparisonOperator: pulumi.Input; + awsManagedRulesBotControlRuleSet?: pulumi.Input; /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * The path of the login endpoint for your application. 
*/ - fieldToMatch?: pulumi.Input; + loginPath?: pulumi.Input; /** - * Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. + * Details about your login page password field. See `passwordField` for more details. */ - size: pulumi.Input; + passwordField?: pulumi.Input; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * The payload type for your login endpoint, either JSON or form encoded. */ - textTransformations: pulumi.Input[]>; - } - - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatch { + payloadType?: pulumi.Input; /** - * Inspect all query arguments. + * Details about your login page username field. See `usernameField` for more details. */ - allQueryArguments?: pulumi.Input; + usernameField?: pulumi.Input; + } + + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet { /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept POST requests. */ - body?: pulumi.Input; + creationPath: pulumi.Input; /** - * Inspect the cookies in the web request. See `cookies` below for details. + * Whether or not to allow the use of regular expressions in the login page path. */ - cookies?: pulumi.Input; + enableRegexInPath?: pulumi.Input; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * The path of the account registration endpoint for your application. 
This is the page on your website that presents the registration form to new users. This page must accept GET text/html requests. */ - headerOrders?: pulumi.Input[]>; + registrationPagePath: pulumi.Input; /** - * Inspect the request headers. See `headers` below for details. + * The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `requestInspection` for more details. */ - headers?: pulumi.Input[]>; + requestInspection: pulumi.Input; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. See `responseInspection` for more details. */ - ja3Fingerprint?: pulumi.Input; + responseInspection?: pulumi.Input; + } + + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection { /** - * Inspect the request body as JSON. See `jsonBody` for details. + * The names of the fields in the request payload that contain your customer's primary physical address. See `addressFields` for more details. */ - jsonBody?: pulumi.Input; + addressFields?: pulumi.Input; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * The name of the field in the request payload that contains your customer's email. See `emailField` for more details. */ - method?: pulumi.Input; + emailField?: pulumi.Input; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * Details about your login page password field. See `passwordField` for more details. */ - queryString?: pulumi.Input; + passwordField?: pulumi.Input; /** - * Inspect a single header. See `singleHeader` below for details. 
+ * The payload type for your login endpoint, either JSON or form encoded. */ - singleHeader?: pulumi.Input; + payloadType: pulumi.Input; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * The names of the fields in the request payload that contain your customer's primary phone number. See `phoneNumberFields` for more details. */ - singleQueryArgument?: pulumi.Input; + phoneNumberFields?: pulumi.Input; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Details about your login page username field. See `usernameField` for more details. */ - uriPath?: pulumi.Input; + usernameField?: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields { + identifiers: pulumi.Input[]>; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchBody { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField { /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The name of the field in the request payload that contains your customer's email. */ - oversizeHandling?: pulumi.Input; + identifier: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchCookies { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet { /** - * The filter to use to identify the subset of cookies to inspect in a web request. 
You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * Whether or not to allow the use of regular expressions in the login page path. */ - matchPatterns: pulumi.Input[]>; + enableRegexInPath?: pulumi.Input; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The path of the login endpoint for your application. */ - matchScope: pulumi.Input; + loginPath: pulumi.Input; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `requestInspection` for more details. */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll { + requestInspection?: pulumi.Input; + /** + * The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. See `responseInspection` for more details. 
+ */ + responseInspection?: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchHeader { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * Details about your login page password field. See `passwordField` for more details. */ - matchPattern: pulumi.Input; + passwordField: pulumi.Input; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * The payload type for your login endpoint, either JSON or form encoded. */ - matchScope: pulumi.Input; + payloadType: pulumi.Input; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Details about your login page username field. See `usernameField` for more details. */ - oversizeHandling: pulumi.Input; + usernameField: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection { /** - * An empty configuration block that is used for inspecting all headers. + * Configures inspection of the response body. See `bodyContains` for more details. */ - all?: pulumi.Input; + bodyContains?: pulumi.Input; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. 
+ * Configures inspection of the response header.See `header` for more details. */ - excludedHeaders?: pulumi.Input[]>; + header?: pulumi.Input; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * Configures inspection of the response JSON. See `json` for more details. */ - includedHeaders?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll { + json?: pulumi.Input; + /** + * Configures inspection of the response status code.See `statusCode` for more details. + */ + statusCode?: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Strings in the body of the response that indicate a failed login attempt. */ - oversizeHandling: pulumi.Input; + failureStrings: pulumi.Input[]>; + /** + * Strings in the body of the response that indicate a successful login attempt. + */ + successStrings: pulumi.Input[]>; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * Values in the response header with the specified name that indicate a failed login attempt. 
*/ - fallbackBehavior: pulumi.Input; + failureValues: pulumi.Input[]>; + /** + * The name of the header to use. + */ + name: pulumi.Input; + /** + * Values in the response header with the specified name that indicate a successful login attempt. + */ + successValues: pulumi.Input[]>; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBody { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson { + failureValues: pulumi.Input[]>; /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * The identifier for the value to match against in the JSON. */ - invalidFallbackBehavior?: pulumi.Input; + identifier: pulumi.Input; + successValues: pulumi.Input[]>; + } + + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode { /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Status codes in the response that indicate a failed login attempt. */ - matchPattern: pulumi.Input; + failureCodes: pulumi.Input[]>; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * Status codes in the response that indicate a successful login attempt. */ - matchScope: pulumi.Input; + successCodes: pulumi.Input[]>; + } + + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet { /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * The inspection level to use for the Bot Control rule group. 
*/ - oversizeHandling?: pulumi.Input; + inspectionLevel: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField { + /** + * The name of the password field. + */ + identifier: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField { + /** + * The name of the username field. + */ + identifier: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchMethod { + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride { + /** + * Override action to use, in place of the configured action of the rule in the rule group. See `action` for details. + */ + actionToUse: pulumi.Input; + /** + * Name of the rule to override. See the [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) for a list of names in the appropriate rule group in use. + */ + name: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchQueryString { + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse { + allow?: pulumi.Input; + block?: pulumi.Input; + captcha?: pulumi.Input; + challenge?: pulumi.Input; + count?: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleHeader { + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Defines custom handling for the web request. See `customRequestHandling` below for details. 
*/ - name: pulumi.Input; + customRequestHandling?: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument { + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. */ - name: pulumi.Input; + insertHeaders: pulumi.Input[]>; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchUriPath { + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock { + /** + * Defines a custom response for the web request. See `customResponse` below for details. + */ + customResponse?: pulumi.Input; } - export interface WebAclRuleStatementSizeConstraintStatementTextTransformation { + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. */ - priority: pulumi.Input; + customResponseBodyKey?: pulumi.Input; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The HTTP status code to return to the client. */ - type: pulumi.Input; + responseCode: pulumi.Input; + /** + * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. 
+ */ + responseHeaders?: pulumi.Input[]>; } - export interface WebAclRuleStatementSqliMatchStatement { + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader { /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - fieldToMatch?: pulumi.Input; + name: pulumi.Input; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * Value of the custom header. */ - textTransformations: pulumi.Input[]>; + value: pulumi.Input; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatch { + export interface WebAclRuleStatementNotStatement { /** - * Inspect all query arguments. + * Statement to negate. You can use any statement that can be nested. See `statement` above for details. */ - allQueryArguments?: pulumi.Input; + statements: pulumi.Input[]>; + } + + export interface WebAclRuleStatementOrStatement { /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * Statements to combine with `OR` logic. You can use any statements that can be nested. See `statement` above for details. */ - body?: pulumi.Input; + statements: pulumi.Input[]>; + } + + export interface WebAclRuleStatementRateBasedStatement { /** - * Inspect the cookies in the web request. See `cookies` below for details. + * Setting that indicates how to aggregate the request counts. Valid values include: `CONSTANT`, `CUSTOM_KEYS`, `FORWARDED_IP`, or `IP`. 
Default: `IP`. */ - cookies?: pulumi.Input; + aggregateKeyType?: pulumi.Input; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * Aggregate the request counts using one or more web request components as the aggregate keys. See `customKey` below for details. */ - headerOrders?: pulumi.Input[]>; + customKeys?: pulumi.Input[]>; /** - * Inspect the request headers. See `headers` below for details. + * The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Valid values are `60`, `120`, `300`, and `600`. Defaults to `300` (5 minutes). + * + * **NOTE:** This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds. */ - headers?: pulumi.Input[]>; + evaluationWindowSec?: pulumi.Input; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregateKeyType` is set to `FORWARDED_IP`, this block is required. See `forwardedIpConfig` below for details. */ - ja3Fingerprint?: pulumi.Input; + forwardedIpConfig?: pulumi.Input; /** - * Inspect the request body as JSON. See `jsonBody` for details. + * Limit on requests per 5-minute period for a single originating IP address. */ - jsonBody?: pulumi.Input; + limit: pulumi.Input; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * Optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See `statement` above for details. 
If `aggregateKeyType` is set to `CONSTANT`, this block is required. */ - method?: pulumi.Input; + scopeDownStatement?: pulumi.Input; + } + + export interface WebAclRuleStatementRateBasedStatementCustomKey { /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * Use the value of a cookie in the request as an aggregate key. See RateLimit `cookie` below for details. */ - queryString?: pulumi.Input; + cookie?: pulumi.Input; /** - * Inspect a single header. See `singleHeader` below for details. + * Use the first IP address in an HTTP header as an aggregate key. See `forwardedIp` below for details. */ - singleHeader?: pulumi.Input; + forwardedIp?: pulumi.Input; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * Use the value of a header in the request as an aggregate key. See RateLimit `header` below for details. */ - singleQueryArgument?: pulumi.Input; + header?: pulumi.Input; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Use the request's HTTP method as an aggregate key. See RateLimit `httpMethod` below for details. */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchBody { + httpMethod?: pulumi.Input; /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Use the request's originating IP address as an aggregate key. See `RateLimit ip` below for details. 
*/ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchCookies { + ip?: pulumi.Input; /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * Use the specified label namespace as an aggregate key. See RateLimit `labelNamespace` below for details. */ - matchPatterns: pulumi.Input[]>; + labelNamespace?: pulumi.Input; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * Use the specified query argument as an aggregate key. See RateLimit `queryArgument` below for details. */ - matchScope: pulumi.Input; + queryArgument?: pulumi.Input; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Use the request's query string as an aggregate key. See RateLimit `queryString` below for details. */ - oversizeHandling: pulumi.Input; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; - excludedCookies?: pulumi.Input[]>; - includedCookies?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchHeader { + queryString?: pulumi.Input; /** - * The filter to use to identify the subset of headers to inspect in a web request. 
The `matchPattern` block supports only one of the following arguments: + * Use the request's URI path as an aggregate key. See RateLimit `uriPath` below for details. */ - matchPattern: pulumi.Input; + uriPath?: pulumi.Input; + } + + export interface WebAclRuleStatementRateBasedStatementCustomKeyCookie { /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * The name of the cookie to use. */ - matchScope: pulumi.Input; + name: pulumi.Input; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. */ - oversizeHandling: pulumi.Input; + textTransformations: pulumi.Input[]>; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: pulumi.Input; + export interface WebAclRuleStatementRateBasedStatementCustomKeyHeader { /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * The name of the header to use. */ - excludedHeaders?: pulumi.Input[]>; + name: pulumi.Input; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. 
+ * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. */ - includedHeaders?: pulumi.Input[]>; + textTransformations: pulumi.Input[]>; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll { + export interface WebAclRuleStatementRateBasedStatementCustomKeyIp { } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderOrder { + export interface WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The namespace to use for aggregation */ - oversizeHandling: pulumi.Input; + namespace: pulumi.Input; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint { + export interface WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * The name of the query argument to use. */ - fallbackBehavior: pulumi.Input; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBody { + name: pulumi.Input; /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. 
+ * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. */ - invalidFallbackBehavior?: pulumi.Input; + textTransformations: pulumi.Input[]>; + } + + export interface WebAclRuleStatementRateBasedStatementScopeDownStatement { + andStatement?: pulumi.Input; + byteMatchStatement?: pulumi.Input; + geoMatchStatement?: pulumi.Input; + ipSetReferenceStatement?: pulumi.Input; + labelMatchStatement?: pulumi.Input; + notStatement?: pulumi.Input; + orStatement?: pulumi.Input; + regexMatchStatement?: pulumi.Input; + regexPatternSetReferenceStatement?: pulumi.Input; + sizeConstraintStatement?: pulumi.Input; + sqliMatchStatement?: pulumi.Input; + xssMatchStatement?: pulumi.Input; + } + + export interface WebAclRuleStatementRegexMatchStatement { /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * The part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. */ - matchPattern: pulumi.Input; + fieldToMatch?: pulumi.Input; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * String representing the regular expression. Minimum of `1` and maximum of `512` characters. */ - matchScope: pulumi.Input; + regexString: pulumi.Input; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. 
At least one transformation is required. See `textTransformation` below for details. */ - oversizeHandling?: pulumi.Input; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; - includedPaths?: pulumi.Input[]>; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchQueryString { + textTransformations: pulumi.Input[]>; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchSingleHeader { + export interface WebAclRuleStatementRegexPatternSetReferenceStatement { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument { + arn: pulumi.Input; /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchUriPath { + fieldToMatch?: pulumi.Input; + /** + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + */ + textTransformations: pulumi.Input[]>; } - export interface WebAclRuleStatementSqliMatchStatementTextTransformation { + export interface WebAclRuleStatementRuleGroupReferenceStatement { /** - * Relative processing order for multiple transformations that are defined for a rule statement. 
AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The Amazon Resource Name (ARN) of the `aws.wafv2.RuleGroup` resource. */ - priority: pulumi.Input; + arn: pulumi.Input; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See `ruleActionOverride` below for details. */ - type: pulumi.Input; + ruleActionOverrides?: pulumi.Input[]>; } - export interface WebAclRuleStatementXssMatchStatement { + export interface WebAclRuleStatementSizeConstraintStatement { + /** + * Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. + */ + comparisonOperator: pulumi.Input; /** * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. */ fieldToMatch?: pulumi.Input; + /** + * Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. + */ + size: pulumi.Input; /** * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. */ @@ -78024,7 +71548,7 @@ export namespace wafv2 { /** * Inspect all query arguments. */ - allQueryArguments?: pulumi.Input; + allQueryArguments?: pulumi.Input; /** * Inspect the request body, which immediately follows the request headers. See `body` below for details. */ 
@@ -78036,7 +71560,7 @@ export namespace wafv2 { /** * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. */ - headerOrders?: pulumi.Input[]>; + headerOrders?: pulumi.Input[]>; /** * Inspect the request headers. See `headers` below for details. */ @@ -78052,11 +71576,11 @@ export namespace wafv2 { /** * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. */ - method?: pulumi.Input; + method?: pulumi.Input; /** * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. */ - queryString?: pulumi.Input; + queryString?: pulumi.Input; /** * Inspect a single header. See `singleHeader` below for details. */ @@ -78064,14 +71588,11 @@ export namespace wafv2 { /** * Inspect a single query argument. See `singleQueryArgument` below for details. */ - singleQueryArgument?: pulumi.Input; + singleQueryArgument?: pulumi.Input; /** * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. */ - uriPath?: pulumi.Input; - } - - export interface WebAclRuleStatementXssMatchStatementFieldToMatchAllQueryArguments { + uriPath?: pulumi.Input; } export interface WebAclRuleStatementXssMatchStatementFieldToMatchBody { 
@@ -78097,14 +71618,11 @@ export namespace wafv2 { } export interface WebAclRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern { - all?: pulumi.Input; + all?: pulumi.Input; excludedCookies?: pulumi.Input[]>; includedCookies?: pulumi.Input[]>; } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll { - } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchHeader { /** * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: @@ -78124,7 +71642,7 @@ export namespace wafv2 { /** * An empty configuration block that is used for inspecting all headers. */ - all?: pulumi.Input; + all?: pulumi.Input; /** * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. */ @@ -78135,16 +71653,6 @@ export namespace wafv2 { includedHeaders?: pulumi.Input[]>; } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementXssMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: pulumi.Input; - } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint { /** * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. 
@@ -78172,19 +71680,10 @@ export namespace wafv2 { } export interface WebAclRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: pulumi.Input; + all?: pulumi.Input; includedPaths?: pulumi.Input[]>; } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementXssMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementXssMatchStatementFieldToMatchQueryString { - } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchSingleHeader { /** * Name of the query header to inspect. This setting must be provided as lower case characters. @@ -78192,16 +71691,6 @@ export namespace wafv2 { name: pulumi.Input; } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: pulumi.Input; - } - - export interface WebAclRuleStatementXssMatchStatementFieldToMatchUriPath { - } - export interface WebAclRuleStatementXssMatchStatementTextTransformation { /** * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. diff --git a/sdk/nodejs/types/output.ts b/sdk/nodejs/types/output.ts index dc32a8a38f0..d9d12de6a35 100644 --- a/sdk/nodejs/types/output.ts +++ b/sdk/nodejs/types/output.ts 
@@ -18850,2873 +18850,2852 @@ export namespace costexplorer { /** * Return results that match both `Dimension` objects. */ - ands: outputs.costexplorer.GetCostCategoryRuleRuleAnd[]; + ands: outputs.costexplorer.GetCostCategoryRuleRule[]; /** * Configuration block for the filter that's based on `CostCategory` values. See below. */ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleCostCategory[]; + costCategories: outputs.costexplorer.GetCostCategoryRuleRuleTag[]; /** * Configuration block for the specific `Dimension` to use for `Expression`. See below. */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleDimension[]; + dimensions: outputs.costexplorer.GetCostCategoryRuleRuleTag[]; /** * Return results that do not match the `Dimension` object. */ - nots: outputs.costexplorer.GetCostCategoryRuleRuleNot[]; + nots: outputs.costexplorer.GetCostCategoryRuleRule[]; /** * Return results that match either `Dimension` object. */ - ors: outputs.costexplorer.GetCostCategoryRuleRuleOr[]; + ors: outputs.costexplorer.GetCostCategoryRuleRule[]; /** * Configuration block for the specific `Tag` to use for `Expression`. See below. */ tags: outputs.costexplorer.GetCostCategoryRuleRuleTag[]; } - export interface GetCostCategoryRuleRuleAnd { - /** - * Return results that match both `Dimension` objects. - */ - ands: outputs.costexplorer.GetCostCategoryRuleRuleAndAnd[]; - /** - * Configuration block for the filter that's based on `CostCategory` values. See below. - */ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleAndCostCategory[]; - /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. - */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleAndDimension[]; + export interface GetCostCategoryRuleRuleTag { /** - * Return results that do not match the `Dimension` object. + * Key for the tag. 
*/ - nots: outputs.costexplorer.GetCostCategoryRuleRuleAndNot[]; + key: string; /** - * Return results that match either `Dimension` object. + * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. */ - ors: outputs.costexplorer.GetCostCategoryRuleRuleAndOr[]; + matchOptions: string[]; /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. + * Parameter values. */ - tags: outputs.costexplorer.GetCostCategoryRuleRuleAndTag[]; + values: string[]; } - export interface GetCostCategoryRuleRuleAndAnd { + export interface GetCostCategorySplitChargeRule { /** - * Configuration block for the filter that's based on `CostCategory` values. See below. + * Method that's used to define how to split your source costs across your targets. Valid values are `FIXED`, `PROPORTIONAL`, `EVEN` */ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleAndAndCostCategory[]; + method: string; /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. + * Configuration block for the parameters for a split charge method. This is only required for the `FIXED` method. See below. */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleAndAndDimension[]; + parameters: outputs.costexplorer.GetCostCategorySplitChargeRuleParameter[]; /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. + * Cost Category value that you want to split. */ - tags: outputs.costexplorer.GetCostCategoryRuleRuleAndAndTag[]; - } - - export interface GetCostCategoryRuleRuleAndAndCostCategory { + source: string; /** - * Key for the tag. + * Cost Category values that you want to split costs across. These values can't be used as a source in other split charge rules. 
*/ - key: string; + targets: string[]; + } + + export interface GetCostCategorySplitChargeRuleParameter { /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Parameter type. */ - matchOptions: string[]; + type: string; /** * Parameter values. */ values: string[]; } - export interface GetCostCategoryRuleRuleAndAndDimension { + export interface GetTagsFilter { /** - * Key for the tag. + * Return results that match both `Dimension` objects. */ - key: string; + ands?: outputs.costexplorer.GetTagsFilterAnd[]; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Configuration block for the filter that's based on `CostCategory` values. See `costCategory` block below for details. */ - matchOptions: string[]; + costCategory?: outputs.costexplorer.GetTagsFilterCostCategory; /** - * Parameter values. + * Configuration block for the specific `Dimension` to use for `Expression`. See `dimension` block below for details. */ - values: string[]; - } - - export interface GetCostCategoryRuleRuleAndAndTag { + dimension?: outputs.costexplorer.GetTagsFilterDimension; /** - * Key for the tag. + * Return results that match both `Dimension` object. */ - key: string; + not?: outputs.costexplorer.GetTagsFilterNot; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Return results that match both `Dimension` object. */ - matchOptions: string[]; + ors?: outputs.costexplorer.GetTagsFilterOr[]; /** - * Parameter values. + * Tags that match your request. */ - values: string[]; + tags?: outputs.costexplorer.GetTagsFilterTags; } - export interface GetCostCategoryRuleRuleAndCostCategory { + export interface GetTagsFilterAnd { + costCategory?: outputs.costexplorer.GetTagsFilterAndCostCategory; + dimension?: outputs.costexplorer.GetTagsFilterAndDimension; /** - * Key for the tag. + * Tags that match your request. */ - key: string; + tags?: outputs.costexplorer.GetTagsFilterAndTags; + } + + export interface GetTagsFilterAndCostCategory { + /** + * Unique name of the Cost Category. + */ + key?: string; /** * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. */ - matchOptions: string[]; + matchOptions?: string[]; /** - * Parameter values. + * Specific value of the Cost Category. */ - values: string[]; + values?: string[]; } - export interface GetCostCategoryRuleRuleAndDimension { + export interface GetTagsFilterAndDimension { /** - * Key for the tag. + * Unique name of the Cost Category. */ - key: string; + key?: string; /** * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. */ - matchOptions: string[]; + matchOptions?: string[]; /** - * Parameter values. + * Specific value of the Cost Category. 
*/ - values: string[]; + values?: string[]; + } + + export interface GetTagsFilterAndTags { + key?: string; + matchOptions?: string[]; + values?: string[]; } - export interface GetCostCategoryRuleRuleAndNot { + export interface GetTagsFilterCostCategory { /** - * Configuration block for the filter that's based on `CostCategory` values. See below. + * Unique name of the Cost Category. */ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleAndNotCostCategory[]; + key?: string; /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. + * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleAndNotDimension[]; + matchOptions?: string[]; /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. + * Specific value of the Cost Category. */ - tags: outputs.costexplorer.GetCostCategoryRuleRuleAndNotTag[]; + values?: string[]; } - export interface GetCostCategoryRuleRuleAndNotCostCategory { + export interface GetTagsFilterDimension { /** - * Key for the tag. + * Unique name of the Cost Category. */ - key: string; + key?: string; /** * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. */ - matchOptions: string[]; + matchOptions?: string[]; /** - * Parameter values. + * Specific value of the Cost Category. 
*/ - values: string[]; + values?: string[]; + } + + export interface GetTagsFilterNot { + costCategory?: outputs.costexplorer.GetTagsFilterNotCostCategory; + dimension?: outputs.costexplorer.GetTagsFilterNotDimension; + /** + * Tags that match your request. + */ + tags?: outputs.costexplorer.GetTagsFilterNotTags; } - export interface GetCostCategoryRuleRuleAndNotDimension { + export interface GetTagsFilterNotCostCategory { /** - * Key for the tag. + * Unique name of the Cost Category. */ - key: string; + key?: string; /** * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. */ - matchOptions: string[]; + matchOptions?: string[]; /** - * Parameter values. + * Specific value of the Cost Category. */ - values: string[]; + values?: string[]; } - export interface GetCostCategoryRuleRuleAndNotTag { + export interface GetTagsFilterNotDimension { /** - * Key for the tag. + * Unique name of the Cost Category. */ - key: string; + key?: string; /** * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. */ - matchOptions: string[]; + matchOptions?: string[]; /** - * Parameter values. + * Specific value of the Cost Category. */ - values: string[]; + values?: string[]; } - export interface GetCostCategoryRuleRuleAndOr { - /** - * Configuration block for the filter that's based on `CostCategory` values. See below. 
- */ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleAndOrCostCategory[]; - /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. - */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleAndOrDimension[]; + export interface GetTagsFilterNotTags { + key?: string; + matchOptions?: string[]; + values?: string[]; + } + + export interface GetTagsFilterOr { + costCategory?: outputs.costexplorer.GetTagsFilterOrCostCategory; + dimension?: outputs.costexplorer.GetTagsFilterOrDimension; /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. + * Tags that match your request. */ - tags: outputs.costexplorer.GetCostCategoryRuleRuleAndOrTag[]; + tags?: outputs.costexplorer.GetTagsFilterOrTags; } - export interface GetCostCategoryRuleRuleAndOrCostCategory { + export interface GetTagsFilterOrCostCategory { /** - * Key for the tag. + * Unique name of the Cost Category. */ - key: string; + key?: string; /** * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. */ - matchOptions: string[]; + matchOptions?: string[]; /** - * Parameter values. + * Specific value of the Cost Category. */ - values: string[]; + values?: string[]; } - export interface GetCostCategoryRuleRuleAndOrDimension { + export interface GetTagsFilterOrDimension { /** - * Key for the tag. + * Unique name of the Cost Category. */ - key: string; + key?: string; /** * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. 
*/ - matchOptions: string[]; + matchOptions?: string[]; /** - * Parameter values. + * Specific value of the Cost Category. */ - values: string[]; + values?: string[]; + } + + export interface GetTagsFilterOrTags { + key?: string; + matchOptions?: string[]; + values?: string[]; + } + + export interface GetTagsFilterTags { + key?: string; + matchOptions?: string[]; + values?: string[]; } - export interface GetCostCategoryRuleRuleAndOrTag { + export interface GetTagsSortBy { /** - * Key for the tag. + * key that's used to sort the data. Valid values are: `BlendedCost`, `UnblendedCost`, `AmortizedCost`, `NetAmortizedCost`, `NetUnblendedCost`, `UsageQuantity`, `NormalizedUsageAmount`. */ - key: string; + key?: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * order that's used to sort the data. Valid values are: `ASCENDING`, `DESCENDING`. */ - matchOptions: string[]; + sortOrder?: string; + } + + export interface GetTagsTimePeriod { /** - * Parameter values. + * Beginning of the time period. */ - values: string[]; + end: string; + /** + * End of the time period. + */ + start: string; } - export interface GetCostCategoryRuleRuleAndTag { +} + +export namespace customerprofiles { + export interface DomainMatching { /** - * Key for the tag. + * A block that specifies the configuration about the auto-merging process. Documented below. */ - key: string; + autoMerging: outputs.customerprofiles.DomainMatchingAutoMerging; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * The flag that enables the matching process of duplicate profiles. */ - matchOptions: string[]; + enabled: boolean; /** - * Parameter values. + * A block that specifies the configuration for exporting Identity Resolution results. Documented below. */ - values: string[]; + exportingConfig?: outputs.customerprofiles.DomainMatchingExportingConfig; + /** + * A block that specifies the day and time when you want to start the Identity Resolution Job every week. Documented below. + */ + jobSchedule?: outputs.customerprofiles.DomainMatchingJobSchedule; } - export interface GetCostCategoryRuleRuleCostCategory { + export interface DomainMatchingAutoMerging { /** - * Key for the tag. + * A block that specifies how the auto-merging process should resolve conflicts between different profiles. Documented below. */ - key: string; + conflictResolution?: outputs.customerprofiles.DomainMatchingAutoMergingConflictResolution; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * A block that specifies a list of matching attributes that represent matching criteria. If two profiles meet at least one of the requirements in the matching attributes list, they will be merged. Documented below. + * * `minAllowedConfidenceScoreForMerging ` - (Optional) A number between 0 and 1 that represents the minimum confidence score required for profiles within a matching group to be merged during the auto-merge process. A higher score means higher similarity required to merge profiles. */ - matchOptions: string[]; + consolidation?: outputs.customerprofiles.DomainMatchingAutoMergingConsolidation; /** - * Parameter values. 
+ * The flag that enables the auto-merging of duplicate profiles. */ - values: string[]; + enabled: boolean; + minAllowedConfidenceScoreForMerging?: number; } - export interface GetCostCategoryRuleRuleDimension { + export interface DomainMatchingAutoMergingConflictResolution { /** - * Key for the tag. + * How the auto-merging process should resolve conflicts between different profiles. Valid values are `RECENCY` and `SOURCE` */ - key: string; + conflictResolvingModel: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel`. */ - matchOptions: string[]; + sourceName?: string; + } + + export interface DomainMatchingAutoMergingConsolidation { /** - * Parameter values. + * A list of matching criteria. */ - values: string[]; + matchingAttributesLists: string[][]; + } + + export interface DomainMatchingExportingConfig { + s3Exporting?: outputs.customerprofiles.DomainMatchingExportingConfigS3Exporting; + } + + export interface DomainMatchingExportingConfigS3Exporting { + s3BucketName: string; + s3KeyName?: string; } - export interface GetCostCategoryRuleRuleNot { + export interface DomainMatchingJobSchedule { /** - * Return results that match both `Dimension` objects. + * The day when the Identity Resolution Job should run every week. */ - ands: outputs.costexplorer.GetCostCategoryRuleRuleNotAnd[]; + dayOfTheWeek: string; /** - * Configuration block for the filter that's based on `CostCategory` values. See below. + * The time when the Identity Resolution Job should run every week. 
*/ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleNotCostCategory[]; + time: string; + } + + export interface DomainRuleBasedMatching { /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. + * A block that configures information about the `AttributeTypesSelector` where the rule-based identity resolution uses to match profiles. Documented below. */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleNotDimension[]; + attributeTypesSelector?: outputs.customerprofiles.DomainRuleBasedMatchingAttributeTypesSelector; /** - * Return results that do not match the `Dimension` object. + * A block that specifies how the auto-merging process should resolve conflicts between different profiles. Documented below. */ - nots: outputs.costexplorer.GetCostCategoryRuleRuleNotNot[]; + conflictResolution?: outputs.customerprofiles.DomainRuleBasedMatchingConflictResolution; /** - * Return results that match either `Dimension` object. + * The flag that enables the rule-based matching process of duplicate profiles. */ - ors: outputs.costexplorer.GetCostCategoryRuleRuleNotOr[]; + enabled: boolean; /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. + * A block that specifies the configuration for exporting Identity Resolution results. Documented below. */ - tags: outputs.costexplorer.GetCostCategoryRuleRuleNotTag[]; - } - - export interface GetCostCategoryRuleRuleNotAnd { + exportingConfig?: outputs.customerprofiles.DomainRuleBasedMatchingExportingConfig; /** - * Configuration block for the filter that's based on `CostCategory` values. See below. + * A block that configures how the rule-based matching process should match profiles. You can have up to 15 `rule` in the `natchingRules`. Documented below. 
*/ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleNotAndCostCategory[]; + matchingRules?: outputs.customerprofiles.DomainRuleBasedMatchingMatchingRule[]; /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. + * Indicates the maximum allowed rule level for matching. */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleNotAndDimension[]; + maxAllowedRuleLevelForMatching?: number; /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. + * Indicates the maximum allowed rule level for merging. */ - tags: outputs.costexplorer.GetCostCategoryRuleRuleNotAndTag[]; + maxAllowedRuleLevelForMerging?: number; + status: string; } - export interface GetCostCategoryRuleRuleNotAndCostCategory { + export interface DomainRuleBasedMatchingAttributeTypesSelector { /** - * Key for the tag. + * The `Address` type. You can choose from `Address`, `BusinessAddress`, `MaillingAddress`, and `ShippingAddress`. */ - key: string; + addresses?: string[]; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Configures the `AttributeMatchingModel`, you can either choose `ONE_TO_ONE` or `MANY_TO_MANY`. */ - matchOptions: string[]; + attributeMatchingModel: string; /** - * Parameter values. + * The `Email` type. You can choose from `EmailAddress`, `BusinessEmailAddress` and `PersonalEmailAddress`. */ - values: string[]; + emailAddresses?: string[]; + /** + * The `PhoneNumber` type. You can choose from `PhoneNumber`, `HomePhoneNumber`, and `MobilePhoneNumber`. + */ + phoneNumbers?: string[]; } - export interface GetCostCategoryRuleRuleNotAndDimension { + export interface DomainRuleBasedMatchingConflictResolution { /** - * Key for the tag. 
+ * How the auto-merging process should resolve conflicts between different profiles. Valid values are `RECENCY` and `SOURCE` */ - key: string; + conflictResolvingModel: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel`. */ - matchOptions: string[]; + sourceName?: string; + } + + export interface DomainRuleBasedMatchingExportingConfig { + s3Exporting?: outputs.customerprofiles.DomainRuleBasedMatchingExportingConfigS3Exporting; + } + + export interface DomainRuleBasedMatchingExportingConfigS3Exporting { + s3BucketName: string; + s3KeyName?: string; + } + + export interface DomainRuleBasedMatchingMatchingRule { /** - * Parameter values. + * A single rule level of the `matchRules`. Configures how the rule-based matching process should match profiles. */ - values: string[]; + rules: string[]; } - export interface GetCostCategoryRuleRuleNotAndTag { + export interface ProfileAddress { /** - * Key for the tag. + * The first line of a customer address. */ - key: string; + address1?: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * The second line of a customer address. */ - matchOptions: string[]; + address2?: string; /** - * Parameter values. + * The third line of a customer address. 
*/ - values: string[]; - } - - export interface GetCostCategoryRuleRuleNotCostCategory { + address3?: string; /** - * Key for the tag. + * The fourth line of a customer address. */ - key: string; + address4?: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * The city in which a customer lives. */ - matchOptions: string[]; + city?: string; /** - * Parameter values. + * The country in which a customer lives. */ - values: string[]; - } - - export interface GetCostCategoryRuleRuleNotDimension { + country?: string; /** - * Key for the tag. + * The county in which a customer lives. */ - key: string; + county?: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * The postal code of a customer address. */ - matchOptions: string[]; + postalCode?: string; /** - * Parameter values. + * The province in which a customer lives. */ - values: string[]; + province?: string; + /** + * The state in which a customer lives. 
+ */ + state?: string; + } + + export interface ProfileBillingAddress { + address1?: string; + address2?: string; + address3?: string; + address4?: string; + city?: string; + country?: string; + county?: string; + postalCode?: string; + province?: string; + state?: string; + } + + export interface ProfileMailingAddress { + address1?: string; + address2?: string; + address3?: string; + address4?: string; + city?: string; + country?: string; + county?: string; + postalCode?: string; + province?: string; + state?: string; + } + + export interface ProfileShippingAddress { + address1?: string; + address2?: string; + address3?: string; + address4?: string; + city?: string; + country?: string; + county?: string; + postalCode?: string; + province?: string; + state?: string; } - export interface GetCostCategoryRuleRuleNotNot { +} + +export namespace datapipeline { + export interface GetPipelineDefinitionParameterObject { + attributes: outputs.datapipeline.GetPipelineDefinitionParameterObjectAttribute[]; /** - * Configuration block for the filter that's based on `CostCategory` values. See below. + * ID of the object. */ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleNotNotCostCategory[]; + id: string; + } + + export interface GetPipelineDefinitionParameterObjectAttribute { /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. + * Field identifier. */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleNotNotDimension[]; + key: string; /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. + * Field value, expressed as a String. */ - tags: outputs.costexplorer.GetCostCategoryRuleRuleNotNotTag[]; + stringValue: string; } - export interface GetCostCategoryRuleRuleNotNotCostCategory { - /** - * Key for the tag. - */ - key: string; + export interface GetPipelineDefinitionParameterValue { /** - * Match options that you can use to filter your results. 
MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * ID of the object. */ - matchOptions: string[]; + id: string; /** - * Parameter values. + * Field value, expressed as a String. */ - values: string[]; + stringValue: string; } - export interface GetCostCategoryRuleRuleNotNotDimension { + export interface GetPipelineDefinitionPipelineObject { /** - * Key for the tag. + * Key-value pairs that define the properties of the object. See below */ - key: string; + fields?: outputs.datapipeline.GetPipelineDefinitionPipelineObjectField[]; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * ID of the object. */ - matchOptions: string[]; + id: string; /** - * Parameter values. + * ARN of the storage connector. */ - values: string[]; + name: string; } - export interface GetCostCategoryRuleRuleNotNotTag { + export interface GetPipelineDefinitionPipelineObjectField { /** - * Key for the tag. + * Field identifier. */ key: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Field value, expressed as the identifier of another object */ - matchOptions: string[]; + refValue: string; /** - * Parameter values. + * Field value, expressed as a String. 
*/ - values: string[]; + stringValue: string; } - export interface GetCostCategoryRuleRuleNotOr { + export interface PipelineDefinitionParameterObject { /** - * Configuration block for the filter that's based on `CostCategory` values. See below. + * Configuration block for attributes of the parameter object. See below */ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleNotOrCostCategory[]; + attributes?: outputs.datapipeline.PipelineDefinitionParameterObjectAttribute[]; /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. + * ID of the parameter object. */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleNotOrDimension[]; - /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. - */ - tags: outputs.costexplorer.GetCostCategoryRuleRuleNotOrTag[]; + id: string; } - export interface GetCostCategoryRuleRuleNotOrCostCategory { + export interface PipelineDefinitionParameterObjectAttribute { /** - * Key for the tag. + * Field identifier. */ key: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. - */ - matchOptions: string[]; - /** - * Parameter values. + * Field value, expressed as a String. */ - values: string[]; + stringValue: string; } - export interface GetCostCategoryRuleRuleNotOrDimension { - /** - * Key for the tag. - */ - key: string; + export interface PipelineDefinitionParameterValue { /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. 
+ * ID of the parameter value. */ - matchOptions: string[]; + id: string; /** - * Parameter values. + * Field value, expressed as a String. */ - values: string[]; + stringValue: string; } - export interface GetCostCategoryRuleRuleNotOrTag { + export interface PipelineDefinitionPipelineObject { /** - * Key for the tag. + * Configuration block for Key-value pairs that define the properties of the object. See below */ - key: string; + fields?: outputs.datapipeline.PipelineDefinitionPipelineObjectField[]; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * ID of the object. */ - matchOptions: string[]; + id: string; /** - * Parameter values. + * ARN of the storage connector. */ - values: string[]; + name: string; } - export interface GetCostCategoryRuleRuleNotTag { + export interface PipelineDefinitionPipelineObjectField { /** - * Key for the tag. + * Field identifier. */ key: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Field value, expressed as the identifier of another object */ - matchOptions: string[]; + refValue?: string; /** - * Parameter values. + * Field value, expressed as a String. */ - values: string[]; + stringValue?: string; } - export interface GetCostCategoryRuleRuleOr { +} + +export namespace datasync { + export interface EfsLocationEc2Config { /** - * Return results that match both `Dimension` objects. 
+ * List of Amazon Resource Names (ARNs) of the EC2 Security Groups that are associated with the EFS Mount Target. */ - ands: outputs.costexplorer.GetCostCategoryRuleRuleOrAnd[]; + securityGroupArns: string[]; /** - * Configuration block for the filter that's based on `CostCategory` values. See below. + * Amazon Resource Name (ARN) of the EC2 Subnet that is associated with the EFS Mount Target. */ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleOrCostCategory[]; + subnetArn: string; + } + + export interface FsxOpenZfsFileSystemProtocol { /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. + * Represents the Network File System (NFS) protocol that DataSync uses to access your FSx for OpenZFS file system. See below. */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleOrDimension[]; + nfs: outputs.datasync.FsxOpenZfsFileSystemProtocolNfs; + } + + export interface FsxOpenZfsFileSystemProtocolNfs { /** - * Return results that do not match the `Dimension` object. + * Represents the mount options that are available for DataSync to access an NFS location. See below. */ - nots: outputs.costexplorer.GetCostCategoryRuleRuleOrNot[]; + mountOptions: outputs.datasync.FsxOpenZfsFileSystemProtocolNfsMountOptions; + } + + export interface FsxOpenZfsFileSystemProtocolNfsMountOptions { /** - * Return results that match either `Dimension` object. + * The specific NFS version that you want DataSync to use for mounting your NFS share. Valid values: `AUTOMATIC`, `NFS3`, `NFS4_0` and `NFS4_1`. Default: `AUTOMATIC` */ - ors: outputs.costexplorer.GetCostCategoryRuleRuleOrOr[]; + version?: string; + } + + export interface LocationAzureBlobSasConfiguration { /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. + * A SAS token that provides permissions to access your Azure Blob Storage. 
*/ - tags: outputs.costexplorer.GetCostCategoryRuleRuleOrTag[]; + token: string; } - export interface GetCostCategoryRuleRuleOrAnd { + export interface LocationFsxOntapFileSystemProtocol { /** - * Configuration block for the filter that's based on `CostCategory` values. See below. + * Network File System (NFS) protocol that DataSync uses to access your FSx ONTAP file system. See NFS below. */ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleOrAndCostCategory[]; + nfs?: outputs.datasync.LocationFsxOntapFileSystemProtocolNfs; /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. + * Server Message Block (SMB) protocol that DataSync uses to access your FSx ONTAP file system. See [SMB] (#smb) below. */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleOrAndDimension[]; + smb?: outputs.datasync.LocationFsxOntapFileSystemProtocolSmb; + } + + export interface LocationFsxOntapFileSystemProtocolNfs { /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. + * Mount options that are available for DataSync to access an NFS location. See NFS Mount Options below. */ - tags: outputs.costexplorer.GetCostCategoryRuleRuleOrAndTag[]; + mountOptions: outputs.datasync.LocationFsxOntapFileSystemProtocolNfsMountOptions; + } + + export interface LocationFsxOntapFileSystemProtocolNfsMountOptions { + version?: string; } - export interface GetCostCategoryRuleRuleOrAndCostCategory { + export interface LocationFsxOntapFileSystemProtocolSmb { /** - * Key for the tag. + * Fully qualified domain name of the Microsoft Active Directory (AD) that your storage virtual machine belongs to. */ - key: string; + domain?: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Mount options that are available for DataSync to access an SMB location. See SMB Mount Options below. */ - matchOptions: string[]; + mountOptions: outputs.datasync.LocationFsxOntapFileSystemProtocolSmbMountOptions; /** - * Parameter values. + * Password of a user who has permission to access your SVM. */ - values: string[]; - } - - export interface GetCostCategoryRuleRuleOrAndDimension { + password: string; /** - * Key for the tag. + * Username that can mount the location and access the files, folders, and metadata that you need in the SVM. */ - key: string; + user: string; + } + + export interface LocationFsxOntapFileSystemProtocolSmbMountOptions { + version?: string; + } + + export interface LocationHdfsNameNode { /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * The hostname of the NameNode in the HDFS cluster. This value is the IP address or Domain Name Service (DNS) name of the NameNode. An agent that's installed on-premises uses this hostname to communicate with the NameNode in the network. */ - matchOptions: string[]; + hostname: string; /** - * Parameter values. + * The port that the NameNode uses to listen to client requests. */ - values: string[]; + port: number; } - export interface GetCostCategoryRuleRuleOrAndTag { - /** - * Key for the tag. - */ - key: string; + export interface LocationHdfsQopConfiguration { /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * The data transfer protection setting configured on the HDFS cluster. This setting corresponds to your dfs.data.transfer.protection setting in the hdfs-site.xml file on your Hadoop cluster. Valid values are `DISABLED`, `AUTHENTICATION`, `INTEGRITY` and `PRIVACY`. */ - matchOptions: string[]; + dataTransferProtection: string; /** - * Parameter values. + * The RPC protection setting configured on the HDFS cluster. This setting corresponds to your hadoop.rpc.protection setting in your core-site.xml file on your Hadoop cluster. Valid values are `DISABLED`, `AUTHENTICATION`, `INTEGRITY` and `PRIVACY`. */ - values: string[]; + rpcProtection: string; } - export interface GetCostCategoryRuleRuleOrCostCategory { + export interface LocationSmbMountOptions { /** - * Key for the tag. + * The specific SMB version that you want DataSync to use for mounting your SMB share. Valid values: `AUTOMATIC`, `SMB2`, and `SMB3`. Default: `AUTOMATIC` */ - key: string; + version?: string; + } + + export interface NfsLocationMountOptions { /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * The specific NFS version that you want DataSync to use for mounting your NFS share. Valid values: `AUTOMATIC`, `NFS3`, `NFS4_0` and `NFS4_1`. Default: `AUTOMATIC` */ - matchOptions: string[]; + version?: string; + } + + export interface NfsLocationOnPremConfig { /** - * Parameter values. + * List of Amazon Resource Names (ARNs) of the DataSync Agents used to connect to the NFS server. 
*/ - values: string[]; + agentArns: string[]; } - export interface GetCostCategoryRuleRuleOrDimension { + export interface S3LocationS3Config { /** - * Key for the tag. + * ARN of the IAM Role used to connect to the S3 Bucket. */ - key: string; + bucketAccessRoleArn: string; + } + + export interface TaskExcludes { /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * The type of filter rule to apply. Valid values: `SIMPLE_PATTERN`. */ - matchOptions: string[]; + filterType?: string; /** - * Parameter values. + * A single filter string that consists of the patterns to exclude. The patterns are delimited by "|" (that is, a pipe), for example: `/folder1|/folder2` */ - values: string[]; + value?: string; } - export interface GetCostCategoryRuleRuleOrNot { - /** - * Configuration block for the filter that's based on `CostCategory` values. See below. - */ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleOrNotCostCategory[]; + export interface TaskIncludes { /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. + * The type of filter rule to apply. Valid values: `SIMPLE_PATTERN`. */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleOrNotDimension[]; + filterType?: string; /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. + * A single filter string that consists of the patterns to include. The patterns are delimited by "|" (that is, a pipe), for example: `/folder1|/folder2` */ - tags: outputs.costexplorer.GetCostCategoryRuleRuleOrNotTag[]; + value?: string; } - export interface GetCostCategoryRuleRuleOrNotCostCategory { + export interface TaskOptions { /** - * Key for the tag. 
+ * A file metadata that shows the last time a file was accessed (that is when the file was read or written to). If set to `BEST_EFFORT`, the DataSync Task attempts to preserve the original (that is, the version before sync `PREPARING` phase) `atime` attribute on all source files. Valid values: `BEST_EFFORT`, `NONE`. Default: `BEST_EFFORT`. */ - key: string; + atime?: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Limits the bandwidth utilized. For example, to set a maximum of 1 MB, set this value to `1048576`. Value values: `-1` or greater. Default: `-1` (unlimited). */ - matchOptions: string[]; + bytesPerSecond?: number; /** - * Parameter values. + * Group identifier of the file's owners. Valid values: `BOTH`, `INT_VALUE`, `NAME`, `NONE`. Default: `INT_VALUE` (preserve integer value of the ID). */ - values: string[]; - } - - export interface GetCostCategoryRuleRuleOrNotDimension { + gid?: string; /** - * Key for the tag. + * Determines the type of logs that DataSync publishes to a log stream in the Amazon CloudWatch log group that you provide. Valid values: `OFF`, `BASIC`, `TRANSFER`. Default: `OFF`. */ - key: string; + logLevel?: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * A file metadata that indicates the last time a file was modified (written to) before the sync `PREPARING` phase. Value values: `NONE`, `PRESERVE`. Default: `PRESERVE`. 
*/ - matchOptions: string[]; + mtime?: string; /** - * Parameter values. + * Specifies whether object tags are maintained when transferring between object storage systems. If you want your DataSync task to ignore object tags, specify the NONE value. Valid values: `PRESERVE`, `NONE`. Default value: `PRESERVE`. */ - values: string[]; - } - - export interface GetCostCategoryRuleRuleOrNotTag { + objectTags?: string; /** - * Key for the tag. + * Determines whether files at the destination should be overwritten or preserved when copying files. Valid values: `ALWAYS`, `NEVER`. Default: `ALWAYS`. */ - key: string; + overwriteMode?: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Determines which users or groups can access a file for a specific purpose such as reading, writing, or execution of the file. Valid values: `NONE`, `PRESERVE`. Default: `PRESERVE`. */ - matchOptions: string[]; + posixPermissions?: string; /** - * Parameter values. + * Whether files deleted in the source should be removed or preserved in the destination file system. Valid values: `PRESERVE`, `REMOVE`. Default: `PRESERVE`. */ - values: string[]; - } - - export interface GetCostCategoryRuleRuleOrOr { + preserveDeletedFiles?: string; /** - * Configuration block for the filter that's based on `CostCategory` values. See below. + * Whether the DataSync Task should preserve the metadata of block and character devices in the source files system, and recreate the files with that device name and metadata on the destination. The DataSync Task can’t sync the actual contents of such devices, because many of the devices are non-terminal and don’t return an end of file (EOF) marker. Valid values: `NONE`, `PRESERVE`. 
Default: `NONE` (ignore special devices). */ - costCategories: outputs.costexplorer.GetCostCategoryRuleRuleOrOrCostCategory[]; + preserveDevices?: string; /** - * Configuration block for the specific `Dimension` to use for `Expression`. See below. + * Determines which components of the SMB security descriptor are copied from source to destination objects. This value is only used for transfers between SMB and Amazon FSx for Windows File Server locations, or between two Amazon FSx for Windows File Server locations. Valid values: `NONE`, `OWNER_DACL`, `OWNER_DACL_SACL`. Default: `OWNER_DACL`. */ - dimensions: outputs.costexplorer.GetCostCategoryRuleRuleOrOrDimension[]; + securityDescriptorCopyFlags: string; /** - * Configuration block for the specific `Tag` to use for `Expression`. See below. + * Determines whether tasks should be queued before executing the tasks. Valid values: `ENABLED`, `DISABLED`. Default `ENABLED`. */ - tags: outputs.costexplorer.GetCostCategoryRuleRuleOrOrTag[]; - } - - export interface GetCostCategoryRuleRuleOrOrCostCategory { + taskQueueing?: string; /** - * Key for the tag. + * Determines whether DataSync transfers only the data and metadata that differ between the source and the destination location, or whether DataSync transfers all the content from the source, without comparing to the destination location. Valid values: `CHANGED`, `ALL`. Default: `CHANGED` */ - key: string; + transferMode?: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * User identifier of the file's owners. Valid values: `BOTH`, `INT_VALUE`, `NAME`, `NONE`. Default: `INT_VALUE` (preserve integer value of the ID). */ - matchOptions: string[]; + uid?: string; /** - * Parameter values. 
+ * Whether a data integrity verification should be performed at the end of a task execution after all data and metadata have been transferred. Valid values: `NONE`, `POINT_IN_TIME_CONSISTENT`, `ONLY_FILES_TRANSFERRED`. Default: `POINT_IN_TIME_CONSISTENT`. */ - values: string[]; + verifyMode?: string; } - export interface GetCostCategoryRuleRuleOrOrDimension { + export interface TaskSchedule { /** - * Key for the tag. + * Specifies the schedule you want your task to use for repeated executions. For more information, see [Schedule Expressions for Rules](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html). */ - key: string; + scheduleExpression: string; + } + + export interface TaskTaskReportConfig { /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Specifies the type of task report you'd like. Valid values: `SUMMARY_ONLY` and `STANDARD`. */ - matchOptions: string[]; + outputType?: string; /** - * Parameter values. + * Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't. Valid values: `ERRORS_ONLY` and `SUCCESSES_AND_ERRORS`. */ - values: string[]; - } - - export interface GetCostCategoryRuleRuleOrOrTag { + reportLevel?: string; /** - * Key for the tag. + * Configuration block containing the configuration of the reporting level for aspects of your task report. See `reportOverrides` below. */ - key: string; + reportOverrides?: outputs.datasync.TaskTaskReportConfigReportOverrides; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. 
Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Configuration block containing the configuration for the Amazon S3 bucket where DataSync uploads your task report. See `s3Destination` below. */ - matchOptions: string[]; + s3Destination: outputs.datasync.TaskTaskReportConfigS3Destination; /** - * Parameter values. + * Specifies whether your task report includes the new version of each object transferred into an S3 bucket. This only applies if you enable versioning on your bucket. Keep in mind that setting this to INCLUDE can increase the duration of your task execution. Valid values: `INCLUDE` and `NONE`. */ - values: string[]; + s3ObjectVersioning?: string; } - export interface GetCostCategoryRuleRuleOrTag { + export interface TaskTaskReportConfigReportOverrides { /** - * Key for the tag. + * Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you configure your task to delete data in the destination that isn't in the source. Valid values: `ERRORS_ONLY` and `SUCCESSES_AND_ERRORS`. */ - key: string; + deletedOverride?: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer. Valid values: `ERRORS_ONLY` and `SUCCESSES_AND_ERRORS`. */ - matchOptions: string[]; + skippedOverride?: string; /** - * Parameter values. + * Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer. Valid values: `ERRORS_ONLY` and `SUCCESSES_AND_ERRORS`. 
*/ - values: string[]; + transferredOverride?: string; + /** + * Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify at the end of your transfer. Valid values: `ERRORS_ONLY` and `SUCCESSES_AND_ERRORS`. + * + * > **NOTE:** If any `reportOverrides` are set to the same value as `task_report_config.report_level`, they will always be flagged as changed. Only set overrides to a value that differs from `task_report_config.report_level`. + */ + verifiedOverride?: string; } - export interface GetCostCategoryRuleRuleTag { + export interface TaskTaskReportConfigS3Destination { /** - * Key for the tag. + * Specifies the Amazon Resource Name (ARN) of the IAM policy that allows DataSync to upload a task report to your S3 bucket. */ - key: string; + bucketAccessRoleArn: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Specifies the ARN of the S3 bucket where DataSync uploads your report. */ - matchOptions: string[]; + s3BucketArn: string; /** - * Parameter values. + * Specifies a bucket prefix for your report. */ - values: string[]; + subdirectory?: string; } - export interface GetCostCategorySplitChargeRule { +} + +export namespace datazone { + export interface DomainSingleSignOn { + type: string; + userAssignment?: string; + } + + export interface DomainTimeouts { /** - * Method that's used to define how to split your source costs across your targets. Valid values are `FIXED`, `PROPORTIONAL`, `EVEN` + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). 
*/ - method: string; + create?: string; /** - * Configuration block for the parameters for a split charge method. This is only required for the `FIXED` method. See below. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. */ - parameters: outputs.costexplorer.GetCostCategorySplitChargeRuleParameter[]; + delete?: string; + } + +} + +export namespace dax { + export interface ClusterNode { + address: string; + availabilityZone: string; + id: string; /** - * Cost Category value that you want to split. + * The port used by the configuration endpoint */ - source: string; + port: number; + } + + export interface ClusterServerSideEncryption { /** - * Cost Category values that you want to split costs across. These values can't be used as a source in other split charge rules. + * Whether to enable encryption at rest. Defaults to `false`. */ - targets: string[]; + enabled?: boolean; } - export interface GetCostCategorySplitChargeRuleParameter { + export interface ParameterGroupParameter { /** - * Parameter type. + * The name of the parameter. */ - type: string; + name: string; /** - * Parameter values. + * The value for the parameter. */ - values: string[]; + value: string; } - export interface GetTagsFilter { +} + +export namespace devicefarm { + export interface DevicePoolRule { /** - * Return results that match both `Dimension` objects. + * The rule's stringified attribute. Valid values are: `APPIUM_VERSION`, `ARN`, `AVAILABILITY`, `FLEET_TYPE`, `FORM_FACTOR`, `INSTANCE_ARN`, `INSTANCE_LABELS`, `MANUFACTURER`, `MODEL`, `OS_VERSION`, `PLATFORM`, `REMOTE_ACCESS_ENABLED`, `REMOTE_DEBUG_ENABLED`. 
*/ - ands?: outputs.costexplorer.GetTagsFilterAnd[]; + attribute?: string; /** - * Configuration block for the filter that's based on `CostCategory` values. See `costCategory` block below for details. + * Specifies how Device Farm compares the rule's attribute to the value. For the operators that are supported by each attribute. Valid values are: `EQUALS`, `NOT_IN`, `IN`, `GREATER_THAN`, `GREATER_THAN_OR_EQUALS`, `LESS_THAN`, `LESS_THAN_OR_EQUALS`, `CONTAINS`. */ - costCategory?: outputs.costexplorer.GetTagsFilterCostCategory; + operator?: string; /** - * Configuration block for the specific `Dimension` to use for `Expression`. See `dimension` block below for details. + * The rule's value. */ - dimension?: outputs.costexplorer.GetTagsFilterDimension; + value?: string; + } + + export interface TestGridProjectVpcConfig { /** - * Return results that match both `Dimension` object. + * A list of VPC security group IDs in your Amazon VPC. */ - not?: outputs.costexplorer.GetTagsFilterNot; + securityGroupIds: string[]; /** - * Return results that match both `Dimension` object. + * A list of VPC subnet IDs in your Amazon VPC. */ - ors?: outputs.costexplorer.GetTagsFilterOr[]; + subnetIds: string[]; /** - * Tags that match your request. + * The ID of the Amazon VPC. */ - tags?: outputs.costexplorer.GetTagsFilterTags; + vpcId: string; } - export interface GetTagsFilterAnd { - costCategory?: outputs.costexplorer.GetTagsFilterAndCostCategory; - dimension?: outputs.costexplorer.GetTagsFilterAndDimension; +} + +export namespace devopsguru { + export interface EventSourcesConfigEventSource { /** - * Tags that match your request. + * Stores whether DevOps Guru is configured to consume recommendations which are generated from AWS CodeGuru Profiler. See `amazonCodeGuruProfiler` below. 
*/ - tags?: outputs.costexplorer.GetTagsFilterAndTags; + amazonCodeGuruProfilers?: outputs.devopsguru.EventSourcesConfigEventSourceAmazonCodeGuruProfiler[]; } - export interface GetTagsFilterAndCostCategory { - /** - * Unique name of the Cost Category. - */ - key?: string; - /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. - */ - matchOptions?: string[]; + export interface EventSourcesConfigEventSourceAmazonCodeGuruProfiler { /** - * Specific value of the Cost Category. + * Status of the CodeGuru Profiler integration. Valid values are `ENABLED` and `DISABLED`. */ - values?: string[]; + status: string; } - export interface GetTagsFilterAndDimension { - /** - * Unique name of the Cost Category. - */ - key?: string; + export interface GetNotificationChannelFilter { /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Events to receive notifications for. */ - matchOptions?: string[]; + messageTypes: string[]; /** - * Specific value of the Cost Category. + * Severity levels to receive notifications for. */ - values?: string[]; + severities: string[]; } - export interface GetTagsFilterAndTags { - key?: string; - matchOptions?: string[]; - values?: string[]; + export interface GetNotificationChannelSn { + /** + * Amazon Resource Name (ARN) of an Amazon Simple Notification Service topic. 
+ */ + topicArn: string; } - export interface GetTagsFilterCostCategory { + export interface GetResourceCollectionCloudformation { /** - * Unique name of the Cost Category. + * Array of the names of the AWS CloudFormation stacks. */ - key?: string; + stackNames: string[]; + } + + export interface GetResourceCollectionTag { /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * An AWS tag key that is used to identify the AWS resources that DevOps Guru analyzes. */ - matchOptions?: string[]; + appBoundaryKey: string; /** - * Specific value of the Cost Category. + * Array of tag values. */ - values?: string[]; + tagValues: string[]; } - export interface GetTagsFilterDimension { - /** - * Unique name of the Cost Category. - */ - key?: string; + export interface NotificationChannelFilters { /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Events to receive notifications for. Valid values are `NEW_INSIGHT`, `CLOSED_INSIGHT`, `NEW_ASSOCIATION`, `SEVERITY_UPGRADED`, and `NEW_RECOMMENDATION`. */ - matchOptions?: string[]; + messageTypes?: string[]; /** - * Specific value of the Cost Category. + * Severity levels to receive notifications for. Valid values are `LOW`, `MEDIUM`, and `HIGH`. 
*/ - values?: string[]; + severities?: string[]; } - export interface GetTagsFilterNot { - costCategory?: outputs.costexplorer.GetTagsFilterNotCostCategory; - dimension?: outputs.costexplorer.GetTagsFilterNotDimension; + export interface NotificationChannelSns { /** - * Tags that match your request. + * Amazon Resource Name (ARN) of an Amazon Simple Notification Service topic. */ - tags?: outputs.costexplorer.GetTagsFilterNotTags; + topicArn: string; } - export interface GetTagsFilterNotCostCategory { + export interface ResourceCollectionCloudformation { /** - * Unique name of the Cost Category. + * Array of the names of the AWS CloudFormation stacks. If `type` is `AWS_SERVICE` (all acccount resources) this array should be a single item containing a wildcard (`"*"`). */ - key?: string; + stackNames: string[]; + } + + export interface ResourceCollectionTags { /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * An AWS tag key that is used to identify the AWS resources that DevOps Guru analyzes. All AWS resources in your account and Region tagged with this key make up your DevOps Guru application and analysis boundary. The key must begin with the prefix `DevOps-Guru-`. Any casing can be used for the prefix, but the associated tags __must use the same casing__ in their tag key. */ - matchOptions?: string[]; + appBoundaryKey: string; /** - * Specific value of the Cost Category. + * Array of tag values. These can be used to further filter for specific resources within the application boundary. To analyze all resources tagged with the `appBoundaryKey` regardless of the corresponding tag value, this array should be a single item containing a wildcard (`"*"`). 
*/ - values?: string[]; + tagValues: string[]; } - export interface GetTagsFilterNotDimension { + export interface ServiceIntegrationKmsServerSideEncryption { /** - * Unique name of the Cost Category. + * KMS key ID. This value can be a key ID, key ARN, alias name, or alias ARN. */ - key?: string; + kmsKeyId: string; /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. + * Specifies whether KMS integration is enabled. Valid values are `DISABLED` and `ENABLED`. */ - matchOptions?: string[]; + optInStatus: string; /** - * Specific value of the Cost Category. + * Type of KMS key used. Valid values are `CUSTOMER_MANAGED_KEY` and `AWS_OWNED_KMS_KEY`. */ - values?: string[]; - } - - export interface GetTagsFilterNotTags { - key?: string; - matchOptions?: string[]; - values?: string[]; + type: string; } - export interface GetTagsFilterOr { - costCategory?: outputs.costexplorer.GetTagsFilterOrCostCategory; - dimension?: outputs.costexplorer.GetTagsFilterOrDimension; + export interface ServiceIntegrationLogsAnomalyDetection { /** - * Tags that match your request. + * Specifies if DevOps Guru is configured to perform log anomaly detection on CloudWatch log groups. Valid values are `DISABLED` and `ENABLED`. */ - tags?: outputs.costexplorer.GetTagsFilterOrTags; + optInStatus: string; } - export interface GetTagsFilterOrCostCategory { - /** - * Unique name of the Cost Category. - */ - key?: string; - /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. 
- */ - matchOptions?: string[]; + export interface ServiceIntegrationOpsCenter { /** - * Specific value of the Cost Category. + * Specifies if DevOps Guru is enabled to create an AWS Systems Manager OpsItem for each created insight. Valid values are `DISABLED` and `ENABLED`. */ - values?: string[]; + optInStatus: string; } - export interface GetTagsFilterOrDimension { - /** - * Unique name of the Cost Category. - */ - key?: string; - /** - * Match options that you can use to filter your results. MatchOptions is only applicable for actions related to cost category. The default values for MatchOptions is `EQUALS` and `CASE_SENSITIVE`. Valid values are: `EQUALS`, `ABSENT`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CASE_SENSITIVE`, `CASE_INSENSITIVE`. - */ - matchOptions?: string[]; +} + +export namespace directconnect { + export interface GetRouterConfigurationRouter { /** - * Specific value of the Cost Category. + * Router platform */ - values?: string[]; - } - - export interface GetTagsFilterOrTags { - key?: string; - matchOptions?: string[]; - values?: string[]; - } - - export interface GetTagsFilterTags { - key?: string; - matchOptions?: string[]; - values?: string[]; - } - - export interface GetTagsSortBy { + platform: string; /** - * key that's used to sort the data. Valid values are: `BlendedCost`, `UnblendedCost`, `AmortizedCost`, `NetAmortizedCost`, `NetUnblendedCost`, `UsageQuantity`, `NormalizedUsageAmount`. + * ID of the Router Type. For example: `CiscoSystemsInc-2900SeriesRouters-IOS124` + * + * There is currently no AWS API to retrieve the full list of `routerTypeIdentifier` values. 
Here is a list of known `RouterType` objects that can be used: + * + * ```json + * { + * "routerTypes": [ + * {"platform":"2900 Series Routers","routerTypeIdentifier":"CiscoSystemsInc-2900SeriesRouters-IOS124","software":"IOS 12.4+","vendor":"Cisco Systems, Inc.","xsltTemplateName":"customer-router-cisco-generic.xslt","xsltTemplateNameForMacSec":""}, + * {"platform":"3700 Series Routers","routerTypeIdentifier":"CiscoSystemsInc-3700SeriesRouters-IOS124","software":"IOS 12.4+","vendor":"Cisco Systems, Inc.","xsltTemplateName":"customer-router-cisco-generic.xslt","xsltTemplateNameForMacSec":""}, + * {"platform":"7200 Series Routers","routerTypeIdentifier":"CiscoSystemsInc-7200SeriesRouters-IOS124","software":"IOS 12.4+","vendor":"Cisco Systems, Inc.","xsltTemplateName":"customer-router-cisco-generic.xslt","xsltTemplateNameForMacSec":""}, + * {"platform":"Nexus 7000 Series Switches","routerTypeIdentifier":"CiscoSystemsInc-Nexus7000SeriesSwitches-NXOS51","software":"NX-OS 5.1+","vendor":"Cisco Systems, Inc.","xsltTemplateName":"customer-switch-cisco-nexus-generic.xslt","xsltTemplateNameForMacSec":""}, + * {"platform":"Nexus 9K+ Series Switches","routerTypeIdentifier":"CiscoSystemsInc-Nexus9KSeriesSwitches-NXOS93","software":"NX-OS 9.3+","vendor":"Cisco Systems, Inc.","xsltTemplateName":"customer-switch-cisco-nexus-generic.xslt","xsltTemplateNameForMacSec":"customer-switch-cisco-nexus-generic-macsec.xslt"}, + * {"platform":"M/MX Series Routers","routerTypeIdentifier":"JuniperNetworksInc-MMXSeriesRouters-JunOS95","software":"JunOS 9.5+","vendor":"Juniper Networks, Inc.","xsltTemplateName":"customer-router-juniper-generic.xslt","xsltTemplateNameForMacSec":"customer-router-juniper-generic-macsec.xslt"}, + * {"platform":"SRX Series Routers","routerTypeIdentifier":"JuniperNetworksInc-SRXSeriesRouters-JunOS95","software":"JunOS 9.5+","vendor":"Juniper Networks, Inc.","xsltTemplateName":"customer-router-juniper-generic.xslt","xsltTemplateNameForMacSec":""}, + * {"platform":"T 
Series Routers","routerTypeIdentifier":"JuniperNetworksInc-TSeriesRouters-JunOS95","software":"JunOS 9.5+","vendor":"Juniper Networks, Inc.","xsltTemplateName":"customer-router-juniper-generic.xslt","xsltTemplateNameForMacSec":""}, + * {"platform":"PA-3000+ and 5000+ series","routerTypeIdentifier":"PaloAltoNetworks-PA3000and5000series-PANOS803","software":"PAN-OS 8.0.3+","vendor":"Palo Alto Networks","xsltTemplateName":"customer-router-palo-alto-generic.xslt","xsltTemplateNameForMacSec":""}] + * } + * ``` */ - key?: string; + routerTypeIdentifier: string; /** - * order that's used to sort the data. Valid values are: `ASCENDING`, `DESCENDING`. + * Router operating system */ - sortOrder?: string; - } - - export interface GetTagsTimePeriod { + software: string; /** - * Beginning of the time period. + * Router vendor */ - end: string; + vendor: string; /** - * End of the time period. + * Router XSLT Template Name */ - start: string; + xsltTemplateName: string; + xsltTemplateNameForMacSec: string; } } -export namespace customerprofiles { - export interface DomainMatching { +export namespace directoryservice { + export interface DirectoryConnectSettings { + availabilityZones: string[]; /** - * A block that specifies the configuration about the auto-merging process. Documented below. + * The IP addresses of the AD Connector servers. */ - autoMerging: outputs.customerprofiles.DomainMatchingAutoMerging; + connectIps: string[]; /** - * The flag that enables the matching process of duplicate profiles. + * The DNS IP addresses of the domain to connect to. */ - enabled: boolean; + customerDnsIps: string[]; /** - * A block that specifies the configuration for exporting Identity Resolution results. Documented below. + * The username corresponding to the password provided. 
*/ - exportingConfig?: outputs.customerprofiles.DomainMatchingExportingConfig; + customerUsername: string; /** - * A block that specifies the day and time when you want to start the Identity Resolution Job every week. Documented below. + * The identifiers of the subnets for the directory servers (2 subnets in 2 different AZs). */ - jobSchedule?: outputs.customerprofiles.DomainMatchingJobSchedule; - } - - export interface DomainMatchingAutoMerging { + subnetIds: string[]; /** - * A block that specifies how the auto-merging process should resolve conflicts between different profiles. Documented below. + * The identifier of the VPC that the directory is in. */ - conflictResolution?: outputs.customerprofiles.DomainMatchingAutoMergingConflictResolution; + vpcId: string; + } + + export interface DirectoryVpcSettings { + availabilityZones: string[]; /** - * A block that specifies a list of matching attributes that represent matching criteria. If two profiles meet at least one of the requirements in the matching attributes list, they will be merged. Documented below. - * * `minAllowedConfidenceScoreForMerging ` - (Optional) A number between 0 and 1 that represents the minimum confidence score required for profiles within a matching group to be merged during the auto-merge process. A higher score means higher similarity required to merge profiles. + * The identifiers of the subnets for the directory servers (2 subnets in 2 different AZs). */ - consolidation?: outputs.customerprofiles.DomainMatchingAutoMergingConsolidation; + subnetIds: string[]; /** - * The flag that enables the auto-merging of duplicate profiles. + * The identifier of the VPC that the directory is in. 
*/ - enabled: boolean; - minAllowedConfidenceScoreForMerging?: number; + vpcId: string; } - export interface DomainMatchingAutoMergingConflictResolution { + export interface GetDirectoryConnectSetting { + availabilityZones: string[]; /** - * How the auto-merging process should resolve conflicts between different profiles. Valid values are `RECENCY` and `SOURCE` + * IP addresses of the AD Connector servers. */ - conflictResolvingModel: string; + connectIps: string[]; /** - * The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel`. + * DNS IP addresses of the domain to connect to. */ - sourceName?: string; - } - - export interface DomainMatchingAutoMergingConsolidation { + customerDnsIps: string[]; /** - * A list of matching criteria. + * Username corresponding to the password provided. */ - matchingAttributesLists: string[][]; - } - - export interface DomainMatchingExportingConfig { - s3Exporting?: outputs.customerprofiles.DomainMatchingExportingConfigS3Exporting; - } - - export interface DomainMatchingExportingConfigS3Exporting { - s3BucketName: string; - s3KeyName?: string; - } - - export interface DomainMatchingJobSchedule { + customerUsername: string; /** - * The day when the Identity Resolution Job should run every week. + * Identifiers of the subnets for the connector servers (2 subnets in 2 different AZs). */ - dayOfTheWeek: string; + subnetIds: string[]; /** - * The time when the Identity Resolution Job should run every week. + * ID of the VPC that the connector is in. */ - time: string; + vpcId: string; } - export interface DomainRuleBasedMatching { + export interface GetDirectoryRadiusSetting { /** - * A block that configures information about the `AttributeTypesSelector` where the rule-based identity resolution uses to match profiles. Documented below. + * The protocol specified for your RADIUS endpoints. 
*/ - attributeTypesSelector?: outputs.customerprofiles.DomainRuleBasedMatchingAttributeTypesSelector; + authenticationProtocol: string; /** - * A block that specifies how the auto-merging process should resolve conflicts between different profiles. Documented below. + * Display label. */ - conflictResolution?: outputs.customerprofiles.DomainRuleBasedMatchingConflictResolution; + displayLabel: string; /** - * The flag that enables the rule-based matching process of duplicate profiles. + * Port that your RADIUS server is using for communications. */ - enabled: boolean; + radiusPort: number; /** - * A block that specifies the configuration for exporting Identity Resolution results. Documented below. + * Maximum number of times that communication with the RADIUS server is attempted. */ - exportingConfig?: outputs.customerprofiles.DomainRuleBasedMatchingExportingConfig; + radiusRetries: number; /** - * A block that configures how the rule-based matching process should match profiles. You can have up to 15 `rule` in the `natchingRules`. Documented below. + * Set of strings that contains the fully qualified domain name (FQDN) or IP addresses of the RADIUS server endpoints, or the FQDN or IP addresses of your RADIUS server load balancer. */ - matchingRules?: outputs.customerprofiles.DomainRuleBasedMatchingMatchingRule[]; + radiusServers: string[]; /** - * Indicates the maximum allowed rule level for matching. + * Amount of time, in seconds, to wait for the RADIUS server to respond. */ - maxAllowedRuleLevelForMatching?: number; + radiusTimeout: number; /** - * Indicates the maximum allowed rule level for merging. + * Not currently used. */ - maxAllowedRuleLevelForMerging?: number; - status: string; + useSameUsername: boolean; } - export interface DomainRuleBasedMatchingAttributeTypesSelector { + export interface GetDirectoryVpcSetting { + availabilityZones: string[]; /** - * The `Address` type. 
You can choose from `Address`, `BusinessAddress`, `MaillingAddress`, and `ShippingAddress`. + * Identifiers of the subnets for the connector servers (2 subnets in 2 different AZs). */ - addresses?: string[]; + subnetIds: string[]; /** - * Configures the `AttributeMatchingModel`, you can either choose `ONE_TO_ONE` or `MANY_TO_MANY`. + * ID of the VPC that the connector is in. */ - attributeMatchingModel: string; + vpcId: string; + } + + export interface ServiceRegionVpcSettings { /** - * The `Email` type. You can choose from `EmailAddress`, `BusinessEmailAddress` and `PersonalEmailAddress`. + * The identifiers of the subnets for the directory servers. */ - emailAddresses?: string[]; + subnetIds: string[]; /** - * The `PhoneNumber` type. You can choose from `PhoneNumber`, `HomePhoneNumber`, and `MobilePhoneNumber`. + * The identifier of the VPC in which to create the directory. */ - phoneNumbers?: string[]; + vpcId: string; } - export interface DomainRuleBasedMatchingConflictResolution { + export interface SharedDirectoryTarget { /** - * How the auto-merging process should resolve conflicts between different profiles. Valid values are `RECENCY` and `SOURCE` + * Identifier of the directory consumer account. */ - conflictResolvingModel: string; + id: string; /** - * The `ObjectType` name that is used to resolve profile merging conflicts when choosing `SOURCE` as the `ConflictResolvingModel`. + * Type of identifier to be used in the `id` field. Valid value is `ACCOUNT`. Default is `ACCOUNT`. 
*/ - sourceName?: string; + type?: string; } - export interface DomainRuleBasedMatchingExportingConfig { - s3Exporting?: outputs.customerprofiles.DomainRuleBasedMatchingExportingConfigS3Exporting; +} + +export namespace dlm { + export interface LifecyclePolicyPolicyDetails { + action?: outputs.dlm.LifecyclePolicyPolicyDetailsAction; + eventSource?: outputs.dlm.LifecyclePolicyPolicyDetailsEventSource; + parameters?: outputs.dlm.LifecyclePolicyPolicyDetailsParameters; + policyType?: string; + resourceLocations: string; + resourceTypes?: string[]; + schedules?: outputs.dlm.LifecyclePolicyPolicyDetailsSchedule[]; + targetTags?: {[key: string]: string}; } - export interface DomainRuleBasedMatchingExportingConfigS3Exporting { - s3BucketName: string; - s3KeyName?: string; + export interface LifecyclePolicyPolicyDetailsAction { + crossRegionCopies: outputs.dlm.LifecyclePolicyPolicyDetailsActionCrossRegionCopy[]; + name: string; } - export interface DomainRuleBasedMatchingMatchingRule { - /** - * A single rule level of the `matchRules`. Configures how the rule-based matching process should match profiles. - */ - rules: string[]; + export interface LifecyclePolicyPolicyDetailsActionCrossRegionCopy { + encryptionConfiguration: outputs.dlm.LifecyclePolicyPolicyDetailsActionCrossRegionCopyEncryptionConfiguration; + retainRule?: outputs.dlm.LifecyclePolicyPolicyDetailsActionCrossRegionCopyRetainRule; + target: string; } - export interface ProfileAddress { - /** - * The first line of a customer address. - */ - address1?: string; - /** - * The second line of a customer address. - */ - address2?: string; - /** - * The third line of a customer address. - */ - address3?: string; - /** - * The fourth line of a customer address. - */ - address4?: string; - /** - * The city in which a customer lives. - */ - city?: string; - /** - * The country in which a customer lives. - */ - country?: string; - /** - * The county in which a customer lives. 
- */ - county?: string; - /** - * The postal code of a customer address. - */ - postalCode?: string; - /** - * The province in which a customer lives. - */ - province?: string; - /** - * The state in which a customer lives. - */ - state?: string; + export interface LifecyclePolicyPolicyDetailsActionCrossRegionCopyEncryptionConfiguration { + cmkArn?: string; + encrypted?: boolean; } - export interface ProfileBillingAddress { - address1?: string; - address2?: string; - address3?: string; - address4?: string; - city?: string; - country?: string; - county?: string; - postalCode?: string; - province?: string; - state?: string; + export interface LifecyclePolicyPolicyDetailsActionCrossRegionCopyRetainRule { + interval: number; + intervalUnit: string; } - export interface ProfileMailingAddress { - address1?: string; - address2?: string; - address3?: string; - address4?: string; - city?: string; - country?: string; - county?: string; - postalCode?: string; - province?: string; - state?: string; + export interface LifecyclePolicyPolicyDetailsEventSource { + parameters: outputs.dlm.LifecyclePolicyPolicyDetailsEventSourceParameters; + type: string; } - export interface ProfileShippingAddress { - address1?: string; - address2?: string; - address3?: string; - address4?: string; - city?: string; - country?: string; - county?: string; - postalCode?: string; - province?: string; - state?: string; + export interface LifecyclePolicyPolicyDetailsEventSourceParameters { + descriptionRegex: string; + eventType: string; + snapshotOwners: string[]; + } + + export interface LifecyclePolicyPolicyDetailsParameters { + excludeBootVolume?: boolean; + noReboot?: boolean; + } + + export interface LifecyclePolicyPolicyDetailsSchedule { + copyTags: boolean; + createRule: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleCreateRule; + crossRegionCopyRules?: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRule[]; + deprecateRule?: 
outputs.dlm.LifecyclePolicyPolicyDetailsScheduleDeprecateRule; + fastRestoreRule?: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleFastRestoreRule; + name: string; + retainRule: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleRetainRule; + shareRule?: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleShareRule; + tagsToAdd?: {[key: string]: string}; + variableTags?: {[key: string]: string}; + } + + export interface LifecyclePolicyPolicyDetailsScheduleCreateRule { + cronExpression?: string; + interval?: number; + intervalUnit: string; + location: string; + times: string; + } + + export interface LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRule { + cmkArn?: string; + copyTags: boolean; + deprecateRule?: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRuleDeprecateRule; + encrypted: boolean; + retainRule?: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRuleRetainRule; + target: string; + } + + export interface LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRuleDeprecateRule { + interval: number; + intervalUnit: string; + } + + export interface LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRuleRetainRule { + interval: number; + intervalUnit: string; + } + + export interface LifecyclePolicyPolicyDetailsScheduleDeprecateRule { + count?: number; + interval?: number; + intervalUnit?: string; + } + + export interface LifecyclePolicyPolicyDetailsScheduleFastRestoreRule { + availabilityZones: string[]; + count?: number; + interval?: number; + intervalUnit?: string; + } + + export interface LifecyclePolicyPolicyDetailsScheduleRetainRule { + count?: number; + interval?: number; + intervalUnit?: string; + } + + export interface LifecyclePolicyPolicyDetailsScheduleShareRule { + targetAccounts: string[]; + unshareInterval?: number; + unshareIntervalUnit?: string; } } -export namespace datapipeline { - export interface GetPipelineDefinitionParameterObject { - attributes: 
outputs.datapipeline.GetPipelineDefinitionParameterObjectAttribute[]; +export namespace dms { + export interface EndpointElasticsearchSettings { /** - * ID of the object. + * Endpoint for the OpenSearch cluster. */ - id: string; - } - - export interface GetPipelineDefinitionParameterObjectAttribute { + endpointUri: string; /** - * Field identifier. + * Maximum number of seconds for which DMS retries failed API requests to the OpenSearch cluster. Default is `300`. */ - key: string; + errorRetryDuration?: number; /** - * Field value, expressed as a String. + * Maximum percentage of records that can fail to be written before a full load operation stops. Default is `10`. */ - stringValue: string; - } - - export interface GetPipelineDefinitionParameterValue { + fullLoadErrorPercentage?: number; /** - * ID of the object. + * ARN of the IAM Role with permissions to write to the OpenSearch cluster. */ - id: string; + serviceAccessRoleArn: string; /** - * Field value, expressed as a String. + * Enable to migrate documentation using the documentation type `_doc`. OpenSearch and an Elasticsearch clusters only support the _doc documentation type in versions 7.x and later. The default value is `false`. */ - stringValue: string; + useNewMappingType?: boolean; } - export interface GetPipelineDefinitionPipelineObject { + export interface EndpointKafkaSettings { /** - * Key-value pairs that define the properties of the object. See below + * Kafka broker location. Specify in the form broker-hostname-or-ip:port. */ - fields?: outputs.datapipeline.GetPipelineDefinitionPipelineObjectField[]; + broker: string; /** - * ID of the object. + * Shows detailed control information for table definition, column definition, and table and column changes in the Kafka message output. Default is `false`. */ - id: string; + includeControlDetails?: boolean; /** - * ARN of the storage connector. + * Include NULL and empty columns for records migrated to the endpoint. Default is `false`. 
*/ - name: string; - } - - export interface GetPipelineDefinitionPipelineObjectField { + includeNullAndEmpty?: boolean; /** - * Field identifier. + * Shows the partition value within the Kafka message output unless the partition type is `schema-table-type`. Default is `false`. */ - key: string; + includePartitionValue?: boolean; /** - * Field value, expressed as the identifier of another object + * Includes any data definition language (DDL) operations that change the table in the control data, such as `rename-table`, `drop-table`, `add-column`, `drop-column`, and `rename-column`. Default is `false`. */ - refValue: string; + includeTableAlterOperations?: boolean; /** - * Field value, expressed as a String. + * Provides detailed transaction information from the source database. This information includes a commit timestamp, a log position, and values for `transactionId`, previous `transactionId`, and `transactionRecordId` (the record offset within a transaction). Default is `false`. */ - stringValue: string; - } - - export interface PipelineDefinitionParameterObject { + includeTransactionDetails?: boolean; /** - * Configuration block for attributes of the parameter object. See below + * Output format for the records created on the endpoint. Message format is `JSON` (default) or `JSON_UNFORMATTED` (a single line with no tab). */ - attributes?: outputs.datapipeline.PipelineDefinitionParameterObjectAttribute[]; + messageFormat?: string; /** - * ID of the parameter object. + * Maximum size in bytes for records created on the endpoint Default is `1,000,000`. */ - id: string; - } - - export interface PipelineDefinitionParameterObjectAttribute { + messageMaxBytes?: number; /** - * Field identifier. + * Set this optional parameter to true to avoid adding a '0x' prefix to raw data in hexadecimal format. For example, by default, AWS DMS adds a '0x' prefix to the LOB column type in hexadecimal format moving from an Oracle source to a Kafka target. 
Use the `noHexPrefix` endpoint setting to enable migration of RAW data type columns without adding the `'0x'` prefix. */ - key: string; + noHexPrefix?: boolean; /** - * Field value, expressed as a String. + * Prefixes schema and table names to partition values, when the partition type is `primary-key-type`. Doing this increases data distribution among Kafka partitions. For example, suppose that a SysBench schema has thousands of tables and each table has only limited range for a primary key. In this case, the same primary key is sent from thousands of tables to the same partition, which causes throttling. Default is `false`. */ - stringValue: string; - } - - export interface PipelineDefinitionParameterValue { + partitionIncludeSchemaTable?: boolean; /** - * ID of the parameter value. + * Secure password you created when you first set up your MSK cluster to validate a client identity and make an encrypted connection between server and client using SASL-SSL authentication. */ - id: string; + saslPassword?: string; /** - * Field value, expressed as a String. + * Secure user name you created when you first set up your MSK cluster to validate a client identity and make an encrypted connection between server and client using SASL-SSL authentication. */ - stringValue: string; - } - - export interface PipelineDefinitionPipelineObject { + saslUsername?: string; /** - * Configuration block for Key-value pairs that define the properties of the object. See below + * Set secure connection to a Kafka target endpoint using Transport Layer Security (TLS). Options include `ssl-encryption`, `ssl-authentication`, and `sasl-ssl`. `sasl-ssl` requires `saslUsername` and `saslPassword`. */ - fields?: outputs.datapipeline.PipelineDefinitionPipelineObjectField[]; + securityProtocol?: string; /** - * ID of the object. + * ARN for the private certificate authority (CA) cert that AWS DMS uses to securely connect to your Kafka target endpoint. 
*/ - id: string; + sslCaCertificateArn?: string; /** - * ARN of the storage connector. + * ARN of the client certificate used to securely connect to a Kafka target endpoint. */ - name: string; - } - - export interface PipelineDefinitionPipelineObjectField { + sslClientCertificateArn?: string; /** - * Field identifier. + * ARN for the client private key used to securely connect to a Kafka target endpoint. */ - key: string; + sslClientKeyArn?: string; /** - * Field value, expressed as the identifier of another object + * Password for the client private key used to securely connect to a Kafka target endpoint. */ - refValue?: string; + sslClientKeyPassword?: string; /** - * Field value, expressed as a String. + * Kafka topic for migration. Default is `kafka-default-topic`. */ - stringValue?: string; + topic?: string; } -} - -export namespace datasync { - export interface EfsLocationEc2Config { + export interface EndpointKinesisSettings { /** - * List of Amazon Resource Names (ARNs) of the EC2 Security Groups that are associated with the EFS Mount Target. + * Shows detailed control information for table definition, column definition, and table and column changes in the Kinesis message output. Default is `false`. */ - securityGroupArns: string[]; + includeControlDetails?: boolean; /** - * Amazon Resource Name (ARN) of the EC2 Subnet that is associated with the EFS Mount Target. + * Include NULL and empty columns in the target. Default is `false`. */ - subnetArn: string; - } - - export interface FsxOpenZfsFileSystemProtocol { + includeNullAndEmpty?: boolean; /** - * Represents the Network File System (NFS) protocol that DataSync uses to access your FSx for OpenZFS file system. See below. + * Shows the partition value within the Kinesis message output, unless the partition type is schema-table-type. Default is `false`. 
*/ - nfs: outputs.datasync.FsxOpenZfsFileSystemProtocolNfs; - } - - export interface FsxOpenZfsFileSystemProtocolNfs { + includePartitionValue?: boolean; /** - * Represents the mount options that are available for DataSync to access an NFS location. See below. + * Includes any data definition language (DDL) operations that change the table in the control data. Default is `false`. */ - mountOptions: outputs.datasync.FsxOpenZfsFileSystemProtocolNfsMountOptions; - } - - export interface FsxOpenZfsFileSystemProtocolNfsMountOptions { + includeTableAlterOperations?: boolean; /** - * The specific NFS version that you want DataSync to use for mounting your NFS share. Valid values: `AUTOMATIC`, `NFS3`, `NFS4_0` and `NFS4_1`. Default: `AUTOMATIC` + * Provides detailed transaction information from the source database. Default is `false`. */ - version?: string; - } - - export interface LocationAzureBlobSasConfiguration { + includeTransactionDetails?: boolean; /** - * A SAS token that provides permissions to access your Azure Blob Storage. + * Output format for the records created. Default is `json`. Valid values are `json` and `json-unformatted` (a single line with no tab). */ - token: string; - } - - export interface LocationFsxOntapFileSystemProtocol { + messageFormat?: string; /** - * Network File System (NFS) protocol that DataSync uses to access your FSx ONTAP file system. See NFS below. + * Prefixes schema and table names to partition values, when the partition type is primary-key-type. Default is `false`. */ - nfs?: outputs.datasync.LocationFsxOntapFileSystemProtocolNfs; + partitionIncludeSchemaTable?: boolean; /** - * Server Message Block (SMB) protocol that DataSync uses to access your FSx ONTAP file system. See [SMB] (#smb) below. + * ARN of the IAM Role with permissions to write to the Kinesis data stream. 
*/ - smb?: outputs.datasync.LocationFsxOntapFileSystemProtocolSmb; - } - - export interface LocationFsxOntapFileSystemProtocolNfs { + serviceAccessRoleArn?: string; /** - * Mount options that are available for DataSync to access an NFS location. See NFS Mount Options below. + * ARN of the Kinesis data stream. */ - mountOptions: outputs.datasync.LocationFsxOntapFileSystemProtocolNfsMountOptions; - } - - export interface LocationFsxOntapFileSystemProtocolNfsMountOptions { - version?: string; + streamArn?: string; } - export interface LocationFsxOntapFileSystemProtocolSmb { - /** - * Fully qualified domain name of the Microsoft Active Directory (AD) that your storage virtual machine belongs to. - */ - domain?: string; - /** - * Mount options that are available for DataSync to access an SMB location. See SMB Mount Options below. - */ - mountOptions: outputs.datasync.LocationFsxOntapFileSystemProtocolSmbMountOptions; - /** - * Password of a user who has permission to access your SVM. - */ - password: string; + export interface EndpointMongodbSettings { /** - * Username that can mount the location and access the files, folders, and metadata that you need in the SVM. + * Authentication mechanism to access the MongoDB source endpoint. Default is `default`. */ - user: string; - } - - export interface LocationFsxOntapFileSystemProtocolSmbMountOptions { - version?: string; - } - - export interface LocationHdfsNameNode { + authMechanism?: string; /** - * The hostname of the NameNode in the HDFS cluster. This value is the IP address or Domain Name Service (DNS) name of the NameNode. An agent that's installed on-premises uses this hostname to communicate with the NameNode in the network. + * Authentication database name. Not used when `authType` is `no`. Default is `admin`. */ - hostname: string; + authSource?: string; /** - * The port that the NameNode uses to listen to client requests. + * Authentication type to access the MongoDB source endpoint. Default is `password`. 
*/ - port: number; - } - - export interface LocationHdfsQopConfiguration { + authType?: string; /** - * The data transfer protection setting configured on the HDFS cluster. This setting corresponds to your dfs.data.transfer.protection setting in the hdfs-site.xml file on your Hadoop cluster. Valid values are `DISABLED`, `AUTHENTICATION`, `INTEGRITY` and `PRIVACY`. + * Number of documents to preview to determine the document organization. Use this setting when `nestingLevel` is set to `one`. Default is `1000`. */ - dataTransferProtection: string; + docsToInvestigate?: string; /** - * The RPC protection setting configured on the HDFS cluster. This setting corresponds to your hadoop.rpc.protection setting in your core-site.xml file on your Hadoop cluster. Valid values are `DISABLED`, `AUTHENTICATION`, `INTEGRITY` and `PRIVACY`. + * Document ID. Use this setting when `nestingLevel` is set to `none`. Default is `false`. */ - rpcProtection: string; - } - - export interface LocationSmbMountOptions { + extractDocId?: string; /** - * The specific SMB version that you want DataSync to use for mounting your SMB share. Valid values: `AUTOMATIC`, `SMB2`, and `SMB3`. Default: `AUTOMATIC` + * Specifies either document or table mode. Default is `none`. Valid values are `one` (table mode) and `none` (document mode). */ - version?: string; + nestingLevel?: string; } - export interface NfsLocationMountOptions { + export interface EndpointPostgresSettings { /** - * The specific NFS version that you want DataSync to use for mounting your NFS share. Valid values: `AUTOMATIC`, `NFS3`, `NFS4_0` and `NFS4_1`. Default: `AUTOMATIC` + * For use with change data capture (CDC) only, this attribute has AWS DMS bypass foreign keys and user triggers to reduce the time it takes to bulk load data. 
*/ - version?: string; - } - - export interface NfsLocationOnPremConfig { + afterConnectScript?: string; /** - * List of Amazon Resource Names (ARNs) of the DataSync Agents used to connect to the NFS server. + * The Babelfish for Aurora PostgreSQL database name for the endpoint. */ - agentArns: string[]; - } - - export interface S3LocationS3Config { + babelfishDatabaseName?: string; /** - * ARN of the IAM Role used to connect to the S3 Bucket. + * To capture DDL events, AWS DMS creates various artifacts in the PostgreSQL database when the task starts. */ - bucketAccessRoleArn: string; - } - - export interface TaskExcludes { + captureDdls?: boolean; /** - * The type of filter rule to apply. Valid values: `SIMPLE_PATTERN`. + * Specifies the default behavior of the replication's handling of PostgreSQL- compatible endpoints that require some additional configuration, such as Babelfish endpoints. */ - filterType?: string; + databaseMode?: string; /** - * A single filter string that consists of the patterns to exclude. The patterns are delimited by "|" (that is, a pipe), for example: `/folder1|/folder2` + * Sets the schema in which the operational DDL database artifacts are created. Default is `public`. */ - value?: string; - } - - export interface TaskIncludes { + ddlArtifactsSchema?: string; /** - * The type of filter rule to apply. Valid values: `SIMPLE_PATTERN`. + * Sets the client statement timeout for the PostgreSQL instance, in seconds. Default value is `60`. */ - filterType?: string; + executeTimeout?: number; /** - * A single filter string that consists of the patterns to include. The patterns are delimited by "|" (that is, a pipe), for example: `/folder1|/folder2` + * When set to `true`, this value causes a task to fail if the actual size of a LOB column is greater than the specified `LobMaxSize`. Default is `false`. 
*/ - value?: string; - } - - export interface TaskOptions { + failTasksOnLobTruncation?: boolean; /** - * A file metadata that shows the last time a file was accessed (that is when the file was read or written to). If set to `BEST_EFFORT`, the DataSync Task attempts to preserve the original (that is, the version before sync `PREPARING` phase) `atime` attribute on all source files. Valid values: `BEST_EFFORT`, `NONE`. Default: `BEST_EFFORT`. + * The write-ahead log (WAL) heartbeat feature mimics a dummy transaction. By doing this, it prevents idle logical replication slots from holding onto old WAL logs, which can result in storage full situations on the source. */ - atime?: string; + heartbeatEnable?: boolean; /** - * Limits the bandwidth utilized. For example, to set a maximum of 1 MB, set this value to `1048576`. Value values: `-1` or greater. Default: `-1` (unlimited). + * Sets the WAL heartbeat frequency (in minutes). Default value is `5`. */ - bytesPerSecond?: number; + heartbeatFrequency?: number; /** - * Group identifier of the file's owners. Valid values: `BOTH`, `INT_VALUE`, `NAME`, `NONE`. Default: `INT_VALUE` (preserve integer value of the ID). + * Sets the schema in which the heartbeat artifacts are created. Default value is `public`. */ - gid?: string; + heartbeatSchema?: string; /** - * Determines the type of logs that DataSync publishes to a log stream in the Amazon CloudWatch log group that you provide. Valid values: `OFF`, `BASIC`, `TRANSFER`. Default: `OFF`. + * You can use PostgreSQL endpoint settings to map a boolean as a boolean from your PostgreSQL source to a Amazon Redshift target. Default value is `false`. */ - logLevel?: string; + mapBooleanAsBoolean?: boolean; /** - * A file metadata that indicates the last time a file was modified (written to) before the sync `PREPARING` phase. Value values: `NONE`, `PRESERVE`. Default: `PRESERVE`. + * Optional When true, DMS migrates JSONB values as CLOB. 
*/ - mtime?: string; + mapJsonbAsClob?: boolean; /** - * Specifies whether object tags are maintained when transferring between object storage systems. If you want your DataSync task to ignore object tags, specify the NONE value. Valid values: `PRESERVE`, `NONE`. Default value: `PRESERVE`. + * Optional When true, DMS migrates LONG values as VARCHAR. */ - objectTags?: string; + mapLongVarcharAs?: string; /** - * Determines whether files at the destination should be overwritten or preserved when copying files. Valid values: `ALWAYS`, `NEVER`. Default: `ALWAYS`. + * Specifies the maximum size (in KB) of any .csv file used to transfer data to PostgreSQL. Default is `32,768 KB`. */ - overwriteMode?: string; + maxFileSize?: number; /** - * Determines which users or groups can access a file for a specific purpose such as reading, writing, or execution of the file. Valid values: `NONE`, `PRESERVE`. Default: `PRESERVE`. + * Specifies the plugin to use to create a replication slot. Valid values: `pglogical`, `testDecoding`. */ - posixPermissions?: string; + pluginName?: string; /** - * Whether files deleted in the source should be removed or preserved in the destination file system. Valid values: `PRESERVE`, `REMOVE`. Default: `PRESERVE`. + * Sets the name of a previously created logical replication slot for a CDC load of the PostgreSQL source instance. */ - preserveDeletedFiles?: string; + slotName?: string; + } + + export interface EndpointRedisSettings { /** - * Whether the DataSync Task should preserve the metadata of block and character devices in the source files system, and recreate the files with that device name and metadata on the destination. The DataSync Task can’t sync the actual contents of such devices, because many of the devices are non-terminal and don’t return an end of file (EOF) marker. Valid values: `NONE`, `PRESERVE`. Default: `NONE` (ignore special devices). 
+ * The password provided with the auth-role and auth-token options of the AuthType setting for a Redis target endpoint. */ - preserveDevices?: string; + authPassword?: string; /** - * Determines which components of the SMB security descriptor are copied from source to destination objects. This value is only used for transfers between SMB and Amazon FSx for Windows File Server locations, or between two Amazon FSx for Windows File Server locations. Valid values: `NONE`, `OWNER_DACL`, `OWNER_DACL_SACL`. Default: `OWNER_DACL`. + * The type of authentication to perform when connecting to a Redis target. Options include `none`, `auth-token`, and `auth-role`. The `auth-token` option requires an `authPassword` value to be provided. The `auth-role` option requires `authUserName` and `authPassword` values to be provided. */ - securityDescriptorCopyFlags: string; + authType: string; /** - * Determines whether tasks should be queued before executing the tasks. Valid values: `ENABLED`, `DISABLED`. Default `ENABLED`. + * The username provided with the `auth-role` option of the AuthType setting for a Redis target endpoint. */ - taskQueueing?: string; + authUserName?: string; /** - * Determines whether DataSync transfers only the data and metadata that differ between the source and the destination location, or whether DataSync transfers all the content from the source, without comparing to the destination location. Valid values: `CHANGED`, `ALL`. Default: `CHANGED` + * Transmission Control Protocol (TCP) port for the endpoint. */ - transferMode?: string; + port: number; /** - * User identifier of the file's owners. Valid values: `BOTH`, `INT_VALUE`, `NAME`, `NONE`. Default: `INT_VALUE` (preserve integer value of the ID). + * Fully qualified domain name of the endpoint. */ - uid?: string; + serverName: string; /** - * Whether a data integrity verification should be performed at the end of a task execution after all data and metadata have been transferred. 
Valid values: `NONE`, `POINT_IN_TIME_CONSISTENT`, `ONLY_FILES_TRANSFERRED`. Default: `POINT_IN_TIME_CONSISTENT`. + * The Amazon Resource Name (ARN) for the certificate authority (CA) that DMS uses to connect to your Redis target endpoint. */ - verifyMode?: string; - } - - export interface TaskSchedule { + sslCaCertificateArn?: string; /** - * Specifies the schedule you want your task to use for repeated executions. For more information, see [Schedule Expressions for Rules](https://docs.aws.amazon.com/AmazonCloudWatch/latest/events/ScheduledEvents.html). + * The plaintext option doesn't provide Transport Layer Security (TLS) encryption for traffic between endpoint and database. Options include `plaintext`, `ssl-encryption`. The default is `ssl-encryption`. */ - scheduleExpression: string; + sslSecurityProtocol?: string; } - export interface TaskTaskReportConfig { + export interface EndpointRedshiftSettings { /** - * Specifies the type of task report you'd like. Valid values: `SUMMARY_ONLY` and `STANDARD`. + * Custom S3 Bucket Object prefix for intermediate storage. */ - outputType?: string; + bucketFolder?: string; /** - * Specifies whether you want your task report to include only what went wrong with your transfer or a list of what succeeded and didn't. Valid values: `ERRORS_ONLY` and `SUCCESSES_AND_ERRORS`. + * Custom S3 Bucket name for intermediate storage. */ - reportLevel?: string; + bucketName?: string; /** - * Configuration block containing the configuration of the reporting level for aspects of your task report. See `reportOverrides` below. + * The server-side encryption mode that you want to encrypt your intermediate .csv object files copied to S3. Defaults to `SSE_S3`. Valid values are `SSE_S3` and `SSE_KMS`. */ - reportOverrides?: outputs.datasync.TaskTaskReportConfigReportOverrides; + encryptionMode?: string; /** - * Configuration block containing the configuration for the Amazon S3 bucket where DataSync uploads your task report. 
See `s3Destination` below. + * ARN or Id of KMS Key to use when `encryptionMode` is `SSE_KMS`. */ - s3Destination: outputs.datasync.TaskTaskReportConfigS3Destination; + serverSideEncryptionKmsKeyId?: string; /** - * Specifies whether your task report includes the new version of each object transferred into an S3 bucket. This only applies if you enable versioning on your bucket. Keep in mind that setting this to INCLUDE can increase the duration of your task execution. Valid values: `INCLUDE` and `NONE`. + * Amazon Resource Name (ARN) of the IAM Role with permissions to read from or write to the S3 Bucket for intermediate storage. */ - s3ObjectVersioning?: string; + serviceAccessRoleArn?: string; } - export interface TaskTaskReportConfigReportOverrides { + export interface EndpointS3Settings { /** - * Specifies the level of reporting for the files, objects, and directories that DataSync attempted to delete in your destination location. This only applies if you configure your task to delete data in the destination that isn't in the source. Valid values: `ERRORS_ONLY` and `SUCCESSES_AND_ERRORS`. + * Whether to add column name information to the .csv output file. Default is `false`. */ - deletedOverride?: string; + addColumnName?: boolean; /** - * Specifies the level of reporting for the files, objects, and directories that DataSync attempted to skip during your transfer. Valid values: `ERRORS_ONLY` and `SUCCESSES_AND_ERRORS`. + * S3 object prefix. */ - skippedOverride?: string; + bucketFolder?: string; /** - * Specifies the level of reporting for the files, objects, and directories that DataSync attempted to transfer. Valid values: `ERRORS_ONLY` and `SUCCESSES_AND_ERRORS`. + * S3 bucket name. */ - transferredOverride?: string; + bucketName?: string; /** - * Specifies the level of reporting for the files, objects, and directories that DataSync attempted to verify at the end of your transfer. Valid values: `ERRORS_ONLY` and `SUCCESSES_AND_ERRORS`. 
- * - * > **NOTE:** If any `reportOverrides` are set to the same value as `task_report_config.report_level`, they will always be flagged as changed. Only set overrides to a value that differs from `task_report_config.report_level`. + * Predefined (canned) access control list for objects created in an S3 bucket. Valid values include `none`, `private`, `public-read`, `public-read-write`, `authenticated-read`, `aws-exec-read`, `bucket-owner-read`, and `bucket-owner-full-control`. Default is `none`. */ - verifiedOverride?: string; - } - - export interface TaskTaskReportConfigS3Destination { + cannedAclForObjects?: string; /** - * Specifies the Amazon Resource Name (ARN) of the IAM policy that allows DataSync to upload a task report to your S3 bucket. + * Whether to write insert and update operations to .csv or .parquet output files. Default is `false`. */ - bucketAccessRoleArn: string; + cdcInsertsAndUpdates?: boolean; /** - * Specifies the ARN of the S3 bucket where DataSync uploads your report. + * Whether to write insert operations to .csv or .parquet output files. Default is `false`. */ - s3BucketArn: string; + cdcInsertsOnly?: boolean; /** - * Specifies a bucket prefix for your report. + * Maximum length of the interval, defined in seconds, after which to output a file to Amazon S3. Default is `60`. */ - subdirectory?: string; - } - -} - -export namespace datazone { - export interface DomainSingleSignOn { - type: string; - userAssignment?: string; - } - - export interface DomainTimeouts { + cdcMaxBatchInterval?: number; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * Minimum file size condition as defined in kilobytes to output a file to Amazon S3. Default is `32000`. **NOTE:** Previously, this setting was measured in megabytes but now represents kilobytes. 
Update configurations accordingly. */ - create?: string; + cdcMinFileSize?: number; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. + * Folder path of CDC files. For an S3 source, this setting is required if a task captures change data; otherwise, it's optional. If `cdcPath` is set, AWS DMS reads CDC files from this path and replicates the data changes to the target endpoint. Supported in AWS DMS versions 3.4.2 and later. */ - delete?: string; - } - -} - -export namespace dax { - export interface ClusterNode { - address: string; - availabilityZone: string; - id: string; + cdcPath?: string; /** - * The port used by the configuration endpoint + * Set to compress target files. Default is `NONE`. Valid values are `GZIP` and `NONE`. */ - port: number; - } - - export interface ClusterServerSideEncryption { + compressionType?: string; /** - * Whether to enable encryption at rest. Defaults to `false`. + * Delimiter used to separate columns in the source files. Default is `,`. */ - enabled?: boolean; - } - - export interface ParameterGroupParameter { + csvDelimiter?: string; /** - * The name of the parameter. + * String to use for all columns not included in the supplemental log. */ - name: string; + csvNoSupValue?: string; /** - * The value for the parameter. + * String to as null when writing to the target. */ - value: string; - } - -} - -export namespace devicefarm { - export interface DevicePoolRule { + csvNullValue?: string; /** - * The rule's stringified attribute. 
Valid values are: `APPIUM_VERSION`, `ARN`, `AVAILABILITY`, `FLEET_TYPE`, `FORM_FACTOR`, `INSTANCE_ARN`, `INSTANCE_LABELS`, `MANUFACTURER`, `MODEL`, `OS_VERSION`, `PLATFORM`, `REMOTE_ACCESS_ENABLED`, `REMOTE_DEBUG_ENABLED`. + * Delimiter used to separate rows in the source files. Default is `\n`. */ - attribute?: string; + csvRowDelimiter?: string; /** - * Specifies how Device Farm compares the rule's attribute to the value. For the operators that are supported by each attribute. Valid values are: `EQUALS`, `NOT_IN`, `IN`, `GREATER_THAN`, `GREATER_THAN_OR_EQUALS`, `LESS_THAN`, `LESS_THAN_OR_EQUALS`, `CONTAINS`. + * Output format for the files that AWS DMS uses to create S3 objects. Valid values are `csv` and `parquet`. Default is `csv`. */ - operator?: string; + dataFormat?: string; /** - * The rule's value. + * Size of one data page in bytes. Default is `1048576` (1 MiB). */ - value?: string; - } - - export interface TestGridProjectVpcConfig { + dataPageSize?: number; /** - * A list of VPC security group IDs in your Amazon VPC. + * Date separating delimiter to use during folder partitioning. Valid values are `SLASH`, `UNDERSCORE`, `DASH`, and `NONE`. Default is `SLASH`. */ - securityGroupIds: string[]; + datePartitionDelimiter?: string; /** - * A list of VPC subnet IDs in your Amazon VPC. + * Partition S3 bucket folders based on transaction commit dates. Default is `false`. */ - subnetIds: string[]; + datePartitionEnabled?: boolean; /** - * The ID of the Amazon VPC. + * Date format to use during folder partitioning. Use this parameter when `datePartitionEnabled` is set to true. Valid values are `YYYYMMDD`, `YYYYMMDDHH`, `YYYYMM`, `MMYYYYDD`, and `DDMMYYYY`. Default is `YYYYMMDD`. */ - vpcId: string; - } - -} - -export namespace devopsguru { - export interface EventSourcesConfigEventSource { + datePartitionSequence?: string; /** - * Stores whether DevOps Guru is configured to consume recommendations which are generated from AWS CodeGuru Profiler. 
See `amazonCodeGuruProfiler` below. + * Maximum size in bytes of an encoded dictionary page of a column. Default is `1048576` (1 MiB). */ - amazonCodeGuruProfilers?: outputs.devopsguru.EventSourcesConfigEventSourceAmazonCodeGuruProfiler[]; - } - - export interface EventSourcesConfigEventSourceAmazonCodeGuruProfiler { + dictPageSizeLimit?: number; /** - * Status of the CodeGuru Profiler integration. Valid values are `ENABLED` and `DISABLED`. + * Whether to enable statistics for Parquet pages and row groups. Default is `true`. */ - status: string; - } - - export interface GetNotificationChannelFilter { + enableStatistics?: boolean; /** - * Events to receive notifications for. + * Type of encoding to use. Value values are `rleDictionary`, `plain`, and `plainDictionary`. Default is `rleDictionary`. */ - messageTypes: string[]; + encodingType?: string; /** - * Severity levels to receive notifications for. + * Server-side encryption mode that you want to encrypt your .csv or .parquet object files copied to S3. Valid values are `SSE_S3` and `SSE_KMS`. Default is `SSE_S3`. */ - severities: string[]; - } - - export interface GetNotificationChannelSn { + encryptionMode?: string; /** - * Amazon Resource Name (ARN) of an Amazon Simple Notification Service topic. + * JSON document that describes how AWS DMS should interpret the data. */ - topicArn: string; - } - - export interface GetResourceCollectionCloudformation { + externalTableDefinition?: string; /** - * Array of the names of the AWS CloudFormation stacks. + * Whether to integrate AWS Glue Data Catalog with an Amazon S3 target. See [Using AWS Glue Data Catalog with an Amazon S3 target for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.S3.html#CHAP_Target.S3.GlueCatalog) for more information. Default is `false`. 
*/ - stackNames: string[]; - } - - export interface GetResourceCollectionTag { + glueCatalogGeneration?: boolean; /** - * An AWS tag key that is used to identify the AWS resources that DevOps Guru analyzes. + * When this value is set to `1`, DMS ignores the first row header in a .csv file. Default is `0`. */ - appBoundaryKey: string; + ignoreHeaderRows?: number; /** - * Array of tag values. + * Whether to enable a full load to write INSERT operations to the .csv output files only to indicate how the rows were added to the source database. Default is `false`. */ - tagValues: string[]; - } - - export interface NotificationChannelFilters { + includeOpForFullLoad?: boolean; /** - * Events to receive notifications for. Valid values are `NEW_INSIGHT`, `CLOSED_INSIGHT`, `NEW_ASSOCIATION`, `SEVERITY_UPGRADED`, and `NEW_RECOMMENDATION`. + * Maximum size (in KB) of any .csv file to be created while migrating to an S3 target during full load. Valid values are from `1` to `1048576`. Default is `1048576` (1 GB). */ - messageTypes?: string[]; + maxFileSize?: number; /** - * Severity levels to receive notifications for. Valid values are `LOW`, `MEDIUM`, and `HIGH`. + * Specifies the precision of any TIMESTAMP column values written to an S3 object file in .parquet format. Default is `false`. */ - severities?: string[]; - } - - export interface NotificationChannelSns { + parquetTimestampInMillisecond?: boolean; /** - * Amazon Resource Name (ARN) of an Amazon Simple Notification Service topic. + * Version of the .parquet file format. Default is `parquet-1-0`. Valid values are `parquet-1-0` and `parquet-2-0`. */ - topicArn: string; - } - - export interface ResourceCollectionCloudformation { + parquetVersion?: string; /** - * Array of the names of the AWS CloudFormation stacks. If `type` is `AWS_SERVICE` (all acccount resources) this array should be a single item containing a wildcard (`"*"`). 
+ * Whether DMS saves the transaction order for a CDC load on the S3 target specified by `cdcPath`. Default is `false`. */ - stackNames: string[]; - } - - export interface ResourceCollectionTags { + preserveTransactions?: boolean; /** - * An AWS tag key that is used to identify the AWS resources that DevOps Guru analyzes. All AWS resources in your account and Region tagged with this key make up your DevOps Guru application and analysis boundary. The key must begin with the prefix `DevOps-Guru-`. Any casing can be used for the prefix, but the associated tags __must use the same casing__ in their tag key. + * For an S3 source, whether each leading double quotation mark has to be followed by an ending double quotation mark. Default is `true`. */ - appBoundaryKey: string; + rfc4180?: boolean; /** - * Array of tag values. These can be used to further filter for specific resources within the application boundary. To analyze all resources tagged with the `appBoundaryKey` regardless of the corresponding tag value, this array should be a single item containing a wildcard (`"*"`). + * Number of rows in a row group. Default is `10000`. */ - tagValues: string[]; - } - - export interface ServiceIntegrationKmsServerSideEncryption { + rowGroupLength?: number; /** - * KMS key ID. This value can be a key ID, key ARN, alias name, or alias ARN. + * ARN or Id of KMS Key to use when `encryptionMode` is `SSE_KMS`. */ - kmsKeyId: string; + serverSideEncryptionKmsKeyId?: string; /** - * Specifies whether KMS integration is enabled. Valid values are `DISABLED` and `ENABLED`. + * ARN of the IAM Role with permissions to read from or write to the S3 Bucket. */ - optInStatus: string; + serviceAccessRoleArn?: string; /** - * Type of KMS key used. Valid values are `CUSTOMER_MANAGED_KEY` and `AWS_OWNED_KMS_KEY`. + * Column to add with timestamp information to the endpoint data for an Amazon S3 target. 
*/ - type: string; - } - - export interface ServiceIntegrationLogsAnomalyDetection { + timestampColumnName?: string; /** - * Specifies if DevOps Guru is configured to perform log anomaly detection on CloudWatch log groups. Valid values are `DISABLED` and `ENABLED`. + * Whether to use `csvNoSupValue` for columns not included in the supplemental log. */ - optInStatus: string; - } - - export interface ServiceIntegrationOpsCenter { + useCsvNoSupValue?: boolean; /** - * Specifies if DevOps Guru is enabled to create an AWS Systems Manager OpsItem for each created insight. Valid values are `DISABLED` and `ENABLED`. + * When set to true, uses the task start time as the timestamp column value instead of the time data is written to target. For full load, when set to true, each row of the timestamp column contains the task start time. For CDC loads, each row of the timestamp column contains the transaction commit time. When set to false, the full load timestamp in the timestamp column increments with the time data arrives at the target. Default is `false`. 
*/ - optInStatus: string; + useTaskStartTimeForFullLoadTimestamp?: boolean; } -} + export interface GetEndpointElasticsearchSetting { + endpointUri: string; + errorRetryDuration: number; + fullLoadErrorPercentage: number; + serviceAccessRoleArn: string; + } -export namespace directconnect { - export interface GetRouterConfigurationRouter { - /** - * Router platform - */ - platform: string; + export interface GetEndpointKafkaSetting { + broker: string; + includeControlDetails: boolean; + includeNullAndEmpty: boolean; + includePartitionValue: boolean; + includeTableAlterOperations: boolean; + includeTransactionDetails: boolean; + messageFormat: string; + messageMaxBytes: number; + noHexPrefix: boolean; + partitionIncludeSchemaTable: boolean; + saslPassword: string; + saslUsername: string; + securityProtocol: string; + sslCaCertificateArn: string; + sslClientCertificateArn: string; + sslClientKeyArn: string; + sslClientKeyPassword: string; + topic: string; + } + + export interface GetEndpointKinesisSetting { + includeControlDetails: boolean; + includeNullAndEmpty: boolean; + includePartitionValue: boolean; + includeTableAlterOperations: boolean; + includeTransactionDetails: boolean; + messageFormat: string; + partitionIncludeSchemaTable: boolean; + serviceAccessRoleArn: string; + streamArn: string; + } + + export interface GetEndpointMongodbSetting { + authMechanism: string; + authSource: string; + authType: string; + docsToInvestigate: string; + extractDocId: string; + nestingLevel: string; + } + + export interface GetEndpointPostgresSetting { + afterConnectScript: string; + babelfishDatabaseName: string; + captureDdls: boolean; + databaseMode: string; + ddlArtifactsSchema: string; + executeTimeout: number; + failTasksOnLobTruncation: boolean; + heartbeatEnable: boolean; + heartbeatFrequency: number; + heartbeatSchema: string; + mapBooleanAsBoolean: boolean; + mapJsonbAsClob: boolean; + mapLongVarcharAs: string; + maxFileSize: number; + pluginName: string; + 
slotName: string; + } + + export interface GetEndpointRedisSetting { + authPassword: string; + authType: string; + authUserName: string; + port: number; + serverName: string; + sslCaCertificateArn: string; + sslSecurityProtocol: string; + } + + export interface GetEndpointRedshiftSetting { + bucketFolder: string; + bucketName: string; + encryptionMode: string; + serverSideEncryptionKmsKeyId: string; + serviceAccessRoleArn: string; + } + + export interface GetEndpointS3Setting { + addColumnName: boolean; + bucketFolder: string; + bucketName: string; + cannedAclForObjects: string; + cdcInsertsAndUpdates: boolean; + cdcInsertsOnly: boolean; + cdcMaxBatchInterval: number; + cdcMinFileSize: number; + cdcPath: string; + compressionType: string; + csvDelimiter: string; + csvNoSupValue: string; + csvNullValue: string; + csvRowDelimiter: string; + dataFormat: string; + dataPageSize: number; + datePartitionDelimiter: string; + datePartitionEnabled: boolean; + datePartitionSequence: string; + dictPageSizeLimit: number; + enableStatistics: boolean; + encodingType: string; + encryptionMode: string; + externalTableDefinition: string; + glueCatalogGeneration: boolean; + ignoreHeaderRows: number; + ignoreHeadersRow: number; + includeOpForFullLoad: boolean; + maxFileSize: number; + parquetTimestampInMillisecond: boolean; + parquetVersion: string; + preserveTransactions: boolean; + rfc4180: boolean; + rowGroupLength: number; + serverSideEncryptionKmsKeyId: string; + serviceAccessRoleArn: string; + timestampColumnName: string; + useCsvNoSupValue: boolean; + useTaskStartTimeForFullLoadTimestamp: boolean; + } + + export interface ReplicationConfigComputeConfig { /** - * ID of the Router Type. For example: `CiscoSystemsInc-2900SeriesRouters-IOS124` - * - * There is currently no AWS API to retrieve the full list of `routerTypeIdentifier` values. 
Here is a list of known `RouterType` objects that can be used: - * - * ```json - * { - * "routerTypes": [ - * {"platform":"2900 Series Routers","routerTypeIdentifier":"CiscoSystemsInc-2900SeriesRouters-IOS124","software":"IOS 12.4+","vendor":"Cisco Systems, Inc.","xsltTemplateName":"customer-router-cisco-generic.xslt","xsltTemplateNameForMacSec":""}, - * {"platform":"3700 Series Routers","routerTypeIdentifier":"CiscoSystemsInc-3700SeriesRouters-IOS124","software":"IOS 12.4+","vendor":"Cisco Systems, Inc.","xsltTemplateName":"customer-router-cisco-generic.xslt","xsltTemplateNameForMacSec":""}, - * {"platform":"7200 Series Routers","routerTypeIdentifier":"CiscoSystemsInc-7200SeriesRouters-IOS124","software":"IOS 12.4+","vendor":"Cisco Systems, Inc.","xsltTemplateName":"customer-router-cisco-generic.xslt","xsltTemplateNameForMacSec":""}, - * {"platform":"Nexus 7000 Series Switches","routerTypeIdentifier":"CiscoSystemsInc-Nexus7000SeriesSwitches-NXOS51","software":"NX-OS 5.1+","vendor":"Cisco Systems, Inc.","xsltTemplateName":"customer-switch-cisco-nexus-generic.xslt","xsltTemplateNameForMacSec":""}, - * {"platform":"Nexus 9K+ Series Switches","routerTypeIdentifier":"CiscoSystemsInc-Nexus9KSeriesSwitches-NXOS93","software":"NX-OS 9.3+","vendor":"Cisco Systems, Inc.","xsltTemplateName":"customer-switch-cisco-nexus-generic.xslt","xsltTemplateNameForMacSec":"customer-switch-cisco-nexus-generic-macsec.xslt"}, - * {"platform":"M/MX Series Routers","routerTypeIdentifier":"JuniperNetworksInc-MMXSeriesRouters-JunOS95","software":"JunOS 9.5+","vendor":"Juniper Networks, Inc.","xsltTemplateName":"customer-router-juniper-generic.xslt","xsltTemplateNameForMacSec":"customer-router-juniper-generic-macsec.xslt"}, - * {"platform":"SRX Series Routers","routerTypeIdentifier":"JuniperNetworksInc-SRXSeriesRouters-JunOS95","software":"JunOS 9.5+","vendor":"Juniper Networks, Inc.","xsltTemplateName":"customer-router-juniper-generic.xslt","xsltTemplateNameForMacSec":""}, - * {"platform":"T 
Series Routers","routerTypeIdentifier":"JuniperNetworksInc-TSeriesRouters-JunOS95","software":"JunOS 9.5+","vendor":"Juniper Networks, Inc.","xsltTemplateName":"customer-router-juniper-generic.xslt","xsltTemplateNameForMacSec":""}, - * {"platform":"PA-3000+ and 5000+ series","routerTypeIdentifier":"PaloAltoNetworks-PA3000and5000series-PANOS803","software":"PAN-OS 8.0.3+","vendor":"Palo Alto Networks","xsltTemplateName":"customer-router-palo-alto-generic.xslt","xsltTemplateNameForMacSec":""}] - * } - * ``` + * The Availability Zone where the DMS Serverless replication using this configuration will run. The default value is a random. */ - routerTypeIdentifier: string; + availabilityZone: string; /** - * Router operating system + * A list of custom DNS name servers supported for the DMS Serverless replication to access your source or target database. */ - software: string; + dnsNameServers?: string; /** - * Router vendor + * An Key Management Service (KMS) key Amazon Resource Name (ARN) that is used to encrypt the data during DMS Serverless replication. If you don't specify a value for the KmsKeyId parameter, DMS uses your default encryption key. */ - vendor: string; + kmsKeyId: string; /** - * Router XSLT Template Name + * Specifies the maximum value of the DMS capacity units (DCUs) for which a given DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 2 DCUs as the minimum value allowed. The list of valid DCU values includes 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. */ - xsltTemplateName: string; - xsltTemplateNameForMacSec: string; - } - -} - -export namespace directoryservice { - export interface DirectoryConnectSettings { - availabilityZones: string[]; + maxCapacityUnits?: number; /** - * The IP addresses of the AD Connector servers. + * Specifies the minimum value of the DMS capacity units (DCUs) for which a given DMS Serverless replication can be provisioned. 
The list of valid DCU values includes 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. If this value isn't set DMS scans the current activity of available source tables to identify an optimum setting for this parameter. */ - connectIps: string[]; + minCapacityUnits?: number; /** - * The DNS IP addresses of the domain to connect to. + * Specifies if the replication instance is a multi-az deployment. You cannot set the `availabilityZone` parameter if the `multiAz` parameter is set to `true`. */ - customerDnsIps: string[]; + multiAz: boolean; /** - * The username corresponding to the password provided. + * The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC). + * + * - Default: A 30-minute window selected at random from an 8-hour block of time per region, occurring on a random day of the week. + * - Format: `ddd:hh24:mi-ddd:hh24:mi` + * - Valid Days: `mon, tue, wed, thu, fri, sat, sun` + * - Constraints: Minimum 30-minute window. */ - customerUsername: string; + preferredMaintenanceWindow: string; /** - * The identifiers of the subnets for the directory servers (2 subnets in 2 different AZs). + * Specifies a subnet group identifier to associate with the DMS Serverless replication. */ - subnetIds: string[]; + replicationSubnetGroupId: string; /** - * The identifier of the VPC that the directory is in. + * Specifies the virtual private cloud (VPC) security group to use with the DMS Serverless replication. The VPC security group must work with the VPC containing the replication. */ - vpcId: string; + vpcSecurityGroupIds: string[]; } - export interface DirectoryVpcSettings { - availabilityZones: string[]; +} + +export namespace docdb { + export interface ClusterParameterGroupParameter { /** - * The identifiers of the subnets for the directory servers (2 subnets in 2 different AZs). + * Valid values are `immediate` and `pending-reboot`. Defaults to `pending-reboot`. 
*/ - subnetIds: string[]; + applyMethod?: string; /** - * The identifier of the VPC that the directory is in. + * The name of the DocumentDB parameter. */ - vpcId: string; - } - - export interface GetDirectoryConnectSetting { - availabilityZones: string[]; + name: string; /** - * IP addresses of the AD Connector servers. + * The value of the DocumentDB parameter. */ - connectIps: string[]; + value: string; + } + + export interface ClusterRestoreToPointInTime { /** - * DNS IP addresses of the domain to connect to. + * The date and time to restore from. Value must be a time in Universal Coordinated Time (UTC) format and must be before the latest restorable time for the DB instance. Cannot be specified with `useLatestRestorableTime`. */ - customerDnsIps: string[]; + restoreToTime?: string; /** - * Username corresponding to the password provided. + * The type of restore to be performed. Valid values are `full-copy`, `copy-on-write`. */ - customerUsername: string; + restoreType?: string; /** - * Identifiers of the subnets for the connector servers (2 subnets in 2 different AZs). + * The identifier of the source DB cluster from which to restore. Must match the identifier of an existing DB cluster. */ - subnetIds: string[]; + sourceClusterIdentifier: string; /** - * ID of the VPC that the connector is in. + * A boolean value that indicates whether the DB cluster is restored from the latest backup time. Defaults to `false`. Cannot be specified with `restoreToTime`. */ - vpcId: string; + useLatestRestorableTime?: boolean; } - export interface GetDirectoryRadiusSetting { - /** - * The protocol specified for your RADIUS endpoints. - */ - authenticationProtocol: string; - /** - * Display label. - */ - displayLabel: string; + export interface ElasticClusterTimeouts { /** - * Port that your RADIUS server is using for communications. 
+ * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - radiusPort: number; + create?: string; /** - * Maximum number of times that communication with the RADIUS server is attempted. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. */ - radiusRetries: number; + delete?: string; /** - * Set of strings that contains the fully qualified domain name (FQDN) or IP addresses of the RADIUS server endpoints, or the FQDN or IP addresses of your RADIUS server load balancer. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - radiusServers: string[]; + update?: string; + } + + export interface GlobalClusterGlobalClusterMember { /** - * Amount of time, in seconds, to wait for the RADIUS server to respond. + * Amazon Resource Name (ARN) of member DB Cluster. */ - radiusTimeout: number; + dbClusterArn: string; /** - * Not currently used. + * Whether the member is the primary DB Cluster. */ - useSameUsername: boolean; + isWriter: boolean; } - export interface GetDirectoryVpcSetting { - availabilityZones: string[]; +} + +export namespace drs { + export interface ReplicationConfigurationTemplatePitPolicy { /** - * Identifiers of the subnets for the connector servers (2 subnets in 2 different AZs). + * Whether this rule is enabled or not. */ - subnetIds: string[]; + enabled?: boolean; /** - * ID of the VPC that the connector is in. 
+ * How often, in the chosen units, a snapshot should be taken. */ - vpcId: string; - } - - export interface ServiceRegionVpcSettings { + interval: number; /** - * The identifiers of the subnets for the directory servers. + * Duration to retain a snapshot for, in the chosen `units`. */ - subnetIds: string[]; + retentionDuration: number; /** - * The identifier of the VPC in which to create the directory. + * ID of the rule. Valid values are integers. */ - vpcId: string; + ruleId?: number; + /** + * Units used to measure the `interval` and `retentionDuration`. Valid values are `MINUTE`, `HOUR`, and `DAY`. + */ + units: string; } - export interface SharedDirectoryTarget { + export interface ReplicationConfigurationTemplateTimeouts { /** - * Identifier of the directory consumer account. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - id: string; + create?: string; /** - * Type of identifier to be used in the `id` field. Valid value is `ACCOUNT`. Default is `ACCOUNT`. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. */ - type?: string; + delete?: string; + /** + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). 
+ */ + update?: string; } } -export namespace dlm { - export interface LifecyclePolicyPolicyDetails { - action?: outputs.dlm.LifecyclePolicyPolicyDetailsAction; - eventSource?: outputs.dlm.LifecyclePolicyPolicyDetailsEventSource; - parameters?: outputs.dlm.LifecyclePolicyPolicyDetailsParameters; - policyType?: string; - resourceLocations: string; - resourceTypes?: string[]; - schedules?: outputs.dlm.LifecyclePolicyPolicyDetailsSchedule[]; - targetTags?: {[key: string]: string}; - } - - export interface LifecyclePolicyPolicyDetailsAction { - crossRegionCopies: outputs.dlm.LifecyclePolicyPolicyDetailsActionCrossRegionCopy[]; +export namespace dynamodb { + export interface GetTableAttribute { + /** + * Name of the DynamoDB table. + */ name: string; - } - - export interface LifecyclePolicyPolicyDetailsActionCrossRegionCopy { - encryptionConfiguration: outputs.dlm.LifecyclePolicyPolicyDetailsActionCrossRegionCopyEncryptionConfiguration; - retainRule?: outputs.dlm.LifecyclePolicyPolicyDetailsActionCrossRegionCopyRetainRule; - target: string; - } - - export interface LifecyclePolicyPolicyDetailsActionCrossRegionCopyEncryptionConfiguration { - cmkArn?: string; - encrypted?: boolean; - } - - export interface LifecyclePolicyPolicyDetailsActionCrossRegionCopyRetainRule { - interval: number; - intervalUnit: string; - } - - export interface LifecyclePolicyPolicyDetailsEventSource { - parameters: outputs.dlm.LifecyclePolicyPolicyDetailsEventSourceParameters; type: string; } - export interface LifecyclePolicyPolicyDetailsEventSourceParameters { - descriptionRegex: string; - eventType: string; - snapshotOwners: string[]; - } - - export interface LifecyclePolicyPolicyDetailsParameters { - excludeBootVolume?: boolean; - noReboot?: boolean; - } - - export interface LifecyclePolicyPolicyDetailsSchedule { - copyTags: boolean; - createRule: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleCreateRule; - crossRegionCopyRules?: 
outputs.dlm.LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRule[]; - deprecateRule?: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleDeprecateRule; - fastRestoreRule?: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleFastRestoreRule; + export interface GetTableGlobalSecondaryIndex { + hashKey: string; + /** + * Name of the DynamoDB table. + */ name: string; - retainRule: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleRetainRule; - shareRule?: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleShareRule; - tagsToAdd?: {[key: string]: string}; - variableTags?: {[key: string]: string}; - } - - export interface LifecyclePolicyPolicyDetailsScheduleCreateRule { - cronExpression?: string; - interval?: number; - intervalUnit: string; - location: string; - times: string; - } - - export interface LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRule { - cmkArn?: string; - copyTags: boolean; - deprecateRule?: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRuleDeprecateRule; - encrypted: boolean; - retainRule?: outputs.dlm.LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRuleRetainRule; - target: string; + nonKeyAttributes: string[]; + projectionType: string; + rangeKey: string; + readCapacity: number; + writeCapacity: number; } - export interface LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRuleDeprecateRule { - interval: number; - intervalUnit: string; + export interface GetTableLocalSecondaryIndex { + /** + * Name of the DynamoDB table. 
+ */ + name: string; + nonKeyAttributes: string[]; + projectionType: string; + rangeKey: string; } - export interface LifecyclePolicyPolicyDetailsScheduleCrossRegionCopyRuleRetainRule { - interval: number; - intervalUnit: string; + export interface GetTablePointInTimeRecovery { + enabled: boolean; } - export interface LifecyclePolicyPolicyDetailsScheduleDeprecateRule { - count?: number; - interval?: number; - intervalUnit?: string; + export interface GetTableReplica { + kmsKeyArn: string; + regionName: string; } - export interface LifecyclePolicyPolicyDetailsScheduleFastRestoreRule { - availabilityZones: string[]; - count?: number; - interval?: number; - intervalUnit?: string; + export interface GetTableServerSideEncryption { + enabled: boolean; + kmsKeyArn: string; } - export interface LifecyclePolicyPolicyDetailsScheduleRetainRule { - count?: number; - interval?: number; - intervalUnit?: string; + export interface GetTableTtl { + attributeName: string; + enabled: boolean; } - export interface LifecyclePolicyPolicyDetailsScheduleShareRule { - targetAccounts: string[]; - unshareInterval?: number; - unshareIntervalUnit?: string; + export interface GlobalTableReplica { + /** + * AWS region name of replica DynamoDB TableE.g., `us-east-1` + */ + regionName: string; } -} - -export namespace dms { - export interface EndpointElasticsearchSettings { + export interface TableAttribute { /** - * Endpoint for the OpenSearch cluster. + * Name of the attribute */ - endpointUri: string; + name: string; /** - * Maximum number of seconds for which DMS retries failed API requests to the OpenSearch cluster. Default is `300`. + * Attribute type. Valid values are `S` (string), `N` (number), `B` (binary). */ - errorRetryDuration?: number; + type: string; + } + + export interface TableGlobalSecondaryIndex { /** - * Maximum percentage of records that can fail to be written before a full load operation stops. Default is `10`. 
+ * Name of the hash key in the index; must be defined as an attribute in the resource. */ - fullLoadErrorPercentage?: number; + hashKey: string; /** - * ARN of the IAM Role with permissions to write to the OpenSearch cluster. + * Name of the index. */ - serviceAccessRoleArn: string; + name: string; /** - * Enable to migrate documentation using the documentation type `_doc`. OpenSearch and an Elasticsearch clusters only support the _doc documentation type in versions 7.x and later. The default value is `false`. + * Only required with `INCLUDE` as a projection type; a list of attributes to project into the index. These do not need to be defined as attributes on the table. */ - useNewMappingType?: boolean; - } - - export interface EndpointKafkaSettings { + nonKeyAttributes?: string[]; /** - * Kafka broker location. Specify in the form broker-hostname-or-ip:port. + * One of `ALL`, `INCLUDE` or `KEYS_ONLY` where `ALL` projects every attribute into the index, `KEYS_ONLY` projects into the index only the table and index hashKey and sortKey attributes , `INCLUDE` projects into the index all of the attributes that are defined in `nonKeyAttributes` in addition to the attributes that that`KEYS_ONLY` project. */ - broker: string; + projectionType: string; /** - * Shows detailed control information for table definition, column definition, and table and column changes in the Kafka message output. Default is `false`. + * Name of the range key; must be defined */ - includeControlDetails?: boolean; + rangeKey?: string; /** - * Include NULL and empty columns for records migrated to the endpoint. Default is `false`. + * Number of read units for this index. Must be set if billingMode is set to PROVISIONED. */ - includeNullAndEmpty?: boolean; + readCapacity?: number; /** - * Shows the partition value within the Kafka message output unless the partition type is `schema-table-type`. Default is `false`. + * Number of write units for this index. 
Must be set if billingMode is set to PROVISIONED. */ - includePartitionValue?: boolean; + writeCapacity?: number; + } + + export interface TableImportTable { /** - * Includes any data definition language (DDL) operations that change the table in the control data, such as `rename-table`, `drop-table`, `add-column`, `drop-column`, and `rename-column`. Default is `false`. + * Type of compression to be used on the input coming from the imported table. + * Valid values are `GZIP`, `ZSTD` and `NONE`. */ - includeTableAlterOperations?: boolean; + inputCompressionType?: string; /** - * Provides detailed transaction information from the source database. This information includes a commit timestamp, a log position, and values for `transactionId`, previous `transactionId`, and `transactionRecordId` (the record offset within a transaction). Default is `false`. + * The format of the source data. + * Valid values are `CSV`, `DYNAMODB_JSON`, and `ION`. */ - includeTransactionDetails?: boolean; + inputFormat: string; /** - * Output format for the records created on the endpoint. Message format is `JSON` (default) or `JSON_UNFORMATTED` (a single line with no tab). + * Describe the format options for the data that was imported into the target table. + * There is one value, `csv`. + * See below. */ - messageFormat?: string; + inputFormatOptions?: outputs.dynamodb.TableImportTableInputFormatOptions; /** - * Maximum size in bytes for records created on the endpoint Default is `1,000,000`. + * Values for the S3 bucket the source file is imported from. + * See below. */ - messageMaxBytes?: number; + s3BucketSource: outputs.dynamodb.TableImportTableS3BucketSource; + } + + export interface TableImportTableInputFormatOptions { /** - * Set this optional parameter to true to avoid adding a '0x' prefix to raw data in hexadecimal format. For example, by default, AWS DMS adds a '0x' prefix to the LOB column type in hexadecimal format moving from an Oracle source to a Kafka target. 
Use the `noHexPrefix` endpoint setting to enable migration of RAW data type columns without adding the `'0x'` prefix. + * This block contains the processing options for the CSV file being imported: */ - noHexPrefix?: boolean; + csv?: outputs.dynamodb.TableImportTableInputFormatOptionsCsv; + } + + export interface TableImportTableInputFormatOptionsCsv { /** - * Prefixes schema and table names to partition values, when the partition type is `primary-key-type`. Doing this increases data distribution among Kafka partitions. For example, suppose that a SysBench schema has thousands of tables and each table has only limited range for a primary key. In this case, the same primary key is sent from thousands of tables to the same partition, which causes throttling. Default is `false`. + * The delimiter used for separating items in the CSV file being imported. */ - partitionIncludeSchemaTable?: boolean; + delimiter?: string; /** - * Secure password you created when you first set up your MSK cluster to validate a client identity and make an encrypted connection between server and client using SASL-SSL authentication. + * List of the headers used to specify a common header for all source CSV files being imported. */ - saslPassword?: string; + headerLists?: string[]; + } + + export interface TableImportTableS3BucketSource { /** - * Secure user name you created when you first set up your MSK cluster to validate a client identity and make an encrypted connection between server and client using SASL-SSL authentication. + * The S3 bucket that is being imported from. */ - saslUsername?: string; + bucket: string; /** - * Set secure connection to a Kafka target endpoint using Transport Layer Security (TLS). Options include `ssl-encryption`, `ssl-authentication`, and `sasl-ssl`. `sasl-ssl` requires `saslUsername` and `saslPassword`. + * The account number of the S3 bucket that is being imported from. 
*/ - securityProtocol?: string; + bucketOwner?: string; /** - * ARN for the private certificate authority (CA) cert that AWS DMS uses to securely connect to your Kafka target endpoint. + * The key prefix shared by all S3 Objects that are being imported. */ - sslCaCertificateArn?: string; + keyPrefix?: string; + } + + export interface TableLocalSecondaryIndex { /** - * ARN of the client certificate used to securely connect to a Kafka target endpoint. + * Name of the index */ - sslClientCertificateArn?: string; + name: string; /** - * ARN for the client private key used to securely connect to a Kafka target endpoint. + * Only required with `INCLUDE` as a projection type; a list of attributes to project into the index. These do not need to be defined as attributes on the table. */ - sslClientKeyArn?: string; + nonKeyAttributes?: string[]; /** - * Password for the client private key used to securely connect to a Kafka target endpoint. + * One of `ALL`, `INCLUDE` or `KEYS_ONLY` where `ALL` projects every attribute into the index, `KEYS_ONLY` projects into the index only the table and index hashKey and sortKey attributes , `INCLUDE` projects into the index all of the attributes that are defined in `nonKeyAttributes` in addition to the attributes that that`KEYS_ONLY` project. */ - sslClientKeyPassword?: string; + projectionType: string; /** - * Kafka topic for migration. Default is `kafka-default-topic`. + * Name of the range key. */ - topic?: string; + rangeKey: string; } - export interface EndpointKinesisSettings { - /** - * Shows detailed control information for table definition, column definition, and table and column changes in the Kinesis message output. Default is `false`. - */ - includeControlDetails?: boolean; + export interface TablePointInTimeRecovery { /** - * Include NULL and empty columns in the target. Default is `false`. + * Whether to enable point-in-time recovery. It can take 10 minutes to enable for new tables. 
If the `pointInTimeRecovery` block is not provided, this defaults to `false`. */ - includeNullAndEmpty?: boolean; + enabled: boolean; + } + + export interface TableReplica { /** - * Shows the partition value within the Kinesis message output, unless the partition type is schema-table-type. Default is `false`. + * ARN of the table */ - includePartitionValue?: boolean; + arn: string; /** - * Includes any data definition language (DDL) operations that change the table in the control data. Default is `false`. + * ARN of the CMK that should be used for the AWS KMS encryption. This argument should only be used if the key is different from the default KMS-managed DynamoDB key, `alias/aws/dynamodb`. **Note:** This attribute will _not_ be populated with the ARN of _default_ keys. */ - includeTableAlterOperations?: boolean; + kmsKeyArn: string; /** - * Provides detailed transaction information from the source database. Default is `false`. + * Whether to enable Point In Time Recovery for the replica. Default is `false`. */ - includeTransactionDetails?: boolean; + pointInTimeRecovery?: boolean; /** - * Output format for the records created. Default is `json`. Valid values are `json` and `json-unformatted` (a single line with no tab). + * Whether to propagate the global table's tags to a replica. Default is `false`. Changes to tags only move in one direction: from global (source) to replica. In other words, tag drift on a replica will not trigger an update. Tag or replica changes on the global table, whether from drift or configuration changes, are propagated to replicas. Changing from `true` to `false` on a subsequent `apply` means replica tags are left as they were, unmanaged, not deleted. */ - messageFormat?: string; + propagateTags?: boolean; /** - * Prefixes schema and table names to partition values, when the partition type is primary-key-type. Default is `false`. + * Region name of the replica. 
*/ - partitionIncludeSchemaTable?: boolean; + regionName: string; /** - * ARN of the IAM Role with permissions to write to the Kinesis data stream. + * ARN of the Table Stream. Only available when `streamEnabled = true` */ - serviceAccessRoleArn?: string; + streamArn: string; /** - * ARN of the Kinesis data stream. + * Timestamp, in ISO 8601 format, for this stream. Note that this timestamp is not a unique identifier for the stream on its own. However, the combination of AWS customer ID, table name and this field is guaranteed to be unique. It can be used for creating CloudWatch Alarms. Only available when `streamEnabled = true`. */ - streamArn?: string; + streamLabel: string; } - export interface EndpointMongodbSettings { + export interface TableServerSideEncryption { /** - * Authentication mechanism to access the MongoDB source endpoint. Default is `default`. + * Whether or not to enable encryption at rest using an AWS managed KMS customer master key (CMK). If `enabled` is `false` then server-side encryption is set to AWS-_owned_ key (shown as `DEFAULT` in the AWS console). Potentially confusingly, if `enabled` is `true` and no `kmsKeyArn` is specified then server-side encryption is set to the _default_ KMS-_managed_ key (shown as `KMS` in the AWS console). The [AWS KMS documentation](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) explains the difference between AWS-_owned_ and KMS-_managed_ keys. */ - authMechanism?: string; + enabled: boolean; /** - * Authentication database name. Not used when `authType` is `no`. Default is `admin`. + * ARN of the CMK that should be used for the AWS KMS encryption. This argument should only be used if the key is different from the default KMS-managed DynamoDB key, `alias/aws/dynamodb`. **Note:** This attribute will _not_ be populated with the ARN of _default_ keys. 
*/ - authSource?: string; + kmsKeyArn: string; + } + + export interface TableTtl { /** - * Authentication type to access the MongoDB source endpoint. Default is `password`. + * Name of the table attribute to store the TTL timestamp in. + * Required if `enabled` is `true`, must not be set otherwise. */ - authType?: string; + attributeName?: string; /** - * Number of documents to preview to determine the document organization. Use this setting when `nestingLevel` is set to `one`. Default is `1000`. + * Whether TTL is enabled. + * Default value is `false`. */ - docsToInvestigate?: string; + enabled?: boolean; + } + +} + +export namespace ebs { + export interface FastSnapshotRestoreTimeouts { /** - * Document ID. Use this setting when `nestingLevel` is set to `none`. Default is `false`. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - extractDocId?: string; + create?: string; /** - * Specifies either document or table mode. Default is `none`. Valid values are `one` (table mode) and `none` (document mode). + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. */ - nestingLevel?: string; + delete?: string; } - export interface EndpointPostgresSettings { + export interface GetEbsVolumesFilter { /** - * For use with change data capture (CDC) only, this attribute has AWS DMS bypass foreign keys and user triggers to reduce the time it takes to bulk load data. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVolumes.html). 
+ * For example, if matching against the `size` filter, use: + * + * ```typescript + * import * as pulumi from "@pulumi/pulumi"; + * import * as aws from "@pulumi/aws"; + * + * const tenOrTwentyGbVolumes = aws.ebs.getEbsVolumes({ + * filters: [{ + * name: "size", + * values: [ + * "10", + * "20", + * ], + * }], + * }); + * ``` */ - afterConnectScript?: string; + name: string; /** - * The Babelfish for Aurora PostgreSQL database name for the endpoint. + * Set of values that are accepted for the given field. + * EBS Volume IDs will be selected if any one of the given values match. */ - babelfishDatabaseName?: string; + values: string[]; + } + + export interface GetSnapshotFilter { + name: string; + values: string[]; + } + + export interface GetSnapshotIdsFilter { + name: string; + values: string[]; + } + + export interface GetVolumeFilter { + name: string; + values: string[]; + } + + export interface SnapshotImportClientData { /** - * To capture DDL events, AWS DMS creates various artifacts in the PostgreSQL database when the task starts. + * A user-defined comment about the disk upload. */ - captureDdls?: boolean; + comment?: string; /** - * Specifies the default behavior of the replication's handling of PostgreSQL- compatible endpoints that require some additional configuration, such as Babelfish endpoints. + * The time that the disk upload ends. */ - databaseMode?: string; + uploadEnd: string; /** - * Sets the schema in which the operational DDL database artifacts are created. Default is `public`. + * The size of the uploaded disk image, in GiB. */ - ddlArtifactsSchema?: string; + uploadSize: number; /** - * Sets the client statement timeout for the PostgreSQL instance, in seconds. Default value is `60`. + * The time that the disk upload starts. 
*/ - executeTimeout?: number; + uploadStart: string; + } + + export interface SnapshotImportDiskContainer { /** - * When set to `true`, this value causes a task to fail if the actual size of a LOB column is greater than the specified `LobMaxSize`. Default is `false`. + * The description of the disk image being imported. */ - failTasksOnLobTruncation?: boolean; + description?: string; /** - * The write-ahead log (WAL) heartbeat feature mimics a dummy transaction. By doing this, it prevents idle logical replication slots from holding onto old WAL logs, which can result in storage full situations on the source. + * The format of the disk image being imported. One of `VHD` or `VMDK`. */ - heartbeatEnable?: boolean; + format: string; /** - * Sets the WAL heartbeat frequency (in minutes). Default value is `5`. + * The URL to the Amazon S3-based disk image being imported. It can either be a https URL (https://..) or an Amazon S3 URL (s3://..). One of `url` or `userBucket` must be set. */ - heartbeatFrequency?: number; + url?: string; /** - * Sets the schema in which the heartbeat artifacts are created. Default value is `public`. + * The Amazon S3 bucket for the disk image. One of `url` or `userBucket` must be set. Detailed below. */ - heartbeatSchema?: string; + userBucket?: outputs.ebs.SnapshotImportDiskContainerUserBucket; + } + + export interface SnapshotImportDiskContainerUserBucket { /** - * You can use PostgreSQL endpoint settings to map a boolean as a boolean from your PostgreSQL source to a Amazon Redshift target. Default value is `false`. + * The name of the Amazon S3 bucket where the disk image is located. */ - mapBooleanAsBoolean?: boolean; + s3Bucket: string; /** - * Optional When true, DMS migrates JSONB values as CLOB. + * The file name of the disk image. */ - mapJsonbAsClob?: boolean; + s3Key: string; + } + +} + +export namespace ec2 { + export interface AmiCopyEbsBlockDevice { /** - * Optional When true, DMS migrates LONG values as VARCHAR. 
+ * Boolean controlling whether the EBS volumes created to + * support each created instance will be deleted once that instance is terminated. */ - mapLongVarcharAs?: string; + deleteOnTermination: boolean; /** - * Specifies the maximum size (in KB) of any .csv file used to transfer data to PostgreSQL. Default is `32,768 KB`. + * Path at which the device is exposed to created instances. */ - maxFileSize?: number; + deviceName: string; /** - * Specifies the plugin to use to create a replication slot. Valid values: `pglogical`, `testDecoding`. + * Boolean controlling whether the created EBS volumes will be encrypted. Can't be used with `snapshotId`. */ - pluginName?: string; + encrypted: boolean; /** - * Sets the name of a previously created logical replication slot for a CDC load of the PostgreSQL source instance. + * Number of I/O operations per second the + * created volumes will support. */ - slotName?: string; - } - - export interface EndpointRedisSettings { + iops: number; /** - * The password provided with the auth-role and auth-token options of the AuthType setting for a Redis target endpoint. + * ARN of the Outpost on which the snapshot is stored. + * + * > **Note:** You can specify `encrypted` or `snapshotId` but not both. */ - authPassword?: string; + outpostArn: string; /** - * The type of authentication to perform when connecting to a Redis target. Options include `none`, `auth-token`, and `auth-role`. The `auth-token` option requires an `authPassword` value to be provided. The `auth-role` option requires `authUserName` and `authPassword` values to be provided. + * ID of an EBS snapshot that will be used to initialize the created + * EBS volumes. If set, the `volumeSize` attribute must be at least as large as the referenced + * snapshot. */ - authType: string; + snapshotId: string; /** - * The username provided with the `auth-role` option of the AuthType setting for a Redis target endpoint. + * Throughput that the EBS volume supports, in MiB/s. 
Only valid for `volumeType` of `gp3`. */ - authUserName?: string; + throughput: number; /** - * Transmission Control Protocol (TCP) port for the endpoint. + * Size of created volumes in GiB. + * If `snapshotId` is set and `volumeSize` is omitted then the volume will have the same size + * as the selected snapshot. */ - port: number; + volumeSize: number; /** - * Fully qualified domain name of the endpoint. + * Type of EBS volume to create. Can be `standard`, `gp2`, `gp3`, `io1`, `io2`, `sc1` or `st1` (Default: `standard`). */ - serverName: string; + volumeType: string; + } + + export interface AmiCopyEphemeralBlockDevice { /** - * The Amazon Resource Name (ARN) for the certificate authority (CA) that DMS uses to connect to your Redis target endpoint. + * Path at which the device is exposed to created instances. */ - sslCaCertificateArn?: string; + deviceName: string; /** - * The plaintext option doesn't provide Transport Layer Security (TLS) encryption for traffic between endpoint and database. Options include `plaintext`, `ssl-encryption`. The default is `ssl-encryption`. + * Name for the ephemeral device, of the form "ephemeralN" where + * *N* is a volume number starting from zero. */ - sslSecurityProtocol?: string; + virtualName: string; } - export interface EndpointRedshiftSettings { + export interface AmiEbsBlockDevice { /** - * Custom S3 Bucket Object prefix for intermediate storage. + * Boolean controlling whether the EBS volumes created to + * support each created instance will be deleted once that instance is terminated. */ - bucketFolder?: string; + deleteOnTermination?: boolean; /** - * Custom S3 Bucket name for intermediate storage. + * Path at which the device is exposed to created instances. */ - bucketName?: string; + deviceName: string; /** - * The server-side encryption mode that you want to encrypt your intermediate .csv object files copied to S3. Defaults to `SSE_S3`. Valid values are `SSE_S3` and `SSE_KMS`. 
+ * Boolean controlling whether the created EBS volumes will be encrypted. Can't be used with `snapshotId`. */ - encryptionMode?: string; + encrypted?: boolean; /** - * ARN or Id of KMS Key to use when `encryptionMode` is `SSE_KMS`. + * Number of I/O operations per second the + * created volumes will support. */ - serverSideEncryptionKmsKeyId?: string; + iops?: number; /** - * Amazon Resource Name (ARN) of the IAM Role with permissions to read from or write to the S3 Bucket for intermediate storage. + * ARN of the Outpost on which the snapshot is stored. + * + * > **Note:** You can specify `encrypted` or `snapshotId` but not both. */ - serviceAccessRoleArn?: string; - } - - export interface EndpointS3Settings { + outpostArn?: string; /** - * Whether to add column name information to the .csv output file. Default is `false`. + * ID of an EBS snapshot that will be used to initialize the created + * EBS volumes. If set, the `volumeSize` attribute must be at least as large as the referenced + * snapshot. */ - addColumnName?: boolean; + snapshotId?: string; /** - * S3 object prefix. + * Throughput that the EBS volume supports, in MiB/s. Only valid for `volumeType` of `gp3`. */ - bucketFolder?: string; + throughput: number; /** - * S3 bucket name. + * Size of created volumes in GiB. + * If `snapshotId` is set and `volumeSize` is omitted then the volume will have the same size + * as the selected snapshot. */ - bucketName?: string; + volumeSize: number; /** - * Predefined (canned) access control list for objects created in an S3 bucket. Valid values include `none`, `private`, `public-read`, `public-read-write`, `authenticated-read`, `aws-exec-read`, `bucket-owner-read`, and `bucket-owner-full-control`. Default is `none`. + * Type of EBS volume to create. Can be `standard`, `gp2`, `gp3`, `io1`, `io2`, `sc1` or `st1` (Default: `standard`). 
*/ - cannedAclForObjects?: string; + volumeType?: string; + } + + export interface AmiEphemeralBlockDevice { /** - * Whether to write insert and update operations to .csv or .parquet output files. Default is `false`. + * Path at which the device is exposed to created instances. */ - cdcInsertsAndUpdates?: boolean; + deviceName: string; /** - * Whether to write insert operations to .csv or .parquet output files. Default is `false`. + * Name for the ephemeral device, of the form "ephemeralN" where + * *N* is a volume number starting from zero. */ - cdcInsertsOnly?: boolean; + virtualName: string; + } + + export interface AmiFromInstanceEbsBlockDevice { /** - * Maximum length of the interval, defined in seconds, after which to output a file to Amazon S3. Default is `60`. + * Boolean controlling whether the EBS volumes created to + * support each created instance will be deleted once that instance is terminated. */ - cdcMaxBatchInterval?: number; + deleteOnTermination: boolean; /** - * Minimum file size condition as defined in kilobytes to output a file to Amazon S3. Default is `32000`. **NOTE:** Previously, this setting was measured in megabytes but now represents kilobytes. Update configurations accordingly. + * Path at which the device is exposed to created instances. */ - cdcMinFileSize?: number; + deviceName: string; /** - * Folder path of CDC files. For an S3 source, this setting is required if a task captures change data; otherwise, it's optional. If `cdcPath` is set, AWS DMS reads CDC files from this path and replicates the data changes to the target endpoint. Supported in AWS DMS versions 3.4.2 and later. + * Boolean controlling whether the created EBS volumes will be encrypted. Can't be used with `snapshotId`. */ - cdcPath?: string; + encrypted: boolean; /** - * Set to compress target files. Default is `NONE`. Valid values are `GZIP` and `NONE`. + * Number of I/O operations per second the + * created volumes will support. 
*/ - compressionType?: string; + iops: number; /** - * Delimiter used to separate columns in the source files. Default is `,`. + * ARN of the Outpost on which the snapshot is stored. + * + * > **Note:** You can specify `encrypted` or `snapshotId` but not both. */ - csvDelimiter?: string; + outpostArn: string; /** - * String to use for all columns not included in the supplemental log. + * ID of an EBS snapshot that will be used to initialize the created + * EBS volumes. If set, the `volumeSize` attribute must be at least as large as the referenced + * snapshot. */ - csvNoSupValue?: string; + snapshotId: string; /** - * String to as null when writing to the target. + * Throughput that the EBS volume supports, in MiB/s. Only valid for `volumeType` of `gp3`. */ - csvNullValue?: string; + throughput: number; /** - * Delimiter used to separate rows in the source files. Default is `\n`. + * Size of created volumes in GiB. + * If `snapshotId` is set and `volumeSize` is omitted then the volume will have the same size + * as the selected snapshot. */ - csvRowDelimiter?: string; + volumeSize: number; /** - * Output format for the files that AWS DMS uses to create S3 objects. Valid values are `csv` and `parquet`. Default is `csv`. + * Type of EBS volume to create. Can be `standard`, `gp2`, `gp3`, `io1`, `io2`, `sc1` or `st1` (Default: `standard`). */ - dataFormat?: string; + volumeType: string; + } + + export interface AmiFromInstanceEphemeralBlockDevice { /** - * Size of one data page in bytes. Default is `1048576` (1 MiB). + * Path at which the device is exposed to created instances. */ - dataPageSize?: number; + deviceName: string; /** - * Date separating delimiter to use during folder partitioning. Valid values are `SLASH`, `UNDERSCORE`, `DASH`, and `NONE`. Default is `SLASH`. + * Name for the ephemeral device, of the form "ephemeralN" where + * *N* is a volume number starting from zero. 
*/ - datePartitionDelimiter?: string; + virtualName: string; + } + + export interface CapacityBlockReservationTimeouts { /** - * Partition S3 bucket folders based on transaction commit dates. Default is `false`. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - datePartitionEnabled?: boolean; + create?: string; + } + + export interface DefaultNetworkAclEgress { /** - * Date format to use during folder partitioning. Use this parameter when `datePartitionEnabled` is set to true. Valid values are `YYYYMMDD`, `YYYYMMDDHH`, `YYYYMM`, `MMYYYYDD`, and `DDMMYYYY`. Default is `YYYYMMDD`. + * The action to take. */ - datePartitionSequence?: string; + action: string; /** - * Maximum size in bytes of an encoded dictionary page of a column. Default is `1048576` (1 MiB). + * The CIDR block to match. This must be a valid network mask. */ - dictPageSizeLimit?: number; + cidrBlock?: string; /** - * Whether to enable statistics for Parquet pages and row groups. Default is `true`. + * The from port to match. */ - enableStatistics?: boolean; + fromPort: number; /** - * Type of encoding to use. Value values are `rleDictionary`, `plain`, and `plainDictionary`. Default is `rleDictionary`. + * The ICMP type code to be used. Default 0. */ - encodingType?: string; + icmpCode?: number; /** - * Server-side encryption mode that you want to encrypt your .csv or .parquet object files copied to S3. Valid values are `SSE_S3` and `SSE_KMS`. Default is `SSE_S3`. + * The ICMP type to be used. Default 0. */ - encryptionMode?: string; + icmpType?: number; /** - * JSON document that describes how AWS DMS should interpret the data. + * The IPv6 CIDR block. 
+ * + * > For more information on ICMP types and codes, see [Internet Control Message Protocol (ICMP) Parameters](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml). */ - externalTableDefinition?: string; + ipv6CidrBlock?: string; /** - * Whether to integrate AWS Glue Data Catalog with an Amazon S3 target. See [Using AWS Glue Data Catalog with an Amazon S3 target for AWS DMS](https://docs.aws.amazon.com/dms/latest/userguide/CHAP_Target.S3.html#CHAP_Target.S3.GlueCatalog) for more information. Default is `false`. + * The protocol to match. If using the -1 'all' protocol, you must specify a from and to port of 0. */ - glueCatalogGeneration?: boolean; + protocol: string; /** - * When this value is set to `1`, DMS ignores the first row header in a .csv file. Default is `0`. + * The rule number. Used for ordering. */ - ignoreHeaderRows?: number; + ruleNo: number; /** - * Whether to enable a full load to write INSERT operations to the .csv output files only to indicate how the rows were added to the source database. Default is `false`. + * The to port to match. + * + * The following arguments are optional: */ - includeOpForFullLoad?: boolean; + toPort: number; + } + + export interface DefaultNetworkAclIngress { + action: string; + cidrBlock?: string; + fromPort: number; + icmpCode?: number; + icmpType?: number; + ipv6CidrBlock?: string; + protocol: string; + ruleNo: number; + toPort: number; + } + + export interface DefaultRouteTableRoute { /** - * Maximum size (in KB) of any .csv file to be created while migrating to an S3 target during full load. Valid values are from `1` to `1048576`. Default is `1048576` (1 GB). + * The CIDR block of the route. */ - maxFileSize?: number; + cidrBlock?: string; /** - * Specifies the precision of any TIMESTAMP column values written to an S3 object file in .parquet format. Default is `false`. + * The Amazon Resource Name (ARN) of a core network. 
*/ - parquetTimestampInMillisecond?: boolean; + coreNetworkArn?: string; /** - * Version of the .parquet file format. Default is `parquet-1-0`. Valid values are `parquet-1-0` and `parquet-2-0`. - */ - parquetVersion?: string; - /** - * Whether DMS saves the transaction order for a CDC load on the S3 target specified by `cdcPath`. Default is `false`. - */ - preserveTransactions?: boolean; - /** - * For an S3 source, whether each leading double quotation mark has to be followed by an ending double quotation mark. Default is `true`. + * The ID of a managed prefix list destination of the route. + * + * One of the following target arguments must be supplied: */ - rfc4180?: boolean; + destinationPrefixListId?: string; /** - * Number of rows in a row group. Default is `10000`. + * Identifier of a VPC Egress Only Internet Gateway. */ - rowGroupLength?: number; + egressOnlyGatewayId?: string; /** - * ARN or Id of KMS Key to use when `encryptionMode` is `SSE_KMS`. + * Identifier of a VPC internet gateway or a virtual private gateway. */ - serverSideEncryptionKmsKeyId?: string; + gatewayId?: string; /** - * ARN of the IAM Role with permissions to read from or write to the S3 Bucket. + * Identifier of an EC2 instance. */ - serviceAccessRoleArn?: string; + instanceId?: string; /** - * Column to add with timestamp information to the endpoint data for an Amazon S3 target. + * The Ipv6 CIDR block of the route */ - timestampColumnName?: string; + ipv6CidrBlock?: string; /** - * Whether to use `csvNoSupValue` for columns not included in the supplemental log. + * Identifier of a VPC NAT gateway. */ - useCsvNoSupValue?: boolean; + natGatewayId?: string; /** - * When set to true, uses the task start time as the timestamp column value instead of the time data is written to target. For full load, when set to true, each row of the timestamp column contains the task start time. For CDC loads, each row of the timestamp column contains the transaction commit time. 
When set to false, the full load timestamp in the timestamp column increments with the time data arrives at the target. Default is `false`. + * Identifier of an EC2 network interface. */ - useTaskStartTimeForFullLoadTimestamp?: boolean; - } - - export interface GetEndpointElasticsearchSetting { - endpointUri: string; - errorRetryDuration: number; - fullLoadErrorPercentage: number; - serviceAccessRoleArn: string; - } - - export interface GetEndpointKafkaSetting { - broker: string; - includeControlDetails: boolean; - includeNullAndEmpty: boolean; - includePartitionValue: boolean; - includeTableAlterOperations: boolean; - includeTransactionDetails: boolean; - messageFormat: string; - messageMaxBytes: number; - noHexPrefix: boolean; - partitionIncludeSchemaTable: boolean; - saslPassword: string; - saslUsername: string; - securityProtocol: string; - sslCaCertificateArn: string; - sslClientCertificateArn: string; - sslClientKeyArn: string; - sslClientKeyPassword: string; - topic: string; - } - - export interface GetEndpointKinesisSetting { - includeControlDetails: boolean; - includeNullAndEmpty: boolean; - includePartitionValue: boolean; - includeTableAlterOperations: boolean; - includeTransactionDetails: boolean; - messageFormat: string; - partitionIncludeSchemaTable: boolean; - serviceAccessRoleArn: string; - streamArn: string; - } - - export interface GetEndpointMongodbSetting { - authMechanism: string; - authSource: string; - authType: string; - docsToInvestigate: string; - extractDocId: string; - nestingLevel: string; - } - - export interface GetEndpointPostgresSetting { - afterConnectScript: string; - babelfishDatabaseName: string; - captureDdls: boolean; - databaseMode: string; - ddlArtifactsSchema: string; - executeTimeout: number; - failTasksOnLobTruncation: boolean; - heartbeatEnable: boolean; - heartbeatFrequency: number; - heartbeatSchema: string; - mapBooleanAsBoolean: boolean; - mapJsonbAsClob: boolean; - mapLongVarcharAs: string; - maxFileSize: number; - 
pluginName: string; - slotName: string; - } - - export interface GetEndpointRedisSetting { - authPassword: string; - authType: string; - authUserName: string; - port: number; - serverName: string; - sslCaCertificateArn: string; - sslSecurityProtocol: string; - } - - export interface GetEndpointRedshiftSetting { - bucketFolder: string; - bucketName: string; - encryptionMode: string; - serverSideEncryptionKmsKeyId: string; - serviceAccessRoleArn: string; - } - - export interface GetEndpointS3Setting { - addColumnName: boolean; - bucketFolder: string; - bucketName: string; - cannedAclForObjects: string; - cdcInsertsAndUpdates: boolean; - cdcInsertsOnly: boolean; - cdcMaxBatchInterval: number; - cdcMinFileSize: number; - cdcPath: string; - compressionType: string; - csvDelimiter: string; - csvNoSupValue: string; - csvNullValue: string; - csvRowDelimiter: string; - dataFormat: string; - dataPageSize: number; - datePartitionDelimiter: string; - datePartitionEnabled: boolean; - datePartitionSequence: string; - dictPageSizeLimit: number; - enableStatistics: boolean; - encodingType: string; - encryptionMode: string; - externalTableDefinition: string; - glueCatalogGeneration: boolean; - ignoreHeaderRows: number; - ignoreHeadersRow: number; - includeOpForFullLoad: boolean; - maxFileSize: number; - parquetTimestampInMillisecond: boolean; - parquetVersion: string; - preserveTransactions: boolean; - rfc4180: boolean; - rowGroupLength: number; - serverSideEncryptionKmsKeyId: string; - serviceAccessRoleArn: string; - timestampColumnName: string; - useCsvNoSupValue: boolean; - useTaskStartTimeForFullLoadTimestamp: boolean; - } - - export interface ReplicationConfigComputeConfig { + networkInterfaceId?: string; /** - * The Availability Zone where the DMS Serverless replication using this configuration will run. The default value is a random. + * Identifier of an EC2 Transit Gateway. 
*/ - availabilityZone: string; + transitGatewayId?: string; /** - * A list of custom DNS name servers supported for the DMS Serverless replication to access your source or target database. + * Identifier of a VPC Endpoint. This route must be removed prior to VPC Endpoint deletion. */ - dnsNameServers?: string; + vpcEndpointId?: string; /** - * An Key Management Service (KMS) key Amazon Resource Name (ARN) that is used to encrypt the data during DMS Serverless replication. If you don't specify a value for the KmsKeyId parameter, DMS uses your default encryption key. + * Identifier of a VPC peering connection. + * + * Note that the default route, mapping the VPC's CIDR block to "local", is created implicitly and cannot be specified. */ - kmsKeyId: string; + vpcPeeringConnectionId?: string; + } + + export interface DefaultSecurityGroupEgress { /** - * Specifies the maximum value of the DMS capacity units (DCUs) for which a given DMS Serverless replication can be provisioned. A single DCU is 2GB of RAM, with 2 DCUs as the minimum value allowed. The list of valid DCU values includes 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. + * List of CIDR blocks. */ - maxCapacityUnits?: number; + cidrBlocks?: string[]; /** - * Specifies the minimum value of the DMS capacity units (DCUs) for which a given DMS Serverless replication can be provisioned. The list of valid DCU values includes 2, 4, 8, 16, 32, 64, 128, 192, 256, and 384. If this value isn't set DMS scans the current activity of available source tables to identify an optimum setting for this parameter. + * Description of this rule. */ - minCapacityUnits?: number; + description?: string; /** - * Specifies if the replication instance is a multi-az deployment. You cannot set the `availabilityZone` parameter if the `multiAz` parameter is set to `true`. 
+ * Start port (or ICMP type number if protocol is `icmp`) */ - multiAz: boolean; + fromPort: number; /** - * The weekly time range during which system maintenance can occur, in Universal Coordinated Time (UTC). - * - * - Default: A 30-minute window selected at random from an 8-hour block of time per region, occurring on a random day of the week. - * - Format: `ddd:hh24:mi-ddd:hh24:mi` - * - Valid Days: `mon, tue, wed, thu, fri, sat, sun` - * - Constraints: Minimum 30-minute window. + * List of IPv6 CIDR blocks. */ - preferredMaintenanceWindow: string; + ipv6CidrBlocks?: string[]; /** - * Specifies a subnet group identifier to associate with the DMS Serverless replication. + * List of prefix list IDs (for allowing access to VPC endpoints) */ - replicationSubnetGroupId: string; + prefixListIds?: string[]; /** - * Specifies the virtual private cloud (VPC) security group to use with the DMS Serverless replication. The VPC security group must work with the VPC containing the replication. + * Protocol. If you select a protocol of "-1" (semantically equivalent to `all`, which is not a valid value here), you must specify a `fromPort` and `toPort` equal to `0`. If not `icmp`, `tcp`, `udp`, or `-1` use the [protocol number](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). */ - vpcSecurityGroupIds: string[]; - } - -} - -export namespace docdb { - export interface ClusterParameterGroupParameter { + protocol: string; /** - * Valid values are `immediate` and `pending-reboot`. Defaults to `pending-reboot`. + * List of security groups. A group name can be used relative to the default VPC. Otherwise, group ID. */ - applyMethod?: string; + securityGroups?: string[]; /** - * The name of the DocumentDB parameter. + * Whether the security group itself will be added as a source to this egress rule. */ - name: string; + self?: boolean; /** - * The value of the DocumentDB parameter. + * End range port (or ICMP code if protocol is `icmp`). 
*/ - value: string; + toPort: number; } - export interface ClusterRestoreToPointInTime { - /** - * The date and time to restore from. Value must be a time in Universal Coordinated Time (UTC) format and must be before the latest restorable time for the DB instance. Cannot be specified with `useLatestRestorableTime`. - */ - restoreToTime?: string; - /** - * The type of restore to be performed. Valid values are `full-copy`, `copy-on-write`. - */ - restoreType?: string; - /** - * The identifier of the source DB cluster from which to restore. Must match the identifier of an existing DB cluster. - */ - sourceClusterIdentifier: string; + export interface DefaultSecurityGroupIngress { + cidrBlocks?: string[]; /** - * A boolean value that indicates whether the DB cluster is restored from the latest backup time. Defaults to `false`. Cannot be specified with `restoreToTime`. + * Description of the security group. */ - useLatestRestorableTime?: boolean; + description?: string; + fromPort: number; + ipv6CidrBlocks?: string[]; + prefixListIds?: string[]; + protocol: string; + securityGroups?: string[]; + self?: boolean; + toPort: number; } - export interface ElasticClusterTimeouts { + export interface EipDomainNameTimeouts { /** * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ 
@@ -21731,1458 +21710,1111 @@ export namespace docdb { update?: string; } - export interface GlobalClusterGlobalClusterMember { + export interface FleetFleetInstanceSet { /** - * Amazon Resource Name (ARN) of member DB Cluster. + * The IDs of the instances. */ - dbClusterArn: string; + instanceIds: string[]; /** - * Whether the member is the primary DB Cluster. + * The instance type. */ - isWriter: boolean; + instanceType: string; + /** + * Indicates if the instance that was launched is a Spot Instance or On-Demand Instance. + */ + lifecycle: string; + /** + * The value is `Windows` for Windows instances. Otherwise, the value is blank. + */ + platform: string; } -} - -export namespace drs { - export interface ReplicationConfigurationTemplatePitPolicy { + export interface FleetLaunchTemplateConfig { /** - * Whether this rule is enabled or not. + * Nested argument containing EC2 Launch Template to use. Defined below. */ - enabled?: boolean; + launchTemplateSpecification?: outputs.ec2.FleetLaunchTemplateConfigLaunchTemplateSpecification; /** - * How often, in the chosen units, a snapshot should be taken. + * Nested argument(s) containing parameters to override the same parameters in the Launch Template. Defined below. */ - interval: number; + overrides?: outputs.ec2.FleetLaunchTemplateConfigOverride[]; + } + + export interface FleetLaunchTemplateConfigLaunchTemplateSpecification { /** - * Duration to retain a snapshot for, in the chosen `units`. + * The ID of the launch template. */ - retentionDuration: number; + launchTemplateId?: string; /** - * ID of the rule. Valid values are integers. + * The name of the launch template. */ - ruleId?: number; + launchTemplateName?: string; /** - * Units used to measure the `interval` and `retentionDuration`. Valid values are `MINUTE`, `HOUR`, and `DAY`. 
+ * The launch template version number, `$Latest`, or `$Default.` */ - units: string; + version: string; } - export interface ReplicationConfigurationTemplateTimeouts { + export interface FleetLaunchTemplateConfigOverride { /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * Availability Zone in which to launch the instances. */ - create?: string; + availabilityZone?: string; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. + * Override the instance type in the Launch Template with instance types that satisfy the requirements. */ - delete?: string; + instanceRequirements?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirements; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * Instance type. */ - update?: string; - } - -} - -export namespace dynamodb { - export interface GetTableAttribute { + instanceType?: string; /** - * Name of the DynamoDB table. + * Maximum price per unit hour that you are willing to pay for a Spot Instance. */ - name: string; - type: string; - } - - export interface GetTableGlobalSecondaryIndex { - hashKey: string; + maxPrice?: string; /** - * Name of the DynamoDB table. + * Priority for the launch template override. 
If `onDemandOptions` `allocationStrategy` is set to `prioritized`, EC2 Fleet uses priority to determine which launch template override to use first in fulfilling On-Demand capacity. The highest priority is launched first. The lower the number, the higher the priority. If no number is set, the launch template override has the lowest priority. Valid values are whole numbers starting at 0. */ - name: string; - nonKeyAttributes: string[]; - projectionType: string; - rangeKey: string; - readCapacity: number; - writeCapacity: number; - } - - export interface GetTableLocalSecondaryIndex { + priority?: number; /** - * Name of the DynamoDB table. + * ID of the subnet in which to launch the instances. */ - name: string; - nonKeyAttributes: string[]; - projectionType: string; - rangeKey: string; - } - - export interface GetTablePointInTimeRecovery { - enabled: boolean; - } - - export interface GetTableReplica { - kmsKeyArn: string; - regionName: string; - } - - export interface GetTableServerSideEncryption { - enabled: boolean; - kmsKeyArn: string; - } - - export interface GetTableTtl { - attributeName: string; - enabled: boolean; - } - - export interface GlobalTableReplica { + subnetId?: string; /** - * AWS region name of replica DynamoDB TableE.g., `us-east-1` + * Number of units provided by the specified instance type. */ - regionName: string; + weightedCapacity?: number; } - export interface TableAttribute { + export interface FleetLaunchTemplateConfigOverrideInstanceRequirements { /** - * Name of the attribute + * Block describing the minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips). Default is no minimum or maximum limits. */ - name: string; + acceleratorCount?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsAcceleratorCount; /** - * Attribute type. Valid values are `S` (string), `N` (number), `B` (binary). + * List of accelerator manufacturer names. Default is any manufacturer. 
*/ - type: string; - } - - export interface TableGlobalSecondaryIndex { + acceleratorManufacturers?: string[]; /** - * Name of the hash key in the index; must be defined as an attribute in the resource. + * List of accelerator names. Default is any acclerator. */ - hashKey: string; + acceleratorNames?: string[]; /** - * Name of the index. + * Block describing the minimum and maximum total memory of the accelerators. Default is no minimum or maximum. */ - name: string; + acceleratorTotalMemoryMib?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsAcceleratorTotalMemoryMib; /** - * Only required with `INCLUDE` as a projection type; a list of attributes to project into the index. These do not need to be defined as attributes on the table. + * The accelerator types that must be on the instance type. Default is any accelerator type. */ - nonKeyAttributes?: string[]; + acceleratorTypes?: string[]; /** - * One of `ALL`, `INCLUDE` or `KEYS_ONLY` where `ALL` projects every attribute into the index, `KEYS_ONLY` projects into the index only the table and index hashKey and sortKey attributes , `INCLUDE` projects into the index all of the attributes that are defined in `nonKeyAttributes` in addition to the attributes that that`KEYS_ONLY` project. + * The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes. You can use strings with one or more wild cards,represented by an asterisk (\*). The following are examples: `c5*`, `m5a.*`, `r*`, `*3*`. For example, if you specify `c5*`, you are excluding the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*`, you are excluding all the M5a instance types, but not the M5n instance types. Maximum of 400 entries in the list; each entry is limited to 30 characters. Default is no excluded instance types. Default is any instance type. 
+ * + * If you specify `AllowedInstanceTypes`, you can't specify `ExcludedInstanceTypes`. */ - projectionType: string; + allowedInstanceTypes?: string[]; /** - * Name of the range key; must be defined + * Indicate whether bare metal instace types should be `included`, `excluded`, or `required`. Default is `excluded`. */ - rangeKey?: string; + bareMetal?: string; /** - * Number of read units for this index. Must be set if billingMode is set to PROVISIONED. + * Block describing the minimum and maximum baseline EBS bandwidth, in Mbps. Default is no minimum or maximum. */ - readCapacity?: number; + baselineEbsBandwidthMbps?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsBaselineEbsBandwidthMbps; /** - * Number of write units for this index. Must be set if billingMode is set to PROVISIONED. + * Indicates whether burstable performance T instance types are `included`, `excluded`, or `required`. Default is `excluded`. */ - writeCapacity?: number; - } - - export interface TableImportTable { + burstablePerformance?: string; /** - * Type of compression to be used on the input coming from the imported table. - * Valid values are `GZIP`, `ZSTD` and `NONE`. + * The CPU manufacturers to include. Default is any manufacturer. + * > **NOTE:** Don't confuse the CPU hardware manufacturer with the CPU hardware architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. */ - inputCompressionType?: string; + cpuManufacturers?: string[]; /** - * The format of the source data. - * Valid values are `CSV`, `DYNAMODB_JSON`, and `ION`. + * The instance types to exclude. You can use strings with one or more wild cards, represented by an asterisk (\*). The following are examples: `c5*`, `m5a.*`, `r*`, `*3*`. For example, if you specify `c5*`, you are excluding the entire C5 instance family, which includes all C5a and C5n instance types. 
If you specify `m5a.*`, you are excluding all the M5a instance types, but not the M5n instance types. Maximum of 400 entries in the list; each entry is limited to 30 characters. Default is no excluded instance types. + * + * If you specify `AllowedInstanceTypes`, you can't specify `ExcludedInstanceTypes`. */ - inputFormat: string; + excludedInstanceTypes?: string[]; /** - * Describe the format options for the data that was imported into the target table. - * There is one value, `csv`. - * See below. + * Indicates whether current or previous generation instance types are included. The current generation instance types are recommended for use. Valid values are `current` and `previous`. Default is `current` and `previous` generation instance types. */ - inputFormatOptions?: outputs.dynamodb.TableImportTableInputFormatOptions; + instanceGenerations?: string[]; /** - * Values for the S3 bucket the source file is imported from. - * See below. + * Indicate whether instance types with local storage volumes are `included`, `excluded`, or `required`. Default is `included`. */ - s3BucketSource: outputs.dynamodb.TableImportTableS3BucketSource; - } - - export interface TableImportTableInputFormatOptions { + localStorage?: string; /** - * This block contains the processing options for the CSV file being imported: + * List of local storage type names. Valid values are `hdd` and `ssd`. Default any storage type. */ - csv?: outputs.dynamodb.TableImportTableInputFormatOptionsCsv; - } - - export interface TableImportTableInputFormatOptionsCsv { + localStorageTypes?: string[]; /** - * The delimiter used for separating items in the CSV file being imported. + * The price protection threshold for Spot Instances. This is the maximum you’ll pay for a Spot Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. 
When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Conflicts with `spotMaxPricePercentageOverLowestPrice` */ - delimiter?: string; + maxSpotPriceAsPercentageOfOptimalOnDemandPrice?: number; /** - * List of the headers used to specify a common header for all source CSV files being imported. + * Block describing the minimum and maximum amount of memory (GiB) per vCPU. Default is no minimum or maximum. */ - headerLists?: string[]; - } - - export interface TableImportTableS3BucketSource { + memoryGibPerVcpu?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsMemoryGibPerVcpu; /** - * The S3 bucket that is being imported from. + * The minimum and maximum amount of memory per vCPU, in GiB. Default is no minimum or maximum limits. */ - bucket: string; + memoryMib: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsMemoryMib; /** - * The account number of the S3 bucket that is being imported from. + * The minimum and maximum amount of network bandwidth, in gigabits per second (Gbps). Default is No minimum or maximum. */ - bucketOwner?: string; + networkBandwidthGbps?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsNetworkBandwidthGbps; /** - * The key prefix shared by all S3 Objects that are being imported. + * Block describing the minimum and maximum number of network interfaces. Default is no minimum or maximum. */ - keyPrefix?: string; - } - - export interface TableLocalSecondaryIndex { + networkInterfaceCount?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsNetworkInterfaceCount; /** - * Name of the index + * The price protection threshold for On-Demand Instances. 
This is the maximum you’ll pay for an On-Demand Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Default is 20. + * + * If you set `targetCapacityUnitType` to `vcpu` or `memory-mib`, the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price. */ - name: string; + onDemandMaxPricePercentageOverLowestPrice?: number; /** - * Only required with `INCLUDE` as a projection type; a list of attributes to project into the index. These do not need to be defined as attributes on the table. + * Indicate whether instance types must support On-Demand Instance Hibernation, either `true` or `false`. Default is `false`. */ - nonKeyAttributes?: string[]; + requireHibernateSupport?: boolean; /** - * One of `ALL`, `INCLUDE` or `KEYS_ONLY` where `ALL` projects every attribute into the index, `KEYS_ONLY` projects into the index only the table and index hashKey and sortKey attributes , `INCLUDE` projects into the index all of the attributes that are defined in `nonKeyAttributes` in addition to the attributes that that`KEYS_ONLY` project. + * The price protection threshold for Spot Instances. This is the maximum you’ll pay for a Spot Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. 
Default is 100. Conflicts with `maxSpotPriceAsPercentageOfOptimalOnDemandPrice` + * + * If you set DesiredCapacityType to vcpu or memory-mib, the price protection threshold is applied based on the per vCPU or per memory price instead of the per instance price. */ - projectionType: string; + spotMaxPricePercentageOverLowestPrice?: number; /** - * Name of the range key. + * Block describing the minimum and maximum total local storage (GB). Default is no minimum or maximum. */ - rangeKey: string; + totalLocalStorageGb?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsTotalLocalStorageGb; + /** + * Block describing the minimum and maximum number of vCPUs. Default is no maximum. + */ + vcpuCount: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsVcpuCount; } - export interface TablePointInTimeRecovery { + export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsAcceleratorCount { /** - * Whether to enable point-in-time recovery. It can take 10 minutes to enable for new tables. If the `pointInTimeRecovery` block is not provided, this defaults to `false`. + * Maximum. Set to `0` to exclude instance types with accelerators. */ - enabled: boolean; - } - - export interface TableReplica { + max?: number; /** - * ARN of the table + * Minimum. */ - arn: string; + min?: number; + } + + export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsAcceleratorTotalMemoryMib { /** - * ARN of the CMK that should be used for the AWS KMS encryption. This argument should only be used if the key is different from the default KMS-managed DynamoDB key, `alias/aws/dynamodb`. **Note:** This attribute will _not_ be populated with the ARN of _default_ keys. + * The maximum amount of accelerator memory, in MiB. To specify no maximum limit, omit this parameter. */ - kmsKeyArn: string; + max?: number; /** - * Whether to enable Point In Time Recovery for the replica. Default is `false`. + * The minimum amount of accelerator memory, in MiB. 
To specify no minimum limit, omit this parameter. */ - pointInTimeRecovery?: boolean; + min?: number; + } + + export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsBaselineEbsBandwidthMbps { /** - * Whether to propagate the global table's tags to a replica. Default is `false`. Changes to tags only move in one direction: from global (source) to replica. In other words, tag drift on a replica will not trigger an update. Tag or replica changes on the global table, whether from drift or configuration changes, are propagated to replicas. Changing from `true` to `false` on a subsequent `apply` means replica tags are left as they were, unmanaged, not deleted. + * The maximum baseline bandwidth, in Mbps. To specify no maximum limit, omit this parameter.. */ - propagateTags?: boolean; + max?: number; /** - * Region name of the replica. + * The minimum baseline bandwidth, in Mbps. To specify no minimum limit, omit this parameter.. */ - regionName: string; + min?: number; + } + + export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsMemoryGibPerVcpu { /** - * ARN of the Table Stream. Only available when `streamEnabled = true` + * The maximum amount of memory per vCPU, in GiB. To specify no maximum limit, omit this parameter. */ - streamArn: string; + max?: number; /** - * Timestamp, in ISO 8601 format, for this stream. Note that this timestamp is not a unique identifier for the stream on its own. However, the combination of AWS customer ID, table name and this field is guaranteed to be unique. It can be used for creating CloudWatch Alarms. Only available when `streamEnabled = true`. + * The minimum amount of memory per vCPU, in GiB. To specify no minimum limit, omit this parameter. 
*/ - streamLabel: string; + min?: number; } - export interface TableServerSideEncryption { + export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsMemoryMib { /** - * Whether or not to enable encryption at rest using an AWS managed KMS customer master key (CMK). If `enabled` is `false` then server-side encryption is set to AWS-_owned_ key (shown as `DEFAULT` in the AWS console). Potentially confusingly, if `enabled` is `true` and no `kmsKeyArn` is specified then server-side encryption is set to the _default_ KMS-_managed_ key (shown as `KMS` in the AWS console). The [AWS KMS documentation](https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html) explains the difference between AWS-_owned_ and KMS-_managed_ keys. + * The maximum amount of memory, in MiB. To specify no maximum limit, omit this parameter. */ - enabled: boolean; + max?: number; /** - * ARN of the CMK that should be used for the AWS KMS encryption. This argument should only be used if the key is different from the default KMS-managed DynamoDB key, `alias/aws/dynamodb`. **Note:** This attribute will _not_ be populated with the ARN of _default_ keys. + * The minimum amount of memory, in MiB. To specify no minimum limit, specify `0`. */ - kmsKeyArn: string; + min: number; } - export interface TableTtl { + export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsNetworkBandwidthGbps { /** - * Name of the table attribute to store the TTL timestamp in. - * Required if `enabled` is `true`, must not be set otherwise. + * The maximum amount of network bandwidth, in Gbps. To specify no maximum limit, omit this parameter. */ - attributeName?: string; + max?: number; /** - * Whether TTL is enabled. - * Default value is `false`. + * The minimum amount of network bandwidth, in Gbps. To specify no minimum limit, omit this parameter. 
*/ - enabled?: boolean; + min?: number; } -} - -export namespace ebs { - export interface FastSnapshotRestoreTimeouts { + export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsNetworkInterfaceCount { /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * The maximum number of network interfaces. To specify no maximum limit, omit this parameter. */ - create?: string; + max?: number; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. + * The minimum number of network interfaces. To specify no minimum limit, omit this parameter. */ - delete?: string; + min?: number; } - export interface GetEbsVolumesFilter { + export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsTotalLocalStorageGb { /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeVolumes.html). - * For example, if matching against the `size` filter, use: - * - * ```typescript - * import * as pulumi from "@pulumi/pulumi"; - * import * as aws from "@pulumi/aws"; - * - * const tenOrTwentyGbVolumes = aws.ebs.getEbsVolumes({ - * filters: [{ - * name: "size", - * values: [ - * "10", - * "20", - * ], - * }], - * }); - * ``` + * The maximum amount of total local storage, in GB. To specify no maximum limit, omit this parameter. */ - name: string; + max?: number; /** - * Set of values that are accepted for the given field. - * EBS Volume IDs will be selected if any one of the given values match. 
+ * The minimum amount of total local storage, in GB. To specify no minimum limit, omit this parameter. */ - values: string[]; - } - - export interface GetSnapshotFilter { - name: string; - values: string[]; - } - - export interface GetSnapshotIdsFilter { - name: string; - values: string[]; + min?: number; } - export interface GetVolumeFilter { - name: string; - values: string[]; + export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsVcpuCount { + /** + * The maximum number of vCPUs. To specify no maximum limit, omit this parameter. + */ + max?: number; + /** + * The minimum number of vCPUs. To specify no minimum limit, specify `0`. + */ + min: number; } - export interface SnapshotImportClientData { + export interface FleetOnDemandOptions { /** - * A user-defined comment about the disk upload. + * The order of the launch template overrides to use in fulfilling On-Demand capacity. Valid values: `lowestPrice`, `prioritized`. Default: `lowestPrice`. */ - comment?: string; + allocationStrategy?: string; /** - * The time that the disk upload ends. + * The strategy for using unused Capacity Reservations for fulfilling On-Demand capacity. Supported only for fleets of type `instant`. */ - uploadEnd: string; + capacityReservationOptions?: outputs.ec2.FleetOnDemandOptionsCapacityReservationOptions; /** - * The size of the uploaded disk image, in GiB. + * The maximum amount per hour for On-Demand Instances that you're willing to pay. */ - uploadSize: number; + maxTotalPrice?: string; /** - * The time that the disk upload starts. + * The minimum target capacity for On-Demand Instances in the fleet. If the minimum target capacity is not reached, the fleet launches no instances. Supported only for fleets of type `instant`. + * If you specify `minTargetCapacity`, at least one of the following must be specified: `singleAvailabilityZone` or `singleInstanceType`. 
*/ - uploadStart: string; + minTargetCapacity?: number; + /** + * Indicates that the fleet launches all On-Demand Instances into a single Availability Zone. Supported only for fleets of type `instant`. + */ + singleAvailabilityZone?: boolean; + /** + * Indicates that the fleet uses a single instance type to launch all On-Demand Instances in the fleet. Supported only for fleets of type `instant`. + */ + singleInstanceType?: boolean; } - export interface SnapshotImportDiskContainer { + export interface FleetOnDemandOptionsCapacityReservationOptions { /** - * The description of the disk image being imported. + * Indicates whether to use unused Capacity Reservations for fulfilling On-Demand capacity. Valid values: `use-capacity-reservations-first`. */ - description?: string; + usageStrategy?: string; + } + + export interface FleetSpotOptions { /** - * The format of the disk image being imported. One of `VHD` or `VMDK`. + * How to allocate the target capacity across the Spot pools. Valid values: `diversified`, `lowestPrice`, `capacity-optimized`, `capacity-optimized-prioritized` and `price-capacity-optimized`. Default: `lowestPrice`. */ - format: string; + allocationStrategy?: string; /** - * The URL to the Amazon S3-based disk image being imported. It can either be a https URL (https://..) or an Amazon S3 URL (s3://..). One of `url` or `userBucket` must be set. + * Behavior when a Spot Instance is interrupted. Valid values: `hibernate`, `stop`, `terminate`. Default: `terminate`. */ - url?: string; + instanceInterruptionBehavior?: string; /** - * The Amazon S3 bucket for the disk image. One of `url` or `userBucket` must be set. Detailed below. + * Number of Spot pools across which to allocate your target Spot capacity. Valid only when Spot `allocationStrategy` is set to `lowestPrice`. Default: `1`. 
*/ - userBucket?: outputs.ebs.SnapshotImportDiskContainerUserBucket; - } - - export interface SnapshotImportDiskContainerUserBucket { + instancePoolsToUseCount?: number; /** - * The name of the Amazon S3 bucket where the disk image is located. + * Nested argument containing maintenance strategies for managing your Spot Instances that are at an elevated risk of being interrupted. Defined below. */ - s3Bucket: string; + maintenanceStrategies?: outputs.ec2.FleetSpotOptionsMaintenanceStrategies; + } + + export interface FleetSpotOptionsMaintenanceStrategies { /** - * The file name of the disk image. + * Nested argument containing the capacity rebalance for your fleet request. Defined below. */ - s3Key: string; + capacityRebalance?: outputs.ec2.FleetSpotOptionsMaintenanceStrategiesCapacityRebalance; } -} - -export namespace ec2 { - export interface AmiCopyEbsBlockDevice { + export interface FleetSpotOptionsMaintenanceStrategiesCapacityRebalance { /** - * Boolean controlling whether the EBS volumes created to - * support each created instance will be deleted once that instance is terminated. + * The replacement strategy to use. Only available for fleets of `type` set to `maintain`. Valid values: `launch`. */ - deleteOnTermination: boolean; + replacementStrategy?: string; + terminationDelay?: number; + } + + export interface FleetTargetCapacitySpecification { /** - * Path at which the device is exposed to created instances. + * Default target capacity type. Valid values: `on-demand`, `spot`. */ - deviceName: string; + defaultTargetCapacityType: string; /** - * Boolean controlling whether the created EBS volumes will be encrypted. Can't be used with `snapshotId`. + * The number of On-Demand units to request. */ - encrypted: boolean; + onDemandTargetCapacity?: number; /** - * Number of I/O operations per second the - * created volumes will support. + * The number of Spot units to request. 
*/ - iops: number; + spotTargetCapacity?: number; /** - * ARN of the Outpost on which the snapshot is stored. - * - * > **Note:** You can specify `encrypted` or `snapshotId` but not both. + * The unit for the target capacity. + * If you specify `targetCapacityUnitType`, `instanceRequirements` must be specified. */ - outpostArn: string; + targetCapacityUnitType?: string; /** - * ID of an EBS snapshot that will be used to initialize the created - * EBS volumes. If set, the `volumeSize` attribute must be at least as large as the referenced - * snapshot. + * The number of units to request, filled using `defaultTargetCapacityType`. */ - snapshotId: string; + totalTargetCapacity: number; + } + + export interface FlowLogDestinationOptions { /** - * Throughput that the EBS volume supports, in MiB/s. Only valid for `volumeType` of `gp3`. + * The format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`. */ - throughput: number; + fileFormat?: string; /** - * Size of created volumes in GiB. - * If `snapshotId` is set and `volumeSize` is omitted then the volume will have the same size - * as the selected snapshot. + * Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: `false`. */ - volumeSize: number; + hiveCompatiblePartitions?: boolean; /** - * Type of EBS volume to create. Can be `standard`, `gp2`, `gp3`, `io1`, `io2`, `sc1` or `st1` (Default: `standard`). + * Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: `false`. */ - volumeType: string; + perHourPartition?: boolean; } - export interface AmiCopyEphemeralBlockDevice { + export interface GetAmiBlockDeviceMapping { /** - * Path at which the device is exposed to created instances. + * Physical name of the device. */ deviceName: string; /** - * Name for the ephemeral device, of the form "ephemeralN" where - * *N* is a volume number starting from zero. 
+ * Map containing EBS information, if the device is EBS based. Unlike most object attributes, these are accessed directly (e.g., `ebs.volume_size` or `ebs["volumeSize"]`) rather than accessed through the first element of a list (e.g., `ebs[0].volume_size`). */ - virtualName: string; - } - - export interface AmiEbsBlockDevice { + ebs: {[key: string]: string}; /** - * Boolean controlling whether the EBS volumes created to - * support each created instance will be deleted once that instance is terminated. + * Suppresses the specified device included in the block device mapping of the AMI. */ - deleteOnTermination?: boolean; + noDevice: string; /** - * Path at which the device is exposed to created instances. + * Virtual device name (for instance stores). */ - deviceName: string; + virtualName: string; + } + + export interface GetAmiFilter { /** - * Boolean controlling whether the created EBS volumes will be encrypted. Can't be used with `snapshotId`. + * Name of the AMI that was provided during image creation. */ - encrypted?: boolean; + name: string; + values: string[]; + } + + export interface GetAmiIdsFilter { + name: string; + values: string[]; + } + + export interface GetAmiProductCode { + productCodeId: string; + productCodeType: string; + } + + export interface GetCoipPoolFilter { /** - * Number of I/O operations per second the - * created volumes will support. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCoipPools.html). */ - iops?: number; + name: string; /** - * ARN of the Outpost on which the snapshot is stored. - * - * > **Note:** You can specify `encrypted` or `snapshotId` but not both. + * Set of values that are accepted for the given field. + * A COIP Pool will be selected if any one of the given values matches. 
*/ - outpostArn?: string; + values: string[]; + } + + export interface GetCoipPoolsFilter { /** - * ID of an EBS snapshot that will be used to initialize the created - * EBS volumes. If set, the `volumeSize` attribute must be at least as large as the referenced - * snapshot. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCoipPools.html). */ - snapshotId?: string; + name: string; /** - * Throughput that the EBS volume supports, in MiB/s. Only valid for `volumeType` of `gp3`. + * Set of values that are accepted for the given field. + * A COIP Pool will be selected if any one of the given values matches. */ - throughput: number; + values: string[]; + } + + export interface GetCustomerGatewayFilter { + name: string; + values: string[]; + } + + export interface GetDedicatedHostFilter { /** - * Size of created volumes in GiB. - * If `snapshotId` is set and `volumeSize` is omitted then the volume will have the same size - * as the selected snapshot. + * Name of the field to filter by, as defined by [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeHosts.html). */ - volumeSize: number; + name: string; /** - * Type of EBS volume to create. Can be `standard`, `gp2`, `gp3`, `io1`, `io2`, `sc1` or `st1` (Default: `standard`). + * Set of values that are accepted for the given field. A host will be selected if any one of the given values matches. */ - volumeType?: string; + values: string[]; } - export interface AmiEphemeralBlockDevice { + export interface GetEipsFilter { /** - * Path at which the device is exposed to created instances. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAddresses.html). 
*/ - deviceName: string; + name: string; /** - * Name for the ephemeral device, of the form "ephemeralN" where - * *N* is a volume number starting from zero. + * Set of values that are accepted for the given field. An Elastic IP will be selected if any one of the given values matches. */ - virtualName: string; + values: string[]; } - export interface AmiFromInstanceEbsBlockDevice { + export interface GetElasticIpFilter { + name: string; + values: string[]; + } + + export interface GetInstanceCreditSpecification { + cpuCredits: string; + } + + export interface GetInstanceEbsBlockDevice { /** - * Boolean controlling whether the EBS volumes created to - * support each created instance will be deleted once that instance is terminated. + * If the root block device will be deleted on termination. */ deleteOnTermination: boolean; /** - * Path at which the device is exposed to created instances. + * Physical name of the device. */ deviceName: string; /** - * Boolean controlling whether the created EBS volumes will be encrypted. Can't be used with `snapshotId`. + * If the EBS volume is encrypted. */ encrypted: boolean; /** - * Number of I/O operations per second the - * created volumes will support. + * `0` If the volume is not a provisioned IOPS image, otherwise the supported IOPS count. */ iops: number; + kmsKeyId: string; /** - * ARN of the Outpost on which the snapshot is stored. - * - * > **Note:** You can specify `encrypted` or `snapshotId` but not both. + * ID of the snapshot. */ - outpostArn: string; + snapshotId: string; /** - * ID of an EBS snapshot that will be used to initialize the created - * EBS volumes. If set, the `volumeSize` attribute must be at least as large as the referenced - * snapshot. + * Map of tags assigned to the Instance. */ - snapshotId: string; + tags: {[key: string]: string}; /** - * Throughput that the EBS volume supports, in MiB/s. Only valid for `volumeType` of `gp3`. + * Throughput of the volume, in MiB/s. 
*/ throughput: number; + volumeId: string; /** - * Size of created volumes in GiB. - * If `snapshotId` is set and `volumeSize` is omitted then the volume will have the same size - * as the selected snapshot. + * Size of the volume, in GiB. */ volumeSize: number; /** - * Type of EBS volume to create. Can be `standard`, `gp2`, `gp3`, `io1`, `io2`, `sc1` or `st1` (Default: `standard`). + * Type of the volume. */ volumeType: string; } - export interface AmiFromInstanceEphemeralBlockDevice { + export interface GetInstanceEnclaveOption { /** - * Path at which the device is exposed to created instances. + * Whether Nitro Enclaves are enabled. + */ + enabled: boolean; + } + + export interface GetInstanceEphemeralBlockDevice { + /** + * Physical name of the device. */ deviceName: string; /** - * Name for the ephemeral device, of the form "ephemeralN" where - * *N* is a volume number starting from zero. + * Whether the specified device included in the device mapping was suppressed or not (Boolean). */ - virtualName: string; - } - - export interface CapacityBlockReservationTimeouts { + noDevice?: boolean; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * Virtual device name. */ - create?: string; + virtualName?: string; } - export interface DefaultNetworkAclEgress { + export interface GetInstanceFilter { + name: string; + values: string[]; + } + + export interface GetInstanceMaintenanceOption { /** - * The action to take. + * Automatic recovery behavior of the instance. */ - action: string; + autoRecovery: string; + } + + export interface GetInstanceMetadataOption { /** - * The CIDR block to match. This must be a valid network mask. + * State of the metadata service: `enabled`, `disabled`. */ - cidrBlock?: string; + httpEndpoint: string; /** - * The from port to match. 
+ * Whether the IPv6 endpoint for the instance metadata service is `enabled` or `disabled` */ - fromPort: number; + httpProtocolIpv6: string; /** - * The ICMP type code to be used. Default 0. + * Desired HTTP PUT response hop limit for instance metadata requests. */ - icmpCode?: number; + httpPutResponseHopLimit: number; /** - * The ICMP type to be used. Default 0. + * If session tokens are required: `optional`, `required`. */ - icmpType?: number; + httpTokens: string; /** - * The IPv6 CIDR block. - * - * > For more information on ICMP types and codes, see [Internet Control Message Protocol (ICMP) Parameters](https://www.iana.org/assignments/icmp-parameters/icmp-parameters.xhtml). + * If access to instance tags is allowed from the metadata service: `enabled`, `disabled`. */ - ipv6CidrBlock?: string; + instanceMetadataTags: string; + } + + export interface GetInstancePrivateDnsNameOption { /** - * The protocol to match. If using the -1 'all' protocol, you must specify a from and to port of 0. + * Indicates whether to respond to DNS queries for instance hostnames with DNS A records. */ - protocol: string; + enableResourceNameDnsARecord: boolean; /** - * The rule number. Used for ordering. + * Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. */ - ruleNo: number; + enableResourceNameDnsAaaaRecord: boolean; /** - * The to port to match. - * - * The following arguments are optional: + * Type of hostname for EC2 instances. */ - toPort: number; - } - - export interface DefaultNetworkAclIngress { - action: string; - cidrBlock?: string; - fromPort: number; - icmpCode?: number; - icmpType?: number; - ipv6CidrBlock?: string; - protocol: string; - ruleNo: number; - toPort: number; + hostnameType: string; } - export interface DefaultRouteTableRoute { + export interface GetInstanceRootBlockDevice { /** - * The CIDR block of the route. + * If the root block device will be deleted on termination. 
*/ - cidrBlock?: string; + deleteOnTermination: boolean; /** - * The Amazon Resource Name (ARN) of a core network. + * Physical name of the device. */ - coreNetworkArn?: string; + deviceName: string; /** - * The ID of a managed prefix list destination of the route. - * - * One of the following target arguments must be supplied: + * If the EBS volume is encrypted. */ - destinationPrefixListId?: string; + encrypted: boolean; /** - * Identifier of a VPC Egress Only Internet Gateway. + * `0` If the volume is not a provisioned IOPS image, otherwise the supported IOPS count. */ - egressOnlyGatewayId?: string; + iops: number; + kmsKeyId: string; /** - * Identifier of a VPC internet gateway or a virtual private gateway. + * Map of tags assigned to the Instance. */ - gatewayId?: string; + tags: {[key: string]: string}; /** - * Identifier of an EC2 instance. + * Throughput of the volume, in MiB/s. */ - instanceId?: string; + throughput: number; + volumeId: string; /** - * The Ipv6 CIDR block of the route + * Size of the volume, in GiB. */ - ipv6CidrBlock?: string; - /** - * Identifier of a VPC NAT gateway. - */ - natGatewayId?: string; - /** - * Identifier of an EC2 network interface. - */ - networkInterfaceId?: string; - /** - * Identifier of an EC2 Transit Gateway. - */ - transitGatewayId?: string; - /** - * Identifier of a VPC Endpoint. This route must be removed prior to VPC Endpoint deletion. - */ - vpcEndpointId?: string; + volumeSize: number; /** - * Identifier of a VPC peering connection. - * - * Note that the default route, mapping the VPC's CIDR block to "local", is created implicitly and cannot be specified. + * Type of the volume. */ - vpcPeeringConnectionId?: string; + volumeType: string; } - export interface DefaultSecurityGroupEgress { - /** - * List of CIDR blocks. - */ - cidrBlocks?: string[]; - /** - * Description of this rule. 
- */ - description?: string; - /** - * Start port (or ICMP type number if protocol is `icmp`) - */ - fromPort: number; - /** - * List of IPv6 CIDR blocks. - */ - ipv6CidrBlocks?: string[]; - /** - * List of prefix list IDs (for allowing access to VPC endpoints) - */ - prefixListIds?: string[]; - /** - * Protocol. If you select a protocol of "-1" (semantically equivalent to `all`, which is not a valid value here), you must specify a `fromPort` and `toPort` equal to `0`. If not `icmp`, `tcp`, `udp`, or `-1` use the [protocol number](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml). - */ - protocol: string; - /** - * List of security groups. A group name can be used relative to the default VPC. Otherwise, group ID. - */ - securityGroups?: string[]; - /** - * Whether the security group itself will be added as a source to this egress rule. - */ - self?: boolean; + export interface GetInstanceTypeFpga { + count: number; + manufacturer: string; /** - * End range port (or ICMP code if protocol is `icmp`). + * Size of the instance memory, in MiB. */ - toPort: number; + memorySize: number; + name: string; } - export interface DefaultSecurityGroupIngress { - cidrBlocks?: string[]; + export interface GetInstanceTypeGpus { + count: number; + manufacturer: string; /** - * Description of the security group. + * Size of the instance memory, in MiB. */ - description?: string; - fromPort: number; - ipv6CidrBlocks?: string[]; - prefixListIds?: string[]; - protocol: string; - securityGroups?: string[]; - self?: boolean; - toPort: number; + memorySize: number; + name: string; } - export interface EipDomainNameTimeouts { - /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). 
- */ - create?: string; - /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. - */ - delete?: string; - /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). - */ - update?: string; + export interface GetInstanceTypeInferenceAccelerator { + count: number; + manufacturer: string; + name: string; } - export interface FleetFleetInstanceSet { - /** - * The IDs of the instances. - */ - instanceIds: string[]; - /** - * The instance type. - */ - instanceType: string; - /** - * Indicates if the instance that was launched is a Spot Instance or On-Demand Instance. - */ - lifecycle: string; - /** - * The value is `Windows` for Windows instances. Otherwise, the value is blank. - */ - platform: string; + export interface GetInstanceTypeInstanceDisk { + count: number; + size: number; + type: string; } - export interface FleetLaunchTemplateConfig { + export interface GetInstanceTypeOfferingFilter { /** - * Nested argument containing EC2 Launch Template to use. Defined below. + * Name of the filter. The `location` filter depends on the top-level `locationType` argument and if not specified, defaults to the current region. */ - launchTemplateSpecification?: outputs.ec2.FleetLaunchTemplateConfigLaunchTemplateSpecification; + name: string; /** - * Nested argument(s) containing parameters to override the same parameters in the Launch Template. Defined below. + * List of one or more values for the filter. 
*/ - overrides?: outputs.ec2.FleetLaunchTemplateConfigOverride[]; + values: string[]; } - export interface FleetLaunchTemplateConfigLaunchTemplateSpecification { - /** - * The ID of the launch template. - */ - launchTemplateId?: string; + export interface GetInstanceTypeOfferingsFilter { /** - * The name of the launch template. + * Name of the filter. The `location` filter depends on the top-level `locationType` argument and if not specified, defaults to the current region. */ - launchTemplateName?: string; + name: string; /** - * The launch template version number, `$Latest`, or `$Default.` + * List of one or more values for the filter. */ - version: string; + values: string[]; } - export interface FleetLaunchTemplateConfigOverride { - /** - * Availability Zone in which to launch the instances. - */ - availabilityZone?: string; - /** - * Override the instance type in the Launch Template with instance types that satisfy the requirements. - */ - instanceRequirements?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirements; - /** - * Instance type. - */ - instanceType?: string; + export interface GetInstanceTypesFilter { /** - * Maximum price per unit hour that you are willing to pay for a Spot Instance. + * Name of the filter. */ - maxPrice?: string; + name: string; /** - * Priority for the launch template override. If `onDemandOptions` `allocationStrategy` is set to `prioritized`, EC2 Fleet uses priority to determine which launch template override to use first in fulfilling On-Demand capacity. The highest priority is launched first. The lower the number, the higher the priority. If no number is set, the launch template override has the lowest priority. Valid values are whole numbers starting at 0. + * List of one or more values for the filter. 
*/ - priority?: number; + values: string[]; + } + + export interface GetInstancesFilter { + name: string; + values: string[]; + } + + export interface GetInternetGatewayAttachment { /** - * ID of the subnet in which to launch the instances. + * Current state of the attachment between the gateway and the VPC. Present only if a VPC is attached */ - subnetId?: string; + state: string; /** - * Number of units provided by the specified instance type. + * ID of an attached VPC. */ - weightedCapacity?: number; + vpcId: string; } - export interface FleetLaunchTemplateConfigOverrideInstanceRequirements { + export interface GetInternetGatewayFilter { /** - * Block describing the minimum and maximum number of accelerators (GPUs, FPGAs, or AWS Inferentia chips). Default is no minimum or maximum limits. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInternetGateways.html). */ - acceleratorCount?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsAcceleratorCount; + name: string; /** - * List of accelerator manufacturer names. Default is any manufacturer. + * Set of values that are accepted for the given field. + * An Internet Gateway will be selected if any one of the given values matches. */ - acceleratorManufacturers?: string[]; + values: string[]; + } + + export interface GetKeyPairFilter { /** - * List of accelerator names. Default is any acclerator. + * Name of the filter field. Valid values can be found in the [EC2 DescribeKeyPairs API Reference](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeKeyPairs.html). */ - acceleratorNames?: string[]; + name: string; /** - * Block describing the minimum and maximum total memory of the accelerators. Default is no minimum or maximum. + * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. 
*/ - acceleratorTotalMemoryMib?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsAcceleratorTotalMemoryMib; + values: string[]; + } + + export interface GetLaunchConfigurationEbsBlockDevice { /** - * The accelerator types that must be on the instance type. Default is any accelerator type. + * Whether the EBS Volume will be deleted on instance termination. */ - acceleratorTypes?: string[]; + deleteOnTermination: boolean; /** - * The instance types to apply your specified attributes against. All other instance types are ignored, even if they match your specified attributes. You can use strings with one or more wild cards,represented by an asterisk (\*). The following are examples: `c5*`, `m5a.*`, `r*`, `*3*`. For example, if you specify `c5*`, you are excluding the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*`, you are excluding all the M5a instance types, but not the M5n instance types. Maximum of 400 entries in the list; each entry is limited to 30 characters. Default is no excluded instance types. Default is any instance type. - * - * If you specify `AllowedInstanceTypes`, you can't specify `ExcludedInstanceTypes`. + * Name of the device. */ - allowedInstanceTypes?: string[]; + deviceName: string; /** - * Indicate whether bare metal instace types should be `included`, `excluded`, or `required`. Default is `excluded`. + * Whether the volume is Encrypted. */ - bareMetal?: string; + encrypted: boolean; /** - * Block describing the minimum and maximum baseline EBS bandwidth, in Mbps. Default is no minimum or maximum. + * Provisioned IOPs of the volume. */ - baselineEbsBandwidthMbps?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsBaselineEbsBandwidthMbps; + iops: number; /** - * Indicates whether burstable performance T instance types are `included`, `excluded`, or `required`. Default is `excluded`. + * Whether the device in the block device mapping of the AMI is suppressed. 
*/ - burstablePerformance?: string; + noDevice: boolean; /** - * The CPU manufacturers to include. Default is any manufacturer. - * > **NOTE:** Don't confuse the CPU hardware manufacturer with the CPU hardware architecture. Instances will be launched with a compatible CPU architecture based on the Amazon Machine Image (AMI) that you specify in your launch template. + * Snapshot ID of the mount. */ - cpuManufacturers?: string[]; + snapshotId: string; /** - * The instance types to exclude. You can use strings with one or more wild cards, represented by an asterisk (\*). The following are examples: `c5*`, `m5a.*`, `r*`, `*3*`. For example, if you specify `c5*`, you are excluding the entire C5 instance family, which includes all C5a and C5n instance types. If you specify `m5a.*`, you are excluding all the M5a instance types, but not the M5n instance types. Maximum of 400 entries in the list; each entry is limited to 30 characters. Default is no excluded instance types. - * - * If you specify `AllowedInstanceTypes`, you can't specify `ExcludedInstanceTypes`. + * Throughput of the volume. */ - excludedInstanceTypes?: string[]; + throughput: number; /** - * Indicates whether current or previous generation instance types are included. The current generation instance types are recommended for use. Valid values are `current` and `previous`. Default is `current` and `previous` generation instance types. + * Size of the volume. */ - instanceGenerations?: string[]; + volumeSize: number; /** - * Indicate whether instance types with local storage volumes are `included`, `excluded`, or `required`. Default is `included`. + * Type of the volume. */ - localStorage?: string; + volumeType: string; + } + + export interface GetLaunchConfigurationEphemeralBlockDevice { /** - * List of local storage type names. Valid values are `hdd` and `ssd`. Default any storage type. + * Name of the device. 
*/ - localStorageTypes?: string[]; + deviceName: string; /** - * The price protection threshold for Spot Instances. This is the maximum you’ll pay for a Spot Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Conflicts with `spotMaxPricePercentageOverLowestPrice` + * Virtual Name of the device. */ - maxSpotPriceAsPercentageOfOptimalOnDemandPrice?: number; + virtualName: string; + } + + export interface GetLaunchConfigurationMetadataOption { /** - * Block describing the minimum and maximum amount of memory (GiB) per vCPU. Default is no minimum or maximum. + * State of the metadata service: `enabled`, `disabled`. */ - memoryGibPerVcpu?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsMemoryGibPerVcpu; + httpEndpoint: string; /** - * The minimum and maximum amount of memory per vCPU, in GiB. Default is no minimum or maximum limits. + * The desired HTTP PUT response hop limit for instance metadata requests. */ - memoryMib: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsMemoryMib; + httpPutResponseHopLimit: number; /** - * The minimum and maximum amount of network bandwidth, in gigabits per second (Gbps). Default is No minimum or maximum. + * If session tokens are required: `optional`, `required`. */ - networkBandwidthGbps?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsNetworkBandwidthGbps; + httpTokens: string; + } + + export interface GetLaunchConfigurationRootBlockDevice { /** - * Block describing the minimum and maximum number of network interfaces. Default is no minimum or maximum. 
+ * Whether the EBS Volume will be deleted on instance termination. */ - networkInterfaceCount?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsNetworkInterfaceCount; + deleteOnTermination: boolean; /** - * The price protection threshold for On-Demand Instances. This is the maximum you’ll pay for an On-Demand Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Default is 20. - * - * If you set `targetCapacityUnitType` to `vcpu` or `memory-mib`, the price protection threshold is applied based on the per-vCPU or per-memory price instead of the per-instance price. + * Whether the volume is Encrypted. */ - onDemandMaxPricePercentageOverLowestPrice?: number; + encrypted: boolean; /** - * Indicate whether instance types must support On-Demand Instance Hibernation, either `true` or `false`. Default is `false`. + * Provisioned IOPs of the volume. */ - requireHibernateSupport?: boolean; + iops: number; /** - * The price protection threshold for Spot Instances. This is the maximum you’ll pay for a Spot Instance, expressed as a percentage higher than the cheapest M, C, or R instance type with your specified attributes. When Amazon EC2 Auto Scaling selects instance types with your attributes, we will exclude instance types whose price is higher than your threshold. The parameter accepts an integer, which Amazon EC2 Auto Scaling interprets as a percentage. To turn off price protection, specify a high value, such as 999999. Default is 100. 
Conflicts with `maxSpotPriceAsPercentageOfOptimalOnDemandPrice` - * - * If you set DesiredCapacityType to vcpu or memory-mib, the price protection threshold is applied based on the per vCPU or per memory price instead of the per instance price. + * Throughput of the volume. */ - spotMaxPricePercentageOverLowestPrice?: number; + throughput: number; /** - * Block describing the minimum and maximum total local storage (GB). Default is no minimum or maximum. + * Size of the volume. */ - totalLocalStorageGb?: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsTotalLocalStorageGb; + volumeSize: number; /** - * Block describing the minimum and maximum number of vCPUs. Default is no maximum. + * Type of the volume. */ - vcpuCount: outputs.ec2.FleetLaunchTemplateConfigOverrideInstanceRequirementsVcpuCount; + volumeType: string; } - export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsAcceleratorCount { - /** - * Maximum. Set to `0` to exclude instance types with accelerators. - */ - max?: number; - /** - * Minimum. - */ - min?: number; + export interface GetLaunchTemplateBlockDeviceMapping { + deviceName: string; + ebs: outputs.ec2.GetLaunchTemplateBlockDeviceMappingEb[]; + noDevice: string; + virtualName: string; } - export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsAcceleratorTotalMemoryMib { - /** - * The maximum amount of accelerator memory, in MiB. To specify no maximum limit, omit this parameter. - */ - max?: number; - /** - * The minimum amount of accelerator memory, in MiB. To specify no minimum limit, omit this parameter. 
- */ - min?: number; + export interface GetLaunchTemplateBlockDeviceMappingEb { + deleteOnTermination: string; + encrypted: string; + iops: number; + kmsKeyId: string; + snapshotId: string; + throughput: number; + volumeSize: number; + volumeType: string; } - export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsBaselineEbsBandwidthMbps { - /** - * The maximum baseline bandwidth, in Mbps. To specify no maximum limit, omit this parameter.. - */ - max?: number; - /** - * The minimum baseline bandwidth, in Mbps. To specify no minimum limit, omit this parameter.. - */ - min?: number; + export interface GetLaunchTemplateCapacityReservationSpecification { + capacityReservationPreference: string; + capacityReservationTargets: outputs.ec2.GetLaunchTemplateCapacityReservationSpecificationCapacityReservationTarget[]; } - export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsMemoryGibPerVcpu { - /** - * The maximum amount of memory per vCPU, in GiB. To specify no maximum limit, omit this parameter. - */ - max?: number; - /** - * The minimum amount of memory per vCPU, in GiB. To specify no minimum limit, omit this parameter. - */ - min?: number; + export interface GetLaunchTemplateCapacityReservationSpecificationCapacityReservationTarget { + capacityReservationId: string; + capacityReservationResourceGroupArn: string; } - export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsMemoryMib { - /** - * The maximum amount of memory, in MiB. To specify no maximum limit, omit this parameter. - */ - max?: number; - /** - * The minimum amount of memory, in MiB. To specify no minimum limit, specify `0`. - */ - min: number; + export interface GetLaunchTemplateCpuOption { + amdSevSnp: string; + coreCount: number; + threadsPerCore: number; } - export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsNetworkBandwidthGbps { - /** - * The maximum amount of network bandwidth, in Gbps. To specify no maximum limit, omit this parameter. 
- */ - max?: number; - /** - * The minimum amount of network bandwidth, in Gbps. To specify no minimum limit, omit this parameter. - */ - min?: number; + export interface GetLaunchTemplateCreditSpecification { + cpuCredits: string; } - export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsNetworkInterfaceCount { - /** - * The maximum number of network interfaces. To specify no maximum limit, omit this parameter. - */ - max?: number; - /** - * The minimum number of network interfaces. To specify no minimum limit, omit this parameter. - */ - min?: number; + export interface GetLaunchTemplateElasticGpuSpecification { + type: string; } - export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsTotalLocalStorageGb { - /** - * The maximum amount of total local storage, in GB. To specify no maximum limit, omit this parameter. - */ - max?: number; - /** - * The minimum amount of total local storage, in GB. To specify no minimum limit, omit this parameter. - */ - min?: number; + export interface GetLaunchTemplateElasticInferenceAccelerator { + type: string; } - export interface FleetLaunchTemplateConfigOverrideInstanceRequirementsVcpuCount { - /** - * The maximum number of vCPUs. To specify no maximum limit, omit this parameter. - */ - max?: number; - /** - * The minimum number of vCPUs. To specify no minimum limit, specify `0`. - */ - min: number; + export interface GetLaunchTemplateEnclaveOption { + enabled: boolean; } - export interface FleetOnDemandOptions { - /** - * The order of the launch template overrides to use in fulfilling On-Demand capacity. Valid values: `lowestPrice`, `prioritized`. Default: `lowestPrice`. - */ - allocationStrategy?: string; - /** - * The strategy for using unused Capacity Reservations for fulfilling On-Demand capacity. Supported only for fleets of type `instant`. 
- */ - capacityReservationOptions?: outputs.ec2.FleetOnDemandOptionsCapacityReservationOptions; - /** - * The maximum amount per hour for On-Demand Instances that you're willing to pay. - */ - maxTotalPrice?: string; - /** - * The minimum target capacity for On-Demand Instances in the fleet. If the minimum target capacity is not reached, the fleet launches no instances. Supported only for fleets of type `instant`. - * If you specify `minTargetCapacity`, at least one of the following must be specified: `singleAvailabilityZone` or `singleInstanceType`. - */ - minTargetCapacity?: number; + export interface GetLaunchTemplateFilter { /** - * Indicates that the fleet launches all On-Demand Instances into a single Availability Zone. Supported only for fleets of type `instant`. + * Name of the filter field. Valid values can be found in the [EC2 DescribeLaunchTemplates API Reference](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLaunchTemplates.html). */ - singleAvailabilityZone?: boolean; + name: string; /** - * Indicates that the fleet uses a single instance type to launch all On-Demand Instances in the fleet. Supported only for fleets of type `instant`. + * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. */ - singleInstanceType?: boolean; + values: string[]; } - export interface FleetOnDemandOptionsCapacityReservationOptions { - /** - * Indicates whether to use unused Capacity Reservations for fulfilling On-Demand capacity. Valid values: `use-capacity-reservations-first`. - */ - usageStrategy?: string; + export interface GetLaunchTemplateHibernationOption { + configured: boolean; } - export interface FleetSpotOptions { - /** - * How to allocate the target capacity across the Spot pools. Valid values: `diversified`, `lowestPrice`, `capacity-optimized`, `capacity-optimized-prioritized` and `price-capacity-optimized`. Default: `lowestPrice`. 
- */ - allocationStrategy?: string; - /** - * Behavior when a Spot Instance is interrupted. Valid values: `hibernate`, `stop`, `terminate`. Default: `terminate`. - */ - instanceInterruptionBehavior?: string; - /** - * Number of Spot pools across which to allocate your target Spot capacity. Valid only when Spot `allocationStrategy` is set to `lowestPrice`. Default: `1`. - */ - instancePoolsToUseCount?: number; + export interface GetLaunchTemplateIamInstanceProfile { + arn: string; /** - * Nested argument containing maintenance strategies for managing your Spot Instances that are at an elevated risk of being interrupted. Defined below. + * Name of the launch template. */ - maintenanceStrategies?: outputs.ec2.FleetSpotOptionsMaintenanceStrategies; + name: string; } - export interface FleetSpotOptionsMaintenanceStrategies { - /** - * Nested argument containing the capacity rebalance for your fleet request. Defined below. - */ - capacityRebalance?: outputs.ec2.FleetSpotOptionsMaintenanceStrategiesCapacityRebalance; + export interface GetLaunchTemplateInstanceMarketOption { + marketType: string; + spotOptions: outputs.ec2.GetLaunchTemplateInstanceMarketOptionSpotOption[]; } - export interface FleetSpotOptionsMaintenanceStrategiesCapacityRebalance { - /** - * The replacement strategy to use. Only available for fleets of `type` set to `maintain`. Valid values: `launch`. - */ - replacementStrategy?: string; - terminationDelay?: number; + export interface GetLaunchTemplateInstanceMarketOptionSpotOption { + blockDurationMinutes: number; + instanceInterruptionBehavior: string; + maxPrice: string; + spotInstanceType: string; + validUntil: string; } - export interface FleetTargetCapacitySpecification { - /** - * Default target capacity type. Valid values: `on-demand`, `spot`. - */ - defaultTargetCapacityType: string; - /** - * The number of On-Demand units to request. - */ - onDemandTargetCapacity?: number; - /** - * The number of Spot units to request. 
- */ - spotTargetCapacity?: number; - /** - * The unit for the target capacity. - * If you specify `targetCapacityUnitType`, `instanceRequirements` must be specified. - */ - targetCapacityUnitType?: string; - /** - * The number of units to request, filled using `defaultTargetCapacityType`. - */ - totalTargetCapacity: number; - } - - export interface FlowLogDestinationOptions { - /** - * The format for the flow log. Default value: `plain-text`. Valid values: `plain-text`, `parquet`. - */ - fileFormat?: string; - /** - * Indicates whether to use Hive-compatible prefixes for flow logs stored in Amazon S3. Default value: `false`. - */ - hiveCompatiblePartitions?: boolean; - /** - * Indicates whether to partition the flow log per hour. This reduces the cost and response time for queries. Default value: `false`. - */ - perHourPartition?: boolean; + export interface GetLaunchTemplateInstanceRequirement { + acceleratorCounts: outputs.ec2.GetLaunchTemplateInstanceRequirementAcceleratorCount[]; + acceleratorManufacturers: string[]; + acceleratorNames: string[]; + acceleratorTotalMemoryMibs: outputs.ec2.GetLaunchTemplateInstanceRequirementAcceleratorTotalMemoryMib[]; + acceleratorTypes: string[]; + allowedInstanceTypes: string[]; + bareMetal: string; + baselineEbsBandwidthMbps: outputs.ec2.GetLaunchTemplateInstanceRequirementBaselineEbsBandwidthMbp[]; + burstablePerformance: string; + cpuManufacturers: string[]; + excludedInstanceTypes: string[]; + instanceGenerations: string[]; + localStorage: string; + localStorageTypes: string[]; + maxSpotPriceAsPercentageOfOptimalOnDemandPrice: number; + memoryGibPerVcpus: outputs.ec2.GetLaunchTemplateInstanceRequirementMemoryGibPerVcpus[]; + memoryMibs: outputs.ec2.GetLaunchTemplateInstanceRequirementMemoryMib[]; + networkBandwidthGbps: outputs.ec2.GetLaunchTemplateInstanceRequirementNetworkBandwidthGbp[]; + networkInterfaceCounts: outputs.ec2.GetLaunchTemplateInstanceRequirementNetworkInterfaceCount[]; + 
onDemandMaxPricePercentageOverLowestPrice: number; + requireHibernateSupport: boolean; + spotMaxPricePercentageOverLowestPrice: number; + totalLocalStorageGbs: outputs.ec2.GetLaunchTemplateInstanceRequirementTotalLocalStorageGb[]; + vcpuCounts: outputs.ec2.GetLaunchTemplateInstanceRequirementVcpuCount[]; } - export interface GetAmiBlockDeviceMapping { - /** - * Physical name of the device. - */ - deviceName: string; - /** - * Map containing EBS information, if the device is EBS based. Unlike most object attributes, these are accessed directly (e.g., `ebs.volume_size` or `ebs["volumeSize"]`) rather than accessed through the first element of a list (e.g., `ebs[0].volume_size`). - */ - ebs: {[key: string]: string}; - /** - * Suppresses the specified device included in the block device mapping of the AMI. - */ - noDevice: string; - /** - * Virtual device name (for instance stores). - */ - virtualName: string; + export interface GetLaunchTemplateInstanceRequirementAcceleratorCount { + max: number; + min: number; } - export interface GetAmiFilter { - /** - * Name of the AMI that was provided during image creation. - */ - name: string; - values: string[]; + export interface GetLaunchTemplateInstanceRequirementAcceleratorTotalMemoryMib { + max: number; + min: number; } - export interface GetAmiIdsFilter { - name: string; - values: string[]; + export interface GetLaunchTemplateInstanceRequirementBaselineEbsBandwidthMbp { + max: number; + min: number; } - export interface GetAmiProductCode { - productCodeId: string; - productCodeType: string; + export interface GetLaunchTemplateInstanceRequirementMemoryGibPerVcpus { + max: number; + min: number; } - export interface GetCoipPoolFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCoipPools.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. 
- * A COIP Pool will be selected if any one of the given values matches. - */ - values: string[]; + export interface GetLaunchTemplateInstanceRequirementMemoryMib { + max: number; + min: number; } - export interface GetCoipPoolsFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeCoipPools.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. - * A COIP Pool will be selected if any one of the given values matches. - */ - values: string[]; + export interface GetLaunchTemplateInstanceRequirementNetworkBandwidthGbp { + max: number; + min: number; } - export interface GetCustomerGatewayFilter { - name: string; - values: string[]; + export interface GetLaunchTemplateInstanceRequirementNetworkInterfaceCount { + max: number; + min: number; } - export interface GetDedicatedHostFilter { - /** - * Name of the field to filter by, as defined by [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeHosts.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. A host will be selected if any one of the given values matches. - */ - values: string[]; + export interface GetLaunchTemplateInstanceRequirementTotalLocalStorageGb { + max: number; + min: number; } - export interface GetEipsFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeAddresses.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. An Elastic IP will be selected if any one of the given values matches. 
- */ - values: string[]; + export interface GetLaunchTemplateInstanceRequirementVcpuCount { + max: number; + min: number; } - export interface GetElasticIpFilter { - name: string; - values: string[]; + export interface GetLaunchTemplateLicenseSpecification { + licenseConfigurationArn: string; } - export interface GetInstanceCreditSpecification { - cpuCredits: string; + export interface GetLaunchTemplateMaintenanceOption { + autoRecovery: string; } - export interface GetInstanceEbsBlockDevice { - /** - * If the root block device will be deleted on termination. - */ - deleteOnTermination: boolean; - /** - * Physical name of the device. - */ - deviceName: string; - /** - * If the EBS volume is encrypted. - */ - encrypted: boolean; - /** - * `0` If the volume is not a provisioned IOPS image, otherwise the supported IOPS count. - */ - iops: number; - kmsKeyId: string; - /** - * ID of the snapshot. - */ - snapshotId: string; - /** - * Map of tags assigned to the Instance. - */ - tags: {[key: string]: string}; - /** - * Throughput of the volume, in MiB/s. - */ - throughput: number; - volumeId: string; - /** - * Size of the volume, in GiB. - */ - volumeSize: number; - /** - * Type of the volume. - */ - volumeType: string; + export interface GetLaunchTemplateMetadataOption { + httpEndpoint: string; + httpProtocolIpv6: string; + httpPutResponseHopLimit: number; + httpTokens: string; + instanceMetadataTags: string; } - export interface GetInstanceEnclaveOption { - /** - * Whether Nitro Enclaves are enabled. - */ + export interface GetLaunchTemplateMonitoring { enabled: boolean; } - export interface GetInstanceEphemeralBlockDevice { - /** - * Physical name of the device. - */ - deviceName: string; - /** - * Whether the specified device included in the device mapping was suppressed or not (Boolean). - */ - noDevice?: boolean; - /** - * Virtual device name. 
- */ - virtualName?: string; - } - - export interface GetInstanceFilter { - name: string; - values: string[]; - } - - export interface GetInstanceMaintenanceOption { - /** - * Automatic recovery behavior of the instance. - */ - autoRecovery: string; + export interface GetLaunchTemplateNetworkInterface { + associateCarrierIpAddress: string; + associatePublicIpAddress?: boolean; + deleteOnTermination?: boolean; + description: string; + deviceIndex: number; + interfaceType: string; + ipv4AddressCount: number; + ipv4Addresses: string[]; + ipv4PrefixCount: number; + ipv4Prefixes: string[]; + ipv6AddressCount: number; + ipv6Addresses: string[]; + ipv6PrefixCount: number; + ipv6Prefixes: string[]; + networkCardIndex: number; + networkInterfaceId: string; + privateIpAddress: string; + securityGroups: string[]; + subnetId: string; } - export interface GetInstanceMetadataOption { - /** - * State of the metadata service: `enabled`, `disabled`. - */ - httpEndpoint: string; - /** - * Whether the IPv6 endpoint for the instance metadata service is `enabled` or `disabled` - */ - httpProtocolIpv6: string; - /** - * Desired HTTP PUT response hop limit for instance metadata requests. - */ - httpPutResponseHopLimit: number; - /** - * If session tokens are required: `optional`, `required`. - */ - httpTokens: string; - /** - * If access to instance tags is allowed from the metadata service: `enabled`, `disabled`. - */ - instanceMetadataTags: string; + export interface GetLaunchTemplatePlacement { + affinity: string; + availabilityZone: string; + groupName: string; + hostId: string; + hostResourceGroupArn: string; + partitionNumber: number; + spreadDomain: string; + tenancy: string; } - export interface GetInstancePrivateDnsNameOption { - /** - * Indicates whether to respond to DNS queries for instance hostnames with DNS A records. 
- */ + export interface GetLaunchTemplatePrivateDnsNameOption { enableResourceNameDnsARecord: boolean; - /** - * Indicates whether to respond to DNS queries for instance hostnames with DNS AAAA records. - */ enableResourceNameDnsAaaaRecord: boolean; - /** - * Type of hostname for EC2 instances. - */ hostnameType: string; } - export interface GetInstanceRootBlockDevice { - /** - * If the root block device will be deleted on termination. - */ - deleteOnTermination: boolean; - /** - * Physical name of the device. - */ - deviceName: string; - /** - * If the EBS volume is encrypted. - */ - encrypted: boolean; - /** - * `0` If the volume is not a provisioned IOPS image, otherwise the supported IOPS count. - */ - iops: number; - kmsKeyId: string; + export interface GetLaunchTemplateTagSpecification { + resourceType: string; /** - * Map of tags assigned to the Instance. + * Map of tags, each pair of which must exactly match a pair on the desired Launch Template. */ tags: {[key: string]: string}; + } + + export interface GetLocalGatewayFilter { /** - * Throughput of the volume, in MiB/s. - */ - throughput: number; - volumeId: string; - /** - * Size of the volume, in GiB. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGateways.html). */ - volumeSize: number; + name: string; /** - * Type of the volume. + * Set of values that are accepted for the given field. + * A Local Gateway will be selected if any one of the given values matches. */ - volumeType: string; + values: string[]; } - export interface GetInstanceTypeFpga { - count: number; - manufacturer: string; + export interface GetLocalGatewayRouteTableFilter { /** - * Size of the instance memory, in MiB. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGatewayRouteTables.html). 
*/ - memorySize: number; name: string; - } - - export interface GetInstanceTypeGpus { - count: number; - manufacturer: string; /** - * Size of the instance memory, in MiB. + * Set of values that are accepted for the given field. + * A local gateway route table will be selected if any one of the given values matches. */ - memorySize: number; - name: string; - } - - export interface GetInstanceTypeInferenceAccelerator { - count: number; - manufacturer: string; - name: string; - } - - export interface GetInstanceTypeInstanceDisk { - count: number; - size: number; - type: string; + values: string[]; } - export interface GetInstanceTypeOfferingFilter { + export interface GetLocalGatewayRouteTablesFilter { /** - * Name of the filter. The `location` filter depends on the top-level `locationType` argument and if not specified, defaults to the current region. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGatewayRouteTables.html). */ name: string; /** - * List of one or more values for the filter. + * Set of values that are accepted for the given field. + * A Local Gateway Route Table will be selected if any one of the given values matches. */ values: string[]; } - export interface GetInstanceTypeOfferingsFilter { + export interface GetLocalGatewayVirtualInterfaceFilter { /** - * Name of the filter. The `location` filter depends on the top-level `locationType` argument and if not specified, defaults to the current region. + * Name of the filter. */ name: string; /** @@ -23191,7 +22823,7 @@ export namespace ec2 { values: string[]; } - export interface GetInstanceTypesFilter { + export interface GetLocalGatewayVirtualInterfaceGroupFilter { /** * Name of the filter. */ 
@@ -23202,38 +22834,38 @@ export namespace ec2 { values: string[]; } - export interface GetInstancesFilter { - name: string; - values: string[]; - } - - export interface GetInternetGatewayAttachment { + export interface GetLocalGatewayVirtualInterfaceGroupsFilter { /** - * Current state of the attachment between the gateway and the VPC. Present only if a VPC is attached + * Name of the filter. */ - state: string; + name: string; /** - * ID of an attached VPC. + * List of one or more values for the filter. */ - vpcId: string; + values: string[]; } - export interface GetInternetGatewayFilter { + export interface GetLocalGatewaysFilter { /** * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInternetGateways.html). + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGateways.html). */ name: string; /** * Set of values that are accepted for the given field. - * An Internet Gateway will be selected if any one of the given values matches. + * A Local Gateway will be selected if any one of the given values matches. */ values: string[]; } - export interface GetKeyPairFilter { + export interface GetManagedPrefixListEntry { + cidr: string; + description: string; + } + + export interface GetManagedPrefixListFilter { /** - * Name of the filter field. Valid values can be found in the [EC2 DescribeKeyPairs API Reference](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeKeyPairs.html). + * Name of the filter field. Valid values can be found in the EC2 [DescribeManagedPrefixLists](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeManagedPrefixLists.html) API Reference. */ name: string; /** 
@@ -23242,479 +22874,61 @@ export namespace ec2 { values: string[]; } - export interface GetLaunchConfigurationEbsBlockDevice { - /** - * Whether the EBS Volume will be deleted on instance termination. - */ - deleteOnTermination: boolean; - /** - * Name of the device. - */ - deviceName: string; - /** - * Whether the volume is Encrypted. - */ - encrypted: boolean; - /** - * Provisioned IOPs of the volume. - */ - iops: number; - /** - * Whether the device in the block device mapping of the AMI is suppressed. - */ - noDevice: boolean; - /** - * Snapshot ID of the mount. - */ - snapshotId: string; - /** - * Throughput of the volume. - */ - throughput: number; + export interface GetManagedPrefixListsFilter { /** - * Size of the volume. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeManagedPrefixLists.html). */ - volumeSize: number; + name: string; /** - * Type of the volume. + * Set of values that are accepted for the given field. + * A managed prefix list will be selected if any one of the given values matches. */ - volumeType: string; + values: string[]; } - export interface GetLaunchConfigurationEphemeralBlockDevice { + export interface GetNatGatewayFilter { /** - * Name of the device. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNatGateways.html). */ - deviceName: string; + name: string; /** - * Virtual Name of the device. + * Set of values that are accepted for the given field. + * An Nat Gateway will be selected if any one of the given values matches. */ - virtualName: string; + values: string[]; } - export interface GetLaunchConfigurationMetadataOption { - /** - * State of the metadata service: `enabled`, `disabled`. - */ - httpEndpoint: string; + export interface GetNatGatewaysFilter { /** - * The desired HTTP PUT response hop limit for instance metadata requests. 
+ * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNatGateways.html). */ - httpPutResponseHopLimit: number; + name: string; /** - * If session tokens are required: `optional`, `required`. + * Set of values that are accepted for the given field. + * A Nat Gateway will be selected if any one of the given values matches. */ - httpTokens: string; + values: string[]; } - export interface GetLaunchConfigurationRootBlockDevice { - /** - * Whether the EBS Volume will be deleted on instance termination. - */ - deleteOnTermination: boolean; - /** - * Whether the volume is Encrypted. - */ - encrypted: boolean; - /** - * Provisioned IOPs of the volume. - */ - iops: number; - /** - * Throughput of the volume. - */ - throughput: number; + export interface GetNetworkAclsFilter { /** - * Size of the volume. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkAcls.html). */ - volumeSize: number; + name: string; /** - * Type of the volume. + * Set of values that are accepted for the given field. + * A VPC will be selected if any one of the given values matches. 
*/ - volumeType: string; + values: string[]; } - export interface GetLaunchTemplateBlockDeviceMapping { - deviceName: string; - ebs: outputs.ec2.GetLaunchTemplateBlockDeviceMappingEb[]; - noDevice: string; - virtualName: string; - } - - export interface GetLaunchTemplateBlockDeviceMappingEb { - deleteOnTermination: string; - encrypted: string; - iops: number; - kmsKeyId: string; - snapshotId: string; - throughput: number; - volumeSize: number; - volumeType: string; - } - - export interface GetLaunchTemplateCapacityReservationSpecification { - capacityReservationPreference: string; - capacityReservationTargets: outputs.ec2.GetLaunchTemplateCapacityReservationSpecificationCapacityReservationTarget[]; - } - - export interface GetLaunchTemplateCapacityReservationSpecificationCapacityReservationTarget { - capacityReservationId: string; - capacityReservationResourceGroupArn: string; - } - - export interface GetLaunchTemplateCpuOption { - amdSevSnp: string; - coreCount: number; - threadsPerCore: number; - } - - export interface GetLaunchTemplateCreditSpecification { - cpuCredits: string; - } - - export interface GetLaunchTemplateElasticGpuSpecification { - type: string; - } - - export interface GetLaunchTemplateElasticInferenceAccelerator { - type: string; - } - - export interface GetLaunchTemplateEnclaveOption { - enabled: boolean; - } - - export interface GetLaunchTemplateFilter { - /** - * Name of the filter field. Valid values can be found in the [EC2 DescribeLaunchTemplates API Reference](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLaunchTemplates.html). - */ - name: string; - /** - * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. - */ - values: string[]; - } - - export interface GetLaunchTemplateHibernationOption { - configured: boolean; - } - - export interface GetLaunchTemplateIamInstanceProfile { - arn: string; - /** - * Name of the launch template. 
- */ - name: string; - } - - export interface GetLaunchTemplateInstanceMarketOption { - marketType: string; - spotOptions: outputs.ec2.GetLaunchTemplateInstanceMarketOptionSpotOption[]; - } - - export interface GetLaunchTemplateInstanceMarketOptionSpotOption { - blockDurationMinutes: number; - instanceInterruptionBehavior: string; - maxPrice: string; - spotInstanceType: string; - validUntil: string; - } - - export interface GetLaunchTemplateInstanceRequirement { - acceleratorCounts: outputs.ec2.GetLaunchTemplateInstanceRequirementAcceleratorCount[]; - acceleratorManufacturers: string[]; - acceleratorNames: string[]; - acceleratorTotalMemoryMibs: outputs.ec2.GetLaunchTemplateInstanceRequirementAcceleratorTotalMemoryMib[]; - acceleratorTypes: string[]; - allowedInstanceTypes: string[]; - bareMetal: string; - baselineEbsBandwidthMbps: outputs.ec2.GetLaunchTemplateInstanceRequirementBaselineEbsBandwidthMbp[]; - burstablePerformance: string; - cpuManufacturers: string[]; - excludedInstanceTypes: string[]; - instanceGenerations: string[]; - localStorage: string; - localStorageTypes: string[]; - maxSpotPriceAsPercentageOfOptimalOnDemandPrice: number; - memoryGibPerVcpus: outputs.ec2.GetLaunchTemplateInstanceRequirementMemoryGibPerVcpus[]; - memoryMibs: outputs.ec2.GetLaunchTemplateInstanceRequirementMemoryMib[]; - networkBandwidthGbps: outputs.ec2.GetLaunchTemplateInstanceRequirementNetworkBandwidthGbp[]; - networkInterfaceCounts: outputs.ec2.GetLaunchTemplateInstanceRequirementNetworkInterfaceCount[]; - onDemandMaxPricePercentageOverLowestPrice: number; - requireHibernateSupport: boolean; - spotMaxPricePercentageOverLowestPrice: number; - totalLocalStorageGbs: outputs.ec2.GetLaunchTemplateInstanceRequirementTotalLocalStorageGb[]; - vcpuCounts: outputs.ec2.GetLaunchTemplateInstanceRequirementVcpuCount[]; - } - - export interface GetLaunchTemplateInstanceRequirementAcceleratorCount { - max: number; - min: number; - } - - export interface 
GetLaunchTemplateInstanceRequirementAcceleratorTotalMemoryMib { - max: number; - min: number; - } - - export interface GetLaunchTemplateInstanceRequirementBaselineEbsBandwidthMbp { - max: number; - min: number; - } - - export interface GetLaunchTemplateInstanceRequirementMemoryGibPerVcpus { - max: number; - min: number; - } - - export interface GetLaunchTemplateInstanceRequirementMemoryMib { - max: number; - min: number; - } - - export interface GetLaunchTemplateInstanceRequirementNetworkBandwidthGbp { - max: number; - min: number; - } - - export interface GetLaunchTemplateInstanceRequirementNetworkInterfaceCount { - max: number; - min: number; - } - - export interface GetLaunchTemplateInstanceRequirementTotalLocalStorageGb { - max: number; - min: number; - } - - export interface GetLaunchTemplateInstanceRequirementVcpuCount { - max: number; - min: number; - } - - export interface GetLaunchTemplateLicenseSpecification { - licenseConfigurationArn: string; - } - - export interface GetLaunchTemplateMaintenanceOption { - autoRecovery: string; - } - - export interface GetLaunchTemplateMetadataOption { - httpEndpoint: string; - httpProtocolIpv6: string; - httpPutResponseHopLimit: number; - httpTokens: string; - instanceMetadataTags: string; - } - - export interface GetLaunchTemplateMonitoring { - enabled: boolean; - } - - export interface GetLaunchTemplateNetworkInterface { - associateCarrierIpAddress: string; - associatePublicIpAddress?: boolean; - deleteOnTermination?: boolean; - description: string; - deviceIndex: number; - interfaceType: string; - ipv4AddressCount: number; - ipv4Addresses: string[]; - ipv4PrefixCount: number; - ipv4Prefixes: string[]; - ipv6AddressCount: number; - ipv6Addresses: string[]; - ipv6PrefixCount: number; - ipv6Prefixes: string[]; - networkCardIndex: number; - networkInterfaceId: string; - privateIpAddress: string; - securityGroups: string[]; - subnetId: string; - } - - export interface GetLaunchTemplatePlacement { - affinity: string; - 
availabilityZone: string; - groupName: string; - hostId: string; - hostResourceGroupArn: string; - partitionNumber: number; - spreadDomain: string; - tenancy: string; - } - - export interface GetLaunchTemplatePrivateDnsNameOption { - enableResourceNameDnsARecord: boolean; - enableResourceNameDnsAaaaRecord: boolean; - hostnameType: string; - } - - export interface GetLaunchTemplateTagSpecification { - resourceType: string; - /** - * Map of tags, each pair of which must exactly match a pair on the desired Launch Template. - */ - tags: {[key: string]: string}; - } - - export interface GetLocalGatewayFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGateways.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. - * A Local Gateway will be selected if any one of the given values matches. - */ - values: string[]; - } - - export interface GetLocalGatewayRouteTableFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGatewayRouteTables.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. - * A local gateway route table will be selected if any one of the given values matches. - */ - values: string[]; - } - - export interface GetLocalGatewayRouteTablesFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGatewayRouteTables.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. - * A Local Gateway Route Table will be selected if any one of the given values matches. - */ - values: string[]; - } - - export interface GetLocalGatewayVirtualInterfaceFilter { - /** - * Name of the filter. 
- */ - name: string; - /** - * List of one or more values for the filter. - */ - values: string[]; - } - - export interface GetLocalGatewayVirtualInterfaceGroupFilter { - /** - * Name of the filter. - */ - name: string; - /** - * List of one or more values for the filter. - */ - values: string[]; - } - - export interface GetLocalGatewayVirtualInterfaceGroupsFilter { - /** - * Name of the filter. - */ - name: string; - /** - * List of one or more values for the filter. - */ - values: string[]; - } - - export interface GetLocalGatewaysFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeLocalGateways.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. - * A Local Gateway will be selected if any one of the given values matches. - */ - values: string[]; - } - - export interface GetManagedPrefixListEntry { - cidr: string; - description: string; - } - - export interface GetManagedPrefixListFilter { - /** - * Name of the filter field. Valid values can be found in the EC2 [DescribeManagedPrefixLists](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeManagedPrefixLists.html) API Reference. - */ - name: string; - /** - * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. - */ - values: string[]; - } - - export interface GetManagedPrefixListsFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeManagedPrefixLists.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. - * A managed prefix list will be selected if any one of the given values matches. 
- */ - values: string[]; - } - - export interface GetNatGatewayFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNatGateways.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. - * An Nat Gateway will be selected if any one of the given values matches. - */ - values: string[]; - } - - export interface GetNatGatewaysFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNatGateways.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. - * A Nat Gateway will be selected if any one of the given values matches. - */ - values: string[]; - } - - export interface GetNetworkAclsFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeNetworkAcls.html). - */ - name: string; - /** - * Set of values that are accepted for the given field. - * A VPC will be selected if any one of the given values matches. - */ - values: string[]; - } - - export interface GetNetworkInsightsAnalysisAlternatePathHint { - componentArn: string; - componentId: string; + export interface GetNetworkInsightsAnalysisAlternatePathHint { + componentArn: string; + componentId: string; } export interface GetNetworkInsightsAnalysisExplanation { 
@@ -67087,17146 +66301,10748 @@ export namespace s3 { * > **NOTE on `objectLockConfiguration`:** You can only enable S3 Object Lock for new buckets. If you need to turn on S3 Object Lock for an existing bucket, please contact AWS Support. * When you create a bucket with S3 Object Lock enabled, Amazon S3 automatically enables versioning for the bucket. * Once you create a bucket with S3 Object Lock enabled, you can't disable Object Lock or suspend versioning for the bucket. - */ - years?: number; - } - - export interface BucketObjectLockConfigurationV2Rule { - /** - * Configuration block for specifying the default Object Lock retention settings for new objects placed in the specified bucket. See below. - */ - defaultRetention: outputs.s3.BucketObjectLockConfigurationV2RuleDefaultRetention; - } - - export interface BucketObjectLockConfigurationV2RuleDefaultRetention { - /** - * Number of days that you want to specify for the default retention period. - */ - days?: number; - /** - * Default Object Lock retention mode you want to apply to new objects placed in the specified bucket. Valid values: `COMPLIANCE`, `GOVERNANCE`. - */ - mode?: string; - /** - * Number of years that you want to specify for the default retention period. - */ - years?: number; - } - - export interface BucketObjectv2OverrideProvider { - /** - * Override the provider `defaultTags` configuration block. - */ - defaultTags?: outputs.s3.BucketObjectv2OverrideProviderDefaultTags; - } - - export interface BucketObjectv2OverrideProviderDefaultTags { - /** - * Map of tags to assign to the object. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level. - */ - tags?: {[key: string]: string}; - } - - export interface BucketOwnershipControlsRule { - /** - * Object ownership. 
Valid values: `BucketOwnerPreferred`, `ObjectWriter` or `BucketOwnerEnforced` - * * `BucketOwnerPreferred` - Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the `bucket-owner-full-control` canned ACL. - * * `ObjectWriter` - Uploading account will own the object if the object is uploaded with the `bucket-owner-full-control` canned ACL. - * * `BucketOwnerEnforced` - Bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket. - */ - objectOwnership: string; - } - - export interface BucketReplicationConfigRule { - /** - * Whether delete markers are replicated. This argument is only valid with V2 replication configurations (i.e., when `filter` is used)documented below. - */ - deleteMarkerReplication?: outputs.s3.BucketReplicationConfigRuleDeleteMarkerReplication; - /** - * Specifies the destination for the rule. See below. - */ - destination: outputs.s3.BucketReplicationConfigRuleDestination; - /** - * Replicate existing objects in the source bucket according to the rule configurations. See below. - */ - existingObjectReplication?: outputs.s3.BucketReplicationConfigRuleExistingObjectReplication; - /** - * Filter that identifies subset of objects to which the replication rule applies. See below. If not specified, the `rule` will default to using `prefix`. - */ - filter?: outputs.s3.BucketReplicationConfigRuleFilter; - /** - * Unique identifier for the rule. Must be less than or equal to 255 characters in length. - */ - id: string; - /** - * Object key name prefix identifying one or more objects to which the rule applies. Must be less than or equal to 1024 characters in length. Defaults to an empty string (`""`) if `filter` is not specified. - * - * @deprecated Use filter instead - */ - prefix?: string; - /** - * Priority associated with the rule. Priority should only be set if `filter` is configured. If not provided, defaults to `0`. 
Priority must be unique between multiple rules. - */ - priority?: number; - /** - * Specifies special object selection criteria. See below. - */ - sourceSelectionCriteria?: outputs.s3.BucketReplicationConfigRuleSourceSelectionCriteria; - /** - * Status of the rule. Either `"Enabled"` or `"Disabled"`. The rule is ignored if status is not "Enabled". - */ - status: string; - } - - export interface BucketReplicationConfigRuleDeleteMarkerReplication { - /** - * Whether delete markers should be replicated. Either `"Enabled"` or `"Disabled"`. - */ - status: string; - } - - export interface BucketReplicationConfigRuleDestination { - /** - * Configuration block that specifies the overrides to use for object owners on replication. See below. Specify this only in a cross-account scenario (where source and destination bucket owners are not the same), and you want to change replica ownership to the AWS account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by same AWS account that owns the source object. Must be used in conjunction with `account` owner override configuration. - */ - accessControlTranslation?: outputs.s3.BucketReplicationConfigRuleDestinationAccessControlTranslation; - /** - * Account ID to specify the replica ownership. Must be used in conjunction with `accessControlTranslation` override configuration. - */ - account?: string; - /** - * ARN of the bucket where you want Amazon S3 to store the results. - */ - bucket: string; - /** - * Configuration block that provides information about encryption. See below. If `sourceSelectionCriteria` is specified, you must specify this element. - */ - encryptionConfiguration?: outputs.s3.BucketReplicationConfigRuleDestinationEncryptionConfiguration; - /** - * Configuration block that specifies replication metrics-related settings enabling replication metrics and events. See below. 
- */ - metrics?: outputs.s3.BucketReplicationConfigRuleDestinationMetrics; - /** - * Configuration block that specifies S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. See below. Replication Time Control must be used in conjunction with `metrics`. - */ - replicationTime?: outputs.s3.BucketReplicationConfigRuleDestinationReplicationTime; - /** - * The [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Destination.html#AmazonS3-Type-Destination-StorageClass) used to store the object. By default, Amazon S3 uses the storage class of the source object to create the object replica. - */ - storageClass?: string; - } - - export interface BucketReplicationConfigRuleDestinationAccessControlTranslation { - /** - * Specifies the replica ownership. For default and valid values, see [PUT bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html) in the Amazon S3 API Reference. Valid values: `Destination`. - */ - owner: string; - } - - export interface BucketReplicationConfigRuleDestinationEncryptionConfiguration { - /** - * ID (Key ARN or Alias ARN) of the customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket. - */ - replicaKmsKeyId: string; - } - - export interface BucketReplicationConfigRuleDestinationMetrics { - /** - * Configuration block that specifies the time threshold for emitting the `s3:Replication:OperationMissedThreshold` event. See below. - */ - eventThreshold?: outputs.s3.BucketReplicationConfigRuleDestinationMetricsEventThreshold; - /** - * Status of the Destination Metrics. Either `"Enabled"` or `"Disabled"`. - */ - status: string; - } - - export interface BucketReplicationConfigRuleDestinationMetricsEventThreshold { - /** - * Time in minutes. Valid values: `15`. 
- */ - minutes: number; - } - - export interface BucketReplicationConfigRuleDestinationReplicationTime { - /** - * Status of the Replication Time Control. Either `"Enabled"` or `"Disabled"`. - */ - status: string; - /** - * Configuration block specifying the time by which replication should be complete for all objects and operations on objects. See below. - */ - time: outputs.s3.BucketReplicationConfigRuleDestinationReplicationTimeTime; - } - - export interface BucketReplicationConfigRuleDestinationReplicationTimeTime { - /** - * Time in minutes. Valid values: `15`. - */ - minutes: number; - } - - export interface BucketReplicationConfigRuleExistingObjectReplication { - /** - * Whether the existing objects should be replicated. Either `"Enabled"` or `"Disabled"`. - */ - status: string; - } - - export interface BucketReplicationConfigRuleFilter { - /** - * Configuration block for specifying rule filters. This element is required only if you specify more than one filter. See and below for more details. - */ - and?: outputs.s3.BucketReplicationConfigRuleFilterAnd; - /** - * Object key name prefix that identifies subset of objects to which the rule applies. Must be less than or equal to 1024 characters in length. - */ - prefix?: string; - /** - * Configuration block for specifying a tag key and value. See below. - */ - tag?: outputs.s3.BucketReplicationConfigRuleFilterTag; - } - - export interface BucketReplicationConfigRuleFilterAnd { - /** - * Object key name prefix that identifies subset of objects to which the rule applies. Must be less than or equal to 1024 characters in length. - */ - prefix?: string; - /** - * Map of tags (key and value pairs) that identifies a subset of objects to which the rule applies. The rule applies only to objects having all the tags in its tagset. - */ - tags?: {[key: string]: string}; - } - - export interface BucketReplicationConfigRuleFilterTag { - /** - * Name of the object key. - */ - key: string; - /** - * Value of the tag. 
- */ - value: string; - } - - export interface BucketReplicationConfigRuleSourceSelectionCriteria { - /** - * Configuration block that you can specify for selections for modifications on replicas. Amazon S3 doesn't replicate replica modifications by default. In the latest version of replication configuration (when `filter` is specified), you can specify this element and set the status to `Enabled` to replicate modifications on replicas. - */ - replicaModifications?: outputs.s3.BucketReplicationConfigRuleSourceSelectionCriteriaReplicaModifications; - /** - * Configuration block for filter information for the selection of Amazon S3 objects encrypted with AWS KMS. If specified, `replicaKmsKeyId` in `destination` `encryptionConfiguration` must be specified as well. - */ - sseKmsEncryptedObjects?: outputs.s3.BucketReplicationConfigRuleSourceSelectionCriteriaSseKmsEncryptedObjects; - } - - export interface BucketReplicationConfigRuleSourceSelectionCriteriaReplicaModifications { - /** - * Whether the existing objects should be replicated. Either `"Enabled"` or `"Disabled"`. - */ - status: string; - } - - export interface BucketReplicationConfigRuleSourceSelectionCriteriaSseKmsEncryptedObjects { - /** - * Whether the existing objects should be replicated. Either `"Enabled"` or `"Disabled"`. - */ - status: string; - } - - export interface BucketReplicationConfiguration { - role: string; - rules: outputs.s3.BucketReplicationConfigurationRule[]; - } - - export interface BucketReplicationConfigurationRule { - /** - * Whether delete markers are replicated. The only valid value is `Enabled`. To disable, omit this argument. This argument is only valid with V2 replication configurations (i.e., when `filter` is used). - */ - deleteMarkerReplicationStatus?: string; - /** - * Specifies the destination for the rule (documented below). 
- */ - destination: outputs.s3.BucketReplicationConfigurationRuleDestination; - /** - * Filter that identifies subset of objects to which the replication rule applies (documented below). - */ - filter?: outputs.s3.BucketReplicationConfigurationRuleFilter; - /** - * Unique identifier for the rule. Must be less than or equal to 255 characters in length. - */ - id?: string; - /** - * Object keyname prefix identifying one or more objects to which the rule applies. Must be less than or equal to 1024 characters in length. - */ - prefix?: string; - /** - * The priority associated with the rule. Priority should only be set if `filter` is configured. If not provided, defaults to `0`. Priority must be unique between multiple rules. - */ - priority?: number; - /** - * Specifies special object selection criteria (documented below). - */ - sourceSelectionCriteria?: outputs.s3.BucketReplicationConfigurationRuleSourceSelectionCriteria; - /** - * The status of the rule. Either `Enabled` or `Disabled`. The rule is ignored if status is not Enabled. - * - * > **NOTE:** Replication to multiple destination buckets requires that `priority` is specified in the `rules` object. If the corresponding rule requires no filter, an empty configuration block `filter {}` must be specified. - */ - status: string; - } - - export interface BucketReplicationConfigurationRuleDestination { - /** - * Specifies the overrides to use for object owners on replication. Must be used in conjunction with `accountId` owner override configuration. - */ - accessControlTranslation?: outputs.s3.BucketReplicationConfigurationRuleDestinationAccessControlTranslation; - /** - * The Account ID to use for overriding the object owner on replication. Must be used in conjunction with `accessControlTranslation` override configuration. - */ - accountId?: string; - /** - * The ARN of the S3 bucket where you want Amazon S3 to store replicas of the object identified by the rule. 
- */ - bucket: string; - /** - * Enables replication metrics (required for S3 RTC) (documented below). - */ - metrics?: outputs.s3.BucketReplicationConfigurationRuleDestinationMetrics; - /** - * Destination KMS encryption key ARN for SSE-KMS replication. Must be used in conjunction with - * `sseKmsEncryptedObjects` source selection criteria. - */ - replicaKmsKeyId?: string; - /** - * Enables S3 Replication Time Control (S3 RTC) (documented below). - */ - replicationTime?: outputs.s3.BucketReplicationConfigurationRuleDestinationReplicationTime; - /** - * The [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Destination.html#AmazonS3-Type-Destination-StorageClass) used to store the object. By default, Amazon S3 uses the storage class of the source object to create the object replica. - */ - storageClass?: string; - } - - export interface BucketReplicationConfigurationRuleDestinationAccessControlTranslation { - /** - * The override value for the owner on replicated objects. Currently only `Destination` is supported. - */ - owner: string; - } - - export interface BucketReplicationConfigurationRuleDestinationMetrics { - /** - * Threshold within which objects are to be replicated. The only valid value is `15`. - */ - minutes?: number; - /** - * The status of replication metrics. Either `Enabled` or `Disabled`. - */ - status?: string; - } - - export interface BucketReplicationConfigurationRuleDestinationReplicationTime { - /** - * Threshold within which objects are to be replicated. The only valid value is `15`. - */ - minutes?: number; - /** - * The status of RTC. Either `Enabled` or `Disabled`. - */ - status?: string; - } - - export interface BucketReplicationConfigurationRuleFilter { - /** - * Object keyname prefix that identifies subset of objects to which the rule applies. Must be less than or equal to 1024 characters in length. - */ - prefix?: string; - /** - * A map of tags that identifies subset of objects to which the rule applies. 
- * The rule applies only to objects having all the tags in its tagset. - */ - tags?: {[key: string]: string}; - } - - export interface BucketReplicationConfigurationRuleSourceSelectionCriteria { - /** - * Match SSE-KMS encrypted objects (documented below). If specified, `replicaKmsKeyId` - * in `destination` must be specified as well. - */ - sseKmsEncryptedObjects?: outputs.s3.BucketReplicationConfigurationRuleSourceSelectionCriteriaSseKmsEncryptedObjects; - } - - export interface BucketReplicationConfigurationRuleSourceSelectionCriteriaSseKmsEncryptedObjects { - /** - * Boolean which indicates if this criteria is enabled. - */ - enabled: boolean; - } - - export interface BucketServerSideEncryptionConfiguration { - /** - * A single object for server-side encryption by default configuration. (documented below) - */ - rule: outputs.s3.BucketServerSideEncryptionConfigurationRule; - } - - export interface BucketServerSideEncryptionConfigurationRule { - /** - * A single object for setting server-side encryption by default. (documented below) - */ - applyServerSideEncryptionByDefault: outputs.s3.BucketServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault; - /** - * Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS. - */ - bucketKeyEnabled?: boolean; - } - - export interface BucketServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault { - /** - * The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `sseAlgorithm` as `aws:kms`. The default `aws/s3` AWS KMS master key is used if this element is absent while the `sseAlgorithm` is `aws:kms`. - */ - kmsMasterKeyId?: string; - /** - * The server-side encryption algorithm to use. 
Valid values are `AES256` and `aws:kms` - */ - sseAlgorithm: string; - } - - export interface BucketServerSideEncryptionConfigurationV2Rule { - /** - * Single object for setting server-side encryption by default. See below. - */ - applyServerSideEncryptionByDefault?: outputs.s3.BucketServerSideEncryptionConfigurationV2RuleApplyServerSideEncryptionByDefault; - /** - * Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS. - */ - bucketKeyEnabled?: boolean; - } - - export interface BucketServerSideEncryptionConfigurationV2RuleApplyServerSideEncryptionByDefault { - /** - * AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `sseAlgorithm` as `aws:kms`. The default `aws/s3` AWS KMS master key is used if this element is absent while the `sseAlgorithm` is `aws:kms`. - */ - kmsMasterKeyId?: string; - /** - * Server-side encryption algorithm to use. Valid values are `AES256`, `aws:kms`, and `aws:kms:dsse` - */ - sseAlgorithm: string; - } - - export interface BucketV2CorsRule { - /** - * List of headers allowed. - */ - allowedHeaders?: string[]; - /** - * One or more HTTP methods that you allow the origin to execute. Can be `GET`, `PUT`, `POST`, `DELETE` or `HEAD`. - */ - allowedMethods: string[]; - /** - * One or more origins you want customers to be able to access the bucket from. - */ - allowedOrigins: string[]; - /** - * One or more headers in the response that you want customers to be able to access from their applications (for example, from a JavaScript `XMLHttpRequest` object). - */ - exposeHeaders?: string[]; - /** - * Specifies time in seconds that browser can cache the response for a preflight request. - */ - maxAgeSeconds?: number; - } - - export interface BucketV2Grant { - /** - * Canonical user id to grant for. Used only when `type` is `CanonicalUser`. - */ - id?: string; - /** - * List of permissions to apply for grantee. 
Valid values are `READ`, `WRITE`, `READ_ACP`, `WRITE_ACP`, `FULL_CONTROL`. - */ - permissions: string[]; - /** - * Type of grantee to apply for. Valid values are `CanonicalUser` and `Group`. `AmazonCustomerByEmail` is not supported. - */ - type: string; - /** - * Uri address to grant for. Used only when `type` is `Group`. - */ - uri?: string; - } - - export interface BucketV2LifecycleRule { - /** - * Specifies the number of days after initiating a multipart upload when the multipart upload must be completed. - */ - abortIncompleteMultipartUploadDays?: number; - /** - * Specifies lifecycle rule status. - */ - enabled: boolean; - /** - * Specifies a period in the object's expire. See Expiration below for details. - */ - expirations?: outputs.s3.BucketV2LifecycleRuleExpiration[]; - /** - * Unique identifier for the rule. Must be less than or equal to 255 characters in length. - */ - id: string; - /** - * Specifies when noncurrent object versions expire. See Noncurrent Version Expiration below for details. - */ - noncurrentVersionExpirations?: outputs.s3.BucketV2LifecycleRuleNoncurrentVersionExpiration[]; - /** - * Specifies when noncurrent object versions transitions. See Noncurrent Version Transition below for details. - */ - noncurrentVersionTransitions?: outputs.s3.BucketV2LifecycleRuleNoncurrentVersionTransition[]; - /** - * Object key prefix identifying one or more objects to which the rule applies. - */ - prefix?: string; - /** - * Specifies object tags key and value. - */ - tags?: {[key: string]: string}; - /** - * Specifies a period in the object's transitions. See Transition below for details. - */ - transitions?: outputs.s3.BucketV2LifecycleRuleTransition[]; - } - - export interface BucketV2LifecycleRuleExpiration { - /** - * Specifies the date after which you want the corresponding action to take effect. - */ - date?: string; - /** - * Specifies the number of days after object creation when the specific rule action takes effect. 
- */ - days?: number; - /** - * On a versioned bucket (versioning-enabled or versioning-suspended bucket), you can add this element in the lifecycle configuration to direct Amazon S3 to delete expired object delete markers. This cannot be specified with Days or Date in a Lifecycle Expiration Policy. - */ - expiredObjectDeleteMarker?: boolean; - } - - export interface BucketV2LifecycleRuleNoncurrentVersionExpiration { - /** - * Specifies the number of days noncurrent object versions expire. - */ - days?: number; - } - - export interface BucketV2LifecycleRuleNoncurrentVersionTransition { - /** - * Specifies the number of days noncurrent object versions transition. - */ - days?: number; - /** - * Specifies the Amazon S3 [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Transition.html#AmazonS3-Type-Transition-StorageClass) to which you want the object to transition. - */ - storageClass: string; - } - - export interface BucketV2LifecycleRuleTransition { - /** - * Specifies the date after which you want the corresponding action to take effect. - */ - date?: string; - /** - * Specifies the number of days after object creation when the specific rule action takes effect. - */ - days?: number; - /** - * Specifies the Amazon S3 [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Transition.html#AmazonS3-Type-Transition-StorageClass) to which you want the object to transition. - */ - storageClass: string; - } - - export interface BucketV2Logging { - /** - * Name of the bucket that will receive the log objects. - */ - targetBucket: string; - /** - * To specify a key prefix for log objects. - */ - targetPrefix?: string; - } - - export interface BucketV2ObjectLockConfiguration { - /** - * Indicates whether this bucket has an Object Lock configuration enabled. Valid values are `true` or `false`. This argument is not supported in all regions or partitions. 
- * - * @deprecated Use the top-level parameter objectLockEnabled instead - */ - objectLockEnabled?: string; - /** - * Object Lock rule in place for this bucket (documented below). - * - * @deprecated Use the aws.s3.BucketObjectLockConfigurationV2 resource instead - */ - rules?: outputs.s3.BucketV2ObjectLockConfigurationRule[]; - } - - export interface BucketV2ObjectLockConfigurationRule { - /** - * Default retention period that you want to apply to new objects placed in this bucket (documented below). - */ - defaultRetentions: outputs.s3.BucketV2ObjectLockConfigurationRuleDefaultRetention[]; - } - - export interface BucketV2ObjectLockConfigurationRuleDefaultRetention { - /** - * Number of days that you want to specify for the default retention period. - */ - days?: number; - /** - * Default Object Lock retention mode you want to apply to new objects placed in this bucket. Valid values are `GOVERNANCE` and `COMPLIANCE`. - */ - mode: string; - /** - * Number of years that you want to specify for the default retention period. - */ - years?: number; - } - - export interface BucketV2ReplicationConfiguration { - /** - * ARN of the IAM role for Amazon S3 to assume when replicating the objects. - */ - role: string; - /** - * Specifies the rules managing the replication (documented below). - */ - rules: outputs.s3.BucketV2ReplicationConfigurationRule[]; - } - - export interface BucketV2ReplicationConfigurationRule { - /** - * Whether delete markers are replicated. The only valid value is `Enabled`. To disable, omit this argument. This argument is only valid with V2 replication configurations (i.e., when `filter` is used). - */ - deleteMarkerReplicationStatus?: string; - /** - * Specifies the destination for the rule (documented below). - */ - destinations: outputs.s3.BucketV2ReplicationConfigurationRuleDestination[]; - /** - * Filter that identifies subset of objects to which the replication rule applies (documented below). 
- */ - filters?: outputs.s3.BucketV2ReplicationConfigurationRuleFilter[]; - /** - * Unique identifier for the rule. Must be less than or equal to 255 characters in length. - */ - id?: string; - /** - * Object keyname prefix identifying one or more objects to which the rule applies. Must be less than or equal to 1024 characters in length. - */ - prefix?: string; - /** - * Priority associated with the rule. Priority should only be set if `filter` is configured. If not provided, defaults to `0`. Priority must be unique between multiple rules. - */ - priority?: number; - /** - * Specifies special object selection criteria (documented below). - */ - sourceSelectionCriterias?: outputs.s3.BucketV2ReplicationConfigurationRuleSourceSelectionCriteria[]; - /** - * Status of the rule. Either `Enabled` or `Disabled`. The rule is ignored if status is not Enabled. - */ - status: string; - } - - export interface BucketV2ReplicationConfigurationRuleDestination { - /** - * Specifies the overrides to use for object owners on replication (documented below). Must be used in conjunction with `accountId` owner override configuration. - */ - accessControlTranslations?: outputs.s3.BucketV2ReplicationConfigurationRuleDestinationAccessControlTranslation[]; - /** - * Account ID to use for overriding the object owner on replication. Must be used in conjunction with `accessControlTranslation` override configuration. - */ - accountId?: string; - /** - * ARN of the S3 bucket where you want Amazon S3 to store replicas of the object identified by the rule. - */ - bucket: string; - /** - * Enables replication metrics (required for S3 RTC) (documented below). - */ - metrics?: outputs.s3.BucketV2ReplicationConfigurationRuleDestinationMetric[]; - /** - * Destination KMS encryption key ARN for SSE-KMS replication. Must be used in conjunction with - * `sseKmsEncryptedObjects` source selection criteria. 
- */ - replicaKmsKeyId?: string; - /** - * Enables S3 Replication Time Control (S3 RTC) (documented below). - */ - replicationTimes?: outputs.s3.BucketV2ReplicationConfigurationRuleDestinationReplicationTime[]; - /** - * The [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Destination.html#AmazonS3-Type-Destination-StorageClass) used to store the object. By default, Amazon S3 uses the storage class of the source object to create the object replica. - */ - storageClass?: string; - } - - export interface BucketV2ReplicationConfigurationRuleDestinationAccessControlTranslation { - /** - * Specifies the replica ownership. For default and valid values, see [PUT bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html) in the Amazon S3 API Reference. The only valid value is `Destination`. - */ - owner: string; - } - - export interface BucketV2ReplicationConfigurationRuleDestinationMetric { - /** - * Threshold within which objects are to be replicated. The only valid value is `15`. - */ - minutes?: number; - /** - * Status of replication metrics. Either `Enabled` or `Disabled`. - */ - status?: string; - } - - export interface BucketV2ReplicationConfigurationRuleDestinationReplicationTime { - /** - * Threshold within which objects are to be replicated. The only valid value is `15`. - */ - minutes?: number; - /** - * Status of RTC. Either `Enabled` or `Disabled`. - */ - status?: string; - } - - export interface BucketV2ReplicationConfigurationRuleFilter { - /** - * Object keyname prefix that identifies subset of objects to which the rule applies. Must be less than or equal to 1024 characters in length. - */ - prefix?: string; - /** - * A map of tags that identifies subset of objects to which the rule applies. - * The rule applies only to objects having all the tags in its tagset. 
- */ - tags?: {[key: string]: string}; - } - - export interface BucketV2ReplicationConfigurationRuleSourceSelectionCriteria { - /** - * Match SSE-KMS encrypted objects (documented below). If specified, `replicaKmsKeyId` - * in `destination` must be specified as well. - */ - sseKmsEncryptedObjects?: outputs.s3.BucketV2ReplicationConfigurationRuleSourceSelectionCriteriaSseKmsEncryptedObject[]; - } - - export interface BucketV2ReplicationConfigurationRuleSourceSelectionCriteriaSseKmsEncryptedObject { - /** - * Boolean which indicates if this criteria is enabled. - */ - enabled: boolean; - } - - export interface BucketV2ServerSideEncryptionConfiguration { - /** - * Single object for server-side encryption by default configuration. (documented below) - */ - rules: outputs.s3.BucketV2ServerSideEncryptionConfigurationRule[]; - } - - export interface BucketV2ServerSideEncryptionConfigurationRule { - /** - * Single object for setting server-side encryption by default. (documented below) - */ - applyServerSideEncryptionByDefaults: outputs.s3.BucketV2ServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault[]; - /** - * Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS. - */ - bucketKeyEnabled?: boolean; - } - - export interface BucketV2ServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault { - /** - * AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `sseAlgorithm` as `aws:kms`. The default `aws/s3` AWS KMS master key is used if this element is absent while the `sseAlgorithm` is `aws:kms`. - */ - kmsMasterKeyId?: string; - /** - * Server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` - */ - sseAlgorithm: string; - } - - export interface BucketV2Versioning { - /** - * Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. 
You can, however, suspend versioning on that bucket. - */ - enabled?: boolean; - /** - * Enable MFA delete for either `Change the versioning state of your bucket` or `Permanently delete an object version`. Default is `false`. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS - */ - mfaDelete?: boolean; - } - - export interface BucketV2Website { - /** - * Absolute path to the document to return in case of a 4XX error. - */ - errorDocument?: string; - /** - * Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders. - */ - indexDocument?: string; - /** - * Hostname to redirect all website requests for this bucket to. Hostname can optionally be prefixed with a protocol (`http://` or `https://`) to use when redirecting requests. The default is the protocol that is used in the original request. - */ - redirectAllRequestsTo?: string; - /** - * JSON array containing [routing rules](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-websiteconfiguration-routingrules.html) - * describing redirect behavior and when redirects are applied. - */ - routingRules?: string; - } - - export interface BucketVersioning { - /** - * Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket. - */ - enabled?: boolean; - /** - * Enable MFA delete for either `Change the versioning state of your bucket` or `Permanently delete an object version`. Default is `false`. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS - */ - mfaDelete?: boolean; - } - - export interface BucketVersioningV2VersioningConfiguration { - /** - * Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: `Enabled` or `Disabled`. - */ - mfaDelete: string; - /** - * Versioning state of the bucket. 
Valid values: `Enabled`, `Suspended`, or `Disabled`. `Disabled` should only be used when creating or importing resources that correspond to unversioned S3 buckets. - */ - status: string; - } - - export interface BucketWebsite { - /** - * An absolute path to the document to return in case of a 4XX error. - */ - errorDocument?: string; - /** - * Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders. - */ - indexDocument?: string; - /** - * A hostname to redirect all website requests for this bucket to. Hostname can optionally be prefixed with a protocol (`http://` or `https://`) to use when redirecting requests. The default is the protocol that is used in the original request. - */ - redirectAllRequestsTo?: string; - /** - * A json array containing [routing rules](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-websiteconfiguration-routingrules.html) - * describing redirect behavior and when redirects are applied. - * - * The `CORS` object supports the following: - */ - routingRules?: string; - } - - export interface BucketWebsiteConfigurationV2ErrorDocument { - /** - * Object key name to use when a 4XX class error occurs. - */ - key: string; - } - - export interface BucketWebsiteConfigurationV2IndexDocument { - /** - * Suffix that is appended to a request that is for a directory on the website endpoint. - * For example, if the suffix is `index.html` and you make a request to `samplebucket/images/`, the data that is returned will be for the object with the key name `images/index.html`. - * The suffix must not be empty and must not include a slash character. - */ - suffix: string; - } - - export interface BucketWebsiteConfigurationV2RedirectAllRequestsTo { - /** - * Name of the host where requests are redirected. - */ - hostName: string; - /** - * Protocol to use when redirecting requests. The default is the protocol that is used in the original request. Valid values: `http`, `https`. 
- */ - protocol?: string; - } - - export interface BucketWebsiteConfigurationV2RoutingRule { - /** - * Configuration block for describing a condition that must be met for the specified redirect to apply. See below. - */ - condition?: outputs.s3.BucketWebsiteConfigurationV2RoutingRuleCondition; - /** - * Configuration block for redirect information. See below. - */ - redirect: outputs.s3.BucketWebsiteConfigurationV2RoutingRuleRedirect; - } - - export interface BucketWebsiteConfigurationV2RoutingRuleCondition { - /** - * HTTP error code when the redirect is applied. If specified with `keyPrefixEquals`, then both must be true for the redirect to be applied. - */ - httpErrorCodeReturnedEquals?: string; - /** - * Object key name prefix when the redirect is applied. If specified with `httpErrorCodeReturnedEquals`, then both must be true for the redirect to be applied. - */ - keyPrefixEquals?: string; - } - - export interface BucketWebsiteConfigurationV2RoutingRuleRedirect { - /** - * Host name to use in the redirect request. - */ - hostName?: string; - /** - * HTTP redirect code to use on the response. - */ - httpRedirectCode?: string; - /** - * Protocol to use when redirecting requests. The default is the protocol that is used in the original request. Valid values: `http`, `https`. - */ - protocol?: string; - /** - * Object key prefix to use in the redirect request. For example, to redirect requests for all pages with prefix `docs/` (objects in the `docs/` folder) to `documents/`, you can set a `condition` block with `keyPrefixEquals` set to `docs/` and in the `redirect` set `replaceKeyPrefixWith` to `/documents`. - */ - replaceKeyPrefixWith?: string; - /** - * Specific object key to use in the redirect request. For example, redirect request to `error.html`. - */ - replaceKeyWith?: string; - } - - export interface DirectoryBucketLocation { - /** - * [Availability Zone ID](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#az-ids). 
- */ - name: string; - /** - * Location type. Valid values: `AvailabilityZone`. - */ - type: string; - } - - export interface InventoryDestination { - /** - * S3 bucket configuration where inventory results are published (documented below). - */ - bucket: outputs.s3.InventoryDestinationBucket; - } - - export interface InventoryDestinationBucket { - /** - * ID of the account that owns the destination bucket. Recommended to be set to prevent problems if the destination bucket ownership changes. - */ - accountId?: string; - /** - * Amazon S3 bucket ARN of the destination. - */ - bucketArn: string; - /** - * Contains the type of server-side encryption to use to encrypt the inventory (documented below). - */ - encryption?: outputs.s3.InventoryDestinationBucketEncryption; - /** - * Specifies the output format of the inventory results. Can be `CSV`, [`ORC`](https://orc.apache.org/) or [`Parquet`](https://parquet.apache.org/). - */ - format: string; - /** - * Prefix that is prepended to all inventory results. - */ - prefix?: string; - } - - export interface InventoryDestinationBucketEncryption { - /** - * Specifies to use server-side encryption with AWS KMS-managed keys to encrypt the inventory file (documented below). - */ - sseKms?: outputs.s3.InventoryDestinationBucketEncryptionSseKms; - /** - * Specifies to use server-side encryption with Amazon S3-managed keys (SSE-S3) to encrypt the inventory file. - */ - sseS3?: outputs.s3.InventoryDestinationBucketEncryptionSseS3; - } - - export interface InventoryDestinationBucketEncryptionSseKms { - /** - * ARN of the KMS customer master key (CMK) used to encrypt the inventory file. - */ - keyId: string; - } - - export interface InventoryDestinationBucketEncryptionSseS3 { - } - - export interface InventoryFilter { - /** - * Prefix that an object must have to be included in the inventory results. - */ - prefix?: string; - } - - export interface InventorySchedule { - /** - * Specifies how frequently inventory results are produced. 
Valid values: `Daily`, `Weekly`. - */ - frequency: string; - } - - export interface ObjectCopyGrant { - /** - * Email address of the grantee. Used only when `type` is `AmazonCustomerByEmail`. - */ - email?: string; - /** - * Canonical user ID of the grantee. Used only when `type` is `CanonicalUser`. - */ - id?: string; - /** - * List of permissions to grant to grantee. Valid values are `READ`, `READ_ACP`, `WRITE_ACP`, `FULL_CONTROL`. - */ - permissions: string[]; - /** - * Type of grantee. Valid values are `CanonicalUser`, `Group`, and `AmazonCustomerByEmail`. - * - * This configuration block has the following optional arguments (one of the three is required): - */ - type: string; - /** - * URI of the grantee group. Used only when `type` is `Group`. - */ - uri?: string; - } - -} - -export namespace s3control { - export interface AccessGrantAccessGrantsLocationConfiguration { - /** - * Sub-prefix. - */ - s3SubPrefix?: string; - } - - export interface AccessGrantGrantee { - /** - * Grantee identifier. - */ - granteeIdentifier: string; - /** - * Grantee types. Valid values: `DIRECTORY_USER`, `DIRECTORY_GROUP`, `IAM`. - */ - granteeType: string; - } - - export interface BucketLifecycleConfigurationRule { - /** - * Configuration block containing settings for abort incomplete multipart upload. - */ - abortIncompleteMultipartUpload?: outputs.s3control.BucketLifecycleConfigurationRuleAbortIncompleteMultipartUpload; - /** - * Configuration block containing settings for expiration of objects. - */ - expiration?: outputs.s3control.BucketLifecycleConfigurationRuleExpiration; - /** - * Configuration block containing settings for filtering. - */ - filter?: outputs.s3control.BucketLifecycleConfigurationRuleFilter; - /** - * Unique identifier for the rule. - */ - id: string; - /** - * Status of the rule. Valid values: `Enabled` and `Disabled`. Defaults to `Enabled`. 
- */ - status?: string; - } - - export interface BucketLifecycleConfigurationRuleAbortIncompleteMultipartUpload { - /** - * Number of days after which Amazon S3 aborts an incomplete multipart upload. - */ - daysAfterInitiation: number; - } - - export interface BucketLifecycleConfigurationRuleExpiration { - /** - * Date the object is to be deleted. Should be in `YYYY-MM-DD` date format, e.g., `2020-09-30`. - */ - date?: string; - /** - * Number of days before the object is to be deleted. - */ - days?: number; - /** - * Enable to remove a delete marker with no noncurrent versions. Cannot be specified with `date` or `days`. - */ - expiredObjectDeleteMarker?: boolean; - } - - export interface BucketLifecycleConfigurationRuleFilter { - /** - * Object prefix for rule filtering. - */ - prefix?: string; - /** - * Key-value map of object tags for rule filtering. - */ - tags?: {[key: string]: string}; - } - - export interface GetMultiRegionAccessPointPublicAccessBlock { - /** - * Specifies whether Amazon S3 should block public access control lists (ACLs). When set to `true` causes the following behavior: - * * PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public. - * * PUT Object calls fail if the request includes a public ACL. - * * PUT Bucket calls fail if the request includes a public ACL. - */ - blockPublicAcls: boolean; - /** - * Specifies whether Amazon S3 should block public bucket policies for buckets in this account. When set to `true` causes Amazon S3 to: - * * Reject calls to PUT Bucket policy if the specified bucket policy allows public access. - */ - blockPublicPolicy: boolean; - /** - * Specifies whether Amazon S3 should ignore public ACLs for buckets in this account. When set to `true` causes Amazon S3 to: - * * Ignore all public ACLs on buckets in this account and any objects that they contain. - */ - ignorePublicAcls: boolean; - /** - * Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account. 
When set to `true`: - * * Only the bucket owner and AWS Services can access buckets with public policies. - */ - restrictPublicBuckets: boolean; - } - - export interface GetMultiRegionAccessPointRegion { - /** - * The name of the bucket. - */ - bucket: string; - /** - * The AWS account ID that owns the bucket. - */ - bucketAccountId: string; - /** - * The name of the region. - */ - region: string; - } - - export interface MultiRegionAccessPointDetails { - name: string; - publicAccessBlock?: outputs.s3control.MultiRegionAccessPointDetailsPublicAccessBlock; - regions: outputs.s3control.MultiRegionAccessPointDetailsRegion[]; - } - - export interface MultiRegionAccessPointDetailsPublicAccessBlock { - blockPublicAcls?: boolean; - blockPublicPolicy?: boolean; - ignorePublicAcls?: boolean; - restrictPublicBuckets?: boolean; - } - - export interface MultiRegionAccessPointDetailsRegion { - bucket: string; - bucketAccountId: string; - region: string; - } - - export interface MultiRegionAccessPointPolicyDetails { - /** - * The name of the Multi-Region Access Point. - */ - name: string; - /** - * A valid JSON document that specifies the policy that you want to associate with this Multi-Region Access Point. Once applied, the policy can be edited, but not deleted. For more information, see the documentation on [Multi-Region Access Point Permissions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointPermissions.html). - * - * > **NOTE:** When you update the `policy`, the update is first listed as the proposed policy. After the update is finished and all Regions have been updated, the proposed policy is listed as the established policy. If both policies have the same version number, the proposed policy is the established policy. - */ - policy: string; - } - - export interface ObjectLambdaAccessPointConfiguration { - /** - * Allowed features. Valid values: `GetObject-Range`, `GetObject-PartNumber`. 
- */ - allowedFeatures?: string[]; - /** - * Whether or not the CloudWatch metrics configuration is enabled. - */ - cloudWatchMetricsEnabled?: boolean; - /** - * Standard access point associated with the Object Lambda Access Point. - */ - supportingAccessPoint: string; - /** - * List of transformation configurations for the Object Lambda Access Point. See Transformation Configuration below for more details. - */ - transformationConfigurations: outputs.s3control.ObjectLambdaAccessPointConfigurationTransformationConfiguration[]; - } - - export interface ObjectLambdaAccessPointConfigurationTransformationConfiguration { - /** - * The actions of an Object Lambda Access Point configuration. Valid values: `GetObject`. - */ - actions: string[]; - /** - * The content transformation of an Object Lambda Access Point configuration. See Content Transformation below for more details. - */ - contentTransformation: outputs.s3control.ObjectLambdaAccessPointConfigurationTransformationConfigurationContentTransformation; - } - - export interface ObjectLambdaAccessPointConfigurationTransformationConfigurationContentTransformation { - /** - * Configuration for an AWS Lambda function. See AWS Lambda below for more details. - */ - awsLambda: outputs.s3control.ObjectLambdaAccessPointConfigurationTransformationConfigurationContentTransformationAwsLambda; - } - - export interface ObjectLambdaAccessPointConfigurationTransformationConfigurationContentTransformationAwsLambda { - /** - * The Amazon Resource Name (ARN) of the AWS Lambda function. - */ - functionArn: string; - /** - * Additional JSON that provides supplemental data to the Lambda function used to transform objects. - */ - functionPayload?: string; - } - - export interface StorageLensConfigurationStorageLensConfiguration { - /** - * The account-level configurations of the S3 Storage Lens configuration. See Account Level below for more details. 
- */ - accountLevel: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevel; - /** - * The Amazon Web Services organization for the S3 Storage Lens configuration. See AWS Org below for more details. - */ - awsOrg?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAwsOrg; - /** - * Properties of S3 Storage Lens metrics export including the destination, schema and format. See Data Export below for more details. - */ - dataExport?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExport; - /** - * Whether the S3 Storage Lens configuration is enabled. - */ - enabled: boolean; - /** - * What is excluded in this configuration. Conflicts with `include`. See Exclude below for more details. - */ - exclude?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationExclude; - /** - * What is included in this configuration. Conflicts with `exclude`. See Include below for more details. - */ - include?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationInclude; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevel { - /** - * S3 Storage Lens activity metrics. See Activity Metrics below for more details. - */ - activityMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelActivityMetrics; - /** - * Advanced cost-optimization metrics for S3 Storage Lens. See Advanced Cost-Optimization Metrics below for more details. - */ - advancedCostOptimizationMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelAdvancedCostOptimizationMetrics; - /** - * Advanced data-protection metrics for S3 Storage Lens. See Advanced Data-Protection Metrics below for more details. - */ - advancedDataProtectionMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelAdvancedDataProtectionMetrics; - /** - * S3 Storage Lens bucket-level configuration. See Bucket Level below for more details. 
- */ - bucketLevel: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevel; - /** - * Detailed status code metrics for S3 Storage Lens. See Detailed Status Code Metrics below for more details. - */ - detailedStatusCodeMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelDetailedStatusCodeMetrics; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelActivityMetrics { - /** - * Whether the activity metrics are enabled. - */ - enabled?: boolean; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelAdvancedCostOptimizationMetrics { - /** - * Whether advanced cost-optimization metrics are enabled. - */ - enabled?: boolean; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelAdvancedDataProtectionMetrics { - /** - * Whether advanced data-protection metrics are enabled. - */ - enabled?: boolean; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevel { - /** - * S3 Storage Lens activity metrics. See Activity Metrics above for more details. - */ - activityMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelActivityMetrics; - /** - * Advanced cost-optimization metrics for S3 Storage Lens. See Advanced Cost-Optimization Metrics above for more details. - */ - advancedCostOptimizationMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelAdvancedCostOptimizationMetrics; - /** - * Advanced data-protection metrics for S3 Storage Lens. See Advanced Data-Protection Metrics above for more details. - */ - advancedDataProtectionMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelAdvancedDataProtectionMetrics; - /** - * Detailed status code metrics for S3 Storage Lens. See Detailed Status Code Metrics above for more details. 
- */ - detailedStatusCodeMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelDetailedStatusCodeMetrics; - /** - * Prefix-level metrics for S3 Storage Lens. See Prefix Level below for more details. - */ - prefixLevel?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevel; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelActivityMetrics { - /** - * Whether the activity metrics are enabled. - */ - enabled?: boolean; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelAdvancedCostOptimizationMetrics { - /** - * Whether advanced cost-optimization metrics are enabled. - */ - enabled?: boolean; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelAdvancedDataProtectionMetrics { - /** - * Whether advanced data-protection metrics are enabled. - */ - enabled?: boolean; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelDetailedStatusCodeMetrics { - /** - * Whether detailed status code metrics are enabled. - */ - enabled?: boolean; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevel { - /** - * Prefix-level storage metrics for S3 Storage Lens. See Prefix Level Storage Metrics below for more details. - */ - storageMetrics: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevelStorageMetrics; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevelStorageMetrics { - /** - * Whether prefix-level storage metrics are enabled. - */ - enabled?: boolean; - /** - * Selection criteria. See Selection Criteria below for more details. 
- */ - selectionCriteria?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevelStorageMetricsSelectionCriteria; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevelStorageMetricsSelectionCriteria { - /** - * The delimiter of the selection criteria being used. - */ - delimiter?: string; - /** - * The max depth of the selection criteria. - */ - maxDepth?: number; - /** - * The minimum number of storage bytes percentage whose metrics will be selected. - */ - minStorageBytesPercentage?: number; - } - - export interface StorageLensConfigurationStorageLensConfigurationAccountLevelDetailedStatusCodeMetrics { - /** - * Whether detailed status code metrics are enabled. - */ - enabled?: boolean; - } - - export interface StorageLensConfigurationStorageLensConfigurationAwsOrg { - /** - * The Amazon Resource Name (ARN) of the Amazon Web Services organization. - */ - arn: string; - } - - export interface StorageLensConfigurationStorageLensConfigurationDataExport { - /** - * Amazon CloudWatch publishing for S3 Storage Lens metrics. See Cloud Watch Metrics below for more details. - */ - cloudWatchMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExportCloudWatchMetrics; - /** - * The bucket where the S3 Storage Lens metrics export will be located. See S3 Bucket Destination below for more details. - */ - s3BucketDestination?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestination; - } - - export interface StorageLensConfigurationStorageLensConfigurationDataExportCloudWatchMetrics { - /** - * Whether CloudWatch publishing for S3 Storage Lens metrics is enabled. - */ - enabled: boolean; - } - - export interface StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestination { - /** - * The account ID of the owner of the S3 Storage Lens metrics export bucket. 
- */ - accountId: string; - /** - * The Amazon Resource Name (ARN) of the bucket. - */ - arn: string; - /** - * Encryption of the metrics exports in this bucket. See Encryption below for more details. - */ - encryption?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryption; - /** - * The export format. Valid values: `CSV`, `Parquet`. - */ - format: string; - /** - * The schema version of the export file. Valid values: `V_1`. - */ - outputSchemaVersion: string; - /** - * The prefix of the destination bucket where the metrics export will be delivered. - */ - prefix?: string; - } - - export interface StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryption { - /** - * SSE-KMS encryption. See SSE KMS below for more details. - */ - sseKms?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryptionSseKms; - /** - * SSE-S3 encryption. An empty configuration block `{}` should be used. - */ - sseS3s?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryptionSseS3[]; - } - - export interface StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryptionSseKms { - /** - * KMS key ARN. - */ - keyId: string; - } - - export interface StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryptionSseS3 { - } - - export interface StorageLensConfigurationStorageLensConfigurationExclude { - /** - * List of S3 bucket ARNs. - */ - buckets?: string[]; - /** - * List of AWS Regions. - */ - regions?: string[]; - } - - export interface StorageLensConfigurationStorageLensConfigurationInclude { - /** - * List of S3 bucket ARNs. - */ - buckets?: string[]; - /** - * List of AWS Regions. - */ - regions?: string[]; - } - -} - -export namespace s3outposts { - export interface EndpointNetworkInterface { - /** - * Identifier of the Elastic Network Interface (ENI). 
- */ - networkInterfaceId: string; - } - -} - -export namespace sagemaker { - export interface AppImageConfigCodeEditorAppImageConfig { - /** - * The configuration used to run the application image container. See Container Config details below. - */ - containerConfig?: outputs.sagemaker.AppImageConfigCodeEditorAppImageConfigContainerConfig; - /** - * The URL where the Git repository is located. See File System Config details below. - */ - fileSystemConfig?: outputs.sagemaker.AppImageConfigCodeEditorAppImageConfigFileSystemConfig; - } - - export interface AppImageConfigCodeEditorAppImageConfigContainerConfig { - /** - * The arguments for the container when you're running the application. - */ - containerArguments?: string[]; - /** - * The entrypoint used to run the application in the container. - */ - containerEntrypoints?: string[]; - /** - * The environment variables to set in the container. - */ - containerEnvironmentVariables?: {[key: string]: string}; - } - - export interface AppImageConfigCodeEditorAppImageConfigFileSystemConfig { - /** - * The default POSIX group ID (GID). If not specified, defaults to `100`. Valid values are `0` and `100`. - */ - defaultGid?: number; - /** - * The default POSIX user ID (UID). If not specified, defaults to `1000`. Valid values are `0` and `1000`. - */ - defaultUid?: number; - /** - * The path within the image to mount the user's EFS home directory. The directory should be empty. If not specified, defaults to `/home/sagemaker-user`. - * - * > **Note:** When specifying `defaultGid` and `defaultUid`, Valid value pairs are [`0`, `0`] and [`100`, `1000`]. - */ - mountPath?: string; - } - - export interface AppImageConfigJupyterLabImageConfig { - /** - * The configuration used to run the application image container. See Container Config details below. - */ - containerConfig?: outputs.sagemaker.AppImageConfigJupyterLabImageConfigContainerConfig; - /** - * The URL where the Git repository is located. 
See File System Config details below. - */ - fileSystemConfig?: outputs.sagemaker.AppImageConfigJupyterLabImageConfigFileSystemConfig; - } - - export interface AppImageConfigJupyterLabImageConfigContainerConfig { - /** - * The arguments for the container when you're running the application. - */ - containerArguments?: string[]; - /** - * The entrypoint used to run the application in the container. - */ - containerEntrypoints?: string[]; - /** - * The environment variables to set in the container. - */ - containerEnvironmentVariables?: {[key: string]: string}; - } - - export interface AppImageConfigJupyterLabImageConfigFileSystemConfig { - /** - * The default POSIX group ID (GID). If not specified, defaults to `100`. Valid values are `0` and `100`. - */ - defaultGid?: number; - /** - * The default POSIX user ID (UID). If not specified, defaults to `1000`. Valid values are `0` and `1000`. - */ - defaultUid?: number; - /** - * The path within the image to mount the user's EFS home directory. The directory should be empty. If not specified, defaults to `/home/sagemaker-user`. - * - * > **Note:** When specifying `defaultGid` and `defaultUid`, Valid value pairs are [`0`, `0`] and [`100`, `1000`]. - */ - mountPath?: string; - } - - export interface AppImageConfigKernelGatewayImageConfig { - /** - * The URL where the Git repository is located. See File System Config details below. - */ - fileSystemConfig?: outputs.sagemaker.AppImageConfigKernelGatewayImageConfigFileSystemConfig; - /** - * The default branch for the Git repository. See Kernel Spec details below. - */ - kernelSpec: outputs.sagemaker.AppImageConfigKernelGatewayImageConfigKernelSpec; - } - - export interface AppImageConfigKernelGatewayImageConfigFileSystemConfig { - /** - * The default POSIX group ID (GID). If not specified, defaults to `100`. Valid values are `0` and `100`. - */ - defaultGid?: number; - /** - * The default POSIX user ID (UID). If not specified, defaults to `1000`. 
Valid values are `0` and `1000`. - */ - defaultUid?: number; - /** - * The path within the image to mount the user's EFS home directory. The directory should be empty. If not specified, defaults to `/home/sagemaker-user`. - * - * > **Note:** When specifying `defaultGid` and `defaultUid`, Valid value pairs are [`0`, `0`] and [`100`, `1000`]. - */ - mountPath?: string; - } - - export interface AppImageConfigKernelGatewayImageConfigKernelSpec { - /** - * The display name of the kernel. - */ - displayName?: string; - /** - * The name of the kernel. - */ - name: string; - } - - export interface AppResourceSpec { - /** - * The instance type that the image version runs on. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface CodeRepositoryGitConfig { - /** - * The default branch for the Git repository. - */ - branch?: string; - /** - * The URL where the Git repository is located. - */ - repositoryUrl: string; - /** - * The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the credentials used to access the git repository. The secret must have a staging label of AWSCURRENT and must be in the following format: `{"username": UserName, "password": Password}` - */ - secretArn?: string; - } - - export interface DataQualityJobDefinitionDataQualityAppSpecification { - /** - * Sets the environment variables in the container that the monitoring job runs. A list of key value pairs. 
- */ - environment?: {[key: string]: string}; - /** - * The container image that the data quality monitoring job runs. - */ - imageUri: string; - /** - * An Amazon S3 URI to a script that is called after analysis has been performed. Applicable only for the built-in (first party) containers. - */ - postAnalyticsProcessorSourceUri?: string; - /** - * An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers. - */ - recordPreprocessorSourceUri?: string; - } - - export interface DataQualityJobDefinitionDataQualityBaselineConfig { - /** - * The constraints resource for a monitoring job. Fields are documented below. - */ - constraintsResource?: outputs.sagemaker.DataQualityJobDefinitionDataQualityBaselineConfigConstraintsResource; - /** - * The statistics resource for a monitoring job. Fields are documented below. - */ - statisticsResource?: outputs.sagemaker.DataQualityJobDefinitionDataQualityBaselineConfigStatisticsResource; - } - - export interface DataQualityJobDefinitionDataQualityBaselineConfigConstraintsResource { - /** - * The Amazon S3 URI for the constraints resource. - */ - s3Uri?: string; - } - - export interface DataQualityJobDefinitionDataQualityBaselineConfigStatisticsResource { - /** - * The Amazon S3 URI for the statistics resource. - */ - s3Uri?: string; - } - - export interface DataQualityJobDefinitionDataQualityJobInput { - /** - * Input object for the batch transform job. Fields are documented below. - */ - batchTransformInput?: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobInputBatchTransformInput; - /** - * Input object for the endpoint. Fields are documented below. 
- */ - endpointInput?: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobInputEndpointInput; - } - - export interface DataQualityJobDefinitionDataQualityJobInputBatchTransformInput { - /** - * The Amazon S3 location being used to capture the data. - */ - dataCapturedDestinationS3Uri: string; - /** - * The dataset format for your batch transform job. Fields are documented below. - */ - datasetFormat: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormat; - /** - * Path to the filesystem where the batch transform data is available to the container. Defaults to `/opt/ml/processing/input`. - */ - localPath?: string; - /** - * Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`. Valid values are `FullyReplicated` or `ShardedByS3Key` - */ - s3DataDistributionType: string; - /** - * Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File`. Valid values are `Pipe` or `File` - */ - s3InputMode: string; - } - - export interface DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormat { - /** - * The CSV dataset used in the monitoring job. Fields are documented below. - */ - csv?: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormatCsv; - /** - * The JSON dataset used in the monitoring job. Fields are documented below. - */ - json?: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormatJson; - } - - export interface DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormatCsv { - /** - * Indicates if the CSV data has a header. 
- */ - header?: boolean; - } - - export interface DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormatJson { - /** - * Indicates if the file should be read as a json object per line. - */ - line?: boolean; - } - - export interface DataQualityJobDefinitionDataQualityJobInputEndpointInput { - /** - * An endpoint in customer's account which has `dataCaptureConfig` enabled. - */ - endpointName: string; - /** - * Path to the filesystem where the endpoint data is available to the container. Defaults to `/opt/ml/processing/input`. - */ - localPath?: string; - /** - * Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`. Valid values are `FullyReplicated` or `ShardedByS3Key` - */ - s3DataDistributionType: string; - /** - * Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File`. Valid values are `Pipe` or `File` - */ - s3InputMode: string; - } - - export interface DataQualityJobDefinitionDataQualityJobOutputConfig { - /** - * The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption. - */ - kmsKeyId?: string; - /** - * Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded. Fields are documented below. - */ - monitoringOutputs: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobOutputConfigMonitoringOutputs; - } - - export interface DataQualityJobDefinitionDataQualityJobOutputConfigMonitoringOutputs { - /** - * The Amazon S3 storage location where the results of a monitoring job are saved. Fields are documented below. 
- */ - s3Output: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobOutputConfigMonitoringOutputsS3Output; - } - - export interface DataQualityJobDefinitionDataQualityJobOutputConfigMonitoringOutputsS3Output { - /** - * The local path to the Amazon S3 storage location where Amazon SageMaker saves the results of a monitoring job. LocalPath is an absolute path for the output data. Defaults to `/opt/ml/processing/output`. - */ - localPath?: string; - /** - * Whether to upload the results of the monitoring job continuously or after the job completes. Valid values are `Continuous` or `EndOfJob` - */ - s3UploadMode: string; - /** - * A URI that identifies the Amazon S3 storage location where Amazon SageMaker saves the results of a monitoring job. - */ - s3Uri: string; - } - - export interface DataQualityJobDefinitionJobResources { - /** - * The configuration for the cluster resources used to run the processing job. Fields are documented below. - */ - clusterConfig: outputs.sagemaker.DataQualityJobDefinitionJobResourcesClusterConfig; - } - - export interface DataQualityJobDefinitionJobResourcesClusterConfig { - /** - * The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. - */ - instanceCount: number; - /** - * The ML compute instance type for the processing job. - */ - instanceType: string; - /** - * The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to encrypt data on the storage volume attached to the ML compute instance(s) that run the model monitoring job. - */ - volumeKmsKeyId?: string; - /** - * The size of the ML storage volume, in gigabytes, that you want to provision. You must specify sufficient ML storage for your scenario. - */ - volumeSizeInGb: number; - } - - export interface DataQualityJobDefinitionNetworkConfig { - /** - * Whether to encrypt all communications between the instances used for the monitoring jobs. 
Choose `true` to encrypt communications. Encryption provides greater security for distributed jobs, but the processing might take longer. - */ - enableInterContainerTrafficEncryption?: boolean; - /** - * Whether to allow inbound and outbound network calls to and from the containers used for the monitoring job. - */ - enableNetworkIsolation?: boolean; - /** - * Specifies a VPC that your training jobs and hosted models have access to. Control access to and from your training and model containers by configuring the VPC. Fields are documented below. - */ - vpcConfig?: outputs.sagemaker.DataQualityJobDefinitionNetworkConfigVpcConfig; - } - - export interface DataQualityJobDefinitionNetworkConfigVpcConfig { - /** - * The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `subnets` field. - */ - securityGroupIds: string[]; - /** - * The ID of the subnets in the VPC to which you want to connect your training job or model. - */ - subnets: string[]; - } - - export interface DataQualityJobDefinitionStoppingCondition { - /** - * The maximum runtime allowed in seconds. - */ - maxRuntimeInSeconds: number; - } - - export interface DeviceDevice { - /** - * A description for the device. - */ - description?: string; - /** - * The name of the device. - */ - deviceName: string; - /** - * Amazon Web Services Internet of Things (IoT) object name. - */ - iotThingName?: string; - } - - export interface DeviceFleetOutputConfig { - /** - * The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to encrypt data on the storage volume after compilation job. If you don't provide a KMS key ID, Amazon SageMaker uses the default KMS key for Amazon S3 for your role's account. - */ - kmsKeyId?: string; - /** - * The Amazon Simple Storage (S3) bucker URI. - */ - s3OutputLocation: string; - } - - export interface DomainDefaultSpaceSettings { - /** - * The execution role for the space. 
- */ - executionRole: string; - /** - * The Jupyter server's app settings. See `jupyterServerAppSettings` Block below. - */ - jupyterServerAppSettings?: outputs.sagemaker.DomainDefaultSpaceSettingsJupyterServerAppSettings; - /** - * The kernel gateway app settings. See `kernelGatewayAppSettings` Block below. - */ - kernelGatewayAppSettings?: outputs.sagemaker.DomainDefaultSpaceSettingsKernelGatewayAppSettings; - /** - * The security groups for the Amazon Virtual Private Cloud that the space uses for communication. - */ - securityGroups?: string[]; - } - - export interface DomainDefaultSpaceSettingsJupyterServerAppSettings { - /** - * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see `codeRepository` Block below. - */ - codeRepositories?: outputs.sagemaker.DomainDefaultSpaceSettingsJupyterServerAppSettingsCodeRepository[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. - */ - defaultResourceSpec?: outputs.sagemaker.DomainDefaultSpaceSettingsJupyterServerAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface DomainDefaultSpaceSettingsJupyterServerAppSettingsCodeRepository { - /** - * The URL of the Git repository. - */ - repositoryUrl: string; - } - - export interface DomainDefaultSpaceSettingsJupyterServerAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. 
- */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface DomainDefaultSpaceSettingsKernelGatewayAppSettings { - /** - * A list of custom SageMaker images that are configured to run as a KernelGateway app. see `customImage` Block below. - */ - customImages?: outputs.sagemaker.DomainDefaultSpaceSettingsKernelGatewayAppSettingsCustomImage[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. - */ - defaultResourceSpec?: outputs.sagemaker.DomainDefaultSpaceSettingsKernelGatewayAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface DomainDefaultSpaceSettingsKernelGatewayAppSettingsCustomImage { - /** - * The name of the App Image Config. - */ - appImageConfigName: string; - /** - * The name of the Custom Image. - */ - imageName: string; - /** - * The version number of the Custom Image. - */ - imageVersionNumber?: number; - } - - export interface DomainDefaultSpaceSettingsKernelGatewayAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. 
- */ - sagemakerImageVersionArn?: string; - } - - export interface DomainDefaultUserSettings { - /** - * The Canvas app settings. See `canvasAppSettings` Block below. - */ - canvasAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettings; - /** - * The Code Editor application settings. See `codeEditorAppSettings` Block below. - */ - codeEditorAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsCodeEditorAppSettings; - /** - * The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker Studio. See `customFileSystemConfig` Block below. - */ - customFileSystemConfigs?: outputs.sagemaker.DomainDefaultUserSettingsCustomFileSystemConfig[]; - /** - * Details about the POSIX identity that is used for file system operations. See `customPosixUserConfig` Block below. - */ - customPosixUserConfig?: outputs.sagemaker.DomainDefaultUserSettingsCustomPosixUserConfig; - /** - * The default experience that the user is directed to when accessing the domain. The supported values are: `studio::`: Indicates that Studio is the default experience. This value can only be passed if StudioWebPortal is set to ENABLED. `app:JupyterServer:`: Indicates that Studio Classic is the default experience. - */ - defaultLandingUri: string; - /** - * The execution role ARN for the user. - */ - executionRole: string; - /** - * The settings for the JupyterLab application. See `jupyterLabAppSettings` Block below. - */ - jupyterLabAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsJupyterLabAppSettings; - /** - * The Jupyter server's app settings. See `jupyterServerAppSettings` Block below. - */ - jupyterServerAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsJupyterServerAppSettings; - /** - * The kernel gateway app settings. See `kernelGatewayAppSettings` Block below. 
- */ - kernelGatewayAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsKernelGatewayAppSettings; - /** - * The RSession app settings. See `rSessionAppSettings` Block below. - */ - rSessionAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsRSessionAppSettings; - /** - * A collection of settings that configure user interaction with the RStudioServerPro app. See `rStudioServerProAppSettings` Block below. - */ - rStudioServerProAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsRStudioServerProAppSettings; - /** - * A list of security group IDs that will be attached to the user. - */ - securityGroups?: string[]; - /** - * The sharing settings. See `sharingSettings` Block below. - */ - sharingSettings?: outputs.sagemaker.DomainDefaultUserSettingsSharingSettings; - /** - * The storage settings for a private space. See `spaceStorageSettings` Block below. - */ - spaceStorageSettings: outputs.sagemaker.DomainDefaultUserSettingsSpaceStorageSettings; - /** - * Whether the user can access Studio. If this value is set to `DISABLED`, the user cannot access Studio, even if that is the default experience for the domain. Valid values are `ENABLED` and `DISABLED`. - */ - studioWebPortal: string; - /** - * The TensorBoard app settings. See `tensorBoardAppSettings` Block below. - */ - tensorBoardAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsTensorBoardAppSettings; - } - - export interface DomainDefaultUserSettingsCanvasAppSettings { - /** - * The model deployment settings for the SageMaker Canvas application. See `directDeploySettings` Block below. - */ - directDeploySettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsDirectDeploySettings; - /** - * The settings for connecting to an external data source with OAuth. See `identityProviderOauthSettings` Block below. - */ - identityProviderOauthSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsIdentityProviderOauthSetting[]; - /** - * The settings for document querying. 
See `kendraSettings` Block below. - */ - kendraSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsKendraSettings; - /** - * The model registry settings for the SageMaker Canvas application. See `modelRegisterSettings` Block below. - */ - modelRegisterSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsModelRegisterSettings; - /** - * Time series forecast settings for the Canvas app. See `timeSeriesForecastingSettings` Block below. - */ - timeSeriesForecastingSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsTimeSeriesForecastingSettings; - /** - * The workspace settings for the SageMaker Canvas application. See `workspaceSettings` Block below. - */ - workspaceSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsWorkspaceSettings; - } - - export interface DomainDefaultUserSettingsCanvasAppSettingsDirectDeploySettings { - /** - * Describes whether model deployment permissions are enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. - */ - status?: string; - } - - export interface DomainDefaultUserSettingsCanvasAppSettingsIdentityProviderOauthSetting { - /** - * The name of the data source that you're connecting to. Canvas currently supports OAuth for Snowflake and Salesforce Data Cloud. Valid values are `SalesforceGenie` and `Snowflake`. - */ - dataSourceName?: string; - /** - * The ARN of an Amazon Web Services Secrets Manager secret that stores the credentials from your identity provider, such as the client ID and secret, authorization URL, and token URL. - */ - secretArn: string; - /** - * Describes whether OAuth for a data source is enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. - */ - status?: string; - } - - export interface DomainDefaultUserSettingsCanvasAppSettingsKendraSettings { - /** - * Describes whether the document querying feature is enabled or disabled in the Canvas application. 
Valid values are `ENABLED` and `DISABLED`. - */ - status?: string; - } - - export interface DomainDefaultUserSettingsCanvasAppSettingsModelRegisterSettings { - /** - * The Amazon Resource Name (ARN) of the SageMaker model registry account. Required only to register model versions created by a different SageMaker Canvas AWS account than the AWS account in which SageMaker model registry is set up. - */ - crossAccountModelRegisterRoleArn?: string; - /** - * Describes whether the integration to the model registry is enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. - */ - status?: string; - } - - export interface DomainDefaultUserSettingsCanvasAppSettingsTimeSeriesForecastingSettings { - /** - * The IAM role that Canvas passes to Amazon Forecast for time series forecasting. By default, Canvas uses the execution role specified in the UserProfile that launches the Canvas app. If an execution role is not specified in the UserProfile, Canvas uses the execution role specified in the Domain that owns the UserProfile. To allow time series forecasting, this IAM role should have the [AmazonSageMakerCanvasForecastAccess](https://docs.aws.amazon.com/sagemaker/latest/dg/security-iam-awsmanpol-canvas.html#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess) policy attached and forecast.amazonaws.com added in the trust relationship as a service principal. - */ - amazonForecastRoleArn?: string; - /** - * Describes whether time series forecasting is enabled or disabled in the Canvas app. Valid values are `ENABLED` and `DISABLED`. - */ - status?: string; - } - - export interface DomainDefaultUserSettingsCanvasAppSettingsWorkspaceSettings { - /** - * The Amazon S3 bucket used to store artifacts generated by Canvas. Updating the Amazon S3 location impacts existing configuration settings, and Canvas users no longer have access to their artifacts. Canvas users must log out and log back in to apply the new location. 
- */ - s3ArtifactPath?: string; - /** - * The Amazon Web Services Key Management Service (KMS) encryption key ID that is used to encrypt artifacts generated by Canvas in the Amazon S3 bucket. - */ - s3KmsKeyId?: string; - } - - export interface DomainDefaultUserSettingsCodeEditorAppSettings { - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. - */ - defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsCodeEditorAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface DomainDefaultUserSettingsCodeEditorAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface DomainDefaultUserSettingsCustomFileSystemConfig { - /** - * The default EBS storage settings for a private space. See `efsFileSystemConfig` Block below. - */ - efsFileSystemConfig?: outputs.sagemaker.DomainDefaultUserSettingsCustomFileSystemConfigEfsFileSystemConfig; - } - - export interface DomainDefaultUserSettingsCustomFileSystemConfigEfsFileSystemConfig { - /** - * The ID of your Amazon EFS file system. 
- */ - fileSystemId: string; - /** - * The path to the file system directory that is accessible in Amazon SageMaker Studio. Permitted users can access only this directory and below. - */ - fileSystemPath: string; - } - - export interface DomainDefaultUserSettingsCustomPosixUserConfig { - /** - * The POSIX group ID. - */ - gid: number; - /** - * The POSIX user ID. - */ - uid: number; - } - - export interface DomainDefaultUserSettingsJupyterLabAppSettings { - /** - * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see `codeRepository` Block below. - */ - codeRepositories?: outputs.sagemaker.DomainDefaultUserSettingsJupyterLabAppSettingsCodeRepository[]; - /** - * A list of custom SageMaker images that are configured to run as a JupyterLab app. see `customImage` Block below. - */ - customImages?: outputs.sagemaker.DomainDefaultUserSettingsJupyterLabAppSettingsCustomImage[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. - */ - defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsJupyterLabAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface DomainDefaultUserSettingsJupyterLabAppSettingsCodeRepository { - /** - * The URL of the Git repository. - */ - repositoryUrl: string; - } - - export interface DomainDefaultUserSettingsJupyterLabAppSettingsCustomImage { - /** - * The name of the App Image Config. - */ - appImageConfigName: string; - /** - * The name of the Custom Image. - */ - imageName: string; - /** - * The version number of the Custom Image. - */ - imageVersionNumber?: number; - } - - export interface DomainDefaultUserSettingsJupyterLabAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. 
For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface DomainDefaultUserSettingsJupyterServerAppSettings { - /** - * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see `codeRepository` Block below. - */ - codeRepositories?: outputs.sagemaker.DomainDefaultUserSettingsJupyterServerAppSettingsCodeRepository[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. - */ - defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsJupyterServerAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface DomainDefaultUserSettingsJupyterServerAppSettingsCodeRepository { - /** - * The URL of the Git repository. - */ - repositoryUrl: string; - } - - export interface DomainDefaultUserSettingsJupyterServerAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. 
- */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface DomainDefaultUserSettingsKernelGatewayAppSettings { - /** - * A list of custom SageMaker images that are configured to run as a KernelGateway app. see `customImage` Block below. - */ - customImages?: outputs.sagemaker.DomainDefaultUserSettingsKernelGatewayAppSettingsCustomImage[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. - */ - defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface DomainDefaultUserSettingsKernelGatewayAppSettingsCustomImage { - /** - * The name of the App Image Config. - */ - appImageConfigName: string; - /** - * The name of the Custom Image. - */ - imageName: string; - /** - * The version number of the Custom Image. - */ - imageVersionNumber?: number; - } - - export interface DomainDefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. 
- */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface DomainDefaultUserSettingsRSessionAppSettings { - /** - * A list of custom SageMaker images that are configured to run as a RSession app. see `customImage` Block below. - */ - customImages?: outputs.sagemaker.DomainDefaultUserSettingsRSessionAppSettingsCustomImage[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block above. - */ - defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsRSessionAppSettingsDefaultResourceSpec; - } - - export interface DomainDefaultUserSettingsRSessionAppSettingsCustomImage { - /** - * The name of the App Image Config. - */ - appImageConfigName: string; - /** - * The name of the Custom Image. - */ - imageName: string; - /** - * The version number of the Custom Image. - */ - imageVersionNumber?: number; - } - - export interface DomainDefaultUserSettingsRSessionAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface DomainDefaultUserSettingsRStudioServerProAppSettings { - /** - * Indicates whether the current user has access to the RStudioServerPro app. Valid values are `ENABLED` and `DISABLED`. 
- */ - accessStatus?: string; - /** - * The level of permissions that the user has within the RStudioServerPro app. This value defaults to `R_STUDIO_USER`. The `R_STUDIO_ADMIN` value allows the user access to the RStudio Administrative Dashboard. Valid values are `R_STUDIO_USER` and `R_STUDIO_ADMIN`. - */ - userGroup?: string; - } - - export interface DomainDefaultUserSettingsSharingSettings { - /** - * Whether to include the notebook cell output when sharing the notebook. The default is `Disabled`. Valid values are `Allowed` and `Disabled`. - */ - notebookOutputOption?: string; - /** - * When `notebookOutputOption` is Allowed, the AWS Key Management Service (KMS) encryption key ID used to encrypt the notebook cell output in the Amazon S3 bucket. - */ - s3KmsKeyId?: string; - /** - * When `notebookOutputOption` is Allowed, the Amazon S3 bucket used to save the notebook cell output. - */ - s3OutputPath?: string; - } - - export interface DomainDefaultUserSettingsSpaceStorageSettings { - /** - * The default EBS storage settings for a private space. See `defaultEbsStorageSettings` Block below. - */ - defaultEbsStorageSettings?: outputs.sagemaker.DomainDefaultUserSettingsSpaceStorageSettingsDefaultEbsStorageSettings; - } - - export interface DomainDefaultUserSettingsSpaceStorageSettingsDefaultEbsStorageSettings { - /** - * The default size of the EBS storage volume for a private space. - */ - defaultEbsVolumeSizeInGb: number; - /** - * The maximum size of the EBS storage volume for a private space. - */ - maximumEbsVolumeSizeInGb: number; - } - - export interface DomainDefaultUserSettingsTensorBoardAppSettings { - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. 
- */ - defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsTensorBoardAppSettingsDefaultResourceSpec; - } - - export interface DomainDefaultUserSettingsTensorBoardAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface DomainDomainSettings { - /** - * The configuration for attaching a SageMaker user profile name to the execution role as a sts:SourceIdentity key [AWS Docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html). Valid values are `USER_PROFILE_NAME` and `DISABLED`. - */ - executionRoleIdentityConfig?: string; - /** - * A collection of settings that configure the RStudioServerPro Domain-level app. see `rStudioServerProDomainSettings` Block below. - */ - rStudioServerProDomainSettings?: outputs.sagemaker.DomainDomainSettingsRStudioServerProDomainSettings; - /** - * The security groups for the Amazon Virtual Private Cloud that the Domain uses for communication between Domain-level apps and user apps. - */ - securityGroupIds?: string[]; - } - - export interface DomainDomainSettingsRStudioServerProDomainSettings { - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block above. 
- */ - defaultResourceSpec?: outputs.sagemaker.DomainDomainSettingsRStudioServerProDomainSettingsDefaultResourceSpec; - /** - * The ARN of the execution role for the RStudioServerPro Domain-level app. - */ - domainExecutionRoleArn: string; - /** - * A URL pointing to an RStudio Connect server. - */ - rStudioConnectUrl?: string; - /** - * A URL pointing to an RStudio Package Manager server. - */ - rStudioPackageManagerUrl?: string; - } - - export interface DomainDomainSettingsRStudioServerProDomainSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface DomainRetentionPolicy { - /** - * The retention policy for data stored on an Amazon Elastic File System (EFS) volume. Valid values are `Retain` or `Delete`. Default value is `Retain`. - */ - homeEfsFileSystem?: string; - } - - export interface EndpointConfigurationAsyncInferenceConfig { - /** - * Configures the behavior of the client used by Amazon SageMaker to interact with the model container during asynchronous inference. - */ - clientConfig?: outputs.sagemaker.EndpointConfigurationAsyncInferenceConfigClientConfig; - /** - * Specifies the configuration for asynchronous inference invocation outputs. 
- */ - outputConfig: outputs.sagemaker.EndpointConfigurationAsyncInferenceConfigOutputConfig; - } - - export interface EndpointConfigurationAsyncInferenceConfigClientConfig { - /** - * The maximum number of concurrent requests sent by the SageMaker client to the model container. If no value is provided, Amazon SageMaker will choose an optimal value for you. - */ - maxConcurrentInvocationsPerInstance?: number; - } - - export interface EndpointConfigurationAsyncInferenceConfigOutputConfig { - /** - * The Amazon Web Services Key Management Service (Amazon Web Services KMS) key that Amazon SageMaker uses to encrypt the asynchronous inference output in Amazon S3. - */ - kmsKeyId?: string; - /** - * Specifies the configuration for notifications of inference results for asynchronous inference. - */ - notificationConfig?: outputs.sagemaker.EndpointConfigurationAsyncInferenceConfigOutputConfigNotificationConfig; - /** - * The Amazon S3 location to upload failure inference responses to. - */ - s3FailurePath?: string; - /** - * The Amazon S3 location to upload inference responses to. - */ - s3OutputPath: string; - } - - export interface EndpointConfigurationAsyncInferenceConfigOutputConfigNotificationConfig { - /** - * Amazon SNS topic to post a notification to when inference fails. If no topic is provided, no notification is sent on failure. - */ - errorTopic?: string; - /** - * The Amazon SNS topics where you want the inference response to be included. Valid values are `SUCCESS_NOTIFICATION_TOPIC` and `ERROR_NOTIFICATION_TOPIC`. - */ - includeInferenceResponseIns?: string[]; - /** - * Amazon SNS topic to post a notification to when inference completes successfully. If no topic is provided, no notification is sent on success. - */ - successTopic?: string; - } - - export interface EndpointConfigurationDataCaptureConfig { - /** - * The content type headers to capture. Fields are documented below. 
- */ - captureContentTypeHeader?: outputs.sagemaker.EndpointConfigurationDataCaptureConfigCaptureContentTypeHeader; - /** - * Specifies what data to capture. Fields are documented below. - */ - captureOptions: outputs.sagemaker.EndpointConfigurationDataCaptureConfigCaptureOption[]; - /** - * The URL for S3 location where the captured data is stored. - */ - destinationS3Uri: string; - /** - * Flag to enable data capture. Defaults to `false`. - */ - enableCapture?: boolean; - /** - * Portion of data to capture. Should be between 0 and 100. - */ - initialSamplingPercentage: number; - /** - * Amazon Resource Name (ARN) of a AWS Key Management Service key that Amazon SageMaker uses to encrypt the captured data on Amazon S3. - */ - kmsKeyId?: string; - } - - export interface EndpointConfigurationDataCaptureConfigCaptureContentTypeHeader { - /** - * The CSV content type headers to capture. - */ - csvContentTypes?: string[]; - /** - * The JSON content type headers to capture. - */ - jsonContentTypes?: string[]; - } - - export interface EndpointConfigurationDataCaptureConfigCaptureOption { - /** - * Specifies the data to be captured. Should be one of `Input` or `Output`. - */ - captureMode: string; - } - - export interface EndpointConfigurationProductionVariant { - /** - * The size of the Elastic Inference (EI) instance to use for the production variant. - */ - acceleratorType?: string; - /** - * The timeout value, in seconds, for your inference container to pass health check by SageMaker Hosting. For more information about health check, see [How Your Container Should Respond to Health Check (Ping) Requests](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-inference-code.html#your-algorithms-inference-algo-ping-requests). Valid values between `60` and `3600`. - */ - containerStartupHealthCheckTimeoutInSeconds?: number; - /** - * Specifies configuration for a core dump from the model container when the process crashes. Fields are documented below. 
- */ - coreDumpConfig?: outputs.sagemaker.EndpointConfigurationProductionVariantCoreDumpConfig; - /** - * You can use this parameter to turn on native Amazon Web Services Systems Manager (SSM) access for a production variant behind an endpoint. By default, SSM access is disabled for all production variants behind an endpoints. - */ - enableSsmAccess?: boolean; - /** - * Initial number of instances used for auto-scaling. - */ - initialInstanceCount?: number; - /** - * Determines initial traffic distribution among all of the models that you specify in the endpoint configuration. If unspecified, it defaults to `1.0`. - */ - initialVariantWeight?: number; - /** - * The type of instance to start. - */ - instanceType?: string; - /** - * The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this production variant. Valid values between `60` and `3600`. - */ - modelDataDownloadTimeoutInSeconds?: number; - /** - * The name of the model to use. - */ - modelName: string; - /** - * Sets how the endpoint routes incoming traffic. See routingConfig below. - */ - routingConfigs?: outputs.sagemaker.EndpointConfigurationProductionVariantRoutingConfig[]; - /** - * Specifies configuration for how an endpoint performs asynchronous inference. - */ - serverlessConfig?: outputs.sagemaker.EndpointConfigurationProductionVariantServerlessConfig; - /** - * The name of the variant. If omitted, this provider will assign a random, unique name. - */ - variantName: string; - /** - * The size, in GB, of the ML storage volume attached to individual inference instance associated with the production variant. Valid values between `1` and `512`. - */ - volumeSizeInGb: number; - } - - export interface EndpointConfigurationProductionVariantCoreDumpConfig { - /** - * The Amazon S3 bucket to send the core dump to. 
- */ - destinationS3Uri: string; - /** - * The Amazon Web Services Key Management Service (Amazon Web Services KMS) key that SageMaker uses to encrypt the core dump data at rest using Amazon S3 server-side encryption. - */ - kmsKeyId?: string; - } - - export interface EndpointConfigurationProductionVariantRoutingConfig { - /** - * Sets how the endpoint routes incoming traffic. Valid values are `LEAST_OUTSTANDING_REQUESTS` and `RANDOM`. `LEAST_OUTSTANDING_REQUESTS` routes requests to the specific instances that have more capacity to process them. `RANDOM` routes each request to a randomly chosen instance. - */ - routingStrategy: string; - } - - export interface EndpointConfigurationProductionVariantServerlessConfig { - /** - * The maximum number of concurrent invocations your serverless endpoint can process. Valid values are between `1` and `200`. - */ - maxConcurrency: number; - /** - * The memory size of your serverless endpoint. Valid values are in 1 GB increments: `1024` MB, `2048` MB, `3072` MB, `4096` MB, `5120` MB, or `6144` MB. - */ - memorySizeInMb: number; - /** - * The amount of provisioned concurrency to allocate for the serverless endpoint. Should be less than or equal to `maxConcurrency`. Valid values are between `1` and `200`. 
- */ - provisionedConcurrency?: number; - } - - export interface EndpointConfigurationShadowProductionVariant { - acceleratorType?: string; - containerStartupHealthCheckTimeoutInSeconds?: number; - coreDumpConfig?: outputs.sagemaker.EndpointConfigurationShadowProductionVariantCoreDumpConfig; - enableSsmAccess?: boolean; - initialInstanceCount?: number; - initialVariantWeight?: number; - instanceType?: string; - modelDataDownloadTimeoutInSeconds?: number; - modelName: string; - routingConfigs?: outputs.sagemaker.EndpointConfigurationShadowProductionVariantRoutingConfig[]; - serverlessConfig?: outputs.sagemaker.EndpointConfigurationShadowProductionVariantServerlessConfig; - variantName: string; - volumeSizeInGb?: number; - } - - export interface EndpointConfigurationShadowProductionVariantCoreDumpConfig { - /** - * The Amazon S3 bucket to send the core dump to. - */ - destinationS3Uri: string; - /** - * The Amazon Web Services Key Management Service (Amazon Web Services KMS) key that SageMaker uses to encrypt the core dump data at rest using Amazon S3 server-side encryption. - */ - kmsKeyId: string; - } - - export interface EndpointConfigurationShadowProductionVariantRoutingConfig { - /** - * Sets how the endpoint routes incoming traffic. Valid values are `LEAST_OUTSTANDING_REQUESTS` and `RANDOM`. `LEAST_OUTSTANDING_REQUESTS` routes requests to the specific instances that have more capacity to process them. `RANDOM` routes each request to a randomly chosen instance. - */ - routingStrategy: string; - } - - export interface EndpointConfigurationShadowProductionVariantServerlessConfig { - /** - * The maximum number of concurrent invocations your serverless endpoint can process. Valid values are between `1` and `200`. - */ - maxConcurrency: number; - /** - * The memory size of your serverless endpoint. Valid values are in 1 GB increments: `1024` MB, `2048` MB, `3072` MB, `4096` MB, `5120` MB, or `6144` MB. 
- */ - memorySizeInMb: number; - /** - * The amount of provisioned concurrency to allocate for the serverless endpoint. Should be less than or equal to `maxConcurrency`. Valid values are between `1` and `200`. - */ - provisionedConcurrency?: number; - } - - export interface EndpointDeploymentConfig { - /** - * Automatic rollback configuration for handling endpoint deployment failures and recovery. See Auto Rollback Configuration. - */ - autoRollbackConfiguration?: outputs.sagemaker.EndpointDeploymentConfigAutoRollbackConfiguration; - /** - * Update policy for a blue/green deployment. If this update policy is specified, SageMaker creates a new fleet during the deployment while maintaining the old fleet. SageMaker flips traffic to the new fleet according to the specified traffic routing configuration. Only one update policy should be used in the deployment configuration. If no update policy is specified, SageMaker uses a blue/green deployment strategy with all at once traffic shifting by default. See Blue Green Update Config. - */ - blueGreenUpdatePolicy?: outputs.sagemaker.EndpointDeploymentConfigBlueGreenUpdatePolicy; - /** - * Specifies a rolling deployment strategy for updating a SageMaker endpoint. See Rolling Update Policy. - */ - rollingUpdatePolicy?: outputs.sagemaker.EndpointDeploymentConfigRollingUpdatePolicy; - } - - export interface EndpointDeploymentConfigAutoRollbackConfiguration { - /** - * List of CloudWatch alarms in your account that are configured to monitor metrics on an endpoint. If any alarms are tripped during a deployment, SageMaker rolls back the deployment. See Alarms. - */ - alarms?: outputs.sagemaker.EndpointDeploymentConfigAutoRollbackConfigurationAlarm[]; - } - - export interface EndpointDeploymentConfigAutoRollbackConfigurationAlarm { - /** - * The name of a CloudWatch alarm in your account. 
- */ - alarmName: string; - } - - export interface EndpointDeploymentConfigBlueGreenUpdatePolicy { - maximumExecutionTimeoutInSeconds?: number; - terminationWaitInSeconds?: number; - trafficRoutingConfiguration: outputs.sagemaker.EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfiguration; - } - - export interface EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfiguration { - /** - * Batch size for the first step to turn on traffic on the new endpoint fleet. Value must be less than or equal to 50% of the variant's total instance count. See Canary Size. - */ - canarySize?: outputs.sagemaker.EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfigurationCanarySize; - /** - * Batch size for each step to turn on traffic on the new endpoint fleet. Value must be 10-50% of the variant's total instance count. See Linear Step Size. - */ - linearStepSize?: outputs.sagemaker.EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfigurationLinearStepSize; - /** - * Traffic routing strategy type. Valid values are: `ALL_AT_ONCE`, `CANARY`, and `LINEAR`. - */ - type: string; - /** - * The waiting time (in seconds) between incremental steps to turn on traffic on the new endpoint fleet. Valid values are between `0` and `3600`. - */ - waitIntervalInSeconds: number; - } - - export interface EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfigurationCanarySize { - /** - * Specifies the endpoint capacity type. Valid values are: `INSTANCE_COUNT`, or `CAPACITY_PERCENT`. - */ - type: string; - /** - * Defines the capacity size, either as a number of instances or a capacity percentage. - */ - value: number; - } - - export interface EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfigurationLinearStepSize { - /** - * Specifies the endpoint capacity type. Valid values are: `INSTANCE_COUNT`, or `CAPACITY_PERCENT`. 
- */ - type: string; - /** - * Defines the capacity size, either as a number of instances or a capacity percentage. - */ - value: number; - } - - export interface EndpointDeploymentConfigRollingUpdatePolicy { - /** - * Batch size for each rolling step to provision capacity and turn on traffic on the new endpoint fleet, and terminate capacity on the old endpoint fleet. Value must be between 5% to 50% of the variant's total instance count. See Maximum Batch Size. - */ - maximumBatchSize: outputs.sagemaker.EndpointDeploymentConfigRollingUpdatePolicyMaximumBatchSize; - /** - * The time limit for the total deployment. Exceeding this limit causes a timeout. Valid values are between `600` and `14400`. - */ - maximumExecutionTimeoutInSeconds?: number; - /** - * Batch size for rollback to the old endpoint fleet. Each rolling step to provision capacity and turn on traffic on the old endpoint fleet, and terminate capacity on the new endpoint fleet. If this field is absent, the default value will be set to 100% of total capacity which means to bring up the whole capacity of the old fleet at once during rollback. See Rollback Maximum Batch Size. - */ - rollbackMaximumBatchSize?: outputs.sagemaker.EndpointDeploymentConfigRollingUpdatePolicyRollbackMaximumBatchSize; - /** - * The length of the baking period, during which SageMaker monitors alarms for each batch on the new fleet. Valid values are between `0` and `3600`. - */ - waitIntervalInSeconds: number; - } - - export interface EndpointDeploymentConfigRollingUpdatePolicyMaximumBatchSize { - /** - * Specifies the endpoint capacity type. Valid values are: `INSTANCE_COUNT`, or `CAPACITY_PERCENT`. - */ - type: string; - /** - * Defines the capacity size, either as a number of instances or a capacity percentage. - */ - value: number; - } - - export interface EndpointDeploymentConfigRollingUpdatePolicyRollbackMaximumBatchSize { - /** - * Specifies the endpoint capacity type. Valid values are: `INSTANCE_COUNT`, or `CAPACITY_PERCENT`. 
- */ - type: string; - /** - * Defines the capacity size, either as a number of instances or a capacity percentage. - */ - value: number; - } - - export interface FeatureGroupFeatureDefinition { - /** - * The name of a feature. `featureName` cannot be any of the following: `isDeleted`, `writeTime`, `apiInvocationTime`. - */ - featureName?: string; - /** - * The value type of a feature. Valid values are `Integral`, `Fractional`, or `String`. - */ - featureType?: string; - } - - export interface FeatureGroupOfflineStoreConfig { - /** - * The meta data of the Glue table that is autogenerated when an OfflineStore is created. See Data Catalog Config Below. - */ - dataCatalogConfig: outputs.sagemaker.FeatureGroupOfflineStoreConfigDataCatalogConfig; - disableGlueTableCreation?: boolean; - /** - * The Amazon Simple Storage (Amazon S3) location of OfflineStore. See S3 Storage Config Below. - */ - s3StorageConfig: outputs.sagemaker.FeatureGroupOfflineStoreConfigS3StorageConfig; - /** - * Format for the offline store table. Supported formats are `Glue` (Default) and Apache `Iceberg` (https://iceberg.apache.org/). - */ - tableFormat?: string; - } - - export interface FeatureGroupOfflineStoreConfigDataCatalogConfig { - /** - * The name of the Glue table catalog. - */ - catalog: string; - /** - * The name of the Glue table database. - */ - database: string; - /** - * The name of the Glue table. - */ - tableName: string; - } - - export interface FeatureGroupOfflineStoreConfigS3StorageConfig { - /** - * The AWS Key Management Service (KMS) key ID of the key used to encrypt any objects written into the OfflineStore S3 location. - */ - kmsKeyId?: string; - /** - * The S3 path where offline records are written. - */ - resolvedOutputS3Uri: string; - /** - * The S3 URI, or location in Amazon S3, of OfflineStore. 
- */ - s3Uri: string; - } - - export interface FeatureGroupOnlineStoreConfig { - enableOnlineStore?: boolean; - /** - * Security config for at-rest encryption of your OnlineStore. See Security Config Below. - */ - securityConfig?: outputs.sagemaker.FeatureGroupOnlineStoreConfigSecurityConfig; - /** - * Option for different tiers of low latency storage for real-time data retrieval. Valid values are `Standard`, or `InMemory`. - */ - storageType?: string; - /** - * Time to live duration, where the record is hard deleted after the expiration time is reached; ExpiresAt = EventTime + TtlDuration.. See TTl Duration Below. - */ - ttlDuration?: outputs.sagemaker.FeatureGroupOnlineStoreConfigTtlDuration; - } - - export interface FeatureGroupOnlineStoreConfigSecurityConfig { - /** - * The ID of the AWS Key Management Service (AWS KMS) key that SageMaker Feature Store uses to encrypt the Amazon S3 objects at rest using Amazon S3 server-side encryption. - */ - kmsKeyId?: string; - } - - export interface FeatureGroupOnlineStoreConfigTtlDuration { - /** - * TtlDuration time unit. Valid values are `Seconds`, `Minutes`, `Hours`, `Days`, or `Weeks`. - */ - unit?: string; - /** - * TtlDuration time value. - */ - value?: number; - } - - export interface FlowDefinitionHumanLoopActivationConfig { - /** - * defines under what conditions SageMaker creates a human loop. See Human Loop Activation Conditions Config details below. - */ - humanLoopActivationConditionsConfig?: outputs.sagemaker.FlowDefinitionHumanLoopActivationConfigHumanLoopActivationConditionsConfig; - } - - export interface FlowDefinitionHumanLoopActivationConfigHumanLoopActivationConditionsConfig { - /** - * A JSON expressing use-case specific conditions declaratively. If any condition is matched, atomic tasks are created against the configured work team. 
For more information about how to structure the JSON, see [JSON Schema for Human Loop Activation Conditions in Amazon Augmented AI](https://docs.aws.amazon.com/sagemaker/latest/dg/a2i-human-fallback-conditions-json-schema.html). - */ - humanLoopActivationConditions: string; - } - - export interface FlowDefinitionHumanLoopConfig { - /** - * The Amazon Resource Name (ARN) of the human task user interface. - */ - humanTaskUiArn: string; - /** - * Defines the amount of money paid to an Amazon Mechanical Turk worker for each task performed. See Public Workforce Task Price details below. - */ - publicWorkforceTaskPrice?: outputs.sagemaker.FlowDefinitionHumanLoopConfigPublicWorkforceTaskPrice; - /** - * The length of time that a task remains available for review by human workers. Valid value range between `1` and `864000`. - */ - taskAvailabilityLifetimeInSeconds?: number; - /** - * The number of distinct workers who will perform the same task on each object. Valid value range between `1` and `3`. - */ - taskCount: number; - /** - * A description for the human worker task. - */ - taskDescription: string; - /** - * An array of keywords used to describe the task so that workers can discover the task. - */ - taskKeywords?: string[]; - /** - * The amount of time that a worker has to complete a task. The default value is `3600` seconds. - */ - taskTimeLimitInSeconds?: number; - /** - * A title for the human worker task. - */ - taskTitle: string; - /** - * The Amazon Resource Name (ARN) of the human task user interface. Amazon Resource Name (ARN) of a team of workers. For Public workforces see [AWS Docs](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-workforce-management-public.html). - */ - workteamArn: string; - } - - export interface FlowDefinitionHumanLoopConfigPublicWorkforceTaskPrice { - /** - * Defines the amount of money paid to an Amazon Mechanical Turk worker in United States dollars. See Amount In Usd details below. 
- */ - amountInUsd?: outputs.sagemaker.FlowDefinitionHumanLoopConfigPublicWorkforceTaskPriceAmountInUsd; - } - - export interface FlowDefinitionHumanLoopConfigPublicWorkforceTaskPriceAmountInUsd { - /** - * The fractional portion, in cents, of the amount. Valid value range between `0` and `99`. - */ - cents?: number; - /** - * The whole number of dollars in the amount. Valid value range between `0` and `2`. - */ - dollars?: number; - /** - * Fractions of a cent, in tenths. Valid value range between `0` and `9`. - */ - tenthFractionsOfACent?: number; - } - - export interface FlowDefinitionHumanLoopRequestSource { - /** - * Specifies whether Amazon Rekognition or Amazon Textract are used as the integration source. Valid values are: `AWS/Rekognition/DetectModerationLabels/Image/V3` and `AWS/Textract/AnalyzeDocument/Forms/V1`. - */ - awsManagedHumanLoopRequestSource: string; - } - - export interface FlowDefinitionOutputConfig { - /** - * The Amazon Key Management Service (KMS) key ARN for server-side encryption. - */ - kmsKeyId?: string; - /** - * The Amazon S3 path where the object containing human output will be made available. - */ - s3OutputPath: string; - } - - export interface HumanTaskUIUiTemplate { - /** - * The content of the Liquid template for the worker user interface. - */ - content?: string; - /** - * The SHA-256 digest of the contents of the template. - */ - contentSha256: string; - /** - * The URL for the user interface template. - */ - url: string; - } - - export interface ModelContainer { - /** - * The DNS host name for the container. - */ - containerHostname?: string; - /** - * Environment variables for the Docker container. - * A list of key value pairs. - */ - environment?: {[key: string]: string}; - /** - * The registry path where the inference code image is stored in Amazon ECR. 
- */ - image?: string; - /** - * Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). For more information see [Using a Private Docker Registry for Real-Time Inference Containers](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-containers-inference-private.html). see Image Config. - */ - imageConfig?: outputs.sagemaker.ModelContainerImageConfig; - /** - * The container hosts value `SingleModel/MultiModel`. The default value is `SingleModel`. - */ - mode?: string; - /** - * The location of model data to deploy. Use this for uncompressed model deployment. For information about how to deploy an uncompressed model, see [Deploying uncompressed models](https://docs.aws.amazon.com/sagemaker/latest/dg/large-model-inference-uncompressed.html) in the _AWS SageMaker Developer Guide_. - */ - modelDataSource: outputs.sagemaker.ModelContainerModelDataSource; - /** - * The URL for the S3 location where model artifacts are stored. - */ - modelDataUrl?: string; - /** - * The Amazon Resource Name (ARN) of the model package to use to create the model. - */ - modelPackageName?: string; - } - - export interface ModelContainerImageConfig { - /** - * Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). Allowed values are: `Platform` and `Vpc`. - */ - repositoryAccessMode: string; - /** - * Specifies an authentication configuration for the private docker registry where your model image is hosted. Specify a value for this property only if you specified Vpc as the value for the RepositoryAccessMode field, and the private Docker registry where the model image is hosted requires authentication. see Repository Auth Config. 
- */ - repositoryAuthConfig?: outputs.sagemaker.ModelContainerImageConfigRepositoryAuthConfig; - } - - export interface ModelContainerImageConfigRepositoryAuthConfig { - /** - * The Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html) in the _AWS Lambda Developer Guide_. - */ - repositoryCredentialsProviderArn: string; - } - - export interface ModelContainerModelDataSource { - /** - * The S3 location of model data to deploy. - */ - s3DataSources: outputs.sagemaker.ModelContainerModelDataSourceS3DataSource[]; - } - - export interface ModelContainerModelDataSourceS3DataSource { - /** - * How the model data is prepared. Allowed values are: `None` and `Gzip`. - */ - compressionType: string; - /** - * The type of model data to deploy. Allowed values are: `S3Object` and `S3Prefix`. - */ - s3DataType: string; - /** - * The S3 path of model data to deploy. - */ - s3Uri: string; - } - - export interface ModelInferenceExecutionConfig { - mode: string; - } - - export interface ModelPrimaryContainer { - containerHostname?: string; - environment?: {[key: string]: string}; - image?: string; - imageConfig?: outputs.sagemaker.ModelPrimaryContainerImageConfig; - mode?: string; - modelDataSource: outputs.sagemaker.ModelPrimaryContainerModelDataSource; - modelDataUrl?: string; - modelPackageName?: string; - } - - export interface ModelPrimaryContainerImageConfig { - /** - * Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). Allowed values are: `Platform` and `Vpc`. 
- */ - repositoryAccessMode: string; - /** - * Specifies an authentication configuration for the private docker registry where your model image is hosted. Specify a value for this property only if you specified Vpc as the value for the RepositoryAccessMode field, and the private Docker registry where the model image is hosted requires authentication. see Repository Auth Config. - */ - repositoryAuthConfig?: outputs.sagemaker.ModelPrimaryContainerImageConfigRepositoryAuthConfig; - } - - export interface ModelPrimaryContainerImageConfigRepositoryAuthConfig { - /** - * The Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html) in the _AWS Lambda Developer Guide_. - */ - repositoryCredentialsProviderArn: string; - } - - export interface ModelPrimaryContainerModelDataSource { - /** - * The S3 location of model data to deploy. - */ - s3DataSources: outputs.sagemaker.ModelPrimaryContainerModelDataSourceS3DataSource[]; - } - - export interface ModelPrimaryContainerModelDataSourceS3DataSource { - /** - * How the model data is prepared. Allowed values are: `None` and `Gzip`. - */ - compressionType: string; - /** - * The type of model data to deploy. Allowed values are: `S3Object` and `S3Prefix`. - */ - s3DataType: string; - /** - * The S3 path of model data to deploy. - */ - s3Uri: string; - } - - export interface ModelVpcConfig { - securityGroupIds: string[]; - subnets: string[]; - } - - export interface MonitoringScheduleMonitoringScheduleConfig { - /** - * The name of the monitoring job definition to schedule. - */ - monitoringJobDefinitionName: string; - /** - * The type of the monitoring job definition to schedule. 
Valid values are `DataQuality`, `ModelQuality`, `ModelBias` or `ModelExplainability` - */ - monitoringType: string; - /** - * Configures the monitoring schedule. Fields are documented below. - */ - scheduleConfig: outputs.sagemaker.MonitoringScheduleMonitoringScheduleConfigScheduleConfig; - } - - export interface MonitoringScheduleMonitoringScheduleConfigScheduleConfig { - /** - * A cron expression that describes details about the monitoring schedule. For example, and hourly schedule would be `cron(0 * ? * * *)`. - */ - scheduleExpression: string; - } - - export interface NotebookInstanceInstanceMetadataServiceConfiguration { - /** - * Indicates the minimum IMDS version that the notebook instance supports. When passed "1" is passed. This means that both IMDSv1 and IMDSv2 are supported. Valid values are `1` and `2`. - */ - minimumInstanceMetadataServiceVersion: string; - } - - export interface PipelineParallelismConfiguration { - /** - * The max number of steps that can be executed in parallel. - */ - maxParallelExecutionSteps: number; - } - - export interface PipelinePipelineDefinitionS3Location { - /** - * Name of the S3 bucket. - */ - bucket: string; - /** - * The object key (or key name) uniquely identifies the object in an S3 bucket. - */ - objectKey: string; - /** - * Version Id of the pipeline definition file. If not specified, Amazon SageMaker will retrieve the latest version. - */ - versionId?: string; - } - - export interface ProjectServiceCatalogProvisioningDetails { - /** - * The path identifier of the product. This value is optional if the product has a default path, and required if the product has more than one path. - */ - pathId?: string; - /** - * The ID of the product to provision. - */ - productId: string; - /** - * The ID of the provisioning artifact. - */ - provisioningArtifactId: string; - /** - * A list of key value pairs that you specify when you provision a product. See Provisioning Parameter below. 
- */ - provisioningParameters?: outputs.sagemaker.ProjectServiceCatalogProvisioningDetailsProvisioningParameter[]; - } - - export interface ProjectServiceCatalogProvisioningDetailsProvisioningParameter { - /** - * The key that identifies a provisioning parameter. - */ - key: string; - /** - * The value of the provisioning parameter. - */ - value?: string; - } - - export interface SpaceOwnershipSettings { - /** - * The user profile who is the owner of the private space. - */ - ownerUserProfileName: string; - } - - export interface SpaceSpaceSettings { - /** - * The type of app created within the space. - */ - appType?: string; - /** - * The Code Editor application settings. See Code Editor App Settings below. - */ - codeEditorAppSettings?: outputs.sagemaker.SpaceSpaceSettingsCodeEditorAppSettings; - /** - * A file system, created by you, that you assign to a space for an Amazon SageMaker Domain. See Custom File System below. - */ - customFileSystems?: outputs.sagemaker.SpaceSpaceSettingsCustomFileSystem[]; - /** - * The settings for the JupyterLab application. See Jupyter Lab App Settings below. - */ - jupyterLabAppSettings?: outputs.sagemaker.SpaceSpaceSettingsJupyterLabAppSettings; - /** - * The Jupyter server's app settings. See Jupyter Server App Settings below. - */ - jupyterServerAppSettings?: outputs.sagemaker.SpaceSpaceSettingsJupyterServerAppSettings; - /** - * The kernel gateway app settings. See Kernel Gateway App Settings below. - */ - kernelGatewayAppSettings?: outputs.sagemaker.SpaceSpaceSettingsKernelGatewayAppSettings; - spaceStorageSettings: outputs.sagemaker.SpaceSpaceSettingsSpaceStorageSettings; - } - - export interface SpaceSpaceSettingsCodeEditorAppSettings { - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. 
- */ - defaultResourceSpec: outputs.sagemaker.SpaceSpaceSettingsCodeEditorAppSettingsDefaultResourceSpec; - } - - export interface SpaceSpaceSettingsCodeEditorAppSettingsDefaultResourceSpec { - /** - * The instance type. - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The Amazon Resource Name (ARN) of the SageMaker image created on the instance. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface SpaceSpaceSettingsCustomFileSystem { - /** - * A custom file system in Amazon EFS. see EFS File System below. - */ - efsFileSystem: outputs.sagemaker.SpaceSpaceSettingsCustomFileSystemEfsFileSystem; - } - - export interface SpaceSpaceSettingsCustomFileSystemEfsFileSystem { - /** - * The ID of your Amazon EFS file system. - */ - fileSystemId: string; - } - - export interface SpaceSpaceSettingsJupyterLabAppSettings { - /** - * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see Code Repository below. - */ - codeRepositories?: outputs.sagemaker.SpaceSpaceSettingsJupyterLabAppSettingsCodeRepository[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. - */ - defaultResourceSpec: outputs.sagemaker.SpaceSpaceSettingsJupyterLabAppSettingsDefaultResourceSpec; - } - - export interface SpaceSpaceSettingsJupyterLabAppSettingsCodeRepository { - /** - * The URL of the Git repository. - */ - repositoryUrl: string; - } - - export interface SpaceSpaceSettingsJupyterLabAppSettingsDefaultResourceSpec { - /** - * The instance type. 
- */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The Amazon Resource Name (ARN) of the SageMaker image created on the instance. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface SpaceSpaceSettingsJupyterServerAppSettings { - /** - * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see Code Repository below. - */ - codeRepositories?: outputs.sagemaker.SpaceSpaceSettingsJupyterServerAppSettingsCodeRepository[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. - */ - defaultResourceSpec: outputs.sagemaker.SpaceSpaceSettingsJupyterServerAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface SpaceSpaceSettingsJupyterServerAppSettingsCodeRepository { - /** - * The URL of the Git repository. - */ - repositoryUrl: string; - } - - export interface SpaceSpaceSettingsJupyterServerAppSettingsDefaultResourceSpec { - /** - * The instance type. - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The Amazon Resource Name (ARN) of the SageMaker image created on the instance. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. 
- */ - sagemakerImageVersionArn?: string; - } - - export interface SpaceSpaceSettingsKernelGatewayAppSettings { - /** - * A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below. - */ - customImages?: outputs.sagemaker.SpaceSpaceSettingsKernelGatewayAppSettingsCustomImage[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. - */ - defaultResourceSpec: outputs.sagemaker.SpaceSpaceSettingsKernelGatewayAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface SpaceSpaceSettingsKernelGatewayAppSettingsCustomImage { - /** - * The name of the App Image Config. - */ - appImageConfigName: string; - /** - * The name of the Custom Image. - */ - imageName: string; - /** - * The version number of the Custom Image. - */ - imageVersionNumber?: number; - } - - export interface SpaceSpaceSettingsKernelGatewayAppSettingsDefaultResourceSpec { - /** - * The instance type. - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The Amazon Resource Name (ARN) of the SageMaker image created on the instance. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface SpaceSpaceSettingsSpaceStorageSettings { - ebsStorageSettings: outputs.sagemaker.SpaceSpaceSettingsSpaceStorageSettingsEbsStorageSettings; - } - - export interface SpaceSpaceSettingsSpaceStorageSettingsEbsStorageSettings { - ebsVolumeSizeInGb: number; - } - - export interface SpaceSpaceSharingSettings { - /** - * Specifies the sharing type of the space. 
Valid values are `Private` and `Shared`. - */ - sharingType: string; - } - - export interface UserProfileUserSettings { - /** - * The Canvas app settings. See Canvas App Settings below. - */ - canvasAppSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettings; - /** - * The Code Editor application settings. See Code Editor App Settings below. - */ - codeEditorAppSettings?: outputs.sagemaker.UserProfileUserSettingsCodeEditorAppSettings; - /** - * The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker Studio. See Custom File System Config below. - */ - customFileSystemConfigs?: outputs.sagemaker.UserProfileUserSettingsCustomFileSystemConfig[]; - /** - * Details about the POSIX identity that is used for file system operations. See Custom Posix User Config below. - */ - customPosixUserConfig?: outputs.sagemaker.UserProfileUserSettingsCustomPosixUserConfig; - /** - * The default experience that the user is directed to when accessing the domain. The supported values are: `studio::`: Indicates that Studio is the default experience. This value can only be passed if StudioWebPortal is set to ENABLED. `app:JupyterServer:`: Indicates that Studio Classic is the default experience. - */ - defaultLandingUri?: string; - /** - * The execution role ARN for the user. - */ - executionRole: string; - /** - * The settings for the JupyterLab application. See Jupyter Lab App Settings below. - */ - jupyterLabAppSettings?: outputs.sagemaker.UserProfileUserSettingsJupyterLabAppSettings; - /** - * The Jupyter server's app settings. See Jupyter Server App Settings below. - */ - jupyterServerAppSettings?: outputs.sagemaker.UserProfileUserSettingsJupyterServerAppSettings; - /** - * The kernel gateway app settings. See Kernel Gateway App Settings below. - */ - kernelGatewayAppSettings?: outputs.sagemaker.UserProfileUserSettingsKernelGatewayAppSettings; - /** - * The RSession app settings. 
See RSession App Settings below. - */ - rSessionAppSettings?: outputs.sagemaker.UserProfileUserSettingsRSessionAppSettings; - /** - * A collection of settings that configure user interaction with the RStudioServerPro app. See RStudioServerProAppSettings below. - */ - rStudioServerProAppSettings?: outputs.sagemaker.UserProfileUserSettingsRStudioServerProAppSettings; - /** - * A list of security group IDs that will be attached to the user. - */ - securityGroups?: string[]; - /** - * The sharing settings. See Sharing Settings below. - */ - sharingSettings?: outputs.sagemaker.UserProfileUserSettingsSharingSettings; - /** - * The storage settings for a private space. See Space Storage Settings below. - */ - spaceStorageSettings: outputs.sagemaker.UserProfileUserSettingsSpaceStorageSettings; - /** - * Whether the user can access Studio. If this value is set to `DISABLED`, the user cannot access Studio, even if that is the default experience for the domain. Valid values are `ENABLED` and `DISABLED`. - */ - studioWebPortal: string; - /** - * The TensorBoard app settings. See TensorBoard App Settings below. - */ - tensorBoardAppSettings?: outputs.sagemaker.UserProfileUserSettingsTensorBoardAppSettings; - } - - export interface UserProfileUserSettingsCanvasAppSettings { - /** - * The model deployment settings for the SageMaker Canvas application. See Direct Deploy Settings below. - */ - directDeploySettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsDirectDeploySettings; - /** - * The settings for connecting to an external data source with OAuth. See Identity Provider OAuth Settings below. - */ - identityProviderOauthSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsIdentityProviderOauthSetting[]; - /** - * The settings for document querying. See Kendra Settings below. - */ - kendraSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsKendraSettings; - /** - * The model registry settings for the SageMaker Canvas application. 
See Model Register Settings below. - */ - modelRegisterSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsModelRegisterSettings; - /** - * Time series forecast settings for the Canvas app. See Time Series Forecasting Settings below. - */ - timeSeriesForecastingSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsTimeSeriesForecastingSettings; - /** - * The workspace settings for the SageMaker Canvas application. See Workspace Settings below. - */ - workspaceSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsWorkspaceSettings; - } - - export interface UserProfileUserSettingsCanvasAppSettingsDirectDeploySettings { - /** - * Describes whether model deployment permissions are enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. - */ - status?: string; - } - - export interface UserProfileUserSettingsCanvasAppSettingsIdentityProviderOauthSetting { - /** - * The name of the data source that you're connecting to. Canvas currently supports OAuth for Snowflake and Salesforce Data Cloud. Valid values are `SalesforceGenie` and `Snowflake`. - */ - dataSourceName?: string; - /** - * The ARN of an Amazon Web Services Secrets Manager secret that stores the credentials from your identity provider, such as the client ID and secret, authorization URL, and token URL. - */ - secretArn: string; - /** - * Describes whether OAuth for a data source is enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. - */ - status?: string; - } - - export interface UserProfileUserSettingsCanvasAppSettingsKendraSettings { - /** - * Describes whether the document querying feature is enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. - */ - status?: string; - } - - export interface UserProfileUserSettingsCanvasAppSettingsModelRegisterSettings { - /** - * The Amazon Resource Name (ARN) of the SageMaker model registry account. 
Required only to register model versions created by a different SageMaker Canvas AWS account than the AWS account in which SageMaker model registry is set up. - */ - crossAccountModelRegisterRoleArn?: string; - /** - * Describes whether the integration to the model registry is enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. - */ - status?: string; - } - - export interface UserProfileUserSettingsCanvasAppSettingsTimeSeriesForecastingSettings { - /** - * The IAM role that Canvas passes to Amazon Forecast for time series forecasting. By default, Canvas uses the execution role specified in the UserProfile that launches the Canvas app. If an execution role is not specified in the UserProfile, Canvas uses the execution role specified in the Domain that owns the UserProfile. To allow time series forecasting, this IAM role should have the [AmazonSageMakerCanvasForecastAccess](https://docs.aws.amazon.com/sagemaker/latest/dg/security-iam-awsmanpol-canvas.html#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess) policy attached and forecast.amazonaws.com added in the trust relationship as a service principal. - */ - amazonForecastRoleArn?: string; - /** - * Describes whether time series forecasting is enabled or disabled in the Canvas app. Valid values are `ENABLED` and `DISABLED`. - */ - status?: string; - } - - export interface UserProfileUserSettingsCanvasAppSettingsWorkspaceSettings { - /** - * The Amazon S3 bucket used to store artifacts generated by Canvas. Updating the Amazon S3 location impacts existing configuration settings, and Canvas users no longer have access to their artifacts. Canvas users must log out and log back in to apply the new location. - */ - s3ArtifactPath?: string; - /** - * The Amazon Web Services Key Management Service (KMS) encryption key ID that is used to encrypt artifacts generated by Canvas in the Amazon S3 bucket. 
- */ - s3KmsKeyId?: string; - } - - export interface UserProfileUserSettingsCodeEditorAppSettings { - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. - */ - defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsCodeEditorAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface UserProfileUserSettingsCodeEditorAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface UserProfileUserSettingsCustomFileSystemConfig { - /** - * The default EBS storage settings for a private space. See EFS File System Config below. - */ - efsFileSystemConfigs?: outputs.sagemaker.UserProfileUserSettingsCustomFileSystemConfigEfsFileSystemConfig[]; - } - - export interface UserProfileUserSettingsCustomFileSystemConfigEfsFileSystemConfig { - /** - * The ID of your Amazon EFS file system. - */ - fileSystemId: string; - /** - * The path to the file system directory that is accessible in Amazon SageMaker Studio. Permitted users can access only this directory and below. - */ - fileSystemPath?: string; - } - - export interface UserProfileUserSettingsCustomPosixUserConfig { - /** - * The POSIX group ID. 
- */ - gid: number; - /** - * The POSIX user ID. - */ - uid: number; - } - - export interface UserProfileUserSettingsJupyterLabAppSettings { - /** - * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see Code Repository below. - */ - codeRepositories?: outputs.sagemaker.UserProfileUserSettingsJupyterLabAppSettingsCodeRepository[]; - customImages?: outputs.sagemaker.UserProfileUserSettingsJupyterLabAppSettingsCustomImage[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. - */ - defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsJupyterLabAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface UserProfileUserSettingsJupyterLabAppSettingsCodeRepository { - /** - * The URL of the Git repository. - */ - repositoryUrl: string; - } - - export interface UserProfileUserSettingsJupyterLabAppSettingsCustomImage { - /** - * The name of the App Image Config. - */ - appImageConfigName: string; - /** - * The name of the Custom Image. - */ - imageName: string; - /** - * The version number of the Custom Image. - */ - imageVersionNumber?: number; - } - - export interface UserProfileUserSettingsJupyterLabAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. 
- */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface UserProfileUserSettingsJupyterServerAppSettings { - /** - * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see Code Repository below. - */ - codeRepositories?: outputs.sagemaker.UserProfileUserSettingsJupyterServerAppSettingsCodeRepository[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. - */ - defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsJupyterServerAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface UserProfileUserSettingsJupyterServerAppSettingsCodeRepository { - /** - * The URL of the Git repository. - */ - repositoryUrl: string; - } - - export interface UserProfileUserSettingsJupyterServerAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface UserProfileUserSettingsKernelGatewayAppSettings { - /** - * A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below. 
- */ - customImages?: outputs.sagemaker.UserProfileUserSettingsKernelGatewayAppSettingsCustomImage[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. - */ - defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsKernelGatewayAppSettingsDefaultResourceSpec; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configurations. - */ - lifecycleConfigArns?: string[]; - } - - export interface UserProfileUserSettingsKernelGatewayAppSettingsCustomImage { - /** - * The name of the App Image Config. - */ - appImageConfigName: string; - /** - * The name of the Custom Image. - */ - imageName: string; - /** - * The version number of the Custom Image. - */ - imageVersionNumber?: number; - } - - export interface UserProfileUserSettingsKernelGatewayAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface UserProfileUserSettingsRSessionAppSettings { - /** - * A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below. - */ - customImages?: outputs.sagemaker.UserProfileUserSettingsRSessionAppSettingsCustomImage[]; - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. 
- */ - defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsRSessionAppSettingsDefaultResourceSpec; - } - - export interface UserProfileUserSettingsRSessionAppSettingsCustomImage { - /** - * The name of the App Image Config. - */ - appImageConfigName: string; - /** - * The name of the Custom Image. - */ - imageName: string; - /** - * The version number of the Custom Image. - */ - imageVersionNumber?: number; - } - - export interface UserProfileUserSettingsRSessionAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. - */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface UserProfileUserSettingsRStudioServerProAppSettings { - /** - * Indicates whether the current user has access to the RStudioServerPro app. Valid values are `ENABLED` and `DISABLED`. - */ - accessStatus?: string; - /** - * The level of permissions that the user has within the RStudioServerPro app. This value defaults to `R_STUDIO_USER`. The `R_STUDIO_ADMIN` value allows the user access to the RStudio Administrative Dashboard. Valid values are `R_STUDIO_USER` and `R_STUDIO_ADMIN`. - */ - userGroup?: string; - } - - export interface UserProfileUserSettingsSharingSettings { - /** - * Whether to include the notebook cell output when sharing the notebook. The default is `Disabled`. Valid values are `Allowed` and `Disabled`. 
- */ - notebookOutputOption?: string; - /** - * When `notebookOutputOption` is Allowed, the AWS Key Management Service (KMS) encryption key ID used to encrypt the notebook cell output in the Amazon S3 bucket. - */ - s3KmsKeyId?: string; - /** - * When `notebookOutputOption` is Allowed, the Amazon S3 bucket used to save the notebook cell output. - */ - s3OutputPath?: string; - } - - export interface UserProfileUserSettingsSpaceStorageSettings { - /** - * The default EBS storage settings for a private space. See Default EBS Storage Settings below. - */ - defaultEbsStorageSettings?: outputs.sagemaker.UserProfileUserSettingsSpaceStorageSettingsDefaultEbsStorageSettings; - } - - export interface UserProfileUserSettingsSpaceStorageSettingsDefaultEbsStorageSettings { - /** - * The default size of the EBS storage volume for a private space. - */ - defaultEbsVolumeSizeInGb: number; - /** - * The maximum size of the EBS storage volume for a private space. - */ - maximumEbsVolumeSizeInGb: number; - } - - export interface UserProfileUserSettingsTensorBoardAppSettings { - /** - * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. - */ - defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsTensorBoardAppSettingsDefaultResourceSpec; - } - - export interface UserProfileUserSettingsTensorBoardAppSettingsDefaultResourceSpec { - /** - * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). - */ - instanceType?: string; - /** - * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. - */ - lifecycleConfigArn?: string; - /** - * The ARN of the SageMaker image that the image version belongs to. - */ - sagemakerImageArn?: string; - /** - * The SageMaker Image Version Alias. 
- */ - sagemakerImageVersionAlias?: string; - /** - * The ARN of the image version created on the instance. - */ - sagemakerImageVersionArn?: string; - } - - export interface WorkforceCognitoConfig { - /** - * The client ID for your Amazon Cognito user pool. - */ - clientId: string; - /** - * ID for your Amazon Cognito user pool. - */ - userPool: string; - } - - export interface WorkforceOidcConfig { - /** - * The OIDC IdP authorization endpoint used to configure your private workforce. - */ - authorizationEndpoint: string; - /** - * The OIDC IdP client ID used to configure your private workforce. - */ - clientId: string; - /** - * The OIDC IdP client secret used to configure your private workforce. - */ - clientSecret: string; - /** - * The OIDC IdP issuer used to configure your private workforce. - */ - issuer: string; - /** - * The OIDC IdP JSON Web Key Set (Jwks) URI used to configure your private workforce. - */ - jwksUri: string; - /** - * The OIDC IdP logout endpoint used to configure your private workforce. - */ - logoutEndpoint: string; - /** - * The OIDC IdP token endpoint used to configure your private workforce. - */ - tokenEndpoint: string; - /** - * The OIDC IdP user information endpoint used to configure your private workforce. - */ - userInfoEndpoint: string; - } - - export interface WorkforceSourceIpConfig { - /** - * A list of up to 10 CIDR values. - */ - cidrs: string[]; - } - - export interface WorkforceWorkforceVpcConfig { - /** - * The VPC security group IDs. The security groups must be for the same VPC as specified in the subnet. - */ - securityGroupIds?: string[]; - /** - * The ID of the subnets in the VPC that you want to connect. - */ - subnets?: string[]; - /** - * The IDs for the VPC service endpoints of your VPC workforce. - */ - vpcEndpointId: string; - /** - * The ID of the VPC that the workforce uses for communication. 
- */ - vpcId?: string; - } - - export interface WorkteamMemberDefinition { - /** - * The Amazon Cognito user group that is part of the work team. See Cognito Member Definition details below. - */ - cognitoMemberDefinition?: outputs.sagemaker.WorkteamMemberDefinitionCognitoMemberDefinition; - /** - * A list user groups that exist in your OIDC Identity Provider (IdP). One to ten groups can be used to create a single private work team. See Cognito Member Definition details below. - */ - oidcMemberDefinition?: outputs.sagemaker.WorkteamMemberDefinitionOidcMemberDefinition; - } - - export interface WorkteamMemberDefinitionCognitoMemberDefinition { - /** - * An identifier for an application client. You must create the app client ID using Amazon Cognito. - */ - clientId: string; - /** - * An identifier for a user group. - */ - userGroup: string; - /** - * An identifier for a user pool. The user pool must be in the same region as the service that you are calling. - */ - userPool: string; - } - - export interface WorkteamMemberDefinitionOidcMemberDefinition { - /** - * A list of comma separated strings that identifies user groups in your OIDC IdP. Each user group is made up of a group of private workers. - */ - groups: string[]; - } - - export interface WorkteamNotificationConfiguration { - /** - * The ARN for the SNS topic to which notifications should be published. - */ - notificationTopicArn?: string; - } - -} - -export namespace scheduler { - export interface ScheduleFlexibleTimeWindow { - /** - * Maximum time window during which a schedule can be invoked. Ranges from `1` to `1440` minutes. - */ - maximumWindowInMinutes?: number; - /** - * Determines whether the schedule is invoked within a flexible time window. One of: `OFF`, `FLEXIBLE`. - */ - mode: string; - } - - export interface ScheduleTarget { - /** - * ARN of the target of this schedule, such as a SQS queue or ECS cluster. 
For universal targets, this is a [Service ARN specific to the target service](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html#supported-universal-targets). - */ - arn: string; - /** - * Information about an Amazon SQS queue that EventBridge Scheduler uses as a dead-letter queue for your schedule. If specified, EventBridge Scheduler delivers failed events that could not be successfully delivered to a target to the queue. Detailed below. - */ - deadLetterConfig?: outputs.scheduler.ScheduleTargetDeadLetterConfig; - /** - * Templated target type for the Amazon ECS [`RunTask`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RunTask.html) API operation. Detailed below. - */ - ecsParameters?: outputs.scheduler.ScheduleTargetEcsParameters; - /** - * Templated target type for the EventBridge [`PutEvents`](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutEvents.html) API operation. Detailed below. - */ - eventbridgeParameters?: outputs.scheduler.ScheduleTargetEventbridgeParameters; - /** - * Text, or well-formed JSON, passed to the target. Read more in [Universal target](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html). - */ - input?: string; - /** - * Templated target type for the Amazon Kinesis [`PutRecord`](https://docs.aws.amazon.com/kinesis/latest/APIReference/API_PutRecord.html) API operation. Detailed below. - */ - kinesisParameters?: outputs.scheduler.ScheduleTargetKinesisParameters; - /** - * Information about the retry policy settings. Detailed below. - */ - retryPolicy?: outputs.scheduler.ScheduleTargetRetryPolicy; - /** - * ARN of the IAM role that EventBridge Scheduler will use for this target when the schedule is invoked. Read more in [Set up the execution role](https://docs.aws.amazon.com/scheduler/latest/UserGuide/setting-up.html#setting-up-execution-role). 
- * - * The following arguments are optional: - */ - roleArn: string; - /** - * Templated target type for the Amazon SageMaker [`StartPipelineExecution`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StartPipelineExecution.html) API operation. Detailed below. - */ - sagemakerPipelineParameters?: outputs.scheduler.ScheduleTargetSagemakerPipelineParameters; - /** - * The templated target type for the Amazon SQS [`SendMessage`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html) API operation. Detailed below. - */ - sqsParameters?: outputs.scheduler.ScheduleTargetSqsParameters; - } - - export interface ScheduleTargetDeadLetterConfig { - /** - * ARN of the SQS queue specified as the destination for the dead-letter queue. - */ - arn: string; - } - - export interface ScheduleTargetEcsParameters { - /** - * Up to `6` capacity provider strategies to use for the task. Detailed below. - */ - capacityProviderStrategies?: outputs.scheduler.ScheduleTargetEcsParametersCapacityProviderStrategy[]; - /** - * Specifies whether to enable Amazon ECS managed tags for the task. For more information, see [Tagging Your Amazon ECS Resources](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-using-tags.html) in the Amazon ECS Developer Guide. - */ - enableEcsManagedTags?: boolean; - /** - * Specifies whether to enable the execute command functionality for the containers in this task. - */ - enableExecuteCommand?: boolean; - /** - * Specifies an ECS task group for the task. At most 255 characters. - */ - group?: string; - /** - * Specifies the launch type on which your task is running. The launch type that you specify here must match one of the launch type (compatibilities) of the target task. One of: `EC2`, `FARGATE`, `EXTERNAL`. - */ - launchType?: string; - /** - * Configures the networking associated with the task. Detailed below. 
- */ - networkConfiguration?: outputs.scheduler.ScheduleTargetEcsParametersNetworkConfiguration; - /** - * A set of up to 10 placement constraints to use for the task. Detailed below. - */ - placementConstraints?: outputs.scheduler.ScheduleTargetEcsParametersPlacementConstraint[]; - /** - * A set of up to 5 placement strategies. Detailed below. - */ - placementStrategies?: outputs.scheduler.ScheduleTargetEcsParametersPlacementStrategy[]; - /** - * Specifies the platform version for the task. Specify only the numeric portion of the platform version, such as `1.1.0`. - */ - platformVersion?: string; - /** - * Specifies whether to propagate the tags from the task definition to the task. One of: `TASK_DEFINITION`. - */ - propagateTags?: string; - /** - * Reference ID to use for the task. - */ - referenceId?: string; - /** - * The metadata that you apply to the task. Each tag consists of a key and an optional value. For more information, see [`RunTask`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RunTask.html) in the Amazon ECS API Reference. - */ - tags?: {[key: string]: string}; - /** - * The number of tasks to create. Ranges from `1` (default) to `10`. - */ - taskCount?: number; - /** - * ARN of the task definition to use. - * - * The following arguments are optional: - */ - taskDefinitionArn: string; - } - - export interface ScheduleTargetEcsParametersCapacityProviderStrategy { - /** - * How many tasks, at a minimum, to run on the specified capacity provider. Only one capacity provider in a capacity provider strategy can have a base defined. Ranges from `0` (default) to `100000`. - */ - base?: number; - /** - * Short name of the capacity provider. - */ - capacityProvider: string; - /** - * Designates the relative percentage of the total number of tasks launched that should use the specified capacity provider. The weight value is taken into consideration after the base value, if defined, is satisfied. Ranges from from `0` to `1000`. 
- */ - weight?: number; - } - - export interface ScheduleTargetEcsParametersNetworkConfiguration { - /** - * Specifies whether the task's elastic network interface receives a public IP address. This attribute is a boolean type, where `true` maps to `ENABLED` and `false` to `DISABLED`. You can specify `true` only when the `launchType` is set to `FARGATE`. - */ - assignPublicIp?: boolean; - /** - * Set of 1 to 5 Security Group ID-s to be associated with the task. These security groups must all be in the same VPC. - */ - securityGroups?: string[]; - /** - * Set of 1 to 16 subnets to be associated with the task. These subnets must all be in the same VPC. - */ - subnets: string[]; - } - - export interface ScheduleTargetEcsParametersPlacementConstraint { - /** - * A cluster query language expression to apply to the constraint. You cannot specify an expression if the constraint type is `distinctInstance`. For more information, see [Cluster query language](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cluster-query-language.html) in the Amazon ECS Developer Guide. - */ - expression?: string; - /** - * The type of constraint. One of: `distinctInstance`, `memberOf`. - */ - type: string; - } - - export interface ScheduleTargetEcsParametersPlacementStrategy { - /** - * The field to apply the placement strategy against. - */ - field?: string; - /** - * The type of placement strategy. One of: `random`, `spread`, `binpack`. - */ - type: string; - } - - export interface ScheduleTargetEventbridgeParameters { - /** - * Free-form string used to decide what fields to expect in the event detail. Up to 128 characters. - */ - detailType: string; - /** - * Source of the event. - */ - source: string; - } - - export interface ScheduleTargetKinesisParameters { - /** - * Specifies the shard to which EventBridge Scheduler sends the event. Up to 256 characters. 
- */ - partitionKey: string; - } - - export interface ScheduleTargetRetryPolicy { - /** - * Maximum amount of time, in seconds, to continue to make retry attempts. Ranges from `60` to `86400` (default). - */ - maximumEventAgeInSeconds?: number; - /** - * Maximum number of retry attempts to make before the request fails. Ranges from `0` to `185` (default). - */ - maximumRetryAttempts?: number; - } - - export interface ScheduleTargetSagemakerPipelineParameters { - /** - * Set of up to 200 parameter names and values to use when executing the SageMaker Model Building Pipeline. Detailed below. - */ - pipelineParameters?: outputs.scheduler.ScheduleTargetSagemakerPipelineParametersPipelineParameter[]; - } - - export interface ScheduleTargetSagemakerPipelineParametersPipelineParameter { - /** - * Name of parameter to start execution of a SageMaker Model Building Pipeline. - */ - name: string; - /** - * Value of parameter to start execution of a SageMaker Model Building Pipeline. - */ - value: string; - } - - export interface ScheduleTargetSqsParameters { - /** - * FIFO message group ID to use as the target. - */ - messageGroupId?: string; - } - -} - -export namespace secretsmanager { - export interface GetSecretRotationRotationRule { - automaticallyAfterDays: number; - duration: string; - scheduleExpression: string; - } - - export interface GetSecretsFilter { - /** - * Name of the filter field. Valid values can be found in the [Secrets Manager ListSecrets API Reference](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecrets.html). - */ - name: string; - /** - * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. - */ - values: string[]; - } - - export interface SecretReplica { - /** - * ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. 
If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (`aws/secretsmanager`) in the region or creates one for use if non-existent. - */ - kmsKeyId: string; - /** - * Date that you last accessed the secret in the Region. - */ - lastAccessedDate: string; - /** - * Region for replicating the secret. - */ - region: string; - /** - * Status can be `InProgress`, `Failed`, or `InSync`. - */ - status: string; - /** - * Message such as `Replication succeeded` or `Secret with this name already exists in this region`. - */ - statusMessage: string; - } - - export interface SecretRotationRotationRules { - /** - * Specifies the number of days between automatic scheduled rotations of the secret. Either `automaticallyAfterDays` or `scheduleExpression` must be specified. - */ - automaticallyAfterDays?: number; - /** - * The length of the rotation window in hours. For example, `3h` for a three hour window. - */ - duration?: string; - /** - * A `cron()` or `rate()` expression that defines the schedule for rotating your secret. Either `automaticallyAfterDays` or `scheduleExpression` must be specified. - */ - scheduleExpression?: string; - } - -} - -export namespace securityhub { - export interface AutomationRuleAction { - /** - * A block that specifies that the automation rule action is an update to a finding field. Documented below. - */ - findingFieldsUpdate?: outputs.securityhub.AutomationRuleActionFindingFieldsUpdate; - /** - * Specifies that the rule action should update the `Types` finding field. The `Types` finding field classifies findings in the format of namespace/category/classifier. - */ - type?: string; - } - - export interface AutomationRuleActionFindingFieldsUpdate { - /** - * The rule action updates the `Confidence` field of a finding. - */ - confidence?: number; - /** - * The rule action updates the `Criticality` field of a finding. - */ - criticality?: number; - /** - * A resource block that updates the note. 
Documented below. - */ - note?: outputs.securityhub.AutomationRuleActionFindingFieldsUpdateNote; - /** - * A resource block that the rule action updates the `RelatedFindings` field of a finding. Documented below. - */ - relatedFindings?: outputs.securityhub.AutomationRuleActionFindingFieldsUpdateRelatedFinding[]; - /** - * A resource block that updates to the severity information for a finding. Documented below. - */ - severity?: outputs.securityhub.AutomationRuleActionFindingFieldsUpdateSeverity; - /** - * The rule action updates the `Types` field of a finding. - */ - types?: string[]; - /** - * The rule action updates the `UserDefinedFields` field of a finding. - */ - userDefinedFields?: {[key: string]: string}; - /** - * The rule action updates the `VerificationState` field of a finding. The allowed values are the following `UNKNOWN`, `TRUE_POSITIVE`, `FALSE_POSITIVE` and `BENIGN_POSITIVE`. - */ - verificationState?: string; - /** - * A resource block that is used to update information about the investigation into the finding. Documented below. - */ - workflow?: outputs.securityhub.AutomationRuleActionFindingFieldsUpdateWorkflow; - } - - export interface AutomationRuleActionFindingFieldsUpdateNote { - /** - * The updated note text. - */ - text: string; - /** - * The principal that updated the note. - */ - updatedBy: string; - } - - export interface AutomationRuleActionFindingFieldsUpdateRelatedFinding { - /** - * The product-generated identifier for a related finding. - */ - id: string; - /** - * The ARN of the product that generated a related finding. - */ - productArn: string; - } - - export interface AutomationRuleActionFindingFieldsUpdateSeverity { - /** - * The severity value of the finding. The allowed values are the following `INFORMATIONAL`, `LOW`, `MEDIUM`, `HIGH` and `CRITICAL`. - */ - label: string; - /** - * The native severity as defined by the AWS service or integrated partner product that generated the finding. 
- */ - product?: number; - } - - export interface AutomationRuleActionFindingFieldsUpdateWorkflow { - /** - * The status of the investigation into the finding. The allowed values are the following `NEW`, `NOTIFIED`, `RESOLVED` and `SUPPRESSED`. - */ - status?: string; - } - - export interface AutomationRuleCriteria { - /** - * The AWS account ID in which a finding was generated. Documented below. - */ - awsAccountIds?: outputs.securityhub.AutomationRuleCriteriaAwsAccountId[]; - /** - * The name of the AWS account in which a finding was generated. Documented below. - */ - awsAccountNames?: outputs.securityhub.AutomationRuleCriteriaAwsAccountName[]; - /** - * The name of the company for the product that generated the finding. For control-based findings, the company is AWS. Documented below. - */ - companyNames?: outputs.securityhub.AutomationRuleCriteriaCompanyName[]; - /** - * The unique identifier of a standard in which a control is enabled. Documented below. - */ - complianceAssociatedStandardsIds?: outputs.securityhub.AutomationRuleCriteriaComplianceAssociatedStandardsId[]; - /** - * The security control ID for which a finding was generated. Security control IDs are the same across standards. Documented below. - */ - complianceSecurityControlIds?: outputs.securityhub.AutomationRuleCriteriaComplianceSecurityControlId[]; - /** - * The result of a security check. This field is only used for findings generated from controls. Documented below. - */ - complianceStatuses?: outputs.securityhub.AutomationRuleCriteriaComplianceStatus[]; - /** - * The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0–100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. Documented below. - */ - confidences?: outputs.securityhub.AutomationRuleCriteriaConfidence[]; - /** - * A timestamp that indicates when this finding record was created. 
Documented below. - */ - createdAts?: outputs.securityhub.AutomationRuleCriteriaCreatedAt[]; - /** - * The level of importance that is assigned to the resources that are associated with a finding. Documented below. - */ - criticalities?: outputs.securityhub.AutomationRuleCriteriaCriticality[]; - /** - * A finding's description. Documented below. - */ - descriptions?: outputs.securityhub.AutomationRuleCriteriaDescription[]; - /** - * A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product. Documented below. - */ - firstObservedAts?: outputs.securityhub.AutomationRuleCriteriaFirstObservedAt[]; - /** - * The identifier for the solution-specific component that generated a finding. Documented below. - */ - generatorIds?: outputs.securityhub.AutomationRuleCriteriaGeneratorId[]; - /** - * The product-specific identifier for a finding. Documented below. - */ - ids?: outputs.securityhub.AutomationRuleCriteriaId[]; - /** - * A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product. Documented below. - */ - lastObservedAts?: outputs.securityhub.AutomationRuleCriteriaLastObservedAt[]; - /** - * The text of a user-defined note that's added to a finding. Documented below. - */ - noteTexts?: outputs.securityhub.AutomationRuleCriteriaNoteText[]; - /** - * The timestamp of when the note was updated. Documented below. - */ - noteUpdatedAts?: outputs.securityhub.AutomationRuleCriteriaNoteUpdatedAt[]; - /** - * The principal that created a note. Documented below. - */ - noteUpdatedBies?: outputs.securityhub.AutomationRuleCriteriaNoteUpdatedBy[]; - /** - * The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub. Documented below. - */ - productArns?: outputs.securityhub.AutomationRuleCriteriaProductArn[]; - /** - * Provides the name of the product that generated the finding. 
For control-based findings, the product name is Security Hub. Documented below. - */ - productNames?: outputs.securityhub.AutomationRuleCriteriaProductName[]; - /** - * Provides the current state of a finding. Documented below. - */ - recordStates?: outputs.securityhub.AutomationRuleCriteriaRecordState[]; - /** - * The product-generated identifier for a related finding. Documented below. - */ - relatedFindingsIds?: outputs.securityhub.AutomationRuleCriteriaRelatedFindingsId[]; - /** - * The ARN for the product that generated a related finding. Documented below. - */ - relatedFindingsProductArns?: outputs.securityhub.AutomationRuleCriteriaRelatedFindingsProductArn[]; - /** - * The Amazon Resource Name (ARN) of the application that is related to a finding. Documented below. - */ - resourceApplicationArns?: outputs.securityhub.AutomationRuleCriteriaResourceApplicationArn[]; - /** - * The name of the application that is related to a finding. Documented below. - */ - resourceApplicationNames?: outputs.securityhub.AutomationRuleCriteriaResourceApplicationName[]; - /** - * Custom fields and values about the resource that a finding pertains to. Documented below. - */ - resourceDetailsOthers?: outputs.securityhub.AutomationRuleCriteriaResourceDetailsOther[]; - /** - * The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non-AWS resources, this is a unique identifier that is associated with the resource. Documented below. - */ - resourceIds?: outputs.securityhub.AutomationRuleCriteriaResourceId[]; - /** - * The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions. Each AWS account is scoped to one partition. Documented below. 
- */ - resourcePartitions?: outputs.securityhub.AutomationRuleCriteriaResourcePartition[]; - /** - * The AWS Region where the resource that a finding pertains to is located. Documented below. - */ - resourceRegions?: outputs.securityhub.AutomationRuleCriteriaResourceRegion[]; - /** - * A list of AWS tags associated with a resource at the time the finding was processed. Documented below. - */ - resourceTags?: outputs.securityhub.AutomationRuleCriteriaResourceTag[]; - /** - * The type of resource that the finding pertains to. Documented below. - */ - resourceTypes?: outputs.securityhub.AutomationRuleCriteriaResourceType[]; - /** - * The severity value of the finding. Documented below. - */ - severityLabels?: outputs.securityhub.AutomationRuleCriteriaSeverityLabel[]; - /** - * Provides a URL that links to a page about the current finding in the finding product. Documented below. - */ - sourceUrls?: outputs.securityhub.AutomationRuleCriteriaSourceUrl[]; - /** - * A finding's title. Documented below. - */ - titles?: outputs.securityhub.AutomationRuleCriteriaTitle[]; - /** - * One or more finding types in the format of namespace/category/classifier that classify a finding. Documented below. - */ - types?: outputs.securityhub.AutomationRuleCriteriaType[]; - /** - * A timestamp that indicates when the finding record was most recently updated. Documented below. - */ - updatedAts?: outputs.securityhub.AutomationRuleCriteriaUpdatedAt[]; - /** - * A list of user-defined name and value string pairs added to a finding. Documented below. - */ - userDefinedFields?: outputs.securityhub.AutomationRuleCriteriaUserDefinedField[]; - /** - * Provides the veracity of a finding. Documented below. - */ - verificationStates?: outputs.securityhub.AutomationRuleCriteriaVerificationState[]; - /** - * Provides information about the status of the investigation into a finding. Documented below. 
- */ - workflowStatuses?: outputs.securityhub.AutomationRuleCriteriaWorkflowStatus[]; - } - - export interface AutomationRuleCriteriaAwsAccountId { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaAwsAccountName { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaCompanyName { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaComplianceAssociatedStandardsId { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaComplianceSecurityControlId { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaComplianceStatus { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaConfidence { - eq?: number; - gt?: number; - gte?: number; - lt?: number; - lte?: number; - } - - export interface AutomationRuleCriteriaCreatedAt { - dateRange?: outputs.securityhub.AutomationRuleCriteriaCreatedAtDateRange; - end?: string; - start?: string; - } - - export interface AutomationRuleCriteriaCreatedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. - */ - value: number; - } - - export interface AutomationRuleCriteriaCriticality { - eq?: number; - gt?: number; - gte?: number; - lt?: number; - lte?: number; - } - - export interface AutomationRuleCriteriaDescription { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaFirstObservedAt { - dateRange?: outputs.securityhub.AutomationRuleCriteriaFirstObservedAtDateRange; - end?: string; - start?: string; - } - - export interface AutomationRuleCriteriaFirstObservedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. 
- */ - value: number; - } - - export interface AutomationRuleCriteriaGeneratorId { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaId { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaLastObservedAt { - dateRange?: outputs.securityhub.AutomationRuleCriteriaLastObservedAtDateRange; - end?: string; - start?: string; - } - - export interface AutomationRuleCriteriaLastObservedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. - */ - value: number; - } - - export interface AutomationRuleCriteriaNoteText { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaNoteUpdatedAt { - dateRange?: outputs.securityhub.AutomationRuleCriteriaNoteUpdatedAtDateRange; - end?: string; - start?: string; - } - - export interface AutomationRuleCriteriaNoteUpdatedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. 
- */ - value: number; - } - - export interface AutomationRuleCriteriaNoteUpdatedBy { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaProductArn { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaProductName { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaRecordState { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaRelatedFindingsId { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaRelatedFindingsProductArn { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaResourceApplicationArn { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaResourceApplicationName { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaResourceDetailsOther { - comparison: string; - key: string; - value: string; - } - - export interface AutomationRuleCriteriaResourceId { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaResourcePartition { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaResourceRegion { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaResourceTag { - comparison: string; - key: string; - value: string; - } - - export interface AutomationRuleCriteriaResourceType { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaSeverityLabel { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaSourceUrl { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaTitle { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaType { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaUpdatedAt { - dateRange?: 
outputs.securityhub.AutomationRuleCriteriaUpdatedAtDateRange; - end?: string; - start?: string; - } - - export interface AutomationRuleCriteriaUpdatedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. - */ - value: number; - } - - export interface AutomationRuleCriteriaUserDefinedField { - comparison: string; - key: string; - value: string; - } - - export interface AutomationRuleCriteriaVerificationState { - comparison: string; - value: string; - } - - export interface AutomationRuleCriteriaWorkflowStatus { - comparison: string; - value: string; - } - - export interface ConfigurationPolicyConfigurationPolicy { - /** - * A list that defines which security standards are enabled in the configuration policy. It must be defined if `serviceEnabled` is set to true. - */ - enabledStandardArns?: string[]; - /** - * Defines which security controls are enabled in the configuration policy and any customizations to parameters affecting them. See below. - */ - securityControlsConfiguration?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfiguration; - /** - * Indicates whether Security Hub is enabled in the policy. - */ - serviceEnabled: boolean; - } - - export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfiguration { - /** - * A list of security controls that are disabled in the configuration policy Security Hub enables all other controls (including newly released controls) other than the listed controls. Conflicts with `enabledControlIdentifiers`. - */ - disabledControlIdentifiers?: string[]; - /** - * A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls. Conflicts with `disabledControlIdentifiers`. 
- */ - enabledControlIdentifiers?: string[]; - /** - * A list of control parameter customizations that are included in a configuration policy. Include multiple blocks to define multiple control custom parameters. See below. - */ - securityControlCustomParameters?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameter[]; - } - - export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameter { - /** - * An object that specifies parameter values for a control in a configuration policy. See below. - */ - parameters: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameter[]; - /** - * The ID of the security control. For more information see the [Security Hub controls reference] documentation. - */ - securityControlId: string; - } - - export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameter { - /** - * The bool `value` for a Boolean-typed Security Hub Control Parameter. - */ - bool?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBool; - /** - * The float `value` for a Double-typed Security Hub Control Parameter. - */ - double?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterDouble; - /** - * The string `value` for a Enum-typed Security Hub Control Parameter. - */ - enum?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnum; - /** - * The string list `value` for a EnumList-typed Security Hub Control Parameter. 
- */ - enumList?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumList; - /** - * The int `value` for a Int-typed Security Hub Control Parameter. - */ - int?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterInt; - /** - * The int list `value` for a IntList-typed Security Hub Control Parameter. - */ - intList?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntList; - /** - * The name of the control parameter. For more information see the [Security Hub controls reference] documentation. - */ - name: string; - /** - * The string `value` for a String-typed Security Hub Control Parameter. - */ - string?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterString; - /** - * The string list `value` for a StringList-typed Security Hub Control Parameter. - */ - stringList?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterStringList; - /** - * Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior. Valid values: `DEFAULT`, `CUSTOM`. 
- */ - valueType: string; - } - - export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBool { - value: boolean; - } - - export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterDouble { - value: number; - } - - export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnum { - value: string; - } - - export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumList { - values: string[]; - } - - export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterInt { - value: number; - } - - export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntList { - values: number[]; - } - - export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterString { - value: string; - } - - export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterStringList { - values: string[]; - } - - export interface InsightFilters { - /** - * AWS account ID that a finding is generated in. See String_Filter below for more details. - */ - awsAccountIds?: outputs.securityhub.InsightFiltersAwsAccountId[]; - /** - * The name of the findings provider (company) that owns the solution (product) that generates findings. See String_Filter below for more details. - */ - companyNames?: outputs.securityhub.InsightFiltersCompanyName[]; - /** - * Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations. Contains security standard-related finding details. See String Filter below for more details. 
- */ - complianceStatuses?: outputs.securityhub.InsightFiltersComplianceStatus[]; - /** - * A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. See Number Filter below for more details. - */ - confidences?: outputs.securityhub.InsightFiltersConfidence[]; - /** - * An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured. See Date Filter below for more details. - */ - createdAts?: outputs.securityhub.InsightFiltersCreatedAt[]; - /** - * The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. See Number Filter below for more details. - */ - criticalities?: outputs.securityhub.InsightFiltersCriticality[]; - /** - * A finding's description. See String Filter below for more details. - */ - descriptions?: outputs.securityhub.InsightFiltersDescription[]; - /** - * The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. See Number Filter below for more details. - */ - findingProviderFieldsConfidences?: outputs.securityhub.InsightFiltersFindingProviderFieldsConfidence[]; - /** - * The finding provider value for the level of importance assigned to the resources associated with the findings. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. 
See Number Filter below for more details. - */ - findingProviderFieldsCriticalities?: outputs.securityhub.InsightFiltersFindingProviderFieldsCriticality[]; - /** - * The finding identifier of a related finding that is identified by the finding provider. See String Filter below for more details. - */ - findingProviderFieldsRelatedFindingsIds?: outputs.securityhub.InsightFiltersFindingProviderFieldsRelatedFindingsId[]; - /** - * The ARN of the solution that generated a related finding that is identified by the finding provider. See String Filter below for more details. - */ - findingProviderFieldsRelatedFindingsProductArns?: outputs.securityhub.InsightFiltersFindingProviderFieldsRelatedFindingsProductArn[]; - /** - * The finding provider value for the severity label. See String Filter below for more details. - */ - findingProviderFieldsSeverityLabels?: outputs.securityhub.InsightFiltersFindingProviderFieldsSeverityLabel[]; - /** - * The finding provider's original value for the severity. See String Filter below for more details. - */ - findingProviderFieldsSeverityOriginals?: outputs.securityhub.InsightFiltersFindingProviderFieldsSeverityOriginal[]; - /** - * One or more finding types that the finding provider assigned to the finding. Uses the format of `namespace/category/classifier` that classify a finding. Valid namespace values include: `Software and Configuration Checks`, `TTPs`, `Effects`, `Unusual Behaviors`, and `Sensitive Data Identifications`. See String Filter below for more details. - */ - findingProviderFieldsTypes?: outputs.securityhub.InsightFiltersFindingProviderFieldsType[]; - /** - * An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured. See Date Filter below for more details. 
- */ - firstObservedAts?: outputs.securityhub.InsightFiltersFirstObservedAt[]; - /** - * The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. See String Filter below for more details. - */ - generatorIds?: outputs.securityhub.InsightFiltersGeneratorId[]; - /** - * The security findings provider-specific identifier for a finding. See String Filter below for more details. - */ - ids?: outputs.securityhub.InsightFiltersId[]; - /** - * A keyword for a finding. See Keyword Filter below for more details. - */ - keywords?: outputs.securityhub.InsightFiltersKeyword[]; - /** - * An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured. See Date Filter below for more details. - */ - lastObservedAts?: outputs.securityhub.InsightFiltersLastObservedAt[]; - /** - * The name of the malware that was observed. See String Filter below for more details. - */ - malwareNames?: outputs.securityhub.InsightFiltersMalwareName[]; - /** - * The filesystem path of the malware that was observed. See String Filter below for more details. - */ - malwarePaths?: outputs.securityhub.InsightFiltersMalwarePath[]; - /** - * The state of the malware that was observed. See String Filter below for more details. - */ - malwareStates?: outputs.securityhub.InsightFiltersMalwareState[]; - /** - * The type of the malware that was observed. See String Filter below for more details. - */ - malwareTypes?: outputs.securityhub.InsightFiltersMalwareType[]; - /** - * The destination domain of network-related information about a finding. See String Filter below for more details. - */ - networkDestinationDomains?: outputs.securityhub.InsightFiltersNetworkDestinationDomain[]; - /** - * The destination IPv4 address of network-related information about a finding. See Ip Filter below for more details. 
- */ - networkDestinationIpv4s?: outputs.securityhub.InsightFiltersNetworkDestinationIpv4[]; - /** - * The destination IPv6 address of network-related information about a finding. See Ip Filter below for more details. - */ - networkDestinationIpv6s?: outputs.securityhub.InsightFiltersNetworkDestinationIpv6[]; - /** - * The destination port of network-related information about a finding. See Number Filter below for more details. - */ - networkDestinationPorts?: outputs.securityhub.InsightFiltersNetworkDestinationPort[]; - /** - * Indicates the direction of network traffic associated with a finding. See String Filter below for more details. - */ - networkDirections?: outputs.securityhub.InsightFiltersNetworkDirection[]; - /** - * The protocol of network-related information about a finding. See String Filter below for more details. - */ - networkProtocols?: outputs.securityhub.InsightFiltersNetworkProtocol[]; - /** - * The source domain of network-related information about a finding. See String Filter below for more details. - */ - networkSourceDomains?: outputs.securityhub.InsightFiltersNetworkSourceDomain[]; - /** - * The source IPv4 address of network-related information about a finding. See Ip Filter below for more details. - */ - networkSourceIpv4s?: outputs.securityhub.InsightFiltersNetworkSourceIpv4[]; - /** - * The source IPv6 address of network-related information about a finding. See Ip Filter below for more details. - */ - networkSourceIpv6s?: outputs.securityhub.InsightFiltersNetworkSourceIpv6[]; - /** - * The source media access control (MAC) address of network-related information about a finding. See String Filter below for more details. - */ - networkSourceMacs?: outputs.securityhub.InsightFiltersNetworkSourceMac[]; - /** - * The source port of network-related information about a finding. See Number Filter below for more details. - */ - networkSourcePorts?: outputs.securityhub.InsightFiltersNetworkSourcePort[]; - /** - * The text of a note. 
See String Filter below for more details. - */ - noteTexts?: outputs.securityhub.InsightFiltersNoteText[]; - /** - * The timestamp of when the note was updated. See Date Filter below for more details. - */ - noteUpdatedAts?: outputs.securityhub.InsightFiltersNoteUpdatedAt[]; - /** - * The principal that created a note. See String Filter below for more details. - */ - noteUpdatedBies?: outputs.securityhub.InsightFiltersNoteUpdatedBy[]; - /** - * The date/time that the process was launched. See Date Filter below for more details. - */ - processLaunchedAts?: outputs.securityhub.InsightFiltersProcessLaunchedAt[]; - /** - * The name of the process. See String Filter below for more details. - */ - processNames?: outputs.securityhub.InsightFiltersProcessName[]; - /** - * The parent process ID. See Number Filter below for more details. - */ - processParentPids?: outputs.securityhub.InsightFiltersProcessParentPid[]; - /** - * The path to the process executable. See String Filter below for more details. - */ - processPaths?: outputs.securityhub.InsightFiltersProcessPath[]; - /** - * The process ID. See Number Filter below for more details. - */ - processPids?: outputs.securityhub.InsightFiltersProcessPid[]; - /** - * The date/time that the process was terminated. See Date Filter below for more details. - */ - processTerminatedAts?: outputs.securityhub.InsightFiltersProcessTerminatedAt[]; - /** - * The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub. See String Filter below for more details. - */ - productArns?: outputs.securityhub.InsightFiltersProductArn[]; - /** - * A data type where security-findings providers can include additional solution-specific details that aren't part of the defined `AwsSecurityFinding` format. See Map Filter below for more details. 
- */ - productFields?: outputs.securityhub.InsightFiltersProductField[]; - /** - * The name of the solution (product) that generates findings. See String Filter below for more details. - */ - productNames?: outputs.securityhub.InsightFiltersProductName[]; - /** - * The recommendation of what to do about the issue described in a finding. See String Filter below for more details. - */ - recommendationTexts?: outputs.securityhub.InsightFiltersRecommendationText[]; - /** - * The updated record state for the finding. See String Filter below for more details. - */ - recordStates?: outputs.securityhub.InsightFiltersRecordState[]; - /** - * The solution-generated identifier for a related finding. See String Filter below for more details. - */ - relatedFindingsIds?: outputs.securityhub.InsightFiltersRelatedFindingsId[]; - /** - * The ARN of the solution that generated a related finding. See String Filter below for more details. - */ - relatedFindingsProductArns?: outputs.securityhub.InsightFiltersRelatedFindingsProductArn[]; - /** - * The IAM profile ARN of the instance. See String Filter below for more details. - */ - resourceAwsEc2InstanceIamInstanceProfileArns?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceIamInstanceProfileArn[]; - /** - * The Amazon Machine Image (AMI) ID of the instance. See String Filter below for more details. - */ - resourceAwsEc2InstanceImageIds?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceImageId[]; - /** - * The IPv4 addresses associated with the instance. See Ip Filter below for more details. - */ - resourceAwsEc2InstanceIpv4Addresses?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceIpv4Address[]; - /** - * The IPv6 addresses associated with the instance. See Ip Filter below for more details. - */ - resourceAwsEc2InstanceIpv6Addresses?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceIpv6Address[]; - /** - * The key name associated with the instance. See String Filter below for more details. 
- */ - resourceAwsEc2InstanceKeyNames?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceKeyName[]; - /** - * The date and time the instance was launched. See Date Filter below for more details. - */ - resourceAwsEc2InstanceLaunchedAts?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceLaunchedAt[]; - /** - * The identifier of the subnet that the instance was launched in. See String Filter below for more details. - */ - resourceAwsEc2InstanceSubnetIds?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceSubnetId[]; - /** - * The instance type of the instance. See String Filter below for more details. - */ - resourceAwsEc2InstanceTypes?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceType[]; - /** - * The identifier of the VPC that the instance was launched in. See String Filter below for more details. - */ - resourceAwsEc2InstanceVpcIds?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceVpcId[]; - /** - * The creation date/time of the IAM access key related to a finding. See Date Filter below for more details. - */ - resourceAwsIamAccessKeyCreatedAts?: outputs.securityhub.InsightFiltersResourceAwsIamAccessKeyCreatedAt[]; - /** - * The status of the IAM access key related to a finding. See String Filter below for more details. - */ - resourceAwsIamAccessKeyStatuses?: outputs.securityhub.InsightFiltersResourceAwsIamAccessKeyStatus[]; - /** - * The user associated with the IAM access key related to a finding. See String Filter below for more details. - */ - resourceAwsIamAccessKeyUserNames?: outputs.securityhub.InsightFiltersResourceAwsIamAccessKeyUserName[]; - /** - * The canonical user ID of the owner of the S3 bucket. See String Filter below for more details. - */ - resourceAwsS3BucketOwnerIds?: outputs.securityhub.InsightFiltersResourceAwsS3BucketOwnerId[]; - /** - * The display name of the owner of the S3 bucket. See String Filter below for more details. 
- */ - resourceAwsS3BucketOwnerNames?: outputs.securityhub.InsightFiltersResourceAwsS3BucketOwnerName[]; - /** - * The identifier of the image related to a finding. See String Filter below for more details. - */ - resourceContainerImageIds?: outputs.securityhub.InsightFiltersResourceContainerImageId[]; - /** - * The name of the image related to a finding. See String Filter below for more details. - */ - resourceContainerImageNames?: outputs.securityhub.InsightFiltersResourceContainerImageName[]; - /** - * The date/time that the container was started. See Date Filter below for more details. - */ - resourceContainerLaunchedAts?: outputs.securityhub.InsightFiltersResourceContainerLaunchedAt[]; - /** - * The name of the container related to a finding. See String Filter below for more details. - */ - resourceContainerNames?: outputs.securityhub.InsightFiltersResourceContainerName[]; - /** - * The details of a resource that doesn't have a specific subfield for the resource type defined. See Map Filter below for more details. - */ - resourceDetailsOthers?: outputs.securityhub.InsightFiltersResourceDetailsOther[]; - /** - * The canonical identifier for the given resource type. See String Filter below for more details. - */ - resourceIds?: outputs.securityhub.InsightFiltersResourceId[]; - /** - * The canonical AWS partition name that the Region is assigned to. See String Filter below for more details. - */ - resourcePartitions?: outputs.securityhub.InsightFiltersResourcePartition[]; - /** - * The canonical AWS external Region name where this resource is located. See String Filter below for more details. - */ - resourceRegions?: outputs.securityhub.InsightFiltersResourceRegion[]; - /** - * A list of AWS tags associated with a resource at the time the finding was processed. See Map Filter below for more details. - */ - resourceTags?: outputs.securityhub.InsightFiltersResourceTag[]; - /** - * Specifies the type of the resource that details are provided for. 
See String Filter below for more details. - */ - resourceTypes?: outputs.securityhub.InsightFiltersResourceType[]; - /** - * The label of a finding's severity. See String Filter below for more details. - */ - severityLabels?: outputs.securityhub.InsightFiltersSeverityLabel[]; - /** - * A URL that links to a page about the current finding in the security-findings provider's solution. See String Filter below for more details. - */ - sourceUrls?: outputs.securityhub.InsightFiltersSourceUrl[]; - /** - * The category of a threat intelligence indicator. See String Filter below for more details. - */ - threatIntelIndicatorCategories?: outputs.securityhub.InsightFiltersThreatIntelIndicatorCategory[]; - /** - * The date/time of the last observation of a threat intelligence indicator. See Date Filter below for more details. - */ - threatIntelIndicatorLastObservedAts?: outputs.securityhub.InsightFiltersThreatIntelIndicatorLastObservedAt[]; - /** - * The URL for more details from the source of the threat intelligence. See String Filter below for more details. - */ - threatIntelIndicatorSourceUrls?: outputs.securityhub.InsightFiltersThreatIntelIndicatorSourceUrl[]; - /** - * The source of the threat intelligence. See String Filter below for more details. - */ - threatIntelIndicatorSources?: outputs.securityhub.InsightFiltersThreatIntelIndicatorSource[]; - /** - * The type of a threat intelligence indicator. See String Filter below for more details. - */ - threatIntelIndicatorTypes?: outputs.securityhub.InsightFiltersThreatIntelIndicatorType[]; - /** - * The value of a threat intelligence indicator. See String Filter below for more details. - */ - threatIntelIndicatorValues?: outputs.securityhub.InsightFiltersThreatIntelIndicatorValue[]; - /** - * A finding's title. See String Filter below for more details. - */ - titles?: outputs.securityhub.InsightFiltersTitle[]; - /** - * A finding type in the format of `namespace/category/classifier` that classifies a finding. 
See String Filter below for more details. - */ - types?: outputs.securityhub.InsightFiltersType[]; - /** - * An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record. See Date Filter below for more details. - */ - updatedAts?: outputs.securityhub.InsightFiltersUpdatedAt[]; - /** - * A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding. See Map Filter below for more details. - */ - userDefinedValues?: outputs.securityhub.InsightFiltersUserDefinedValue[]; - /** - * The veracity of a finding. See String Filter below for more details. - */ - verificationStates?: outputs.securityhub.InsightFiltersVerificationState[]; - /** - * The status of the investigation into a finding. See Workflow Status Filter below for more details. - */ - workflowStatuses?: outputs.securityhub.InsightFiltersWorkflowStatus[]; - } - - export interface InsightFiltersAwsAccountId { - comparison: string; - value: string; - } - - export interface InsightFiltersCompanyName { - comparison: string; - value: string; - } - - export interface InsightFiltersComplianceStatus { - comparison: string; - value: string; - } - - export interface InsightFiltersConfidence { - eq?: string; - gte?: string; - lte?: string; - } - - export interface InsightFiltersCreatedAt { - dateRange?: outputs.securityhub.InsightFiltersCreatedAtDateRange; - end?: string; - start?: string; - } - - export interface InsightFiltersCreatedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. 
- */ - value: number; - } - - export interface InsightFiltersCriticality { - eq?: string; - gte?: string; - lte?: string; - } - - export interface InsightFiltersDescription { - comparison: string; - value: string; - } - - export interface InsightFiltersFindingProviderFieldsConfidence { - eq?: string; - gte?: string; - lte?: string; - } - - export interface InsightFiltersFindingProviderFieldsCriticality { - eq?: string; - gte?: string; - lte?: string; - } - - export interface InsightFiltersFindingProviderFieldsRelatedFindingsId { - comparison: string; - value: string; - } - - export interface InsightFiltersFindingProviderFieldsRelatedFindingsProductArn { - comparison: string; - value: string; - } - - export interface InsightFiltersFindingProviderFieldsSeverityLabel { - comparison: string; - value: string; - } - - export interface InsightFiltersFindingProviderFieldsSeverityOriginal { - comparison: string; - value: string; - } - - export interface InsightFiltersFindingProviderFieldsType { - comparison: string; - value: string; - } - - export interface InsightFiltersFirstObservedAt { - dateRange?: outputs.securityhub.InsightFiltersFirstObservedAtDateRange; - end?: string; - start?: string; - } - - export interface InsightFiltersFirstObservedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. - */ - value: number; - } - - export interface InsightFiltersGeneratorId { - comparison: string; - value: string; - } - - export interface InsightFiltersId { - comparison: string; - value: string; - } - - export interface InsightFiltersKeyword { - /** - * A value for the keyword. 
- */ - value: string; - } - - export interface InsightFiltersLastObservedAt { - dateRange?: outputs.securityhub.InsightFiltersLastObservedAtDateRange; - end?: string; - start?: string; - } - - export interface InsightFiltersLastObservedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. - */ - value: number; - } - - export interface InsightFiltersMalwareName { - comparison: string; - value: string; - } - - export interface InsightFiltersMalwarePath { - comparison: string; - value: string; - } - - export interface InsightFiltersMalwareState { - comparison: string; - value: string; - } - - export interface InsightFiltersMalwareType { - comparison: string; - value: string; - } - - export interface InsightFiltersNetworkDestinationDomain { - comparison: string; - value: string; - } - - export interface InsightFiltersNetworkDestinationIpv4 { - cidr: string; - } - - export interface InsightFiltersNetworkDestinationIpv6 { - cidr: string; - } - - export interface InsightFiltersNetworkDestinationPort { - eq?: string; - gte?: string; - lte?: string; - } - - export interface InsightFiltersNetworkDirection { - comparison: string; - value: string; - } - - export interface InsightFiltersNetworkProtocol { - comparison: string; - value: string; - } - - export interface InsightFiltersNetworkSourceDomain { - comparison: string; - value: string; - } - - export interface InsightFiltersNetworkSourceIpv4 { - cidr: string; - } - - export interface InsightFiltersNetworkSourceIpv6 { - cidr: string; - } - - export interface InsightFiltersNetworkSourceMac { - comparison: string; - value: string; - } - - export interface InsightFiltersNetworkSourcePort { - eq?: string; - gte?: string; - lte?: string; - } - - export interface InsightFiltersNoteText { - comparison: string; - value: string; - } - - export interface InsightFiltersNoteUpdatedAt { - dateRange?: 
outputs.securityhub.InsightFiltersNoteUpdatedAtDateRange; - end?: string; - start?: string; - } - - export interface InsightFiltersNoteUpdatedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. - */ - value: number; - } - - export interface InsightFiltersNoteUpdatedBy { - comparison: string; - value: string; - } - - export interface InsightFiltersProcessLaunchedAt { - dateRange?: outputs.securityhub.InsightFiltersProcessLaunchedAtDateRange; - end?: string; - start?: string; - } - - export interface InsightFiltersProcessLaunchedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. - */ - value: number; - } - - export interface InsightFiltersProcessName { - comparison: string; - value: string; - } - - export interface InsightFiltersProcessParentPid { - eq?: string; - gte?: string; - lte?: string; - } - - export interface InsightFiltersProcessPath { - comparison: string; - value: string; - } - - export interface InsightFiltersProcessPid { - eq?: string; - gte?: string; - lte?: string; - } - - export interface InsightFiltersProcessTerminatedAt { - dateRange?: outputs.securityhub.InsightFiltersProcessTerminatedAtDateRange; - end?: string; - start?: string; - } - - export interface InsightFiltersProcessTerminatedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. 
- */ - value: number; - } - - export interface InsightFiltersProductArn { - comparison: string; - value: string; - } - - export interface InsightFiltersProductField { - comparison: string; - key: string; - value: string; - } - - export interface InsightFiltersProductName { - comparison: string; - value: string; - } - - export interface InsightFiltersRecommendationText { - comparison: string; - value: string; - } - - export interface InsightFiltersRecordState { - comparison: string; - value: string; - } - - export interface InsightFiltersRelatedFindingsId { - comparison: string; - value: string; - } - - export interface InsightFiltersRelatedFindingsProductArn { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceAwsEc2InstanceIamInstanceProfileArn { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceAwsEc2InstanceImageId { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceAwsEc2InstanceIpv4Address { - cidr: string; - } - - export interface InsightFiltersResourceAwsEc2InstanceIpv6Address { - cidr: string; - } - - export interface InsightFiltersResourceAwsEc2InstanceKeyName { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceAwsEc2InstanceLaunchedAt { - dateRange?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange; - end?: string; - start?: string; - } - - export interface InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. 
- */ - value: number; - } - - export interface InsightFiltersResourceAwsEc2InstanceSubnetId { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceAwsEc2InstanceType { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceAwsEc2InstanceVpcId { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceAwsIamAccessKeyCreatedAt { - dateRange?: outputs.securityhub.InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange; - end?: string; - start?: string; - } - - export interface InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. - */ - value: number; - } - - export interface InsightFiltersResourceAwsIamAccessKeyStatus { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceAwsIamAccessKeyUserName { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceAwsS3BucketOwnerId { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceAwsS3BucketOwnerName { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceContainerImageId { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceContainerImageName { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceContainerLaunchedAt { - dateRange?: outputs.securityhub.InsightFiltersResourceContainerLaunchedAtDateRange; - end?: string; - start?: string; - } - - export interface InsightFiltersResourceContainerLaunchedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. 
- */ - value: number; - } - - export interface InsightFiltersResourceContainerName { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceDetailsOther { - comparison: string; - key: string; - value: string; - } - - export interface InsightFiltersResourceId { - comparison: string; - value: string; - } - - export interface InsightFiltersResourcePartition { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceRegion { - comparison: string; - value: string; - } - - export interface InsightFiltersResourceTag { - comparison: string; - key: string; - value: string; - } - - export interface InsightFiltersResourceType { - comparison: string; - value: string; - } - - export interface InsightFiltersSeverityLabel { - comparison: string; - value: string; - } - - export interface InsightFiltersSourceUrl { - comparison: string; - value: string; - } - - export interface InsightFiltersThreatIntelIndicatorCategory { - comparison: string; - value: string; - } - - export interface InsightFiltersThreatIntelIndicatorLastObservedAt { - dateRange?: outputs.securityhub.InsightFiltersThreatIntelIndicatorLastObservedAtDateRange; - end?: string; - start?: string; - } - - export interface InsightFiltersThreatIntelIndicatorLastObservedAtDateRange { - /** - * A date range unit for the date filter. Valid values: `DAYS`. - */ - unit: string; - /** - * A date range value for the date filter, provided as an Integer. 
- */ - value: number; - } - - export interface InsightFiltersThreatIntelIndicatorSource { - comparison: string; - value: string; - } - - export interface InsightFiltersThreatIntelIndicatorSourceUrl { - comparison: string; - value: string; - } - - export interface InsightFiltersThreatIntelIndicatorType { - comparison: string; - value: string; - } - - export interface InsightFiltersThreatIntelIndicatorValue { - comparison: string; - value: string; - } - - export interface InsightFiltersTitle { - comparison: string; - value: string; - } - - export interface InsightFiltersType { - comparison: string; - value: string; + */ + years?: number; } - export interface InsightFiltersUpdatedAt { - dateRange?: outputs.securityhub.InsightFiltersUpdatedAtDateRange; - end?: string; - start?: string; + export interface BucketObjectLockConfigurationV2Rule { + /** + * Configuration block for specifying the default Object Lock retention settings for new objects placed in the specified bucket. See below. + */ + defaultRetention: outputs.s3.BucketObjectLockConfigurationV2RuleDefaultRetention; } - export interface InsightFiltersUpdatedAtDateRange { + export interface BucketObjectLockConfigurationV2RuleDefaultRetention { /** - * A date range unit for the date filter. Valid values: `DAYS`. + * Number of days that you want to specify for the default retention period. */ - unit: string; + days?: number; /** - * A date range value for the date filter, provided as an Integer. + * Default Object Lock retention mode you want to apply to new objects placed in the specified bucket. Valid values: `COMPLIANCE`, `GOVERNANCE`. */ - value: number; - } - - export interface InsightFiltersUserDefinedValue { - comparison: string; - key: string; - value: string; + mode?: string; + /** + * Number of years that you want to specify for the default retention period. 
+ */ + years?: number; } - export interface InsightFiltersVerificationState { - comparison: string; - value: string; + export interface BucketObjectv2OverrideProvider { + /** + * Override the provider `defaultTags` configuration block. + */ + defaultTags?: outputs.s3.BucketObjectv2OverrideProviderDefaultTags; } - export interface InsightFiltersWorkflowStatus { - comparison: string; - value: string; + export interface BucketObjectv2OverrideProviderDefaultTags { + /** + * Map of tags to assign to the object. If configured with a provider `defaultTags` configuration block present, tags with matching keys will overwrite those defined at the provider-level. + */ + tags?: {[key: string]: string}; } - export interface OrganizationConfigurationOrganizationConfiguration { + export interface BucketOwnershipControlsRule { /** - * Indicates whether the organization uses local or central configuration. If using central configuration, `autoEnable` must be set to `false` and `autoEnableStandards` set to `NONE`. More information can be found in the [documentation for central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html). Valid values: `LOCAL`, `CENTRAL`. + * Object ownership. Valid values: `BucketOwnerPreferred`, `ObjectWriter` or `BucketOwnerEnforced` + * * `BucketOwnerPreferred` - Objects uploaded to the bucket change ownership to the bucket owner if the objects are uploaded with the `bucket-owner-full-control` canned ACL. + * * `ObjectWriter` - Uploading account will own the object if the object is uploaded with the `bucket-owner-full-control` canned ACL. + * * `BucketOwnerEnforced` - Bucket owner automatically owns and has full control over every object in the bucket. ACLs no longer affect permissions to data in the S3 bucket. 
*/ - configurationType: string; + objectOwnership: string; } -} - -export namespace securitylake { - export interface AwsLogSourceSource { + export interface BucketReplicationConfigRule { /** - * Specify the AWS account information where you want to enable Security Lake. - * If not specified, uses all accounts included in the Security Lake. + * Whether delete markers are replicated. This argument is only valid with V2 replication configurations (i.e., when `filter` is used)documented below. */ - accounts: string[]; + deleteMarkerReplication?: outputs.s3.BucketReplicationConfigRuleDeleteMarkerReplication; /** - * Specify the Regions where you want to enable Security Lake. + * Specifies the destination for the rule. See below. */ - regions: string[]; + destination: outputs.s3.BucketReplicationConfigRuleDestination; /** - * The name for a AWS source. This must be a Regionally unique value. Valid values: `ROUTE53`, `VPC_FLOW`, `SH_FINDINGS`, `CLOUD_TRAIL_MGMT`, `LAMBDA_EXECUTION`, `S3_DATA`. + * Replicate existing objects in the source bucket according to the rule configurations. See below. */ - sourceName: string; + existingObjectReplication?: outputs.s3.BucketReplicationConfigRuleExistingObjectReplication; /** - * The version for a AWS source. - * If not specified, the version will be the default. - * This must be a Regionally unique value. + * Filter that identifies subset of objects to which the replication rule applies. See below. If not specified, the `rule` will default to using `prefix`. */ - sourceVersion: string; - } - - export interface CustomLogSourceAttribute { + filter?: outputs.s3.BucketReplicationConfigRuleFilter; /** - * The ARN of the AWS Glue crawler. + * Unique identifier for the rule. Must be less than or equal to 255 characters in length. */ - crawlerArn: string; + id: string; /** - * The ARN of the AWS Glue database where results are written. + * Object key name prefix identifying one or more objects to which the rule applies. 
Must be less than or equal to 1024 characters in length. Defaults to an empty string (`""`) if `filter` is not specified. + * + * @deprecated Use filter instead */ - databaseArn: string; + prefix?: string; /** - * The ARN of the AWS Glue table. + * Priority associated with the rule. Priority should only be set if `filter` is configured. If not provided, defaults to `0`. Priority must be unique between multiple rules. */ - tableArn: string; - } - - export interface CustomLogSourceConfiguration { + priority?: number; /** - * The configuration for the Glue Crawler for the third-party custom source. + * Specifies special object selection criteria. See below. */ - crawlerConfiguration?: outputs.securitylake.CustomLogSourceConfigurationCrawlerConfiguration; + sourceSelectionCriteria?: outputs.s3.BucketReplicationConfigRuleSourceSelectionCriteria; /** - * The identity of the log provider for the third-party custom source. + * Status of the rule. Either `"Enabled"` or `"Disabled"`. The rule is ignored if status is not "Enabled". */ - providerIdentity?: outputs.securitylake.CustomLogSourceConfigurationProviderIdentity; + status: string; } - export interface CustomLogSourceConfigurationCrawlerConfiguration { + export interface BucketReplicationConfigRuleDeleteMarkerReplication { /** - * The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to be used by the AWS Glue crawler. + * Whether delete markers should be replicated. Either `"Enabled"` or `"Disabled"`. */ - roleArn: string; + status: string; } - export interface CustomLogSourceConfigurationProviderIdentity { + export interface BucketReplicationConfigRuleDestination { /** - * The external ID used to estalish trust relationship with the AWS identity. + * Configuration block that specifies the overrides to use for object owners on replication. See below. 
Specify this only in a cross-account scenario (where source and destination bucket owners are not the same), and you want to change replica ownership to the AWS account that owns the destination bucket. If this is not specified in the replication configuration, the replicas are owned by same AWS account that owns the source object. Must be used in conjunction with `account` owner override configuration. */ - externalId: string; + accessControlTranslation?: outputs.s3.BucketReplicationConfigRuleDestinationAccessControlTranslation; /** - * The AWS identity principal. + * Account ID to specify the replica ownership. Must be used in conjunction with `accessControlTranslation` override configuration. */ - principal: string; - } - - export interface CustomLogSourceProviderDetail { + account?: string; /** - * The location of the partition in the Amazon S3 bucket for Security Lake. + * ARN of the bucket where you want Amazon S3 to store the results. */ - location: string; + bucket: string; /** - * The ARN of the IAM role to be used by the entity putting logs into your custom source partition. + * Configuration block that provides information about encryption. See below. If `sourceSelectionCriteria` is specified, you must specify this element. */ - roleArn: string; - } - - export interface DataLakeConfiguration { + encryptionConfiguration?: outputs.s3.BucketReplicationConfigRuleDestinationEncryptionConfiguration; /** - * Provides encryption details of Amazon Security Lake object. + * Configuration block that specifies replication metrics-related settings enabling replication metrics and events. See below. */ - encryptionConfigurations: outputs.securitylake.DataLakeConfigurationEncryptionConfiguration[]; + metrics?: outputs.s3.BucketReplicationConfigRuleDestinationMetrics; /** - * Provides lifecycle details of Amazon Security Lake object. 
+ * Configuration block that specifies S3 Replication Time Control (S3 RTC), including whether S3 RTC is enabled and the time when all objects and operations on objects must be replicated. See below. Replication Time Control must be used in conjunction with `metrics`. */ - lifecycleConfiguration?: outputs.securitylake.DataLakeConfigurationLifecycleConfiguration; + replicationTime?: outputs.s3.BucketReplicationConfigRuleDestinationReplicationTime; /** - * The AWS Regions where Security Lake is automatically enabled. + * The [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Destination.html#AmazonS3-Type-Destination-StorageClass) used to store the object. By default, Amazon S3 uses the storage class of the source object to create the object replica. */ - region: string; + storageClass?: string; + } + + export interface BucketReplicationConfigRuleDestinationAccessControlTranslation { /** - * Provides replication details of Amazon Security Lake object. + * Specifies the replica ownership. For default and valid values, see [PUT bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketPUTreplication.html) in the Amazon S3 API Reference. Valid values: `Destination`. */ - replicationConfiguration?: outputs.securitylake.DataLakeConfigurationReplicationConfiguration; + owner: string; } - export interface DataLakeConfigurationEncryptionConfiguration { + export interface BucketReplicationConfigRuleDestinationEncryptionConfiguration { /** - * The id of KMS encryption key used by Amazon Security Lake to encrypt the Security Lake object. + * ID (Key ARN or Alias ARN) of the customer managed AWS KMS key stored in AWS Key Management Service (KMS) for the destination bucket. */ - kmsKeyId: string; + replicaKmsKeyId: string; } - export interface DataLakeConfigurationLifecycleConfiguration { + export interface BucketReplicationConfigRuleDestinationMetrics { /** - * Provides data expiration details of Amazon Security Lake object. 
+ * Configuration block that specifies the time threshold for emitting the `s3:Replication:OperationMissedThreshold` event. See below. */ - expiration?: outputs.securitylake.DataLakeConfigurationLifecycleConfigurationExpiration; + eventThreshold?: outputs.s3.BucketReplicationConfigRuleDestinationMetricsEventThreshold; /** - * Provides data storage transition details of Amazon Security Lake object. + * Status of the Destination Metrics. Either `"Enabled"` or `"Disabled"`. */ - transitions?: outputs.securitylake.DataLakeConfigurationLifecycleConfigurationTransition[]; + status: string; } - export interface DataLakeConfigurationLifecycleConfigurationExpiration { + export interface BucketReplicationConfigRuleDestinationMetricsEventThreshold { /** - * Number of days before data transition to a different S3 Storage Class in the Amazon Security Lake object. + * Time in minutes. Valid values: `15`. */ - days?: number; + minutes: number; } - export interface DataLakeConfigurationLifecycleConfigurationTransition { + export interface BucketReplicationConfigRuleDestinationReplicationTime { /** - * Number of days before data transition to a different S3 Storage Class in the Amazon Security Lake object. + * Status of the Replication Time Control. Either `"Enabled"` or `"Disabled"`. */ - days?: number; + status: string; /** - * The range of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads. + * Configuration block specifying the time by which replication should be complete for all objects and operations on objects. See below. */ - storageClass?: string; + time: outputs.s3.BucketReplicationConfigRuleDestinationReplicationTimeTime; } - export interface DataLakeConfigurationReplicationConfiguration { + export interface BucketReplicationConfigRuleDestinationReplicationTimeTime { /** - * Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. 
Amazon S3 buckets that are configured for object replication can be owned by the same AWS account or by different accounts. You can replicate objects to a single destination bucket or to multiple destination buckets. The destination buckets can be in different AWS Regions or within the same Region as the source bucket. + * Time in minutes. Valid values: `15`. */ - regions?: string[]; + minutes: number; + } + + export interface BucketReplicationConfigRuleExistingObjectReplication { /** - * Replication settings for the Amazon S3 buckets. This parameter uses the AWS Identity and Access Management (IAM) role you created that is managed by Security Lake, to ensure the replication setting is correct. + * Whether the existing objects should be replicated. Either `"Enabled"` or `"Disabled"`. */ - roleArn?: string; + status: string; } - export interface DataLakeTimeouts { + export interface BucketReplicationConfigRuleFilter { /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * Configuration block for specifying rule filters. This element is required only if you specify more than one filter. See and below for more details. */ - create?: string; + and?: outputs.s3.BucketReplicationConfigRuleFilterAnd; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. + * Object key name prefix that identifies subset of objects to which the rule applies. Must be less than or equal to 1024 characters in length. 
*/ - delete?: string; + prefix?: string; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * Configuration block for specifying a tag key and value. See below. */ - update?: string; + tag?: outputs.s3.BucketReplicationConfigRuleFilterTag; } - export interface SubscriberNotificationConfiguration { + export interface BucketReplicationConfigRuleFilterAnd { /** - * The configurations for HTTPS subscriber notification. + * Object key name prefix that identifies subset of objects to which the rule applies. Must be less than or equal to 1024 characters in length. */ - httpsNotificationConfiguration?: outputs.securitylake.SubscriberNotificationConfigurationHttpsNotificationConfiguration; + prefix?: string; /** - * The configurations for SQS subscriber notification. - * There are no parameters within `sqsNotificationConfiguration`. + * Map of tags (key and value pairs) that identifies a subset of objects to which the rule applies. The rule applies only to objects having all the tags in its tagset. */ - sqsNotificationConfiguration?: outputs.securitylake.SubscriberNotificationConfigurationSqsNotificationConfiguration; + tags?: {[key: string]: string}; } - export interface SubscriberNotificationConfigurationHttpsNotificationConfiguration { + export interface BucketReplicationConfigRuleFilterTag { /** - * The API key name for the notification subscription. + * Name of the object key. */ - authorizationApiKeyName?: string; + key: string; /** - * The API key value for the notification subscription. + * Value of the tag. */ - authorizationApiKeyValue?: string; + value: string; + } + + export interface BucketReplicationConfigRuleSourceSelectionCriteria { /** - * The subscription endpoint in Security Lake. - * If you prefer notification with an HTTPS endpoint, populate this field. 
+ * Configuration block that you can specify for selections for modifications on replicas. Amazon S3 doesn't replicate replica modifications by default. In the latest version of replication configuration (when `filter` is specified), you can specify this element and set the status to `Enabled` to replicate modifications on replicas. */ - endpoint: string; + replicaModifications?: outputs.s3.BucketReplicationConfigRuleSourceSelectionCriteriaReplicaModifications; /** - * The HTTP method used for the notification subscription. - * Valid values are `POST` and `PUT`. + * Configuration block for filter information for the selection of Amazon S3 objects encrypted with AWS KMS. If specified, `replicaKmsKeyId` in `destination` `encryptionConfiguration` must be specified as well. */ - httpMethod?: string; + sseKmsEncryptedObjects?: outputs.s3.BucketReplicationConfigRuleSourceSelectionCriteriaSseKmsEncryptedObjects; + } + + export interface BucketReplicationConfigRuleSourceSelectionCriteriaReplicaModifications { /** - * The Amazon Resource Name (ARN) of the EventBridge API destinations IAM role that you created. - * For more information about ARNs and how to use them in policies, see Managing data access and AWS Managed Policies in the Amazon Security Lake User Guide. + * Whether the existing objects should be replicated. Either `"Enabled"` or `"Disabled"`. */ - targetRoleArn: string; + status: string; } - export interface SubscriberNotificationConfigurationSqsNotificationConfiguration { + export interface BucketReplicationConfigRuleSourceSelectionCriteriaSseKmsEncryptedObjects { + /** + * Whether the existing objects should be replicated. Either `"Enabled"` or `"Disabled"`. 
+ */ + status: string; } - export interface SubscriberSource { + export interface BucketReplicationConfiguration { + role: string; + rules: outputs.s3.BucketReplicationConfigurationRule[]; + } + + export interface BucketReplicationConfigurationRule { /** - * Amazon Security Lake supports log and event collection for natively supported AWS services. + * Whether delete markers are replicated. The only valid value is `Enabled`. To disable, omit this argument. This argument is only valid with V2 replication configurations (i.e., when `filter` is used). */ - awsLogSourceResource?: outputs.securitylake.SubscriberSourceAwsLogSourceResource; + deleteMarkerReplicationStatus?: string; /** - * Amazon Security Lake supports custom source types. + * Specifies the destination for the rule (documented below). */ - customLogSourceResource?: outputs.securitylake.SubscriberSourceCustomLogSourceResource; - } - - export interface SubscriberSourceAwsLogSourceResource { + destination: outputs.s3.BucketReplicationConfigurationRuleDestination; /** - * The name for a third-party custom source. This must be a Regionally unique value. + * Filter that identifies subset of objects to which the replication rule applies (documented below). */ - sourceName: string; + filter?: outputs.s3.BucketReplicationConfigurationRuleFilter; /** - * The version for a third-party custom source. This must be a Regionally unique value. + * Unique identifier for the rule. Must be less than or equal to 255 characters in length. */ - sourceVersion: string; + id?: string; + /** + * Object keyname prefix identifying one or more objects to which the rule applies. Must be less than or equal to 1024 characters in length. + */ + prefix?: string; + /** + * The priority associated with the rule. Priority should only be set if `filter` is configured. If not provided, defaults to `0`. Priority must be unique between multiple rules. 
+ */ + priority?: number; + /** + * Specifies special object selection criteria (documented below). + */ + sourceSelectionCriteria?: outputs.s3.BucketReplicationConfigurationRuleSourceSelectionCriteria; + /** + * The status of the rule. Either `Enabled` or `Disabled`. The rule is ignored if status is not Enabled. + * + * > **NOTE:** Replication to multiple destination buckets requires that `priority` is specified in the `rules` object. If the corresponding rule requires no filter, an empty configuration block `filter {}` must be specified. + */ + status: string; } - export interface SubscriberSourceCustomLogSourceResource { + export interface BucketReplicationConfigurationRuleDestination { /** - * The attributes of a third-party custom source. + * Specifies the overrides to use for object owners on replication. Must be used in conjunction with `accountId` owner override configuration. */ - attributes: outputs.securitylake.SubscriberSourceCustomLogSourceResourceAttribute[]; - providers: outputs.securitylake.SubscriberSourceCustomLogSourceResourceProvider[]; + accessControlTranslation?: outputs.s3.BucketReplicationConfigurationRuleDestinationAccessControlTranslation; /** - * The name for a third-party custom source. This must be a Regionally unique value. + * The Account ID to use for overriding the object owner on replication. Must be used in conjunction with `accessControlTranslation` override configuration. */ - sourceName: string; + accountId?: string; /** - * The version for a third-party custom source. This must be a Regionally unique value. + * The ARN of the S3 bucket where you want Amazon S3 to store replicas of the object identified by the rule. */ - sourceVersion: string; + bucket: string; + /** + * Enables replication metrics (required for S3 RTC) (documented below). + */ + metrics?: outputs.s3.BucketReplicationConfigurationRuleDestinationMetrics; + /** + * Destination KMS encryption key ARN for SSE-KMS replication. 
Must be used in conjunction with + * `sseKmsEncryptedObjects` source selection criteria. + */ + replicaKmsKeyId?: string; + /** + * Enables S3 Replication Time Control (S3 RTC) (documented below). + */ + replicationTime?: outputs.s3.BucketReplicationConfigurationRuleDestinationReplicationTime; + /** + * The [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Destination.html#AmazonS3-Type-Destination-StorageClass) used to store the object. By default, Amazon S3 uses the storage class of the source object to create the object replica. + */ + storageClass?: string; } - export interface SubscriberSourceCustomLogSourceResourceAttribute { + export interface BucketReplicationConfigurationRuleDestinationAccessControlTranslation { /** - * The ARN of the AWS Glue crawler. + * The override value for the owner on replicated objects. Currently only `Destination` is supported. */ - crawlerArn: string; + owner: string; + } + + export interface BucketReplicationConfigurationRuleDestinationMetrics { /** - * The ARN of the AWS Glue database where results are written. + * Threshold within which objects are to be replicated. The only valid value is `15`. */ - databaseArn: string; + minutes?: number; /** - * The ARN of the AWS Glue table. + * The status of replication metrics. Either `Enabled` or `Disabled`. */ - tableArn: string; + status?: string; } - export interface SubscriberSourceCustomLogSourceResourceProvider { + export interface BucketReplicationConfigurationRuleDestinationReplicationTime { /** - * The location of the partition in the Amazon S3 bucket for Security Lake. + * Threshold within which objects are to be replicated. The only valid value is `15`. */ - location: string; + minutes?: number; /** - * The ARN of the IAM role to be used by the entity putting logs into your custom source partition. + * The status of RTC. Either `Enabled` or `Disabled`. 
*/ - roleArn: string; + status?: string; } - export interface SubscriberSubscriberIdentity { + export interface BucketReplicationConfigurationRuleFilter { /** - * The AWS Regions where Security Lake is automatically enabled. + * Object keyname prefix that identifies subset of objects to which the rule applies. Must be less than or equal to 1024 characters in length. */ - externalId: string; + prefix?: string; /** - * Provides encryption details of Amazon Security Lake object. + * A map of tags that identifies subset of objects to which the rule applies. + * The rule applies only to objects having all the tags in its tagset. */ - principal: string; + tags?: {[key: string]: string}; } - export interface SubscriberTimeouts { + export interface BucketReplicationConfigurationRuleSourceSelectionCriteria { /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * Match SSE-KMS encrypted objects (documented below). If specified, `replicaKmsKeyId` + * in `destination` must be specified as well. */ - create?: string; + sseKmsEncryptedObjects?: outputs.s3.BucketReplicationConfigurationRuleSourceSelectionCriteriaSseKmsEncryptedObjects; + } + + export interface BucketReplicationConfigurationRuleSourceSelectionCriteriaSseKmsEncryptedObjects { /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. + * Boolean which indicates if this criteria is enabled. 
*/ - delete?: string; + enabled: boolean; + } + + export interface BucketServerSideEncryptionConfiguration { /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * A single object for server-side encryption by default configuration. (documented below) */ - update?: string; + rule: outputs.s3.BucketServerSideEncryptionConfigurationRule; } -} + export interface BucketServerSideEncryptionConfigurationRule { + /** + * A single object for setting server-side encryption by default. (documented below) + */ + applyServerSideEncryptionByDefault: outputs.s3.BucketServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault; + /** + * Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS. + */ + bucketKeyEnabled?: boolean; + } -export namespace servicecatalog { - export interface GetLaunchPathsSummary { + export interface BucketServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault { /** - * Block for constraints on the portfolio-product relationship. See details below. + * The AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `sseAlgorithm` as `aws:kms`. The default `aws/s3` AWS KMS master key is used if this element is absent while the `sseAlgorithm` is `aws:kms`. */ - constraintSummaries: outputs.servicecatalog.GetLaunchPathsSummaryConstraintSummary[]; + kmsMasterKeyId?: string; /** - * Name of the portfolio to which the path was assigned. + * The server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` */ - name: string; + sseAlgorithm: string; + } + + export interface BucketServerSideEncryptionConfigurationV2Rule { /** - * Identifier of the product path. + * Single object for setting server-side encryption by default. See below. 
*/ - pathId: string; + applyServerSideEncryptionByDefault?: outputs.s3.BucketServerSideEncryptionConfigurationV2RuleApplyServerSideEncryptionByDefault; /** - * Tags associated with this product path. + * Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS. */ - tags: {[key: string]: string}; + bucketKeyEnabled?: boolean; } - export interface GetLaunchPathsSummaryConstraintSummary { + export interface BucketServerSideEncryptionConfigurationV2RuleApplyServerSideEncryptionByDefault { /** - * Description of the constraint. + * AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `sseAlgorithm` as `aws:kms`. The default `aws/s3` AWS KMS master key is used if this element is absent while the `sseAlgorithm` is `aws:kms`. */ - description: string; + kmsMasterKeyId?: string; /** - * Type of constraint. Valid values are `LAUNCH`, `NOTIFICATION`, `STACKSET`, and `TEMPLATE`. + * Server-side encryption algorithm to use. Valid values are `AES256`, `aws:kms`, and `aws:kms:dsse` */ - type: string; + sseAlgorithm: string; } - export interface GetPortfolioConstraintsDetail { + export interface BucketV2CorsRule { /** - * Identifier of the constraint. + * List of headers allowed. */ - constraintId: string; + allowedHeaders?: string[]; /** - * Description of the constraint. + * One or more HTTP methods that you allow the origin to execute. Can be `GET`, `PUT`, `POST`, `DELETE` or `HEAD`. */ - description: string; - owner: string; + allowedMethods: string[]; /** - * Portfolio identifier. - * - * The following arguments are optional: + * One or more origins you want customers to be able to access the bucket from. */ - portfolioId: string; + allowedOrigins: string[]; /** - * Product identifier. + * One or more headers in the response that you want customers to be able to access from their applications (for example, from a JavaScript `XMLHttpRequest` object). 
*/ - productId: string; + exposeHeaders?: string[]; /** - * Type of constraint. Valid values are `LAUNCH`, `NOTIFICATION`, `STACKSET`, and `TEMPLATE`. + * Specifies time in seconds that browser can cache the response for a preflight request. + */ + maxAgeSeconds?: number; + } + + export interface BucketV2Grant { + /** + * Canonical user id to grant for. Used only when `type` is `CanonicalUser`. + */ + id?: string; + /** + * List of permissions to apply for grantee. Valid values are `READ`, `WRITE`, `READ_ACP`, `WRITE_ACP`, `FULL_CONTROL`. + */ + permissions: string[]; + /** + * Type of grantee to apply for. Valid values are `CanonicalUser` and `Group`. `AmazonCustomerByEmail` is not supported. */ type: string; + /** + * Uri address to grant for. Used only when `type` is `Group`. + */ + uri?: string; } - export interface GetProvisioningArtifactsProvisioningArtifactDetail { + export interface BucketV2LifecycleRule { /** - * Indicates whether the product version is active. + * Specifies the number of days after initiating a multipart upload when the multipart upload must be completed. */ - active: boolean; + abortIncompleteMultipartUploadDays?: number; /** - * The UTC time stamp of the creation time. + * Specifies lifecycle rule status. */ - createdTime: string; + enabled: boolean; /** - * The description of the provisioning artifact. + * Specifies a period in the object's expire. See Expiration below for details. */ - description: string; + expirations?: outputs.s3.BucketV2LifecycleRuleExpiration[]; /** - * Information set by the administrator to provide guidance to end users about which provisioning artifacts to use. + * Unique identifier for the rule. Must be less than or equal to 255 characters in length. */ - guidance: string; + id: string; /** - * The identifier of the provisioning artifact. + * Specifies when noncurrent object versions expire. See Noncurrent Version Expiration below for details. 
+ */ + noncurrentVersionExpirations?: outputs.s3.BucketV2LifecycleRuleNoncurrentVersionExpiration[]; + /** + * Specifies when noncurrent object versions transitions. See Noncurrent Version Transition below for details. + */ + noncurrentVersionTransitions?: outputs.s3.BucketV2LifecycleRuleNoncurrentVersionTransition[]; + /** + * Object key prefix identifying one or more objects to which the rule applies. */ - id: string; + prefix?: string; /** - * The name of the provisioning artifact. + * Specifies object tags key and value. */ - name: string; + tags?: {[key: string]: string}; /** - * The type of provisioning artifact. + * Specifies a period in the object's transitions. See Transition below for details. */ - type: string; + transitions?: outputs.s3.BucketV2LifecycleRuleTransition[]; } - export interface ProductProvisioningArtifactParameters { + export interface BucketV2LifecycleRuleExpiration { /** - * Description of the provisioning artifact (i.e., version), including how it differs from the previous provisioning artifact. + * Specifies the date after which you want the corresponding action to take effect. */ - description?: string; + date?: string; /** - * Whether AWS Service Catalog stops validating the specified provisioning artifact template even if it is invalid. + * Specifies the number of days after object creation when the specific rule action takes effect. */ - disableTemplateValidation?: boolean; + days?: number; /** - * Name of the provisioning artifact (for example, `v1`, `v2beta`). No spaces are allowed. + * On a versioned bucket (versioning-enabled or versioning-suspended bucket), you can add this element in the lifecycle configuration to direct Amazon S3 to delete expired object delete markers. This cannot be specified with Days or Date in a Lifecycle Expiration Policy. 
*/ - name?: string; + expiredObjectDeleteMarker?: boolean; + } + + export interface BucketV2LifecycleRuleNoncurrentVersionExpiration { /** - * Template source as the physical ID of the resource that contains the template. Currently only supports CloudFormation stack ARN. Specify the physical ID as `arn:[partition]:cloudformation:[region]:[account ID]:stack/[stack name]/[resource ID]`. + * Specifies the number of days noncurrent object versions expire. */ - templatePhysicalId?: string; + days?: number; + } + + export interface BucketV2LifecycleRuleNoncurrentVersionTransition { /** - * Template source as URL of the CloudFormation template in Amazon S3. + * Specifies the number of days noncurrent object versions transition. */ - templateUrl?: string; + days?: number; /** - * Type of provisioning artifact. See [AWS Docs](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_ProvisioningArtifactProperties.html) for valid list of values. + * Specifies the Amazon S3 [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Transition.html#AmazonS3-Type-Transition-StorageClass) to which you want the object to transition. */ - type?: string; + storageClass: string; } - export interface ProvisionedProductOutput { + export interface BucketV2LifecycleRuleTransition { /** - * The description of the output. + * Specifies the date after which you want the corresponding action to take effect. */ - description: string; + date?: string; /** - * The output key. + * Specifies the number of days after object creation when the specific rule action takes effect. */ - key: string; + days?: number; /** - * The output value. + * Specifies the Amazon S3 [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Transition.html#AmazonS3-Type-Transition-StorageClass) to which you want the object to transition. 
*/ - value: string; + storageClass: string; } - export interface ProvisionedProductProvisioningParameter { + export interface BucketV2Logging { /** - * Parameter key. + * Name of the bucket that will receive the log objects. */ - key: string; + targetBucket: string; /** - * Whether to ignore `value` and keep the previous parameter value. Ignored when initially provisioning a product. + * To specify a key prefix for log objects. */ - usePreviousValue?: boolean; + targetPrefix?: string; + } + + export interface BucketV2ObjectLockConfiguration { /** - * Parameter value. + * Indicates whether this bucket has an Object Lock configuration enabled. Valid values are `true` or `false`. This argument is not supported in all regions or partitions. + * + * @deprecated Use the top-level parameter objectLockEnabled instead */ - value?: string; + objectLockEnabled?: string; + /** + * Object Lock rule in place for this bucket (documented below). + * + * @deprecated Use the aws.s3.BucketObjectLockConfigurationV2 resource instead + */ + rules?: outputs.s3.BucketV2ObjectLockConfigurationRule[]; } - export interface ProvisionedProductStackSetProvisioningPreferences { + export interface BucketV2ObjectLockConfigurationRule { /** - * One or more AWS accounts that will have access to the provisioned product. The AWS accounts specified should be within the list of accounts in the STACKSET constraint. To get the list of accounts in the STACKSET constraint, use the `awsServicecatalogProvisioningParameters` data source. If no values are specified, the default value is all accounts from the STACKSET constraint. + * Default retention period that you want to apply to new objects placed in this bucket (documented below). 
*/ - accounts?: string[]; + defaultRetentions: outputs.s3.BucketV2ObjectLockConfigurationRuleDefaultRetention[]; + } + + export interface BucketV2ObjectLockConfigurationRuleDefaultRetention { /** - * Number of accounts, per region, for which this operation can fail before AWS Service Catalog stops the operation in that region. If the operation is stopped in a region, AWS Service Catalog doesn't attempt the operation in any subsequent regions. You must specify either `failureToleranceCount` or `failureTolerancePercentage`, but not both. The default value is 0 if no value is specified. + * Number of days that you want to specify for the default retention period. */ - failureToleranceCount?: number; + days?: number; /** - * Percentage of accounts, per region, for which this stack operation can fail before AWS Service Catalog stops the operation in that region. If the operation is stopped in a region, AWS Service Catalog doesn't attempt the operation in any subsequent regions. When calculating the number of accounts based on the specified percentage, AWS Service Catalog rounds down to the next whole number. You must specify either `failureToleranceCount` or `failureTolerancePercentage`, but not both. + * Default Object Lock retention mode you want to apply to new objects placed in this bucket. Valid values are `GOVERNANCE` and `COMPLIANCE`. */ - failureTolerancePercentage?: number; + mode: string; /** - * Maximum number of accounts in which to perform this operation at one time. This is dependent on the value of `failureToleranceCount`. `maxConcurrencyCount` is at most one more than the `failureToleranceCount`. Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual number of accounts acted upon concurrently may be lower due to service throttling. You must specify either `maxConcurrencyCount` or `maxConcurrencyPercentage`, but not both. 
+ * Number of years that you want to specify for the default retention period. */ - maxConcurrencyCount?: number; + years?: number; + } + + export interface BucketV2ReplicationConfiguration { /** - * Maximum percentage of accounts in which to perform this operation at one time. When calculating the number of accounts based on the specified percentage, AWS Service Catalog rounds down to the next whole number. This is true except in cases where rounding down would result is zero. In this case, AWS Service Catalog sets the number as 1 instead. Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual number of accounts acted upon concurrently may be lower due to service throttling. You must specify either `maxConcurrencyCount` or `maxConcurrencyPercentage`, but not both. + * ARN of the IAM role for Amazon S3 to assume when replicating the objects. */ - maxConcurrencyPercentage?: number; + role: string; /** - * One or more AWS Regions where the provisioned product will be available. The specified regions should be within the list of regions from the STACKSET constraint. To get the list of regions in the STACKSET constraint, use the `awsServicecatalogProvisioningParameters` data source. If no values are specified, the default value is all regions from the STACKSET constraint. + * Specifies the rules managing the replication (documented below). */ - regions?: string[]; + rules: outputs.s3.BucketV2ReplicationConfigurationRule[]; } - export interface ServiceActionDefinition { + export interface BucketV2ReplicationConfigurationRule { /** - * ARN of the role that performs the self-service actions on your behalf. For example, `arn:aws:iam::12345678910:role/ActionRole`. To reuse the provisioned product launch role, set to `LAUNCH_ROLE`. + * Whether delete markers are replicated. The only valid value is `Enabled`. To disable, omit this argument. 
This argument is only valid with V2 replication configurations (i.e., when `filter` is used). */ - assumeRole?: string; + deleteMarkerReplicationStatus?: string; /** - * Name of the SSM document. For example, `AWS-RestartEC2Instance`. If you are using a shared SSM document, you must provide the ARN instead of the name. + * Specifies the destination for the rule (documented below). */ - name: string; + destinations: outputs.s3.BucketV2ReplicationConfigurationRuleDestination[]; /** - * List of parameters in JSON format. For example: `[{\"Name\":\"InstanceId\",\"Type\":\"TARGET\"}]` or `[{\"Name\":\"InstanceId\",\"Type\":\"TEXT_VALUE\"}]`. + * Filter that identifies subset of objects to which the replication rule applies (documented below). */ - parameters?: string; + filters?: outputs.s3.BucketV2ReplicationConfigurationRuleFilter[]; /** - * Service action definition type. Valid value is `SSM_AUTOMATION`. Default is `SSM_AUTOMATION`. + * Unique identifier for the rule. Must be less than or equal to 255 characters in length. */ - type?: string; + id?: string; /** - * SSM document version. For example, `1`. + * Object keyname prefix identifying one or more objects to which the rule applies. Must be less than or equal to 1024 characters in length. */ - version: string; - } - -} - -export namespace servicediscovery { - export interface GetServiceDnsConfig { + prefix?: string; /** - * An array that contains one DnsRecord object for each resource record set. + * Priority associated with the rule. Priority should only be set if `filter` is configured. If not provided, defaults to `0`. Priority must be unique between multiple rules. */ - dnsRecords: outputs.servicediscovery.GetServiceDnsConfigDnsRecord[]; + priority?: number; /** - * ID of the namespace that the service belongs to. + * Specifies special object selection criteria (documented below). 
*/ - namespaceId: string; + sourceSelectionCriterias?: outputs.s3.BucketV2ReplicationConfigurationRuleSourceSelectionCriteria[]; /** - * Routing policy that you want to apply to all records that Route 53 creates when you register an instance and specify the service. Valid Values: MULTIVALUE, WEIGHTED + * Status of the rule. Either `Enabled` or `Disabled`. The rule is ignored if status is not Enabled. */ - routingPolicy: string; + status: string; } - export interface GetServiceDnsConfigDnsRecord { + export interface BucketV2ReplicationConfigurationRuleDestination { /** - * Amount of time, in seconds, that you want DNS resolvers to cache the settings for this resource record set. + * Specifies the overrides to use for object owners on replication (documented below). Must be used in conjunction with `accountId` owner override configuration. */ - ttl: number; + accessControlTranslations?: outputs.s3.BucketV2ReplicationConfigurationRuleDestinationAccessControlTranslation[]; /** - * The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. Valid Values: HTTP, HTTPS, TCP + * Account ID to use for overriding the object owner on replication. Must be used in conjunction with `accessControlTranslation` override configuration. */ - type: string; - } - - export interface GetServiceHealthCheckConfig { + accountId?: string; /** - * The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10. + * ARN of the S3 bucket where you want Amazon S3 to store replicas of the object identified by the rule. */ - failureThreshold: number; + bucket: string; /** - * Path that you want Route 53 to request when performing health checks. Route 53 automatically adds the DNS name for the service. If you don't specify a value, the default value is /. + * Enables replication metrics (required for S3 RTC) (documented below). 
*/ - resourcePath: string; + metrics?: outputs.s3.BucketV2ReplicationConfigurationRuleDestinationMetric[]; /** - * The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. Valid Values: HTTP, HTTPS, TCP + * Destination KMS encryption key ARN for SSE-KMS replication. Must be used in conjunction with + * `sseKmsEncryptedObjects` source selection criteria. */ - type: string; - } - - export interface GetServiceHealthCheckCustomConfig { + replicaKmsKeyId?: string; /** - * The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10. + * Enables S3 Replication Time Control (S3 RTC) (documented below). */ - failureThreshold: number; + replicationTimes?: outputs.s3.BucketV2ReplicationConfigurationRuleDestinationReplicationTime[]; + /** + * The [storage class](https://docs.aws.amazon.com/AmazonS3/latest/API/API_Destination.html#AmazonS3-Type-Destination-StorageClass) used to store the object. By default, Amazon S3 uses the storage class of the source object to create the object replica. + */ + storageClass?: string; } - export interface ServiceDnsConfig { + export interface BucketV2ReplicationConfigurationRuleDestinationAccessControlTranslation { /** - * An array that contains one DnsRecord object for each resource record set. + * Specifies the replica ownership. For default and valid values, see [PUT bucket replication](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketReplication.html) in the Amazon S3 API Reference. The only valid value is `Destination`. */ - dnsRecords: outputs.servicediscovery.ServiceDnsConfigDnsRecord[]; + owner: string; + } + + export interface BucketV2ReplicationConfigurationRuleDestinationMetric { /** - * The ID of the namespace to use for DNS configuration. + * Threshold within which objects are to be replicated. The only valid value is `15`. 
*/ - namespaceId: string; + minutes?: number; /** - * The routing policy that you want to apply to all records that Route 53 creates when you register an instance and specify the service. Valid Values: MULTIVALUE, WEIGHTED + * Status of replication metrics. Either `Enabled` or `Disabled`. */ - routingPolicy?: string; + status?: string; } - export interface ServiceDnsConfigDnsRecord { + export interface BucketV2ReplicationConfigurationRuleDestinationReplicationTime { /** - * The amount of time, in seconds, that you want DNS resolvers to cache the settings for this resource record set. + * Threshold within which objects are to be replicated. The only valid value is `15`. */ - ttl: number; + minutes?: number; /** - * The type of the resource, which indicates the value that Amazon Route 53 returns in response to DNS queries. Valid Values: A, AAAA, SRV, CNAME + * Status of RTC. Either `Enabled` or `Disabled`. */ - type: string; + status?: string; } - export interface ServiceHealthCheckConfig { + export interface BucketV2ReplicationConfigurationRuleFilter { /** - * The number of consecutive health checks. Maximum value of 10. + * Object keyname prefix that identifies subset of objects to which the rule applies. Must be less than or equal to 1024 characters in length. */ - failureThreshold?: number; + prefix?: string; /** - * The path that you want Route 53 to request when performing health checks. Route 53 automatically adds the DNS name for the service. If you don't specify a value, the default value is /. + * A map of tags that identifies subset of objects to which the rule applies. + * The rule applies only to objects having all the tags in its tagset. */ - resourcePath?: string; + tags?: {[key: string]: string}; + } + + export interface BucketV2ReplicationConfigurationRuleSourceSelectionCriteria { /** - * The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. 
Valid Values: HTTP, HTTPS, TCP + * Match SSE-KMS encrypted objects (documented below). If specified, `replicaKmsKeyId` + * in `destination` must be specified as well. */ - type?: string; + sseKmsEncryptedObjects?: outputs.s3.BucketV2ReplicationConfigurationRuleSourceSelectionCriteriaSseKmsEncryptedObject[]; } - export interface ServiceHealthCheckCustomConfig { + export interface BucketV2ReplicationConfigurationRuleSourceSelectionCriteriaSseKmsEncryptedObject { /** - * The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10. + * Boolean which indicates if this criteria is enabled. */ - failureThreshold?: number; + enabled: boolean; } -} + export interface BucketV2ServerSideEncryptionConfiguration { + /** + * Single object for server-side encryption by default configuration. (documented below) + */ + rules: outputs.s3.BucketV2ServerSideEncryptionConfigurationRule[]; + } -export namespace servicequotas { - export interface GetServiceQuotaUsageMetric { + export interface BucketV2ServerSideEncryptionConfigurationRule { /** - * The metric dimensions. + * Single object for setting server-side encryption by default. (documented below) */ - metricDimensions: outputs.servicequotas.GetServiceQuotaUsageMetricMetricDimension[]; + applyServerSideEncryptionByDefaults: outputs.s3.BucketV2ServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault[]; /** - * The name of the metric. + * Whether or not to use [Amazon S3 Bucket Keys](https://docs.aws.amazon.com/AmazonS3/latest/dev/bucket-key.html) for SSE-KMS. */ - metricName: string; + bucketKeyEnabled?: boolean; + } + + export interface BucketV2ServerSideEncryptionConfigurationRuleApplyServerSideEncryptionByDefault { /** - * The namespace of the metric. + * AWS KMS master key ID used for the SSE-KMS encryption. This can only be used when you set the value of `sseAlgorithm` as `aws:kms`. 
The default `aws/s3` AWS KMS master key is used if this element is absent while the `sseAlgorithm` is `aws:kms`. */ - metricNamespace: string; + kmsMasterKeyId?: string; /** - * The metric statistic that AWS recommend you use when determining quota usage. + * Server-side encryption algorithm to use. Valid values are `AES256` and `aws:kms` */ - metricStatisticRecommendation: string; + sseAlgorithm: string; } - export interface GetServiceQuotaUsageMetricMetricDimension { - class: string; - resource: string; - service: string; - type: string; + export interface BucketV2Versioning { + /** + * Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket. + */ + enabled?: boolean; + /** + * Enable MFA delete for either `Change the versioning state of your bucket` or `Permanently delete an object version`. Default is `false`. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS + */ + mfaDelete?: boolean; } - export interface GetTemplatesTemplate { + export interface BucketV2Website { /** - * Indicates whether the quota is global. + * Absolute path to the document to return in case of a 4XX error. */ - globalQuota: boolean; + errorDocument?: string; /** - * Quota identifier. + * Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders. */ - quotaCode: string; + indexDocument?: string; /** - * Quota name. + * Hostname to redirect all website requests for this bucket to. Hostname can optionally be prefixed with a protocol (`http://` or `https://`) to use when redirecting requests. The default is the protocol that is used in the original request. */ - quotaName: string; + redirectAllRequestsTo?: string; /** - * AWS Region to which the quota increases apply. 
+ * JSON array containing [routing rules](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-websiteconfiguration-routingrules.html) + * describing redirect behavior and when redirects are applied. */ - region: string; + routingRules?: string; + } + + export interface BucketVersioning { /** - * (Required) Service identifier. + * Enable versioning. Once you version-enable a bucket, it can never return to an unversioned state. You can, however, suspend versioning on that bucket. */ - serviceCode: string; + enabled?: boolean; /** - * Service name. + * Enable MFA delete for either `Change the versioning state of your bucket` or `Permanently delete an object version`. Default is `false`. This cannot be used to toggle this setting but is available to allow managed buckets to reflect the state in AWS */ - serviceName: string; + mfaDelete?: boolean; + } + + export interface BucketVersioningV2VersioningConfiguration { /** - * Unit of measurement. + * Specifies whether MFA delete is enabled in the bucket versioning configuration. Valid values: `Enabled` or `Disabled`. */ - unit: string; + mfaDelete: string; /** - * (Required) The new, increased value for the quota. + * Versioning state of the bucket. Valid values: `Enabled`, `Suspended`, or `Disabled`. `Disabled` should only be used when creating or importing resources that correspond to unversioned S3 buckets. */ - value: number; + status: string; } - export interface ServiceQuotaUsageMetric { + export interface BucketWebsite { /** - * The metric dimensions. + * An absolute path to the document to return in case of a 4XX error. */ - metricDimensions: outputs.servicequotas.ServiceQuotaUsageMetricMetricDimension[]; + errorDocument?: string; /** - * The name of the metric. + * Amazon S3 returns this index document when requests are made to the root domain or any of the subfolders. */ - metricName: string; + indexDocument?: string; /** - * The namespace of the metric. 
+ * A hostname to redirect all website requests for this bucket to. Hostname can optionally be prefixed with a protocol (`http://` or `https://`) to use when redirecting requests. The default is the protocol that is used in the original request. */ - metricNamespace: string; + redirectAllRequestsTo?: string; /** - * The metric statistic that AWS recommend you use when determining quota usage. + * A json array containing [routing rules](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-s3-websiteconfiguration-routingrules.html) + * describing redirect behavior and when redirects are applied. + * + * The `CORS` object supports the following: */ - metricStatisticRecommendation: string; - } - - export interface ServiceQuotaUsageMetricMetricDimension { - class: string; - resource: string; - service: string; - type: string; + routingRules?: string; } -} - -export namespace ses { - export interface ConfigurationSetDeliveryOptions { + export interface BucketWebsiteConfigurationV2ErrorDocument { /** - * Whether messages that use the configuration set are required to use Transport Layer Security (TLS). If the value is `Require`, messages are only delivered if a TLS connection can be established. If the value is `Optional`, messages can be delivered in plain text if a TLS connection can't be established. Valid values: `Require` or `Optional`. Defaults to `Optional`. + * Object key name to use when a 4XX class error occurs. */ - tlsPolicy?: string; + key: string; } - export interface ConfigurationSetTrackingOptions { + export interface BucketWebsiteConfigurationV2IndexDocument { /** - * Custom subdomain that is used to redirect email recipients to the Amazon SES event tracking domain. + * Suffix that is appended to a request that is for a directory on the website endpoint. 
+ * For example, if the suffix is `index.html` and you make a request to `samplebucket/images/`, the data that is returned will be for the object with the key name `images/index.html`. + * The suffix must not be empty and must not include a slash character. */ - customRedirectDomain?: string; + suffix: string; } - export interface EventDestinationCloudwatchDestination { - /** - * The default value for the event - */ - defaultValue: string; + export interface BucketWebsiteConfigurationV2RedirectAllRequestsTo { /** - * The name for the dimension + * Name of the host where requests are redirected. */ - dimensionName: string; + hostName: string; /** - * The source for the value. May be any of `"messageTag"`, `"emailHeader"` or `"linkTag"`. + * Protocol to use when redirecting requests. The default is the protocol that is used in the original request. Valid values: `http`, `https`. */ - valueSource: string; + protocol?: string; } - export interface EventDestinationKinesisDestination { - /** - * The ARN of the role that has permissions to access the Kinesis Stream - */ - roleArn: string; + export interface BucketWebsiteConfigurationV2RoutingRule { /** - * The ARN of the Kinesis Stream + * Configuration block for describing a condition that must be met for the specified redirect to apply. See below. */ - streamArn: string; - } - - export interface EventDestinationSnsDestination { + condition?: outputs.s3.BucketWebsiteConfigurationV2RoutingRuleCondition; /** - * The ARN of the SNS topic + * Configuration block for redirect information. See below. */ - topicArn: string; + redirect: outputs.s3.BucketWebsiteConfigurationV2RoutingRuleRedirect; } - export interface ReceiptRuleAddHeaderAction { - /** - * The name of the header to add - */ - headerName: string; + export interface BucketWebsiteConfigurationV2RoutingRuleCondition { /** - * The value of the header to add + * HTTP error code when the redirect is applied. 
If specified with `keyPrefixEquals`, then both must be true for the redirect to be applied. */ - headerValue: string; + httpErrorCodeReturnedEquals?: string; /** - * The position of the action in the receipt rule + * Object key name prefix when the redirect is applied. If specified with `httpErrorCodeReturnedEquals`, then both must be true for the redirect to be applied. */ - position: number; + keyPrefixEquals?: string; } - export interface ReceiptRuleBounceAction { - /** - * The message to send - */ - message: string; + export interface BucketWebsiteConfigurationV2RoutingRuleRedirect { /** - * The position of the action in the receipt rule + * Host name to use in the redirect request. */ - position: number; + hostName?: string; /** - * The email address of the sender + * HTTP redirect code to use on the response. */ - sender: string; + httpRedirectCode?: string; /** - * The RFC 5321 SMTP reply code + * Protocol to use when redirecting requests. The default is the protocol that is used in the original request. Valid values: `http`, `https`. */ - smtpReplyCode: string; + protocol?: string; /** - * The RFC 3463 SMTP enhanced status code + * Object key prefix to use in the redirect request. For example, to redirect requests for all pages with prefix `docs/` (objects in the `docs/` folder) to `documents/`, you can set a `condition` block with `keyPrefixEquals` set to `docs/` and in the `redirect` set `replaceKeyPrefixWith` to `/documents`. */ - statusCode?: string; + replaceKeyPrefixWith?: string; /** - * The ARN of an SNS topic to notify + * Specific object key to use in the redirect request. For example, redirect request to `error.html`. 
*/ - topicArn?: string; + replaceKeyWith?: string; } - export interface ReceiptRuleLambdaAction { - /** - * The ARN of the Lambda function to invoke - */ - functionArn: string; + export interface DirectoryBucketLocation { /** - * `Event` or `RequestResponse` + * [Availability Zone ID](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#az-ids). */ - invocationType?: string; + name: string; /** - * The position of the action in the receipt rule + * Location type. Valid values: `AvailabilityZone`. */ - position: number; + type: string; + } + + export interface InventoryDestination { /** - * The ARN of an SNS topic to notify + * S3 bucket configuration where inventory results are published (documented below). */ - topicArn?: string; + bucket: outputs.s3.InventoryDestinationBucket; } - export interface ReceiptRuleS3Action { + export interface InventoryDestinationBucket { /** - * The name of the S3 bucket + * ID of the account that owns the destination bucket. Recommended to be set to prevent problems if the destination bucket ownership changes. */ - bucketName: string; + accountId?: string; /** - * The ARN of the KMS key + * Amazon S3 bucket ARN of the destination. */ - kmsKeyArn?: string; + bucketArn: string; /** - * The key prefix of the S3 bucket + * Contains the type of server-side encryption to use to encrypt the inventory (documented below). */ - objectKeyPrefix?: string; + encryption?: outputs.s3.InventoryDestinationBucketEncryption; /** - * The position of the action in the receipt rule + * Specifies the output format of the inventory results. Can be `CSV`, [`ORC`](https://orc.apache.org/) or [`Parquet`](https://parquet.apache.org/). */ - position: number; + format: string; /** - * The ARN of an SNS topic to notify + * Prefix that is prepended to all inventory results. 
*/ - topicArn?: string; + prefix?: string; } - export interface ReceiptRuleSnsAction { + export interface InventoryDestinationBucketEncryption { /** - * The encoding to use for the email within the Amazon SNS notification. Default value is `UTF-8`. + * Specifies to use server-side encryption with AWS KMS-managed keys to encrypt the inventory file (documented below). */ - encoding?: string; + sseKms?: outputs.s3.InventoryDestinationBucketEncryptionSseKms; /** - * The position of the action in the receipt rule + * Specifies to use server-side encryption with Amazon S3-managed keys (SSE-S3) to encrypt the inventory file. */ - position: number; + sseS3?: outputs.s3.InventoryDestinationBucketEncryptionSseS3; + } + + export interface InventoryDestinationBucketEncryptionSseKms { /** - * The ARN of an SNS topic to notify + * ARN of the KMS customer master key (CMK) used to encrypt the inventory file. */ - topicArn: string; + keyId: string; + } + + export interface InventoryDestinationBucketEncryptionSseS3 { + } + + export interface InventoryFilter { + /** + * Prefix that an object must have to be included in the inventory results. + */ + prefix?: string; } - export interface ReceiptRuleStopAction { + export interface InventorySchedule { /** - * The position of the action in the receipt rule + * Specifies how frequently inventory results are produced. Valid values: `Daily`, `Weekly`. */ - position: number; + frequency: string; + } + + export interface ObjectCopyGrant { /** - * The scope to apply. The only acceptable value is `RuleSet`. + * Email address of the grantee. Used only when `type` is `AmazonCustomerByEmail`. */ - scope: string; + email?: string; /** - * The ARN of an SNS topic to notify + * Canonical user ID of the grantee. Used only when `type` is `CanonicalUser`. */ - topicArn?: string; - } - - export interface ReceiptRuleWorkmailAction { + id?: string; /** - * The ARN of the WorkMail organization + * List of permissions to grant to grantee. 
Valid values are `READ`, `READ_ACP`, `WRITE_ACP`, `FULL_CONTROL`. */ - organizationArn: string; + permissions: string[]; /** - * The position of the action in the receipt rule + * Type of grantee. Valid values are `CanonicalUser`, `Group`, and `AmazonCustomerByEmail`. + * + * This configuration block has the following optional arguments (one of the three is required): */ - position: number; + type: string; /** - * The ARN of an SNS topic to notify + * URI of the grantee group. Used only when `type` is `Group`. */ - topicArn?: string; + uri?: string; } } -export namespace sesv2 { - export interface AccountVdmAttributesDashboardAttributes { - /** - * Specifies the status of your VDM engagement metrics collection. Valid values: `ENABLED`, `DISABLED`. - */ - engagementMetrics?: string; - } - - export interface AccountVdmAttributesGuardianAttributes { +export namespace s3control { + export interface AccessGrantAccessGrantsLocationConfiguration { /** - * Specifies the status of your VDM optimized shared delivery. Valid values: `ENABLED`, `DISABLED`. + * Sub-prefix. */ - optimizedSharedDelivery?: string; + s3SubPrefix?: string; } - export interface ConfigurationSetDeliveryOptions { + export interface AccessGrantGrantee { /** - * The name of the dedicated IP pool to associate with the configuration set. + * Grantee identifier. */ - sendingPoolName?: string; + granteeIdentifier: string; /** - * Specifies whether messages that use the configuration set are required to use Transport Layer Security (TLS). Valid values: `REQUIRE`, `OPTIONAL`. + * Grantee types. Valid values: `DIRECTORY_USER`, `DIRECTORY_GROUP`, `IAM`. */ - tlsPolicy?: string; + granteeType: string; } - export interface ConfigurationSetEventDestinationEventDestination { - /** - * An object that defines an Amazon CloudWatch destination for email events. 
See cloudWatchDestination below - */ - cloudWatchDestination?: outputs.sesv2.ConfigurationSetEventDestinationEventDestinationCloudWatchDestination; + export interface BucketLifecycleConfigurationRule { /** - * When the event destination is enabled, the specified event types are sent to the destinations. Default: `false`. + * Configuration block containing settings for abort incomplete multipart upload. */ - enabled?: boolean; + abortIncompleteMultipartUpload?: outputs.s3control.BucketLifecycleConfigurationRuleAbortIncompleteMultipartUpload; /** - * An object that defines an Amazon Kinesis Data Firehose destination for email events. See kinesisFirehoseDestination below. + * Configuration block containing settings for expiration of objects. */ - kinesisFirehoseDestination?: outputs.sesv2.ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination; + expiration?: outputs.s3control.BucketLifecycleConfigurationRuleExpiration; /** - * An array that specifies which events the Amazon SES API v2 should send to the destinations. Valid values: `SEND`, `REJECT`, `BOUNCE`, `COMPLAINT`, `DELIVERY`, `OPEN`, `CLICK`, `RENDERING_FAILURE`, `DELIVERY_DELAY`, `SUBSCRIPTION`. - * - * The following arguments are optional: + * Configuration block containing settings for filtering. */ - matchingEventTypes: string[]; + filter?: outputs.s3control.BucketLifecycleConfigurationRuleFilter; /** - * An object that defines an Amazon Pinpoint project destination for email events. See pinpointDestination below. + * Unique identifier for the rule. */ - pinpointDestination?: outputs.sesv2.ConfigurationSetEventDestinationEventDestinationPinpointDestination; + id: string; /** - * An object that defines an Amazon SNS destination for email events. See snsDestination below. + * Status of the rule. Valid values: `Enabled` and `Disabled`. Defaults to `Enabled`. 
*/ - snsDestination?: outputs.sesv2.ConfigurationSetEventDestinationEventDestinationSnsDestination; + status?: string; } - export interface ConfigurationSetEventDestinationEventDestinationCloudWatchDestination { + export interface BucketLifecycleConfigurationRuleAbortIncompleteMultipartUpload { /** - * An array of objects that define the dimensions to use when you send email events to Amazon CloudWatch. See dimensionConfiguration below. + * Number of days after which Amazon S3 aborts an incomplete multipart upload. */ - dimensionConfigurations: outputs.sesv2.ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration[]; + daysAfterInitiation: number; } - export interface ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration { + export interface BucketLifecycleConfigurationRuleExpiration { /** - * The default value of the dimension that is published to Amazon CloudWatch if you don't provide the value of the dimension when you send an email. + * Date the object is to be deleted. Should be in `YYYY-MM-DD` date format, e.g., `2020-09-30`. */ - defaultDimensionValue: string; + date?: string; /** - * The name of an Amazon CloudWatch dimension associated with an email sending metric. + * Number of days before the object is to be deleted. */ - dimensionName: string; + days?: number; /** - * The location where the Amazon SES API v2 finds the value of a dimension to publish to Amazon CloudWatch. Valid values: `MESSAGE_TAG`, `EMAIL_HEADER`, `LINK_TAG`. + * Enable to remove a delete marker with no noncurrent versions. Cannot be specified with `date` or `days`. 
*/ - dimensionValueSource: string; + expiredObjectDeleteMarker?: boolean; } - export interface ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination { + export interface BucketLifecycleConfigurationRuleFilter { /** - * The Amazon Resource Name (ARN) of the Amazon Kinesis Data Firehose stream that the Amazon SES API v2 sends email events to. + * Object prefix for rule filtering. */ - deliveryStreamArn: string; + prefix?: string; /** - * The Amazon Resource Name (ARN) of the IAM role that the Amazon SES API v2 uses to send email events to the Amazon Kinesis Data Firehose stream. + * Key-value map of object tags for rule filtering. */ - iamRoleArn: string; - } - - export interface ConfigurationSetEventDestinationEventDestinationPinpointDestination { - applicationArn: string; + tags?: {[key: string]: string}; } - export interface ConfigurationSetEventDestinationEventDestinationSnsDestination { + export interface GetMultiRegionAccessPointPublicAccessBlock { /** - * The Amazon Resource Name (ARN) of the Amazon SNS topic to publish email events to. + * Specifies whether Amazon S3 should block public access control lists (ACLs). When set to `true` causes the following behavior: + * * PUT Bucket acl and PUT Object acl calls fail if the specified ACL is public. + * * PUT Object calls fail if the request includes a public ACL. + * * PUT Bucket calls fail if the request includes a public ACL. */ - topicArn: string; - } - - export interface ConfigurationSetReputationOptions { + blockPublicAcls: boolean; /** - * The date and time (in Unix time) when the reputation metrics were last given a fresh start. When your account is given a fresh start, your reputation metrics are calculated starting from the date of the fresh start. + * Specifies whether Amazon S3 should block public bucket policies for buckets in this account. When set to `true` causes Amazon S3 to: + * * Reject calls to PUT Bucket policy if the specified bucket policy allows public access. 
*/ - lastFreshStart: string; + blockPublicPolicy: boolean; /** - * If `true`, tracking of reputation metrics is enabled for the configuration set. If `false`, tracking of reputation metrics is disabled for the configuration set. + * Specifies whether Amazon S3 should ignore public ACLs for buckets in this account. When set to `true` causes Amazon S3 to: + * * Ignore all public ACLs on buckets in this account and any objects that they contain. */ - reputationMetricsEnabled: boolean; - } - - export interface ConfigurationSetSendingOptions { + ignorePublicAcls: boolean; /** - * If `true`, email sending is enabled for the configuration set. If `false`, email sending is disabled for the configuration set. + * Specifies whether Amazon S3 should restrict public bucket policies for buckets in this account. When set to `true`: + * * Only the bucket owner and AWS Services can access buckets with public policies. */ - sendingEnabled: boolean; + restrictPublicBuckets: boolean; } - export interface ConfigurationSetSuppressionOptions { + export interface GetMultiRegionAccessPointRegion { /** - * A list that contains the reasons that email addresses are automatically added to the suppression list for your account. Valid values: `BOUNCE`, `COMPLAINT`. + * The name of the bucket. */ - suppressedReasons?: string[]; - } - - export interface ConfigurationSetTrackingOptions { + bucket: string; /** - * The domain to use for tracking open and click events. + * The AWS account ID that owns the bucket. */ - customRedirectDomain: string; + bucketAccountId: string; + /** + * The name of the region. 
+ */ + region: string; } - export interface ConfigurationSetVdmOptions { + export interface MultiRegionAccessPointDetails { + name: string; + publicAccessBlock?: outputs.s3control.MultiRegionAccessPointDetailsPublicAccessBlock; + regions: outputs.s3control.MultiRegionAccessPointDetailsRegion[]; + } + + export interface MultiRegionAccessPointDetailsPublicAccessBlock { + blockPublicAcls?: boolean; + blockPublicPolicy?: boolean; + ignorePublicAcls?: boolean; + restrictPublicBuckets?: boolean; + } + + export interface MultiRegionAccessPointDetailsRegion { + bucket: string; + bucketAccountId: string; + region: string; + } + + export interface MultiRegionAccessPointPolicyDetails { /** - * Specifies additional settings for your VDM configuration as applicable to the Dashboard. + * The name of the Multi-Region Access Point. */ - dashboardOptions?: outputs.sesv2.ConfigurationSetVdmOptionsDashboardOptions; + name: string; /** - * Specifies additional settings for your VDM configuration as applicable to the Guardian. + * A valid JSON document that specifies the policy that you want to associate with this Multi-Region Access Point. Once applied, the policy can be edited, but not deleted. For more information, see the documentation on [Multi-Region Access Point Permissions](https://docs.aws.amazon.com/AmazonS3/latest/userguide/MultiRegionAccessPointPermissions.html). + * + * > **NOTE:** When you update the `policy`, the update is first listed as the proposed policy. After the update is finished and all Regions have been updated, the proposed policy is listed as the established policy. If both policies have the same version number, the proposed policy is the established policy. */ - guardianOptions?: outputs.sesv2.ConfigurationSetVdmOptionsGuardianOptions; + policy: string; } - export interface ConfigurationSetVdmOptionsDashboardOptions { + export interface ObjectLambdaAccessPointConfiguration { /** - * Specifies the status of your VDM engagement metrics collection. 
Valid values: `ENABLED`, `DISABLED`. + * Allowed features. Valid values: `GetObject-Range`, `GetObject-PartNumber`. */ - engagementMetrics?: string; - } - - export interface ConfigurationSetVdmOptionsGuardianOptions { + allowedFeatures?: string[]; /** - * Specifies the status of your VDM optimized shared delivery. Valid values: `ENABLED`, `DISABLED`. + * Whether or not the CloudWatch metrics configuration is enabled. */ - optimizedSharedDelivery?: string; - } - - export interface ContactListTopic { + cloudWatchMetricsEnabled?: boolean; /** - * Default subscription status to be applied to a contact if the contact has not noted their preference for subscribing to a topic. + * Standard access point associated with the Object Lambda Access Point. */ - defaultSubscriptionStatus: string; + supportingAccessPoint: string; /** - * Description of what the topic is about, which the contact will see. + * List of transformation configurations for the Object Lambda Access Point. See Transformation Configuration below for more details. */ - description?: string; + transformationConfigurations: outputs.s3control.ObjectLambdaAccessPointConfigurationTransformationConfiguration[]; + } + + export interface ObjectLambdaAccessPointConfigurationTransformationConfiguration { /** - * Name of the topic the contact will see. + * The actions of an Object Lambda Access Point configuration. Valid values: `GetObject`. */ - displayName: string; + actions: string[]; /** - * Name of the topic. - * - * The following arguments are optional: + * The content transformation of an Object Lambda Access Point configuration. See Content Transformation below for more details. 
*/ - topicName: string; + contentTransformation: outputs.s3control.ObjectLambdaAccessPointConfigurationTransformationConfigurationContentTransformation; } - export interface EmailIdentityDkimSigningAttributes { + export interface ObjectLambdaAccessPointConfigurationTransformationConfigurationContentTransformation { /** - * [Easy DKIM] The key length of the DKIM key pair in use. + * Configuration for an AWS Lambda function. See AWS Lambda below for more details. */ - currentSigningKeyLength: string; + awsLambda: outputs.s3control.ObjectLambdaAccessPointConfigurationTransformationConfigurationContentTransformationAwsLambda; + } + + export interface ObjectLambdaAccessPointConfigurationTransformationConfigurationContentTransformationAwsLambda { /** - * [Bring Your Own DKIM] A private key that's used to generate a DKIM signature. The private key must use 1024 or 2048-bit RSA encryption, and must be encoded using base64 encoding. - * - * > **NOTE:** You have to delete the first and last lines ('-----BEGIN PRIVATE KEY-----' and '-----END PRIVATE KEY-----', respectively) of the generated private key. Additionally, you have to remove the line breaks in the generated private key. The resulting value is a string of characters with no spaces or line breaks. + * The Amazon Resource Name (ARN) of the AWS Lambda function. */ - domainSigningPrivateKey?: string; + functionArn: string; /** - * [Bring Your Own DKIM] A string that's used to identify a public key in the DNS configuration for a domain. + * Additional JSON that provides supplemental data to the Lambda function used to transform objects. */ - domainSigningSelector?: string; + functionPayload?: string; + } + + export interface StorageLensConfigurationStorageLensConfiguration { /** - * [Easy DKIM] The last time a key pair was generated for this identity. + * The account-level configurations of the S3 Storage Lens configuration. See Account Level below for more details. 
*/ - lastKeyGenerationTimestamp: string; + accountLevel: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevel; /** - * [Easy DKIM] The key length of the future DKIM key pair to be generated. This can be changed at most once per day. Valid values: `RSA_1024_BIT`, `RSA_2048_BIT`. + * The Amazon Web Services organization for the S3 Storage Lens configuration. See AWS Org below for more details. */ - nextSigningKeyLength: string; + awsOrg?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAwsOrg; /** - * A string that indicates how DKIM was configured for the identity. `AWS_SES` indicates that DKIM was configured for the identity by using Easy DKIM. `EXTERNAL` indicates that DKIM was configured for the identity by using Bring Your Own DKIM (BYODKIM). + * Properties of S3 Storage Lens metrics export including the destination, schema and format. See Data Export below for more details. */ - signingAttributesOrigin: string; + dataExport?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExport; /** - * Describes whether or not Amazon SES has successfully located the DKIM records in the DNS records for the domain. See the [AWS SES API v2 Reference](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DkimAttributes.html#SES-Type-DkimAttributes-Status) for supported statuses. + * Whether the S3 Storage Lens configuration is enabled. */ - status: string; + enabled: boolean; /** - * If you used Easy DKIM to configure DKIM authentication for the domain, then this object contains a set of unique strings that you use to create a set of CNAME records that you add to the DNS configuration for your domain. When Amazon SES detects these records in the DNS configuration for your domain, the DKIM authentication process is complete. If you configured DKIM authentication for the domain by providing your own public-private key pair, then this object contains the selector for the public key. 
+ * What is excluded in this configuration. Conflicts with `include`. See Exclude below for more details. */ - tokens: string[]; + exclude?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationExclude; + /** + * What is included in this configuration. Conflicts with `exclude`. See Include below for more details. + */ + include?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationInclude; } - export interface GetConfigurationSetDeliveryOption { + export interface StorageLensConfigurationStorageLensConfigurationAccountLevel { /** - * The name of the dedicated IP pool to associate with the configuration set. + * S3 Storage Lens activity metrics. See Activity Metrics below for more details. */ - sendingPoolName: string; + activityMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelActivityMetrics; /** - * Specifies whether messages that use the configuration set are required to use Transport Layer Security (TLS). + * Advanced cost-optimization metrics for S3 Storage Lens. See Advanced Cost-Optimization Metrics below for more details. */ - tlsPolicy: string; - } - - export interface GetConfigurationSetReputationOption { + advancedCostOptimizationMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelAdvancedCostOptimizationMetrics; /** - * The date and time (in Unix time) when the reputation metrics were last given a fresh start. + * Advanced data-protection metrics for S3 Storage Lens. See Advanced Data-Protection Metrics below for more details. */ - lastFreshStart: string; + advancedDataProtectionMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelAdvancedDataProtectionMetrics; /** - * Specifies whether tracking of reputation metrics is enabled. + * S3 Storage Lens bucket-level configuration. See Bucket Level below for more details. 
*/ - reputationMetricsEnabled: boolean; - } - - export interface GetConfigurationSetSendingOption { + bucketLevel: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevel; /** - * Specifies whether email sending is enabled. + * Detailed status code metrics for S3 Storage Lens. See Detailed Status Code Metrics below for more details. */ - sendingEnabled: boolean; + detailedStatusCodeMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelDetailedStatusCodeMetrics; } - export interface GetConfigurationSetSuppressionOption { + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelActivityMetrics { /** - * A list that contains the reasons that email addresses are automatically added to the suppression list for your account. + * Whether the activity metrics are enabled. */ - suppressedReasons: string[]; + enabled?: boolean; } - export interface GetConfigurationSetTrackingOption { + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelAdvancedCostOptimizationMetrics { /** - * The domain to use for tracking open and click events. + * Whether advanced cost-optimization metrics are enabled. */ - customRedirectDomain: string; + enabled?: boolean; } - export interface GetConfigurationSetVdmOption { - /** - * Specifies additional settings for your VDM configuration as applicable to the Dashboard. - */ - dashboardOptions: outputs.sesv2.GetConfigurationSetVdmOptionDashboardOption[]; + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelAdvancedDataProtectionMetrics { /** - * Specifies additional settings for your VDM configuration as applicable to the Guardian. + * Whether advanced data-protection metrics are enabled. 
*/ - guardianOptions: outputs.sesv2.GetConfigurationSetVdmOptionGuardianOption[]; + enabled?: boolean; } - export interface GetConfigurationSetVdmOptionDashboardOption { + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevel { /** - * Specifies the status of your VDM engagement metrics collection. + * S3 Storage Lens activity metrics. See Activity Metrics above for more details. */ - engagementMetrics: string; - } - - export interface GetConfigurationSetVdmOptionGuardianOption { + activityMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelActivityMetrics; /** - * Specifies the status of your VDM optimized shared delivery. + * Advanced cost-optimization metrics for S3 Storage Lens. See Advanced Cost-Optimization Metrics above for more details. */ - optimizedSharedDelivery: string; - } - - export interface GetDedicatedIpPoolDedicatedIp { + advancedCostOptimizationMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelAdvancedCostOptimizationMetrics; /** - * IPv4 address. + * Advanced data-protection metrics for S3 Storage Lens. See Advanced Data-Protection Metrics above for more details. */ - ip: string; + advancedDataProtectionMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelAdvancedDataProtectionMetrics; /** - * Indicates how complete the dedicated IP warm-up process is. When this value equals `1`, the address has completed the warm-up process and is ready for use. + * Detailed status code metrics for S3 Storage Lens. See Detailed Status Code Metrics above for more details. */ - warmupPercentage: number; + detailedStatusCodeMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelDetailedStatusCodeMetrics; /** - * The warm-up status of a dedicated IP address. Valid values: `IN_PROGRESS`, `DONE`. + * Prefix-level metrics for S3 Storage Lens. 
See Prefix Level below for more details. */ - warmupStatus: string; + prefixLevel?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevel; } - export interface GetEmailIdentityDkimSigningAttribute { - /** - * [Easy DKIM] The key length of the DKIM key pair in use. - */ - currentSigningKeyLength: string; - domainSigningPrivateKey: string; - domainSigningSelector: string; + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelActivityMetrics { /** - * [Easy DKIM] The last time a key pair was generated for this identity. + * Whether the activity metrics are enabled. */ - lastKeyGenerationTimestamp: string; + enabled?: boolean; + } + + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelAdvancedCostOptimizationMetrics { /** - * [Easy DKIM] The key length of the future DKIM key pair to be generated. This can be changed at most once per day. + * Whether advanced cost-optimization metrics are enabled. */ - nextSigningKeyLength: string; + enabled?: boolean; + } + + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelAdvancedDataProtectionMetrics { /** - * A string that indicates how DKIM was configured for the identity. `AWS_SES` indicates that DKIM was configured for the identity by using Easy DKIM. `EXTERNAL` indicates that DKIM was configured for the identity by using Bring Your Own DKIM (BYODKIM). + * Whether advanced data-protection metrics are enabled. */ - signingAttributesOrigin: string; + enabled?: boolean; + } + + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelDetailedStatusCodeMetrics { /** - * Describes whether or not Amazon SES has successfully located the DKIM records in the DNS records for the domain. 
See the [AWS SES API v2 Reference](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DkimAttributes.html#SES-Type-DkimAttributes-Status) for supported statuses. + * Whether detailed status code metrics are enabled. */ - status: string; + enabled?: boolean; + } + + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevel { /** - * If you used Easy DKIM to configure DKIM authentication for the domain, then this object contains a set of unique strings that you use to create a set of CNAME records that you add to the DNS configuration for your domain. When Amazon SES detects these records in the DNS configuration for your domain, the DKIM authentication process is complete. If you configured DKIM authentication for the domain by providing your own public-private key pair, then this object contains the selector for the public key. + * Prefix-level storage metrics for S3 Storage Lens. See Prefix Level Storage Metrics below for more details. */ - tokens: string[]; + storageMetrics: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevelStorageMetrics; } -} - -export namespace sfn { - export interface AliasRoutingConfiguration { + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevelStorageMetrics { /** - * The Amazon Resource Name (ARN) of the state machine version. + * Whether prefix-level storage metrics are enabled. */ - stateMachineVersionArn: string; + enabled?: boolean; /** - * Percentage of traffic routed to the state machine version. + * Selection criteria. See Selection Criteria below for more details. 
*/ - weight: number; - } - - export interface GetAliasRoutingConfiguration { - stateMachineVersionArn: string; - weight: number; + selectionCriteria?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevelStorageMetricsSelectionCriteria; } - export interface StateMachineLoggingConfiguration { + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelBucketLevelPrefixLevelStorageMetricsSelectionCriteria { /** - * Determines whether execution data is included in your log. When set to `false`, data is excluded. + * The delimiter of the selection criteria being used. */ - includeExecutionData?: boolean; + delimiter?: string; /** - * Defines which category of execution history events are logged. Valid values: `ALL`, `ERROR`, `FATAL`, `OFF` + * The max depth of the selection criteria. */ - level?: string; + maxDepth?: number; /** - * Amazon Resource Name (ARN) of a CloudWatch log group. Make sure the State Machine has the correct IAM policies for logging. The ARN must end with `:*` + * The minimum number of storage bytes percentage whose metrics will be selected. */ - logDestination?: string; + minStorageBytesPercentage?: number; } - export interface StateMachineTracingConfiguration { + export interface StorageLensConfigurationStorageLensConfigurationAccountLevelDetailedStatusCodeMetrics { /** - * When set to `true`, AWS X-Ray tracing is enabled. Make sure the State Machine has the correct IAM policies for logging. See the [AWS Step Functions Developer Guide](https://docs.aws.amazon.com/step-functions/latest/dg/xray-iam.html) for details. + * Whether detailed status code metrics are enabled. */ enabled?: boolean; } -} + export interface StorageLensConfigurationStorageLensConfigurationAwsOrg { + /** + * The Amazon Resource Name (ARN) of the Amazon Web Services organization. 
+ */ + arn: string; + } -export namespace shield { - export interface ApplicationLayerAutomaticResponseTimeouts { + export interface StorageLensConfigurationStorageLensConfigurationDataExport { /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * Amazon CloudWatch publishing for S3 Storage Lens metrics. See Cloud Watch Metrics below for more details. */ - create?: string; + cloudWatchMetrics?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExportCloudWatchMetrics; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. + * The bucket where the S3 Storage Lens metrics export will be located. See S3 Bucket Destination below for more details. */ - delete?: string; + s3BucketDestination?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestination; + } + + export interface StorageLensConfigurationStorageLensConfigurationDataExportCloudWatchMetrics { /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * Whether CloudWatch publishing for S3 Storage Lens metrics is enabled. 
*/ - update?: string; + enabled: boolean; } - export interface DrtAccessLogBucketAssociationTimeouts { + export interface StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestination { /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * The account ID of the owner of the S3 Storage Lens metrics export bucket. */ - create?: string; + accountId: string; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. + * The Amazon Resource Name (ARN) of the bucket. */ - delete?: string; - } - - export interface DrtAccessRoleArnAssociationTimeouts { + arn: string; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * Encryption of the metrics exports in this bucket. See Encryption below for more details. */ - create?: string; + encryption?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryption; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. + * The export format. Valid values: `CSV`, `Parquet`. 
*/ - delete?: string; + format: string; /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * The schema version of the export file. Valid values: `V_1`. */ - update?: string; - } - - export interface ProactiveEngagementEmergencyContact { - contactNotes?: string; - emailAddress: string; - phoneNumber?: string; - } - -} - -export namespace signer { - export interface GetSigningJobRevocationRecord { - reason: string; - revokedAt: string; - revokedBy: string; - } - - export interface GetSigningJobSignedObject { - s3s: outputs.signer.GetSigningJobSignedObjectS3[]; - } - - export interface GetSigningJobSignedObjectS3 { - bucket: string; - key: string; + outputSchemaVersion: string; + /** + * The prefix of the destination bucket where the metrics export will be delivered. + */ + prefix?: string; } - export interface GetSigningJobSource { - s3s: outputs.signer.GetSigningJobSourceS3[]; + export interface StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryption { + /** + * SSE-KMS encryption. See SSE KMS below for more details. + */ + sseKms?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryptionSseKms; + /** + * SSE-S3 encryption. An empty configuration block `{}` should be used. + */ + sseS3s?: outputs.s3control.StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryptionSseS3[]; } - export interface GetSigningJobSourceS3 { - bucket: string; - key: string; - version: string; + export interface StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryptionSseKms { + /** + * KMS key ARN. 
+ */ + keyId: string; } - export interface GetSigningProfileRevocationRecord { - revocationEffectiveFrom: string; - revokedAt: string; - revokedBy: string; + export interface StorageLensConfigurationStorageLensConfigurationDataExportS3BucketDestinationEncryptionSseS3 { } - export interface GetSigningProfileSignatureValidityPeriod { - type: string; - value: number; + export interface StorageLensConfigurationStorageLensConfigurationExclude { + /** + * List of S3 bucket ARNs. + */ + buckets?: string[]; + /** + * List of AWS Regions. + */ + regions?: string[]; } - export interface SigningJobDestination { + export interface StorageLensConfigurationStorageLensConfigurationInclude { /** - * A configuration block describing the S3 Destination object: See S3 Destination below for details. + * List of S3 bucket ARNs. */ - s3: outputs.signer.SigningJobDestinationS3; + buckets?: string[]; + /** + * List of AWS Regions. + */ + regions?: string[]; } - export interface SigningJobDestinationS3 { - bucket: string; - prefix?: string; - } +} - export interface SigningJobRevocationRecord { - reason: string; - revokedAt: string; - revokedBy: string; +export namespace s3outposts { + export interface EndpointNetworkInterface { + /** + * Identifier of the Elastic Network Interface (ENI). + */ + networkInterfaceId: string; } - export interface SigningJobSignedObject { - s3s: outputs.signer.SigningJobSignedObjectS3[]; +} + +export namespace sagemaker { + export interface AppImageConfigCodeEditorAppImageConfig { + /** + * The configuration used to run the application image container. See Container Config details below. + */ + containerConfig?: outputs.sagemaker.AppImageConfigCodeEditorAppImageConfigContainerConfig; + /** + * The URL where the Git repository is located. See File System Config details below. 
+ */ + fileSystemConfig?: outputs.sagemaker.AppImageConfigCodeEditorAppImageConfigFileSystemConfig; } - export interface SigningJobSignedObjectS3 { - bucket: string; - key: string; + export interface AppImageConfigCodeEditorAppImageConfigContainerConfig { + /** + * The arguments for the container when you're running the application. + */ + containerArguments?: string[]; + /** + * The entrypoint used to run the application in the container. + */ + containerEntrypoints?: string[]; + /** + * The environment variables to set in the container. + */ + containerEnvironmentVariables?: {[key: string]: string}; } - export interface SigningJobSource { + export interface AppImageConfigCodeEditorAppImageConfigFileSystemConfig { /** - * A configuration block describing the S3 Source object: See S3 Source below for details. + * The default POSIX group ID (GID). If not specified, defaults to `100`. Valid values are `0` and `100`. */ - s3: outputs.signer.SigningJobSourceS3; + defaultGid?: number; + /** + * The default POSIX user ID (UID). If not specified, defaults to `1000`. Valid values are `0` and `1000`. + */ + defaultUid?: number; + /** + * The path within the image to mount the user's EFS home directory. The directory should be empty. If not specified, defaults to `/home/sagemaker-user`. + * + * > **Note:** When specifying `defaultGid` and `defaultUid`, Valid value pairs are [`0`, `0`] and [`100`, `1000`]. + */ + mountPath?: string; } - export interface SigningJobSourceS3 { - bucket: string; - key: string; - version: string; + export interface AppImageConfigJupyterLabImageConfig { + /** + * The configuration used to run the application image container. See Container Config details below. + */ + containerConfig?: outputs.sagemaker.AppImageConfigJupyterLabImageConfigContainerConfig; + /** + * The URL where the Git repository is located. See File System Config details below. 
+ */ + fileSystemConfig?: outputs.sagemaker.AppImageConfigJupyterLabImageConfigFileSystemConfig; } - export interface SigningProfileRevocationRecord { + export interface AppImageConfigJupyterLabImageConfigContainerConfig { /** - * The time when revocation becomes effective. + * The arguments for the container when you're running the application. */ - revocationEffectiveFrom: string; + containerArguments?: string[]; /** - * The time when the signing profile was revoked. + * The entrypoint used to run the application in the container. */ - revokedAt: string; + containerEntrypoints?: string[]; /** - * The identity of the revoker. + * The environment variables to set in the container. */ - revokedBy: string; + containerEnvironmentVariables?: {[key: string]: string}; } - export interface SigningProfileSignatureValidityPeriod { + export interface AppImageConfigJupyterLabImageConfigFileSystemConfig { /** - * The time unit for signature validity. Valid values: `DAYS`, `MONTHS`, `YEARS`. + * The default POSIX group ID (GID). If not specified, defaults to `100`. Valid values are `0` and `100`. */ - type: string; + defaultGid?: number; /** - * The numerical value of the time unit for signature validity. + * The default POSIX user ID (UID). If not specified, defaults to `1000`. Valid values are `0` and `1000`. */ - value: number; + defaultUid?: number; + /** + * The path within the image to mount the user's EFS home directory. The directory should be empty. If not specified, defaults to `/home/sagemaker-user`. + * + * > **Note:** When specifying `defaultGid` and `defaultUid`, Valid value pairs are [`0`, `0`] and [`100`, `1000`]. + */ + mountPath?: string; } - export interface SigningProfileSigningMaterial { + export interface AppImageConfigKernelGatewayImageConfig { /** - * The Amazon Resource Name (ARN) of the certificates that is used to sign your code. + * The URL where the Git repository is located. See File System Config details below. 
*/ - certificateArn: string; + fileSystemConfig?: outputs.sagemaker.AppImageConfigKernelGatewayImageConfigFileSystemConfig; + /** + * The default branch for the Git repository. See Kernel Spec details below. + */ + kernelSpec: outputs.sagemaker.AppImageConfigKernelGatewayImageConfigKernelSpec; } -} - -export namespace ssm { - export interface AssociationOutputLocation { + export interface AppImageConfigKernelGatewayImageConfigFileSystemConfig { /** - * The S3 bucket name. + * The default POSIX group ID (GID). If not specified, defaults to `100`. Valid values are `0` and `100`. */ - s3BucketName: string; + defaultGid?: number; /** - * The S3 bucket prefix. Results stored in the root if not configured. + * The default POSIX user ID (UID). If not specified, defaults to `1000`. Valid values are `0` and `1000`. */ - s3KeyPrefix?: string; + defaultUid?: number; /** - * The S3 bucket region. + * The path within the image to mount the user's EFS home directory. The directory should be empty. If not specified, defaults to `/home/sagemaker-user`. * - * Targets specify what instance IDs or tags to apply the document to and has these keys: + * > **Note:** When specifying `defaultGid` and `defaultUid`, Valid value pairs are [`0`, `0`] and [`100`, `1000`]. */ - s3Region?: string; + mountPath?: string; } - export interface AssociationTarget { + export interface AppImageConfigKernelGatewayImageConfigKernelSpec { /** - * Either `InstanceIds` or `tag:Tag Name` to specify an EC2 tag. + * The display name of the kernel. */ - key: string; + displayName?: string; /** - * A list of instance IDs or tag values. AWS currently limits this list size to one value. + * The name of the kernel. */ - values: string[]; + name: string; } - export interface ContactsRotationRecurrence { - dailySettings?: outputs.ssm.ContactsRotationRecurrenceDailySetting[]; + export interface AppResourceSpec { /** - * (Optional) Information about on-call rotations that recur monthly. 
See Monthly Settings for more details. + * The instance type that the image version runs on. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - monthlySettings?: outputs.ssm.ContactsRotationRecurrenceMonthlySetting[]; + instanceType?: string; /** - * (Required) The number of contacts, or shift team members designated to be on call concurrently during a shift. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - numberOfOnCalls: number; + lifecycleConfigArn?: string; /** - * (Required) The number of days, weeks, or months a single rotation lasts. + * The ARN of the SageMaker image that the image version belongs to. */ - recurrenceMultiplier: number; + sagemakerImageArn: string; /** - * (Optional) Information about the days of the week that the on-call rotation coverage includes. See Shift Coverages for more details. + * The SageMaker Image Version Alias. */ - shiftCoverages?: outputs.ssm.ContactsRotationRecurrenceShiftCoverage[]; + sagemakerImageVersionAlias?: string; /** - * (Optional) Information about on-call rotations that recur weekly. See Weekly Settings for more details. + * The ARN of the image version created on the instance. */ - weeklySettings?: outputs.ssm.ContactsRotationRecurrenceWeeklySetting[]; + sagemakerImageVersionArn?: string; } - export interface ContactsRotationRecurrenceDailySetting { + export interface CodeRepositoryGitConfig { /** - * (Required) The hour of the day. + * The default branch for the Git repository. */ - hourOfDay: number; + branch?: string; /** - * (Required) The minutes of the hour. + * The URL where the Git repository is located. */ - minuteOfHour: number; + repositoryUrl: string; + /** + * The Amazon Resource Name (ARN) of the AWS Secrets Manager secret that contains the credentials used to access the git repository. 
The secret must have a staging label of AWSCURRENT and must be in the following format: `{"username": UserName, "password": Password}` + */ + secretArn?: string; } - export interface ContactsRotationRecurrenceMonthlySetting { + export interface DataQualityJobDefinitionDataQualityAppSpecification { /** - * (Required) The day of the month when monthly recurring on-call rotations begin. + * Sets the environment variables in the container that the monitoring job runs. A list of key value pairs. */ - dayOfMonth: number; + environment?: {[key: string]: string}; /** - * (Required) The hand off time. See Hand Off Time for more details. + * The container image that the data quality monitoring job runs. */ - handOffTime?: outputs.ssm.ContactsRotationRecurrenceMonthlySettingHandOffTime; - } - - export interface ContactsRotationRecurrenceMonthlySettingHandOffTime { + imageUri: string; /** - * (Required) The hour of the day. + * An Amazon S3 URI to a script that is called after analysis has been performed. Applicable only for the built-in (first party) containers. */ - hourOfDay: number; + postAnalyticsProcessorSourceUri?: string; /** - * (Required) The minutes of the hour. + * An Amazon S3 URI to a script that is called per row prior to running analysis. It can base64 decode the payload and convert it into a flatted json so that the built-in container can use the converted data. Applicable only for the built-in (first party) containers. */ - minuteOfHour: number; + recordPreprocessorSourceUri?: string; } - export interface ContactsRotationRecurrenceShiftCoverage { + export interface DataQualityJobDefinitionDataQualityBaselineConfig { /** - * (Required) Information about when an on-call shift begins and ends. See Coverage Times for more details. + * The constraints resource for a monitoring job. Fields are documented below. 
*/ - coverageTimes?: outputs.ssm.ContactsRotationRecurrenceShiftCoverageCoverageTime[]; - mapBlockKey: string; + constraintsResource?: outputs.sagemaker.DataQualityJobDefinitionDataQualityBaselineConfigConstraintsResource; + /** + * The statistics resource for a monitoring job. Fields are documented below. + */ + statisticsResource?: outputs.sagemaker.DataQualityJobDefinitionDataQualityBaselineConfigStatisticsResource; } - export interface ContactsRotationRecurrenceShiftCoverageCoverageTime { + export interface DataQualityJobDefinitionDataQualityBaselineConfigConstraintsResource { /** - * (Required) The end time of the on-call shift. See Hand Off Time for more details. + * The Amazon S3 URI for the constraints resource. */ - end?: outputs.ssm.ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd; + s3Uri?: string; + } + + export interface DataQualityJobDefinitionDataQualityBaselineConfigStatisticsResource { /** - * (Required) The start time of the on-call shift. See Hand Off Time for more details. + * The Amazon S3 URI for the statistics resource. */ - start?: outputs.ssm.ContactsRotationRecurrenceShiftCoverageCoverageTimeStart; + s3Uri?: string; } - export interface ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd { + export interface DataQualityJobDefinitionDataQualityJobInput { /** - * (Required) The hour of the day. + * Input object for the batch transform job. Fields are documented below. */ - hourOfDay: number; + batchTransformInput?: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobInputBatchTransformInput; /** - * (Required) The minutes of the hour. + * Input object for the endpoint. Fields are documented below. */ - minuteOfHour: number; + endpointInput?: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobInputEndpointInput; } - export interface ContactsRotationRecurrenceShiftCoverageCoverageTimeStart { + export interface DataQualityJobDefinitionDataQualityJobInputBatchTransformInput { /** - * (Required) The hour of the day. 
+ * The Amazon S3 location being used to capture the data. */ - hourOfDay: number; + dataCapturedDestinationS3Uri: string; /** - * (Required) The minutes of the hour. + * The dataset format for your batch transform job. Fields are documented below. */ - minuteOfHour: number; - } - - export interface ContactsRotationRecurrenceWeeklySetting { + datasetFormat: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormat; /** - * (Required) The day of the week when the shift coverage occurs. + * Path to the filesystem where the batch transform data is available to the container. Defaults to `/opt/ml/processing/input`. */ - dayOfWeek: string; + localPath?: string; /** - * (Required) The hand off time. See Hand Off Time for more details. + * Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. Defaults to `FullyReplicated`. Valid values are `FullyReplicated` or `ShardedByS3Key` */ - handOffTime?: outputs.ssm.ContactsRotationRecurrenceWeeklySettingHandOffTime; + s3DataDistributionType: string; + /** + * Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File`. Valid values are `Pipe` or `File` + */ + s3InputMode: string; } - export interface ContactsRotationRecurrenceWeeklySettingHandOffTime { + export interface DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormat { /** - * (Required) The hour of the day. + * The CSV dataset used in the monitoring job. Fields are documented below. */ - hourOfDay: number; + csv?: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormatCsv; /** - * (Required) The minutes of the hour. + * The JSON dataset used in the monitoring job. Fields are documented below. 
*/ - minuteOfHour: number; + json?: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormatJson; } - export interface DocumentAttachmentsSource { - /** - * The key of a key-value pair that identifies the location of an attachment to the document. Valid values: `SourceUrl`, `S3FileUrl`, `AttachmentReference`. - */ - key: string; + export interface DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormatCsv { /** - * The name of the document attachment file. + * Indicates if the CSV data has a header. */ - name?: string; + header?: boolean; + } + + export interface DataQualityJobDefinitionDataQualityJobInputBatchTransformInputDatasetFormatJson { /** - * The value of a key-value pair that identifies the location of an attachment to the document. The argument format is a list of a single string that depends on the type of key you specify - see the [API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_AttachmentsSource.html) for details. + * Indicates if the file should be read as a json object per line. */ - values: string[]; + line?: boolean; } - export interface DocumentParameter { + export interface DataQualityJobDefinitionDataQualityJobInputEndpointInput { /** - * If specified, the default values for the parameters. Parameters without a default value are required. Parameters with a default value are optional. + * An endpoint in customer's account which has `dataCaptureConfig` enabled. */ - defaultValue: string; + endpointName: string; /** - * A description of what the parameter does, how to use it, the default value, and whether or not the parameter is optional. + * Path to the filesystem where the endpoint data is available to the container. Defaults to `/opt/ml/processing/input`. */ - description: string; + localPath?: string; /** - * The name of the document. + * Whether input data distributed in Amazon S3 is fully replicated or sharded by an S3 key. 
Defaults to `FullyReplicated`. Valid values are `FullyReplicated` or `ShardedByS3Key` */ - name: string; + s3DataDistributionType: string; /** - * The type of parameter. Valid values: `String`, `StringList`. + * Whether the `Pipe` or `File` is used as the input mode for transferring data for the monitoring job. `Pipe` mode is recommended for large datasets. `File` mode is useful for small files that fit in memory. Defaults to `File`. Valid values are `Pipe` or `File` */ - type: string; - } - - export interface GetContactsRotationRecurrence { - dailySettings: any[]; - monthlySettings: any[]; - numberOfOnCalls: number; - recurrenceMultiplier: number; - shiftCoverages: any[]; - weeklySettings: any[]; + s3InputMode: string; } - export interface GetInstancesFilter { + export interface DataQualityJobDefinitionDataQualityJobOutputConfig { /** - * Name of the filter field. Valid values can be found in the [SSM InstanceInformationStringFilter API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_InstanceInformationStringFilter.html). + * The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to encrypt the model artifacts at rest using Amazon S3 server-side encryption. */ - name: string; + kmsKeyId?: string; /** - * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. + * Monitoring outputs for monitoring jobs. This is where the output of the periodic monitoring jobs is uploaded. Fields are documented below. */ - values: string[]; + monitoringOutputs: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobOutputConfigMonitoringOutputs; } - export interface GetMaintenanceWindowsFilter { + export interface DataQualityJobDefinitionDataQualityJobOutputConfigMonitoringOutputs { /** - * Name of the filter field. 
Valid values can be found in the [SSM DescribeMaintenanceWindows API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeMaintenanceWindows.html#API_DescribeMaintenanceWindows_RequestSyntax). + * The Amazon S3 storage location where the results of a monitoring job are saved. Fields are documented below. */ - name: string; + s3Output: outputs.sagemaker.DataQualityJobDefinitionDataQualityJobOutputConfigMonitoringOutputsS3Output; + } + + export interface DataQualityJobDefinitionDataQualityJobOutputConfigMonitoringOutputsS3Output { /** - * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. + * The local path to the Amazon S3 storage location where Amazon SageMaker saves the results of a monitoring job. LocalPath is an absolute path for the output data. Defaults to `/opt/ml/processing/output`. */ - values: string[]; + localPath?: string; + /** + * Whether to upload the results of the monitoring job continuously or after the job completes. Valid values are `Continuous` or `EndOfJob` + */ + s3UploadMode: string; + /** + * A URI that identifies the Amazon S3 storage location where Amazon SageMaker saves the results of a monitoring job. + */ + s3Uri: string; } - export interface GetPatchBaselineApprovalRule { + export interface DataQualityJobDefinitionJobResources { /** - * Number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. + * The configuration for the cluster resources used to run the processing job. Fields are documented below. */ - approveAfterDays: number; + clusterConfig: outputs.sagemaker.DataQualityJobDefinitionJobResourcesClusterConfig; + } + + export interface DataQualityJobDefinitionJobResourcesClusterConfig { /** - * Cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. 
Conflicts with `approveAfterDays` + * The number of ML compute instances to use in the model monitoring job. For distributed processing jobs, specify a value greater than 1. */ - approveUntilDate: string; + instanceCount: number; /** - * Compliance level for patches approved by this rule. + * The ML compute instance type for the processing job. */ - complianceLevel: string; + instanceType: string; /** - * Boolean enabling the application of non-security updates. + * The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to encrypt data on the storage volume attached to the ML compute instance(s) that run the model monitoring job. */ - enableNonSecurity: boolean; + volumeKmsKeyId?: string; /** - * Patch filter group that defines the criteria for the rule. + * The size of the ML storage volume, in gigabytes, that you want to provision. You must specify sufficient ML storage for your scenario. */ - patchFilters: outputs.ssm.GetPatchBaselineApprovalRulePatchFilter[]; + volumeSizeInGb: number; } - export interface GetPatchBaselineApprovalRulePatchFilter { + export interface DataQualityJobDefinitionNetworkConfig { /** - * Key for the filter. + * Whether to encrypt all communications between the instances used for the monitoring jobs. Choose `true` to encrypt communications. Encryption provides greater security for distributed jobs, but the processing might take longer. */ - key: string; + enableInterContainerTrafficEncryption?: boolean; /** - * Value for the filter. + * Whether to allow inbound and outbound network calls to and from the containers used for the monitoring job. */ - values: string[]; + enableNetworkIsolation?: boolean; + /** + * Specifies a VPC that your training jobs and hosted models have access to. Control access to and from your training and model containers by configuring the VPC. Fields are documented below. 
+ */ + vpcConfig?: outputs.sagemaker.DataQualityJobDefinitionNetworkConfigVpcConfig; } - export interface GetPatchBaselineGlobalFilter { + export interface DataQualityJobDefinitionNetworkConfigVpcConfig { /** - * Key for the filter. + * The VPC security group IDs, in the form sg-xxxxxxxx. Specify the security groups for the VPC that is specified in the `subnets` field. */ - key: string; + securityGroupIds: string[]; /** - * Value for the filter. + * The ID of the subnets in the VPC to which you want to connect your training job or model. */ - values: string[]; + subnets: string[]; } - export interface GetPatchBaselineSource { + export interface DataQualityJobDefinitionStoppingCondition { /** - * Value of the yum repo configuration. + * The maximum runtime allowed in seconds. */ - configuration: string; + maxRuntimeInSeconds: number; + } + + export interface DeviceDevice { /** - * Name specified to identify the patch source. + * A description for the device. */ - name: string; + description?: string; /** - * Specific operating system versions a patch repository applies to. + * The name of the device. */ - products: string[]; - } - - export interface MaintenanceWindowTargetTarget { - key: string; - values: string[]; + deviceName: string; + /** + * Amazon Web Services Internet of Things (IoT) object name. + */ + iotThingName?: string; } - export interface MaintenanceWindowTaskTarget { - key: string; - values: string[]; + export interface DeviceFleetOutputConfig { + /** + * The AWS Key Management Service (AWS KMS) key that Amazon SageMaker uses to encrypt data on the storage volume after compilation job. If you don't provide a KMS key ID, Amazon SageMaker uses the default KMS key for Amazon S3 for your role's account. + */ + kmsKeyId?: string; + /** + * The Amazon Simple Storage (S3) bucker URI. 
+ */ + s3OutputLocation: string; } - export interface MaintenanceWindowTaskTaskInvocationParameters { + export interface DomainDefaultSpaceSettings { /** - * The parameters for an AUTOMATION task type. Documented below. + * The execution role for the space. */ - automationParameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersAutomationParameters; + executionRole: string; /** - * The parameters for a LAMBDA task type. Documented below. + * The Jupyter server's app settings. See `jupyterServerAppSettings` Block below. */ - lambdaParameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersLambdaParameters; + jupyterServerAppSettings?: outputs.sagemaker.DomainDefaultSpaceSettingsJupyterServerAppSettings; /** - * The parameters for a RUN_COMMAND task type. Documented below. + * The kernel gateway app settings. See `kernelGatewayAppSettings` Block below. */ - runCommandParameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters; + kernelGatewayAppSettings?: outputs.sagemaker.DomainDefaultSpaceSettingsKernelGatewayAppSettings; /** - * The parameters for a STEP_FUNCTIONS task type. Documented below. + * The security groups for the Amazon Virtual Private Cloud that the space uses for communication. */ - stepFunctionsParameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters; + securityGroups?: string[]; } - export interface MaintenanceWindowTaskTaskInvocationParametersAutomationParameters { + export interface DomainDefaultSpaceSettingsJupyterServerAppSettings { /** - * The version of an Automation document to use during task execution. + * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see `codeRepository` Block below. 
*/ - documentVersion?: string; + codeRepositories?: outputs.sagemaker.DomainDefaultSpaceSettingsJupyterServerAppSettingsCodeRepository[]; + /** + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. + */ + defaultResourceSpec?: outputs.sagemaker.DomainDefaultSpaceSettingsJupyterServerAppSettingsDefaultResourceSpec; + /** + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. + */ + lifecycleConfigArns?: string[]; + } + + export interface DomainDefaultSpaceSettingsJupyterServerAppSettingsCodeRepository { /** - * The parameters for the RUN_COMMAND task execution. Documented below. + * The URL of the Git repository. */ - parameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter[]; + repositoryUrl: string; } - export interface MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter { + export interface DomainDefaultSpaceSettingsJupyterServerAppSettingsDefaultResourceSpec { /** - * The parameter name. + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - name: string; + instanceType?: string; /** - * The array of strings. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - values: string[]; - } - - export interface MaintenanceWindowTaskTaskInvocationParametersLambdaParameters { + lifecycleConfigArn?: string; /** - * Pass client-specific information to the Lambda function that you are invoking. + * The ARN of the SageMaker image that the image version belongs to. */ - clientContext?: string; + sagemakerImageArn?: string; /** - * JSON to provide to your Lambda function as input. + * The SageMaker Image Version Alias. 
*/ - payload?: string; + sagemakerImageVersionAlias?: string; /** - * Specify a Lambda function version or alias name. + * The ARN of the image version created on the instance. */ - qualifier?: string; + sagemakerImageVersionArn?: string; } - export interface MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters { - /** - * Configuration options for sending command output to CloudWatch Logs. Documented below. - */ - cloudwatchConfig?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig; + export interface DomainDefaultSpaceSettingsKernelGatewayAppSettings { /** - * Information about the command(s) to execute. + * A list of custom SageMaker images that are configured to run as a KernelGateway app. see `customImage` Block below. */ - comment?: string; + customImages?: outputs.sagemaker.DomainDefaultSpaceSettingsKernelGatewayAppSettingsCustomImage[]; /** - * The SHA-256 or SHA-1 hash created by the system when the document was created. SHA-1 hashes have been deprecated. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. */ - documentHash?: string; + defaultResourceSpec?: outputs.sagemaker.DomainDefaultSpaceSettingsKernelGatewayAppSettingsDefaultResourceSpec; /** - * SHA-256 or SHA-1. SHA-1 hashes have been deprecated. Valid values: `Sha256` and `Sha1` + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. */ - documentHashType?: string; - documentVersion?: string; + lifecycleConfigArns?: string[]; + } + + export interface DomainDefaultSpaceSettingsKernelGatewayAppSettingsCustomImage { /** - * Configurations for sending notifications about command status changes on a per-instance basis. Documented below. + * The name of the App Image Config. 
*/ - notificationConfig?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig; + appImageConfigName: string; /** - * The name of the Amazon S3 bucket. + * The name of the Custom Image. */ - outputS3Bucket?: string; + imageName: string; /** - * The Amazon S3 bucket subfolder. + * The version number of the Custom Image. */ - outputS3KeyPrefix?: string; + imageVersionNumber?: number; + } + + export interface DomainDefaultSpaceSettingsKernelGatewayAppSettingsDefaultResourceSpec { /** - * The parameters for the RUN_COMMAND task execution. Documented below. + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - parameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter[]; + instanceType?: string; /** - * The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for maintenance window Run Command tasks. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - serviceRoleArn?: string; + lifecycleConfigArn?: string; /** - * If this time is reached and the command has not already started executing, it doesn't run. + * The ARN of the SageMaker image that the image version belongs to. */ - timeoutSeconds?: number; - } - - export interface MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig { + sagemakerImageArn?: string; /** - * The name of the CloudWatch log group where you want to send command output. If you don't specify a group name, Systems Manager automatically creates a log group for you. The log group uses the following naming format: aws/ssm/SystemsManagerDocumentName. + * The SageMaker Image Version Alias. 
*/ - cloudwatchLogGroupName: string; + sagemakerImageVersionAlias?: string; /** - * Enables Systems Manager to send command output to CloudWatch Logs. + * The ARN of the image version created on the instance. */ - cloudwatchOutputEnabled?: boolean; + sagemakerImageVersionArn?: string; } - export interface MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig { + export interface DomainDefaultUserSettings { /** - * An Amazon Resource Name (ARN) for a Simple Notification Service (SNS) topic. Run Command pushes notifications about command status changes to this topic. + * The Canvas app settings. See `canvasAppSettings` Block below. */ - notificationArn?: string; + canvasAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettings; /** - * The different events for which you can receive notifications. Valid values: `All`, `InProgress`, `Success`, `TimedOut`, `Cancelled`, and `Failed` + * The Code Editor application settings. See `codeEditorAppSettings` Block below. */ - notificationEvents?: string[]; + codeEditorAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsCodeEditorAppSettings; /** - * When specified with `Command`, receive notification when the status of a command changes. When specified with `Invocation`, for commands sent to multiple instances, receive notification on a per-instance basis when the status of a command changes. Valid values: `Command` and `Invocation` + * The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker Studio. See `customFileSystemConfig` Block below. */ - notificationType?: string; - } - - export interface MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter { + customFileSystemConfigs?: outputs.sagemaker.DomainDefaultUserSettingsCustomFileSystemConfig[]; /** - * The parameter name. + * Details about the POSIX identity that is used for file system operations. 
See `customPosixUserConfig` Block below. */ - name: string; + customPosixUserConfig?: outputs.sagemaker.DomainDefaultUserSettingsCustomPosixUserConfig; /** - * The array of strings. + * The default experience that the user is directed to when accessing the domain. The supported values are: `studio::`: Indicates that Studio is the default experience. This value can only be passed if StudioWebPortal is set to ENABLED. `app:JupyterServer:`: Indicates that Studio Classic is the default experience. */ - values: string[]; - } - - export interface MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters { + defaultLandingUri: string; /** - * The inputs for the STEP_FUNCTION task. + * The execution role ARN for the user. */ - input?: string; + executionRole: string; /** - * The name of the STEP_FUNCTION task. + * The settings for the JupyterLab application. See `jupyterLabAppSettings` Block below. */ - name?: string; - } - - export interface PatchBaselineApprovalRule { + jupyterLabAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsJupyterLabAppSettings; /** - * Number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100. Conflicts with `approveUntilDate`. + * The Jupyter server's app settings. See `jupyterServerAppSettings` Block below. */ - approveAfterDays?: number; + jupyterServerAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsJupyterServerAppSettings; /** - * Cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. Conflicts with `approveAfterDays` + * The kernel gateway app settings. See `kernelGatewayAppSettings` Block below. */ - approveUntilDate?: string; + kernelGatewayAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsKernelGatewayAppSettings; /** - * Compliance level for patches approved by this rule. 
Valid values are `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, and `UNSPECIFIED`. The default value is `UNSPECIFIED`. + * The RSession app settings. See `rSessionAppSettings` Block below. */ - complianceLevel?: string; + rSessionAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsRSessionAppSettings; /** - * Boolean enabling the application of non-security updates. The default value is `false`. Valid for Linux instances only. + * A collection of settings that configure user interaction with the RStudioServerPro app. See `rStudioServerProAppSettings` Block below. */ - enableNonSecurity?: boolean; + rStudioServerProAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsRStudioServerProAppSettings; /** - * Patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid combinations of these Keys and the `operatingSystem` value can be found in the [SSM DescribePatchProperties API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribePatchProperties.html). Valid Values are exact values for the patch property given as the key, or a wildcard `*`, which matches all values. `PATCH_SET` defaults to `OS` if unspecified + * A list of security group IDs that will be attached to the user. */ - patchFilters: outputs.ssm.PatchBaselineApprovalRulePatchFilter[]; - } - - export interface PatchBaselineApprovalRulePatchFilter { - key: string; - values: string[]; - } - - export interface PatchBaselineGlobalFilter { - key: string; - values: string[]; - } - - export interface PatchBaselineSource { + securityGroups?: string[]; /** - * Value of the yum repo configuration. For information about other options available for your yum repository configuration, see the [`dnf.conf` documentation](https://man7.org/linux/man-pages/man5/dnf.conf.5.html) + * The sharing settings. See `sharingSettings` Block below. 
*/ - configuration: string; + sharingSettings?: outputs.sagemaker.DomainDefaultUserSettingsSharingSettings; /** - * Name specified to identify the patch source. + * The storage settings for a private space. See `spaceStorageSettings` Block below. */ - name: string; + spaceStorageSettings: outputs.sagemaker.DomainDefaultUserSettingsSpaceStorageSettings; /** - * Specific operating system versions a patch repository applies to, such as `"Ubuntu16.04"`, `"AmazonLinux2016.09"`, `"RedhatEnterpriseLinux7.2"` or `"Suse12.7"`. For lists of supported product values, see [PatchFilter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchFilter.html). + * Whether the user can access Studio. If this value is set to `DISABLED`, the user cannot access Studio, even if that is the default experience for the domain. Valid values are `ENABLED` and `DISABLED`. */ - products: string[]; + studioWebPortal: string; + /** + * The TensorBoard app settings. See `tensorBoardAppSettings` Block below. + */ + tensorBoardAppSettings?: outputs.sagemaker.DomainDefaultUserSettingsTensorBoardAppSettings; } - export interface ResourceDataSyncS3Destination { + export interface DomainDefaultUserSettingsCanvasAppSettings { /** - * Name of S3 bucket where the aggregated data is stored. + * The model deployment settings for the SageMaker Canvas application. See `directDeploySettings` Block below. */ - bucketName: string; + directDeploySettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsDirectDeploySettings; /** - * ARN of an encryption key for a destination in Amazon S3. + * The settings for connecting to an external data source with OAuth. See `identityProviderOauthSettings` Block below. */ - kmsKeyArn?: string; + identityProviderOauthSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsIdentityProviderOauthSetting[]; /** - * Prefix for the bucket. + * The settings for document querying. See `kendraSettings` Block below. 
*/ - prefix?: string; + kendraSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsKendraSettings; /** - * Region with the bucket targeted by the Resource Data Sync. + * The model registry settings for the SageMaker Canvas application. See `modelRegisterSettings` Block below. */ - region: string; + modelRegisterSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsModelRegisterSettings; /** - * A supported sync format. Only JsonSerDe is currently supported. Defaults to JsonSerDe. + * Time series forecast settings for the Canvas app. See `timeSeriesForecastingSettings` Block below. */ - syncFormat?: string; - } - -} - -export namespace ssmcontacts { - export interface ContactChannelDeliveryAddress { + timeSeriesForecastingSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsTimeSeriesForecastingSettings; /** - * Details to engage this contact channel. The expected format depends on the contact channel type and is described in the [`ContactChannelAddress` section of the SSM Contacts API Reference](https://docs.aws.amazon.com/incident-manager/latest/APIReference/API_SSMContacts_ContactChannelAddress.html). + * The workspace settings for the SageMaker Canvas application. See `workspaceSettings` Block below. 
*/ - simpleAddress: string; - } - - export interface GetContactChannelDeliveryAddress { - simpleAddress: string; - } - - export interface GetPlanStage { - durationInMinutes: number; - targets: outputs.ssmcontacts.GetPlanStageTarget[]; - } - - export interface GetPlanStageTarget { - channelTargetInfos: outputs.ssmcontacts.GetPlanStageTargetChannelTargetInfo[]; - contactTargetInfos: outputs.ssmcontacts.GetPlanStageTargetContactTargetInfo[]; - } - - export interface GetPlanStageTargetChannelTargetInfo { - contactChannelId: string; - retryIntervalInMinutes: number; + workspaceSettings?: outputs.sagemaker.DomainDefaultUserSettingsCanvasAppSettingsWorkspaceSettings; } - export interface GetPlanStageTargetContactTargetInfo { + export interface DomainDefaultUserSettingsCanvasAppSettingsDirectDeploySettings { /** - * The Amazon Resource Name (ARN) of the contact or escalation plan. + * Describes whether model deployment permissions are enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. */ - contactId: string; - isEssential: boolean; + status?: string; } - export interface PlanStage { - /** - * The time to wait until beginning the next stage. The duration can only be set to 0 if a target is specified. - */ - durationInMinutes: number; + export interface DomainDefaultUserSettingsCanvasAppSettingsIdentityProviderOauthSetting { /** - * One or more configuration blocks for specifying the contacts or contact methods that the escalation plan or engagement plan is engaging. See Target below for more details. + * The name of the data source that you're connecting to. Canvas currently supports OAuth for Snowflake and Salesforce Data Cloud. Valid values are `SalesforceGenie` and `Snowflake`. */ - targets?: outputs.ssmcontacts.PlanStageTarget[]; - } - - export interface PlanStageTarget { + dataSourceName?: string; /** - * A configuration block for specifying information about the contact channel that Incident Manager engages. 
See Channel Target Info for more details. + * The ARN of an Amazon Web Services Secrets Manager secret that stores the credentials from your identity provider, such as the client ID and secret, authorization URL, and token URL. */ - channelTargetInfo?: outputs.ssmcontacts.PlanStageTargetChannelTargetInfo; + secretArn: string; /** - * A configuration block for specifying information about the contact that Incident Manager engages. See Contact Target Info for more details. + * Describes whether OAuth for a data source is enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. */ - contactTargetInfo?: outputs.ssmcontacts.PlanStageTargetContactTargetInfo; + status?: string; } - export interface PlanStageTargetChannelTargetInfo { - /** - * The Amazon Resource Name (ARN) of the contact channel. - */ - contactChannelId: string; + export interface DomainDefaultUserSettingsCanvasAppSettingsKendraSettings { /** - * The number of minutes to wait before retrying to send engagement if the engagement initially failed. + * Describes whether the document querying feature is enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. */ - retryIntervalInMinutes?: number; + status?: string; } - export interface PlanStageTargetContactTargetInfo { + export interface DomainDefaultUserSettingsCanvasAppSettingsModelRegisterSettings { /** - * The Amazon Resource Name (ARN) of the contact. + * The Amazon Resource Name (ARN) of the SageMaker model registry account. Required only to register model versions created by a different SageMaker Canvas AWS account than the AWS account in which SageMaker model registry is set up. */ - contactId?: string; + crossAccountModelRegisterRoleArn?: string; /** - * A Boolean value determining if the contact's acknowledgement stops the progress of stages in the plan. + * Describes whether the integration to the model registry is enabled or disabled in the Canvas application. 
Valid values are `ENABLED` and `DISABLED`. */ - isEssential: boolean; + status?: string; } -} - -export namespace ssmincidents { - export interface GetReplicationSetRegion { + export interface DomainDefaultUserSettingsCanvasAppSettingsTimeSeriesForecastingSettings { /** - * The ARN of the AWS Key Management Service (AWS KMS) encryption key. + * The IAM role that Canvas passes to Amazon Forecast for time series forecasting. By default, Canvas uses the execution role specified in the UserProfile that launches the Canvas app. If an execution role is not specified in the UserProfile, Canvas uses the execution role specified in the Domain that owns the UserProfile. To allow time series forecasting, this IAM role should have the [AmazonSageMakerCanvasForecastAccess](https://docs.aws.amazon.com/sagemaker/latest/dg/security-iam-awsmanpol-canvas.html#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess) policy attached and forecast.amazonaws.com added in the trust relationship as a service principal. */ - kmsKeyArn: string; + amazonForecastRoleArn?: string; /** - * The name of the Region. + * Describes whether time series forecasting is enabled or disabled in the Canvas app. Valid values are `ENABLED` and `DISABLED`. */ - name: string; + status?: string; + } + + export interface DomainDefaultUserSettingsCanvasAppSettingsWorkspaceSettings { /** - * The current status of the Region. - * * Valid Values: `ACTIVE` | `CREATING` | `UPDATING` | `DELETING` | `FAILED` + * The Amazon S3 bucket used to store artifacts generated by Canvas. Updating the Amazon S3 location impacts existing configuration settings, and Canvas users no longer have access to their artifacts. Canvas users must log out and log back in to apply the new location. */ - status: string; + s3ArtifactPath?: string; /** - * More information about the status of a Region. 
+ * The Amazon Web Services Key Management Service (KMS) encryption key ID that is used to encrypt artifacts generated by Canvas in the Amazon S3 bucket. */ - statusMessage: string; + s3KmsKeyId?: string; } - export interface GetResponsePlanAction { + export interface DomainDefaultUserSettingsCodeEditorAppSettings { /** - * The Systems Manager automation document to start as the runbook at the beginning of the incident. The following values are supported: + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. */ - ssmAutomations: outputs.ssmincidents.GetResponsePlanActionSsmAutomation[]; + defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsCodeEditorAppSettingsDefaultResourceSpec; + /** + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. + */ + lifecycleConfigArns?: string[]; } - export interface GetResponsePlanActionSsmAutomation { + export interface DomainDefaultUserSettingsCodeEditorAppSettingsDefaultResourceSpec { /** - * The automation document's name. + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - documentName: string; + instanceType?: string; /** - * The version of the automation document to use at runtime. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - documentVersion: string; + lifecycleConfigArn?: string; /** - * The key-value pair used to resolve dynamic parameter values when processing a Systems Manager Automation runbook. + * The ARN of the SageMaker image that the image version belongs to. */ - dynamicParameters: {[key: string]: string}; + sagemakerImageArn?: string; /** - * The key-value pair parameters used when the automation document runs. The following values are supported: + * The SageMaker Image Version Alias. 
*/ - parameters: outputs.ssmincidents.GetResponsePlanActionSsmAutomationParameter[]; + sagemakerImageVersionAlias?: string; /** - * The Amazon Resource Name (ARN) of the role that the automation document assumes when it runs commands. + * The ARN of the image version created on the instance. */ - roleArn: string; + sagemakerImageVersionArn?: string; + } + + export interface DomainDefaultUserSettingsCustomFileSystemConfig { /** - * The account that runs the automation document. This can be in either the management account or an application account. + * The default EBS storage settings for a private space. See `efsFileSystemConfig` Block below. */ - targetAccount: string; + efsFileSystemConfig?: outputs.sagemaker.DomainDefaultUserSettingsCustomFileSystemConfigEfsFileSystemConfig; } - export interface GetResponsePlanActionSsmAutomationParameter { + export interface DomainDefaultUserSettingsCustomFileSystemConfigEfsFileSystemConfig { /** - * The name of the PagerDuty configuration. + * The ID of your Amazon EFS file system. */ - name: string; + fileSystemId: string; /** - * The values for the associated parameter name. + * The path to the file system directory that is accessible in Amazon SageMaker Studio. Permitted users can access only this directory and below. */ - values: string[]; + fileSystemPath: string; } - export interface GetResponsePlanIncidentTemplate { - /** - * A string used to stop Incident Manager from creating multiple incident records for the same incident. - */ - dedupeString: string; + export interface DomainDefaultUserSettingsCustomPosixUserConfig { /** - * The impact value of a generated incident. The following values are supported: + * The POSIX group ID. */ - impact: number; + gid: number; /** - * The tags assigned to an incident template. When an incident starts, Incident Manager assigns the tags specified in the template to the incident. + * The POSIX user ID. 
*/ - incidentTags: {[key: string]: string}; + uid: number; + } + + export interface DomainDefaultUserSettingsJupyterLabAppSettings { /** - * The Amazon Simple Notification Service (Amazon SNS) targets that this incident notifies when it is updated. The `notificationTarget` configuration block supports the following argument: + * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see `codeRepository` Block below. */ - notificationTargets: outputs.ssmincidents.GetResponsePlanIncidentTemplateNotificationTarget[]; + codeRepositories?: outputs.sagemaker.DomainDefaultUserSettingsJupyterLabAppSettingsCodeRepository[]; /** - * The summary of an incident. + * A list of custom SageMaker images that are configured to run as a JupyterLab app. see `customImage` Block below. */ - summary: string; + customImages?: outputs.sagemaker.DomainDefaultUserSettingsJupyterLabAppSettingsCustomImage[]; /** - * The title of a generated incident. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. */ - title: string; - } - - export interface GetResponsePlanIncidentTemplateNotificationTarget { + defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsJupyterLabAppSettingsDefaultResourceSpec; /** - * The ARN of the Amazon SNS topic. + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. */ - snsTopicArn: string; + lifecycleConfigArns?: string[]; } - export interface GetResponsePlanIntegration { + export interface DomainDefaultUserSettingsJupyterLabAppSettingsCodeRepository { /** - * Details about the PagerDuty configuration for a response plan. The following values are supported: + * The URL of the Git repository. 
*/ - pagerduties: outputs.ssmincidents.GetResponsePlanIntegrationPagerduty[]; + repositoryUrl: string; } - export interface GetResponsePlanIntegrationPagerduty { + export interface DomainDefaultUserSettingsJupyterLabAppSettingsCustomImage { /** - * The name of the PagerDuty configuration. + * The name of the App Image Config. */ - name: string; + appImageConfigName: string; /** - * The ID of the AWS Secrets Manager secret that stores your PagerDuty key — either a General Access REST API Key or User Token REST API Key — and other user credentials. + * The name of the Custom Image. */ - secretId: string; + imageName: string; /** - * The ID of the PagerDuty service that the response plan associates with an incident when it launches. + * The version number of the Custom Image. */ - serviceId: string; + imageVersionNumber?: number; } - export interface ReplicationSetRegion { + export interface DomainDefaultUserSettingsJupyterLabAppSettingsDefaultResourceSpec { /** - * The Amazon Resource name (ARN) of the customer managed key. If omitted, AWS manages the AWS KMS keys for you, using an AWS owned key, as indicated by a default value of `DefaultKey`. - * - * The following arguments are optional: + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - kmsKeyArn?: string; + instanceType?: string; /** - * The name of the Region, such as `ap-southeast-2`. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - name: string; + lifecycleConfigArn?: string; /** - * The current status of the Region. - * * Valid Values: `ACTIVE` | `CREATING` | `UPDATING` | `DELETING` | `FAILED` + * The ARN of the SageMaker image that the image version belongs to. */ - status: string; + sagemakerImageArn?: string; /** - * More information about the status of a Region. + * The SageMaker Image Version Alias. 
*/ - statusMessage: string; - } - - export interface ResponsePlanAction { - ssmAutomations?: outputs.ssmincidents.ResponsePlanActionSsmAutomation[]; - } - - export interface ResponsePlanActionSsmAutomation { - documentName: string; - documentVersion?: string; - dynamicParameters?: {[key: string]: string}; - parameters?: outputs.ssmincidents.ResponsePlanActionSsmAutomationParameter[]; - roleArn: string; - targetAccount?: string; - } - - export interface ResponsePlanActionSsmAutomationParameter { + sagemakerImageVersionAlias?: string; /** - * The name of the response plan. + * The ARN of the image version created on the instance. */ - name: string; - values: string[]; + sagemakerImageVersionArn?: string; } - export interface ResponsePlanIncidentTemplate { + export interface DomainDefaultUserSettingsJupyterServerAppSettings { /** - * A string used to stop Incident Manager from creating multiple incident records for the same incident. + * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see `codeRepository` Block below. */ - dedupeString?: string; + codeRepositories?: outputs.sagemaker.DomainDefaultUserSettingsJupyterServerAppSettingsCodeRepository[]; /** - * The impact value of a generated incident. The following values are supported: + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. */ - impact: number; + defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsJupyterServerAppSettingsDefaultResourceSpec; /** - * The tags assigned to an incident template. When an incident starts, Incident Manager assigns the tags specified in the template to the incident. + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. 
*/ - incidentTags?: {[key: string]: string}; + lifecycleConfigArns?: string[]; + } + + export interface DomainDefaultUserSettingsJupyterServerAppSettingsCodeRepository { /** - * The Amazon Simple Notification Service (Amazon SNS) targets that this incident notifies when it is updated. The `notificationTarget` configuration block supports the following argument: + * The URL of the Git repository. */ - notificationTargets?: outputs.ssmincidents.ResponsePlanIncidentTemplateNotificationTarget[]; + repositoryUrl: string; + } + + export interface DomainDefaultUserSettingsJupyterServerAppSettingsDefaultResourceSpec { /** - * The summary of an incident. + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - summary?: string; + instanceType?: string; /** - * The title of a generated incident. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - title: string; - } - - export interface ResponsePlanIncidentTemplateNotificationTarget { + lifecycleConfigArn?: string; /** - * The ARN of the Amazon SNS topic. - * - * The following arguments are optional: + * The ARN of the SageMaker image that the image version belongs to. */ - snsTopicArn: string; - } - - export interface ResponsePlanIntegration { - pagerduties?: outputs.ssmincidents.ResponsePlanIntegrationPagerduty[]; - } - - export interface ResponsePlanIntegrationPagerduty { + sagemakerImageArn?: string; /** - * The name of the response plan. + * The SageMaker Image Version Alias. */ - name: string; - secretId: string; - serviceId: string; + sagemakerImageVersionAlias?: string; + /** + * The ARN of the image version created on the instance. 
+ */ + sagemakerImageVersionArn?: string; } -} - -export namespace ssoadmin { - export interface ApplicationPortalOptions { + export interface DomainDefaultUserSettingsKernelGatewayAppSettings { /** - * Sign-in options for the access portal. See `signInOptions` below. + * A list of custom SageMaker images that are configured to run as a KernelGateway app. see `customImage` Block below. */ - signInOptions?: outputs.ssoadmin.ApplicationPortalOptionsSignInOptions; + customImages?: outputs.sagemaker.DomainDefaultUserSettingsKernelGatewayAppSettingsCustomImage[]; /** - * Indicates whether this application is visible in the access portal. Valid values are `ENABLED` and `DISABLED`. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. */ - visibility: string; + defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpec; + /** + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. + */ + lifecycleConfigArns?: string[]; } - export interface ApplicationPortalOptionsSignInOptions { + export interface DomainDefaultUserSettingsKernelGatewayAppSettingsCustomImage { /** - * URL that accepts authentication requests for an application. + * The name of the App Image Config. */ - applicationUrl?: string; + appImageConfigName: string; /** - * Determines how IAM Identity Center navigates the user to the target application. - * Valid values are `APPLICATION` and `IDENTITY_CENTER`. - * If `APPLICATION` is set, IAM Identity Center redirects the customer to the configured `applicationUrl`. - * If `IDENTITY_CENTER` is set, IAM Identity Center uses SAML identity-provider initiated authentication to sign the customer directly into a SAML-based application. + * The name of the Custom Image. */ - origin: string; + imageName: string; + /** + * The version number of the Custom Image. 
+ */ + imageVersionNumber?: number; } - export interface CustomerManagedPolicyAttachmentCustomerManagedPolicyReference { + export interface DomainDefaultUserSettingsKernelGatewayAppSettingsDefaultResourceSpec { /** - * Name of the customer managed IAM Policy to be attached. + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - name: string; + instanceType?: string; /** - * The path to the IAM policy to be attached. The default is `/`. See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) for more information. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - path?: string; - } - - export interface GetApplicationAssignmentsApplicationAssignment { + lifecycleConfigArn?: string; /** - * ARN of the application. + * The ARN of the SageMaker image that the image version belongs to. */ - applicationArn: string; + sagemakerImageArn?: string; /** - * An identifier for an object in IAM Identity Center, such as a user or group. + * The SageMaker Image Version Alias. */ - principalId: string; + sagemakerImageVersionAlias?: string; /** - * Entity type for which the assignment will be created. Valid values are `USER` or `GROUP`. + * The ARN of the image version created on the instance. */ - principalType: string; - } - - export interface GetApplicationPortalOption { - signInOptions?: outputs.ssoadmin.GetApplicationPortalOptionSignInOption[]; - visibility: string; - } - - export interface GetApplicationPortalOptionSignInOption { - applicationUrl: string; - origin: string; + sagemakerImageVersionArn?: string; } - export interface GetApplicationProvidersApplicationProvider { - /** - * ARN of the application provider. 
- */ - applicationProviderArn: string; + export interface DomainDefaultUserSettingsRSessionAppSettings { /** - * An object describing how IAM Identity Center represents the application provider in the portal. See `displayData` below. + * A list of custom SageMaker images that are configured to run as a RSession app. see `customImage` Block below. */ - displayDatas?: outputs.ssoadmin.GetApplicationProvidersApplicationProviderDisplayData[]; + customImages?: outputs.sagemaker.DomainDefaultUserSettingsRSessionAppSettingsCustomImage[]; /** - * Protocol that the application provider uses to perform federation. Valid values are `SAML` and `OAUTH`. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block above. */ - federationProtocol: string; + defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsRSessionAppSettingsDefaultResourceSpec; } - export interface GetApplicationProvidersApplicationProviderDisplayData { + export interface DomainDefaultUserSettingsRSessionAppSettingsCustomImage { /** - * Description of the application provider. + * The name of the App Image Config. */ - description: string; + appImageConfigName: string; /** - * Name of the application provider. + * The name of the Custom Image. */ - displayName: string; + imageName: string; /** - * URL that points to an icon that represents the application provider. + * The version number of the Custom Image. */ - iconUrl: string; + imageVersionNumber?: number; } - export interface GetPrincipalApplicationAssignmentsApplicationAssignment { + export interface DomainDefaultUserSettingsRSessionAppSettingsDefaultResourceSpec { /** - * ARN of the application. + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). 
*/ - applicationArn: string; + instanceType?: string; /** - * An identifier for an object in IAM Identity Center, such as a user or group. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - principalId: string; + lifecycleConfigArn?: string; /** - * Entity type for which the assignment will be created. Valid values are `USER` or `GROUP`. + * The ARN of the SageMaker image that the image version belongs to. */ - principalType: string; - } - - export interface InstanceAccessControlAttributesAttribute { - key: string; - values: outputs.ssoadmin.InstanceAccessControlAttributesAttributeValue[]; - } - - export interface InstanceAccessControlAttributesAttributeValue { - sources: string[]; - } - - export interface PermissionsBoundaryAttachmentPermissionsBoundary { + sagemakerImageArn?: string; /** - * Specifies the name and path of a customer managed policy. See below. + * The SageMaker Image Version Alias. */ - customerManagedPolicyReference?: outputs.ssoadmin.PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference; + sagemakerImageVersionAlias?: string; /** - * AWS-managed IAM policy ARN to use as the permissions boundary. + * The ARN of the image version created on the instance. */ - managedPolicyArn?: string; + sagemakerImageVersionArn?: string; } - export interface PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference { - /** - * Name of the customer managed IAM Policy to be attached. - */ - name: string; + export interface DomainDefaultUserSettingsRStudioServerProAppSettings { /** - * The path to the IAM policy to be attached. The default is `/`. See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) for more information. + * Indicates whether the current user has access to the RStudioServerPro app. Valid values are `ENABLED` and `DISABLED`. 
*/ - path?: string; - } - - export interface TrustedTokenIssuerTrustedTokenIssuerConfiguration { + accessStatus?: string; /** - * A block that describes the settings for a trusted token issuer that works with OpenID Connect (OIDC) by using JSON Web Tokens (JWT). See Documented below below. + * The level of permissions that the user has within the RStudioServerPro app. This value defaults to `R_STUDIO_USER`. The `R_STUDIO_ADMIN` value allows the user access to the RStudio Administrative Dashboard. Valid values are `R_STUDIO_USER` and `R_STUDIO_ADMIN`. */ - oidcJwtConfiguration?: outputs.ssoadmin.TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration; + userGroup?: string; } - export interface TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration { + export interface DomainDefaultUserSettingsSharingSettings { /** - * Specifies the path of the source attribute in the JWT from the trusted token issuer. + * Whether to include the notebook cell output when sharing the notebook. The default is `Disabled`. Valid values are `Allowed` and `Disabled`. */ - claimAttributePath: string; + notebookOutputOption?: string; /** - * Specifies path of the destination attribute in a JWT from IAM Identity Center. The attribute mapped by this JMESPath expression is compared against the attribute mapped by `claimAttributePath` when a trusted token issuer token is exchanged for an IAM Identity Center token. + * When `notebookOutputOption` is Allowed, the AWS Key Management Service (KMS) encryption key ID used to encrypt the notebook cell output in the Amazon S3 bucket. */ - identityStoreAttributePath: string; + s3KmsKeyId?: string; /** - * Specifies the URL that IAM Identity Center uses for OpenID Discovery. OpenID Discovery is used to obtain the information required to verify the tokens that the trusted token issuer generates. + * When `notebookOutputOption` is Allowed, the Amazon S3 bucket used to save the notebook cell output. 
*/ - issuerUrl: string; + s3OutputPath?: string; + } + + export interface DomainDefaultUserSettingsSpaceStorageSettings { /** - * The method that the trusted token issuer can use to retrieve the JSON Web Key Set used to verify a JWT. Valid values are `OPEN_ID_DISCOVERY` + * The default EBS storage settings for a private space. See `defaultEbsStorageSettings` Block below. */ - jwksRetrievalOption: string; + defaultEbsStorageSettings?: outputs.sagemaker.DomainDefaultUserSettingsSpaceStorageSettingsDefaultEbsStorageSettings; } -} - -export namespace storagegateway { - export interface FileSystemAssociationCacheAttributes { + export interface DomainDefaultUserSettingsSpaceStorageSettingsDefaultEbsStorageSettings { /** - * Refreshes a file share's cache by using Time To Live (TTL). - * TTL is the length of time since the last refresh after which access to the directory would cause the file gateway - * to first refresh that directory's contents from the Amazon S3 bucket. Valid Values: `0` or `300` to `2592000` seconds (5 minutes to 30 days). Defaults to `0` + * The default size of the EBS storage volume for a private space. */ - cacheStaleTimeoutInSeconds?: number; + defaultEbsVolumeSizeInGb: number; + /** + * The maximum size of the EBS storage volume for a private space. + */ + maximumEbsVolumeSizeInGb: number; } - export interface GatewayGatewayNetworkInterface { + export interface DomainDefaultUserSettingsTensorBoardAppSettings { /** - * The Internet Protocol version 4 (IPv4) address of the interface. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block below. 
*/ - ipv4Address: string; + defaultResourceSpec?: outputs.sagemaker.DomainDefaultUserSettingsTensorBoardAppSettingsDefaultResourceSpec; } - export interface GatewayMaintenanceStartTime { + export interface DomainDefaultUserSettingsTensorBoardAppSettingsDefaultResourceSpec { /** - * The day of the month component of the maintenance start time represented as an ordinal number from 1 to 28, where 1 represents the first day of the month and 28 represents the last day of the month. + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - dayOfMonth?: string; + instanceType?: string; /** - * The day of the week component of the maintenance start time week represented as an ordinal number from 0 to 6, where 0 represents Sunday and 6 Saturday. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - dayOfWeek?: string; + lifecycleConfigArn?: string; /** - * The hour component of the maintenance start time represented as _hh_, where _hh_ is the hour (00 to 23). The hour of the day is in the time zone of the gateway. + * The ARN of the SageMaker image that the image version belongs to. */ - hourOfDay: number; + sagemakerImageArn?: string; /** - * The minute component of the maintenance start time represented as _mm_, where _mm_ is the minute (00 to 59). The minute of the hour is in the time zone of the gateway. + * The SageMaker Image Version Alias. */ - minuteOfHour?: number; + sagemakerImageVersionAlias?: string; + /** + * The ARN of the image version created on the instance. + */ + sagemakerImageVersionArn?: string; } - export interface GatewaySmbActiveDirectorySettings { - activeDirectoryStatus: string; + export interface DomainDomainSettings { /** - * List of IPv4 addresses, NetBIOS names, or host names of your domain server. 
- * If you need to specify the port number include it after the colon (“:”). For example, `mydc.mydomain.com:389`. + * The configuration for attaching a SageMaker user profile name to the execution role as a sts:SourceIdentity key [AWS Docs](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html). Valid values are `USER_PROFILE_NAME` and `DISABLED`. */ - domainControllers?: string[]; + executionRoleIdentityConfig?: string; /** - * The name of the domain that you want the gateway to join. + * A collection of settings that configure the RStudioServerPro Domain-level app. see `rStudioServerProDomainSettings` Block below. */ - domainName: string; + rStudioServerProDomainSettings?: outputs.sagemaker.DomainDomainSettingsRStudioServerProDomainSettings; /** - * The organizational unit (OU) is a container in an Active Directory that can hold users, groups, - * computers, and other OUs and this parameter specifies the OU that the gateway will join within the AD domain. + * The security groups for the Amazon Virtual Private Cloud that the Domain uses for communication between Domain-level apps and user apps. */ - organizationalUnit?: string; + securityGroupIds?: string[]; + } + + export interface DomainDomainSettingsRStudioServerProDomainSettings { /** - * The password of the user who has permission to add the gateway to the Active Directory domain. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see `defaultResourceSpec` Block above. */ - password: string; + defaultResourceSpec?: outputs.sagemaker.DomainDomainSettingsRStudioServerProDomainSettingsDefaultResourceSpec; /** - * Specifies the time in seconds, in which the JoinDomain operation must complete. The default is `20` seconds. + * The ARN of the execution role for the RStudioServerPro Domain-level app. 
*/ - timeoutInSeconds?: number; + domainExecutionRoleArn: string; /** - * The user name of user who has permission to add the gateway to the Active Directory domain. + * A URL pointing to an RStudio Connect server. */ - username: string; - } - - export interface NfsFileShareCacheAttributes { + rStudioConnectUrl?: string; /** - * Refreshes a file share's cache by using Time To Live (TTL). - * TTL is the length of time since the last refresh after which access to the directory would cause the file gateway - * to first refresh that directory's contents from the Amazon S3 bucket. Valid Values: 300 to 2,592,000 seconds (5 minutes to 30 days) + * A URL pointing to an RStudio Package Manager server. */ - cacheStaleTimeoutInSeconds?: number; + rStudioPackageManagerUrl?: string; } - export interface NfsFileShareNfsFileShareDefaults { + export interface DomainDomainSettingsRStudioServerProDomainSettingsDefaultResourceSpec { /** - * The Unix directory mode in the string form "nnnn". Defaults to `"0777"`. + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - directoryMode?: string; + instanceType?: string; /** - * The Unix file mode in the string form "nnnn". Defaults to `"0666"`. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - fileMode?: string; + lifecycleConfigArn?: string; /** - * The default group ID for the file share (unless the files have another group ID specified). Defaults to `65534` (`nfsnobody`). Valid values: `0` through `4294967294`. + * The ARN of the SageMaker image that the image version belongs to. */ - groupId?: string; + sagemakerImageArn?: string; /** - * The default owner ID for the file share (unless the files have another owner ID specified). Defaults to `65534` (`nfsnobody`). Valid values: `0` through `4294967294`. + * The SageMaker Image Version Alias. 
*/ - ownerId?: string; - } - - export interface SmbFileShareCacheAttributes { + sagemakerImageVersionAlias?: string; /** - * Refreshes a file share's cache by using Time To Live (TTL). - * TTL is the length of time since the last refresh after which access to the directory would cause the file gateway - * to first refresh that directory's contents from the Amazon S3 bucket. Valid Values: 300 to 2,592,000 seconds (5 minutes to 30 days) + * The ARN of the image version created on the instance. */ - cacheStaleTimeoutInSeconds?: number; + sagemakerImageVersionArn?: string; } -} - -export namespace synthetics { - export interface CanaryArtifactConfig { + export interface DomainRetentionPolicy { /** - * Configuration of the encryption-at-rest settings for artifacts that the canary uploads to Amazon S3. See S3 Encryption. + * The retention policy for data stored on an Amazon Elastic File System (EFS) volume. Valid values are `Retain` or `Delete`. Default value is `Retain`. */ - s3Encryption?: outputs.synthetics.CanaryArtifactConfigS3Encryption; + homeEfsFileSystem?: string; } - export interface CanaryArtifactConfigS3Encryption { + export interface EndpointConfigurationAsyncInferenceConfig { /** - * The encryption method to use for artifacts created by this canary. Valid values are: `SSE_S3` and `SSE_KMS`. + * Configures the behavior of the client used by Amazon SageMaker to interact with the model container during asynchronous inference. */ - encryptionMode?: string; + clientConfig?: outputs.sagemaker.EndpointConfigurationAsyncInferenceConfigClientConfig; /** - * The ARN of the customer-managed KMS key to use, if you specify `SSE_KMS` for `encryptionMode`. + * Specifies the configuration for asynchronous inference invocation outputs. 
*/ - kmsKeyArn?: string; + outputConfig: outputs.sagemaker.EndpointConfigurationAsyncInferenceConfigOutputConfig; } - export interface CanaryRunConfig { + export interface EndpointConfigurationAsyncInferenceConfigClientConfig { /** - * Whether this canary is to use active AWS X-Ray tracing when it runs. You can enable active tracing only for canaries that use version syn-nodejs-2.0 or later for their canary runtime. + * The maximum number of concurrent requests sent by the SageMaker client to the model container. If no value is provided, Amazon SageMaker will choose an optimal value for you. */ - activeTracing?: boolean; + maxConcurrentInvocationsPerInstance?: number; + } + + export interface EndpointConfigurationAsyncInferenceConfigOutputConfig { /** - * Map of environment variables that are accessible from the canary during execution. Please see [AWS Docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime) for variables reserved for Lambda. + * The Amazon Web Services Key Management Service (Amazon Web Services KMS) key that Amazon SageMaker uses to encrypt the asynchronous inference output in Amazon S3. */ - environmentVariables?: {[key: string]: string}; + kmsKeyId?: string; /** - * Maximum amount of memory available to the canary while it is running, in MB. The value you specify must be a multiple of 64. + * Specifies the configuration for notifications of inference results for asynchronous inference. */ - memoryInMb: number; + notificationConfig?: outputs.sagemaker.EndpointConfigurationAsyncInferenceConfigOutputConfigNotificationConfig; /** - * Number of seconds the canary is allowed to run before it must stop. If you omit this field, the frequency of the canary is used, up to a maximum of 840 (14 minutes). + * The Amazon S3 location to upload failure inference responses to. */ - timeoutInSeconds?: number; + s3FailurePath?: string; + /** + * The Amazon S3 location to upload inference responses to. 
+ */ + s3OutputPath: string; } - export interface CanarySchedule { + export interface EndpointConfigurationAsyncInferenceConfigOutputConfigNotificationConfig { /** - * Duration in seconds, for the canary to continue making regular runs according to the schedule in the Expression value. + * Amazon SNS topic to post a notification to when inference fails. If no topic is provided, no notification is sent on failure. */ - durationInSeconds?: number; + errorTopic?: string; /** - * Rate expression or cron expression that defines how often the canary is to run. For rate expression, the syntax is `rate(number unit)`. _unit_ can be `minute`, `minutes`, or `hour`. For cron expression, the syntax is `cron(expression)`. For more information about the syntax for cron expressions, see [Scheduling canary runs using cron](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_cron.html). + * The Amazon SNS topics where you want the inference response to be included. Valid values are `SUCCESS_NOTIFICATION_TOPIC` and `ERROR_NOTIFICATION_TOPIC`. */ - expression: string; - } - - export interface CanaryTimeline { + includeInferenceResponseIns?: string[]; /** - * Date and time the canary was created. + * Amazon SNS topic to post a notification to when inference completes successfully. If no topic is provided, no notification is sent on success. */ - created: string; + successTopic?: string; + } + + export interface EndpointConfigurationDataCaptureConfig { /** - * Date and time the canary was most recently modified. + * The content type headers to capture. Fields are documented below. */ - lastModified: string; + captureContentTypeHeader?: outputs.sagemaker.EndpointConfigurationDataCaptureConfigCaptureContentTypeHeader; /** - * Date and time that the canary's most recent run started. + * Specifies what data to capture. Fields are documented below. 
*/ - lastStarted: string; + captureOptions: outputs.sagemaker.EndpointConfigurationDataCaptureConfigCaptureOption[]; /** - * Date and time that the canary's most recent run ended. + * The URL for S3 location where the captured data is stored. */ - lastStopped: string; - } - - export interface CanaryVpcConfig { + destinationS3Uri: string; /** - * IDs of the security groups for this canary. + * Flag to enable data capture. Defaults to `false`. */ - securityGroupIds?: string[]; + enableCapture?: boolean; /** - * IDs of the subnets where this canary is to run. + * Portion of data to capture. Should be between 0 and 100. */ - subnetIds?: string[]; + initialSamplingPercentage: number; /** - * ID of the VPC where this canary is to run. + * Amazon Resource Name (ARN) of a AWS Key Management Service key that Amazon SageMaker uses to encrypt the captured data on Amazon S3. */ - vpcId: string; + kmsKeyId?: string; } -} - -export namespace timestreamwrite { - export interface TableMagneticStoreWriteProperties { + export interface EndpointConfigurationDataCaptureConfigCaptureContentTypeHeader { /** - * A flag to enable magnetic store writes. + * The CSV content type headers to capture. */ - enableMagneticStoreWrites?: boolean; + csvContentTypes?: string[]; /** - * The location to write error reports for records rejected asynchronously during magnetic store writes. See Magnetic Store Rejected Data Location below for more details. + * The JSON content type headers to capture. */ - magneticStoreRejectedDataLocation?: outputs.timestreamwrite.TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation; + jsonContentTypes?: string[]; } - export interface TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation { + export interface EndpointConfigurationDataCaptureConfigCaptureOption { /** - * Configuration of an S3 location to write error reports for records rejected, asynchronously, during magnetic store writes. See S3 Configuration below for more details. 
+ * Specifies the data to be captured. Should be one of `Input` or `Output`. */ - s3Configuration?: outputs.timestreamwrite.TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration; + captureMode: string; } - export interface TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration { + export interface EndpointConfigurationProductionVariant { /** - * Bucket name of the customer S3 bucket. + * The size of the Elastic Inference (EI) instance to use for the production variant. */ - bucketName?: string; + acceleratorType?: string; /** - * Encryption option for the customer s3 location. Options are S3 server side encryption with an S3-managed key or KMS managed key. Valid values are `SSE_KMS` and `SSE_S3`. + * The timeout value, in seconds, for your inference container to pass health check by SageMaker Hosting. For more information about health check, see [How Your Container Should Respond to Health Check (Ping) Requests](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-inference-code.html#your-algorithms-inference-algo-ping-requests). Valid values between `60` and `3600`. */ - encryptionOption?: string; + containerStartupHealthCheckTimeoutInSeconds?: number; /** - * KMS key arn for the customer s3 location when encrypting with a KMS managed key. + * Specifies configuration for a core dump from the model container when the process crashes. Fields are documented below. */ - kmsKeyId?: string; + coreDumpConfig?: outputs.sagemaker.EndpointConfigurationProductionVariantCoreDumpConfig; /** - * Object key prefix for the customer S3 location. + * You can use this parameter to turn on native Amazon Web Services Systems Manager (SSM) access for a production variant behind an endpoint. By default, SSM access is disabled for all production variants behind an endpoints. 
*/ - objectKeyPrefix?: string; - } - - export interface TableRetentionProperties { + enableSsmAccess?: boolean; /** - * The duration for which data must be stored in the magnetic store. Minimum value of 1. Maximum value of 73000. + * Initial number of instances used for auto-scaling. */ - magneticStoreRetentionPeriodInDays: number; + initialInstanceCount?: number; /** - * The duration for which data must be stored in the memory store. Minimum value of 1. Maximum value of 8766. + * Determines initial traffic distribution among all of the models that you specify in the endpoint configuration. If unspecified, it defaults to `1.0`. */ - memoryStoreRetentionPeriodInHours: number; - } - - export interface TableSchema { + initialVariantWeight?: number; /** - * A non-empty list of partition keys defining the attributes used to partition the table data. The order of the list determines the partition hierarchy. The name and type of each partition key as well as the partition key order cannot be changed after the table is created. However, the enforcement level of each partition key can be changed. See Composite Partition Key below for more details. + * The type of instance to start. */ - compositePartitionKey: outputs.timestreamwrite.TableSchemaCompositePartitionKey; - } - - export interface TableSchemaCompositePartitionKey { + instanceType?: string; /** - * The level of enforcement for the specification of a dimension key in ingested records. Valid values: `REQUIRED`, `OPTIONAL`. + * The timeout value, in seconds, to download and extract the model that you want to host from Amazon S3 to the individual inference instance associated with this production variant. Valid values between `60` and `3600`. */ - enforcementInRecord?: string; + modelDataDownloadTimeoutInSeconds?: number; /** - * The name of the attribute used for a dimension key. + * The name of the model to use. */ - name?: string; + modelName: string; /** - * The type of the partition key. 
Valid values: `DIMENSION`, `MEASURE`. + * Sets how the endpoint routes incoming traffic. See routingConfig below. */ - type: string; - } - -} - -export namespace transcribe { - export interface LanguageModelInputDataConfig { + routingConfigs?: outputs.sagemaker.EndpointConfigurationProductionVariantRoutingConfig[]; /** - * IAM role with access to S3 bucket. + * Specifies configuration for how an endpoint performs asynchronous inference. */ - dataAccessRoleArn: string; + serverlessConfig?: outputs.sagemaker.EndpointConfigurationProductionVariantServerlessConfig; /** - * S3 URI where training data is located. + * The name of the variant. If omitted, this provider will assign a random, unique name. */ - s3Uri: string; + variantName: string; /** - * S3 URI where tuning data is located. - * - * The following arguments are optional: + * The size, in GB, of the ML storage volume attached to individual inference instance associated with the production variant. Valid values between `1` and `512`. */ - tuningDataS3Uri: string; + volumeSizeInGb: number; } -} - -export namespace transfer { - export interface AccessHomeDirectoryMapping { + export interface EndpointConfigurationProductionVariantCoreDumpConfig { /** - * Represents an entry and a target. + * The Amazon S3 bucket to send the core dump to. */ - entry: string; + destinationS3Uri: string; /** - * Represents the map target. + * The Amazon Web Services Key Management Service (Amazon Web Services KMS) key that SageMaker uses to encrypt the core dump data at rest using Amazon S3 server-side encryption. */ - target: string; + kmsKeyId?: string; } - export interface AccessPosixProfile { + export interface EndpointConfigurationProductionVariantRoutingConfig { /** - * The POSIX group ID used for all EFS operations by this user. + * Sets how the endpoint routes incoming traffic. Valid values are `LEAST_OUTSTANDING_REQUESTS` and `RANDOM`. 
`LEAST_OUTSTANDING_REQUESTS` routes requests to the specific instances that have more capacity to process them. `RANDOM` routes each request to a randomly chosen instance. */ - gid: number; + routingStrategy: string; + } + + export interface EndpointConfigurationProductionVariantServerlessConfig { /** - * The secondary POSIX group IDs used for all EFS operations by this user. + * The maximum number of concurrent invocations your serverless endpoint can process. Valid values are between `1` and `200`. */ - secondaryGids?: number[]; + maxConcurrency: number; /** - * The POSIX user ID used for all EFS operations by this user. + * The memory size of your serverless endpoint. Valid values are in 1 GB increments: `1024` MB, `2048` MB, `3072` MB, `4096` MB, `5120` MB, or `6144` MB. */ - uid: number; - } - - export interface ConnectorAs2Config { - compression: string; - encryptionAlgorithm: string; - localProfileId: string; - mdnResponse: string; - mdnSigningAlgorithm?: string; - messageSubject?: string; - partnerProfileId: string; - signingAlgorithm: string; + memorySizeInMb: number; + /** + * The amount of provisioned concurrency to allocate for the serverless endpoint. Should be less than or equal to `maxConcurrency`. Valid values are between `1` and `200`. 
+ */ + provisionedConcurrency?: number; } - export interface ConnectorSftpConfig { - trustedHostKeys?: string[]; - userSecretId?: string; + export interface EndpointConfigurationShadowProductionVariant { + acceleratorType?: string; + containerStartupHealthCheckTimeoutInSeconds?: number; + coreDumpConfig?: outputs.sagemaker.EndpointConfigurationShadowProductionVariantCoreDumpConfig; + enableSsmAccess?: boolean; + initialInstanceCount?: number; + initialVariantWeight?: number; + instanceType?: string; + modelDataDownloadTimeoutInSeconds?: number; + modelName: string; + routingConfigs?: outputs.sagemaker.EndpointConfigurationShadowProductionVariantRoutingConfig[]; + serverlessConfig?: outputs.sagemaker.EndpointConfigurationShadowProductionVariantServerlessConfig; + variantName: string; + volumeSizeInGb?: number; } - export interface ServerEndpointDetails { + export interface EndpointConfigurationShadowProductionVariantCoreDumpConfig { /** - * A list of address allocation IDs that are required to attach an Elastic IP address to your SFTP server's endpoint. This property can only be used when `endpointType` is set to `VPC`. + * The Amazon S3 bucket to send the core dump to. */ - addressAllocationIds?: string[]; + destinationS3Uri: string; /** - * A list of security groups IDs that are available to attach to your server's endpoint. If no security groups are specified, the VPC's default security groups are automatically assigned to your endpoint. This property can only be used when `endpointType` is set to `VPC`. + * The Amazon Web Services Key Management Service (Amazon Web Services KMS) key that SageMaker uses to encrypt the core dump data at rest using Amazon S3 server-side encryption. */ - securityGroupIds: string[]; + kmsKeyId: string; + } + + export interface EndpointConfigurationShadowProductionVariantRoutingConfig { /** - * A list of subnet IDs that are required to host your SFTP server endpoint in your VPC. 
This property can only be used when `endpointType` is set to `VPC`. + * Sets how the endpoint routes incoming traffic. Valid values are `LEAST_OUTSTANDING_REQUESTS` and `RANDOM`. `LEAST_OUTSTANDING_REQUESTS` routes requests to the specific instances that have more capacity to process them. `RANDOM` routes each request to a randomly chosen instance. */ - subnetIds?: string[]; + routingStrategy: string; + } + + export interface EndpointConfigurationShadowProductionVariantServerlessConfig { /** - * The ID of the VPC endpoint. This property can only be used when `endpointType` is set to `VPC_ENDPOINT` + * The maximum number of concurrent invocations your serverless endpoint can process. Valid values are between `1` and `200`. */ - vpcEndpointId: string; + maxConcurrency: number; /** - * The VPC ID of the virtual private cloud in which the SFTP server's endpoint will be hosted. This property can only be used when `endpointType` is set to `VPC`. + * The memory size of your serverless endpoint. Valid values are in 1 GB increments: `1024` MB, `2048` MB, `3072` MB, `4096` MB, `5120` MB, or `6144` MB. */ - vpcId?: string; - } - - export interface ServerProtocolDetails { + memorySizeInMb: number; /** - * Indicates the transport method for the AS2 messages. Currently, only `HTTP` is supported. + * The amount of provisioned concurrency to allocate for the serverless endpoint. Should be less than or equal to `maxConcurrency`. Valid values are between `1` and `200`. */ - as2Transports: string[]; + provisionedConcurrency?: number; + } + + export interface EndpointDeploymentConfig { /** - * Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. + * Automatic rollback configuration for handling endpoint deployment failures and recovery. See Auto Rollback Configuration. 
*/ - passiveIp: string; + autoRollbackConfiguration?: outputs.sagemaker.EndpointDeploymentConfigAutoRollbackConfiguration; /** - * Use to ignore the error that is generated when the client attempts to use `SETSTAT` on a file you are uploading to an S3 bucket. Valid values: `DEFAULT`, `ENABLE_NO_OP`. + * Update policy for a blue/green deployment. If this update policy is specified, SageMaker creates a new fleet during the deployment while maintaining the old fleet. SageMaker flips traffic to the new fleet according to the specified traffic routing configuration. Only one update policy should be used in the deployment configuration. If no update policy is specified, SageMaker uses a blue/green deployment strategy with all at once traffic shifting by default. See Blue Green Update Config. */ - setStatOption: string; + blueGreenUpdatePolicy?: outputs.sagemaker.EndpointDeploymentConfigBlueGreenUpdatePolicy; /** - * A property used with Transfer Family servers that use the FTPS protocol. Provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. Valid values: `DISABLED`, `ENABLED`, `ENFORCED`. + * Specifies a rolling deployment strategy for updating a SageMaker endpoint. See Rolling Update Policy. */ - tlsSessionResumptionMode: string; + rollingUpdatePolicy?: outputs.sagemaker.EndpointDeploymentConfigRollingUpdatePolicy; } - export interface ServerS3StorageOptions { + export interface EndpointDeploymentConfigAutoRollbackConfiguration { /** - * Specifies whether or not performance for your Amazon S3 directories is optimized. Valid values are `DISABLED`, `ENABLED`. - * - * By default, home directory mappings have a `TYPE` of `DIRECTORY`. If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` Type to `FILE` if you want a mapping to have a file target. 
See [Using logical directories to simplify your Transfer Family directory structures](https://docs.aws.amazon.com/transfer/latest/userguide/logical-dir-mappings.html) for details. + * List of CloudWatch alarms in your account that are configured to monitor metrics on an endpoint. If any alarms are tripped during a deployment, SageMaker rolls back the deployment. See Alarms. */ - directoryListingOptimization: string; + alarms?: outputs.sagemaker.EndpointDeploymentConfigAutoRollbackConfigurationAlarm[]; } - export interface ServerWorkflowDetails { - /** - * A trigger that starts a workflow if a file is only partially uploaded. See Workflow Detail below. See `onPartialUpload` block below for details. - */ - onPartialUpload?: outputs.transfer.ServerWorkflowDetailsOnPartialUpload; + export interface EndpointDeploymentConfigAutoRollbackConfigurationAlarm { /** - * A trigger that starts a workflow: the workflow begins to execute after a file is uploaded. See `onUpload` block below for details. + * The name of a CloudWatch alarm in your account. */ - onUpload?: outputs.transfer.ServerWorkflowDetailsOnUpload; + alarmName: string; } - export interface ServerWorkflowDetailsOnPartialUpload { + export interface EndpointDeploymentConfigBlueGreenUpdatePolicy { + maximumExecutionTimeoutInSeconds?: number; + terminationWaitInSeconds?: number; + trafficRoutingConfiguration: outputs.sagemaker.EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfiguration; + } + + export interface EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfiguration { /** - * Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources. + * Batch size for the first step to turn on traffic on the new endpoint fleet. Value must be less than or equal to 50% of the variant's total instance count. See Canary Size. 
*/ - executionRole: string; + canarySize?: outputs.sagemaker.EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfigurationCanarySize; /** - * A unique identifier for the workflow. + * Batch size for each step to turn on traffic on the new endpoint fleet. Value must be 10-50% of the variant's total instance count. See Linear Step Size. */ - workflowId: string; - } - - export interface ServerWorkflowDetailsOnUpload { + linearStepSize?: outputs.sagemaker.EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfigurationLinearStepSize; /** - * Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources. + * Traffic routing strategy type. Valid values are: `ALL_AT_ONCE`, `CANARY`, and `LINEAR`. */ - executionRole: string; + type: string; /** - * A unique identifier for the workflow. + * The waiting time (in seconds) between incremental steps to turn on traffic on the new endpoint fleet. Valid values are between `0` and `3600`. */ - workflowId: string; + waitIntervalInSeconds: number; } - export interface UserHomeDirectoryMapping { + export interface EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfigurationCanarySize { /** - * Represents an entry and a target. + * Specifies the endpoint capacity type. Valid values are: `INSTANCE_COUNT`, or `CAPACITY_PERCENT`. */ - entry: string; + type: string; /** - * Represents the map target. - * - * The `Restricted` option is achieved using the following mapping: - * - * ``` - * home_directory_mappings { - * entry = "/" - * target = "/${aws_s3_bucket.foo.id}/$${Transfer:UserName}" - * } - * ``` + * Defines the capacity size, either as a number of instances or a capacity percentage. */ - target: string; + value: number; } - export interface UserPosixProfile { - /** - * The POSIX group ID used for all EFS operations by this user. 
- */ - gid: number; + export interface EndpointDeploymentConfigBlueGreenUpdatePolicyTrafficRoutingConfigurationLinearStepSize { /** - * The secondary POSIX group IDs used for all EFS operations by this user. + * Specifies the endpoint capacity type. Valid values are: `INSTANCE_COUNT`, or `CAPACITY_PERCENT`. */ - secondaryGids?: number[]; + type: string; /** - * The POSIX user ID used for all EFS operations by this user. + * Defines the capacity size, either as a number of instances or a capacity percentage. */ - uid: number; - } - - export interface WorkflowOnExceptionStep { - copyStepDetails?: outputs.transfer.WorkflowOnExceptionStepCopyStepDetails; - customStepDetails?: outputs.transfer.WorkflowOnExceptionStepCustomStepDetails; - decryptStepDetails?: outputs.transfer.WorkflowOnExceptionStepDecryptStepDetails; - deleteStepDetails?: outputs.transfer.WorkflowOnExceptionStepDeleteStepDetails; - tagStepDetails?: outputs.transfer.WorkflowOnExceptionStepTagStepDetails; - type: string; + value: number; } - export interface WorkflowOnExceptionStepCopyStepDetails { + export interface EndpointDeploymentConfigRollingUpdatePolicy { /** - * Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username. + * Batch size for each rolling step to provision capacity and turn on traffic on the new endpoint fleet, and terminate capacity on the old endpoint fleet. Value must be between 5% to 50% of the variant's total instance count. See Maximum Batch Size. */ - destinationFileLocation?: outputs.transfer.WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation; + maximumBatchSize: outputs.sagemaker.EndpointDeploymentConfigRollingUpdatePolicyMaximumBatchSize; /** - * The name of the step, used as an identifier. + * The time limit for the total deployment. Exceeding this limit causes a timeout. Valid values are between `600` and `14400`. 
*/ - name?: string; + maximumExecutionTimeoutInSeconds?: number; /** - * A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`. + * Batch size for rollback to the old endpoint fleet. Each rolling step to provision capacity and turn on traffic on the old endpoint fleet, and terminate capacity on the new endpoint fleet. If this field is absent, the default value will be set to 100% of total capacity which means to bring up the whole capacity of the old fleet at once during rollback. See Rollback Maximum Batch Size. */ - overwriteExisting?: string; + rollbackMaximumBatchSize?: outputs.sagemaker.EndpointDeploymentConfigRollingUpdatePolicyRollbackMaximumBatchSize; /** - * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. + * The length of the baking period, during which SageMaker monitors alarms for each batch on the new fleet. Valid values are between `0` and `3600`. */ - sourceFileLocation?: string; + waitIntervalInSeconds: number; } - export interface WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation { + export interface EndpointDeploymentConfigRollingUpdatePolicyMaximumBatchSize { /** - * Specifies the details for the EFS file being copied. + * Specifies the endpoint capacity type. Valid values are: `INSTANCE_COUNT`, or `CAPACITY_PERCENT`. */ - efsFileLocation?: outputs.transfer.WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation; + type: string; /** - * Specifies the details for the S3 file being copied. 
+ * Defines the capacity size, either as a number of instances or a capacity percentage. */ - s3FileLocation?: outputs.transfer.WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation; + value: number; } - export interface WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation { + export interface EndpointDeploymentConfigRollingUpdatePolicyRollbackMaximumBatchSize { /** - * The ID of the file system, assigned by Amazon EFS. + * Specifies the endpoint capacity type. Valid values are: `INSTANCE_COUNT`, or `CAPACITY_PERCENT`. */ - fileSystemId?: string; + type: string; /** - * The pathname for the folder being used by a workflow. + * Defines the capacity size, either as a number of instances or a capacity percentage. */ - path?: string; + value: number; } - export interface WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation { + export interface FeatureGroupFeatureDefinition { /** - * Specifies the S3 bucket for the customer input file. + * The name of a feature. `featureName` cannot be any of the following: `isDeleted`, `writeTime`, `apiInvocationTime`. */ - bucket?: string; + featureName?: string; /** - * The name assigned to the file when it was created in S3. You use the object key to retrieve the object. + * The value type of a feature. Valid values are `Integral`, `Fractional`, or `String`. */ - key?: string; + featureType?: string; } - export interface WorkflowOnExceptionStepCustomStepDetails { - /** - * The name of the step, used as an identifier. - */ - name?: string; + export interface FeatureGroupOfflineStoreConfig { /** - * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. 
Enter ${original.file} to use the originally-uploaded file location as input for this step. + * The meta data of the Glue table that is autogenerated when an OfflineStore is created. See Data Catalog Config Below. */ - sourceFileLocation?: string; + dataCatalogConfig: outputs.sagemaker.FeatureGroupOfflineStoreConfigDataCatalogConfig; + disableGlueTableCreation?: boolean; /** - * The ARN for the lambda function that is being called. + * The Amazon Simple Storage (Amazon S3) location of OfflineStore. See S3 Storage Config Below. */ - target?: string; + s3StorageConfig: outputs.sagemaker.FeatureGroupOfflineStoreConfigS3StorageConfig; /** - * Timeout, in seconds, for the step. + * Format for the offline store table. Supported formats are `Glue` (Default) and Apache `Iceberg` (https://iceberg.apache.org/). */ - timeoutSeconds?: number; + tableFormat?: string; } - export interface WorkflowOnExceptionStepDecryptStepDetails { + export interface FeatureGroupOfflineStoreConfigDataCatalogConfig { /** - * Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username. + * The name of the Glue table catalog. */ - destinationFileLocation?: outputs.transfer.WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation; + catalog: string; /** - * The name of the step, used as an identifier. + * The name of the Glue table database. */ - name?: string; + database: string; /** - * A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`. + * The name of the Glue table. */ - overwriteExisting?: string; + tableName: string; + } + + export interface FeatureGroupOfflineStoreConfigS3StorageConfig { /** - * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. 
In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. + * The AWS Key Management Service (KMS) key ID of the key used to encrypt any objects written into the OfflineStore S3 location. */ - sourceFileLocation?: string; + kmsKeyId?: string; /** - * The type of encryption used. Currently, this value must be `"PGP"`. + * The S3 path where offline records are written. */ - type: string; + resolvedOutputS3Uri: string; + /** + * The S3 URI, or location in Amazon S3, of OfflineStore. + */ + s3Uri: string; } - export interface WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation { + export interface FeatureGroupOnlineStoreConfig { + enableOnlineStore?: boolean; /** - * Specifies the details for the EFS file being copied. + * Security config for at-rest encryption of your OnlineStore. See Security Config Below. */ - efsFileLocation?: outputs.transfer.WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation; + securityConfig?: outputs.sagemaker.FeatureGroupOnlineStoreConfigSecurityConfig; /** - * Specifies the details for the S3 file being copied. + * Option for different tiers of low latency storage for real-time data retrieval. Valid values are `Standard`, or `InMemory`. */ - s3FileLocation?: outputs.transfer.WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation; - } - - export interface WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation { + storageType?: string; /** - * The ID of the file system, assigned by Amazon EFS. + * Time to live duration, where the record is hard deleted after the expiration time is reached; ExpiresAt = EventTime + TtlDuration.. See TTl Duration Below. 
*/ - fileSystemId?: string; + ttlDuration?: outputs.sagemaker.FeatureGroupOnlineStoreConfigTtlDuration; + } + + export interface FeatureGroupOnlineStoreConfigSecurityConfig { /** - * The pathname for the folder being used by a workflow. + * The ID of the AWS Key Management Service (AWS KMS) key that SageMaker Feature Store uses to encrypt the Amazon S3 objects at rest using Amazon S3 server-side encryption. */ - path?: string; + kmsKeyId?: string; } - export interface WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation { + export interface FeatureGroupOnlineStoreConfigTtlDuration { /** - * Specifies the S3 bucket for the customer input file. + * TtlDuration time unit. Valid values are `Seconds`, `Minutes`, `Hours`, `Days`, or `Weeks`. */ - bucket?: string; + unit?: string; /** - * The name assigned to the file when it was created in S3. You use the object key to retrieve the object. + * TtlDuration time value. */ - key?: string; + value?: number; } - export interface WorkflowOnExceptionStepDeleteStepDetails { + export interface FlowDefinitionHumanLoopActivationConfig { /** - * The name of the step, used as an identifier. + * defines under what conditions SageMaker creates a human loop. See Human Loop Activation Conditions Config details below. */ - name?: string; + humanLoopActivationConditionsConfig?: outputs.sagemaker.FlowDefinitionHumanLoopActivationConfigHumanLoopActivationConditionsConfig; + } + + export interface FlowDefinitionHumanLoopActivationConfigHumanLoopActivationConditionsConfig { /** - * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. 
+ * A JSON expressing use-case specific conditions declaratively. If any condition is matched, atomic tasks are created against the configured work team. For more information about how to structure the JSON, see [JSON Schema for Human Loop Activation Conditions in Amazon Augmented AI](https://docs.aws.amazon.com/sagemaker/latest/dg/a2i-human-fallback-conditions-json-schema.html). */ - sourceFileLocation?: string; + humanLoopActivationConditions: string; } - export interface WorkflowOnExceptionStepTagStepDetails { + export interface FlowDefinitionHumanLoopConfig { /** - * The name of the step, used as an identifier. + * The Amazon Resource Name (ARN) of the human task user interface. */ - name?: string; + humanTaskUiArn: string; /** - * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. + * Defines the amount of money paid to an Amazon Mechanical Turk worker for each task performed. See Public Workforce Task Price details below. */ - sourceFileLocation?: string; + publicWorkforceTaskPrice?: outputs.sagemaker.FlowDefinitionHumanLoopConfigPublicWorkforceTaskPrice; /** - * Array that contains from 1 to 10 key/value pairs. See S3 Tags below. + * The length of time that a task remains available for review by human workers. Valid value range between `1` and `864000`. 
*/ - tags?: outputs.transfer.WorkflowOnExceptionStepTagStepDetailsTag[]; - } - - export interface WorkflowOnExceptionStepTagStepDetailsTag { - key: string; - value: string; - } - - export interface WorkflowStep { - copyStepDetails?: outputs.transfer.WorkflowStepCopyStepDetails; - customStepDetails?: outputs.transfer.WorkflowStepCustomStepDetails; - decryptStepDetails?: outputs.transfer.WorkflowStepDecryptStepDetails; - deleteStepDetails?: outputs.transfer.WorkflowStepDeleteStepDetails; - tagStepDetails?: outputs.transfer.WorkflowStepTagStepDetails; - type: string; - } - - export interface WorkflowStepCopyStepDetails { + taskAvailabilityLifetimeInSeconds?: number; /** - * Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username. + * The number of distinct workers who will perform the same task on each object. Valid value range between `1` and `3`. */ - destinationFileLocation?: outputs.transfer.WorkflowStepCopyStepDetailsDestinationFileLocation; + taskCount: number; /** - * The name of the step, used as an identifier. + * A description for the human worker task. */ - name?: string; + taskDescription: string; /** - * A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`. + * An array of keywords used to describe the task so that workers can discover the task. */ - overwriteExisting?: string; + taskKeywords?: string[]; /** - * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. 
+ * The amount of time that a worker has to complete a task. The default value is `3600` seconds. */ - sourceFileLocation?: string; - } - - export interface WorkflowStepCopyStepDetailsDestinationFileLocation { + taskTimeLimitInSeconds?: number; /** - * Specifies the details for the EFS file being copied. + * A title for the human worker task. */ - efsFileLocation?: outputs.transfer.WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation; + taskTitle: string; /** - * Specifies the details for the S3 file being copied. + * The Amazon Resource Name (ARN) of the human task user interface. Amazon Resource Name (ARN) of a team of workers. For Public workforces see [AWS Docs](https://docs.aws.amazon.com/sagemaker/latest/dg/sms-workforce-management-public.html). */ - s3FileLocation?: outputs.transfer.WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation; + workteamArn: string; } - export interface WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation { - /** - * The ID of the file system, assigned by Amazon EFS. - */ - fileSystemId?: string; + export interface FlowDefinitionHumanLoopConfigPublicWorkforceTaskPrice { /** - * The pathname for the folder being used by a workflow. + * Defines the amount of money paid to an Amazon Mechanical Turk worker in United States dollars. See Amount In Usd details below. */ - path?: string; + amountInUsd?: outputs.sagemaker.FlowDefinitionHumanLoopConfigPublicWorkforceTaskPriceAmountInUsd; } - export interface WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation { + export interface FlowDefinitionHumanLoopConfigPublicWorkforceTaskPriceAmountInUsd { /** - * Specifies the S3 bucket for the customer input file. + * The fractional portion, in cents, of the amount. Valid value range between `0` and `99`. */ - bucket?: string; + cents?: number; /** - * The name assigned to the file when it was created in S3. You use the object key to retrieve the object. + * The whole number of dollars in the amount. 
Valid value range between `0` and `2`. */ - key?: string; - } - - export interface WorkflowStepCustomStepDetails { + dollars?: number; /** - * The name of the step, used as an identifier. + * Fractions of a cent, in tenths. Valid value range between `0` and `9`. */ - name?: string; + tenthFractionsOfACent?: number; + } + + export interface FlowDefinitionHumanLoopRequestSource { /** - * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. + * Specifies whether Amazon Rekognition or Amazon Textract are used as the integration source. Valid values are: `AWS/Rekognition/DetectModerationLabels/Image/V3` and `AWS/Textract/AnalyzeDocument/Forms/V1`. */ - sourceFileLocation?: string; + awsManagedHumanLoopRequestSource: string; + } + + export interface FlowDefinitionOutputConfig { /** - * The ARN for the lambda function that is being called. + * The Amazon Key Management Service (KMS) key ARN for server-side encryption. */ - target?: string; + kmsKeyId?: string; /** - * Timeout, in seconds, for the step. + * The Amazon S3 path where the object containing human output will be made available. */ - timeoutSeconds?: number; + s3OutputPath: string; } - export interface WorkflowStepDecryptStepDetails { + export interface HumanTaskUIUiTemplate { /** - * Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username. + * The content of the Liquid template for the worker user interface. 
*/ - destinationFileLocation?: outputs.transfer.WorkflowStepDecryptStepDetailsDestinationFileLocation; + content?: string; /** - * The name of the step, used as an identifier. + * The SHA-256 digest of the contents of the template. */ - name?: string; + contentSha256: string; /** - * A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`. + * The URL for the user interface template. */ - overwriteExisting?: string; + url: string; + } + + export interface ModelContainer { /** - * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. + * The DNS host name for the container. */ - sourceFileLocation?: string; + containerHostname?: string; /** - * The type of encryption used. Currently, this value must be `"PGP"`. + * Environment variables for the Docker container. + * A list of key value pairs. */ - type: string; - } - - export interface WorkflowStepDecryptStepDetailsDestinationFileLocation { + environment?: {[key: string]: string}; /** - * Specifies the details for the EFS file being copied. + * The registry path where the inference code image is stored in Amazon ECR. */ - efsFileLocation?: outputs.transfer.WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation; + image?: string; /** - * Specifies the details for the S3 file being copied. + * Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). 
For more information see [Using a Private Docker Registry for Real-Time Inference Containers](https://docs.aws.amazon.com/sagemaker/latest/dg/your-algorithms-containers-inference-private.html). see Image Config. */ - s3FileLocation?: outputs.transfer.WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation; - } - - export interface WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation { + imageConfig?: outputs.sagemaker.ModelContainerImageConfig; /** - * The ID of the file system, assigned by Amazon EFS. + * The container hosts value `SingleModel/MultiModel`. The default value is `SingleModel`. */ - fileSystemId?: string; + mode?: string; /** - * The pathname for the folder being used by a workflow. + * The location of model data to deploy. Use this for uncompressed model deployment. For information about how to deploy an uncompressed model, see [Deploying uncompressed models](https://docs.aws.amazon.com/sagemaker/latest/dg/large-model-inference-uncompressed.html) in the _AWS SageMaker Developer Guide_. */ - path?: string; + modelDataSource: outputs.sagemaker.ModelContainerModelDataSource; + /** + * The URL for the S3 location where model artifacts are stored. + */ + modelDataUrl?: string; + /** + * The Amazon Resource Name (ARN) of the model package to use to create the model. + */ + modelPackageName?: string; } - export interface WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation { + export interface ModelContainerImageConfig { /** - * Specifies the S3 bucket for the customer input file. + * Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). Allowed values are: `Platform` and `Vpc`. */ - bucket?: string; + repositoryAccessMode: string; /** - * The name assigned to the file when it was created in S3. You use the object key to retrieve the object. 
+ * Specifies an authentication configuration for the private docker registry where your model image is hosted. Specify a value for this property only if you specified Vpc as the value for the RepositoryAccessMode field, and the private Docker registry where the model image is hosted requires authentication. see Repository Auth Config. */ - key?: string; + repositoryAuthConfig?: outputs.sagemaker.ModelContainerImageConfigRepositoryAuthConfig; } - export interface WorkflowStepDeleteStepDetails { + export interface ModelContainerImageConfigRepositoryAuthConfig { /** - * The name of the step, used as an identifier. + * The Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html) in the _AWS Lambda Developer Guide_. */ - name?: string; + repositoryCredentialsProviderArn: string; + } + + export interface ModelContainerModelDataSource { /** - * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. + * The S3 location of model data to deploy. */ - sourceFileLocation?: string; + s3DataSources: outputs.sagemaker.ModelContainerModelDataSourceS3DataSource[]; } - export interface WorkflowStepTagStepDetails { + export interface ModelContainerModelDataSourceS3DataSource { /** - * The name of the step, used as an identifier. + * How the model data is prepared. Allowed values are: `None` and `Gzip`. 
*/ - name?: string; + compressionType: string; /** - * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. + * The type of model data to deploy. Allowed values are: `S3Object` and `S3Prefix`. */ - sourceFileLocation?: string; + s3DataType: string; /** - * Array that contains from 1 to 10 key/value pairs. See S3 Tags below. + * The S3 path of model data to deploy. */ - tags?: outputs.transfer.WorkflowStepTagStepDetailsTag[]; - } - - export interface WorkflowStepTagStepDetailsTag { - key: string; - value: string; - } - -} - -export namespace verifiedaccess { - export interface EndpointLoadBalancerOptions { - loadBalancerArn?: string; - port?: number; - protocol?: string; - subnetIds?: string[]; + s3Uri: string; } - export interface EndpointNetworkInterfaceOptions { - networkInterfaceId?: string; - port?: number; - protocol?: string; + export interface ModelInferenceExecutionConfig { + mode: string; } - export interface EndpointSseSpecification { - customerManagedKeyEnabled?: boolean; - kmsKeyArn?: string; + export interface ModelPrimaryContainer { + containerHostname?: string; + environment?: {[key: string]: string}; + image?: string; + imageConfig?: outputs.sagemaker.ModelPrimaryContainerImageConfig; + mode?: string; + modelDataSource: outputs.sagemaker.ModelPrimaryContainerModelDataSource; + modelDataUrl?: string; + modelPackageName?: string; } - export interface GroupSseConfiguration { - customerManagedKeyEnabled?: boolean; + export interface ModelPrimaryContainerImageConfig { /** - * ARN of the KMS key to use. 
+ * Specifies whether the model container is in Amazon ECR or a private Docker registry accessible from your Amazon Virtual Private Cloud (VPC). Allowed values are: `Platform` and `Vpc`. */ - kmsKeyArn?: string; + repositoryAccessMode: string; + /** + * Specifies an authentication configuration for the private docker registry where your model image is hosted. Specify a value for this property only if you specified Vpc as the value for the RepositoryAccessMode field, and the private Docker registry where the model image is hosted requires authentication. see Repository Auth Config. + */ + repositoryAuthConfig?: outputs.sagemaker.ModelPrimaryContainerImageConfigRepositoryAuthConfig; } - export interface InstanceLoggingConfigurationAccessLogs { + export interface ModelPrimaryContainerImageConfigRepositoryAuthConfig { /** - * A block that specifies configures sending Verified Access logs to CloudWatch Logs. Detailed below. + * The Amazon Resource Name (ARN) of an AWS Lambda function that provides credentials to authenticate to the private Docker registry where your model image is hosted. For information about how to create an AWS Lambda function, see [Create a Lambda function with the console](https://docs.aws.amazon.com/lambda/latest/dg/getting-started-create-function.html) in the _AWS Lambda Developer Guide_. */ - cloudwatchLogs?: outputs.verifiedaccess.InstanceLoggingConfigurationAccessLogsCloudwatchLogs; + repositoryCredentialsProviderArn: string; + } + + export interface ModelPrimaryContainerModelDataSource { /** - * Include trust data sent by trust providers into the logs. + * The S3 location of model data to deploy. */ - includeTrustContext: boolean; + s3DataSources: outputs.sagemaker.ModelPrimaryContainerModelDataSourceS3DataSource[]; + } + + export interface ModelPrimaryContainerModelDataSourceS3DataSource { /** - * A block that specifies configures sending Verified Access logs to Kinesis. Detailed below. + * How the model data is prepared. 
Allowed values are: `None` and `Gzip`. */ - kinesisDataFirehose?: outputs.verifiedaccess.InstanceLoggingConfigurationAccessLogsKinesisDataFirehose; + compressionType: string; /** - * The logging version to use. Refer to [VerifiedAccessLogOptions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_VerifiedAccessLogOptions.html) for the allowed values. + * The type of model data to deploy. Allowed values are: `S3Object` and `S3Prefix`. */ - logVersion: string; + s3DataType: string; /** - * A block that specifies configures sending Verified Access logs to S3. Detailed below. + * The S3 path of model data to deploy. */ - s3?: outputs.verifiedaccess.InstanceLoggingConfigurationAccessLogsS3; + s3Uri: string; } - export interface InstanceLoggingConfigurationAccessLogsCloudwatchLogs { + export interface ModelVpcConfig { + securityGroupIds: string[]; + subnets: string[]; + } + + export interface MonitoringScheduleMonitoringScheduleConfig { /** - * Indicates whether logging is enabled. + * The name of the monitoring job definition to schedule. */ - enabled: boolean; + monitoringJobDefinitionName: string; /** - * The name of the CloudWatch Logs Log Group. + * The type of the monitoring job definition to schedule. Valid values are `DataQuality`, `ModelQuality`, `ModelBias` or `ModelExplainability` */ - logGroup?: string; + monitoringType: string; + /** + * Configures the monitoring schedule. Fields are documented below. + */ + scheduleConfig: outputs.sagemaker.MonitoringScheduleMonitoringScheduleConfigScheduleConfig; } - export interface InstanceLoggingConfigurationAccessLogsKinesisDataFirehose { + export interface MonitoringScheduleMonitoringScheduleConfigScheduleConfig { /** - * The name of the delivery stream. + * A cron expression that describes details about the monitoring schedule. For example, and hourly schedule would be `cron(0 * ? * * *)`. 
*/ - deliveryStream?: string; + scheduleExpression: string; + } + + export interface NotebookInstanceInstanceMetadataServiceConfiguration { /** - * Indicates whether logging is enabled. + * Indicates the minimum IMDS version that the notebook instance supports. When passed "1" is passed. This means that both IMDSv1 and IMDSv2 are supported. Valid values are `1` and `2`. */ - enabled: boolean; + minimumInstanceMetadataServiceVersion: string; } - export interface InstanceLoggingConfigurationAccessLogsS3 { + export interface PipelineParallelismConfiguration { /** - * The name of S3 bucket. + * The max number of steps that can be executed in parallel. */ - bucketName?: string; + maxParallelExecutionSteps: number; + } + + export interface PipelinePipelineDefinitionS3Location { /** - * The ID of the AWS account that owns the Amazon S3 bucket. + * Name of the S3 bucket. */ - bucketOwner: string; + bucket: string; /** - * Indicates whether logging is enabled. + * The object key (or key name) uniquely identifies the object in an S3 bucket. */ - enabled: boolean; + objectKey: string; /** - * The bucket prefix. + * Version Id of the pipeline definition file. If not specified, Amazon SageMaker will retrieve the latest version. */ - prefix?: string; + versionId?: string; } - export interface InstanceVerifiedAccessTrustProvider { - /** - * A description for the AWS Verified Access Instance. - */ - description: string; + export interface ProjectServiceCatalogProvisioningDetails { /** - * The type of device-based trust provider. + * The path identifier of the product. This value is optional if the product has a default path, and required if the product has more than one path. */ - deviceTrustProviderType: string; + pathId?: string; /** - * The type of trust provider (user- or device-based). + * The ID of the product to provision. */ - trustProviderType: string; + productId: string; /** - * The type of user-based trust provider. + * The ID of the provisioning artifact. 
*/ - userTrustProviderType: string; + provisioningArtifactId: string; /** - * The ID of the trust provider. + * A list of key value pairs that you specify when you provision a product. See Provisioning Parameter below. */ - verifiedAccessTrustProviderId: string; - } - - export interface TrustProviderDeviceOptions { - tenantId?: string; + provisioningParameters?: outputs.sagemaker.ProjectServiceCatalogProvisioningDetailsProvisioningParameter[]; } - export interface TrustProviderOidcOptions { - authorizationEndpoint?: string; - clientId?: string; - clientSecret: string; - issuer?: string; - scope?: string; - tokenEndpoint?: string; - userInfoEndpoint?: string; + export interface ProjectServiceCatalogProvisioningDetailsProvisioningParameter { + /** + * The key that identifies a provisioning parameter. + */ + key: string; + /** + * The value of the provisioning parameter. + */ + value?: string; } -} - -export namespace verifiedpermissions { - export interface GetPolicyStoreValidationSetting { - mode: string; + export interface SpaceOwnershipSettings { + /** + * The user profile who is the owner of the private space. + */ + ownerUserProfileName: string; } - export interface PolicyDefinition { + export interface SpaceSpaceSettings { /** - * The static policy statement. See Static below. + * The type of app created within the space. */ - static?: outputs.verifiedpermissions.PolicyDefinitionStatic; + appType?: string; /** - * The template linked policy. See Template Linked below. + * The Code Editor application settings. See Code Editor App Settings below. */ - templateLinked?: outputs.verifiedpermissions.PolicyDefinitionTemplateLinked; - } - - export interface PolicyDefinitionStatic { + codeEditorAppSettings?: outputs.sagemaker.SpaceSpaceSettingsCodeEditorAppSettings; /** - * The description of the static policy. + * A file system, created by you, that you assign to a space for an Amazon SageMaker Domain. See Custom File System below. 
*/ - description?: string; + customFileSystems?: outputs.sagemaker.SpaceSpaceSettingsCustomFileSystem[]; /** - * The statement of the static policy. + * The settings for the JupyterLab application. See Jupyter Lab App Settings below. */ - statement: string; - } - - export interface PolicyDefinitionTemplateLinked { + jupyterLabAppSettings?: outputs.sagemaker.SpaceSpaceSettingsJupyterLabAppSettings; /** - * The ID of the template. + * The Jupyter server's app settings. See Jupyter Server App Settings below. */ - policyTemplateId: string; + jupyterServerAppSettings?: outputs.sagemaker.SpaceSpaceSettingsJupyterServerAppSettings; /** - * The principal of the template linked policy. + * The kernel gateway app settings. See Kernel Gateway App Settings below. */ - principal?: outputs.verifiedpermissions.PolicyDefinitionTemplateLinkedPrincipal; + kernelGatewayAppSettings?: outputs.sagemaker.SpaceSpaceSettingsKernelGatewayAppSettings; + spaceStorageSettings: outputs.sagemaker.SpaceSpaceSettingsSpaceStorageSettings; + } + + export interface SpaceSpaceSettingsCodeEditorAppSettings { /** - * The resource of the template linked policy. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. */ - resource?: outputs.verifiedpermissions.PolicyDefinitionTemplateLinkedResource; + defaultResourceSpec: outputs.sagemaker.SpaceSpaceSettingsCodeEditorAppSettingsDefaultResourceSpec; } - export interface PolicyDefinitionTemplateLinkedPrincipal { + export interface SpaceSpaceSettingsCodeEditorAppSettingsDefaultResourceSpec { /** - * The entity ID of the principal. + * The instance type. */ - entityId: string; + instanceType?: string; /** - * The entity type of the principal. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. 
*/ - entityType: string; - } - - export interface PolicyDefinitionTemplateLinkedResource { + lifecycleConfigArn?: string; /** - * The entity ID of the resource. + * The Amazon Resource Name (ARN) of the SageMaker image created on the instance. */ - entityId: string; + sagemakerImageArn?: string; /** - * The entity type of the resource. + * The SageMaker Image Version Alias. */ - entityType: string; - } - - export interface PolicyStoreValidationSettings { + sagemakerImageVersionAlias?: string; /** - * The mode for the validation settings. Valid values: `OFF`, `STRICT`. - * - * The following arguments are optional: + * The ARN of the image version created on the instance. */ - mode: string; + sagemakerImageVersionArn?: string; } - export interface SchemaDefinition { + export interface SpaceSpaceSettingsCustomFileSystem { /** - * A JSON string representation of the schema. + * A custom file system in Amazon EFS. see EFS File System below. */ - value: string; + efsFileSystem: outputs.sagemaker.SpaceSpaceSettingsCustomFileSystemEfsFileSystem; } -} - -export namespace vpc { - export interface EndpointServicePrivateDnsVerificationTimeouts { + export interface SpaceSpaceSettingsCustomFileSystemEfsFileSystem { /** - * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + * The ID of your Amazon EFS file system. */ - create?: string; + fileSystemId: string; } - export interface GetSecurityGroupRuleFilter { + export interface SpaceSpaceSettingsJupyterLabAppSettings { /** - * Name of the filter field. Valid values can be found in the EC2 [`DescribeSecurityGroupRules`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupRules.html) API Reference. + * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. 
see Code Repository below. */ - name: string; + codeRepositories?: outputs.sagemaker.SpaceSpaceSettingsJupyterLabAppSettingsCodeRepository[]; /** - * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. */ - values: string[]; + defaultResourceSpec: outputs.sagemaker.SpaceSpaceSettingsJupyterLabAppSettingsDefaultResourceSpec; } - export interface GetSecurityGroupRulesFilter { - /** - * Name of the field to filter by, as defined by - * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupRules.html). - */ - name: string; + export interface SpaceSpaceSettingsJupyterLabAppSettingsCodeRepository { /** - * Set of values that are accepted for the given field. - * Security group rule IDs will be selected if any one of the given values match. + * The URL of the Git repository. 
*/ - values: string[]; - } - -} - -export namespace vpclattice { - export interface GetListenerDefaultAction { - fixedResponses: outputs.vpclattice.GetListenerDefaultActionFixedResponse[]; - forwards: outputs.vpclattice.GetListenerDefaultActionForward[]; - } - - export interface GetListenerDefaultActionFixedResponse { - statusCode: number; - } - - export interface GetListenerDefaultActionForward { - targetGroups: outputs.vpclattice.GetListenerDefaultActionForwardTargetGroup[]; - } - - export interface GetListenerDefaultActionForwardTargetGroup { - targetGroupIdentifier: string; - weight: number; - } - - export interface GetServiceDnsEntry { - domainName: string; - hostedZoneId: string; + repositoryUrl: string; } - export interface ListenerDefaultAction { - fixedResponse?: outputs.vpclattice.ListenerDefaultActionFixedResponse; + export interface SpaceSpaceSettingsJupyterLabAppSettingsDefaultResourceSpec { /** - * Route requests to one or more target groups. See Forward blocks below. - * - * > **NOTE:** You must specify exactly one of the following argument blocks: `fixedResponse` or `forward`. + * The instance type. */ - forwards?: outputs.vpclattice.ListenerDefaultActionForward[]; - } - - export interface ListenerDefaultActionFixedResponse { + instanceType?: string; /** - * Custom HTTP status code to return, e.g. a 404 response code. See [Listeners](https://docs.aws.amazon.com/vpc-lattice/latest/ug/listeners.html) in the AWS documentation for a list of supported codes. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - statusCode: number; - } - - export interface ListenerDefaultActionForward { + lifecycleConfigArn?: string; /** - * One or more target group blocks. + * The Amazon Resource Name (ARN) of the SageMaker image created on the instance. 
*/ - targetGroups?: outputs.vpclattice.ListenerDefaultActionForwardTargetGroup[]; - } - - export interface ListenerDefaultActionForwardTargetGroup { - targetGroupIdentifier?: string; - weight?: number; - } - - export interface ListenerRuleAction { + sagemakerImageArn?: string; /** - * Describes the rule action that returns a custom HTTP response. + * The SageMaker Image Version Alias. */ - fixedResponse?: outputs.vpclattice.ListenerRuleActionFixedResponse; + sagemakerImageVersionAlias?: string; /** - * The forward action. Traffic that matches the rule is forwarded to the specified target groups. + * The ARN of the image version created on the instance. */ - forward?: outputs.vpclattice.ListenerRuleActionForward; + sagemakerImageVersionArn?: string; } - export interface ListenerRuleActionFixedResponse { + export interface SpaceSpaceSettingsJupyterServerAppSettings { /** - * The HTTP response code. + * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see Code Repository below. */ - statusCode: number; - } - - export interface ListenerRuleActionForward { + codeRepositories?: outputs.sagemaker.SpaceSpaceSettingsJupyterServerAppSettingsCodeRepository[]; /** - * The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic. - * - * The default value is 1 with maximum number of 2. If only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. 
*/ - targetGroups: outputs.vpclattice.ListenerRuleActionForwardTargetGroup[]; - } - - export interface ListenerRuleActionForwardTargetGroup { - targetGroupIdentifier: string; - weight?: number; + defaultResourceSpec: outputs.sagemaker.SpaceSpaceSettingsJupyterServerAppSettingsDefaultResourceSpec; + /** + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. + */ + lifecycleConfigArns?: string[]; } - export interface ListenerRuleMatch { + export interface SpaceSpaceSettingsJupyterServerAppSettingsCodeRepository { /** - * The HTTP criteria that a rule must match. + * The URL of the Git repository. */ - httpMatch?: outputs.vpclattice.ListenerRuleMatchHttpMatch; + repositoryUrl: string; } - export interface ListenerRuleMatchHttpMatch { + export interface SpaceSpaceSettingsJupyterServerAppSettingsDefaultResourceSpec { /** - * The header matches. Matches incoming requests with rule based on request header value before applying rule action. + * The instance type. */ - headerMatches?: outputs.vpclattice.ListenerRuleMatchHttpMatchHeaderMatch[]; + instanceType?: string; /** - * The HTTP method type. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - method?: string; + lifecycleConfigArn?: string; /** - * The path match. + * The Amazon Resource Name (ARN) of the SageMaker image created on the instance. */ - pathMatch?: outputs.vpclattice.ListenerRuleMatchHttpMatchPathMatch; + sagemakerImageArn?: string; + /** + * The SageMaker Image Version Alias. + */ + sagemakerImageVersionAlias?: string; + /** + * The ARN of the image version created on the instance. + */ + sagemakerImageVersionArn?: string; } - export interface ListenerRuleMatchHttpMatchHeaderMatch { + export interface SpaceSpaceSettingsKernelGatewayAppSettings { /** - * Indicates whether the match is case sensitive. Defaults to false. + * A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below. 
*/ - caseSensitive?: boolean; + customImages?: outputs.sagemaker.SpaceSpaceSettingsKernelGatewayAppSettingsCustomImage[]; /** - * The header match type. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. */ - match: outputs.vpclattice.ListenerRuleMatchHttpMatchHeaderMatchMatch; + defaultResourceSpec: outputs.sagemaker.SpaceSpaceSettingsKernelGatewayAppSettingsDefaultResourceSpec; /** - * The name of the header. + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. */ - name: string; + lifecycleConfigArns?: string[]; } - export interface ListenerRuleMatchHttpMatchHeaderMatchMatch { + export interface SpaceSpaceSettingsKernelGatewayAppSettingsCustomImage { /** - * Specifies a contains type match. + * The name of the App Image Config. */ - contains?: string; + appImageConfigName: string; /** - * Specifies an exact type match. + * The name of the Custom Image. */ - exact?: string; + imageName: string; /** - * Specifies a prefix type match. Matches the value with the prefix. + * The version number of the Custom Image. */ - prefix?: string; + imageVersionNumber?: number; } - export interface ListenerRuleMatchHttpMatchPathMatch { + export interface SpaceSpaceSettingsKernelGatewayAppSettingsDefaultResourceSpec { /** - * Indicates whether the match is case sensitive. Defaults to false. + * The instance type. */ - caseSensitive?: boolean; + instanceType?: string; /** - * The header match type. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - match: outputs.vpclattice.ListenerRuleMatchHttpMatchPathMatchMatch; - } - - export interface ListenerRuleMatchHttpMatchPathMatchMatch { + lifecycleConfigArn?: string; /** - * Specifies an exact type match. + * The Amazon Resource Name (ARN) of the SageMaker image created on the instance. */ - exact?: string; + sagemakerImageArn?: string; /** - * Specifies a prefix type match. 
Matches the value with the prefix. + * The SageMaker Image Version Alias. */ - prefix?: string; + sagemakerImageVersionAlias?: string; + /** + * The ARN of the image version created on the instance. + */ + sagemakerImageVersionArn?: string; } - export interface ServiceDnsEntry { - domainName: string; - hostedZoneId: string; + export interface SpaceSpaceSettingsSpaceStorageSettings { + ebsStorageSettings: outputs.sagemaker.SpaceSpaceSettingsSpaceStorageSettingsEbsStorageSettings; } - export interface ServiceNetworkServiceAssociationDnsEntry { - /** - * The domain name of the service. - */ - domainName: string; + export interface SpaceSpaceSettingsSpaceStorageSettingsEbsStorageSettings { + ebsVolumeSizeInGb: number; + } + + export interface SpaceSpaceSharingSettings { /** - * The ID of the hosted zone. + * Specifies the sharing type of the space. Valid values are `Private` and `Shared`. */ - hostedZoneId: string; + sharingType: string; } - export interface TargetGroupAttachmentTarget { + export interface UserProfileUserSettings { /** - * The ID of the target. If the target type of the target group is INSTANCE, this is an instance ID. If the target type is IP , this is an IP address. If the target type is LAMBDA, this is the ARN of the Lambda function. If the target type is ALB, this is the ARN of the Application Load Balancer. + * The Canvas app settings. See Canvas App Settings below. */ - id: string; + canvasAppSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettings; /** - * This port is used for routing traffic to the target, and defaults to the target group port. However, you can override the default and specify a custom port. + * The Code Editor application settings. See Code Editor App Settings below. */ - port: number; - } - - export interface TargetGroupConfig { + codeEditorAppSettings?: outputs.sagemaker.UserProfileUserSettingsCodeEditorAppSettings; /** - * The health check configuration. 
+ * The settings for assigning a custom file system to a user profile. Permitted users can access this file system in Amazon SageMaker Studio. See Custom File System Config below. */ - healthCheck?: outputs.vpclattice.TargetGroupConfigHealthCheck; + customFileSystemConfigs?: outputs.sagemaker.UserProfileUserSettingsCustomFileSystemConfig[]; /** - * The type of IP address used for the target group. Valid values: `IPV4` | `IPV6`. + * Details about the POSIX identity that is used for file system operations. See Custom Posix User Config below. */ - ipAddressType: string; + customPosixUserConfig?: outputs.sagemaker.UserProfileUserSettingsCustomPosixUserConfig; /** - * The version of the event structure that the Lambda function receives. Supported only if `type` is `LAMBDA`. Valid Values are `V1` | `V2`. + * The default experience that the user is directed to when accessing the domain. The supported values are: `studio::`: Indicates that Studio is the default experience. This value can only be passed if StudioWebPortal is set to ENABLED. `app:JupyterServer:`: Indicates that Studio Classic is the default experience. */ - lambdaEventStructureVersion: string; + defaultLandingUri?: string; /** - * The port on which the targets are listening. + * The execution role ARN for the user. */ - port: number; + executionRole: string; /** - * The protocol to use for routing traffic to the targets. Valid Values are `HTTP` | `HTTPS`. + * The settings for the JupyterLab application. See Jupyter Lab App Settings below. */ - protocol: string; + jupyterLabAppSettings?: outputs.sagemaker.UserProfileUserSettingsJupyterLabAppSettings; /** - * The protocol version. Valid Values are `HTTP1` | `HTTP2` | `GRPC`. Default value is `HTTP1`. + * The Jupyter server's app settings. See Jupyter Server App Settings below. */ - protocolVersion: string; + jupyterServerAppSettings?: outputs.sagemaker.UserProfileUserSettingsJupyterServerAppSettings; /** - * The ID of the VPC. 
+ * The kernel gateway app settings. See Kernel Gateway App Settings below. */ - vpcIdentifier?: string; - } - - export interface TargetGroupConfigHealthCheck { + kernelGatewayAppSettings?: outputs.sagemaker.UserProfileUserSettingsKernelGatewayAppSettings; /** - * Indicates whether health checking is enabled. Defaults to `true`. + * The RSession app settings. See RSession App Settings below. */ - enabled?: boolean; + rSessionAppSettings?: outputs.sagemaker.UserProfileUserSettingsRSessionAppSettings; + /** + * A collection of settings that configure user interaction with the RStudioServerPro app. See RStudioServerProAppSettings below. + */ + rStudioServerProAppSettings?: outputs.sagemaker.UserProfileUserSettingsRStudioServerProAppSettings; + /** + * A list of security group IDs that will be attached to the user. + */ + securityGroups?: string[]; + /** + * The sharing settings. See Sharing Settings below. + */ + sharingSettings?: outputs.sagemaker.UserProfileUserSettingsSharingSettings; + /** + * The storage settings for a private space. See Space Storage Settings below. + */ + spaceStorageSettings: outputs.sagemaker.UserProfileUserSettingsSpaceStorageSettings; /** - * The approximate amount of time, in seconds, between health checks of an individual target. The range is 5–300 seconds. The default is 30 seconds. + * Whether the user can access Studio. If this value is set to `DISABLED`, the user cannot access Studio, even if that is the default experience for the domain. Valid values are `ENABLED` and `DISABLED`. */ - healthCheckIntervalSeconds?: number; + studioWebPortal: string; /** - * The amount of time, in seconds, to wait before reporting a target as unhealthy. The range is 1–120 seconds. The default is 5 seconds. - * * `healthyThresholdCount ` - (Optional) The number of consecutive successful health checks required before considering an unhealthy target healthy. The range is 2–10. The default is 5. + * The TensorBoard app settings. 
See TensorBoard App Settings below. */ - healthCheckTimeoutSeconds?: number; - healthyThresholdCount?: number; + tensorBoardAppSettings?: outputs.sagemaker.UserProfileUserSettingsTensorBoardAppSettings; + } + + export interface UserProfileUserSettingsCanvasAppSettings { /** - * The codes to use when checking for a successful response from a target. These are called _Success codes_ in the console. + * The model deployment settings for the SageMaker Canvas application. See Direct Deploy Settings below. */ - matcher?: outputs.vpclattice.TargetGroupConfigHealthCheckMatcher; + directDeploySettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsDirectDeploySettings; /** - * The destination for health checks on the targets. If the protocol version is HTTP/1.1 or HTTP/2, specify a valid URI (for example, /path?query). The default path is `/`. Health checks are not supported if the protocol version is gRPC, however, you can choose HTTP/1.1 or HTTP/2 and specify a valid URI. + * The settings for connecting to an external data source with OAuth. See Identity Provider OAuth Settings below. */ - path?: string; + identityProviderOauthSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsIdentityProviderOauthSetting[]; /** - * The port used when performing health checks on targets. The default setting is the port that a target receives traffic on. + * The settings for document querying. See Kendra Settings below. */ - port: number; + kendraSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsKendraSettings; /** - * The protocol used when performing health checks on targets. The possible protocols are `HTTP` and `HTTPS`. + * The model registry settings for the SageMaker Canvas application. See Model Register Settings below. */ - protocol: string; + modelRegisterSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsModelRegisterSettings; /** - * The protocol version used when performing health checks on targets. 
The possible protocol versions are `HTTP1` and `HTTP2`. The default is `HTTP1`. + * Time series forecast settings for the Canvas app. See Time Series Forecasting Settings below. */ - protocolVersion?: string; + timeSeriesForecastingSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsTimeSeriesForecastingSettings; /** - * The number of consecutive failed health checks required before considering a target unhealthy. The range is 2–10. The default is 2. + * The workspace settings for the SageMaker Canvas application. See Workspace Settings below. */ - unhealthyThresholdCount?: number; + workspaceSettings?: outputs.sagemaker.UserProfileUserSettingsCanvasAppSettingsWorkspaceSettings; } - export interface TargetGroupConfigHealthCheckMatcher { + export interface UserProfileUserSettingsCanvasAppSettingsDirectDeploySettings { /** - * The HTTP codes to use when checking for a successful response from a target. + * Describes whether model deployment permissions are enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. */ - value?: string; - } - -} - -export namespace waf { - export interface ByteMatchSetByteMatchTuple { - fieldToMatch: outputs.waf.ByteMatchSetByteMatchTupleFieldToMatch; - positionalConstraint: string; - targetString?: string; - textTransformation: string; - } - - export interface ByteMatchSetByteMatchTupleFieldToMatch { - data?: string; - type: string; - } - - export interface GeoMatchSetGeoMatchConstraint { - type: string; - value: string; - } - - export interface IpSetIpSetDescriptor { - type: string; - value: string; - } - - export interface RateBasedRulePredicate { - dataId: string; - negated: boolean; - type: string; + status?: string; } - export interface RegexMatchSetRegexMatchTuple { + export interface UserProfileUserSettingsCanvasAppSettingsIdentityProviderOauthSetting { /** - * The part of a web request that you want to search, such as a specified header or a query string. 
+ * The name of the data source that you're connecting to. Canvas currently supports OAuth for Snowflake and Salesforce Data Cloud. Valid values are `SalesforceGenie` and `Snowflake`. */ - fieldToMatch: outputs.waf.RegexMatchSetRegexMatchTupleFieldToMatch; + dataSourceName?: string; /** - * The ID of a Regex Pattern Set. + * The ARN of an Amazon Web Services Secrets Manager secret that stores the credentials from your identity provider, such as the client ID and secret, authorization URL, and token URL. */ - regexPatternSetId: string; + secretArn: string; /** - * Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. - * e.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`. - * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchTuple.html#WAF-Type-ByteMatchTuple-TextTransformation) - * for all supported values. + * Describes whether OAuth for a data source is enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. */ - textTransformation: string; + status?: string; } - export interface RegexMatchSetRegexMatchTupleFieldToMatch { - /** - * When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`. - * If `type` is any other value, omit this field. - */ - data?: string; + export interface UserProfileUserSettingsCanvasAppSettingsKendraSettings { /** - * The part of the web request that you want AWS WAF to search for a specified string. - * e.g., `HEADER`, `METHOD` or `BODY`. - * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_FieldToMatch.html) - * for all supported values. + * Describes whether the document querying feature is enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. 
*/ - type: string; - } - - export interface RuleGroupActivatedRule { - action: outputs.waf.RuleGroupActivatedRuleAction; - priority: number; - ruleId: string; - type?: string; - } - - export interface RuleGroupActivatedRuleAction { - type: string; - } - - export interface RulePredicate { - dataId: string; - negated: boolean; - type: string; - } - - export interface SizeConstraintSetSizeConstraint { - comparisonOperator: string; - fieldToMatch: outputs.waf.SizeConstraintSetSizeConstraintFieldToMatch; - size: number; - textTransformation: string; + status?: string; } - export interface SizeConstraintSetSizeConstraintFieldToMatch { - data?: string; - type: string; + export interface UserProfileUserSettingsCanvasAppSettingsModelRegisterSettings { + /** + * The Amazon Resource Name (ARN) of the SageMaker model registry account. Required only to register model versions created by a different SageMaker Canvas AWS account than the AWS account in which SageMaker model registry is set up. + */ + crossAccountModelRegisterRoleArn?: string; + /** + * Describes whether the integration to the model registry is enabled or disabled in the Canvas application. Valid values are `ENABLED` and `DISABLED`. + */ + status?: string; } - export interface SqlInjectionMatchSetSqlInjectionMatchTuple { + export interface UserProfileUserSettingsCanvasAppSettingsTimeSeriesForecastingSettings { /** - * Specifies where in a web request to look for snippets of malicious SQL code. + * The IAM role that Canvas passes to Amazon Forecast for time series forecasting. By default, Canvas uses the execution role specified in the UserProfile that launches the Canvas app. If an execution role is not specified in the UserProfile, Canvas uses the execution role specified in the Domain that owns the UserProfile. 
To allow time series forecasting, this IAM role should have the [AmazonSageMakerCanvasForecastAccess](https://docs.aws.amazon.com/sagemaker/latest/dg/security-iam-awsmanpol-canvas.html#security-iam-awsmanpol-AmazonSageMakerCanvasForecastAccess) policy attached and forecast.amazonaws.com added in the trust relationship as a service principal. */ - fieldToMatch: outputs.waf.SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch; + amazonForecastRoleArn?: string; /** - * Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. - * If you specify a transformation, AWS WAF performs the transformation on `fieldToMatch` before inspecting a request for a match. - * e.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`. - * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_SqlInjectionMatchTuple.html#WAF-Type-SqlInjectionMatchTuple-TextTransformation) - * for all supported values. + * Describes whether time series forecasting is enabled or disabled in the Canvas app. Valid values are `ENABLED` and `DISABLED`. */ - textTransformation: string; + status?: string; } - export interface SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch { - data?: string; - type: string; + export interface UserProfileUserSettingsCanvasAppSettingsWorkspaceSettings { + /** + * The Amazon S3 bucket used to store artifacts generated by Canvas. Updating the Amazon S3 location impacts existing configuration settings, and Canvas users no longer have access to their artifacts. Canvas users must log out and log back in to apply the new location. + */ + s3ArtifactPath?: string; + /** + * The Amazon Web Services Key Management Service (KMS) encryption key ID that is used to encrypt artifacts generated by Canvas in the Amazon S3 bucket. 
+ */ + s3KmsKeyId?: string; } - export interface WebAclDefaultAction { + export interface UserProfileUserSettingsCodeEditorAppSettings { /** - * Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the `rules`. - * e.g., `ALLOW` or `BLOCK` + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. */ - type: string; + defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsCodeEditorAppSettingsDefaultResourceSpec; + /** + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. + */ + lifecycleConfigArns?: string[]; } - export interface WebAclLoggingConfiguration { + export interface UserProfileUserSettingsCodeEditorAppSettingsDefaultResourceSpec { /** - * Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - logDestination: string; + instanceType?: string; /** - * Configuration block containing parts of the request that you want redacted from the logs. Detailed below. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - redactedFields?: outputs.waf.WebAclLoggingConfigurationRedactedFields; + lifecycleConfigArn?: string; + /** + * The ARN of the SageMaker image that the image version belongs to. + */ + sagemakerImageArn?: string; + /** + * The SageMaker Image Version Alias. + */ + sagemakerImageVersionAlias?: string; + /** + * The ARN of the image version created on the instance. + */ + sagemakerImageVersionArn?: string; } - export interface WebAclLoggingConfigurationRedactedFields { + export interface UserProfileUserSettingsCustomFileSystemConfig { /** - * Set of configuration blocks for fields to redact. Detailed below. 
+ * The default EBS storage settings for a private space. See EFS File System Config below. */ - fieldToMatches: outputs.waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatch[]; + efsFileSystemConfigs?: outputs.sagemaker.UserProfileUserSettingsCustomFileSystemConfigEfsFileSystemConfig[]; } - export interface WebAclLoggingConfigurationRedactedFieldsFieldToMatch { + export interface UserProfileUserSettingsCustomFileSystemConfigEfsFileSystemConfig { /** - * When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`. + * The ID of your Amazon EFS file system. */ - data?: string; + fileSystemId: string; /** - * The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD` + * The path to the file system directory that is accessible in Amazon SageMaker Studio. Permitted users can access only this directory and below. */ - type: string; + fileSystemPath?: string; } - export interface WebAclRule { + export interface UserProfileUserSettingsCustomPosixUserConfig { /** - * The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`. + * The POSIX group ID. */ - action?: outputs.waf.WebAclRuleAction; + gid: number; /** - * Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if `type` is `GROUP`. + * The POSIX user ID. */ - overrideAction?: outputs.waf.WebAclRuleOverrideAction; + uid: number; + } + + export interface UserProfileUserSettingsJupyterLabAppSettings { /** - * Specifies the order in which the rules in a WebACL are evaluated. - * Rules with a lower value are evaluated before rules with a higher value. + * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. 
see Code Repository below. */ - priority: number; + codeRepositories?: outputs.sagemaker.UserProfileUserSettingsJupyterLabAppSettingsCodeRepository[]; + customImages?: outputs.sagemaker.UserProfileUserSettingsJupyterLabAppSettingsCustomImage[]; /** - * ID of the associated WAF (Global) rule (e.g., `aws.waf.Rule`). WAF (Regional) rules cannot be used. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. */ - ruleId: string; + defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsJupyterLabAppSettingsDefaultResourceSpec; /** - * The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html), or `GROUP`, as defined by [RuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. If you add a GROUP rule, you need to set `type` as `GROUP`. + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. */ - type?: string; + lifecycleConfigArns?: string[]; } - export interface WebAclRuleAction { + export interface UserProfileUserSettingsJupyterLabAppSettingsCodeRepository { /** - * valid values are: `BLOCK`, `ALLOW`, or `COUNT` + * The URL of the Git repository. */ - type: string; + repositoryUrl: string; } - export interface WebAclRuleOverrideAction { + export interface UserProfileUserSettingsJupyterLabAppSettingsCustomImage { /** - * valid values are: `NONE` or `COUNT` + * The name of the App Image Config. */ - type: string; - } - - export interface XssMatchSetXssMatchTuple { + appImageConfigName: string; /** - * Specifies where in a web request to look for cross-site scripting attacks. + * The name of the Custom Image. 
*/ - fieldToMatch: outputs.waf.XssMatchSetXssMatchTupleFieldToMatch; + imageName: string; /** - * Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. - * If you specify a transformation, AWS WAF performs the transformation on `targetString` before inspecting a request for a match. - * e.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`. - * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_XssMatchTuple.html#WAF-Type-XssMatchTuple-TextTransformation) - * for all supported values. + * The version number of the Custom Image. */ - textTransformation: string; - } - - export interface XssMatchSetXssMatchTupleFieldToMatch { - data?: string; - type: string; + imageVersionNumber?: number; } -} - -export namespace wafregional { - export interface ByteMatchSetByteMatchTuple { + export interface UserProfileUserSettingsJupyterLabAppSettingsDefaultResourceSpec { /** - * Settings for the ByteMatchTuple. FieldToMatch documented below. + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - fieldToMatch: outputs.wafregional.ByteMatchSetByteMatchTupleFieldToMatch; + instanceType?: string; /** - * Within the portion of a web request that you want to search. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - positionalConstraint: string; + lifecycleConfigArn?: string; /** - * The value that you want AWS WAF to search for. The maximum length of the value is 50 bytes. + * The ARN of the SageMaker image that the image version belongs to. */ - targetString?: string; + sagemakerImageArn?: string; /** - * The formatting way for web request. - * - * FieldToMatch(field_to_match) support following: + * The SageMaker Image Version Alias. 
*/ - textTransformation: string; + sagemakerImageVersionAlias?: string; + /** + * The ARN of the image version created on the instance. + */ + sagemakerImageVersionArn?: string; } - export interface ByteMatchSetByteMatchTupleFieldToMatch { + export interface UserProfileUserSettingsJupyterServerAppSettings { /** - * When the value of Type is HEADER, enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer. If the value of Type is any other value, omit Data. + * A list of Git repositories that SageMaker automatically displays to users for cloning in the JupyterServer application. see Code Repository below. */ - data?: string; + codeRepositories?: outputs.sagemaker.UserProfileUserSettingsJupyterServerAppSettingsCodeRepository[]; /** - * The part of the web request that you want AWS WAF to search for a specified string. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. */ - type: string; - } - - export interface GeoMatchSetGeoMatchConstraint { - type: string; - value: string; - } - - export interface IpSetIpSetDescriptor { - type: string; - value: string; + defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsJupyterServerAppSettingsDefaultResourceSpec; + /** + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. + */ + lifecycleConfigArns?: string[]; } - export interface RateBasedRulePredicate { - dataId: string; - negated: boolean; - type: string; + export interface UserProfileUserSettingsJupyterServerAppSettingsCodeRepository { + /** + * The URL of the Git repository. + */ + repositoryUrl: string; } - export interface RegexMatchSetRegexMatchTuple { + export interface UserProfileUserSettingsJupyterServerAppSettingsDefaultResourceSpec { /** - * The part of a web request that you want to search, such as a specified header or a query string. + * The instance type that the image version runs on.. 
For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - fieldToMatch: outputs.wafregional.RegexMatchSetRegexMatchTupleFieldToMatch; + instanceType?: string; /** - * The ID of a Regex Pattern Set. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - regexPatternSetId: string; + lifecycleConfigArn?: string; /** - * Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. - * e.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`. - * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchTuple.html#WAF-Type-ByteMatchTuple-TextTransformation) - * for all supported values. + * The ARN of the SageMaker image that the image version belongs to. */ - textTransformation: string; - } - - export interface RegexMatchSetRegexMatchTupleFieldToMatch { + sagemakerImageArn?: string; /** - * When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`. - * If `type` is any other value, omit this field. + * The SageMaker Image Version Alias. */ - data?: string; + sagemakerImageVersionAlias?: string; /** - * The part of the web request that you want AWS WAF to search for a specified string. - * e.g., `HEADER`, `METHOD` or `BODY`. - * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_FieldToMatch.html) - * for all supported values. + * The ARN of the image version created on the instance. 
*/ - type: string; - } - - export interface RuleGroupActivatedRule { - action: outputs.wafregional.RuleGroupActivatedRuleAction; - priority: number; - ruleId: string; - type?: string; - } - - export interface RuleGroupActivatedRuleAction { - type: string; - } - - export interface RulePredicate { - dataId: string; - negated: boolean; - type: string; - } - - export interface SizeConstraintSetSizeConstraint { - comparisonOperator: string; - fieldToMatch: outputs.wafregional.SizeConstraintSetSizeConstraintFieldToMatch; - size: number; - textTransformation: string; - } - - export interface SizeConstraintSetSizeConstraintFieldToMatch { - data?: string; - type: string; + sagemakerImageVersionArn?: string; } - export interface SqlInjectionMatchSetSqlInjectionMatchTuple { + export interface UserProfileUserSettingsKernelGatewayAppSettings { /** - * Specifies where in a web request to look for snippets of malicious SQL code. + * A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below. */ - fieldToMatch: outputs.wafregional.SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch; + customImages?: outputs.sagemaker.UserProfileUserSettingsKernelGatewayAppSettingsCustomImage[]; /** - * Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. - * If you specify a transformation, AWS WAF performs the transformation on `fieldToMatch` before inspecting a request for a match. - * e.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`. - * See [docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_SqlInjectionMatchTuple.html#WAF-Type-regional_SqlInjectionMatchTuple-TextTransformation) - * for all supported values. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. 
*/ - textTransformation: string; + defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsKernelGatewayAppSettingsDefaultResourceSpec; + /** + * The Amazon Resource Name (ARN) of the Lifecycle Configurations. + */ + lifecycleConfigArns?: string[]; } - export interface SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch { + export interface UserProfileUserSettingsKernelGatewayAppSettingsCustomImage { /** - * When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`. - * If `type` is any other value, omit this field. + * The name of the App Image Config. */ - data?: string; + appImageConfigName: string; /** - * The part of the web request that you want AWS WAF to search for a specified string. - * e.g., `HEADER`, `METHOD` or `BODY`. - * See [docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_FieldToMatch.html) - * for all supported values. + * The name of the Custom Image. */ - type: string; - } - - export interface WebAclDefaultAction { + imageName: string; /** - * Specifies how you want AWS WAF Regional to respond to requests that match the settings in a ruleE.g., `ALLOW`, `BLOCK` or `COUNT` + * The version number of the Custom Image. */ - type: string; + imageVersionNumber?: number; } - export interface WebAclLoggingConfiguration { + export interface UserProfileUserSettingsKernelGatewayAppSettingsDefaultResourceSpec { /** - * Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - logDestination: string; + instanceType?: string; /** - * Configuration block containing parts of the request that you want redacted from the logs. Detailed below. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. 
*/ - redactedFields?: outputs.wafregional.WebAclLoggingConfigurationRedactedFields; - } - - export interface WebAclLoggingConfigurationRedactedFields { + lifecycleConfigArn?: string; /** - * Set of configuration blocks for fields to redact. Detailed below. + * The ARN of the SageMaker image that the image version belongs to. */ - fieldToMatches: outputs.wafregional.WebAclLoggingConfigurationRedactedFieldsFieldToMatch[]; - } - - export interface WebAclLoggingConfigurationRedactedFieldsFieldToMatch { + sagemakerImageArn?: string; /** - * When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`. + * The SageMaker Image Version Alias. */ - data?: string; + sagemakerImageVersionAlias?: string; /** - * The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD` + * The ARN of the image version created on the instance. */ - type: string; + sagemakerImageVersionArn?: string; } - export interface WebAclRule { + export interface UserProfileUserSettingsRSessionAppSettings { /** - * Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`. Detailed below. + * A list of custom SageMaker images that are configured to run as a KernelGateway app. see Custom Image below. */ - action?: outputs.wafregional.WebAclRuleAction; + customImages?: outputs.sagemaker.UserProfileUserSettingsRSessionAppSettingsCustomImage[]; /** - * Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if `type` is `GROUP`. Detailed below. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. 
*/ - overrideAction?: outputs.wafregional.WebAclRuleOverrideAction; + defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsRSessionAppSettingsDefaultResourceSpec; + } + + export interface UserProfileUserSettingsRSessionAppSettingsCustomImage { /** - * Specifies the order in which the rules in a WebACL are evaluated. - * Rules with a lower value are evaluated before rules with a higher value. + * The name of the App Image Config. */ - priority: number; + appImageConfigName: string; /** - * ID of the associated WAF (Regional) rule (e.g., `aws.wafregional.Rule`). WAF (Global) rules cannot be used. + * The name of the Custom Image. */ - ruleId: string; + imageName: string; /** - * The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html), or `GROUP`, as defined by [RuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. If you add a GROUP rule, you need to set `type` as `GROUP`. + * The version number of the Custom Image. */ - type?: string; + imageVersionNumber?: number; } - export interface WebAclRuleAction { + export interface UserProfileUserSettingsRSessionAppSettingsDefaultResourceSpec { /** - * Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for `action` are `ALLOW`, `BLOCK` or `COUNT`. Valid values for `overrideAction` are `COUNT` and `NONE`. + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). 
*/ - type: string; - } - - export interface WebAclRuleOverrideAction { - type: string; + instanceType?: string; + /** + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. + */ + lifecycleConfigArn?: string; + /** + * The ARN of the SageMaker image that the image version belongs to. + */ + sagemakerImageArn?: string; + /** + * The SageMaker Image Version Alias. + */ + sagemakerImageVersionAlias?: string; + /** + * The ARN of the image version created on the instance. + */ + sagemakerImageVersionArn?: string; } - export interface XssMatchSetXssMatchTuple { + export interface UserProfileUserSettingsRStudioServerProAppSettings { /** - * Specifies where in a web request to look for cross-site scripting attacks. + * Indicates whether the current user has access to the RStudioServerPro app. Valid values are `ENABLED` and `DISABLED`. */ - fieldToMatch: outputs.wafregional.XssMatchSetXssMatchTupleFieldToMatch; + accessStatus?: string; /** - * Which text transformation, if any, to perform on the web request before inspecting the request for cross-site scripting attacks. + * The level of permissions that the user has within the RStudioServerPro app. This value defaults to `R_STUDIO_USER`. The `R_STUDIO_ADMIN` value allows the user access to the RStudio Administrative Dashboard. Valid values are `R_STUDIO_USER` and `R_STUDIO_ADMIN`. */ - textTransformation: string; + userGroup?: string; } - export interface XssMatchSetXssMatchTupleFieldToMatch { + export interface UserProfileUserSettingsSharingSettings { /** - * When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`. + * Whether to include the notebook cell output when sharing the notebook. The default is `Disabled`. Valid values are `Allowed` and `Disabled`. 
*/ - data?: string; + notebookOutputOption?: string; /** - * The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD` + * When `notebookOutputOption` is Allowed, the AWS Key Management Service (KMS) encryption key ID used to encrypt the notebook cell output in the Amazon S3 bucket. */ - type: string; - } - -} - -export namespace wafv2 { - export interface GetRegexPatternSetRegularExpression { + s3KmsKeyId?: string; /** - * (Required) String representing the regular expression, see the AWS WAF [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-regex-pattern-set-creating.html) for more information. + * When `notebookOutputOption` is Allowed, the Amazon S3 bucket used to save the notebook cell output. */ - regexString: string; + s3OutputPath?: string; } - export interface RegexPatternSetRegularExpression { + export interface UserProfileUserSettingsSpaceStorageSettings { /** - * The string representing the regular expression, see the AWS WAF [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-regex-pattern-set-creating.html) for more information. + * The default EBS storage settings for a private space. See Default EBS Storage Settings below. */ - regexString: string; + defaultEbsStorageSettings?: outputs.sagemaker.UserProfileUserSettingsSpaceStorageSettingsDefaultEbsStorageSettings; } - export interface RuleGroupCustomResponseBody { + export interface UserProfileUserSettingsSpaceStorageSettingsDefaultEbsStorageSettings { /** - * The payload of the custom response. + * The default size of the EBS storage volume for a private space. */ - content: string; + defaultEbsVolumeSizeInGb: number; /** - * The type of content in the payload that you are defining in the `content` argument. Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. + * The maximum size of the EBS storage volume for a private space. 
*/ - contentType: string; + maximumEbsVolumeSizeInGb: number; + } + + export interface UserProfileUserSettingsTensorBoardAppSettings { /** - * A unique key identifying the custom response body. This is referenced by the `customResponseBodyKey` argument in the Custom Response block. + * The default instance type and the Amazon Resource Name (ARN) of the SageMaker image created on the instance. see Default Resource Spec below. */ - key: string; + defaultResourceSpec?: outputs.sagemaker.UserProfileUserSettingsTensorBoardAppSettingsDefaultResourceSpec; } - export interface RuleGroupRule { + export interface UserProfileUserSettingsTensorBoardAppSettingsDefaultResourceSpec { /** - * The action that AWS WAF should take on a web request when it matches the rule's statement. Settings at the `aws.wafv2.WebAcl` level can override the rule action setting. See Action below for details. + * The instance type that the image version runs on.. For valid values see [SageMaker Instance Types](https://docs.aws.amazon.com/sagemaker/latest/dg/notebooks-available-instance-types.html). */ - action: outputs.wafv2.RuleGroupRuleAction; + instanceType?: string; /** - * Specifies how AWS WAF should handle CAPTCHA evaluations. See Captcha Configuration below for details. + * The Amazon Resource Name (ARN) of the Lifecycle Configuration attached to the Resource. */ - captchaConfig?: outputs.wafv2.RuleGroupRuleCaptchaConfig; + lifecycleConfigArn?: string; /** - * A friendly name of the rule. + * The ARN of the SageMaker image that the image version belongs to. */ - name: string; + sagemakerImageArn?: string; /** - * If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. AWS WAF processes rules with lower priority first. + * The SageMaker Image Version Alias. */ - priority: number; + sagemakerImageVersionAlias?: string; /** - * Labels to apply to web requests that match the rule match statement. 
See Rule Label below for details. + * The ARN of the image version created on the instance. */ - ruleLabels?: outputs.wafv2.RuleGroupRuleRuleLabel[]; + sagemakerImageVersionArn?: string; + } + + export interface WorkforceCognitoConfig { /** - * The AWS WAF processing statement for the rule, for example `byteMatchStatement` or `geoMatchStatement`. See Statement below for details. + * The client ID for your Amazon Cognito user pool. */ - statement: outputs.wafv2.RuleGroupRuleStatement; + clientId: string; /** - * Defines and enables Amazon CloudWatch metrics and web request sample collection. See Visibility Configuration below for details. + * ID for your Amazon Cognito user pool. */ - visibilityConfig: outputs.wafv2.RuleGroupRuleVisibilityConfig; + userPool: string; } - export interface RuleGroupRuleAction { + export interface WorkforceOidcConfig { /** - * Instructs AWS WAF to allow the web request. See Allow below for details. + * The OIDC IdP authorization endpoint used to configure your private workforce. */ - allow?: outputs.wafv2.RuleGroupRuleActionAllow; + authorizationEndpoint: string; /** - * Instructs AWS WAF to block the web request. See Block below for details. + * The OIDC IdP client ID used to configure your private workforce. */ - block?: outputs.wafv2.RuleGroupRuleActionBlock; + clientId: string; /** - * Instructs AWS WAF to run a `CAPTCHA` check against the web request. See Captcha below for details. + * The OIDC IdP client secret used to configure your private workforce. */ - captcha?: outputs.wafv2.RuleGroupRuleActionCaptcha; + clientSecret: string; /** - * Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See Challenge below for details. + * The OIDC IdP issuer used to configure your private workforce. */ - challenge?: outputs.wafv2.RuleGroupRuleActionChallenge; + issuer: string; /** - * Instructs AWS WAF to count the web request and allow it. See Count below for details. 
+ * The OIDC IdP JSON Web Key Set (Jwks) URI used to configure your private workforce. */ - count?: outputs.wafv2.RuleGroupRuleActionCount; - } - - export interface RuleGroupRuleActionAllow { + jwksUri: string; /** - * Defines custom handling for the web request. See Custom Request Handling below for details. + * The OIDC IdP logout endpoint used to configure your private workforce. */ - customRequestHandling?: outputs.wafv2.RuleGroupRuleActionAllowCustomRequestHandling; - } - - export interface RuleGroupRuleActionAllowCustomRequestHandling { + logoutEndpoint: string; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details. + * The OIDC IdP token endpoint used to configure your private workforce. */ - insertHeaders: outputs.wafv2.RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader[]; - } - - export interface RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader { + tokenEndpoint: string; /** - * A friendly name of the rule group. + * The OIDC IdP user information endpoint used to configure your private workforce. */ - name: string; - value: string; + userInfoEndpoint: string; } - export interface RuleGroupRuleActionBlock { + export interface WorkforceSourceIpConfig { /** - * Defines a custom response for the web request. See Custom Response below for details. + * A list of up to 10 CIDR values. */ - customResponse?: outputs.wafv2.RuleGroupRuleActionBlockCustomResponse; + cidrs: string[]; } - export interface RuleGroupRuleActionBlockCustomResponse { + export interface WorkforceWorkforceVpcConfig { /** - * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. + * The VPC security group IDs. The security groups must be for the same VPC as specified in the subnet. 
*/ - customResponseBodyKey?: string; + securityGroupIds?: string[]; /** - * The HTTP status code to return to the client. + * The ID of the subnets in the VPC that you want to connect. */ - responseCode: number; + subnets?: string[]; /** - * The `responseHeader` blocks used to define the HTTP response headers added to the response. See Custom HTTP Header below for details. + * The IDs for the VPC service endpoints of your VPC workforce. */ - responseHeaders?: outputs.wafv2.RuleGroupRuleActionBlockCustomResponseResponseHeader[]; - } - - export interface RuleGroupRuleActionBlockCustomResponseResponseHeader { + vpcEndpointId: string; /** - * A friendly name of the rule group. + * The ID of the VPC that the workforce uses for communication. */ - name: string; - value: string; + vpcId?: string; } - export interface RuleGroupRuleActionCaptcha { + export interface WorkteamMemberDefinition { /** - * Defines custom handling for the web request. See Custom Request Handling below for details. + * The Amazon Cognito user group that is part of the work team. See Cognito Member Definition details below. */ - customRequestHandling?: outputs.wafv2.RuleGroupRuleActionCaptchaCustomRequestHandling; - } - - export interface RuleGroupRuleActionCaptchaCustomRequestHandling { + cognitoMemberDefinition?: outputs.sagemaker.WorkteamMemberDefinitionCognitoMemberDefinition; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details. + * A list user groups that exist in your OIDC Identity Provider (IdP). One to ten groups can be used to create a single private work team. See Cognito Member Definition details below. 
*/ - insertHeaders: outputs.wafv2.RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader[]; + oidcMemberDefinition?: outputs.sagemaker.WorkteamMemberDefinitionOidcMemberDefinition; } - export interface RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader { + export interface WorkteamMemberDefinitionCognitoMemberDefinition { /** - * A friendly name of the rule group. + * An identifier for an application client. You must create the app client ID using Amazon Cognito. */ - name: string; - value: string; - } - - export interface RuleGroupRuleActionChallenge { + clientId: string; /** - * Defines custom handling for the web request. See Custom Request Handling below for details. + * An identifier for a user group. */ - customRequestHandling?: outputs.wafv2.RuleGroupRuleActionChallengeCustomRequestHandling; - } - - export interface RuleGroupRuleActionChallengeCustomRequestHandling { + userGroup: string; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details. + * An identifier for a user pool. The user pool must be in the same region as the service that you are calling. */ - insertHeaders: outputs.wafv2.RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader[]; + userPool: string; } - export interface RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader { + export interface WorkteamMemberDefinitionOidcMemberDefinition { /** - * A friendly name of the rule group. + * A list of comma separated strings that identifies user groups in your OIDC IdP. Each user group is made up of a group of private workers. */ - name: string; - value: string; + groups: string[]; } - export interface RuleGroupRuleActionCount { + export interface WorkteamNotificationConfiguration { /** - * Defines custom handling for the web request. See Custom Request Handling below for details. + * The ARN for the SNS topic to which notifications should be published. 
*/ - customRequestHandling?: outputs.wafv2.RuleGroupRuleActionCountCustomRequestHandling; + notificationTopicArn?: string; } - export interface RuleGroupRuleActionCountCustomRequestHandling { +} + +export namespace scheduler { + export interface ScheduleFlexibleTimeWindow { /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details. + * Maximum time window during which a schedule can be invoked. Ranges from `1` to `1440` minutes. */ - insertHeaders: outputs.wafv2.RuleGroupRuleActionCountCustomRequestHandlingInsertHeader[]; - } - - export interface RuleGroupRuleActionCountCustomRequestHandlingInsertHeader { + maximumWindowInMinutes?: number; /** - * A friendly name of the rule group. + * Determines whether the schedule is invoked within a flexible time window. One of: `OFF`, `FLEXIBLE`. */ - name: string; - value: string; + mode: string; } - export interface RuleGroupRuleCaptchaConfig { + export interface ScheduleTarget { /** - * Defines custom immunity time. See Immunity Time Property below for details. + * ARN of the target of this schedule, such as a SQS queue or ECS cluster. For universal targets, this is a [Service ARN specific to the target service](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html#supported-universal-targets). */ - immunityTimeProperty?: outputs.wafv2.RuleGroupRuleCaptchaConfigImmunityTimeProperty; - } - - export interface RuleGroupRuleCaptchaConfigImmunityTimeProperty { + arn: string; /** - * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. + * Information about an Amazon SQS queue that EventBridge Scheduler uses as a dead-letter queue for your schedule. If specified, EventBridge Scheduler delivers failed events that could not be successfully delivered to a target to the queue. Detailed below. 
*/ - immunityTime?: number; + deadLetterConfig?: outputs.scheduler.ScheduleTargetDeadLetterConfig; + /** + * Templated target type for the Amazon ECS [`RunTask`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RunTask.html) API operation. Detailed below. + */ + ecsParameters?: outputs.scheduler.ScheduleTargetEcsParameters; + /** + * Templated target type for the EventBridge [`PutEvents`](https://docs.aws.amazon.com/eventbridge/latest/APIReference/API_PutEvents.html) API operation. Detailed below. + */ + eventbridgeParameters?: outputs.scheduler.ScheduleTargetEventbridgeParameters; + /** + * Text, or well-formed JSON, passed to the target. Read more in [Universal target](https://docs.aws.amazon.com/scheduler/latest/UserGuide/managing-targets-universal.html). + */ + input?: string; + /** + * Templated target type for the Amazon Kinesis [`PutRecord`](https://docs.aws.amazon.com/kinesis/latest/APIReference/API_PutRecord.html) API operation. Detailed below. + */ + kinesisParameters?: outputs.scheduler.ScheduleTargetKinesisParameters; + /** + * Information about the retry policy settings. Detailed below. + */ + retryPolicy?: outputs.scheduler.ScheduleTargetRetryPolicy; + /** + * ARN of the IAM role that EventBridge Scheduler will use for this target when the schedule is invoked. Read more in [Set up the execution role](https://docs.aws.amazon.com/scheduler/latest/UserGuide/setting-up.html#setting-up-execution-role). + * + * The following arguments are optional: + */ + roleArn: string; + /** + * Templated target type for the Amazon SageMaker [`StartPipelineExecution`](https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_StartPipelineExecution.html) API operation. Detailed below. + */ + sagemakerPipelineParameters?: outputs.scheduler.ScheduleTargetSagemakerPipelineParameters; + /** + * The templated target type for the Amazon SQS [`SendMessage`](https://docs.aws.amazon.com/AWSSimpleQueueService/latest/APIReference/API_SendMessage.html) API operation. 
Detailed below. + */ + sqsParameters?: outputs.scheduler.ScheduleTargetSqsParameters; } - export interface RuleGroupRuleRuleLabel { + export interface ScheduleTargetDeadLetterConfig { /** - * The label string. + * ARN of the SQS queue specified as the destination for the dead-letter queue. */ - name: string; + arn: string; } - export interface RuleGroupRuleStatement { + export interface ScheduleTargetEcsParameters { /** - * A logical rule statement used to combine other rule statements with AND logic. See AND Statement below for details. + * Up to `6` capacity provider strategies to use for the task. Detailed below. */ - andStatement?: outputs.wafv2.RuleGroupRuleStatementAndStatement; + capacityProviderStrategies?: outputs.scheduler.ScheduleTargetEcsParametersCapacityProviderStrategy[]; /** - * A rule statement that defines a string match search for AWS WAF to apply to web requests. See Byte Match Statement below for details. + * Specifies whether to enable Amazon ECS managed tags for the task. For more information, see [Tagging Your Amazon ECS Resources](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-using-tags.html) in the Amazon ECS Developer Guide. */ - byteMatchStatement?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatement; + enableEcsManagedTags?: boolean; /** - * A rule statement used to identify web requests based on country of origin. See GEO Match Statement below for details. + * Specifies whether to enable the execute command functionality for the containers in this task. */ - geoMatchStatement?: outputs.wafv2.RuleGroupRuleStatementGeoMatchStatement; + enableExecuteCommand?: boolean; /** - * A rule statement used to detect web requests coming from particular IP addresses or address ranges. See IP Set Reference Statement below for details. + * Specifies an ECS task group for the task. At most 255 characters. 
*/ - ipSetReferenceStatement?: outputs.wafv2.RuleGroupRuleStatementIpSetReferenceStatement; + group?: string; /** - * A rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See Label Match Statement below for details. + * Specifies the launch type on which your task is running. The launch type that you specify here must match one of the launch type (compatibilities) of the target task. One of: `EC2`, `FARGATE`, `EXTERNAL`. */ - labelMatchStatement?: outputs.wafv2.RuleGroupRuleStatementLabelMatchStatement; + launchType?: string; /** - * A logical rule statement used to negate the results of another rule statement. See NOT Statement below for details. + * Configures the networking associated with the task. Detailed below. */ - notStatement?: outputs.wafv2.RuleGroupRuleStatementNotStatement; + networkConfiguration?: outputs.scheduler.ScheduleTargetEcsParametersNetworkConfiguration; /** - * A logical rule statement used to combine other rule statements with OR logic. See OR Statement below for details. + * A set of up to 10 placement constraints to use for the task. Detailed below. */ - orStatement?: outputs.wafv2.RuleGroupRuleStatementOrStatement; + placementConstraints?: outputs.scheduler.ScheduleTargetEcsParametersPlacementConstraint[]; /** - * A rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See Rate Based Statement below for details. + * A set of up to 5 placement strategies. Detailed below. */ - rateBasedStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatement; + placementStrategies?: outputs.scheduler.ScheduleTargetEcsParametersPlacementStrategy[]; /** - * A rule statement used to search web request components for a match against a single regular expression. 
See Regex Match Statement below for details. + * Specifies the platform version for the task. Specify only the numeric portion of the platform version, such as `1.1.0`. */ - regexMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatement; + platformVersion?: string; /** - * A rule statement used to search web request components for matches with regular expressions. See Regex Pattern Set Reference Statement below for details. + * Specifies whether to propagate the tags from the task definition to the task. One of: `TASK_DEFINITION`. */ - regexPatternSetReferenceStatement?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatement; + propagateTags?: string; /** - * A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). See Size Constraint Statement below for more details. + * Reference ID to use for the task. */ - sizeConstraintStatement?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatement; + referenceId?: string; /** - * An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See SQL Injection Match Statement below for details. + * The metadata that you apply to the task. Each tag consists of a key and an optional value. For more information, see [`RunTask`](https://docs.aws.amazon.com/AmazonECS/latest/APIReference/API_RunTask.html) in the Amazon ECS API Reference. */ - sqliMatchStatement?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatement; + tags?: {[key: string]: string}; /** - * A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See XSS Match Statement below for details. + * The number of tasks to create. Ranges from `1` (default) to `10`. + */ + taskCount?: number; + /** + * ARN of the task definition to use. 
+ * + * The following arguments are optional: */ - xssMatchStatement?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatement; + taskDefinitionArn: string; } - export interface RuleGroupRuleStatementAndStatement { + export interface ScheduleTargetEcsParametersCapacityProviderStrategy { /** - * The statements to combine. + * How many tasks, at a minimum, to run on the specified capacity provider. Only one capacity provider in a capacity provider strategy can have a base defined. Ranges from `0` (default) to `100000`. */ - statements: outputs.wafv2.RuleGroupRuleStatement[]; + base?: number; + /** + * Short name of the capacity provider. + */ + capacityProvider: string; + /** + * Designates the relative percentage of the total number of tasks launched that should use the specified capacity provider. The weight value is taken into consideration after the base value, if defined, is satisfied. Ranges from from `0` to `1000`. + */ + weight?: number; } - export interface RuleGroupRuleStatementByteMatchStatement { + export interface ScheduleTargetEcsParametersNetworkConfiguration { /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. + * Specifies whether the task's elastic network interface receives a public IP address. This attribute is a boolean type, where `true` maps to `ENABLED` and `false` to `DISABLED`. You can specify `true` only when the `launchType` is set to `FARGATE`. */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatch; + assignPublicIp?: boolean; /** - * The area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. + * Set of 1 to 5 Security Group ID-s to be associated with the task. 
These security groups must all be in the same VPC. */ - positionalConstraint: string; + securityGroups?: string[]; /** - * A string value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. + * Set of 1 to 16 subnets to be associated with the task. These subnets must all be in the same VPC. */ - searchString: string; + subnets: string[]; + } + + export interface ScheduleTargetEcsParametersPlacementConstraint { /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. + * A cluster query language expression to apply to the constraint. You cannot specify an expression if the constraint type is `distinctInstance`. For more information, see [Cluster query language](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/cluster-query-language.html) in the Amazon ECS Developer Guide. + */ + expression?: string; + /** + * The type of constraint. One of: `distinctInstance`, `memberOf`. */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementTextTransformation[]; + type: string; } - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatch { + export interface ScheduleTargetEcsParametersPlacementStrategy { /** - * Inspect all query arguments. + * The field to apply the placement strategy against. */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchAllQueryArguments; + field?: string; /** - * Inspect the request body, which immediately follows the request headers. + * The type of placement strategy. One of: `random`, `spread`, `binpack`. 
*/ - body?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchBody; + type: string; + } + + export interface ScheduleTargetEventbridgeParameters { /** - * Inspect the cookies in the web request. See Cookies below for details. + * Free-form string used to decide what fields to expect in the event detail. Up to 128 characters. */ - cookies?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchCookies; + detailType: string; /** - * Inspect the request headers. See Header Order below for details. + * Source of the event. */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderOrder[]; + source: string; + } + + export interface ScheduleTargetKinesisParameters { /** - * Inspect the request headers. See Headers below for details. + * Specifies the shard to which EventBridge Scheduler sends the event. Up to 256 characters. */ - headers?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint; + partitionKey: string; + } + + export interface ScheduleTargetRetryPolicy { /** - * Inspect the request body as JSON. See JSON Body for details. + * Maximum amount of time, in seconds, to continue to make retry attempts. Ranges from `60` to `86400` (default). */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBody; + maximumEventAgeInSeconds?: number; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * Maximum number of retry attempts to make before the request fails. Ranges from `0` to `185` (default). */ - method?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchMethod; + maximumRetryAttempts?: number; + } + + export interface ScheduleTargetSagemakerPipelineParameters { /** - * Inspect the query string. 
This is the part of a URL that appears after a `?` character, if any. + * Set of up to 200 parameter names and values to use when executing the SageMaker Model Building Pipeline. Detailed below. */ - queryString?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchQueryString; + pipelineParameters?: outputs.scheduler.ScheduleTargetSagemakerPipelineParametersPipelineParameter[]; + } + + export interface ScheduleTargetSagemakerPipelineParametersPipelineParameter { /** - * Inspect a single header. See Single Header below for details. + * Name of parameter to start execution of a SageMaker Model Building Pipeline. */ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleHeader; + name: string; /** - * Inspect a single query argument. See Single Query Argument below for details. + * Value of parameter to start execution of a SageMaker Model Building Pipeline. */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument; + value: string; + } + + export interface ScheduleTargetSqsParameters { /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * FIFO message group ID to use as the target. */ - uriPath?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchUriPath; + messageGroupId?: string; } - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchAllQueryArguments { +} + +export namespace secretsmanager { + export interface GetSecretRotationRotationRule { + automaticallyAfterDays: number; + duration: string; + scheduleExpression: string; } - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchBody { - oversizeHandling?: string; + export interface GetSecretsFilter { + /** + * Name of the filter field. 
Valid values can be found in the [Secrets Manager ListSecrets API Reference](https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_ListSecrets.html). + */ + name: string; + /** + * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. + */ + values: string[]; } - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchCookies { + export interface SecretReplica { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * ARN, Key ID, or Alias of the AWS KMS key within the region secret is replicated to. If one is not specified, then Secrets Manager defaults to using the AWS account's default KMS key (`aws/secretsmanager`) in the region or creates one for use if non-existent. */ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern[]; + kmsKeyId: string; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * Date that you last accessed the secret in the Region. */ - matchScope: string; + lastAccessedDate: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * Region for replicating the secret. */ - oversizeHandling: string; + region: string; + /** + * Status can be `InProgress`, `Failed`, or `InSync`. 
+ */ + status: string; + /** + * Message such as `Replication succeeded` or `Secret with this name already exists in this region`. + */ + statusMessage: string; } - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + export interface SecretRotationRotationRules { + /** + * Specifies the number of days between automatic scheduled rotations of the secret. Either `automaticallyAfterDays` or `scheduleExpression` must be specified. + */ + automaticallyAfterDays?: number; + /** + * The length of the rotation window in hours. For example, `3h` for a three hour window. + */ + duration?: string; + /** + * A `cron()` or `rate()` expression that defines the schedule for rotating your secret. Either `automaticallyAfterDays` or `scheduleExpression` must be specified. + */ + scheduleExpression?: string; } - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll { +} + +export namespace securityhub { + export interface AutomationRuleAction { + /** + * A block that specifies that the automation rule action is an update to a finding field. Documented below. + */ + findingFieldsUpdate?: outputs.securityhub.AutomationRuleActionFindingFieldsUpdate; + /** + * Specifies that the rule action should update the `Types` finding field. The `Types` finding field classifies findings in the format of namespace/category/classifier. + */ + type?: string; } - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchHeader { + export interface AutomationRuleActionFindingFieldsUpdate { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * The rule action updates the `Confidence` field of a finding. 
*/ - matchPattern: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern; + confidence?: number; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * The rule action updates the `Criticality` field of a finding. */ - matchScope: string; + criticality?: number; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * A resource block that updates the note. Documented below. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern { + note?: outputs.securityhub.AutomationRuleActionFindingFieldsUpdateNote; + /** + * A resource block that the rule action updates the `RelatedFindings` field of a finding. Documented below. + */ + relatedFindings?: outputs.securityhub.AutomationRuleActionFindingFieldsUpdateRelatedFinding[]; + /** + * A resource block that updates to the severity information for a finding. Documented below. + */ + severity?: outputs.securityhub.AutomationRuleActionFindingFieldsUpdateSeverity; /** - * An empty configuration block that is used for inspecting all headers. + * The rule action updates the `Types` field of a finding. */ - all?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll; + types?: string[]; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * The rule action updates the `UserDefinedFields` field of a finding. 
*/ - excludedHeaders?: string[]; + userDefinedFields?: {[key: string]: string}; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * The rule action updates the `VerificationState` field of a finding. The allowed values are the following `UNKNOWN`, `TRUE_POSITIVE`, `FALSE_POSITIVE` and `BENIGN_POSITIVE`. */ - includedHeaders?: string[]; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchHeaderOrder { + verificationState?: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * A resource block that is used to update information about the investigation into the finding. Documented below. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; + workflow?: outputs.securityhub.AutomationRuleActionFindingFieldsUpdateWorkflow; } - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBody { + export interface AutomationRuleActionFindingFieldsUpdateNote { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * The updated note text. */ - invalidFallbackBehavior?: string; + text: string; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. 
+ * The principal that updated the note. */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern; + updatedBy: string; + } + + export interface AutomationRuleActionFindingFieldsUpdateRelatedFinding { /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * The product-generated identifier for a related finding. */ - matchScope: string; + id: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * The ARN of the product that generated a related finding. */ - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchQueryString { + productArn: string; } - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleHeader { + export interface AutomationRuleActionFindingFieldsUpdateSeverity { /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * The severity value of the finding. The allowed values are the following `INFORMATIONAL`, `LOW`, `MEDIUM`, `HIGH` and `CRITICAL`. */ - name: string; - } - - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument { + label: string; /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * The native severity as defined by the AWS service or integrated partner product that generated the finding. 
*/ - name: string; + product?: number; } - export interface RuleGroupRuleStatementByteMatchStatementFieldToMatchUriPath { + export interface AutomationRuleActionFindingFieldsUpdateWorkflow { + /** + * The status of the investigation into the finding. The allowed values are the following `NEW`, `NOTIFIED`, `RESOLVED` and `SUPPRESSED`. + */ + status?: string; } - export interface RuleGroupRuleStatementByteMatchStatementTextTransformation { + export interface AutomationRuleCriteria { /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The AWS account ID in which a finding was generated. Documented below. */ - priority: number; + awsAccountIds?: outputs.securityhub.AutomationRuleCriteriaAwsAccountId[]; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The name of the AWS account in which a finding was generated. Documented below. */ - type: string; - } - - export interface RuleGroupRuleStatementGeoMatchStatement { + awsAccountNames?: outputs.securityhub.AutomationRuleCriteriaAwsAccountName[]; /** - * An array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. + * The name of the company for the product that generated the finding. For control-based findings, the company is AWS. Documented below. 
*/ - countryCodes: string[]; + companyNames?: outputs.securityhub.AutomationRuleCriteriaCompanyName[]; /** - * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See Forwarded IP Config below for details. + * The unique identifier of a standard in which a control is enabled. Documented below. */ - forwardedIpConfig?: outputs.wafv2.RuleGroupRuleStatementGeoMatchStatementForwardedIpConfig; - } - - export interface RuleGroupRuleStatementGeoMatchStatementForwardedIpConfig { + complianceAssociatedStandardsIds?: outputs.securityhub.AutomationRuleCriteriaComplianceAssociatedStandardsId[]; /** - * The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. + * The security control ID for which a finding was generated. Security control IDs are the same across standards. Documented below. */ - fallbackBehavior: string; + complianceSecurityControlIds?: outputs.securityhub.AutomationRuleCriteriaComplianceSecurityControlId[]; /** - * The name of the HTTP header to use for the IP address. + * The result of a security check. This field is only used for findings generated from controls. Documented below. */ - headerName: string; - } - - export interface RuleGroupRuleStatementIpSetReferenceStatement { + complianceStatuses?: outputs.securityhub.AutomationRuleCriteriaComplianceStatus[]; /** - * The Amazon Resource Name (ARN) of the IP Set that this statement references. + * The likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. `Confidence` is scored on a 0–100 basis using a ratio scale. A value of `0` means 0 percent confidence, and a value of `100` means 100 percent confidence. Documented below. 
*/ - arn: string; + confidences?: outputs.securityhub.AutomationRuleCriteriaConfidence[]; /** - * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See IPSet Forwarded IP Config below for more details. + * A timestamp that indicates when this finding record was created. Documented below. */ - ipSetForwardedIpConfig?: outputs.wafv2.RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig; - } - - export interface RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig { + createdAts?: outputs.securityhub.AutomationRuleCriteriaCreatedAt[]; /** - * The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. + * The level of importance that is assigned to the resources that are associated with a finding. Documented below. */ - fallbackBehavior: string; + criticalities?: outputs.securityhub.AutomationRuleCriteriaCriticality[]; /** - * The name of the HTTP header to use for the IP address. + * A finding's description. Documented below. */ - headerName: string; + descriptions?: outputs.securityhub.AutomationRuleCriteriaDescription[]; /** - * The position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. + * A timestamp that indicates when the potential security issue captured by a finding was first observed by the security findings product. Documented below. */ - position: string; - } - - export interface RuleGroupRuleStatementLabelMatchStatement { + firstObservedAts?: outputs.securityhub.AutomationRuleCriteriaFirstObservedAt[]; /** - * The string to match against. + * The identifier for the solution-specific component that generated a finding. Documented below. 
*/ - key: string; + generatorIds?: outputs.securityhub.AutomationRuleCriteriaGeneratorId[]; /** - * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. + * The product-specific identifier for a finding. Documented below. */ - scope: string; - } - - export interface RuleGroupRuleStatementNotStatement { + ids?: outputs.securityhub.AutomationRuleCriteriaId[]; /** - * The statements to combine. + * A timestamp that indicates when the potential security issue captured by a finding was most recently observed by the security findings product. Documented below. */ - statements: outputs.wafv2.RuleGroupRuleStatement[]; - } - - export interface RuleGroupRuleStatementOrStatement { + lastObservedAts?: outputs.securityhub.AutomationRuleCriteriaLastObservedAt[]; /** - * The statements to combine. + * The text of a user-defined note that's added to a finding. Documented below. */ - statements: outputs.wafv2.RuleGroupRuleStatement[]; - } - - export interface RuleGroupRuleStatementRateBasedStatement { + noteTexts?: outputs.securityhub.AutomationRuleCriteriaNoteText[]; /** - * Setting that indicates how to aggregate the request counts. Valid values include: `CONSTANT`, `CUSTOM_KEYS`, `FORWARDED_IP` or `IP`. Default: `IP`. + * The timestamp of when the note was updated. Documented below. */ - aggregateKeyType?: string; + noteUpdatedAts?: outputs.securityhub.AutomationRuleCriteriaNoteUpdatedAt[]; /** - * Aggregate the request counts using one or more web request components as the aggregate keys. See `customKey` below for details. + * The principal that created a note. Documented below. */ - customKeys?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKey[]; + noteUpdatedBies?: outputs.securityhub.AutomationRuleCriteriaNoteUpdatedBy[]; /** - * The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Valid values are `60`, `120`, `300`, and `600`. 
Defaults to `300` (5 minutes). - * - * **NOTE:** This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds. + * The Amazon Resource Name (ARN) for a third-party product that generated a finding in Security Hub. Documented below. */ - evaluationWindowSec?: number; + productArns?: outputs.securityhub.AutomationRuleCriteriaProductArn[]; /** - * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregateKeyType` is set to `FORWARDED_IP`, this block is required. See Forwarded IP Config below for details. + * Provides the name of the product that generated the finding. For control-based findings, the product name is Security Hub. Documented below. */ - forwardedIpConfig?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementForwardedIpConfig; + productNames?: outputs.securityhub.AutomationRuleCriteriaProductName[]; /** - * The limit on requests per 5-minute period for a single originating IP address. + * Provides the current state of a finding. Documented below. */ - limit: number; + recordStates?: outputs.securityhub.AutomationRuleCriteriaRecordState[]; /** - * An optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See Statement above for details. If `aggregateKeyType` is set to `CONSTANT`, this block is required. + * The product-generated identifier for a related finding. Documented below. 
*/ - scopeDownStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatement; - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKey { + relatedFindingsIds?: outputs.securityhub.AutomationRuleCriteriaRelatedFindingsId[]; /** - * (Optional) Use the value of a cookie in the request as an aggregate key. See RateLimit `cookie` below for details. + * The ARN for the product that generated a related finding. Documented below. */ - cookie?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyCookie; + relatedFindingsProductArns?: outputs.securityhub.AutomationRuleCriteriaRelatedFindingsProductArn[]; /** - * (Optional) Use the first IP address in an HTTP header as an aggregate key. See `forwardedIp` below for details. + * The Amazon Resource Name (ARN) of the application that is related to a finding. Documented below. */ - forwardedIp?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyForwardedIp; + resourceApplicationArns?: outputs.securityhub.AutomationRuleCriteriaResourceApplicationArn[]; /** - * (Optional) Use the value of a header in the request as an aggregate key. See RateLimit `header` below for details. + * The name of the application that is related to a finding. Documented below. */ - header?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyHeader; + resourceApplicationNames?: outputs.securityhub.AutomationRuleCriteriaResourceApplicationName[]; /** - * (Optional) Use the request's HTTP method as an aggregate key. See RateLimit `httpMethod` below for details. + * Custom fields and values about the resource that a finding pertains to. Documented below. */ - httpMethod?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyHttpMethod; + resourceDetailsOthers?: outputs.securityhub.AutomationRuleCriteriaResourceDetailsOther[]; /** - * (Optional) Use the request's originating IP address as an aggregate key. See `RateLimit ip` below for details. 
+ * The identifier for the given resource type. For AWS resources that are identified by Amazon Resource Names (ARNs), this is the ARN. For AWS resources that lack ARNs, this is the identifier as defined by the AWS service that created the resource. For non-AWS resources, this is a unique identifier that is associated with the resource. Documented below. */ - ip?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyIp; + resourceIds?: outputs.securityhub.AutomationRuleCriteriaResourceId[]; /** - * (Optional) Use the specified label namespace as an aggregate key. See RateLimit `labelNamespace` below for details. + * The partition in which the resource that the finding pertains to is located. A partition is a group of AWS Regions. Each AWS account is scoped to one partition. Documented below. */ - labelNamespace?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace; + resourcePartitions?: outputs.securityhub.AutomationRuleCriteriaResourcePartition[]; /** - * (Optional) Use the specified query argument as an aggregate key. See RateLimit `queryArgument` below for details. + * The AWS Region where the resource that a finding pertains to is located. Documented below. */ - queryArgument?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgument; + resourceRegions?: outputs.securityhub.AutomationRuleCriteriaResourceRegion[]; /** - * (Optional) Use the request's query string as an aggregate key. See RateLimit `queryString` below for details. + * A list of AWS tags associated with a resource at the time the finding was processed. Documented below. */ - queryString?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyQueryString; + resourceTags?: outputs.securityhub.AutomationRuleCriteriaResourceTag[]; /** - * (Optional) Use the request's URI path as an aggregate key. See RateLimit `uriPath` below for details. + * The type of resource that the finding pertains to. Documented below. 
*/ - uriPath?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyUriPath; - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyCookie { + resourceTypes?: outputs.securityhub.AutomationRuleCriteriaResourceType[]; /** - * A friendly name of the rule group. + * The severity value of the finding. Documented below. */ - name: string; + severityLabels?: outputs.securityhub.AutomationRuleCriteriaSeverityLabel[]; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details. + * Provides a URL that links to a page about the current finding in the finding product. Documented below. */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyCookieTextTransformation[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyCookieTextTransformation { + sourceUrls?: outputs.securityhub.AutomationRuleCriteriaSourceUrl[]; /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * A finding's title. Documented below. */ - priority: number; + titles?: outputs.securityhub.AutomationRuleCriteriaTitle[]; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * One or more finding types in the format of namespace/category/classifier that classify a finding. Documented below. 
*/ - type: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyForwardedIp { - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyHeader { + types?: outputs.securityhub.AutomationRuleCriteriaType[]; /** - * A friendly name of the rule group. + * A timestamp that indicates when the finding record was most recently updated. Documented below. */ - name: string; + updatedAts?: outputs.securityhub.AutomationRuleCriteriaUpdatedAt[]; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details. + * A list of user-defined name and value string pairs added to a finding. Documented below. */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation { + userDefinedFields?: outputs.securityhub.AutomationRuleCriteriaUserDefinedField[]; /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Provides the veracity of a finding. Documented below. */ - priority: number; + verificationStates?: outputs.securityhub.AutomationRuleCriteriaVerificationState[]; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Provides information about the status of the investigation into a finding. Documented below. 
*/ - type: string; + workflowStatuses?: outputs.securityhub.AutomationRuleCriteriaWorkflowStatus[]; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyHttpMethod { + export interface AutomationRuleCriteriaAwsAccountId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyIp { + export interface AutomationRuleCriteriaAwsAccountName { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace { - /** - * The namespace to use for aggregation - */ - namespace: string; + export interface AutomationRuleCriteriaCompanyName { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgument { - /** - * A friendly name of the rule group. - */ - name: string; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details. - */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation[]; + export interface AutomationRuleCriteriaComplianceAssociatedStandardsId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: number; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
- */ - type: string; + export interface AutomationRuleCriteriaComplianceSecurityControlId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyQueryString { - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details. - */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation[]; + export interface AutomationRuleCriteriaComplianceStatus { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: number; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: string; + export interface AutomationRuleCriteriaConfidence { + eq?: number; + gt?: number; + gte?: number; + lt?: number; + lte?: number; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyUriPath { - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details. 
- */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation[]; + export interface AutomationRuleCriteriaCreatedAt { + dateRange?: outputs.securityhub.AutomationRuleCriteriaCreatedAtDateRange; + end?: string; + start?: string; } - export interface RuleGroupRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation { + export interface AutomationRuleCriteriaCreatedAtDateRange { /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * A date range unit for the date filter. Valid values: `DAYS`. */ - priority: number; + unit: string; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * A date range value for the date filter, provided as an Integer. */ - type: string; + value: number; } - export interface RuleGroupRuleStatementRateBasedStatementForwardedIpConfig { - /** - * The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: string; - /** - * The name of the HTTP header to use for the IP address. 
- */ - headerName: string; + export interface AutomationRuleCriteriaCriticality { + eq?: number; + gt?: number; + gte?: number; + lt?: number; + lte?: number; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatement { - andStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementAndStatement; - byteMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement; - geoMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement; - ipSetReferenceStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement; - labelMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement; - notStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementNotStatement; - orStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementOrStatement; - regexMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement; - regexPatternSetReferenceStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement; - sizeConstraintStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement; - sqliMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement; - xssMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement; + export interface AutomationRuleCriteriaDescription { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementAndStatement { - /** - * The statements to combine. 
- */ - statements: outputs.wafv2.RuleGroupRuleStatement[]; + export interface AutomationRuleCriteriaFirstObservedAt { + dateRange?: outputs.securityhub.AutomationRuleCriteriaFirstObservedAtDateRange; + end?: string; + start?: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch; - /** - * The area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. - */ - positionalConstraint: string; + export interface AutomationRuleCriteriaFirstObservedAtDateRange { /** - * A string value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. + * A date range unit for the date filter. Valid values: `DAYS`. */ - searchString: string; + unit: string; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. + * A date range value for the date filter, provided as an Integer. */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation[]; + value: number; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch { - /** - * Inspect all query arguments. 
- */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder[]; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString; - /** - * Inspect a single header. See Single Header below for details. 
- */ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader; + export interface AutomationRuleCriteriaGeneratorId { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaId { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaLastObservedAt { + dateRange?: outputs.securityhub.AutomationRuleCriteriaLastObservedAtDateRange; + end?: string; + start?: string; + } + + export interface AutomationRuleCriteriaLastObservedAtDateRange { /** - * Inspect a single query argument. See Single Query Argument below for details. + * A date range unit for the date filter. Valid values: `DAYS`. */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument; + unit: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * A date range value for the date filter, provided as an Integer. */ - uriPath?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath; + value: number; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments { + export interface AutomationRuleCriteriaNoteText { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody { - oversizeHandling?: string; + export interface AutomationRuleCriteriaNoteUpdatedAt { + dateRange?: outputs.securityhub.AutomationRuleCriteriaNoteUpdatedAtDateRange; + end?: string; + start?: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. 
You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern[]; + export interface AutomationRuleCriteriaNoteUpdatedAtDateRange { /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * A date range unit for the date filter. Valid values: `DAYS`. */ - matchScope: string; + unit: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * A date range value for the date filter, provided as an Integer. 
*/ - oversizeHandling: string; + value: number; + } + + export interface AutomationRuleCriteriaNoteUpdatedBy { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaProductArn { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaProductName { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaRecordState { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaRelatedFindingsId { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaRelatedFindingsProductArn { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaResourceApplicationArn { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaResourceApplicationName { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaResourceDetailsOther { + comparison: string; + key: string; + value: string; + } + + export interface AutomationRuleCriteriaResourceId { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaResourcePartition { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaResourceRegion { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaResourceTag { + comparison: string; + key: string; + value: string; + } + + export interface AutomationRuleCriteriaResourceType { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaSeverityLabel { + comparison: string; + value: string; + } + + export interface AutomationRuleCriteriaSourceUrl { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern { - all?: 
outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + export interface AutomationRuleCriteriaTitle { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll { + export interface AutomationRuleCriteriaType { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: string; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: string; + export interface AutomationRuleCriteriaUpdatedAt { + dateRange?: outputs.securityhub.AutomationRuleCriteriaUpdatedAtDateRange; + end?: string; + start?: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. 
- */ - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll; + export interface AutomationRuleCriteriaUpdatedAtDateRange { /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * A date range unit for the date filter. Valid values: `DAYS`. */ - excludedHeaders?: string[]; + unit: string; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * A date range value for the date filter, provided as an Integer. */ - includedHeaders?: string[]; + value: number; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll { + export interface AutomationRuleCriteriaUserDefinedField { + comparison: string; + key: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: string; + export interface AutomationRuleCriteriaVerificationState { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; + export interface AutomationRuleCriteriaWorkflowStatus { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. 
Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: string; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern; + export interface ConfigurationPolicyConfigurationPolicy { /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * A list that defines which security standards are enabled in the configuration policy. It must be defined if `serviceEnabled` is set to true. */ - matchScope: string; + enabledStandardArns?: string[]; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Defines which security controls are enabled in the configuration policy and any customizations to parameters affecting them. See below. 
*/ - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader { + securityControlsConfiguration?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfiguration; /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * Indicates whether Security Hub is enabled in the policy. */ - name: string; + serviceEnabled: boolean; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument { + export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfiguration { /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * A list of security controls that are disabled in the configuration policy Security Hub enables all other controls (including newly released controls) other than the listed controls. Conflicts with `enabledControlIdentifiers`. 
*/ - name: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation { + disabledControlIdentifiers?: string[]; /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * A list of security controls that are enabled in the configuration policy. Security Hub disables all other controls (including newly released controls) other than the listed controls. Conflicts with `disabledControlIdentifiers`. */ - priority: number; + enabledControlIdentifiers?: string[]; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * A list of control parameter customizations that are included in a configuration policy. Include multiple blocks to define multiple control custom parameters. See below. */ - type: string; + securityControlCustomParameters?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameter[]; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement { + export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameter { /** - * An array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. + * An object that specifies parameter values for a control in a configuration policy. See below. 
*/ - countryCodes: string[]; + parameters: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameter[]; /** - * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See Forwarded IP Config below for details. + * The ID of the security control. For more information see the [Security Hub controls reference] documentation. */ - forwardedIpConfig?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig; + securityControlId: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig { + export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameter { /** - * The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. + * The bool `value` for a Boolean-typed Security Hub Control Parameter. */ - fallbackBehavior: string; + bool?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBool; /** - * The name of the HTTP header to use for the IP address. + * The float `value` for a Double-typed Security Hub Control Parameter. */ - headerName: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement { + double?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterDouble; /** - * The Amazon Resource Name (ARN) of the IP Set that this statement references. + * The string `value` for a Enum-typed Security Hub Control Parameter. 
*/ - arn: string; + enum?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnum; /** - * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See IPSet Forwarded IP Config below for more details. + * The string list `value` for a EnumList-typed Security Hub Control Parameter. */ - ipSetForwardedIpConfig?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig { + enumList?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumList; /** - * The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. + * The int `value` for a Int-typed Security Hub Control Parameter. */ - fallbackBehavior: string; + int?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterInt; /** - * The name of the HTTP header to use for the IP address. + * The int list `value` for a IntList-typed Security Hub Control Parameter. */ - headerName: string; + intList?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntList; /** - * The position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. + * The name of the control parameter. For more information see the [Security Hub controls reference] documentation. 
*/ - position: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement { + name: string; /** - * The string to match against. + * The string `value` for a String-typed Security Hub Control Parameter. */ - key: string; + string?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterString; /** - * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. + * The string list `value` for a StringList-typed Security Hub Control Parameter. */ - scope: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementNotStatement { + stringList?: outputs.securityhub.ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterStringList; /** - * The statements to combine. + * Identifies whether a control parameter uses a custom user-defined value or subscribes to the default Security Hub behavior. Valid values: `DEFAULT`, `CUSTOM`. */ - statements: outputs.wafv2.RuleGroupRuleStatement[]; + valueType: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementOrStatement { - /** - * The statements to combine. 
- */ - statements: outputs.wafv2.RuleGroupRuleStatement[]; + export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterBool { + value: boolean; + } + + export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterDouble { + value: number; + } + + export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnum { + value: string; + } + + export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterEnumList { + values: string[]; + } + + export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterInt { + value: number; + } + + export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterIntList { + values: number[]; + } + + export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterString { + value: string; + } + + export interface ConfigurationPolicyConfigurationPolicySecurityControlsConfigurationSecurityControlCustomParameterParameterStringList { + values: string[]; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement { + export interface InsightFilters { /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. + * AWS account ID that a finding is generated in. See String_Filter below for more details. */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch; + awsAccountIds?: outputs.securityhub.InsightFiltersAwsAccountId[]; /** - * The string representing the regular expression. 
**Note:** The fixed quota for the maximum number of characters in each regex pattern is 200, which can't be changed. See [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) for details. + * The name of the findings provider (company) that owns the solution (product) that generates findings. See String_Filter below for more details. */ - regexString: string; + companyNames?: outputs.securityhub.InsightFiltersCompanyName[]; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. + * Exclusive to findings that are generated as the result of a check run against a specific rule in a supported standard, such as CIS AWS Foundations. Contains security standard-related finding details. See String Filter below for more details. */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch { + complianceStatuses?: outputs.securityhub.InsightFiltersComplianceStatus[]; /** - * Inspect all query arguments. + * A finding's confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. See Number Filter below for more details. */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments; + confidences?: outputs.securityhub.InsightFiltersConfidence[]; /** - * Inspect the request body, which immediately follows the request headers. 
+ * An ISO8601-formatted timestamp that indicates when the security-findings provider captured the potential security issue that a finding captured. See Date Filter below for more details. */ - body?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody; + createdAts?: outputs.securityhub.InsightFiltersCreatedAt[]; /** - * Inspect the cookies in the web request. See Cookies below for details. + * The level of importance assigned to the resources associated with the finding. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. See Number Filter below for more details. */ - cookies?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies; + criticalities?: outputs.securityhub.InsightFiltersCriticality[]; /** - * Inspect the request headers. See Header Order below for details. + * A finding's description. See String Filter below for more details. */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder[]; + descriptions?: outputs.securityhub.InsightFiltersDescription[]; /** - * Inspect the request headers. See Headers below for details. + * The finding provider value for the finding confidence. Confidence is defined as the likelihood that a finding accurately identifies the behavior or issue that it was intended to identify. Confidence is scored on a 0-100 basis using a ratio scale, where 0 means zero percent confidence and 100 means 100 percent confidence. See Number Filter below for more details. 
*/ - headers?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint; + findingProviderFieldsConfidences?: outputs.securityhub.InsightFiltersFindingProviderFieldsConfidence[]; /** - * Inspect the request body as JSON. See JSON Body for details. + * The finding provider value for the level of importance assigned to the resources associated with the findings. A score of 0 means that the underlying resources have no criticality, and a score of 100 is reserved for the most critical resources. See Number Filter below for more details. */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody; + findingProviderFieldsCriticalities?: outputs.securityhub.InsightFiltersFindingProviderFieldsCriticality[]; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * The finding identifier of a related finding that is identified by the finding provider. See String Filter below for more details. */ - method?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod; + findingProviderFieldsRelatedFindingsIds?: outputs.securityhub.InsightFiltersFindingProviderFieldsRelatedFindingsId[]; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * The ARN of the solution that generated a related finding that is identified by the finding provider. See String Filter below for more details. 
*/ - queryString?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString; + findingProviderFieldsRelatedFindingsProductArns?: outputs.securityhub.InsightFiltersFindingProviderFieldsRelatedFindingsProductArn[]; /** - * Inspect a single header. See Single Header below for details. + * The finding provider value for the severity label. See String Filter below for more details. */ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader; + findingProviderFieldsSeverityLabels?: outputs.securityhub.InsightFiltersFindingProviderFieldsSeverityLabel[]; /** - * Inspect a single query argument. See Single Query Argument below for details. + * The finding provider's original value for the severity. See String Filter below for more details. */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument; + findingProviderFieldsSeverityOriginals?: outputs.securityhub.InsightFiltersFindingProviderFieldsSeverityOriginal[]; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * One or more finding types that the finding provider assigned to the finding. Uses the format of `namespace/category/classifier` that classify a finding. Valid namespace values include: `Software and Configuration Checks`, `TTPs`, `Effects`, `Unusual Behaviors`, and `Sensitive Data Identifications`. See String Filter below for more details. 
*/ - uriPath?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody { - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies { + findingProviderFieldsTypes?: outputs.securityhub.InsightFiltersFindingProviderFieldsType[]; /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * An ISO8601-formatted timestamp that indicates when the security-findings provider first observed the potential security issue that a finding captured. See Date Filter below for more details. */ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern[]; + firstObservedAts?: outputs.securityhub.InsightFiltersFirstObservedAt[]; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The identifier for the solution-specific component (a discrete unit of logic) that generated a finding. See String Filter below for more details. */ - matchScope: string; + generatorIds?: outputs.securityhub.InsightFiltersGeneratorId[]; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. 
The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * The security findings provider-specific identifier for a finding. See String Filter below for more details. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader { + ids?: outputs.securityhub.InsightFiltersId[]; /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * A keyword for a finding. See Keyword Filter below for more details. */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern; + keywords?: outputs.securityhub.InsightFiltersKeyword[]; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * An ISO8601-formatted timestamp that indicates when the security-findings provider most recently observed the potential security issue that a finding captured. See Date Filter below for more details. 
*/ - matchScope: string; + lastObservedAts?: outputs.securityhub.InsightFiltersLastObservedAt[]; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The name of the malware that was observed. See String Filter below for more details. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern { + malwareNames?: outputs.securityhub.InsightFiltersMalwareName[]; /** - * An empty configuration block that is used for inspecting all headers. + * The filesystem path of the malware that was observed. See String Filter below for more details. */ - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll; + malwarePaths?: outputs.securityhub.InsightFiltersMalwarePath[]; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * The state of the malware that was observed. See String Filter below for more details. */ - excludedHeaders?: string[]; + malwareStates?: outputs.securityhub.InsightFiltersMalwareState[]; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * The type of the malware that was observed. See String Filter below for more details. 
*/ - includedHeaders?: string[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder { + malwareTypes?: outputs.securityhub.InsightFiltersMalwareType[]; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The destination domain of network-related information about a finding. See String Filter below for more details. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody { + networkDestinationDomains?: outputs.securityhub.InsightFiltersNetworkDestinationDomain[]; /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * The destination IPv4 address of network-related information about a finding. See Ip Filter below for more details. */ - invalidFallbackBehavior?: string; + networkDestinationIpv4s?: outputs.securityhub.InsightFiltersNetworkDestinationIpv4[]; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * The destination IPv6 address of network-related information about a finding. 
See Ip Filter below for more details. */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern; + networkDestinationIpv6s?: outputs.securityhub.InsightFiltersNetworkDestinationIpv6[]; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * The destination port of network-related information about a finding. See Number Filter below for more details. */ - matchScope: string; + networkDestinationPorts?: outputs.securityhub.InsightFiltersNetworkDestinationPort[]; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Indicates the direction of network traffic associated with a finding. See String Filter below for more details. */ - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader { + networkDirections?: outputs.securityhub.InsightFiltersNetworkDirection[]; /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * The protocol of network-related information about a finding. See String Filter below for more details. 
*/ - name: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument { + networkProtocols?: outputs.securityhub.InsightFiltersNetworkProtocol[]; /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * The source domain of network-related information about a finding. See String Filter below for more details. */ - name: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation { + networkSourceDomains?: outputs.securityhub.InsightFiltersNetworkSourceDomain[]; /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The source IPv4 address of network-related information about a finding. See Ip Filter below for more details. */ - priority: number; + networkSourceIpv4s?: outputs.securityhub.InsightFiltersNetworkSourceIpv4[]; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The source IPv6 address of network-related information about a finding. See Ip Filter below for more details. */ - type: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement { + networkSourceIpv6s?: outputs.securityhub.InsightFiltersNetworkSourceIpv6[]; /** - * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. + * The source media access control (MAC) address of network-related information about a finding. See String Filter below for more details. 
*/ - arn: string; + networkSourceMacs?: outputs.securityhub.InsightFiltersNetworkSourceMac[]; /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. + * The source port of network-related information about a finding. See Number Filter below for more details. */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch; + networkSourcePorts?: outputs.securityhub.InsightFiltersNetworkSourcePort[]; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. + * The text of a note. See String Filter below for more details. */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch { + noteTexts?: outputs.securityhub.InsightFiltersNoteText[]; /** - * Inspect all query arguments. + * The timestamp of when the note was updated. See Date Filter below for more details. */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments; + noteUpdatedAts?: outputs.securityhub.InsightFiltersNoteUpdatedAt[]; /** - * Inspect the request body, which immediately follows the request headers. + * The principal that created a note. See String Filter below for more details. */ - body?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody; + noteUpdatedBies?: outputs.securityhub.InsightFiltersNoteUpdatedBy[]; /** - * Inspect the cookies in the web request. See Cookies below for details. 
+ * The date/time that the process was launched. See Date Filter below for more details. */ - cookies?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies; + processLaunchedAts?: outputs.securityhub.InsightFiltersProcessLaunchedAt[]; /** - * Inspect the request headers. See Header Order below for details. + * The name of the process. See String Filter below for more details. */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder[]; + processNames?: outputs.securityhub.InsightFiltersProcessName[]; /** - * Inspect the request headers. See Headers below for details. + * The parent process ID. See Number Filter below for more details. */ - headers?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint; + processParentPids?: outputs.securityhub.InsightFiltersProcessParentPid[]; /** - * Inspect the request body as JSON. See JSON Body for details. + * The path to the process executable. See String Filter below for more details. */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody; + processPaths?: outputs.securityhub.InsightFiltersProcessPath[]; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * The process ID. See Number Filter below for more details. */ - method?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod; + processPids?: outputs.securityhub.InsightFiltersProcessPid[]; /** - * Inspect the query string. 
This is the part of a URL that appears after a `?` character, if any. + * The date/time that the process was terminated. See Date Filter below for more details. */ - queryString?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString; + processTerminatedAts?: outputs.securityhub.InsightFiltersProcessTerminatedAt[]; /** - * Inspect a single header. See Single Header below for details. + * The ARN generated by Security Hub that uniquely identifies a third-party company (security findings provider) after this provider's product (solution that generates findings) is registered with Security Hub. See String Filter below for more details. */ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader; + productArns?: outputs.securityhub.InsightFiltersProductArn[]; /** - * Inspect a single query argument. See Single Query Argument below for details. + * A data type where security-findings providers can include additional solution-specific details that aren't part of the defined `AwsSecurityFinding` format. See Map Filter below for more details. */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument; + productFields?: outputs.securityhub.InsightFiltersProductField[]; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * The name of the solution (product) that generates findings. See String Filter below for more details. 
*/ - uriPath?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody { - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies { + productNames?: outputs.securityhub.InsightFiltersProductName[]; /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * The recommendation of what to do about the issue described in a finding. See String Filter below for more details. */ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern[]; + recommendationTexts?: outputs.securityhub.InsightFiltersRecommendationText[]; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The updated record state for the finding. See String Filter below for more details. */ - matchScope: string; + recordStates?: outputs.securityhub.InsightFiltersRecordState[]; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. 
The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * The solution-generated identifier for a related finding. See String Filter below for more details. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader { + relatedFindingsIds?: outputs.securityhub.InsightFiltersRelatedFindingsId[]; /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * The ARN of the solution that generated a related finding. See String Filter below for more details. */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern; + relatedFindingsProductArns?: outputs.securityhub.InsightFiltersRelatedFindingsProductArn[]; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * The IAM profile ARN of the instance. See String Filter below for more details. 
*/ - matchScope: string; + resourceAwsEc2InstanceIamInstanceProfileArns?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceIamInstanceProfileArn[]; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The Amazon Machine Image (AMI) ID of the instance. See String Filter below for more details. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern { + resourceAwsEc2InstanceImageIds?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceImageId[]; /** - * An empty configuration block that is used for inspecting all headers. + * The IPv4 addresses associated with the instance. See Ip Filter below for more details. */ - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll; + resourceAwsEc2InstanceIpv4Addresses?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceIpv4Address[]; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * The IPv6 addresses associated with the instance. See Ip Filter below for more details. */ - excludedHeaders?: string[]; + resourceAwsEc2InstanceIpv6Addresses?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceIpv6Address[]; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * The key name associated with the instance. See String Filter below for more details. 
*/ - includedHeaders?: string[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder { + resourceAwsEc2InstanceKeyNames?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceKeyName[]; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The date and time the instance was launched. See Date Filter below for more details. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody { + resourceAwsEc2InstanceLaunchedAts?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceLaunchedAt[]; /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * The identifier of the subnet that the instance was launched in. See String Filter below for more details. */ - invalidFallbackBehavior?: string; + resourceAwsEc2InstanceSubnetIds?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceSubnetId[]; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. 
+ * The instance type of the instance. See String Filter below for more details. */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern; + resourceAwsEc2InstanceTypes?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceType[]; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * The identifier of the VPC that the instance was launched in. See String Filter below for more details. */ - matchScope: string; + resourceAwsEc2InstanceVpcIds?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceVpcId[]; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * The creation date/time of the IAM access key related to a finding. See Date Filter below for more details. */ - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader { + resourceAwsIamAccessKeyCreatedAts?: outputs.securityhub.InsightFiltersResourceAwsIamAccessKeyCreatedAt[]; /** - * The name of the query 
header to inspect. This setting must be provided as lower case characters. + * The status of the IAM access key related to a finding. See String Filter below for more details. */ - name: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument { + resourceAwsIamAccessKeyStatuses?: outputs.securityhub.InsightFiltersResourceAwsIamAccessKeyStatus[]; /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * The user associated with the IAM access key related to a finding. See String Filter below for more details. */ - name: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation { + resourceAwsIamAccessKeyUserNames?: outputs.securityhub.InsightFiltersResourceAwsIamAccessKeyUserName[]; /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The canonical user ID of the owner of the S3 bucket. See String Filter below for more details. */ - priority: number; + resourceAwsS3BucketOwnerIds?: outputs.securityhub.InsightFiltersResourceAwsS3BucketOwnerId[]; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The display name of the owner of the S3 bucket. See String Filter below for more details. 
*/ - type: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement { + resourceAwsS3BucketOwnerNames?: outputs.securityhub.InsightFiltersResourceAwsS3BucketOwnerName[]; /** - * The operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. + * The identifier of the image related to a finding. See String Filter below for more details. */ - comparisonOperator: string; + resourceContainerImageIds?: outputs.securityhub.InsightFiltersResourceContainerImageId[]; /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. + * The name of the image related to a finding. See String Filter below for more details. */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch; + resourceContainerImageNames?: outputs.securityhub.InsightFiltersResourceContainerImageName[]; /** - * The size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. + * The date/time that the container was started. See Date Filter below for more details. */ - size: number; + resourceContainerLaunchedAts?: outputs.securityhub.InsightFiltersResourceContainerLaunchedAt[]; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. + * The name of the container related to a finding. See String Filter below for more details. 
*/ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch { + resourceContainerNames?: outputs.securityhub.InsightFiltersResourceContainerName[]; /** - * Inspect all query arguments. + * The details of a resource that doesn't have a specific subfield for the resource type defined. See Map Filter below for more details. */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments; + resourceDetailsOthers?: outputs.securityhub.InsightFiltersResourceDetailsOther[]; /** - * Inspect the request body, which immediately follows the request headers. + * The canonical identifier for the given resource type. See String Filter below for more details. */ - body?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody; + resourceIds?: outputs.securityhub.InsightFiltersResourceId[]; /** - * Inspect the cookies in the web request. See Cookies below for details. + * The canonical AWS partition name that the Region is assigned to. See String Filter below for more details. */ - cookies?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies; + resourcePartitions?: outputs.securityhub.InsightFiltersResourcePartition[]; /** - * Inspect the request headers. See Header Order below for details. + * The canonical AWS external Region name where this resource is located. See String Filter below for more details. */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder[]; + resourceRegions?: outputs.securityhub.InsightFiltersResourceRegion[]; /** - * Inspect the request headers. 
See Headers below for details. + * A list of AWS tags associated with a resource at the time the finding was processed. See Map Filter below for more details. */ - headers?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint; + resourceTags?: outputs.securityhub.InsightFiltersResourceTag[]; /** - * Inspect the request body as JSON. See JSON Body for details. + * Specifies the type of the resource that details are provided for. See String Filter below for more details. */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody; + resourceTypes?: outputs.securityhub.InsightFiltersResourceType[]; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * The label of a finding's severity. See String Filter below for more details. */ - method?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod; + severityLabels?: outputs.securityhub.InsightFiltersSeverityLabel[]; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * A URL that links to a page about the current finding in the security-findings provider's solution. See String Filter below for more details. */ - queryString?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString; + sourceUrls?: outputs.securityhub.InsightFiltersSourceUrl[]; /** - * Inspect a single header. See Single Header below for details. + * The category of a threat intelligence indicator. See String Filter below for more details. 
*/ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader; + threatIntelIndicatorCategories?: outputs.securityhub.InsightFiltersThreatIntelIndicatorCategory[]; /** - * Inspect a single query argument. See Single Query Argument below for details. + * The date/time of the last observation of a threat intelligence indicator. See Date Filter below for more details. */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument; + threatIntelIndicatorLastObservedAts?: outputs.securityhub.InsightFiltersThreatIntelIndicatorLastObservedAt[]; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * The URL for more details from the source of the threat intelligence. See String Filter below for more details. */ - uriPath?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody { - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies { + threatIntelIndicatorSourceUrls?: outputs.securityhub.InsightFiltersThreatIntelIndicatorSourceUrl[]; /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * The source of the threat intelligence. See String Filter below for more details. 
*/ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern[]; + threatIntelIndicatorSources?: outputs.securityhub.InsightFiltersThreatIntelIndicatorSource[]; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The type of a threat intelligence indicator. See String Filter below for more details. */ - matchScope: string; + threatIntelIndicatorTypes?: outputs.securityhub.InsightFiltersThreatIntelIndicatorType[]; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * The value of a threat intelligence indicator. See String Filter below for more details. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader { + threatIntelIndicatorValues?: outputs.securityhub.InsightFiltersThreatIntelIndicatorValue[]; /** - * The filter to use to identify the subset of headers to inspect in a web request. 
The `matchPattern` block supports only one of the following arguments: + * A finding's title. See String Filter below for more details. */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern; + titles?: outputs.securityhub.InsightFiltersTitle[]; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * A finding type in the format of `namespace/category/classifier` that classifies a finding. See String Filter below for more details. */ - matchScope: string; + types?: outputs.securityhub.InsightFiltersType[]; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * An ISO8601-formatted timestamp that indicates when the security-findings provider last updated the finding record. See Date Filter below for more details. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern { + updatedAts?: outputs.securityhub.InsightFiltersUpdatedAt[]; /** - * An empty configuration block that is used for inspecting all headers. + * A list of name/value string pairs associated with the finding. These are custom, user-defined fields added to a finding. See Map Filter below for more details. 
*/ - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll; + userDefinedValues?: outputs.securityhub.InsightFiltersUserDefinedValue[]; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * The veracity of a finding. See String Filter below for more details. */ - excludedHeaders?: string[]; + verificationStates?: outputs.securityhub.InsightFiltersVerificationState[]; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * The status of the investigation into a finding. See Workflow Status Filter below for more details. */ - includedHeaders?: string[]; + workflowStatuses?: outputs.securityhub.InsightFiltersWorkflowStatus[]; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll { + export interface InsightFiltersAwsAccountId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: string; + export interface InsightFiltersCompanyName { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; + export interface InsightFiltersComplianceStatus { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: string; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern; + export interface InsightFiltersConfidence { + eq?: string; + gte?: string; + lte?: string; + } + + export interface InsightFiltersCreatedAt { + dateRange?: outputs.securityhub.InsightFiltersCreatedAtDateRange; + end?: string; + start?: string; + } + + export interface InsightFiltersCreatedAtDateRange { /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * A date range unit for the date filter. Valid values: `DAYS`. */ - matchScope: string; + unit: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * A date range value for the date filter, provided as an Integer. 
*/ - oversizeHandling?: string; + value: number; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + export interface InsightFiltersCriticality { + eq?: string; + gte?: string; + lte?: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll { + export interface InsightFiltersDescription { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod { + export interface InsightFiltersFindingProviderFieldsConfidence { + eq?: string; + gte?: string; + lte?: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString { + export interface InsightFiltersFindingProviderFieldsCriticality { + eq?: string; + gte?: string; + lte?: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: string; + export interface InsightFiltersFindingProviderFieldsRelatedFindingsId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: string; + export interface InsightFiltersFindingProviderFieldsRelatedFindingsProductArn { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath { + export interface InsightFiltersFindingProviderFieldsSeverityLabel { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: number; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: string; + export interface InsightFiltersFindingProviderFieldsSeverityOriginal { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. 
- */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation[]; + export interface InsightFiltersFindingProviderFieldsType { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder[]; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod; - /** - * Inspect the query string. 
This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString; - /** - * Inspect a single header. See Single Header below for details. - */ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader; + export interface InsightFiltersFirstObservedAt { + dateRange?: outputs.securityhub.InsightFiltersFirstObservedAtDateRange; + end?: string; + start?: string; + } + + export interface InsightFiltersFirstObservedAtDateRange { /** - * Inspect a single query argument. See Single Query Argument below for details. + * A date range unit for the date filter. Valid values: `DAYS`. */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument; + unit: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * A date range value for the date filter, provided as an Integer. */ - uriPath?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath; + value: number; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments { + export interface InsightFiltersGeneratorId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody { - oversizeHandling?: string; + export interface InsightFiltersId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies { + export interface InsightFiltersKeyword { /** - * The filter to use to identify the subset of cookies to inspect in a web request. 
You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * A value for the keyword. */ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern[]; + value: string; + } + + export interface InsightFiltersLastObservedAt { + dateRange?: outputs.securityhub.InsightFiltersLastObservedAtDateRange; + end?: string; + start?: string; + } + + export interface InsightFiltersLastObservedAtDateRange { /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * A date range unit for the date filter. Valid values: `DAYS`. */ - matchScope: string; + unit: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * A date range value for the date filter, provided as an Integer. 
*/ - oversizeHandling: string; + value: number; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + export interface InsightFiltersMalwareName { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll { + export interface InsightFiltersMalwarePath { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: string; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: string; + export interface InsightFiltersMalwareState { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: string[]; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: string[]; + export interface InsightFiltersMalwareType { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll { + export interface InsightFiltersNetworkDestinationDomain { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: string; + export interface InsightFiltersNetworkDestinationIpv4 { + cidr: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; + export interface InsightFiltersNetworkDestinationIpv6 { + cidr: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: string; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: string; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
- */ - oversizeHandling?: string; + export interface InsightFiltersNetworkDestinationPort { + eq?: string; + gte?: string; + lte?: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + export interface InsightFiltersNetworkDirection { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll { + export interface InsightFiltersNetworkProtocol { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod { + export interface InsightFiltersNetworkSourceDomain { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString { + export interface InsightFiltersNetworkSourceIpv4 { + cidr: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: string; + export interface InsightFiltersNetworkSourceIpv6 { + cidr: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: string; + export interface InsightFiltersNetworkSourceMac { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath { + export interface InsightFiltersNetworkSourcePort { + eq?: string; + gte?: string; + lte?: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: number; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: string; + export interface InsightFiltersNoteText { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. - */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation[]; + export interface InsightFiltersNoteUpdatedAt { + dateRange?: outputs.securityhub.InsightFiltersNoteUpdatedAtDateRange; + end?: string; + start?: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch { - /** - * Inspect all query arguments. 
- */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder[]; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString; - /** - * Inspect a single header. See Single Header below for details. 
- */ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader; + export interface InsightFiltersNoteUpdatedAtDateRange { /** - * Inspect a single query argument. See Single Query Argument below for details. + * A date range unit for the date filter. Valid values: `DAYS`. */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument; + unit: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * A date range value for the date filter, provided as an Integer. */ - uriPath?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath; + value: number; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments { + export interface InsightFiltersNoteUpdatedBy { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody { - oversizeHandling?: string; + export interface InsightFiltersProcessLaunchedAt { + dateRange?: outputs.securityhub.InsightFiltersProcessLaunchedAtDateRange; + end?: string; + start?: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern[]; + export interface InsightFiltersProcessLaunchedAtDateRange { /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * A date range unit for the date filter. Valid values: `DAYS`. */ - matchScope: string; + unit: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * A date range value for the date filter, provided as an Integer. */ - oversizeHandling: string; + value: number; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + export interface InsightFiltersProcessName { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll { + export interface InsightFiltersProcessParentPid { + eq?: string; + gte?: string; + lte?: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. 
The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: string; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: string; + export interface InsightFiltersProcessPath { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll; + export interface InsightFiltersProcessPid { + eq?: string; + gte?: string; + lte?: string; + } + + export interface InsightFiltersProcessTerminatedAt { + dateRange?: outputs.securityhub.InsightFiltersProcessTerminatedAtDateRange; + end?: string; + start?: string; + } + + export interface InsightFiltersProcessTerminatedAtDateRange { /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * A date range unit for the date filter. Valid values: `DAYS`. */ - excludedHeaders?: string[]; + unit: string; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. 
+ * A date range value for the date filter, provided as an Integer. */ - includedHeaders?: string[]; + value: number; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll { + export interface InsightFiltersProductArn { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: string; + export interface InsightFiltersProductField { + comparison: string; + key: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; + export interface InsightFiltersProductName { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: string; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern; - /** - * The parts of the JSON to match against using the `matchPattern`. 
Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: string; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. - */ - oversizeHandling?: string; + export interface InsightFiltersRecommendationText { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + export interface InsightFiltersRecordState { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll { + export interface InsightFiltersRelatedFindingsId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod { + export interface InsightFiltersRelatedFindingsProductArn { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString { + export interface InsightFiltersResourceAwsEc2InstanceIamInstanceProfileArn { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: string; + export interface InsightFiltersResourceAwsEc2InstanceImageId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: string; + export interface InsightFiltersResourceAwsEc2InstanceIpv4Address { + cidr: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath { + export interface InsightFiltersResourceAwsEc2InstanceIpv6Address { + cidr: string; } - export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: number; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: string; + export interface InsightFiltersResourceAwsEc2InstanceKeyName { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatch; - /** - * The string representing the regular expression. **Note:** The fixed quota for the maximum number of characters in each regex pattern is 200, which can't be changed. See [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) for details. - */ - regexString: string; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. 
- */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementTextTransformation[]; + export interface InsightFiltersResourceAwsEc2InstanceLaunchedAt { + dateRange?: outputs.securityhub.InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange; + end?: string; + start?: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchBody; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookies; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderOrder[]; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBody; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchMethod; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchQueryString; - /** - * Inspect a single header. See Single Header below for details. 
- */ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleHeader; + export interface InsightFiltersResourceAwsEc2InstanceLaunchedAtDateRange { /** - * Inspect a single query argument. See Single Query Argument below for details. + * A date range unit for the date filter. Valid values: `DAYS`. */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument; + unit: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * A date range value for the date filter, provided as an Integer. */ - uriPath?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchUriPath; + value: number; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments { + export interface InsightFiltersResourceAwsEc2InstanceSubnetId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchBody { - oversizeHandling?: string; + export interface InsightFiltersResourceAwsEc2InstanceType { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern[]; + export interface InsightFiltersResourceAwsEc2InstanceVpcId { + comparison: string; + value: string; + } + + export interface InsightFiltersResourceAwsIamAccessKeyCreatedAt { + dateRange?: outputs.securityhub.InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange; + end?: string; + start?: string; + } + + export interface InsightFiltersResourceAwsIamAccessKeyCreatedAtDateRange { /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * A date range unit for the date filter. Valid values: `DAYS`. */ - matchScope: string; + unit: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * A date range value for the date filter, provided as an Integer. 
*/ - oversizeHandling: string; + value: number; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + export interface InsightFiltersResourceAwsIamAccessKeyStatus { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll { + export interface InsightFiltersResourceAwsIamAccessKeyUserName { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: string; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: string; + export interface InsightFiltersResourceAwsS3BucketOwnerId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. 
- */ - all?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: string[]; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: string[]; + export interface InsightFiltersResourceAwsS3BucketOwnerName { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll { + export interface InsightFiltersResourceContainerImageId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: string; + export interface InsightFiltersResourceContainerImageName { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; + export interface InsightFiltersResourceContainerLaunchedAt { + dateRange?: outputs.securityhub.InsightFiltersResourceContainerLaunchedAtDateRange; + end?: string; + start?: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: string; - /** - * The patterns to look for in the JSON body. 
You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern; + export interface InsightFiltersResourceContainerLaunchedAtDateRange { /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * A date range unit for the date filter. Valid values: `DAYS`. */ - matchScope: string; + unit: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * A date range value for the date filter, provided as an Integer. */ - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + value: number; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll { + export interface InsightFiltersResourceContainerName { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchMethod { + export interface InsightFiltersResourceDetailsOther { + comparison: string; + key: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchQueryString { + export interface InsightFiltersResourceId { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: string; + export interface InsightFiltersResourcePartition { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: string; + export interface InsightFiltersResourceRegion { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementFieldToMatchUriPath { + export interface InsightFiltersResourceTag { + comparison: string; + key: string; + value: string; } - export interface RuleGroupRuleStatementRegexMatchStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: number; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: string; + export interface InsightFiltersResourceType { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatement { - /** - * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. - */ - arn: string; - /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. - */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatch; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. 
- */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementTextTransformation[]; + export interface InsightFiltersSeverityLabel { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder[]; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString; - /** - * Inspect a single header. 
See Single Header below for details. - */ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader; - /** - * Inspect a single query argument. See Single Query Argument below for details. - */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath; + export interface InsightFiltersSourceUrl { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments { + export interface InsightFiltersThreatIntelIndicatorCategory { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody { - oversizeHandling?: string; + export interface InsightFiltersThreatIntelIndicatorLastObservedAt { + dateRange?: outputs.securityhub.InsightFiltersThreatIntelIndicatorLastObservedAtDateRange; + end?: string; + start?: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern[]; + export interface InsightFiltersThreatIntelIndicatorLastObservedAtDateRange { /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE` + * A date range unit for the date filter. Valid values: `DAYS`. */ - matchScope: string; + unit: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * A date range value for the date filter, provided as an Integer. */ - oversizeHandling: string; + value: number; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + export interface InsightFiltersThreatIntelIndicatorSource { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll { + export interface InsightFiltersThreatIntelIndicatorSourceUrl { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: string; - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. 
Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: string; + export interface InsightFiltersThreatIntelIndicatorType { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: string[]; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: string[]; + export interface InsightFiltersThreatIntelIndicatorValue { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll { + export interface InsightFiltersTitle { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. 
- */ - oversizeHandling: string; + export interface InsightFiltersType { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; + export interface InsightFiltersUpdatedAt { + dateRange?: outputs.securityhub.InsightFiltersUpdatedAtDateRange; + end?: string; + start?: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: string; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern; + export interface InsightFiltersUpdatedAtDateRange { /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * A date range unit for the date filter. Valid values: `DAYS`. */ - matchScope: string; + unit: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * A date range value for the date filter, provided as an Integer. 
*/ - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll { + value: number; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod { + export interface InsightFiltersUserDefinedValue { + comparison: string; + key: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString { + export interface InsightFiltersVerificationState { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader { - /** - * The name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: string; + export interface InsightFiltersWorkflowStatus { + comparison: string; + value: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument { + export interface OrganizationConfigurationOrganizationConfiguration { /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * Indicates whether the organization uses local or central configuration. If using central configuration, `autoEnable` must be set to `false` and `autoEnableStandards` set to `NONE`. More information can be found in the [documentation for central configuration](https://docs.aws.amazon.com/securityhub/latest/userguide/central-configuration-intro.html). Valid values: `LOCAL`, `CENTRAL`. 
*/ - name: string; - } - - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath { + configurationType: string; } - export interface RuleGroupRuleStatementRegexPatternSetReferenceStatementTextTransformation { - /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: number; - /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. - */ - type: string; - } +} - export interface RuleGroupRuleStatementSizeConstraintStatement { +export namespace securitylake { + export interface AwsLogSourceSource { /** - * The operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. + * Specify the AWS account information where you want to enable Security Lake. + * If not specified, uses all accounts included in the Security Lake. */ - comparisonOperator: string; + accounts: string[]; /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. + * Specify the Regions where you want to enable Security Lake. */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatch; + regions: string[]; /** - * The size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. + * The name for a AWS source. This must be a Regionally unique value. Valid values: `ROUTE53`, `VPC_FLOW`, `SH_FINDINGS`, `CLOUD_TRAIL_MGMT`, `LAMBDA_EXECUTION`, `S3_DATA`. */ - size: number; + sourceName: string; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. 
- * At least one required. - * See Text Transformation below for details. + * The version for a AWS source. + * If not specified, the version will be the default. + * This must be a Regionally unique value. */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementTextTransformation[]; + sourceVersion: string; } - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments; - /** - * Inspect the request body, which immediately follows the request headers. - */ - body?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchBody; - /** - * Inspect the cookies in the web request. See Cookies below for details. - */ - cookies?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookies; - /** - * Inspect the request headers. See Header Order below for details. - */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder[]; - /** - * Inspect the request headers. See Headers below for details. - */ - headers?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint; - /** - * Inspect the request body as JSON. See JSON Body for details. - */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBody; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. - */ - method?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchMethod; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. 
- */ - queryString?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchQueryString; + export interface CustomLogSourceAttribute { /** - * Inspect a single header. See Single Header below for details. + * The ARN of the AWS Glue crawler. */ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleHeader; + crawlerArn: string; /** - * Inspect a single query argument. See Single Query Argument below for details. + * The ARN of the AWS Glue database where results are written. */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument; + databaseArn: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * The ARN of the AWS Glue table. */ - uriPath?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchUriPath; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchBody { - oversizeHandling?: string; + tableArn: string; } - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern[]; + export interface CustomLogSourceConfiguration { /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The configuration for the Glue Crawler for the third-party custom source. 
*/ - matchScope: string; + crawlerConfiguration?: outputs.securitylake.CustomLogSourceConfigurationCrawlerConfiguration; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * The identity of the log provider for the third-party custom source. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll { + providerIdentity?: outputs.securitylake.CustomLogSourceConfigurationProviderIdentity; } - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: string; + export interface CustomLogSourceConfigurationCrawlerConfiguration { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role to be used by the AWS Glue crawler. */ - oversizeHandling: string; + roleArn: string; } - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: string[]; + export interface CustomLogSourceConfigurationProviderIdentity { /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * The external ID used to estalish trust relationship with the AWS identity. */ - includedHeaders?: string[]; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder { + externalId: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The AWS identity principal. 
*/ - oversizeHandling: string; + principal: string; } - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; + export interface CustomLogSourceProviderDetail { + /** + * The location of the partition in the Amazon S3 bucket for Security Lake. + */ + location: string; + /** + * The ARN of the IAM role to be used by the entity putting logs into your custom source partition. + */ + roleArn: string; } - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBody { + export interface DataLakeConfiguration { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * Provides encryption details of Amazon Security Lake object. */ - invalidFallbackBehavior?: string; + encryptionConfigurations: outputs.securitylake.DataLakeConfigurationEncryptionConfiguration[]; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Provides lifecycle details of Amazon Security Lake object. */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern; + lifecycleConfiguration?: outputs.securitylake.DataLakeConfigurationLifecycleConfiguration; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * The AWS Regions where Security Lake is automatically enabled. */ - matchScope: string; + region: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Provides replication details of Amazon Security Lake object. 
*/ - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchMethod { - } - - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchQueryString { + replicationConfiguration?: outputs.securitylake.DataLakeConfigurationReplicationConfiguration; } - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleHeader { + export interface DataLakeConfigurationEncryptionConfiguration { /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * The id of KMS encryption key used by Amazon Security Lake to encrypt the Security Lake object. */ - name: string; + kmsKeyId: string; } - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument { + export interface DataLakeConfigurationLifecycleConfiguration { /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * Provides data expiration details of Amazon Security Lake object. */ - name: string; + expiration?: outputs.securitylake.DataLakeConfigurationLifecycleConfigurationExpiration; + /** + * Provides data storage transition details of Amazon Security Lake object. + */ + transitions?: outputs.securitylake.DataLakeConfigurationLifecycleConfigurationTransition[]; } - export interface RuleGroupRuleStatementSizeConstraintStatementFieldToMatchUriPath { + export interface DataLakeConfigurationLifecycleConfigurationExpiration { + /** + * Number of days before data transition to a different S3 Storage Class in the Amazon Security Lake object. 
+ */ + days?: number; } - export interface RuleGroupRuleStatementSizeConstraintStatementTextTransformation { + export interface DataLakeConfigurationLifecycleConfigurationTransition { /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Number of days before data transition to a different S3 Storage Class in the Amazon Security Lake object. */ - priority: number; + days?: number; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The range of storage classes that you can choose from based on the data access, resiliency, and cost requirements of your workloads. */ - type: string; + storageClass?: string; } - export interface RuleGroupRuleStatementSqliMatchStatement { + export interface DataLakeConfigurationReplicationConfiguration { /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. + * Replication enables automatic, asynchronous copying of objects across Amazon S3 buckets. Amazon S3 buckets that are configured for object replication can be owned by the same AWS account or by different accounts. You can replicate objects to a single destination bucket or to multiple destination buckets. The destination buckets can be in different AWS Regions or within the same Region as the source bucket. */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatch; + regions?: string[]; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. + * Replication settings for the Amazon S3 buckets. 
This parameter uses the AWS Identity and Access Management (IAM) role you created that is managed by Security Lake, to ensure the replication setting is correct. */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementTextTransformation[]; + roleArn?: string; } - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments; + export interface DataLakeTimeouts { /** - * Inspect the request body, which immediately follows the request headers. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - body?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchBody; + create?: string; /** - * Inspect the cookies in the web request. See Cookies below for details. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. */ - cookies?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookies; + delete?: string; /** - * Inspect the request headers. See Header Order below for details. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderOrder[]; + update?: string; + } + + export interface SubscriberNotificationConfiguration { /** - * Inspect the request headers. 
See Headers below for details. + * The configurations for HTTPS subscriber notification. */ - headers?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint; + httpsNotificationConfiguration?: outputs.securitylake.SubscriberNotificationConfigurationHttpsNotificationConfiguration; /** - * Inspect the request body as JSON. See JSON Body for details. + * The configurations for SQS subscriber notification. + * There are no parameters within `sqsNotificationConfiguration`. */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBody; + sqsNotificationConfiguration?: outputs.securitylake.SubscriberNotificationConfigurationSqsNotificationConfiguration; + } + + export interface SubscriberNotificationConfigurationHttpsNotificationConfiguration { /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * The API key name for the notification subscription. */ - method?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchMethod; + authorizationApiKeyName?: string; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * The API key value for the notification subscription. */ - queryString?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchQueryString; + authorizationApiKeyValue?: string; /** - * Inspect a single header. See Single Header below for details. + * The subscription endpoint in Security Lake. + * If you prefer notification with an HTTPS endpoint, populate this field. */ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleHeader; + endpoint: string; /** - * Inspect a single query argument. See Single Query Argument below for details. + * The HTTP method used for the notification subscription. 
+ * Valid values are `POST` and `PUT`. */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument; + httpMethod?: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * The Amazon Resource Name (ARN) of the EventBridge API destinations IAM role that you created. + * For more information about ARNs and how to use them in policies, see Managing data access and AWS Managed Policies in the Amazon Security Lake User Guide. */ - uriPath?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchUriPath; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments { + targetRoleArn: string; } - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchBody { - oversizeHandling?: string; + export interface SubscriberNotificationConfigurationSqsNotificationConfiguration { } - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern[]; + export interface SubscriberSource { /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * Amazon Security Lake supports log and event collection for natively supported AWS services. */ - matchScope: string; + awsLogSourceResource?: outputs.securitylake.SubscriberSourceAwsLogSourceResource; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. 
AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * Amazon Security Lake supports custom source types. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + customLogSourceResource?: outputs.securitylake.SubscriberSourceCustomLogSourceResource; } - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll { + export interface SubscriberSourceAwsLogSourceResource { + /** + * The name for a third-party custom source. This must be a Regionally unique value. + */ + sourceName: string; + /** + * The version for a third-party custom source. This must be a Regionally unique value. + */ + sourceVersion: string; } - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeader { + export interface SubscriberSourceCustomLogSourceResource { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * The attributes of a third-party custom source. */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern; + attributes: outputs.securitylake.SubscriberSourceCustomLogSourceResourceAttribute[]; + providers: outputs.securitylake.SubscriberSourceCustomLogSourceResourceProvider[]; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * The name for a third-party custom source. 
This must be a Regionally unique value. */ - matchScope: string; + sourceName: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The version for a third-party custom source. This must be a Regionally unique value. */ - oversizeHandling: string; + sourceVersion: string; } - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern { + export interface SubscriberSourceCustomLogSourceResourceAttribute { /** - * An empty configuration block that is used for inspecting all headers. + * The ARN of the AWS Glue crawler. */ - all?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll; + crawlerArn: string; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * The ARN of the AWS Glue database where results are written. */ - excludedHeaders?: string[]; + databaseArn: string; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * The ARN of the AWS Glue table. */ - includedHeaders?: string[]; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll { + tableArn: string; } - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchHeaderOrder { + export interface SubscriberSourceCustomLogSourceResourceProvider { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The location of the partition in the Amazon S3 bucket for Security Lake. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; + location: string; + /** + * The ARN of the IAM role to be used by the entity putting logs into your custom source partition. + */ + roleArn: string; } - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBody { + export interface SubscriberSubscriberIdentity { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * The AWS Regions where Security Lake is automatically enabled. */ - invalidFallbackBehavior?: string; + externalId: string; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Provides encryption details of Amazon Security Lake object. */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern; + principal: string; + } + + export interface SubscriberTimeouts { /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - matchScope: string; + create?: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
+ * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. */ - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchMethod { + delete?: string; + /** + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + */ + update?: string; } - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchQueryString { - } +} - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleHeader { +export namespace servicecatalog { + export interface GetLaunchPathsSummary { /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * Block for constraints on the portfolio-product relationship. See details below. */ - name: string; - } - - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument { + constraintSummaries: outputs.servicecatalog.GetLaunchPathsSummaryConstraintSummary[]; /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * Name of the portfolio to which the path was assigned. */ name: string; + /** + * Identifier of the product path. 
+ */ + pathId: string; + /** + * Tags associated with this product path. + */ + tags: {[key: string]: string}; } - export interface RuleGroupRuleStatementSqliMatchStatementFieldToMatchUriPath { - } - - export interface RuleGroupRuleStatementSqliMatchStatementTextTransformation { + export interface GetLaunchPathsSummaryConstraintSummary { /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Description of the constraint. */ - priority: number; + description: string; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Type of constraint. Valid values are `LAUNCH`, `NOTIFICATION`, `STACKSET`, and `TEMPLATE`. */ type: string; } - export interface RuleGroupRuleStatementXssMatchStatement { + export interface GetPortfolioConstraintsDetail { /** - * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. + * Identifier of the constraint. */ - fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatch; + constraintId: string; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. - * At least one required. - * See Text Transformation below for details. + * Description of the constraint. */ - textTransformations: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementTextTransformation[]; + description: string; + owner: string; + /** + * Portfolio identifier. + * + * The following arguments are optional: + */ + portfolioId: string; + /** + * Product identifier. + */ + productId: string; + /** + * Type of constraint. Valid values are `LAUNCH`, `NOTIFICATION`, `STACKSET`, and `TEMPLATE`. 
+ */ + type: string; } - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatch { + export interface GetProvisioningArtifactsProvisioningArtifactDetail { /** - * Inspect all query arguments. + * Indicates whether the product version is active. */ - allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchAllQueryArguments; + active: boolean; /** - * Inspect the request body, which immediately follows the request headers. + * The UTC time stamp of the creation time. */ - body?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchBody; + createdTime: string; /** - * Inspect the cookies in the web request. See Cookies below for details. + * The description of the provisioning artifact. */ - cookies?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies; + description: string; /** - * Inspect the request headers. See Header Order below for details. + * Information set by the administrator to provide guidance to end users about which provisioning artifacts to use. */ - headerOrders?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderOrder[]; + guidance: string; /** - * Inspect the request headers. See Headers below for details. + * The identifier of the provisioning artifact. */ - headers?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader[]; - ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint; + id: string; /** - * Inspect the request body as JSON. See JSON Body for details. + * The name of the provisioning artifact. */ - jsonBody?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody; + name: string; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * The type of provisioning artifact. 
*/ - method?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchMethod; + type: string; + } + + export interface ProductProvisioningArtifactParameters { /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * Description of the provisioning artifact (i.e., version), including how it differs from the previous provisioning artifact. */ - queryString?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchQueryString; + description?: string; /** - * Inspect a single header. See Single Header below for details. + * Whether AWS Service Catalog stops validating the specified provisioning artifact template even if it is invalid. */ - singleHeader?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader; + disableTemplateValidation?: boolean; /** - * Inspect a single query argument. See Single Query Argument below for details. + * Name of the provisioning artifact (for example, `v1`, `v2beta`). No spaces are allowed. */ - singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument; + name?: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Template source as the physical ID of the resource that contains the template. Currently only supports CloudFormation stack ARN. Specify the physical ID as `arn:[partition]:cloudformation:[region]:[account ID]:stack/[stack name]/[resource ID]`. */ - uriPath?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchUriPath; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchAllQueryArguments { - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchBody { - oversizeHandling?: string; + templatePhysicalId?: string; + /** + * Template source as URL of the CloudFormation template in Amazon S3. 
+ */ + templateUrl?: string; + /** + * Type of provisioning artifact. See [AWS Docs](https://docs.aws.amazon.com/servicecatalog/latest/dg/API_ProvisioningArtifactProperties.html) for valid list of values. + */ + type?: string; } - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies { + export interface ProvisionedProductOutput { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * The description of the output. */ - matchPatterns: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern[]; + description: string; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The output key. */ - matchScope: string; + key: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` + * The output value. 
*/ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll { + value: string; } - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader { + export interface ProvisionedProductProvisioningParameter { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * Parameter key. */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern; + key: string; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * Whether to ignore `value` and keep the previous parameter value. Ignored when initially provisioning a product. */ - matchScope: string; + usePreviousValue?: boolean; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Parameter value. */ - oversizeHandling: string; + value?: string; } - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern { + export interface ProvisionedProductStackSetProvisioningPreferences { /** - * An empty configuration block that is used for inspecting all headers. + * One or more AWS accounts that will have access to the provisioned product. 
The AWS accounts specified should be within the list of accounts in the STACKSET constraint. To get the list of accounts in the STACKSET constraint, use the `awsServicecatalogProvisioningParameters` data source. If no values are specified, the default value is all accounts from the STACKSET constraint. */ - all?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll; + accounts?: string[]; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * Number of accounts, per region, for which this operation can fail before AWS Service Catalog stops the operation in that region. If the operation is stopped in a region, AWS Service Catalog doesn't attempt the operation in any subsequent regions. You must specify either `failureToleranceCount` or `failureTolerancePercentage`, but not both. The default value is 0 if no value is specified. */ - excludedHeaders?: string[]; + failureToleranceCount?: number; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * Percentage of accounts, per region, for which this stack operation can fail before AWS Service Catalog stops the operation in that region. If the operation is stopped in a region, AWS Service Catalog doesn't attempt the operation in any subsequent regions. When calculating the number of accounts based on the specified percentage, AWS Service Catalog rounds down to the next whole number. You must specify either `failureToleranceCount` or `failureTolerancePercentage`, but not both. 
*/ - includedHeaders?: string[]; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderOrder { + failureTolerancePercentage?: number; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Maximum number of accounts in which to perform this operation at one time. This is dependent on the value of `failureToleranceCount`. `maxConcurrencyCount` is at most one more than the `failureToleranceCount`. Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual number of accounts acted upon concurrently may be lower due to service throttling. You must specify either `maxConcurrencyCount` or `maxConcurrencyPercentage`, but not both. */ - oversizeHandling: string; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint { - fallbackBehavior: string; + maxConcurrencyCount?: number; + /** + * Maximum percentage of accounts in which to perform this operation at one time. When calculating the number of accounts based on the specified percentage, AWS Service Catalog rounds down to the next whole number. This is true except in cases where rounding down would result is zero. In this case, AWS Service Catalog sets the number as 1 instead. Note that this setting lets you specify the maximum for operations. For large deployments, under certain circumstances the actual number of accounts acted upon concurrently may be lower due to service throttling. You must specify either `maxConcurrencyCount` or `maxConcurrencyPercentage`, but not both. 
+ */ + maxConcurrencyPercentage?: number; + /** + * One or more AWS Regions where the provisioned product will be available. The specified regions should be within the list of regions from the STACKSET constraint. To get the list of regions in the STACKSET constraint, use the `awsServicecatalogProvisioningParameters` data source. If no values are specified, the default value is all regions from the STACKSET constraint. + */ + regions?: string[]; } - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody { + export interface ServiceActionDefinition { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * ARN of the role that performs the self-service actions on your behalf. For example, `arn:aws:iam::12345678910:role/ActionRole`. To reuse the provisioned product launch role, set to `LAUNCH_ROLE`. */ - invalidFallbackBehavior?: string; + assumeRole?: string; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Name of the SSM document. For example, `AWS-RestartEC2Instance`. If you are using a shared SSM document, you must provide the ARN instead of the name. */ - matchPattern: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern; + name: string; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * List of parameters in JSON format. For example: `[{\"Name\":\"InstanceId\",\"Type\":\"TARGET\"}]` or `[{\"Name\":\"InstanceId\",\"Type\":\"TEXT_VALUE\"}]`. */ - matchScope: string; + parameters?: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
+ * Service action definition type. Valid value is `SSM_AUTOMATION`. Default is `SSM_AUTOMATION`. */ - oversizeHandling?: string; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll { + type?: string; + /** + * SSM document version. For example, `1`. + */ + version: string; } - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchMethod { - } +} - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchQueryString { +export namespace servicediscovery { + export interface GetServiceDnsConfig { + /** + * An array that contains one DnsRecord object for each resource record set. + */ + dnsRecords: outputs.servicediscovery.GetServiceDnsConfigDnsRecord[]; + /** + * ID of the namespace that the service belongs to. + */ + namespaceId: string; + /** + * Routing policy that you want to apply to all records that Route 53 creates when you register an instance and specify the service. Valid Values: MULTIVALUE, WEIGHTED + */ + routingPolicy: string; } - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader { + export interface GetServiceDnsConfigDnsRecord { /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * Amount of time, in seconds, that you want DNS resolvers to cache the settings for this resource record set. */ - name: string; + ttl: number; + /** + * The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. 
Valid Values: HTTP, HTTPS, TCP + */ + type: string; } - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument { + export interface GetServiceHealthCheckConfig { /** - * The name of the query header to inspect. This setting must be provided as lower case characters. + * The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10. */ - name: string; + failureThreshold: number; + /** + * Path that you want Route 53 to request when performing health checks. Route 53 automatically adds the DNS name for the service. If you don't specify a value, the default value is /. + */ + resourcePath: string; + /** + * The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. Valid Values: HTTP, HTTPS, TCP + */ + type: string; } - export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchUriPath { + export interface GetServiceHealthCheckCustomConfig { + /** + * The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10. + */ + failureThreshold: number; } - export interface RuleGroupRuleStatementXssMatchStatementTextTransformation { + export interface ServiceDnsConfig { /** - * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * An array that contains one DnsRecord object for each resource record set. */ - priority: number; + dnsRecords: outputs.servicediscovery.ServiceDnsConfigDnsRecord[]; /** - * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
+ * The ID of the namespace to use for DNS configuration. */ - type: string; - } - - export interface RuleGroupRuleVisibilityConfig { + namespaceId: string; /** - * A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics). + * The routing policy that you want to apply to all records that Route 53 creates when you register an instance and specify the service. Valid Values: MULTIVALUE, WEIGHTED */ - cloudwatchMetricsEnabled: boolean; + routingPolicy?: string; + } + + export interface ServiceDnsConfigDnsRecord { /** - * A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`. + * The amount of time, in seconds, that you want DNS resolvers to cache the settings for this resource record set. */ - metricName: string; + ttl: number; /** - * A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console. + * The type of the resource, which indicates the value that Amazon Route 53 returns in response to DNS queries. Valid Values: A, AAAA, SRV, CNAME */ - sampledRequestsEnabled: boolean; + type: string; } - export interface RuleGroupVisibilityConfig { + export interface ServiceHealthCheckConfig { /** - * A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics). + * The number of consecutive health checks. Maximum value of 10. 
*/ - cloudwatchMetricsEnabled: boolean; + failureThreshold?: number; /** - * A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`. + * The path that you want Route 53 to request when performing health checks. Route 53 automatically adds the DNS name for the service. If you don't specify a value, the default value is /. */ - metricName: string; + resourcePath?: string; /** - * A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console. + * The type of health check that you want to create, which indicates how Route 53 determines whether an endpoint is healthy. Valid Values: HTTP, HTTPS, TCP */ - sampledRequestsEnabled: boolean; + type?: string; } - export interface WebAclAssociationConfig { + export interface ServiceHealthCheckCustomConfig { /** - * Customizes the request body that your protected resource forward to AWS WAF for inspection. See `requestBody` below for details. + * The number of 30-second intervals that you want service discovery to wait before it changes the health status of a service instance. Maximum value of 10. */ - requestBodies?: outputs.wafv2.WebAclAssociationConfigRequestBody[]; + failureThreshold?: number; } - export interface WebAclAssociationConfigRequestBody { - /** - * Customizes the request body that your protected Amazon API Gateway REST APIs forward to AWS WAF for inspection. Applicable only when `scope` is set to `CLOUDFRONT`. See `apiGateway` below for details. 
- */ - apiGateways?: outputs.wafv2.WebAclAssociationConfigRequestBodyApiGateway[]; +} + +export namespace servicequotas { + export interface GetServiceQuotaUsageMetric { /** - * Customizes the request body that your protected Amazon App Runner services forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `appRunnerService` below for details. + * The metric dimensions. */ - appRunnerServices?: outputs.wafv2.WebAclAssociationConfigRequestBodyAppRunnerService[]; + metricDimensions: outputs.servicequotas.GetServiceQuotaUsageMetricMetricDimension[]; /** - * Customizes the request body that your protected Amazon CloudFront distributions forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `cloudfront` below for details. + * The name of the metric. */ - cloudfronts?: outputs.wafv2.WebAclAssociationConfigRequestBodyCloudfront[]; + metricName: string; /** - * Customizes the request body that your protected Amazon Cognito user pools forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `cognitoUserPool` below for details. + * The namespace of the metric. */ - cognitoUserPools?: outputs.wafv2.WebAclAssociationConfigRequestBodyCognitoUserPool[]; + metricNamespace: string; /** - * Customizes the request body that your protected AWS Verfied Access instances forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `verifiedAccessInstance` below for details. + * The metric statistic that AWS recommend you use when determining quota usage. */ - verifiedAccessInstances?: outputs.wafv2.WebAclAssociationConfigRequestBodyVerifiedAccessInstance[]; + metricStatisticRecommendation: string; } - export interface WebAclAssociationConfigRequestBodyApiGateway { - /** - * Specifies the maximum size of the web request body component that an associated Amazon API Gateway REST APIs should send to AWS WAF for inspection. 
This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. - */ - defaultSizeInspectionLimit: string; + export interface GetServiceQuotaUsageMetricMetricDimension { + class: string; + resource: string; + service: string; + type: string; } - export interface WebAclAssociationConfigRequestBodyAppRunnerService { + export interface GetTemplatesTemplate { /** - * Specifies the maximum size of the web request body component that an associated Amazon App Runner services should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. + * Indicates whether the quota is global. */ - defaultSizeInspectionLimit: string; - } - - export interface WebAclAssociationConfigRequestBodyCloudfront { + globalQuota: boolean; /** - * Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. + * Quota identifier. */ - defaultSizeInspectionLimit: string; - } - - export interface WebAclAssociationConfigRequestBodyCognitoUserPool { + quotaCode: string; /** - * Specifies the maximum size of the web request body component that an associated Amazon Cognito user pools should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. + * Quota name. */ - defaultSizeInspectionLimit: string; - } - - export interface WebAclAssociationConfigRequestBodyVerifiedAccessInstance { + quotaName: string; /** - * Specifies the maximum size of the web request body component that an associated AWS Verified Access instances should send to AWS WAF for inspection. 
This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. + * AWS Region to which the quota increases apply. */ - defaultSizeInspectionLimit: string; - } - - export interface WebAclCaptchaConfig { + region: string; /** - * Defines custom immunity time. See `immunityTimeProperty` below for details. + * (Required) Service identifier. */ - immunityTimeProperty?: outputs.wafv2.WebAclCaptchaConfigImmunityTimeProperty; - } - - export interface WebAclCaptchaConfigImmunityTimeProperty { + serviceCode: string; /** - * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. + * Service name. */ - immunityTime?: number; - } - - export interface WebAclChallengeConfig { + serviceName: string; /** - * Defines custom immunity time. See `immunityTimeProperty` below for details. + * Unit of measurement. */ - immunityTimeProperty?: outputs.wafv2.WebAclChallengeConfigImmunityTimeProperty; - } - - export interface WebAclChallengeConfigImmunityTimeProperty { + unit: string; /** - * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. + * (Required) The new, increased value for the quota. */ - immunityTime?: number; + value: number; } - export interface WebAclCustomResponseBody { - /** - * Payload of the custom response. - */ - content: string; + export interface ServiceQuotaUsageMetric { /** - * Type of content in the payload that you are defining in the `content` argument. Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. + * The metric dimensions. */ - contentType: string; + metricDimensions: outputs.servicequotas.ServiceQuotaUsageMetricMetricDimension[]; /** - * Unique key identifying the custom response body. This is referenced by the `customResponseBodyKey` argument in the `customResponse` block. + * The name of the metric. 
*/ - key: string; - } - - export interface WebAclDefaultAction { + metricName: string; /** - * Specifies that AWS WAF should allow requests by default. See `allow` below for details. + * The namespace of the metric. */ - allow?: outputs.wafv2.WebAclDefaultActionAllow; + metricNamespace: string; /** - * Specifies that AWS WAF should block requests by default. See `block` below for details. + * The metric statistic that AWS recommend you use when determining quota usage. */ - block?: outputs.wafv2.WebAclDefaultActionBlock; + metricStatisticRecommendation: string; } - export interface WebAclDefaultActionAllow { - /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. - */ - customRequestHandling?: outputs.wafv2.WebAclDefaultActionAllowCustomRequestHandling; + export interface ServiceQuotaUsageMetricMetricDimension { + class: string; + resource: string; + service: string; + type: string; } - export interface WebAclDefaultActionAllowCustomRequestHandling { - /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. - */ - insertHeaders: outputs.wafv2.WebAclDefaultActionAllowCustomRequestHandlingInsertHeader[]; - } +} - export interface WebAclDefaultActionAllowCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: string; +export namespace ses { + export interface ConfigurationSetDeliveryOptions { /** - * Value of the custom header. + * Whether messages that use the configuration set are required to use Transport Layer Security (TLS). If the value is `Require`, messages are only delivered if a TLS connection can be established. 
If the value is `Optional`, messages can be delivered in plain text if a TLS connection can't be established. Valid values: `Require` or `Optional`. Defaults to `Optional`. */ - value: string; + tlsPolicy?: string; } - export interface WebAclDefaultActionBlock { + export interface ConfigurationSetTrackingOptions { /** - * Defines a custom response for the web request. See `customResponse` below for details. + * Custom subdomain that is used to redirect email recipients to the Amazon SES event tracking domain. */ - customResponse?: outputs.wafv2.WebAclDefaultActionBlockCustomResponse; + customRedirectDomain?: string; } - export interface WebAclDefaultActionBlockCustomResponse { + export interface EventDestinationCloudwatchDestination { /** - * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. + * The default value for the event */ - customResponseBodyKey?: string; + defaultValue: string; /** - * The HTTP status code to return to the client. + * The name for the dimension */ - responseCode: number; + dimensionName: string; /** - * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. + * The source for the value. May be any of `"messageTag"`, `"emailHeader"` or `"linkTag"`. */ - responseHeaders?: outputs.wafv2.WebAclDefaultActionBlockCustomResponseResponseHeader[]; + valueSource: string; } - export interface WebAclDefaultActionBlockCustomResponseResponseHeader { + export interface EventDestinationKinesisDestination { /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. 
+ * The ARN of the role that has permissions to access the Kinesis Stream */ - name: string; + roleArn: string; /** - * Value of the custom header. + * The ARN of the Kinesis Stream */ - value: string; + streamArn: string; } - export interface WebAclLoggingConfigurationLoggingFilter { - /** - * Default handling for logs that don't match any of the specified filtering conditions. Valid values for `defaultBehavior` are `KEEP` or `DROP`. - */ - defaultBehavior: string; + export interface EventDestinationSnsDestination { /** - * Filter(s) that you want to apply to the logs. See Filter below for more details. + * The ARN of the SNS topic */ - filters: outputs.wafv2.WebAclLoggingConfigurationLoggingFilterFilter[]; + topicArn: string; } - export interface WebAclLoggingConfigurationLoggingFilterFilter { + export interface ReceiptRuleAddHeaderAction { /** - * Parameter that determines how to handle logs that meet the conditions and requirements of the filter. The valid values for `behavior` are `KEEP` or `DROP`. + * The name of the header to add */ - behavior: string; + headerName: string; /** - * Match condition(s) for the filter. See Condition below for more details. + * The value of the header to add */ - conditions: outputs.wafv2.WebAclLoggingConfigurationLoggingFilterFilterCondition[]; + headerValue: string; /** - * Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. Valid values for `requirement` are `MEETS_ALL` or `MEETS_ANY`. + * The position of the action in the receipt rule */ - requirement: string; + position: number; } - export interface WebAclLoggingConfigurationLoggingFilterFilterCondition { + export interface ReceiptRuleBounceAction { /** - * Configuration for a single action condition. See Action Condition below for more details. 
+ * The message to send */ - actionCondition?: outputs.wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition; + message: string; /** - * Condition for a single label name. See Label Name Condition below for more details. + * The position of the action in the receipt rule */ - labelNameCondition?: outputs.wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition; - } - - export interface WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition { + position: number; /** - * Action setting that a log record must contain in order to meet the condition. Valid values for `action` are `ALLOW`, `BLOCK`, and `COUNT`. + * The email address of the sender */ - action: string; - } - - export interface WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition { + sender: string; /** - * Name of the label that a log record must contain in order to meet the condition. It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. The prefix identifies the rule group or web ACL context of the rule that added the label. + * The RFC 5321 SMTP reply code */ - labelName: string; - } - - export interface WebAclLoggingConfigurationRedactedField { + smtpReplyCode: string; /** - * HTTP method to be redacted. It must be specified as an empty configuration block `{}`. The method indicates the type of operation that the request is asking the origin to perform. + * The RFC 3463 SMTP enhanced status code */ - method?: outputs.wafv2.WebAclLoggingConfigurationRedactedFieldMethod; + statusCode?: string; /** - * Whether to redact the query string. It must be specified as an empty configuration block `{}`. The query string is the part of a URL that appears after a `?` character, if any. 
+ * The ARN of an SNS topic to notify */ - queryString?: outputs.wafv2.WebAclLoggingConfigurationRedactedFieldQueryString; + topicArn?: string; + } + + export interface ReceiptRuleLambdaAction { /** - * "singleHeader" refers to the redaction of a single header. For more information, please see the details below under Single Header. + * The ARN of the Lambda function to invoke */ - singleHeader?: outputs.wafv2.WebAclLoggingConfigurationRedactedFieldSingleHeader; + functionArn: string; /** - * Configuration block that redacts the request URI path. It should be specified as an empty configuration block `{}`. The URI path is the part of a web request that identifies a resource, such as `/images/daily-ad.jpg`. + * `Event` or `RequestResponse` */ - uriPath?: outputs.wafv2.WebAclLoggingConfigurationRedactedFieldUriPath; - } - - export interface WebAclLoggingConfigurationRedactedFieldMethod { - } - - export interface WebAclLoggingConfigurationRedactedFieldQueryString { - } - - export interface WebAclLoggingConfigurationRedactedFieldSingleHeader { + invocationType?: string; /** - * Name of the query header to redact. This setting must be provided in lowercase characters. + * The position of the action in the receipt rule */ - name: string; - } - - export interface WebAclLoggingConfigurationRedactedFieldUriPath { + position: number; + /** + * The ARN of an SNS topic to notify + */ + topicArn?: string; } - export interface WebAclRule { + export interface ReceiptRuleS3Action { /** - * Action that AWS WAF should take on a web request when it matches the rule's statement. This is used only for rules whose **statements do not reference a rule group**. See `action` for details. + * The name of the S3 bucket */ - action?: outputs.wafv2.WebAclRuleAction; + bucketName: string; /** - * Specifies how AWS WAF should handle CAPTCHA evaluations. See `captchaConfig` below for details. 
+ * The ARN of the KMS key */ - captchaConfig?: outputs.wafv2.WebAclRuleCaptchaConfig; + kmsKeyArn?: string; /** - * Friendly name of the rule. Note that the provider assumes that rules with names matching this pattern, `^ShieldMitigationRuleGroup___.*`, are AWS-added for [automatic application layer DDoS mitigation activities](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response-rg.html). Such rules will be ignored by the provider unless you explicitly include them in your configuration (for example, by using the AWS CLI to discover their properties and creating matching configuration). However, since these rules are owned and managed by AWS, you may get permission errors. + * The key prefix of the S3 bucket */ - name: string; + objectKeyPrefix?: string; /** - * Override action to apply to the rules in a rule group. Used only for rule **statements that reference a rule group**, like `ruleGroupReferenceStatement` and `managedRuleGroupStatement`. See `overrideAction` below for details. + * The position of the action in the receipt rule */ - overrideAction?: outputs.wafv2.WebAclRuleOverrideAction; + position: number; /** - * If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. AWS WAF processes rules with lower priority first. + * The ARN of an SNS topic to notify */ - priority: number; + topicArn?: string; + } + + export interface ReceiptRuleSnsAction { /** - * Labels to apply to web requests that match the rule match statement. See `ruleLabel` below for details. + * The encoding to use for the email within the Amazon SNS notification. Default value is `UTF-8`. */ - ruleLabels?: outputs.wafv2.WebAclRuleRuleLabel[]; + encoding?: string; /** - * The AWS WAF processing statement for the rule, for example `byteMatchStatement` or `geoMatchStatement`. See `statement` below for details. 
+ * The position of the action in the receipt rule */ - statement: outputs.wafv2.WebAclRuleStatement; + position: number; /** - * Defines and enables Amazon CloudWatch metrics and web request sample collection. See `visibilityConfig` below for details. + * The ARN of an SNS topic to notify */ - visibilityConfig: outputs.wafv2.WebAclRuleVisibilityConfig; + topicArn: string; } - export interface WebAclRuleAction { + export interface ReceiptRuleStopAction { /** - * Instructs AWS WAF to allow the web request. See `allow` below for details. + * The position of the action in the receipt rule */ - allow?: outputs.wafv2.WebAclRuleActionAllow; + position: number; /** - * Instructs AWS WAF to block the web request. See `block` below for details. + * The scope to apply. The only acceptable value is `RuleSet`. */ - block?: outputs.wafv2.WebAclRuleActionBlock; + scope: string; /** - * Instructs AWS WAF to run a Captcha check against the web request. See `captcha` below for details. + * The ARN of an SNS topic to notify */ - captcha?: outputs.wafv2.WebAclRuleActionCaptcha; + topicArn?: string; + } + + export interface ReceiptRuleWorkmailAction { /** - * Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See `challenge` below for details. + * The ARN of the WorkMail organization */ - challenge?: outputs.wafv2.WebAclRuleActionChallenge; + organizationArn: string; /** - * Instructs AWS WAF to count the web request and allow it. See `count` below for details. + * The position of the action in the receipt rule */ - count?: outputs.wafv2.WebAclRuleActionCount; + position: number; + /** + * The ARN of an SNS topic to notify + */ + topicArn?: string; } - export interface WebAclRuleActionAllow { +} + +export namespace sesv2 { + export interface AccountVdmAttributesDashboardAttributes { /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. 
+ * Specifies the status of your VDM engagement metrics collection. Valid values: `ENABLED`, `DISABLED`. */ - customRequestHandling?: outputs.wafv2.WebAclRuleActionAllowCustomRequestHandling; + engagementMetrics?: string; } - export interface WebAclRuleActionAllowCustomRequestHandling { + export interface AccountVdmAttributesGuardianAttributes { /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * Specifies the status of your VDM optimized shared delivery. Valid values: `ENABLED`, `DISABLED`. */ - insertHeaders: outputs.wafv2.WebAclRuleActionAllowCustomRequestHandlingInsertHeader[]; + optimizedSharedDelivery?: string; } - export interface WebAclRuleActionAllowCustomRequestHandlingInsertHeader { + export interface ConfigurationSetDeliveryOptions { /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * The name of the dedicated IP pool to associate with the configuration set. */ - name: string; + sendingPoolName?: string; /** - * Value of the custom header. + * Specifies whether messages that use the configuration set are required to use Transport Layer Security (TLS). Valid values: `REQUIRE`, `OPTIONAL`. */ - value: string; + tlsPolicy?: string; } - export interface WebAclRuleActionBlock { + export interface ConfigurationSetEventDestinationEventDestination { /** - * Defines a custom response for the web request. See `customResponse` below for details. + * An object that defines an Amazon CloudWatch destination for email events. 
See cloudWatchDestination below */ - customResponse?: outputs.wafv2.WebAclRuleActionBlockCustomResponse; - } - - export interface WebAclRuleActionBlockCustomResponse { + cloudWatchDestination?: outputs.sesv2.ConfigurationSetEventDestinationEventDestinationCloudWatchDestination; /** - * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. + * When the event destination is enabled, the specified event types are sent to the destinations. Default: `false`. */ - customResponseBodyKey?: string; + enabled?: boolean; /** - * The HTTP status code to return to the client. + * An object that defines an Amazon Kinesis Data Firehose destination for email events. See kinesisFirehoseDestination below. */ - responseCode: number; + kinesisFirehoseDestination?: outputs.sesv2.ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination; /** - * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. + * An array that specifies which events the Amazon SES API v2 should send to the destinations. Valid values: `SEND`, `REJECT`, `BOUNCE`, `COMPLAINT`, `DELIVERY`, `OPEN`, `CLICK`, `RENDERING_FAILURE`, `DELIVERY_DELAY`, `SUBSCRIPTION`. + * + * The following arguments are optional: */ - responseHeaders?: outputs.wafv2.WebAclRuleActionBlockCustomResponseResponseHeader[]; - } - - export interface WebAclRuleActionBlockCustomResponseResponseHeader { + matchingEventTypes: string[]; /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * An object that defines an Amazon Pinpoint project destination for email events. 
See pinpointDestination below. */ - name: string; + pinpointDestination?: outputs.sesv2.ConfigurationSetEventDestinationEventDestinationPinpointDestination; /** - * Value of the custom header. + * An object that defines an Amazon SNS destination for email events. See snsDestination below. */ - value: string; + snsDestination?: outputs.sesv2.ConfigurationSetEventDestinationEventDestinationSnsDestination; } - export interface WebAclRuleActionCaptcha { + export interface ConfigurationSetEventDestinationEventDestinationCloudWatchDestination { /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * An array of objects that define the dimensions to use when you send email events to Amazon CloudWatch. See dimensionConfiguration below. */ - customRequestHandling?: outputs.wafv2.WebAclRuleActionCaptchaCustomRequestHandling; + dimensionConfigurations: outputs.sesv2.ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration[]; } - export interface WebAclRuleActionCaptchaCustomRequestHandling { + export interface ConfigurationSetEventDestinationEventDestinationCloudWatchDestinationDimensionConfiguration { /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * The default value of the dimension that is published to Amazon CloudWatch if you don't provide the value of the dimension when you send an email. */ - insertHeaders: outputs.wafv2.WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader[]; - } - - export interface WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader { + defaultDimensionValue: string; /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. 
+ * The name of an Amazon CloudWatch dimension associated with an email sending metric. */ - name: string; + dimensionName: string; /** - * Value of the custom header. + * The location where the Amazon SES API v2 finds the value of a dimension to publish to Amazon CloudWatch. Valid values: `MESSAGE_TAG`, `EMAIL_HEADER`, `LINK_TAG`. */ - value: string; + dimensionValueSource: string; } - export interface WebAclRuleActionChallenge { + export interface ConfigurationSetEventDestinationEventDestinationKinesisFirehoseDestination { /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * The Amazon Resource Name (ARN) of the Amazon Kinesis Data Firehose stream that the Amazon SES API v2 sends email events to. */ - customRequestHandling?: outputs.wafv2.WebAclRuleActionChallengeCustomRequestHandling; - } - - export interface WebAclRuleActionChallengeCustomRequestHandling { + deliveryStreamArn: string; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * The Amazon Resource Name (ARN) of the IAM role that the Amazon SES API v2 uses to send email events to the Amazon Kinesis Data Firehose stream. */ - insertHeaders: outputs.wafv2.WebAclRuleActionChallengeCustomRequestHandlingInsertHeader[]; + iamRoleArn: string; } - export interface WebAclRuleActionChallengeCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: string; - /** - * Value of the custom header. 
- */ - value: string; + export interface ConfigurationSetEventDestinationEventDestinationPinpointDestination { + applicationArn: string; } - export interface WebAclRuleActionCount { + export interface ConfigurationSetEventDestinationEventDestinationSnsDestination { /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * The Amazon Resource Name (ARN) of the Amazon SNS topic to publish email events to. */ - customRequestHandling?: outputs.wafv2.WebAclRuleActionCountCustomRequestHandling; + topicArn: string; } - export interface WebAclRuleActionCountCustomRequestHandling { + export interface ConfigurationSetReputationOptions { /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * The date and time (in Unix time) when the reputation metrics were last given a fresh start. When your account is given a fresh start, your reputation metrics are calculated starting from the date of the fresh start. */ - insertHeaders: outputs.wafv2.WebAclRuleActionCountCustomRequestHandlingInsertHeader[]; - } - - export interface WebAclRuleActionCountCustomRequestHandlingInsertHeader { + lastFreshStart: string; /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * If `true`, tracking of reputation metrics is enabled for the configuration set. If `false`, tracking of reputation metrics is disabled for the configuration set. */ - name: string; + reputationMetricsEnabled: boolean; + } + + export interface ConfigurationSetSendingOptions { /** - * Value of the custom header. + * If `true`, email sending is enabled for the configuration set. If `false`, email sending is disabled for the configuration set. 
*/ - value: string; + sendingEnabled: boolean; } - export interface WebAclRuleCaptchaConfig { + export interface ConfigurationSetSuppressionOptions { /** - * Defines custom immunity time. See `immunityTimeProperty` below for details. + * A list that contains the reasons that email addresses are automatically added to the suppression list for your account. Valid values: `BOUNCE`, `COMPLAINT`. */ - immunityTimeProperty?: outputs.wafv2.WebAclRuleCaptchaConfigImmunityTimeProperty; + suppressedReasons?: string[]; } - export interface WebAclRuleCaptchaConfigImmunityTimeProperty { + export interface ConfigurationSetTrackingOptions { /** - * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. + * The domain to use for tracking open and click events. */ - immunityTime?: number; + customRedirectDomain: string; } - export interface WebAclRuleOverrideAction { + export interface ConfigurationSetVdmOptions { /** - * Override the rule action setting to count (i.e., only count matches). Configured as an empty block `{}`. + * Specifies additional settings for your VDM configuration as applicable to the Dashboard. */ - count?: outputs.wafv2.WebAclRuleOverrideActionCount; + dashboardOptions?: outputs.sesv2.ConfigurationSetVdmOptionsDashboardOptions; /** - * Don't override the rule action setting. Configured as an empty block `{}`. + * Specifies additional settings for your VDM configuration as applicable to the Guardian. */ - none?: outputs.wafv2.WebAclRuleOverrideActionNone; - } - - export interface WebAclRuleOverrideActionCount { + guardianOptions?: outputs.sesv2.ConfigurationSetVdmOptionsGuardianOptions; } - export interface WebAclRuleOverrideActionNone { + export interface ConfigurationSetVdmOptionsDashboardOptions { + /** + * Specifies the status of your VDM engagement metrics collection. Valid values: `ENABLED`, `DISABLED`. 
+ */ + engagementMetrics?: string; } - export interface WebAclRuleRuleLabel { + export interface ConfigurationSetVdmOptionsGuardianOptions { /** - * Label string. + * Specifies the status of your VDM optimized shared delivery. Valid values: `ENABLED`, `DISABLED`. */ - name: string; + optimizedSharedDelivery?: string; } - export interface WebAclRuleStatement { + export interface ContactListTopic { + /** + * Default subscription status to be applied to a contact if the contact has not noted their preference for subscribing to a topic. + */ + defaultSubscriptionStatus: string; /** - * Logical rule statement used to combine other rule statements with AND logic. See `andStatement` below for details. + * Description of what the topic is about, which the contact will see. */ - andStatement?: outputs.wafv2.WebAclRuleStatementAndStatement; + description?: string; /** - * Rule statement that defines a string match search for AWS WAF to apply to web requests. See `byteMatchStatement` below for details. + * Name of the topic the contact will see. */ - byteMatchStatement?: outputs.wafv2.WebAclRuleStatementByteMatchStatement; + displayName: string; /** - * Rule statement used to identify web requests based on country of origin. See `geoMatchStatement` below for details. + * Name of the topic. + * + * The following arguments are optional: */ - geoMatchStatement?: outputs.wafv2.WebAclRuleStatementGeoMatchStatement; + topicName: string; + } + + export interface EmailIdentityDkimSigningAttributes { /** - * Rule statement used to detect web requests coming from particular IP addresses or address ranges. See `ipSetReferenceStatement` below for details. + * [Easy DKIM] The key length of the DKIM key pair in use. 
*/ - ipSetReferenceStatement?: outputs.wafv2.WebAclRuleStatementIpSetReferenceStatement; + currentSigningKeyLength: string; /** - * Rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See `labelMatchStatement` below for details. + * [Bring Your Own DKIM] A private key that's used to generate a DKIM signature. The private key must use 1024 or 2048-bit RSA encryption, and must be encoded using base64 encoding. + * + * > **NOTE:** You have to delete the first and last lines ('-----BEGIN PRIVATE KEY-----' and '-----END PRIVATE KEY-----', respectively) of the generated private key. Additionally, you have to remove the line breaks in the generated private key. The resulting value is a string of characters with no spaces or line breaks. */ - labelMatchStatement?: outputs.wafv2.WebAclRuleStatementLabelMatchStatement; + domainSigningPrivateKey?: string; /** - * Rule statement used to run the rules that are defined in a managed rule group. This statement can not be nested. See `managedRuleGroupStatement` below for details. + * [Bring Your Own DKIM] A string that's used to identify a public key in the DNS configuration for a domain. */ - managedRuleGroupStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatement; + domainSigningSelector?: string; /** - * Logical rule statement used to negate the results of another rule statement. See `notStatement` below for details. + * [Easy DKIM] The last time a key pair was generated for this identity. */ - notStatement?: outputs.wafv2.WebAclRuleStatementNotStatement; + lastKeyGenerationTimestamp: string; /** - * Logical rule statement used to combine other rule statements with OR logic. See `orStatement` below for details. + * [Easy DKIM] The key length of the future DKIM key pair to be generated. This can be changed at most once per day. Valid values: `RSA_1024_BIT`, `RSA_2048_BIT`. 
*/ - orStatement?: outputs.wafv2.WebAclRuleStatementOrStatement; + nextSigningKeyLength: string; /** - * Rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See `rateBasedStatement` below for details. + * A string that indicates how DKIM was configured for the identity. `AWS_SES` indicates that DKIM was configured for the identity by using Easy DKIM. `EXTERNAL` indicates that DKIM was configured for the identity by using Bring Your Own DKIM (BYODKIM). */ - rateBasedStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatement; + signingAttributesOrigin: string; /** - * Rule statement used to search web request components for a match against a single regular expression. See `regexMatchStatement` below for details. + * Describes whether or not Amazon SES has successfully located the DKIM records in the DNS records for the domain. See the [AWS SES API v2 Reference](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DkimAttributes.html#SES-Type-DkimAttributes-Status) for supported statuses. */ - regexMatchStatement?: outputs.wafv2.WebAclRuleStatementRegexMatchStatement; + status: string; /** - * Rule statement used to search web request components for matches with regular expressions. See `regexPatternSetReferenceStatement` below for details. + * If you used Easy DKIM to configure DKIM authentication for the domain, then this object contains a set of unique strings that you use to create a set of CNAME records that you add to the DNS configuration for your domain. When Amazon SES detects these records in the DNS configuration for your domain, the DKIM authentication process is complete. If you configured DKIM authentication for the domain by providing your own public-private key pair, then this object contains the selector for the public key. 
*/ - regexPatternSetReferenceStatement?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatement; + tokens: string[]; + } + + export interface GetConfigurationSetDeliveryOption { /** - * Rule statement used to run the rules that are defined in an WAFv2 Rule Group. See `ruleGroupReferenceStatement` below for details. + * The name of the dedicated IP pool to associate with the configuration set. */ - ruleGroupReferenceStatement?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatement; + sendingPoolName: string; /** - * Rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). See `sizeConstraintStatement` below for more details. + * Specifies whether messages that use the configuration set are required to use Transport Layer Security (TLS). */ - sizeConstraintStatement?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatement; + tlsPolicy: string; + } + + export interface GetConfigurationSetReputationOption { /** - * An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See `sqliMatchStatement` below for details. + * The date and time (in Unix time) when the reputation metrics were last given a fresh start. */ - sqliMatchStatement?: outputs.wafv2.WebAclRuleStatementSqliMatchStatement; + lastFreshStart: string; /** - * Rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See `xssMatchStatement` below for details. + * Specifies whether tracking of reputation metrics is enabled. */ - xssMatchStatement?: outputs.wafv2.WebAclRuleStatementXssMatchStatement; + reputationMetricsEnabled: boolean; } - export interface WebAclRuleStatementAndStatement { + export interface GetConfigurationSetSendingOption { /** - * The statements to combine. + * Specifies whether email sending is enabled. 
*/ - statements: outputs.wafv2.WebAclRuleStatement[]; + sendingEnabled: boolean; } - export interface WebAclRuleStatementByteMatchStatement { + export interface GetConfigurationSetSuppressionOption { /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * A list that contains the reasons that email addresses are automatically added to the suppression list for your account. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatch; + suppressedReasons: string[]; + } + + export interface GetConfigurationSetTrackingOption { /** - * Area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. + * The domain to use for tracking open and click events. */ - positionalConstraint: string; + customRedirectDomain: string; + } + + export interface GetConfigurationSetVdmOption { /** - * String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. + * Specifies additional settings for your VDM configuration as applicable to the Dashboard. */ - searchString: string; + dashboardOptions: outputs.sesv2.GetConfigurationSetVdmOptionDashboardOption[]; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * Specifies additional settings for your VDM configuration as applicable to the Guardian. 
*/ - textTransformations: outputs.wafv2.WebAclRuleStatementByteMatchStatementTextTransformation[]; + guardianOptions: outputs.sesv2.GetConfigurationSetVdmOptionGuardianOption[]; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchAllQueryArguments; + export interface GetConfigurationSetVdmOptionDashboardOption { /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * Specifies the status of your VDM engagement metrics collection. */ - body?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchBody; + engagementMetrics: string; + } + + export interface GetConfigurationSetVdmOptionGuardianOption { /** - * Inspect the cookies in the web request. See `cookies` below for details. + * Specifies the status of your VDM optimized shared delivery. */ - cookies?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchCookies; + optimizedSharedDelivery: string; + } + + export interface GetDedicatedIpPoolDedicatedIp { /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * IPv4 address. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchHeaderOrder[]; + ip: string; /** - * Inspect the request headers. See `headers` below for details. + * Indicates how complete the dedicated IP warm-up process is. When this value equals `1`, the address has completed the warm-up process and is ready for use. */ - headers?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchHeader[]; + warmupPercentage: number; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * The warm-up status of a dedicated IP address. Valid values: `IN_PROGRESS`, `DONE`. 
*/ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint; + warmupStatus: string; + } + + export interface GetEmailIdentityDkimSigningAttribute { /** - * Inspect the request body as JSON. See `jsonBody` for details. + * [Easy DKIM] The key length of the DKIM key pair in use. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchJsonBody; + currentSigningKeyLength: string; + domainSigningPrivateKey: string; + domainSigningSelector: string; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * [Easy DKIM] The last time a key pair was generated for this identity. */ - method?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchMethod; + lastKeyGenerationTimestamp: string; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * [Easy DKIM] The key length of the future DKIM key pair to be generated. This can be changed at most once per day. */ - queryString?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchQueryString; + nextSigningKeyLength: string; /** - * Inspect a single header. See `singleHeader` below for details. + * A string that indicates how DKIM was configured for the identity. `AWS_SES` indicates that DKIM was configured for the identity by using Easy DKIM. `EXTERNAL` indicates that DKIM was configured for the identity by using Bring Your Own DKIM (BYODKIM). */ - singleHeader?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchSingleHeader; + signingAttributesOrigin: string; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * Describes whether or not Amazon SES has successfully located the DKIM records in the DNS records for the domain. 
See the [AWS SES API v2 Reference](https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_DkimAttributes.html#SES-Type-DkimAttributes-Status) for supported statuses. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument; + status: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * If you used Easy DKIM to configure DKIM authentication for the domain, then this object contains a set of unique strings that you use to create a set of CNAME records that you add to the DNS configuration for your domain. When Amazon SES detects these records in the DNS configuration for your domain, the DKIM authentication process is complete. If you configured DKIM authentication for the domain by providing your own public-private key pair, then this object contains the selector for the public key. */ - uriPath?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchUriPath; + tokens: string[]; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchAllQueryArguments { - } +} - export interface WebAclRuleStatementByteMatchStatementFieldToMatchBody { +export namespace sfn { + export interface AliasRoutingConfiguration { /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The Amazon Resource Name (ARN) of the state machine version. */ - oversizeHandling?: string; + stateMachineVersionArn: string; + /** + * Percentage of traffic routed to the state machine version. 
+ */ + weight: number; + } + + export interface GetAliasRoutingConfiguration { + stateMachineVersionArn: string; + weight: number; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchCookies { + export interface StateMachineLoggingConfiguration { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * Determines whether execution data is included in your log. When set to `false`, data is excluded. */ - matchPatterns: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern[]; + includeExecutionData?: boolean; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * Defines which category of execution history events are logged. Valid values: `ALL`, `ERROR`, `FATAL`, `OFF` */ - matchScope: string; + level?: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Amazon Resource Name (ARN) of a CloudWatch log group. Make sure the State Machine has the correct IAM policies for logging. 
The ARN must end with `:*` */ - oversizeHandling: string; + logDestination?: string; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + export interface StateMachineTracingConfiguration { + /** + * When set to `true`, AWS X-Ray tracing is enabled. Make sure the State Machine has the correct IAM policies for logging. See the [AWS Step Functions Developer Guide](https://docs.aws.amazon.com/step-functions/latest/dg/xray-iam.html) for details. + */ + enabled?: boolean; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll { - } +} - export interface WebAclRuleStatementByteMatchStatementFieldToMatchHeader { +export namespace shield { + export interface ApplicationLayerAutomaticResponseTimeouts { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - matchPattern: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern; + create?: string; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. 
*/ - matchScope: string; + delete?: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - oversizeHandling: string; + update?: string; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPattern { + export interface DrtAccessLogBucketAssociationTimeouts { /** - * An empty configuration block that is used for inspecting all headers. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - all?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll; + create?: string; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. */ - excludedHeaders?: string[]; + delete?: string; + } + + export interface DrtAccessRoleArnAssociationTimeouts { /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. 
+ * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). */ - includedHeaders?: string[]; + create?: string; + /** + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). Setting a timeout for a Delete operation is only applicable if changes are saved into state before the destroy operation occurs. + */ + delete?: string; + /** + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). + */ + update?: string; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll { + export interface ProactiveEngagementEmergencyContact { + contactNotes?: string; + emailAddress: string; + phoneNumber?: string; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: string; +} + +export namespace signer { + export interface GetSigningJobRevocationRecord { + reason: string; + revokedAt: string; + revokedBy: string; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. 
- */ - fallbackBehavior: string; + export interface GetSigningJobSignedObject { + s3s: outputs.signer.GetSigningJobSignedObjectS3[]; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: string; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern; - /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. - */ - matchScope: string; - /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. 
- */ - oversizeHandling?: string; + export interface GetSigningJobSignedObjectS3 { + bucket: string; + key: string; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + export interface GetSigningJobSource { + s3s: outputs.signer.GetSigningJobSourceS3[]; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll { + export interface GetSigningJobSourceS3 { + bucket: string; + key: string; + version: string; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchMethod { + export interface GetSigningProfileRevocationRecord { + revocationEffectiveFrom: string; + revokedAt: string; + revokedBy: string; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchQueryString { + export interface GetSigningProfileSignatureValidityPeriod { + type: string; + value: number; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchSingleHeader { + export interface SigningJobDestination { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * A configuration block describing the S3 Destination object: See S3 Destination below for details. */ - name: string; + s3: outputs.signer.SigningJobDestinationS3; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: string; + export interface SigningJobDestinationS3 { + bucket: string; + prefix?: string; + } + + export interface SigningJobRevocationRecord { + reason: string; + revokedAt: string; + revokedBy: string; } - export interface WebAclRuleStatementByteMatchStatementFieldToMatchUriPath { + export interface SigningJobSignedObject { + s3s: outputs.signer.SigningJobSignedObjectS3[]; } - export interface WebAclRuleStatementByteMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: number; + export interface SigningJobSignedObjectS3 { + bucket: string; + key: string; + } + + export interface SigningJobSource { /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * A configuration block describing the S3 Source object: See S3 Source below for details. */ - type: string; + s3: outputs.signer.SigningJobSourceS3; } - export interface WebAclRuleStatementGeoMatchStatement { + export interface SigningJobSourceS3 { + bucket: string; + key: string; + version: string; + } + + export interface SigningProfileRevocationRecord { /** - * Array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. + * The time when revocation becomes effective. */ - countryCodes: string[]; + revocationEffectiveFrom: string; /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `forwardedIpConfig` below for details. 
+ * The time when the signing profile was revoked. + */ + revokedAt: string; + /** + * The identity of the revoker. */ - forwardedIpConfig?: outputs.wafv2.WebAclRuleStatementGeoMatchStatementForwardedIpConfig; + revokedBy: string; } - export interface WebAclRuleStatementGeoMatchStatementForwardedIpConfig { + export interface SigningProfileSignatureValidityPeriod { /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. + * The time unit for signature validity. Valid values: `DAYS`, `MONTHS`, `YEARS`. */ - fallbackBehavior: string; + type: string; /** - * Name of the HTTP header to use for the IP address. + * The numerical value of the time unit for signature validity. */ - headerName: string; + value: number; } - export interface WebAclRuleStatementIpSetReferenceStatement { - /** - * The Amazon Resource Name (ARN) of the IP Set that this statement references. - */ - arn: string; + export interface SigningProfileSigningMaterial { /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `ipSetForwardedIpConfig` below for more details. + * The Amazon Resource Name (ARN) of the certificates that is used to sign your code. */ - ipSetForwardedIpConfig?: outputs.wafv2.WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig; + certificateArn: string; } - export interface WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig { +} + +export namespace ssm { + export interface AssociationOutputLocation { /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. + * The S3 bucket name. */ - fallbackBehavior: string; + s3BucketName: string; /** - * Name of the HTTP header to use for the IP address. + * The S3 bucket prefix. 
Results stored in the root if not configured. */ - headerName: string; + s3KeyPrefix?: string; /** - * Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. + * The S3 bucket region. + * + * Targets specify what instance IDs or tags to apply the document to and has these keys: */ - position: string; + s3Region?: string; } - export interface WebAclRuleStatementLabelMatchStatement { + export interface AssociationTarget { /** - * String to match against. + * Either `InstanceIds` or `tag:Tag Name` to specify an EC2 tag. */ key: string; /** - * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. + * A list of instance IDs or tag values. AWS currently limits this list size to one value. */ - scope: string; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatement { - /** - * Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config. See `managedRuleGroupConfigs` for more details - */ - managedRuleGroupConfigs?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig[]; + export interface ContactsRotationRecurrence { + dailySettings?: outputs.ssm.ContactsRotationRecurrenceDailySetting[]; /** - * Name of the managed rule group. + * (Optional) Information about on-call rotations that recur monthly. See Monthly Settings for more details. */ - name: string; + monthlySettings?: outputs.ssm.ContactsRotationRecurrenceMonthlySetting[]; /** - * Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See `ruleActionOverride` below for details. 
+ * (Required) The number of contacts, or shift team members designated to be on call concurrently during a shift. */ - ruleActionOverrides?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride[]; + numberOfOnCalls: number; /** - * Narrows the scope of the statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See `statement` above for details. + * (Required) The number of days, weeks, or months a single rotation lasts. */ - scopeDownStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatement; + recurrenceMultiplier: number; /** - * Name of the managed rule group vendor. + * (Optional) Information about the days of the week that the on-call rotation coverage includes. See Shift Coverages for more details. */ - vendorName: string; + shiftCoverages?: outputs.ssm.ContactsRotationRecurrenceShiftCoverage[]; /** - * Version of the managed rule group. You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything. + * (Optional) Information about on-call rotations that recur weekly. See Weekly Settings for more details. */ - version?: string; + weeklySettings?: outputs.ssm.ContactsRotationRecurrenceWeeklySetting[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig { - /** - * Additional configuration for using the Account Creation Fraud Prevention managed rule group. Use this to specify information such as the registration page of your application and the type of content to accept or reject from the client. - */ - awsManagedRulesAcfpRuleSet?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet; + export interface ContactsRotationRecurrenceDailySetting { /** - * Additional configuration for using the Account Takeover Protection managed rule group. 
Use this to specify information such as the sign-in page of your application and the type of content to accept or reject from the client. + * (Required) The hour of the day. */ - awsManagedRulesAtpRuleSet?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet; + hourOfDay: number; /** - * Additional configuration for using the Bot Control managed rule group. Use this to specify the inspection level that you want to use. See `awsManagedRulesBotControlRuleSet` for more details + * (Required) The minutes of the hour. */ - awsManagedRulesBotControlRuleSet?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet; + minuteOfHour: number; + } + + export interface ContactsRotationRecurrenceMonthlySetting { /** - * The path of the login endpoint for your application. + * (Required) The day of the month when monthly recurring on-call rotations begin. */ - loginPath?: string; + dayOfMonth: number; /** - * Details about your login page password field. See `passwordField` for more details. + * (Required) The hand off time. See Hand Off Time for more details. */ - passwordField?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField; + handOffTime?: outputs.ssm.ContactsRotationRecurrenceMonthlySettingHandOffTime; + } + + export interface ContactsRotationRecurrenceMonthlySettingHandOffTime { /** - * The payload type for your login endpoint, either JSON or form encoded. + * (Required) The hour of the day. */ - payloadType?: string; + hourOfDay: number; /** - * Details about your login page username field. See `usernameField` for more details. + * (Required) The minutes of the hour. 
*/ - usernameField?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField; + minuteOfHour: number; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet { + export interface ContactsRotationRecurrenceShiftCoverage { /** - * The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept POST requests. + * (Required) Information about when an on-call shift begins and ends. See Coverage Times for more details. */ - creationPath: string; + coverageTimes?: outputs.ssm.ContactsRotationRecurrenceShiftCoverageCoverageTime[]; + mapBlockKey: string; + } + + export interface ContactsRotationRecurrenceShiftCoverageCoverageTime { /** - * Whether or not to allow the use of regular expressions in the login page path. + * (Required) The end time of the on-call shift. See Hand Off Time for more details. */ - enableRegexInPath: boolean; + end?: outputs.ssm.ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd; /** - * The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users. This page must accept GET text/html requests. + * (Required) The start time of the on-call shift. See Hand Off Time for more details. */ - registrationPagePath: string; + start?: outputs.ssm.ContactsRotationRecurrenceShiftCoverageCoverageTimeStart; + } + + export interface ContactsRotationRecurrenceShiftCoverageCoverageTimeEnd { /** - * The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `requestInspection` for more details. + * (Required) The hour of the day. 
*/ - requestInspection: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection; + hourOfDay: number; /** - * The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. See `responseInspection` for more details. + * (Required) The minutes of the hour. */ - responseInspection?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspection; + minuteOfHour: number; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection { + export interface ContactsRotationRecurrenceShiftCoverageCoverageTimeStart { /** - * The names of the fields in the request payload that contain your customer's primary physical address. See `addressFields` for more details. + * (Required) The hour of the day. */ - addressFields?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields; + hourOfDay: number; /** - * The name of the field in the request payload that contains your customer's email. See `emailField` for more details. + * (Required) The minutes of the hour. */ - emailField?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField; + minuteOfHour: number; + } + + export interface ContactsRotationRecurrenceWeeklySetting { /** - * Details about your login page password field. See `passwordField` for more details. + * (Required) The day of the week when the shift coverage occurs. 
*/ - passwordField?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPasswordField; + dayOfWeek: string; /** - * The payload type for your login endpoint, either JSON or form encoded. + * (Required) The hand off time. See Hand Off Time for more details. */ - payloadType: string; + handOffTime?: outputs.ssm.ContactsRotationRecurrenceWeeklySettingHandOffTime; + } + + export interface ContactsRotationRecurrenceWeeklySettingHandOffTime { /** - * The names of the fields in the request payload that contain your customer's primary phone number. See `phoneNumberFields` for more details. + * (Required) The hour of the day. */ - phoneNumberFields?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPhoneNumberFields; + hourOfDay: number; /** - * Details about your login page username field. See `usernameField` for more details. + * (Required) The minutes of the hour. */ - usernameField?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionUsernameField; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields { - identifiers: string[]; + minuteOfHour: number; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField { + export interface DocumentAttachmentsSource { /** - * The name of the field in the request payload that contains your customer's email. + * The key of a key-value pair that identifies the location of an attachment to the document. Valid values: `SourceUrl`, `S3FileUrl`, `AttachmentReference`. 
*/ - identifier: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPasswordField { + key: string; /** - * The name of the password field. + * The name of the document attachment file. */ - identifier: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionPhoneNumberFields { - identifiers: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionUsernameField { + name?: string; /** - * The name of the username field. + * The value of a key-value pair that identifies the location of an attachment to the document. The argument format is a list of a single string that depends on the type of key you specify - see the [API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_AttachmentsSource.html) for details. */ - identifier: string; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspection { + export interface DocumentParameter { /** - * Configures inspection of the response body. See `bodyContains` for more details. + * If specified, the default values for the parameters. Parameters without a default value are required. Parameters with a default value are optional. */ - bodyContains?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionBodyContains; + defaultValue: string; /** - * Configures inspection of the response header.See `header` for more details. + * A description of what the parameter does, how to use it, the default value, and whether or not the parameter is optional. 
*/ - header?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionHeader; + description: string; /** - * Configures inspection of the response JSON. See `json` for more details. + * The name of the document. */ - json?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionJson; + name: string; /** - * Configures inspection of the response status code.See `statusCode` for more details. + * The type of parameter. Valid values: `String`, `StringList`. */ - statusCode?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionStatusCode; + type: string; + } + + export interface GetContactsRotationRecurrence { + dailySettings: any[]; + monthlySettings: any[]; + numberOfOnCalls: number; + recurrenceMultiplier: number; + shiftCoverages: any[]; + weeklySettings: any[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionBodyContains { + export interface GetInstancesFilter { /** - * Strings in the body of the response that indicate a failed login attempt. + * Name of the filter field. Valid values can be found in the [SSM InstanceInformationStringFilter API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_InstanceInformationStringFilter.html). */ - failureStrings: string[]; + name: string; /** - * Strings in the body of the response that indicate a successful login attempt. + * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. 
*/ - successStrings: string[]; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionHeader { - /** - * Values in the response header with the specified name that indicate a failed login attempt. - */ - failureValues: string[]; + export interface GetMaintenanceWindowsFilter { /** - * The name of the header to use. + * Name of the filter field. Valid values can be found in the [SSM DescribeMaintenanceWindows API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribeMaintenanceWindows.html#API_DescribeMaintenanceWindows_RequestSyntax). */ name: string; /** - * Values in the response header with the specified name that indicate a successful login attempt. + * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. */ - successValues: string[]; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionJson { - failureValues: string[]; + export interface GetPatchBaselineApprovalRule { /** - * The identifier for the value to match against in the JSON. + * Number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. */ - identifier: string; - successValues: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetResponseInspectionStatusCode { + approveAfterDays: number; /** - * Status codes in the response that indicate a failed login attempt. + * Cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. 
Conflicts with `approveAfterDays` */ - failureCodes: number[]; + approveUntilDate: string; /** - * Status codes in the response that indicate a successful login attempt. + * Compliance level for patches approved by this rule. */ - successCodes: number[]; + complianceLevel: string; + /** + * Boolean enabling the application of non-security updates. + */ + enableNonSecurity: boolean; + /** + * Patch filter group that defines the criteria for the rule. + */ + patchFilters: outputs.ssm.GetPatchBaselineApprovalRulePatchFilter[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet { + export interface GetPatchBaselineApprovalRulePatchFilter { /** - * Whether or not to allow the use of regular expressions in the login page path. + * Key for the filter. */ - enableRegexInPath: boolean; + key: string; /** - * The path of the login endpoint for your application. + * Value for the filter. */ - loginPath: string; + values: string[]; + } + + export interface GetPatchBaselineGlobalFilter { /** - * The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `requestInspection` for more details. + * Key for the filter. */ - requestInspection?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection; + key: string; /** - * The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. See `responseInspection` for more details. + * Value for the filter. 
*/ - responseInspection?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection { + export interface GetPatchBaselineSource { /** - * Details about your login page password field. See `passwordField` for more details. + * Value of the yum repo configuration. */ - passwordField: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionPasswordField; + configuration: string; /** - * The payload type for your login endpoint, either JSON or form encoded. + * Name specified to identify the patch source. */ - payloadType: string; + name: string; /** - * Details about your login page username field. See `usernameField` for more details. + * Specific operating system versions a patch repository applies to. */ - usernameField: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionUsernameField; + products: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionPasswordField { - /** - * The name of the password field. - */ - identifier: string; + export interface MaintenanceWindowTargetTarget { + key: string; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspectionUsernameField { - /** - * The name of the username field. 
- */ - identifier: string; + export interface MaintenanceWindowTaskTarget { + key: string; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection { + export interface MaintenanceWindowTaskTaskInvocationParameters { /** - * Configures inspection of the response body. See `bodyContains` for more details. + * The parameters for an AUTOMATION task type. Documented below. */ - bodyContains?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains; + automationParameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersAutomationParameters; /** - * Configures inspection of the response header.See `header` for more details. + * The parameters for a LAMBDA task type. Documented below. */ - header?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader; + lambdaParameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersLambdaParameters; /** - * Configures inspection of the response JSON. See `json` for more details. + * The parameters for a RUN_COMMAND task type. Documented below. */ - json?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson; + runCommandParameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters; /** - * Configures inspection of the response status code.See `statusCode` for more details. + * The parameters for a STEP_FUNCTIONS task type. Documented below. 
*/ - statusCode?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode; + stepFunctionsParameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains { + export interface MaintenanceWindowTaskTaskInvocationParametersAutomationParameters { /** - * Strings in the body of the response that indicate a failed login attempt. + * The version of an Automation document to use during task execution. */ - failureStrings: string[]; + documentVersion?: string; /** - * Strings in the body of the response that indicate a successful login attempt. + * The parameters for the RUN_COMMAND task execution. Documented below. */ - successStrings: string[]; + parameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader { - /** - * Values in the response header with the specified name that indicate a failed login attempt. - */ - failureValues: string[]; + export interface MaintenanceWindowTaskTaskInvocationParametersAutomationParametersParameter { /** - * The name of the header to use. + * The parameter name. */ name: string; /** - * Values in the response header with the specified name that indicate a successful login attempt. + * The array of strings. */ - successValues: string[]; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson { - failureValues: string[]; + export interface MaintenanceWindowTaskTaskInvocationParametersLambdaParameters { /** - * The identifier for the value to match against in the JSON. 
+ * Pass client-specific information to the Lambda function that you are invoking. */ - identifier: string; - successValues: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode { + clientContext?: string; /** - * Status codes in the response that indicate a failed login attempt. + * JSON to provide to your Lambda function as input. */ - failureCodes: number[]; + payload?: string; /** - * Status codes in the response that indicate a successful login attempt. + * Specify a Lambda function version or alias name. */ - successCodes: number[]; + qualifier?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet { + export interface MaintenanceWindowTaskTaskInvocationParametersRunCommandParameters { /** - * The inspection level to use for the Bot Control rule group. + * Configuration options for sending command output to CloudWatch Logs. Documented below. */ - inspectionLevel: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField { + cloudwatchConfig?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig; /** - * The name of the password field. + * Information about the command(s) to execute. */ - identifier: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField { + comment?: string; /** - * The name of the username field. + * The SHA-256 or SHA-1 hash created by the system when the document was created. SHA-1 hashes have been deprecated. */ - identifier: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride { + documentHash?: string; /** - * Override action to use, in place of the configured action of the rule in the rule group. See `action` for details. + * SHA-256 or SHA-1. 
SHA-1 hashes have been deprecated. Valid values: `Sha256` and `Sha1` */ - actionToUse: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse; + documentHashType?: string; + documentVersion?: string; /** - * Name of the rule to override. See the [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) for a list of names in the appropriate rule group in use. + * Configurations for sending notifications about command status changes on a per-instance basis. Documented below. */ - name: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse { - allow?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow; - block?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock; - captcha?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptcha; - challenge?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallenge; - count?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCount; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow { + notificationConfig?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig; /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * The name of the Amazon S3 bucket. */ - customRequestHandling?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling { + outputS3Bucket?: string; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. 
+ * The Amazon S3 bucket subfolder. */ - insertHeaders: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader { + outputS3KeyPrefix?: string; /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * The parameters for the RUN_COMMAND task execution. Documented below. */ - name: string; + parameters?: outputs.ssm.MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter[]; /** - * Value of the custom header. + * The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) service role to use to publish Amazon Simple Notification Service (Amazon SNS) notifications for maintenance window Run Command tasks. */ - value: string; + serviceRoleArn?: string; + /** + * If this time is reached and the command has not already started executing, it doesn't run. + */ + timeoutSeconds?: number; } - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock { + export interface MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersCloudwatchConfig { /** - * Defines a custom response for the web request. See `customResponse` below for details. + * The name of the CloudWatch log group where you want to send command output. If you don't specify a group name, Systems Manager automatically creates a log group for you. The log group uses the following naming format: aws/ssm/SystemsManagerDocumentName. 
*/ - customResponse?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse; + cloudwatchLogGroupName: string; + /** + * Enables Systems Manager to send command output to CloudWatch Logs. + */ + cloudwatchOutputEnabled?: boolean; } - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse { + export interface MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersNotificationConfig { /** - * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. + * An Amazon Resource Name (ARN) for a Simple Notification Service (SNS) topic. Run Command pushes notifications about command status changes to this topic. */ - customResponseBodyKey?: string; + notificationArn?: string; /** - * The HTTP status code to return to the client. + * The different events for which you can receive notifications. Valid values: `All`, `InProgress`, `Success`, `TimedOut`, `Cancelled`, and `Failed` */ - responseCode: number; + notificationEvents?: string[]; /** - * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. + * When specified with `Command`, receive notification when the status of a command changes. When specified with `Invocation`, for commands sent to multiple instances, receive notification on a per-instance basis when the status of a command changes. 
Valid values: `Command` and `Invocation` */ - responseHeaders?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader[]; + notificationType?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader { + export interface MaintenanceWindowTaskTaskInvocationParametersRunCommandParametersParameter { /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * The parameter name. */ name: string; /** - * Value of the custom header. + * The array of strings. */ - value: string; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptcha { + export interface MaintenanceWindowTaskTaskInvocationParametersStepFunctionsParameters { /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * The inputs for the STEP_FUNCTION task. */ - customRequestHandling?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling { + input?: string; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * The name of the STEP_FUNCTION task. 
*/ - insertHeaders: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader[]; + name?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader { - /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. - */ - name: string; + export interface PatchBaselineApprovalRule { /** - * Value of the custom header. + * Number of days after the release date of each patch matched by the rule the patch is marked as approved in the patch baseline. Valid Range: 0 to 100. Conflicts with `approveUntilDate`. */ - value: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallenge { + approveAfterDays?: number; /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * Cutoff date for auto approval of released patches. Any patches released on or before this date are installed automatically. Date is formatted as `YYYY-MM-DD`. Conflicts with `approveAfterDays` */ - customRequestHandling?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling { + approveUntilDate?: string; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * Compliance level for patches approved by this rule. Valid values are `CRITICAL`, `HIGH`, `MEDIUM`, `LOW`, `INFORMATIONAL`, and `UNSPECIFIED`. The default value is `UNSPECIFIED`. 
*/ - insertHeaders: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader { + complianceLevel?: string; /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * Boolean enabling the application of non-security updates. The default value is `false`. Valid for Linux instances only. */ - name: string; + enableNonSecurity?: boolean; /** - * Value of the custom header. + * Patch filter group that defines the criteria for the rule. Up to 5 patch filters can be specified per approval rule using Key/Value pairs. Valid combinations of these Keys and the `operatingSystem` value can be found in the [SSM DescribePatchProperties API Reference](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_DescribePatchProperties.html). Valid Values are exact values for the patch property given as the key, or a wildcard `*`, which matches all values. `PATCH_SET` defaults to `OS` if unspecified */ - value: string; + patchFilters: outputs.ssm.PatchBaselineApprovalRulePatchFilter[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCount { - /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. 
- */ - customRequestHandling?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandling; + export interface PatchBaselineApprovalRulePatchFilter { + key: string; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandling { - /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. - */ - insertHeaders: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader[]; + export interface PatchBaselineGlobalFilter { + key: string; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader { + export interface PatchBaselineSource { /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * Value of the yum repo configuration. For information about other options available for your yum repository configuration, see the [`dnf.conf` documentation](https://man7.org/linux/man-pages/man5/dnf.conf.5.html) + */ + configuration: string; + /** + * Name specified to identify the patch source. */ name: string; /** - * Value of the custom header. + * Specific operating system versions a patch repository applies to, such as `"Ubuntu16.04"`, `"AmazonLinux2016.09"`, `"RedhatEnterpriseLinux7.2"` or `"Suse12.7"`. For lists of supported product values, see [PatchFilter](https://docs.aws.amazon.com/systems-manager/latest/APIReference/API_PatchFilter.html). 
*/ - value: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatement { - andStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementAndStatement; - byteMatchStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatement; - geoMatchStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatement; - ipSetReferenceStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatement; - labelMatchStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementLabelMatchStatement; - notStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementNotStatement; - orStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementOrStatement; - regexMatchStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatement; - regexPatternSetReferenceStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatement; - sizeConstraintStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatement; - sqliMatchStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatement; - xssMatchStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatement; + products: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementAndStatement { + export interface ResourceDataSyncS3Destination { /** - * The statements to combine. + * Name of S3 bucket where the aggregated data is stored. 
*/ - statements: outputs.wafv2.WebAclRuleStatement[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatement { + bucketName: string; /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * ARN of an encryption key for a destination in Amazon S3. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatch; + kmsKeyArn?: string; /** - * Area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. + * Prefix for the bucket. */ - positionalConstraint: string; + prefix?: string; /** - * String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. + * Region with the bucket targeted by the Resource Data Sync. */ - searchString: string; + region: string; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * A supported sync format. Only JsonSerDe is currently supported. Defaults to JsonSerDe. */ - textTransformations: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementTextTransformation[]; + syncFormat?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatch { - /** - * Inspect all query arguments. 
- */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchBody; +} + +export namespace ssmcontacts { + export interface ContactChannelDeliveryAddress { /** - * Inspect the cookies in the web request. See `cookies` below for details. + * Details to engage this contact channel. The expected format depends on the contact channel type and is described in the [`ContactChannelAddress` section of the SSM Contacts API Reference](https://docs.aws.amazon.com/incident-manager/latest/APIReference/API_SSMContacts_ContactChannelAddress.html). */ - cookies?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookies; + simpleAddress: string; + } + + export interface GetContactChannelDeliveryAddress { + simpleAddress: string; + } + + export interface GetPlanStage { + durationInMinutes: number; + targets: outputs.ssmcontacts.GetPlanStageTarget[]; + } + + export interface GetPlanStageTarget { + channelTargetInfos: outputs.ssmcontacts.GetPlanStageTargetChannelTargetInfo[]; + contactTargetInfos: outputs.ssmcontacts.GetPlanStageTargetContactTargetInfo[]; + } + + export interface GetPlanStageTargetChannelTargetInfo { + contactChannelId: string; + retryIntervalInMinutes: number; + } + + export interface GetPlanStageTargetContactTargetInfo { /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * The Amazon Resource Name (ARN) of the contact or escalation plan. 
*/ - headerOrders?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder[]; + contactId: string; + isEssential: boolean; + } + + export interface PlanStage { /** - * Inspect the request headers. See `headers` below for details. + * The time to wait until beginning the next stage. The duration can only be set to 0 if a target is specified. */ - headers?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeader[]; + durationInMinutes: number; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * One or more configuration blocks for specifying the contacts or contact methods that the escalation plan or engagement plan is engaging. See Target below for more details. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint; + targets?: outputs.ssmcontacts.PlanStageTarget[]; + } + + export interface PlanStageTarget { /** - * Inspect the request body as JSON. See `jsonBody` for details. + * A configuration block for specifying information about the contact channel that Incident Manager engages. See Channel Target Info for more details. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody; + channelTargetInfo?: outputs.ssmcontacts.PlanStageTargetChannelTargetInfo; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * A configuration block for specifying information about the contact that Incident Manager engages. See Contact Target Info for more details. 
*/ - method?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchMethod; + contactTargetInfo?: outputs.ssmcontacts.PlanStageTargetContactTargetInfo; + } + + export interface PlanStageTargetChannelTargetInfo { /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * The Amazon Resource Name (ARN) of the contact channel. */ - queryString?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString; + contactChannelId: string; /** - * Inspect a single header. See `singleHeader` below for details. + * The number of minutes to wait before retrying to send engagement if the engagement initially failed. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader; + retryIntervalInMinutes?: number; + } + + export interface PlanStageTargetContactTargetInfo { /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * The Amazon Resource Name (ARN) of the contact. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument; + contactId?: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * A Boolean value determining if the contact's acknowledgement stops the progress of stages in the plan. 
*/ - uriPath?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath; + isEssential: boolean; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments { - } +} - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchBody { +export namespace ssmincidents { + export interface GetReplicationSetRegion { /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The ARN of the AWS Key Management Service (AWS KMS) encryption key. */ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookies { + kmsKeyArn: string; /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * The name of the Region. */ - matchPatterns: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern[]; + name: string; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The current status of the Region. + * * Valid Values: `ACTIVE` | `CREATING` | `UPDATING` | `DELETING` | `FAILED` */ - matchScope: string; + status: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. 
AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * More information about the status of a Region. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + statusMessage: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll { + export interface GetResponsePlanAction { + /** + * The Systems Manager automation document to start as the runbook at the beginning of the incident. The following values are supported: + */ + ssmAutomations: outputs.ssmincidents.GetResponsePlanActionSsmAutomation[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeader { + export interface GetResponsePlanActionSsmAutomation { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * The automation document's name. */ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern; + documentName: string; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * The version of the automation document to use at runtime. 
*/ - matchScope: string; + documentVersion: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The key-value pair used to resolve dynamic parameter values when processing a Systems Manager Automation runbook. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern { + dynamicParameters: {[key: string]: string}; /** - * An empty configuration block that is used for inspecting all headers. + * The key-value pair parameters used when the automation document runs. The following values are supported: */ - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll; + parameters: outputs.ssmincidents.GetResponsePlanActionSsmAutomationParameter[]; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * The Amazon Resource Name (ARN) of the role that the automation document assumes when it runs commands. */ - excludedHeaders?: string[]; + roleArn: string; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * The account that runs the automation document. This can be in either the management account or an application account. 
*/ - includedHeaders?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll { + targetAccount: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder { + export interface GetResponsePlanActionSsmAutomationParameter { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The name of the PagerDuty configuration. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint { + name: string; /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * The values for the associated parameter name. */ - fallbackBehavior: string; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody { + export interface GetResponsePlanIncidentTemplate { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * A string used to stop Incident Manager from creating multiple incident records for the same incident. */ - invalidFallbackBehavior?: string; + dedupeString: string; + /** + * The impact value of a generated incident. The following values are supported: + */ + impact: number; + /** + * The tags assigned to an incident template. When an incident starts, Incident Manager assigns the tags specified in the template to the incident. 
+ */ + incidentTags: {[key: string]: string}; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * The Amazon Simple Notification Service (Amazon SNS) targets that this incident notifies when it is updated. The `notificationTarget` configuration block supports the following argument: */ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern; + notificationTargets: outputs.ssmincidents.GetResponsePlanIncidentTemplateNotificationTarget[]; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * The summary of an incident. */ - matchScope: string; + summary: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * The title of a generated incident. */ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchMethod { + title: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString { + export interface GetResponsePlanIncidentTemplateNotificationTarget { + /** + * The ARN of the Amazon SNS topic. 
+ */ + snsTopicArn: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader { + export interface GetResponsePlanIntegration { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Details about the PagerDuty configuration for a response plan. The following values are supported: */ - name: string; + pagerduties: outputs.ssmincidents.GetResponsePlanIntegrationPagerduty[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument { + export interface GetResponsePlanIntegrationPagerduty { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * The name of the PagerDuty configuration. */ name: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementByteMatchStatementTextTransformation { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The ID of the AWS Secrets Manager secret that stores your PagerDuty key — either a General Access REST API Key or User Token REST API Key — and other user credentials. */ - priority: number; + secretId: string; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The ID of the PagerDuty service that the response plan associates with an incident when it launches. 
*/ - type: string; + serviceId: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatement { + export interface ReplicationSetRegion { /** - * Array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. + * The Amazon Resource name (ARN) of the customer managed key. If omitted, AWS manages the AWS KMS keys for you, using an AWS owned key, as indicated by a default value of `DefaultKey`. + * + * The following arguments are optional: */ - countryCodes: string[]; + kmsKeyArn?: string; /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `forwardedIpConfig` below for details. + * The name of the Region, such as `ap-southeast-2`. */ - forwardedIpConfig?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatementForwardedIpConfig; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementGeoMatchStatementForwardedIpConfig { + name: string; /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. + * The current status of the Region. + * * Valid Values: `ACTIVE` | `CREATING` | `UPDATING` | `DELETING` | `FAILED` */ - fallbackBehavior: string; + status: string; /** - * Name of the HTTP header to use for the IP address. + * More information about the status of a Region. */ - headerName: string; + statusMessage: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatement { - /** - * The Amazon Resource Name (ARN) of the IP Set that this statement references. 
- */ - arn: string; + export interface ResponsePlanAction { + ssmAutomations?: outputs.ssmincidents.ResponsePlanActionSsmAutomation[]; + } + + export interface ResponsePlanActionSsmAutomation { + documentName: string; + documentVersion?: string; + dynamicParameters?: {[key: string]: string}; + parameters?: outputs.ssmincidents.ResponsePlanActionSsmAutomationParameter[]; + roleArn: string; + targetAccount?: string; + } + + export interface ResponsePlanActionSsmAutomationParameter { /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `ipSetForwardedIpConfig` below for more details. + * The name of the response plan. */ - ipSetForwardedIpConfig?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig; + name: string; + values: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig { + export interface ResponsePlanIncidentTemplate { /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. + * A string used to stop Incident Manager from creating multiple incident records for the same incident. */ - fallbackBehavior: string; + dedupeString?: string; /** - * Name of the HTTP header to use for the IP address. + * The impact value of a generated incident. The following values are supported: */ - headerName: string; + impact: number; /** - * Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. + * The tags assigned to an incident template. When an incident starts, Incident Manager assigns the tags specified in the template to the incident. 
*/ - position: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementLabelMatchStatement { + incidentTags?: {[key: string]: string}; /** - * String to match against. + * The Amazon Simple Notification Service (Amazon SNS) targets that this incident notifies when it is updated. The `notificationTarget` configuration block supports the following argument: */ - key: string; + notificationTargets?: outputs.ssmincidents.ResponsePlanIncidentTemplateNotificationTarget[]; /** - * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. + * The summary of an incident. */ - scope: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementNotStatement { + summary?: string; /** - * The statements to combine. + * The title of a generated incident. */ - statements: outputs.wafv2.WebAclRuleStatement[]; + title: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementOrStatement { + export interface ResponsePlanIncidentTemplateNotificationTarget { /** - * The statements to combine. + * The ARN of the Amazon SNS topic. + * + * The following arguments are optional: */ - statements: outputs.wafv2.WebAclRuleStatement[]; + snsTopicArn: string; + } + + export interface ResponsePlanIntegration { + pagerduties?: outputs.ssmincidents.ResponsePlanIntegrationPagerduty[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatement { + export interface ResponsePlanIntegrationPagerduty { /** - * The part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * The name of the response plan. 
*/ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatch; + name: string; + secretId: string; + serviceId: string; + } + +} + +export namespace ssoadmin { + export interface ApplicationPortalOptions { /** - * String representing the regular expression. Minimum of `1` and maximum of `512` characters. + * Sign-in options for the access portal. See `signInOptions` below. */ - regexString: string; + signInOptions?: outputs.ssoadmin.ApplicationPortalOptionsSignInOptions; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * Indicates whether this application is visible in the access portal. Valid values are `ENABLED` and `DISABLED`. */ - textTransformations: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementTextTransformation[]; + visibility: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatch { + export interface ApplicationPortalOptionsSignInOptions { /** - * Inspect all query arguments. + * URL that accepts authentication requests for an application. */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments; + applicationUrl?: string; /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * Determines how IAM Identity Center navigates the user to the target application. + * Valid values are `APPLICATION` and `IDENTITY_CENTER`. + * If `APPLICATION` is set, IAM Identity Center redirects the customer to the configured `applicationUrl`. 
+ * If `IDENTITY_CENTER` is set, IAM Identity Center uses SAML identity-provider initiated authentication to sign the customer directly into a SAML-based application. */ - body?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchBody; + origin: string; + } + + export interface CustomerManagedPolicyAttachmentCustomerManagedPolicyReference { /** - * Inspect the cookies in the web request. See `cookies` below for details. + * Name of the customer managed IAM Policy to be attached. */ - cookies?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies; + name: string; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * The path to the IAM policy to be attached. The default is `/`. See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) for more information. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder[]; + path?: string; + } + + export interface GetApplicationAssignmentsApplicationAssignment { /** - * Inspect the request headers. See `headers` below for details. + * ARN of the application. */ - headers?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader[]; + applicationArn: string; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * An identifier for an object in IAM Identity Center, such as a user or group. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint; + principalId: string; /** - * Inspect the request body as JSON. See `jsonBody` for details. 
+ * Entity type for which the assignment will be created. Valid values are `USER` or `GROUP`. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody; + principalType: string; + } + + export interface GetApplicationPortalOption { + signInOptions?: outputs.ssoadmin.GetApplicationPortalOptionSignInOption[]; + visibility: string; + } + + export interface GetApplicationPortalOptionSignInOption { + applicationUrl: string; + origin: string; + } + + export interface GetApplicationProvidersApplicationProvider { /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * ARN of the application provider. */ - method?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod; + applicationProviderArn: string; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * An object describing how IAM Identity Center represents the application provider in the portal. See `displayData` below. */ - queryString?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString; + displayDatas?: outputs.ssoadmin.GetApplicationProvidersApplicationProviderDisplayData[]; /** - * Inspect a single header. See `singleHeader` below for details. + * Protocol that the application provider uses to perform federation. Valid values are `SAML` and `OAUTH`. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader; + federationProtocol: string; + } + + export interface GetApplicationProvidersApplicationProviderDisplayData { /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * Description of the application provider. 
*/ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument; + description: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Name of the application provider. */ - uriPath?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchBody { + displayName: string; /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * URL that points to an icon that represents the application provider. */ - oversizeHandling?: string; + iconUrl: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies { + export interface GetPrincipalApplicationAssignmentsApplicationAssignment { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * ARN of the application. 
*/ - matchPatterns: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern[]; + applicationArn: string; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * An identifier for an object in IAM Identity Center, such as a user or group. */ - matchScope: string; + principalId: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Entity type for which the assignment will be created. Valid values are `USER` or `GROUP`. */ - oversizeHandling: string; + principalType: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + export interface InstanceAccessControlAttributesAttribute { + key: string; + values: outputs.ssoadmin.InstanceAccessControlAttributesAttributeValue[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll { + export interface InstanceAccessControlAttributesAttributeValue { + sources: string[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. 
The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern; + export interface PermissionsBoundaryAttachmentPermissionsBoundary { /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * Specifies the name and path of a customer managed policy. See below. */ - matchScope: string; + customerManagedPolicyReference?: outputs.ssoadmin.PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * AWS-managed IAM policy ARN to use as the permissions boundary. */ - oversizeHandling: string; + managedPolicyArn?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: string[]; + export interface PermissionsBoundaryAttachmentPermissionsBoundaryCustomerManagedPolicyReference { /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. 
+ * Name of the customer managed IAM Policy to be attached. */ - includedHeaders?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder { + name: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The path to the IAM policy to be attached. The default is `/`. See [IAM Identifiers](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html#identifiers-friendly-names) for more information. */ - oversizeHandling: string; + path?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint { + export interface TrustedTokenIssuerTrustedTokenIssuerConfiguration { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * A block that describes the settings for a trusted token issuer that works with OpenID Connect (OIDC) by using JSON Web Tokens (JWT). See Documented below below. */ - fallbackBehavior: string; + oidcJwtConfiguration?: outputs.ssoadmin.TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody { + export interface TrustedTokenIssuerTrustedTokenIssuerConfigurationOidcJwtConfiguration { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. 
Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * Specifies the path of the source attribute in the JWT from the trusted token issuer. */ - invalidFallbackBehavior?: string; + claimAttributePath: string; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Specifies path of the destination attribute in a JWT from IAM Identity Center. The attribute mapped by this JMESPath expression is compared against the attribute mapped by `claimAttributePath` when a trusted token issuer token is exchanged for an IAM Identity Center token. */ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern; + identityStoreAttributePath: string; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * Specifies the URL that IAM Identity Center uses for OpenID Discovery. OpenID Discovery is used to obtain the information required to verify the tokens that the trusted token issuer generates. */ - matchScope: string; + issuerUrl: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * The method that the trusted token issuer can use to retrieve the JSON Web Key Set used to verify a JWT. 
Valid values are `OPEN_ID_DISCOVERY` */ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod { + jwksRetrievalOption: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString { - } +} - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader { +export namespace storagegateway { + export interface FileSystemAssociationCacheAttributes { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Refreshes a file share's cache by using Time To Live (TTL). + * TTL is the length of time since the last refresh after which access to the directory would cause the file gateway + * to first refresh that directory's contents from the Amazon S3 bucket. Valid Values: `0` or `300` to `2592000` seconds (5 minutes to 30 days). Defaults to `0` */ - name: string; + cacheStaleTimeoutInSeconds?: number; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument { + export interface GatewayGatewayNetworkInterface { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * The Internet Protocol version 4 (IPv4) address of the interface. 
*/ - name: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath { + ipv4Address: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: number; + export interface GatewayMaintenanceStartTime { /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The day of the month component of the maintenance start time represented as an ordinal number from 1 to 28, where 1 represents the first day of the month and 28 represents the last day of the month. */ - type: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatement { + dayOfMonth?: string; /** - * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. + * The day of the week component of the maintenance start time week represented as an ordinal number from 0 to 6, where 0 represents Sunday and 6 Saturday. */ - arn: string; + dayOfWeek?: string; /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * The hour component of the maintenance start time represented as _hh_, where _hh_ is the hour (00 to 23). The hour of the day is in the time zone of the gateway. 
*/ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch; + hourOfDay: number; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * The minute component of the maintenance start time represented as _mm_, where _mm_ is the minute (00 to 59). The minute of the hour is in the time zone of the gateway. */ - textTransformations: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation[]; + minuteOfHour?: number; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch { + export interface GatewaySmbActiveDirectorySettings { + activeDirectoryStatus: string; /** - * Inspect all query arguments. + * List of IPv4 addresses, NetBIOS names, or host names of your domain server. + * If you need to specify the port number include it after the colon (“:”). For example, `mydc.mydomain.com:389`. */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments; + domainControllers?: string[]; /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * The name of the domain that you want the gateway to join. */ - body?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody; + domainName: string; /** - * Inspect the cookies in the web request. See `cookies` below for details. 
+ * The organizational unit (OU) is a container in an Active Directory that can hold users, groups, + * computers, and other OUs and this parameter specifies the OU that the gateway will join within the AD domain. */ - cookies?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies; + organizationalUnit?: string; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * The password of the user who has permission to add the gateway to the Active Directory domain. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder[]; + password: string; /** - * Inspect the request headers. See `headers` below for details. + * Specifies the time in seconds, in which the JoinDomain operation must complete. The default is `20` seconds. */ - headers?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader[]; + timeoutInSeconds?: number; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * The user name of user who has permission to add the gateway to the Active Directory domain. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint; + username: string; + } + + export interface NfsFileShareCacheAttributes { /** - * Inspect the request body as JSON. See `jsonBody` for details. + * Refreshes a file share's cache by using Time To Live (TTL). + * TTL is the length of time since the last refresh after which access to the directory would cause the file gateway + * to first refresh that directory's contents from the Amazon S3 bucket. 
Valid Values: 300 to 2,592,000 seconds (5 minutes to 30 days) */ - jsonBody?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody; + cacheStaleTimeoutInSeconds?: number; + } + + export interface NfsFileShareNfsFileShareDefaults { /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * The Unix directory mode in the string form "nnnn". Defaults to `"0777"`. */ - method?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod; + directoryMode?: string; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * The Unix file mode in the string form "nnnn". Defaults to `"0666"`. */ - queryString?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString; + fileMode?: string; /** - * Inspect a single header. See `singleHeader` below for details. + * The default group ID for the file share (unless the files have another group ID specified). Defaults to `65534` (`nfsnobody`). Valid values: `0` through `4294967294`. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader; + groupId?: string; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * The default owner ID for the file share (unless the files have another owner ID specified). Defaults to `65534` (`nfsnobody`). Valid values: `0` through `4294967294`. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument; + ownerId?: string; + } + + export interface SmbFileShareCacheAttributes { /** - * Inspect the request URI path. 
This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Refreshes a file share's cache by using Time To Live (TTL). + * TTL is the length of time since the last refresh after which access to the directory would cause the file gateway + * to first refresh that directory's contents from the Amazon S3 bucket. Valid Values: 300 to 2,592,000 seconds (5 minutes to 30 days) */ - uriPath?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath; + cacheStaleTimeoutInSeconds?: number; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments { +} + +export namespace synthetics { + export interface CanaryArtifactConfig { + /** + * Configuration of the encryption-at-rest settings for artifacts that the canary uploads to Amazon S3. See S3 Encryption. + */ + s3Encryption?: outputs.synthetics.CanaryArtifactConfigS3Encryption; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody { + export interface CanaryArtifactConfigS3Encryption { /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The encryption method to use for artifacts created by this canary. Valid values are: `SSE_S3` and `SSE_KMS`. */ - oversizeHandling?: string; + encryptionMode?: string; + /** + * The ARN of the customer-managed KMS key to use, if you specify `SSE_KMS` for `encryptionMode`. 
+ */ + kmsKeyArn?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies { + export interface CanaryRunConfig { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * Whether this canary is to use active AWS X-Ray tracing when it runs. You can enable active tracing only for canaries that use version syn-nodejs-2.0 or later for their canary runtime. */ - matchPatterns: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern[]; + activeTracing?: boolean; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * Map of environment variables that are accessible from the canary during execution. Please see [AWS Docs](https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime) for variables reserved for Lambda. */ - matchScope: string; + environmentVariables?: {[key: string]: string}; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Maximum amount of memory available to the canary while it is running, in MB. The value you specify must be a multiple of 64. 
*/ - oversizeHandling: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + memoryInMb: number; + /** + * Number of seconds the canary is allowed to run before it must stop. If you omit this field, the frequency of the canary is used, up to a maximum of 840 (14 minutes). + */ + timeoutInSeconds?: number; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll { + export interface CanarySchedule { + /** + * Duration in seconds, for the canary to continue making regular runs according to the schedule in the Expression value. + */ + durationInSeconds?: number; + /** + * Rate expression or cron expression that defines how often the canary is to run. For rate expression, the syntax is `rate(number unit)`. _unit_ can be `minute`, `minutes`, or `hour`. For cron expression, the syntax is `cron(expression)`. For more information about the syntax for cron expressions, see [Scheduling canary runs using cron](https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/CloudWatch_Synthetics_Canaries_cron.html). + */ + expression: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader { + export interface CanaryTimeline { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * Date and time the canary was created. 
*/ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern; + created: string; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * Date and time the canary was most recently modified. */ - matchScope: string; + lastModified: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Date and time that the canary's most recent run started. */ - oversizeHandling: string; + lastStarted: string; + /** + * Date and time that the canary's most recent run ended. + */ + lastStopped: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern { + export interface CanaryVpcConfig { /** - * An empty configuration block that is used for inspecting all headers. + * IDs of the security groups for this canary. */ - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll; + securityGroupIds?: string[]; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * IDs of the subnets where this canary is to run. */ - excludedHeaders?: string[]; + subnetIds?: string[]; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * ID of the VPC where this canary is to run. 
*/ - includedHeaders?: string[]; + vpcId: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll { - } +} - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder { +export namespace timestreamwrite { + export interface TableMagneticStoreWriteProperties { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * A flag to enable magnetic store writes. */ - oversizeHandling: string; + enableMagneticStoreWrites?: boolean; + /** + * The location to write error reports for records rejected asynchronously during magnetic store writes. See Magnetic Store Rejected Data Location below for more details. + */ + magneticStoreRejectedDataLocation?: outputs.timestreamwrite.TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint { + export interface TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocation { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * Configuration of an S3 location to write error reports for records rejected, asynchronously, during magnetic store writes. See S3 Configuration below for more details. 
*/ - fallbackBehavior: string; + s3Configuration?: outputs.timestreamwrite.TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody { + export interface TableMagneticStoreWritePropertiesMagneticStoreRejectedDataLocationS3Configuration { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * Bucket name of the customer S3 bucket. */ - invalidFallbackBehavior?: string; + bucketName?: string; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Encryption option for the customer s3 location. Options are S3 server side encryption with an S3-managed key or KMS managed key. Valid values are `SSE_KMS` and `SSE_S3`. */ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern; + encryptionOption?: string; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * KMS key arn for the customer s3 location when encrypting with a KMS managed key. */ - matchScope: string; + kmsKeyId?: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Object key prefix for the customer S3 location. 
*/ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod { + objectKeyPrefix?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString { + export interface TableRetentionProperties { + /** + * The duration for which data must be stored in the magnetic store. Minimum value of 1. Maximum value of 73000. + */ + magneticStoreRetentionPeriodInDays: number; + /** + * The duration for which data must be stored in the memory store. Minimum value of 1. Maximum value of 8766. + */ + memoryStoreRetentionPeriodInHours: number; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader { + export interface TableSchema { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * A non-empty list of partition keys defining the attributes used to partition the table data. The order of the list determines the partition hierarchy. The name and type of each partition key as well as the partition key order cannot be changed after the table is created. However, the enforcement level of each partition key can be changed. See Composite Partition Key below for more details. 
*/ - name: string; + compositePartitionKey: outputs.timestreamwrite.TableSchemaCompositePartitionKey; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument { + export interface TableSchemaCompositePartitionKey { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * The level of enforcement for the specification of a dimension key in ingested records. Valid values: `REQUIRED`, `OPTIONAL`. */ - name: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation { + enforcementInRecord?: string; /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The name of the attribute used for a dimension key. */ - priority: number; + name?: string; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The type of the partition key. Valid values: `DIMENSION`, `MEASURE`. */ type: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatement { +} + +export namespace transcribe { + export interface LanguageModelInputDataConfig { /** - * Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. + * IAM role with access to S3 bucket. */ - comparisonOperator: string; + dataAccessRoleArn: string; /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. 
+ * S3 URI where training data is located. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatch; + s3Uri: string; /** - * Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. + * S3 URI where tuning data is located. + * + * The following arguments are optional: */ - size: number; + tuningDataS3Uri: string; + } + +} + +export namespace transfer { + export interface AccessHomeDirectoryMapping { /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * Represents an entry and a target. */ - textTransformations: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementTextTransformation[]; + entry: string; + /** + * Represents the map target. + */ + target: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatch { + export interface AccessPosixProfile { /** - * Inspect all query arguments. + * The POSIX group ID used for all EFS operations by this user. */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments; + gid: number; /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * The secondary POSIX group IDs used for all EFS operations by this user. */ - body?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody; + secondaryGids?: number[]; /** - * Inspect the cookies in the web request. See `cookies` below for details. + * The POSIX user ID used for all EFS operations by this user. 
*/ - cookies?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies; + uid: number; + } + + export interface ConnectorAs2Config { + compression: string; + encryptionAlgorithm: string; + localProfileId: string; + mdnResponse: string; + mdnSigningAlgorithm?: string; + messageSubject?: string; + partnerProfileId: string; + signingAlgorithm: string; + } + + export interface ConnectorSftpConfig { + trustedHostKeys?: string[]; + userSecretId?: string; + } + + export interface ServerEndpointDetails { /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * A list of address allocation IDs that are required to attach an Elastic IP address to your SFTP server's endpoint. This property can only be used when `endpointType` is set to `VPC`. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder[]; + addressAllocationIds?: string[]; /** - * Inspect the request headers. See `headers` below for details. + * A list of security groups IDs that are available to attach to your server's endpoint. If no security groups are specified, the VPC's default security groups are automatically assigned to your endpoint. This property can only be used when `endpointType` is set to `VPC`. */ - headers?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader[]; + securityGroupIds: string[]; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * A list of subnet IDs that are required to host your SFTP server endpoint in your VPC. This property can only be used when `endpointType` is set to `VPC`. 
*/ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint; + subnetIds?: string[]; /** - * Inspect the request body as JSON. See `jsonBody` for details. + * The ID of the VPC endpoint. This property can only be used when `endpointType` is set to `VPC_ENDPOINT` */ - jsonBody?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody; + vpcEndpointId: string; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * The VPC ID of the virtual private cloud in which the SFTP server's endpoint will be hosted. This property can only be used when `endpointType` is set to `VPC`. */ - method?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod; + vpcId?: string; + } + + export interface ServerProtocolDetails { /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * Indicates the transport method for the AS2 messages. Currently, only `HTTP` is supported. */ - queryString?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString; + as2Transports: string[]; /** - * Inspect a single header. See `singleHeader` below for details. + * Indicates passive mode, for FTP and FTPS protocols. Enter a single IPv4 address, such as the public IP address of a firewall, router, or load balancer. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader; + passiveIp: string; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * Use to ignore the error that is generated when the client attempts to use `SETSTAT` on a file you are uploading to an S3 bucket. 
Valid values: `DEFAULT`, `ENABLE_NO_OP`. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument; + setStatOption: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * A property used with Transfer Family servers that use the FTPS protocol. Provides a mechanism to resume or share a negotiated secret key between the control and data connection for an FTPS session. Valid values: `DISABLED`, `ENABLED`, `ENFORCED`. */ - uriPath?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments { + tlsSessionResumptionMode: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody { + export interface ServerS3StorageOptions { /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Specifies whether or not performance for your Amazon S3 directories is optimized. Valid values are `DISABLED`, `ENABLED`. + * + * By default, home directory mappings have a `TYPE` of `DIRECTORY`. If you enable this option, you would then need to explicitly set the `HomeDirectoryMapEntry` Type to `FILE` if you want a mapping to have a file target. See [Using logical directories to simplify your Transfer Family directory structures](https://docs.aws.amazon.com/transfer/latest/userguide/logical-dir-mappings.html) for details. 
*/ - oversizeHandling?: string; + directoryListingOptimization: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern[]; + export interface ServerWorkflowDetails { /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * A trigger that starts a workflow if a file is only partially uploaded. See Workflow Detail below. See `onPartialUpload` block below for details. */ - matchScope: string; + onPartialUpload?: outputs.transfer.ServerWorkflowDetailsOnPartialUpload; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * A trigger that starts a workflow: the workflow begins to execute after a file is uploaded. See `onUpload` block below for details. 
*/ - oversizeHandling: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll { + onUpload?: outputs.transfer.ServerWorkflowDetailsOnUpload; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern; + export interface ServerWorkflowDetailsOnPartialUpload { /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources. */ - matchScope: string; + executionRole: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * A unique identifier for the workflow. 
*/ - oversizeHandling: string; + workflowId: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll; + export interface ServerWorkflowDetailsOnUpload { /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * Includes the necessary permissions for S3, EFS, and Lambda operations that Transfer can assume, so that all workflow steps can operate on the required resources. */ - excludedHeaders?: string[]; + executionRole: string; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * A unique identifier for the workflow. */ - includedHeaders?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll { + workflowId: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder { + export interface UserHomeDirectoryMapping { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Represents an entry and a target. 
*/ - oversizeHandling: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint { + entry: string; /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * Represents the map target. + * + * The `Restricted` option is achieved using the following mapping: + * + * ``` + * home_directory_mappings { + * entry = "/" + * target = "/${aws_s3_bucket.foo.id}/$${Transfer:UserName}" + * } + * ``` */ - fallbackBehavior: string; + target: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: string; + export interface UserPosixProfile { /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * The POSIX group ID used for all EFS operations by this user. */ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern; + gid: number; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * The secondary POSIX group IDs used for all EFS operations by this user. */ - matchScope: string; + secondaryGids?: number[]; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * The POSIX user ID used for all EFS operations by this user. 
*/ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod { + uid: number; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString { + export interface WorkflowOnExceptionStep { + copyStepDetails?: outputs.transfer.WorkflowOnExceptionStepCopyStepDetails; + customStepDetails?: outputs.transfer.WorkflowOnExceptionStepCustomStepDetails; + decryptStepDetails?: outputs.transfer.WorkflowOnExceptionStepDecryptStepDetails; + deleteStepDetails?: outputs.transfer.WorkflowOnExceptionStepDeleteStepDetails; + tagStepDetails?: outputs.transfer.WorkflowOnExceptionStepTagStepDetails; + type: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader { + export interface WorkflowOnExceptionStepCopyStepDetails { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username. */ - name: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument { + destinationFileLocation?: outputs.transfer.WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation; /** - * Name of the query header to inspect. 
This setting must be provided as lower case characters. + * The name of the step, used as an identifier. */ - name: string; + name?: string; + /** + * A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`. + */ + overwriteExisting?: string; + /** + * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. + */ + sourceFileLocation?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath { + export interface WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocation { + /** + * Specifies the details for the EFS file being copied. + */ + efsFileLocation?: outputs.transfer.WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation; + /** + * Specifies the details for the S3 file being copied. + */ + s3FileLocation?: outputs.transfer.WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSizeConstraintStatementTextTransformation { + export interface WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationEfsFileLocation { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The ID of the file system, assigned by Amazon EFS. 
*/ - priority: number; + fileSystemId?: string; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The pathname for the folder being used by a workflow. */ - type: string; + path?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatement { + export interface WorkflowOnExceptionStepCopyStepDetailsDestinationFileLocationS3FileLocation { /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * Specifies the S3 bucket for the customer input file. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatch; + bucket?: string; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * The name assigned to the file when it was created in S3. You use the object key to retrieve the object. */ - textTransformations: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementTextTransformation[]; + key?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatch { + export interface WorkflowOnExceptionStepCustomStepDetails { /** - * Inspect all query arguments. + * The name of the step, used as an identifier. */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments; + name?: string; /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. 
+ * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. */ - body?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchBody; + sourceFileLocation?: string; /** - * Inspect the cookies in the web request. See `cookies` below for details. + * The ARN for the lambda function that is being called. */ - cookies?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies; + target?: string; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * Timeout, in seconds, for the step. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder[]; + timeoutSeconds?: number; + } + + export interface WorkflowOnExceptionStepDecryptStepDetails { /** - * Inspect the request headers. See `headers` below for details. + * Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username. */ - headers?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader[]; + destinationFileLocation?: outputs.transfer.WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * The name of the step, used as an identifier. 
*/ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint; + name?: string; /** - * Inspect the request body as JSON. See `jsonBody` for details. + * A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody; + overwriteExisting?: string; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. */ - method?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod; + sourceFileLocation?: string; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * The type of encryption used. Currently, this value must be `"PGP"`. */ - queryString?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString; + type: string; + } + + export interface WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocation { /** - * Inspect a single header. See `singleHeader` below for details. + * Specifies the details for the EFS file being copied. + */ + efsFileLocation?: outputs.transfer.WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation; + /** + * Specifies the details for the S3 file being copied. 
*/ - singleHeader?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader; + s3FileLocation?: outputs.transfer.WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation; + } + + export interface WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationEfsFileLocation { /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * The ID of the file system, assigned by Amazon EFS. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument; + fileSystemId?: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * The pathname for the folder being used by a workflow. */ - uriPath?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath; + path?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments { + export interface WorkflowOnExceptionStepDecryptStepDetailsDestinationFileLocationS3FileLocation { + /** + * Specifies the S3 bucket for the customer input file. + */ + bucket?: string; + /** + * The name assigned to the file when it was created in S3. You use the object key to retrieve the object. + */ + key?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchBody { + export interface WorkflowOnExceptionStepDeleteStepDetails { /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. 
+ * The name of the step, used as an identifier. */ - oversizeHandling?: string; + name?: string; + /** + * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. + */ + sourceFileLocation?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies { + export interface WorkflowOnExceptionStepTagStepDetails { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * The name of the step, used as an identifier. */ - matchPatterns: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern[]; + name?: string; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. 
*/ - matchScope: string; + sourceFileLocation?: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Array that contains from 1 to 10 key/value pairs. See S3 Tags below. */ - oversizeHandling: string; + tags?: outputs.transfer.WorkflowOnExceptionStepTagStepDetailsTag[]; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + export interface WorkflowOnExceptionStepTagStepDetailsTag { + key: string; + value: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll { + export interface WorkflowStep { + copyStepDetails?: outputs.transfer.WorkflowStepCopyStepDetails; + customStepDetails?: outputs.transfer.WorkflowStepCustomStepDetails; + decryptStepDetails?: outputs.transfer.WorkflowStepDecryptStepDetails; + deleteStepDetails?: outputs.transfer.WorkflowStepDeleteStepDetails; + tagStepDetails?: outputs.transfer.WorkflowStepTagStepDetails; + type: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader { + export interface WorkflowStepCopyStepDetails { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * Specifies the location for the file being copied. 
Use ${Transfer:username} in this field to parametrize the destination prefix by username. */ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern; + destinationFileLocation?: outputs.transfer.WorkflowStepCopyStepDetailsDestinationFileLocation; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * The name of the step, used as an identifier. */ - matchScope: string; + name?: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern { + overwriteExisting?: string; /** - * An empty configuration block that is used for inspecting all headers. + * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. 
*/ - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll; + sourceFileLocation?: string; + } + + export interface WorkflowStepCopyStepDetailsDestinationFileLocation { /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * Specifies the details for the EFS file being copied. */ - excludedHeaders?: string[]; + efsFileLocation?: outputs.transfer.WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * Specifies the details for the S3 file being copied. */ - includedHeaders?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll { + s3FileLocation?: outputs.transfer.WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder { + export interface WorkflowStepCopyStepDetailsDestinationFileLocationEfsFileLocation { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The ID of the file system, assigned by Amazon EFS. */ - oversizeHandling: string; + fileSystemId?: string; + /** + * The pathname for the folder being used by a workflow. 
+ */ + path?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint { + export interface WorkflowStepCopyStepDetailsDestinationFileLocationS3FileLocation { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * Specifies the S3 bucket for the customer input file. */ - fallbackBehavior: string; + bucket?: string; + /** + * The name assigned to the file when it was created in S3. You use the object key to retrieve the object. + */ + key?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody { + export interface WorkflowStepCustomStepDetails { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * The name of the step, used as an identifier. */ - invalidFallbackBehavior?: string; + name?: string; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. */ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern; + sourceFileLocation?: string; /** - * The parts of the JSON to match against using the `matchPattern`. 
Valid values are `ALL`, `KEY` and `VALUE`. + * The ARN for the lambda function that is being called. */ - matchScope: string; + target?: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Timeout, in seconds, for the step. */ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString { + timeoutSeconds?: number; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader { + export interface WorkflowStepDecryptStepDetails { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Specifies the location for the file being copied. Use ${Transfer:username} in this field to parametrize the destination prefix by username. */ - name: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument { + destinationFileLocation?: outputs.transfer.WorkflowStepDecryptStepDetailsDestinationFileLocation; /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * The name of the step, used as an identifier. 
*/ - name: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath { + name?: string; + /** + * A flag that indicates whether or not to overwrite an existing file of the same name. The default is `FALSE`. Valid values are `TRUE` and `FALSE`. + */ + overwriteExisting?: string; + /** + * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. + */ + sourceFileLocation?: string; + /** + * The type of encryption used. Currently, this value must be `"PGP"`. + */ + type: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementSqliMatchStatementTextTransformation { + export interface WorkflowStepDecryptStepDetailsDestinationFileLocation { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Specifies the details for the EFS file being copied. */ - priority: number; + efsFileLocation?: outputs.transfer.WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Specifies the details for the S3 file being copied. 
*/ - type: string; + s3FileLocation?: outputs.transfer.WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatement { + export interface WorkflowStepDecryptStepDetailsDestinationFileLocationEfsFileLocation { /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * The ID of the file system, assigned by Amazon EFS. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatch; + fileSystemId?: string; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * The pathname for the folder being used by a workflow. */ - textTransformations: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementTextTransformation[]; + path?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatch { + export interface WorkflowStepDecryptStepDetailsDestinationFileLocationS3FileLocation { /** - * Inspect all query arguments. + * Specifies the S3 bucket for the customer input file. */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments; + bucket?: string; /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * The name assigned to the file when it was created in S3. You use the object key to retrieve the object. */ - body?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchBody; + key?: string; + } + + export interface WorkflowStepDeleteStepDetails { /** - * Inspect the cookies in the web request. 
See `cookies` below for details. + * The name of the step, used as an identifier. */ - cookies?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookies; + name?: string; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder[]; + sourceFileLocation?: string; + } + + export interface WorkflowStepTagStepDetails { /** - * Inspect the request headers. See `headers` below for details. + * The name of the step, used as an identifier. */ - headers?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeader[]; + name?: string; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * Specifies which file to use as input to the workflow step: either the output from the previous step, or the originally uploaded file for the workflow. Enter ${previous.file} to use the previous file as the input. In this case, this workflow step uses the output file from the previous workflow step as input. This is the default value. Enter ${original.file} to use the originally-uploaded file location as input for this step. 
*/ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint; + sourceFileLocation?: string; /** - * Inspect the request body as JSON. See `jsonBody` for details. + * Array that contains from 1 to 10 key/value pairs. See S3 Tags below. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody; + tags?: outputs.transfer.WorkflowStepTagStepDetailsTag[]; + } + + export interface WorkflowStepTagStepDetailsTag { + key: string; + value: string; + } + +} + +export namespace verifiedaccess { + export interface EndpointLoadBalancerOptions { + loadBalancerArn?: string; + port?: number; + protocol?: string; + subnetIds?: string[]; + } + + export interface EndpointNetworkInterfaceOptions { + networkInterfaceId?: string; + port?: number; + protocol?: string; + } + + export interface EndpointSseSpecification { + customerManagedKeyEnabled?: boolean; + kmsKeyArn?: string; + } + + export interface GroupSseConfiguration { + customerManagedKeyEnabled?: boolean; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * ARN of the KMS key to use. */ - method?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchMethod; + kmsKeyArn?: string; + } + + export interface InstanceLoggingConfigurationAccessLogs { /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * A block that specifies configures sending Verified Access logs to CloudWatch Logs. Detailed below. */ - queryString?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString; + cloudwatchLogs?: outputs.verifiedaccess.InstanceLoggingConfigurationAccessLogsCloudwatchLogs; /** - * Inspect a single header. See `singleHeader` below for details. 
+ * Include trust data sent by trust providers into the logs. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader; + includeTrustContext: boolean; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * A block that specifies configures sending Verified Access logs to Kinesis. Detailed below. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument; + kinesisDataFirehose?: outputs.verifiedaccess.InstanceLoggingConfigurationAccessLogsKinesisDataFirehose; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * The logging version to use. Refer to [VerifiedAccessLogOptions](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_VerifiedAccessLogOptions.html) for the allowed values. */ - uriPath?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchBody { + logVersion: string; /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * A block that specifies configures sending Verified Access logs to S3. Detailed below. 
*/ - oversizeHandling?: string; + s3?: outputs.verifiedaccess.InstanceLoggingConfigurationAccessLogsS3; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern[]; + export interface InstanceLoggingConfigurationAccessLogsCloudwatchLogs { /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * Indicates whether logging is enabled. */ - matchScope: string; + enabled: boolean; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The name of the CloudWatch Logs Log Group. 
*/ - oversizeHandling: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll { + logGroup?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern; + export interface InstanceLoggingConfigurationAccessLogsKinesisDataFirehose { /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * The name of the delivery stream. */ - matchScope: string; + deliveryStream?: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Indicates whether logging is enabled. 
*/ - oversizeHandling: string; + enabled: boolean; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern { + export interface InstanceLoggingConfigurationAccessLogsS3 { /** - * An empty configuration block that is used for inspecting all headers. + * The name of S3 bucket. */ - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll; + bucketName?: string; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * The ID of the AWS account that owns the Amazon S3 bucket. */ - excludedHeaders?: string[]; + bucketOwner: string; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * Indicates whether logging is enabled. */ - includedHeaders?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder { + enabled: boolean; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The bucket prefix. */ - oversizeHandling: string; + prefix?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint { + export interface InstanceVerifiedAccessTrustProvider { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. 
Valid values include: `MATCH` or `NO_MATCH`. + * A description for the AWS Verified Access Instance. */ - fallbackBehavior: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody { + description: string; /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * The type of device-based trust provider. */ - invalidFallbackBehavior?: string; + deviceTrustProviderType: string; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * The type of trust provider (user- or device-based). */ - matchPattern: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern; + trustProviderType: string; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * The type of user-based trust provider. */ - matchScope: string; + userTrustProviderType: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * The ID of the trust provider. 
*/ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchMethod { + verifiedAccessTrustProviderId: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString { + export interface TrustProviderDeviceOptions { + tenantId?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: string; + export interface TrustProviderOidcOptions { + authorizationEndpoint?: string; + clientId?: string; + clientSecret: string; + issuer?: string; + scope?: string; + tokenEndpoint?: string; + userInfoEndpoint?: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. 
- */ - name: string; - } +} - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath { +export namespace verifiedpermissions { + export interface GetPolicyStoreValidationSetting { + mode: string; } - export interface WebAclRuleStatementManagedRuleGroupStatementScopeDownStatementXssMatchStatementTextTransformation { + export interface PolicyDefinition { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The static policy statement. See Static below. */ - priority: number; + static?: outputs.verifiedpermissions.PolicyDefinitionStatic; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The template linked policy. See Template Linked below. */ - type: string; + templateLinked?: outputs.verifiedpermissions.PolicyDefinitionTemplateLinked; } - export interface WebAclRuleStatementNotStatement { + export interface PolicyDefinitionStatic { /** - * The statements to combine. + * The description of the static policy. */ - statements: outputs.wafv2.WebAclRuleStatement[]; - } - - export interface WebAclRuleStatementOrStatement { + description?: string; /** - * The statements to combine. + * The statement of the static policy. */ - statements: outputs.wafv2.WebAclRuleStatement[]; + statement: string; } - export interface WebAclRuleStatementRateBasedStatement { - /** - * Setting that indicates how to aggregate the request counts. Valid values include: `CONSTANT`, `CUSTOM_KEYS`, `FORWARDED_IP`, or `IP`. Default: `IP`. - */ - aggregateKeyType?: string; + export interface PolicyDefinitionTemplateLinked { /** - * Aggregate the request counts using one or more web request components as the aggregate keys. 
See `customKey` below for details. + * The ID of the template. */ - customKeys?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKey[]; + policyTemplateId: string; /** - * The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Valid values are `60`, `120`, `300`, and `600`. Defaults to `300` (5 minutes). - * - * **NOTE:** This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds. + * The principal of the template linked policy. */ - evaluationWindowSec?: number; + principal?: outputs.verifiedpermissions.PolicyDefinitionTemplateLinkedPrincipal; /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregateKeyType` is set to `FORWARDED_IP`, this block is required. See `forwardedIpConfig` below for details. + * The resource of the template linked policy. */ - forwardedIpConfig?: outputs.wafv2.WebAclRuleStatementRateBasedStatementForwardedIpConfig; + resource?: outputs.verifiedpermissions.PolicyDefinitionTemplateLinkedResource; + } + + export interface PolicyDefinitionTemplateLinkedPrincipal { /** - * Limit on requests per 5-minute period for a single originating IP address. + * The entity ID of the principal. */ - limit: number; + entityId: string; /** - * Optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See `statement` above for details. If `aggregateKeyType` is set to `CONSTANT`, this block is required. + * The entity type of the principal. 
*/ - scopeDownStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatement; + entityType: string; } - export interface WebAclRuleStatementRateBasedStatementCustomKey { + export interface PolicyDefinitionTemplateLinkedResource { /** - * Use the value of a cookie in the request as an aggregate key. See RateLimit `cookie` below for details. + * The entity ID of the resource. */ - cookie?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyCookie; + entityId: string; /** - * Use the first IP address in an HTTP header as an aggregate key. See `forwardedIp` below for details. + * The entity type of the resource. */ - forwardedIp?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyForwardedIp; + entityType: string; + } + + export interface PolicyStoreValidationSettings { /** - * Use the value of a header in the request as an aggregate key. See RateLimit `header` below for details. + * The mode for the validation settings. Valid values: `OFF`, `STRICT`. + * + * The following arguments are optional: */ - header?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyHeader; + mode: string; + } + + export interface SchemaDefinition { /** - * Use the request's HTTP method as an aggregate key. See RateLimit `httpMethod` below for details. + * A JSON string representation of the schema. */ - httpMethod?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyHttpMethod; + value: string; + } + +} + +export namespace vpc { + export interface EndpointServicePrivateDnsVerificationTimeouts { /** - * Use the request's originating IP address as an aggregate key. See `RateLimit ip` below for details. + * A string that can be [parsed as a duration](https://pkg.go.dev/time#ParseDuration) consisting of numbers and unit suffixes, such as "30s" or "2h45m". Valid time units are "s" (seconds), "m" (minutes), "h" (hours). 
*/ - ip?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyIp; + create?: string; + } + + export interface GetSecurityGroupRuleFilter { /** - * Use the specified label namespace as an aggregate key. See RateLimit `labelNamespace` below for details. + * Name of the filter field. Valid values can be found in the EC2 [`DescribeSecurityGroupRules`](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupRules.html) API Reference. */ - labelNamespace?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace; + name: string; /** - * Use the specified query argument as an aggregate key. See RateLimit `queryArgument` below for details. + * Set of values that are accepted for the given filter field. Results will be selected if any given value matches. */ - queryArgument?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument; + values: string[]; + } + + export interface GetSecurityGroupRulesFilter { /** - * Use the request's query string as an aggregate key. See RateLimit `queryString` below for details. + * Name of the field to filter by, as defined by + * [the underlying AWS API](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeSecurityGroupRules.html). */ - queryString?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyQueryString; + name: string; /** - * Use the request's URI path as an aggregate key. See RateLimit `uriPath` below for details. + * Set of values that are accepted for the given field. + * Security group rule IDs will be selected if any one of the given values match. */ - uriPath?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyUriPath; + values: string[]; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyCookie { - /** - * The name of the cookie to use. 
- */ - name: string; +} + +export namespace vpclattice { + export interface GetListenerDefaultAction { + fixedResponses: outputs.vpclattice.GetListenerDefaultActionFixedResponse[]; + forwards: outputs.vpclattice.GetListenerDefaultActionForward[]; + } + + export interface GetListenerDefaultActionFixedResponse { + statusCode: number; + } + + export interface GetListenerDefaultActionForward { + targetGroups: outputs.vpclattice.GetListenerDefaultActionForwardTargetGroup[]; + } + + export interface GetListenerDefaultActionForwardTargetGroup { + targetGroupIdentifier: string; + weight: number; + } + + export interface GetServiceDnsEntry { + domainName: string; + hostedZoneId: string; + } + + export interface ListenerDefaultAction { + fixedResponse?: outputs.vpclattice.ListenerDefaultActionFixedResponse; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. + * Route requests to one or more target groups. See Forward blocks below. + * + * > **NOTE:** You must specify exactly one of the following argument blocks: `fixedResponse` or `forward`. */ - textTransformations: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyCookieTextTransformation[]; + forwards?: outputs.vpclattice.ListenerDefaultActionForward[]; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyCookieTextTransformation { + export interface ListenerDefaultActionFixedResponse { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Custom HTTP status code to return, e.g. a 404 response code. 
See [Listeners](https://docs.aws.amazon.com/vpc-lattice/latest/ug/listeners.html) in the AWS documentation for a list of supported codes. */ - priority: number; + statusCode: number; + } + + export interface ListenerDefaultActionForward { /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * One or more target group blocks. */ - type: string; + targetGroups?: outputs.vpclattice.ListenerDefaultActionForwardTargetGroup[]; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyForwardedIp { + export interface ListenerDefaultActionForwardTargetGroup { + targetGroupIdentifier?: string; + weight?: number; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyHeader { + export interface ListenerRuleAction { /** - * The name of the header to use. + * Describes the rule action that returns a custom HTTP response. */ - name: string; + fixedResponse?: outputs.vpclattice.ListenerRuleActionFixedResponse; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. + * The forward action. Traffic that matches the rule is forwarded to the specified target groups. */ - textTransformations: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation[]; + forward?: outputs.vpclattice.ListenerRuleActionForward; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyHeaderTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. 
- */ - priority: number; + export interface ListenerRuleActionFixedResponse { /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The HTTP response code. */ - type: string; + statusCode: number; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyHttpMethod { + export interface ListenerRuleActionForward { + /** + * The target groups. Traffic matching the rule is forwarded to the specified target groups. With forward actions, you can assign a weight that controls the prioritization and selection of each target group. This means that requests are distributed to individual target groups based on their weights. For example, if two target groups have the same weight, each target group receives half of the traffic. + * + * The default value is 1 with maximum number of 2. If only one target group is provided, there is no need to set the weight; 100% of traffic will go to that target group. + */ + targetGroups: outputs.vpclattice.ListenerRuleActionForwardTargetGroup[]; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyIp { + export interface ListenerRuleActionForwardTargetGroup { + targetGroupIdentifier: string; + weight?: number; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace { + export interface ListenerRuleMatch { /** - * The namespace to use for aggregation + * The HTTP criteria that a rule must match. */ - namespace: string; + httpMatch?: outputs.vpclattice.ListenerRuleMatchHttpMatch; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument { + export interface ListenerRuleMatchHttpMatch { /** - * The name of the query argument to use. + * The header matches. Matches incoming requests with rule based on request header value before applying rule action. 
*/ - name: string; + headerMatches?: outputs.vpclattice.ListenerRuleMatchHttpMatchHeaderMatch[]; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. + * The HTTP method type. + */ + method?: string; + /** + * The path match. */ - textTransformations: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation[]; + pathMatch?: outputs.vpclattice.ListenerRuleMatchHttpMatchPathMatch; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyQueryArgumentTextTransformation { + export interface ListenerRuleMatchHttpMatchHeaderMatch { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Indicates whether the match is case sensitive. Defaults to false. */ - priority: number; + caseSensitive?: boolean; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The header match type. */ - type: string; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyQueryString { + match: outputs.vpclattice.ListenerRuleMatchHttpMatchHeaderMatchMatch; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. + * The name of the header. 
*/ - textTransformations: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation[]; + name: string; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyQueryStringTextTransformation { + export interface ListenerRuleMatchHttpMatchHeaderMatchMatch { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Specifies a contains type match. */ - priority: number; + contains?: string; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Specifies an exact type match. */ - type: string; - } - - export interface WebAclRuleStatementRateBasedStatementCustomKeyUriPath { + exact?: string; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. + * Specifies a prefix type match. Matches the value with the prefix. */ - textTransformations: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation[]; + prefix?: string; } - export interface WebAclRuleStatementRateBasedStatementCustomKeyUriPathTextTransformation { + export interface ListenerRuleMatchHttpMatchPathMatch { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Indicates whether the match is case sensitive. Defaults to false. 
*/ - priority: number; + caseSensitive?: boolean; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The header match type. */ - type: string; + match: outputs.vpclattice.ListenerRuleMatchHttpMatchPathMatchMatch; } - export interface WebAclRuleStatementRateBasedStatementForwardedIpConfig { + export interface ListenerRuleMatchHttpMatchPathMatchMatch { /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. + * Specifies an exact type match. */ - fallbackBehavior: string; + exact?: string; /** - * Name of the HTTP header to use for the IP address. + * Specifies a prefix type match. Matches the value with the prefix. */ - headerName: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatement { - andStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementAndStatement; - byteMatchStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement; - geoMatchStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement; - ipSetReferenceStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement; - labelMatchStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement; - notStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementNotStatement; - orStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementOrStatement; - regexMatchStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement; - regexPatternSetReferenceStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement; - 
sizeConstraintStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement; - sqliMatchStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement; - xssMatchStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement; + prefix?: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementAndStatement { - /** - * The statements to combine. - */ - statements: outputs.wafv2.WebAclRuleStatement[]; + export interface ServiceDnsEntry { + domainName: string; + hostedZoneId: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatement { + export interface ServiceNetworkServiceAssociationDnsEntry { /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * The domain name of the service. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch; + domainName: string; /** - * Area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. + * The ID of the hosted zone. */ - positionalConstraint: string; + hostedZoneId: string; + } + + export interface TargetGroupAttachmentTarget { /** - * String value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. + * The ID of the target. If the target type of the target group is INSTANCE, this is an instance ID. If the target type is IP , this is an IP address. If the target type is LAMBDA, this is the ARN of the Lambda function. 
If the target type is ALB, this is the ARN of the Application Load Balancer. */ - searchString: string; + id: string; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * This port is used for routing traffic to the target, and defaults to the target group port. However, you can override the default and specify a custom port. */ - textTransformations: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation[]; + port: number; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatch { + export interface TargetGroupConfig { /** - * Inspect all query arguments. + * The health check configuration. */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments; + healthCheck?: outputs.vpclattice.TargetGroupConfigHealthCheck; /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * The type of IP address used for the target group. Valid values: `IPV4` | `IPV6`. */ - body?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody; + ipAddressType: string; /** - * Inspect the cookies in the web request. See `cookies` below for details. + * The version of the event structure that the Lambda function receives. Supported only if `type` is `LAMBDA`. Valid Values are `V1` | `V2`. */ - cookies?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies; + lambdaEventStructureVersion: string; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. 
+ * The port on which the targets are listening. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder[]; + port: number; /** - * Inspect the request headers. See `headers` below for details. + * The protocol to use for routing traffic to the targets. Valid Values are `HTTP` | `HTTPS`. */ - headers?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader[]; + protocol: string; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * The protocol version. Valid Values are `HTTP1` | `HTTP2` | `GRPC`. Default value is `HTTP1`. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint; + protocolVersion: string; /** - * Inspect the request body as JSON. See `jsonBody` for details. + * The ID of the VPC. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody; + vpcIdentifier?: string; + } + + export interface TargetGroupConfigHealthCheck { /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * Indicates whether health checking is enabled. Defaults to `true`. */ - method?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod; + enabled?: boolean; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * The approximate amount of time, in seconds, between health checks of an individual target. The range is 5–300 seconds. The default is 30 seconds. */ - queryString?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString; + healthCheckIntervalSeconds?: number; /** - * Inspect a single header. See `singleHeader` below for details. 
+ * The amount of time, in seconds, to wait before reporting a target as unhealthy. The range is 1–120 seconds. The default is 5 seconds. + * * `healthyThresholdCount ` - (Optional) The number of consecutive successful health checks required before considering an unhealthy target healthy. The range is 2–10. The default is 5. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader; + healthCheckTimeoutSeconds?: number; + healthyThresholdCount?: number; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * The codes to use when checking for a successful response from a target. These are called _Success codes_ in the console. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument; + matcher?: outputs.vpclattice.TargetGroupConfigHealthCheckMatcher; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * The destination for health checks on the targets. If the protocol version is HTTP/1.1 or HTTP/2, specify a valid URI (for example, /path?query). The default path is `/`. Health checks are not supported if the protocol version is gRPC, however, you can choose HTTP/1.1 or HTTP/2 and specify a valid URI. */ - uriPath?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchBody { + path?: string; /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). 
Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The port used when performing health checks on targets. The default setting is the port that a target receives traffic on. */ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookies { + port: number; /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * The protocol used when performing health checks on targets. The possible protocols are `HTTP` and `HTTPS`. */ - matchPatterns: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern[]; + protocol: string; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The protocol version used when performing health checks on targets. The possible protocol versions are `HTTP1` and `HTTP2`. The default is `HTTP1`. */ - matchScope: string; + protocolVersion?: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The number of consecutive failed health checks required before considering a target unhealthy. The range is 2–10. The default is 2. 
*/ - oversizeHandling: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchCookiesMatchPatternAll { + unhealthyThresholdCount?: number; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern; - /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. - */ - matchScope: string; + export interface TargetGroupConfigHealthCheckMatcher { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The HTTP codes to use when checking for a successful response from a target. */ - oversizeHandling: string; + value?: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. 
- */ - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll; - /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. - */ - excludedHeaders?: string[]; - /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. - */ - includedHeaders?: string[]; +} + +export namespace waf { + export interface ByteMatchSetByteMatchTuple { + fieldToMatch: outputs.waf.ByteMatchSetByteMatchTupleFieldToMatch; + positionalConstraint: string; + targetString?: string; + textTransformation: string; + } + + export interface ByteMatchSetByteMatchTupleFieldToMatch { + data?: string; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderMatchPatternAll { + export interface GeoMatchSetGeoMatchConstraint { + type: string; + value: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: string; + export interface IpSetIpSetDescriptor { + type: string; + value: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. 
- */ - fallbackBehavior: string; + export interface RateBasedRulePredicate { + dataId: string; + negated: boolean; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBody { + export interface RegexMatchSetRegexMatchTuple { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * The part of a web request that you want to search, such as a specified header or a query string. */ - invalidFallbackBehavior?: string; + fieldToMatch: outputs.waf.RegexMatchSetRegexMatchTupleFieldToMatch; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * The ID of a Regex Pattern Set. */ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern; + regexPatternSetId: string; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. + * e.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`. + * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchTuple.html#WAF-Type-ByteMatchTuple-TextTransformation) + * for all supported values. */ - matchScope: string; + textTransformation: string; + } + + export interface RegexMatchSetRegexMatchTupleFieldToMatch { /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`. + * If `type` is any other value, omit this field. 
*/ - oversizeHandling?: string; + data?: string; + /** + * The part of the web request that you want AWS WAF to search for a specified string. + * e.g., `HEADER`, `METHOD` or `BODY`. + * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_FieldToMatch.html) + * for all supported values. + */ + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + export interface RuleGroupActivatedRule { + action: outputs.waf.RuleGroupActivatedRuleAction; + priority: number; + ruleId: string; + type?: string; + } + + export interface RuleGroupActivatedRuleAction { + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchJsonBodyMatchPatternAll { + export interface RulePredicate { + dataId: string; + negated: boolean; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchMethod { + export interface SizeConstraintSetSizeConstraint { + comparisonOperator: string; + fieldToMatch: outputs.waf.SizeConstraintSetSizeConstraintFieldToMatch; + size: number; + textTransformation: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchQueryString { + export interface SizeConstraintSetSizeConstraintFieldToMatch { + data?: string; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleHeader { + export interface SqlInjectionMatchSetSqlInjectionMatchTuple { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Specifies where in a web request to look for snippets of malicious SQL code. 
*/ - name: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchSingleQueryArgument { + fieldToMatch: outputs.waf.SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch; /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. + * If you specify a transformation, AWS WAF performs the transformation on `fieldToMatch` before inspecting a request for a match. + * e.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`. + * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_SqlInjectionMatchTuple.html#WAF-Type-SqlInjectionMatchTuple-TextTransformation) + * for all supported values. */ - name: string; + textTransformation: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementFieldToMatchUriPath { + export interface SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch { + data?: string; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementByteMatchStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. - */ - priority: number; + export interface WebAclDefaultAction { /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Specifies how you want AWS WAF to respond to requests that don't match the criteria in any of the `rules`. 
+ * e.g., `ALLOW` or `BLOCK` */ type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatement { + export interface WebAclLoggingConfiguration { /** - * Array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. + * Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream */ - countryCodes: string[]; + logDestination: string; /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `forwardedIpConfig` below for details. + * Configuration block containing parts of the request that you want redacted from the logs. Detailed below. */ - forwardedIpConfig?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig; + redactedFields?: outputs.waf.WebAclLoggingConfigurationRedactedFields; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementGeoMatchStatementForwardedIpConfig { - /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. - */ - fallbackBehavior: string; + export interface WebAclLoggingConfigurationRedactedFields { /** - * Name of the HTTP header to use for the IP address. + * Set of configuration blocks for fields to redact. Detailed below. */ - headerName: string; + fieldToMatches: outputs.waf.WebAclLoggingConfigurationRedactedFieldsFieldToMatch[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatement { + export interface WebAclLoggingConfigurationRedactedFieldsFieldToMatch { /** - * The Amazon Resource Name (ARN) of the IP Set that this statement references. 
+ * When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`. */ - arn: string; + data?: string; /** - * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `ipSetForwardedIpConfig` below for more details. + * The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD` */ - ipSetForwardedIpConfig?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementIpSetReferenceStatementIpSetForwardedIpConfig { + export interface WebAclRule { /** - * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. + * The action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`. */ - fallbackBehavior: string; + action?: outputs.waf.WebAclRuleAction; /** - * Name of the HTTP header to use for the IP address. + * Override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if `type` is `GROUP`. */ - headerName: string; + overrideAction?: outputs.waf.WebAclRuleOverrideAction; /** - * Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. + * Specifies the order in which the rules in a WebACL are evaluated. + * Rules with a lower value are evaluated before rules with a higher value. 
*/ - position: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementLabelMatchStatement { + priority: number; /** - * String to match against. + * ID of the associated WAF (Global) rule (e.g., `aws.waf.Rule`). WAF (Regional) rules cannot be used. */ - key: string; + ruleId: string; /** - * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. + * The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html), or `GROUP`, as defined by [RuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. If you add a GROUP rule, you need to set `type` as `GROUP`. */ - scope: string; + type?: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementNotStatement { + export interface WebAclRuleAction { /** - * The statements to combine. + * valid values are: `BLOCK`, `ALLOW`, or `COUNT` */ - statements: outputs.wafv2.WebAclRuleStatement[]; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementOrStatement { + export interface WebAclRuleOverrideAction { /** - * The statements to combine. + * valid values are: `NONE` or `COUNT` */ - statements: outputs.wafv2.WebAclRuleStatement[]; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatement { - /** - * The part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch; + export interface XssMatchSetXssMatchTuple { /** - * String representing the regular expression. 
Minimum of `1` and maximum of `512` characters. + * Specifies where in a web request to look for cross-site scripting attacks. */ - regexString: string; + fieldToMatch: outputs.waf.XssMatchSetXssMatchTupleFieldToMatch; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. + * If you specify a transformation, AWS WAF performs the transformation on `targetString` before inspecting a request for a match. + * e.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`. + * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_XssMatchTuple.html#WAF-Type-XssMatchTuple-TextTransformation) + * for all supported values. */ - textTransformations: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation[]; + textTransformation: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments; + export interface XssMatchSetXssMatchTupleFieldToMatch { + data?: string; + type: string; + } + +} + +export namespace wafregional { + export interface ByteMatchSetByteMatchTuple { /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * Settings for the ByteMatchTuple. FieldToMatch documented below. */ - body?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody; + fieldToMatch: outputs.wafregional.ByteMatchSetByteMatchTupleFieldToMatch; /** - * Inspect the cookies in the web request. 
See `cookies` below for details. + * Within the portion of a web request that you want to search. */ - cookies?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies; + positionalConstraint: string; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * The value that you want AWS WAF to search for. The maximum length of the value is 50 bytes. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder[]; + targetString?: string; /** - * Inspect the request headers. See `headers` below for details. + * The formatting way for web request. + * + * FieldToMatch(field_to_match) support following: */ - headers?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader[]; + textTransformation: string; + } + + export interface ByteMatchSetByteMatchTupleFieldToMatch { /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * When the value of Type is HEADER, enter the name of the header that you want AWS WAF to search, for example, User-Agent or Referer. If the value of Type is any other value, omit Data. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint; + data?: string; /** - * Inspect the request body as JSON. See `jsonBody` for details. + * The part of the web request that you want AWS WAF to search for a specified string. 
*/ - jsonBody?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody; + type: string; + } + + export interface GeoMatchSetGeoMatchConstraint { + type: string; + value: string; + } + + export interface IpSetIpSetDescriptor { + type: string; + value: string; + } + + export interface RateBasedRulePredicate { + dataId: string; + negated: boolean; + type: string; + } + + export interface RegexMatchSetRegexMatchTuple { /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * The part of a web request that you want to search, such as a specified header or a query string. */ - method?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod; + fieldToMatch: outputs.wafregional.RegexMatchSetRegexMatchTupleFieldToMatch; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * The ID of a Regex Pattern Set. */ - queryString?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString; + regexPatternSetId: string; /** - * Inspect a single header. See `singleHeader` below for details. + * Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. + * e.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`. + * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchTuple.html#WAF-Type-ByteMatchTuple-TextTransformation) + * for all supported values. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader; + textTransformation: string; + } + + export interface RegexMatchSetRegexMatchTupleFieldToMatch { /** - * Inspect a single query argument. See `singleQueryArgument` below for details. 
+ * When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`. + * If `type` is any other value, omit this field. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument; + data?: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * The part of the web request that you want AWS WAF to search for a specified string. + * e.g., `HEADER`, `METHOD` or `BODY`. + * See [docs](http://docs.aws.amazon.com/waf/latest/APIReference/API_FieldToMatch.html) + * for all supported values. */ - uriPath?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchAllQueryArguments { + export interface RuleGroupActivatedRule { + action: outputs.wafregional.RuleGroupActivatedRuleAction; + priority: number; + ruleId: string; + type?: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: string; + export interface RuleGroupActivatedRuleAction { + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern[]; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: string; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: string; + export interface RulePredicate { + dataId: string; + negated: boolean; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + export interface SizeConstraintSetSizeConstraint { + comparisonOperator: string; + fieldToMatch: outputs.wafregional.SizeConstraintSetSizeConstraintFieldToMatch; + size: number; + textTransformation: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll { + export interface SizeConstraintSetSizeConstraintFieldToMatch { + data?: string; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. 
The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern; + export interface SqlInjectionMatchSetSqlInjectionMatchTuple { /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * Specifies where in a web request to look for snippets of malicious SQL code. */ - matchScope: string; + fieldToMatch: outputs.wafregional.SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Text transformations used to eliminate unusual formatting that attackers use in web requests in an effort to bypass AWS WAF. + * If you specify a transformation, AWS WAF performs the transformation on `fieldToMatch` before inspecting a request for a match. + * e.g., `CMD_LINE`, `HTML_ENTITY_DECODE` or `NONE`. + * See [docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_SqlInjectionMatchTuple.html#WAF-Type-regional_SqlInjectionMatchTuple-TextTransformation) + * for all supported values. */ - oversizeHandling: string; + textTransformation: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPattern { + export interface SqlInjectionMatchSetSqlInjectionMatchTupleFieldToMatch { /** - * An empty configuration block that is used for inspecting all headers. 
+ * When `type` is `HEADER`, enter the name of the header that you want to search, e.g., `User-Agent` or `Referer`. + * If `type` is any other value, omit this field. */ - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll; + data?: string; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * The part of the web request that you want AWS WAF to search for a specified string. + * e.g., `HEADER`, `METHOD` or `BODY`. + * See [docs](https://docs.aws.amazon.com/waf/latest/APIReference/API_regional_FieldToMatch.html) + * for all supported values. */ - excludedHeaders?: string[]; + type: string; + } + + export interface WebAclDefaultAction { /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * Specifies how you want AWS WAF Regional to respond to requests that match the settings in a ruleE.g., `ALLOW`, `BLOCK` or `COUNT` */ - includedHeaders?: string[]; + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll { + export interface WebAclLoggingConfiguration { + /** + * Amazon Resource Name (ARN) of Kinesis Firehose Delivery Stream + */ + logDestination: string; + /** + * Configuration block containing parts of the request that you want redacted from the logs. Detailed below. + */ + redactedFields?: outputs.wafregional.WebAclLoggingConfigurationRedactedFields; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchHeaderOrder { + export interface WebAclLoggingConfigurationRedactedFields { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Set of configuration blocks for fields to redact. Detailed below. */ - oversizeHandling: string; + fieldToMatches: outputs.wafregional.WebAclLoggingConfigurationRedactedFieldsFieldToMatch[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJa3Fingerprint { + export interface WebAclLoggingConfigurationRedactedFieldsFieldToMatch { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`. */ - fallbackBehavior: string; + data?: string; + /** + * The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD` + */ + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBody { + export interface WebAclRule { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * Configuration block of the action that CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Not used if `type` is `GROUP`. Detailed below. */ - invalidFallbackBehavior?: string; + action?: outputs.wafregional.WebAclRuleAction; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. 
+ * Configuration block of the override the action that a group requests CloudFront or AWS WAF takes when a web request matches the conditions in the rule. Only used if `type` is `GROUP`. Detailed below. */ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern; + overrideAction?: outputs.wafregional.WebAclRuleOverrideAction; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * Specifies the order in which the rules in a WebACL are evaluated. + * Rules with a lower value are evaluated before rules with a higher value. */ - matchScope: string; + priority: number; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * ID of the associated WAF (Regional) rule (e.g., `aws.wafregional.Rule`). WAF (Global) rules cannot be used. */ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll { + ruleId: string; + /** + * The rule type, either `REGULAR`, as defined by [Rule](http://docs.aws.amazon.com/waf/latest/APIReference/API_Rule.html), `RATE_BASED`, as defined by [RateBasedRule](http://docs.aws.amazon.com/waf/latest/APIReference/API_RateBasedRule.html), or `GROUP`, as defined by [RuleGroup](https://docs.aws.amazon.com/waf/latest/APIReference/API_RuleGroup.html). The default is REGULAR. If you add a RATE_BASED rule, you need to set `type` as `RATE_BASED`. If you add a GROUP rule, you need to set `type` as `GROUP`. 
+ */ + type?: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchMethod { + export interface WebAclRuleAction { + /** + * Specifies how you want AWS WAF Regional to respond to requests that match the settings in a rule. Valid values for `action` are `ALLOW`, `BLOCK` or `COUNT`. Valid values for `overrideAction` are `COUNT` and `NONE`. + */ + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchQueryString { + export interface WebAclRuleOverrideAction { + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleHeader { + export interface XssMatchSetXssMatchTuple { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Specifies where in a web request to look for cross-site scripting attacks. */ - name: string; + fieldToMatch: outputs.wafregional.XssMatchSetXssMatchTupleFieldToMatch; + /** + * Which text transformation, if any, to perform on the web request before inspecting the request for cross-site scripting attacks. + */ + textTransformation: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchSingleQueryArgument { + export interface XssMatchSetXssMatchTupleFieldToMatch { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * When the value of `type` is `HEADER`, enter the name of the header that you want the WAF to search, for example, `User-Agent` or `Referer`. If the value of `type` is any other value, omit `data`. 
*/ - name: string; + data?: string; + /** + * The part of the web request that you want AWS WAF to search for a specified stringE.g., `HEADER` or `METHOD` + */ + type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementFieldToMatchUriPath { - } +} - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexMatchStatementTextTransformation { +export namespace wafv2 { + export interface GetRegexPatternSetRegularExpression { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * (Required) String representing the regular expression, see the AWS WAF [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-regex-pattern-set-creating.html) for more information. */ - priority: number; + regexString: string; + } + + export interface RegexPatternSetRegularExpression { /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The string representing the regular expression, see the AWS WAF [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-regex-pattern-set-creating.html) for more information. */ - type: string; + regexString: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatement { + export interface RuleGroupCustomResponseBody { /** - * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. + * The payload of the custom response. */ - arn: string; + content: string; /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * The type of content in the payload that you are defining in the `content` argument. 
Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch; + contentType: string; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * A unique key identifying the custom response body. This is referenced by the `customResponseBodyKey` argument in the Custom Response block. */ - textTransformations: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation[]; + key: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatch { + export interface RuleGroupRule { /** - * Inspect all query arguments. + * The action that AWS WAF should take on a web request when it matches the rule's statement. Settings at the `aws.wafv2.WebAcl` level can override the rule action setting. See Action below for details. */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments; + action: outputs.wafv2.RuleGroupRuleAction; /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * Specifies how AWS WAF should handle CAPTCHA evaluations. See Captcha Configuration below for details. */ - body?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody; + captchaConfig?: outputs.wafv2.RuleGroupRuleCaptchaConfig; /** - * Inspect the cookies in the web request. See `cookies` below for details. + * A friendly name of the rule. 
*/ - cookies?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies; + name: string; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. AWS WAF processes rules with lower priority first. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder[]; + priority: number; /** - * Inspect the request headers. See `headers` below for details. + * Labels to apply to web requests that match the rule match statement. See Rule Label below for details. */ - headers?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader[]; + ruleLabels?: outputs.wafv2.RuleGroupRuleRuleLabel[]; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * The AWS WAF processing statement for the rule, for example `byteMatchStatement` or `geoMatchStatement`. See Statement below for details. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint; + statement: outputs.wafv2.RuleGroupRuleStatement; /** - * Inspect the request body as JSON. See `jsonBody` for details. + * Defines and enables Amazon CloudWatch metrics and web request sample collection. See Visibility Configuration below for details. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody; + visibilityConfig: outputs.wafv2.RuleGroupRuleVisibilityConfig; + } + + export interface RuleGroupRuleAction { /** - * Inspect the HTTP method. 
The method indicates the type of operation that the request is asking the origin to perform. + * Instructs AWS WAF to allow the web request. See Allow below for details. */ - method?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod; + allow?: outputs.wafv2.RuleGroupRuleActionAllow; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * Instructs AWS WAF to block the web request. See Block below for details. */ - queryString?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString; + block?: outputs.wafv2.RuleGroupRuleActionBlock; /** - * Inspect a single header. See `singleHeader` below for details. + * Instructs AWS WAF to run a `CAPTCHA` check against the web request. See Captcha below for details. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader; + captcha?: outputs.wafv2.RuleGroupRuleActionCaptcha; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See Challenge below for details. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument; + challenge?: outputs.wafv2.RuleGroupRuleActionChallenge; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Instructs AWS WAF to count the web request and allow it. See Count below for details. 
*/ - uriPath?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments { + count?: outputs.wafv2.RuleGroupRuleActionCount; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchBody { + export interface RuleGroupRuleActionAllow { /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Defines custom handling for the web request. See Custom Request Handling below for details. */ - oversizeHandling?: string; + customRequestHandling?: outputs.wafv2.RuleGroupRuleActionAllowCustomRequestHandling; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern[]; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: string; + export interface RuleGroupRuleActionAllowCustomRequestHandling { /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The `insertHeader` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll { + insertHeaders: outputs.wafv2.RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeader { - /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: - */ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern; + export interface RuleGroupRuleActionAllowCustomRequestHandlingInsertHeader { /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. 
+ * A friendly name of the rule group. */ - matchScope: string; + name: string; + value: string; + } + + export interface RuleGroupRuleActionBlock { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Defines a custom response for the web request. See Custom Response below for details. */ - oversizeHandling: string; + customResponse?: outputs.wafv2.RuleGroupRuleActionBlockCustomResponse; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern { + export interface RuleGroupRuleActionBlockCustomResponse { /** - * An empty configuration block that is used for inspecting all headers. + * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. */ - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll; + customResponseBodyKey?: string; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * The HTTP status code to return to the client. */ - excludedHeaders?: string[]; + responseCode: number; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * The `responseHeader` blocks used to define the HTTP response headers added to the response. See Custom HTTP Header below for details. 
*/ - includedHeaders?: string[]; + responseHeaders?: outputs.wafv2.RuleGroupRuleActionBlockCustomResponseResponseHeader[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll { + export interface RuleGroupRuleActionBlockCustomResponseResponseHeader { + /** + * A friendly name of the rule group. + */ + name: string; + value: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder { + export interface RuleGroupRuleActionCaptcha { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Defines custom handling for the web request. See Custom Request Handling below for details. */ - oversizeHandling: string; + customRequestHandling?: outputs.wafv2.RuleGroupRuleActionCaptchaCustomRequestHandling; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint { + export interface RuleGroupRuleActionCaptchaCustomRequestHandling { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * The `insertHeader` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details. 
*/ - fallbackBehavior: string; + insertHeaders: outputs.wafv2.RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody { + export interface RuleGroupRuleActionCaptchaCustomRequestHandlingInsertHeader { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * A friendly name of the rule group. */ - invalidFallbackBehavior?: string; + name: string; + value: string; + } + + export interface RuleGroupRuleActionChallenge { /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Defines custom handling for the web request. See Custom Request Handling below for details. */ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern; + customRequestHandling?: outputs.wafv2.RuleGroupRuleActionChallengeCustomRequestHandling; + } + + export interface RuleGroupRuleActionChallengeCustomRequestHandling { /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * The `insertHeader` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details. */ - matchScope: string; + insertHeaders: outputs.wafv2.RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader[]; + } + + export interface RuleGroupRuleActionChallengeCustomRequestHandlingInsertHeader { /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * A friendly name of the rule group. 
*/ - oversizeHandling?: string; + name: string; + value: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + export interface RuleGroupRuleActionCount { + /** + * Defines custom handling for the web request. See Custom Request Handling below for details. + */ + customRequestHandling?: outputs.wafv2.RuleGroupRuleActionCountCustomRequestHandling; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll { + export interface RuleGroupRuleActionCountCustomRequestHandling { + /** + * The `insertHeader` blocks used to define HTTP headers added to the request. See Custom HTTP Header below for details. + */ + insertHeaders: outputs.wafv2.RuleGroupRuleActionCountCustomRequestHandlingInsertHeader[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchMethod { + export interface RuleGroupRuleActionCountCustomRequestHandlingInsertHeader { + /** + * A friendly name of the rule group. + */ + name: string; + value: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchQueryString { + export interface RuleGroupRuleCaptchaConfig { + /** + * Defines custom immunity time. See Immunity Time Property below for details. + */ + immunityTimeProperty?: outputs.wafv2.RuleGroupRuleCaptchaConfigImmunityTimeProperty; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader { + export interface RuleGroupRuleCaptchaConfigImmunityTimeProperty { /** - * Name of the query header to inspect. 
This setting must be provided as lower case characters. + * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. */ - name: string; + immunityTime?: number; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument { + export interface RuleGroupRuleRuleLabel { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * The label string. */ name: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementRegexPatternSetReferenceStatementTextTransformation { + export interface RuleGroupRuleStatement { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * A logical rule statement used to combine other rule statements with AND logic. See AND Statement below for details. */ - priority: number; + andStatement?: outputs.wafv2.RuleGroupRuleStatementAndStatement; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * A rule statement that defines a string match search for AWS WAF to apply to web requests. See Byte Match Statement below for details. */ - type: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatement { + byteMatchStatement?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatement; /** - * Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. 
+ * A rule statement used to identify web requests based on country of origin. See GEO Match Statement below for details. */ - comparisonOperator: string; + geoMatchStatement?: outputs.wafv2.RuleGroupRuleStatementGeoMatchStatement; /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * A rule statement used to detect web requests coming from particular IP addresses or address ranges. See IP Set Reference Statement below for details. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch; + ipSetReferenceStatement?: outputs.wafv2.RuleGroupRuleStatementIpSetReferenceStatement; /** - * Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. + * A rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. See Label Match Statement below for details. */ - size: number; + labelMatchStatement?: outputs.wafv2.RuleGroupRuleStatementLabelMatchStatement; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * A logical rule statement used to negate the results of another rule statement. See NOT Statement below for details. */ - textTransformations: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation[]; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatch { + notStatement?: outputs.wafv2.RuleGroupRuleStatementNotStatement; /** - * Inspect all query arguments. + * A logical rule statement used to combine other rule statements with OR logic. See OR Statement below for details. 
*/ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments; + orStatement?: outputs.wafv2.RuleGroupRuleStatementOrStatement; /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * A rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See Rate Based Statement below for details. */ - body?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody; + rateBasedStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatement; /** - * Inspect the cookies in the web request. See `cookies` below for details. + * A rule statement used to search web request components for a match against a single regular expression. See Regex Match Statement below for details. */ - cookies?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies; + regexMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatement; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * A rule statement used to search web request components for matches with regular expressions. See Regex Pattern Set Reference Statement below for details. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder[]; + regexPatternSetReferenceStatement?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatement; /** - * Inspect the request headers. See `headers` below for details. 
+ * A rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). See Size Constraint Statement below for more details. */ - headers?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader[]; + sizeConstraintStatement?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatement; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. See SQL Injection Match Statement below for details. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint; + sqliMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatement; /** - * Inspect the request body as JSON. See `jsonBody` for details. + * A rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See XSS Match Statement below for details. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody; + xssMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatement; + } + + export interface RuleGroupRuleStatementAndStatement { /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * The statements to combine with `AND` logic. You can use any statements that can be nested. See Statement above for details. */ - method?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod; + statements: outputs.wafv2.RuleGroupRuleStatement[]; + } + + export interface RuleGroupRuleStatementByteMatchStatement { /** - * Inspect the query string. 
This is the part of a URL that appears after a `?` character, if any. + * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. */ - queryString?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString; + fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatch; /** - * Inspect a single header. See `singleHeader` below for details. + * The area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader; + positionalConstraint: string; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * A string value that you want AWS WAF to search for. AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument; + searchString: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. + * At least one required. + * See Text Transformation below for details. 
*/ - uriPath?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath; + textTransformations: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementTextTransformation[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchAllQueryArguments { + export interface RuleGroupRuleStatementGeoMatchStatement { + /** + * An array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. + */ + countryCodes: string[]; + /** + * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See Forwarded IP Config below for details. + */ + forwardedIpConfig?: outputs.wafv2.RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchBody { + export interface RuleGroupRuleStatementIpSetReferenceStatement { /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The Amazon Resource Name (ARN) of the IP Set that this statement references. */ - oversizeHandling?: string; + arn: string; + /** + * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See IPSet Forwarded IP Config below for more details. 
+ */ + ipSetForwardedIpConfig?: outputs.wafv2.RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookies { + export interface RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * The match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. */ - matchPatterns: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern[]; + fallbackBehavior: string; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The name of the HTTP header to use for the IP address. */ - matchScope: string; + headerName: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. 
*/ - oversizeHandling: string; + position: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; + export interface RuleGroupRuleStatementLabelMatchStatement { + /** + * The string to match against. + */ + key: string; + /** + * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. + */ + scope: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll { + export interface RuleGroupRuleStatementNotStatement { + /** + * The statement to negate. You can use any statement that can be nested. See Statement above for details. + */ + statements: outputs.wafv2.RuleGroupRuleStatement[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeader { + export interface RuleGroupRuleStatementOrStatement { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * The statements to combine with `OR` logic. You can use any statements that can be nested. See Statement above for details. */ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern; + statements: outputs.wafv2.RuleGroupRuleStatement[]; + } + + export interface RuleGroupRuleStatementRateBasedStatement { /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. 
+ * Setting that indicates how to aggregate the request counts. Valid values include: `CONSTANT`, `CUSTOM_KEYS`, `FORWARDED_IP` or `IP`. Default: `IP`. */ - matchScope: string; + aggregateKeyType?: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Aggregate the request counts using one or more web request components as the aggregate keys. See `customKey` below for details. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern { + customKeys?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKey[]; /** - * An empty configuration block that is used for inspecting all headers. + * The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Valid values are `60`, `120`, `300`, and `600`. Defaults to `300` (5 minutes). + * + * **NOTE:** This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds. */ - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll; + evaluationWindowSec?: number; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * The configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregateKeyType` is set to `FORWARDED_IP`, this block is required. See Forwarded IP Config below for details. 
*/ - excludedHeaders?: string[]; + forwardedIpConfig?: outputs.wafv2.RuleGroupRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * The limit on requests per 5-minute period for a single originating IP address. */ - includedHeaders?: string[]; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchHeaderOrder { + limit: number; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * An optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See Statement above for details. If `aggregateKeyType` is set to `CONSTANT`, this block is required. */ - oversizeHandling: string; + scopeDownStatement?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementScopeDownStatement; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJa3Fingerprint { + export interface RuleGroupRuleStatementRateBasedStatementCustomKey { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * (Optional) Use the value of a cookie in the request as an aggregate key. See RateLimit `cookie` below for details. 
*/ - fallbackBehavior: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBody { + cookie?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyHeader; /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * (Optional) Use the first IP address in an HTTP header as an aggregate key. See `forwardedIp` below for details. */ - invalidFallbackBehavior?: string; + forwardedIp?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyIp; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * (Optional) Use the value of a header in the request as an aggregate key. See RateLimit `header` below for details. */ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern; + header?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyHeader; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * (Optional) Use the request's HTTP method as an aggregate key. See RateLimit `httpMethod` below for details. */ - matchScope: string; + httpMethod?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyIp; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * (Optional) Use the request's originating IP address as an aggregate key. See `RateLimit ip` below for details. */ - oversizeHandling?: string; + ip?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyIp; + /** + * (Optional) Use the specified label namespace as an aggregate key. 
See RateLimit `labelNamespace` below for details. + */ + labelNamespace?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace; + /** + * (Optional) Use the specified query argument as an aggregate key. See RateLimit `queryArgument` below for details. + */ + queryArgument?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyHeader; + /** + * (Optional) Use the request's query string as an aggregate key. See RateLimit `queryString` below for details. + */ + queryString?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyHeader; + /** + * (Optional) Use the request's URI path as an aggregate key. See RateLimit `uriPath` below for details. + */ + uriPath?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyHeader; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + export interface RuleGroupRuleStatementRateBasedStatementCustomKeyHeader { + /** + * A friendly name of the rule group. + */ + name: string; + /** + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See Text Transformation above for details. 
+ */ + textTransformations: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementTextTransformation[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll { + export interface RuleGroupRuleStatementRateBasedStatementCustomKeyIp { } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchMethod { + export interface RuleGroupRuleStatementRateBasedStatementCustomKeyLabelNamespace { + /** + * The namespace to use for aggregation + */ + namespace: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchQueryString { + export interface RuleGroupRuleStatementRateBasedStatementScopeDownStatement { + andStatement?: outputs.wafv2.RuleGroupRuleStatementAndStatement; + byteMatchStatement?: outputs.wafv2.RuleGroupRuleStatementByteMatchStatement; + geoMatchStatement?: outputs.wafv2.RuleGroupRuleStatementGeoMatchStatement; + ipSetReferenceStatement?: outputs.wafv2.RuleGroupRuleStatementIpSetReferenceStatement; + labelMatchStatement?: outputs.wafv2.RuleGroupRuleStatementLabelMatchStatement; + notStatement?: outputs.wafv2.RuleGroupRuleStatementNotStatement; + orStatement?: outputs.wafv2.RuleGroupRuleStatementOrStatement; + regexMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRegexMatchStatement; + regexPatternSetReferenceStatement?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatement; + sizeConstraintStatement?: outputs.wafv2.RuleGroupRuleStatementSizeConstraintStatement; + sqliMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatement; + xssMatchStatement?: outputs.wafv2.RuleGroupRuleStatementRegexPatternSetReferenceStatement; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleHeader { + export interface RuleGroupRuleStatementRegexMatchStatement { /** - * Name of the 
query header to inspect. This setting must be provided as lower case characters. + * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. */ - name: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchSingleQueryArgument { + fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatch; /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * The string representing the regular expression. **Note:** The fixed quota for the maximum number of characters in each regex pattern is 200, which can't be changed. See [AWS WAF quotas](https://docs.aws.amazon.com/waf/latest/developerguide/limits.html) for details. */ - name: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementFieldToMatchUriPath { + regexString: string; + /** + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. + * At least one required. + * See Text Transformation below for details. + */ + textTransformations: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementTextTransformation[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSizeConstraintStatementTextTransformation { + export interface RuleGroupRuleStatementRegexPatternSetReferenceStatement { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. 
*/ - priority: number; + arn: string; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. */ - type: string; + fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatch; + /** + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. + * At least one required. + * See Text Transformation below for details. + */ + textTransformations: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementTextTransformation[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatement { + export interface RuleGroupRuleStatementSizeConstraintStatement { /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * The operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch; + comparisonOperator: string; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * The part of a web request that you want AWS WAF to inspect. See Field to Match below for details. + */ + fieldToMatch?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatch; + /** + * The size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. 
+ */ + size: number; + /** + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. + * At least one required. + * See Text Transformation below for details. */ - textTransformations: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation[]; + textTransformations: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementTextTransformation[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatch { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatch { /** * Inspect all query arguments. */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody; + allQueryArguments?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyIp; /** - * Inspect the cookies in the web request. See `cookies` below for details. + * Inspect the request body, which immediately follows the request headers. */ - cookies?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies; + body?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchBody; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * Inspect the cookies in the web request. See Cookies below for details. 
*/ - headerOrders?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder[]; + cookies?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies; /** - * Inspect the request headers. See `headers` below for details. + * Inspect the request headers. See Header Order below for details. */ - headers?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader[]; + headerOrders?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader[]; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * Inspect the request headers. See Headers below for details. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint; + headers?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader[]; + ja3Fingerprint?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint; /** - * Inspect the request body as JSON. See `jsonBody` for details. + * Inspect the request body as JSON. See JSON Body for details. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody; + jsonBody?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody; /** * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. */ - method?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod; + method?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyIp; /** * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. 
*/ - queryString?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString; + queryString?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyIp; /** - * Inspect a single header. See `singleHeader` below for details. + * Inspect a single header. See Single Header below for details. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader; + singleHeader?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * Inspect a single query argument. See Single Query Argument below for details. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument; + singleQueryArgument?: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader; /** * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. */ - uriPath?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath; + uriPath?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyIp; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. 
- */ + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchBody { oversizeHandling?: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookies { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchCookies { /** * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) */ - matchPatterns: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern[]; + matchPatterns: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern[]; /** * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` */ matchScope: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. 
Valid values: `CONTINUE`, `MATCH`, `NO_MATCH` */ oversizeHandling: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll; + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern { + all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyIp; excludedCookies?: string[]; includedCookies?: string[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeader { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeader { /** * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: */ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern; + matchPattern: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern; /** * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. */ 
@@ -84237,11 +77053,11 @@ export namespace wafv2 { oversizeHandling: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPattern { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchHeaderMatchPattern { /** * An empty configuration block that is used for inspecting all headers. */ - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll; + all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyIp; /** * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. */ 
@@ -84252,24 +77068,11 @@ export namespace wafv2 { includedHeaders?: string[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJa3Fingerprint { - /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. - */ + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint { fallbackBehavior: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBody { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBody { /** * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. */ 
@@ -84277,7 +77080,7 @@ export namespace wafv2 { /** * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. */ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern; + matchPattern: outputs.wafv2.RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern; /** * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. */ 
@@ -84288,1252 +77091,1187 @@ export namespace wafv2 { oversizeHandling?: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll; + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { + all?: outputs.wafv2.RuleGroupRuleStatementRateBasedStatementCustomKeyIp; includedPaths?: string[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchQueryString { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchSingleQueryArgument { + export interface RuleGroupRuleStatementXssMatchStatementFieldToMatchSingleHeader { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * The name of the query header to inspect. This setting must be provided as lower case characters. 
*/ name: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementSqliMatchStatementTextTransformation { + export interface RuleGroupRuleStatementXssMatchStatementTextTransformation { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. */ priority: number; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * The transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. */ type: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatement { - /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. - */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch; - /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. 
- */ - textTransformations: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation[]; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody; - /** - * Inspect the cookies in the web request. See `cookies` below for details. - */ - cookies?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies; - /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. - */ - headerOrders?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder[]; - /** - * Inspect the request headers. See `headers` below for details. - */ - headers?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader[]; - /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. - */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint; - /** - * Inspect the request body as JSON. See `jsonBody` for details. - */ - jsonBody?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody; - /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. 
- */ - method?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod; - /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. - */ - queryString?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString; - /** - * Inspect a single header. See `singleHeader` below for details. - */ - singleHeader?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader; - /** - * Inspect a single query argument. See `singleQueryArgument` below for details. - */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument; - /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. - */ - uriPath?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchBody { - /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookies { - /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. 
More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) - */ - matchPatterns: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern[]; - /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` - */ - matchScope: string; - /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. - */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeader { + export interface RuleGroupRuleVisibilityConfig { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics). 
*/ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern; + cloudwatchMetricsEnabled: boolean; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`. */ - matchScope: string; + metricName: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console. */ - oversizeHandling: string; + sampledRequestsEnabled: boolean; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPattern { + export interface RuleGroupVisibilityConfig { /** - * An empty configuration block that is used for inspecting all headers. + * A boolean indicating whether the associated resource sends metrics to CloudWatch. For the list of available metrics, see [AWS WAF Metrics](https://docs.aws.amazon.com/waf/latest/developerguide/monitoring-cloudwatch.html#waf-metrics). 
*/ - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll; + cloudwatchMetricsEnabled: boolean; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * A friendly name of the CloudWatch metric. The name can contain only alphanumeric characters (A-Z, a-z, 0-9) hyphen(-) and underscore (_), with length from one to 128 characters. It can't contain whitespace or metric names reserved for AWS WAF, for example `All` and `Default_Action`. */ - excludedHeaders?: string[]; + metricName: string; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * A boolean indicating whether AWS WAF should store a sampling of the web requests that match the rules. You can view the sampled requests through the AWS WAF console. */ - includedHeaders?: string[]; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll { + sampledRequestsEnabled: boolean; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchHeaderOrder { + export interface WebAclAssociationConfig { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Customizes the request body that your protected resource forward to AWS WAF for inspection. See `requestBody` below for details. 
*/ - oversizeHandling: string; + requestBodies?: outputs.wafv2.WebAclAssociationConfigRequestBody[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJa3Fingerprint { + export interface WebAclAssociationConfigRequestBody { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * Customizes the request body that your protected Amazon API Gateway REST APIs forward to AWS WAF for inspection. Applicable only when `scope` is set to `CLOUDFRONT`. See `apiGateway` below for details. */ - fallbackBehavior: string; - } - - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBody { + apiGateways?: outputs.wafv2.WebAclAssociationConfigRequestBodyApiGateway[]; /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * Customizes the request body that your protected Amazon App Runner services forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `appRunnerService` below for details. */ - invalidFallbackBehavior?: string; + appRunnerServices?: outputs.wafv2.WebAclAssociationConfigRequestBodyAppRunnerService[]; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Customizes the request body that your protected Amazon CloudFront distributions forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `cloudfront` below for details. 
*/ - matchPattern: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern; + cloudfronts?: outputs.wafv2.WebAclAssociationConfigRequestBodyCloudfront[]; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * Customizes the request body that your protected Amazon Cognito user pools forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `cognitoUserPool` below for details. */ - matchScope: string; + cognitoUserPools?: outputs.wafv2.WebAclAssociationConfigRequestBodyCognitoUserPool[]; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Customizes the request body that your protected AWS Verfied Access instances forward to AWS WAF for inspection. Applicable only when `scope` is set to `REGIONAL`. See `verifiedAccessInstance` below for details. */ - oversizeHandling?: string; + verifiedAccessInstances?: outputs.wafv2.WebAclAssociationConfigRequestBodyVerifiedAccessInstance[]; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + export interface WebAclAssociationConfigRequestBodyApiGateway { + /** + * Specifies the maximum size of the web request body component that an associated Amazon API Gateway REST APIs should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. 
+ */ + defaultSizeInspectionLimit: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll { + export interface WebAclAssociationConfigRequestBodyAppRunnerService { + /** + * Specifies the maximum size of the web request body component that an associated Amazon App Runner services should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. + */ + defaultSizeInspectionLimit: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchMethod { + export interface WebAclAssociationConfigRequestBodyCloudfront { + /** + * Specifies the maximum size of the web request body component that an associated Amazon CloudFront distribution should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. + */ + defaultSizeInspectionLimit: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchQueryString { + export interface WebAclAssociationConfigRequestBodyCognitoUserPool { + /** + * Specifies the maximum size of the web request body component that an associated Amazon Cognito user pools should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. + */ + defaultSizeInspectionLimit: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleHeader { + export interface WebAclAssociationConfigRequestBodyVerifiedAccessInstance { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. 
+ * Specifies the maximum size of the web request body component that an associated AWS Verified Access instances should send to AWS WAF for inspection. This applies to statements in the web ACL that inspect the body or JSON body. Valid values are `KB_16`, `KB_32`, `KB_48` and `KB_64`. */ - name: string; + defaultSizeInspectionLimit: string; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchSingleQueryArgument { + export interface WebAclCaptchaConfig { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Defines custom immunity time. See `immunityTimeProperty` below for details. */ - name: string; + immunityTimeProperty?: outputs.wafv2.WebAclCaptchaConfigImmunityTimeProperty; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementFieldToMatchUriPath { + export interface WebAclCaptchaConfigImmunityTimeProperty { + /** + * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. + */ + immunityTime?: number; } - export interface WebAclRuleStatementRateBasedStatementScopeDownStatementXssMatchStatementTextTransformation { + export interface WebAclChallengeConfig { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Defines custom immunity time. See `immunityTimeProperty` below for details. */ - priority: number; + immunityTimeProperty?: outputs.wafv2.WebAclChallengeConfigImmunityTimeProperty; + } + + export interface WebAclChallengeConfigImmunityTimeProperty { /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
+ * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. */ - type: string; + immunityTime?: number; } - export interface WebAclRuleStatementRegexMatchStatement { + export interface WebAclCustomResponseBody { /** - * The part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * Payload of the custom response. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatch; + content: string; /** - * String representing the regular expression. Minimum of `1` and maximum of `512` characters. + * Type of content in the payload that you are defining in the `content` argument. Valid values are `TEXT_PLAIN`, `TEXT_HTML`, or `APPLICATION_JSON`. */ - regexString: string; + contentType: string; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * Unique key identifying the custom response body. This is referenced by the `customResponseBodyKey` argument in the `customResponse` block. */ - textTransformations: outputs.wafv2.WebAclRuleStatementRegexMatchStatementTextTransformation[]; + key: string; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatch { - /** - * Inspect all query arguments. - */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments; - /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. - */ - body?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchBody; + export interface WebAclDefaultAction { /** - * Inspect the cookies in the web request. See `cookies` below for details. + * Specifies that AWS WAF should allow requests by default. See `allow` below for details. 
*/ - cookies?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchCookies; + allow?: outputs.wafv2.WebAclDefaultActionAllow; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * Specifies that AWS WAF should block requests by default. See `block` below for details. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderOrder[]; + block?: outputs.wafv2.WebAclDefaultActionBlock; + } + + export interface WebAclDefaultActionAllow { /** - * Inspect the request headers. See `headers` below for details. + * Defines custom handling for the web request. See `customRequestHandling` below for details. */ - headers?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchHeader[]; + customRequestHandling?: outputs.wafv2.WebAclDefaultActionAllowCustomRequestHandling; + } + + export interface WebAclDefaultActionAllowCustomRequestHandling { /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint; + insertHeaders: outputs.wafv2.WebAclDefaultActionAllowCustomRequestHandlingInsertHeader[]; + } + + export interface WebAclDefaultActionAllowCustomRequestHandlingInsertHeader { /** - * Inspect the request body as JSON. See `jsonBody` for details. + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. 
*/ - jsonBody?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBody; + name: string; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * Value of the custom header. */ - method?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchMethod; + value: string; + } + + export interface WebAclDefaultActionBlock { /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * Defines a custom response for the web request. See `customResponse` below for details. */ - queryString?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchQueryString; + customResponse?: outputs.wafv2.WebAclDefaultActionBlockCustomResponse; + } + + export interface WebAclDefaultActionBlockCustomResponse { /** - * Inspect a single header. See `singleHeader` below for details. + * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchSingleHeader; + customResponseBodyKey?: string; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * The HTTP status code to return to the client. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument; + responseCode: number; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. 
*/ - uriPath?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchUriPath; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchAllQueryArguments { + responseHeaders?: outputs.wafv2.WebAclDefaultActionBlockCustomResponseResponseHeader[]; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchBody { + export interface WebAclDefaultActionBlockCustomResponseResponseHeader { /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchCookies { + name: string; /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * Value of the custom header. */ - matchPatterns: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern[]; + value: string; + } + + export interface WebAclLoggingConfigurationLoggingFilter { /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * Default handling for logs that don't match any of the specified filtering conditions. 
Valid values for `defaultBehavior` are `KEEP` or `DROP`. */ - matchScope: string; + defaultBehavior: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Filter(s) that you want to apply to the logs. See Filter below for more details. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchCookiesMatchPatternAll { + filters: outputs.wafv2.WebAclLoggingConfigurationLoggingFilterFilter[]; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchHeader { + export interface WebAclLoggingConfigurationLoggingFilterFilter { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * Parameter that determines how to handle logs that meet the conditions and requirements of the filter. The valid values for `behavior` are `KEEP` or `DROP`. */ - matchPattern: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern; + behavior: string; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * Match condition(s) for the filter. See Condition below for more details. 
*/ - matchScope: string; + conditions: outputs.wafv2.WebAclLoggingConfigurationLoggingFilterFilterCondition[]; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Logic to apply to the filtering conditions. You can specify that a log must match all conditions or at least one condition in order to satisfy the filter. Valid values for `requirement` are `MEETS_ALL` or `MEETS_ANY`. */ - oversizeHandling: string; + requirement: string; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPattern { - /** - * An empty configuration block that is used for inspecting all headers. - */ - all?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll; + export interface WebAclLoggingConfigurationLoggingFilterFilterCondition { /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * Configuration for a single action condition. See Action Condition below for more details. */ - excludedHeaders?: string[]; + actionCondition?: outputs.wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * Condition for a single label name. See Label Name Condition below for more details. 
*/ - includedHeaders?: string[]; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderMatchPatternAll { + labelNameCondition?: outputs.wafv2.WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchHeaderOrder { + export interface WebAclLoggingConfigurationLoggingFilterFilterConditionActionCondition { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Action setting that a log record must contain in order to meet the condition. Valid values for `action` are `ALLOW`, `BLOCK`, and `COUNT`. */ - oversizeHandling: string; + action: string; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchJa3Fingerprint { + export interface WebAclLoggingConfigurationLoggingFilterFilterConditionLabelNameCondition { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * Name of the label that a log record must contain in order to meet the condition. It must be a fully qualified label name, which includes a prefix, optional namespaces, and the label name itself. The prefix identifies the rule group or web ACL context of the rule that added the label. */ - fallbackBehavior: string; + labelName: string; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBody { + export interface WebAclLoggingConfigurationRedactedField { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * HTTP method to be redacted. 
It must be specified as an empty configuration block `{}`. The method indicates the type of operation that the request is asking the origin to perform. */ - invalidFallbackBehavior?: string; + method?: outputs.wafv2.WebAclLoggingConfigurationRedactedFieldMethod; /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Whether to redact the query string. It must be specified as an empty configuration block `{}`. The query string is the part of a URL that appears after a `?` character, if any. */ - matchPattern: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern; + queryString?: outputs.wafv2.WebAclLoggingConfigurationRedactedFieldQueryString; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * "singleHeader" refers to the redaction of a single header. For more information, please see the details below under Single Header. */ - matchScope: string; + singleHeader?: outputs.wafv2.WebAclLoggingConfigurationRedactedFieldSingleHeader; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Configuration block that redacts the request URI path. It should be specified as an empty configuration block `{}`. The URI path is the part of a web request that identifies a resource, such as `/images/daily-ad.jpg`. 
*/ - oversizeHandling?: string; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchMethod { + uriPath?: outputs.wafv2.WebAclLoggingConfigurationRedactedFieldUriPath; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchQueryString { + export interface WebAclLoggingConfigurationRedactedFieldMethod { } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchSingleHeader { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: string; + export interface WebAclLoggingConfigurationRedactedFieldQueryString { } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchSingleQueryArgument { + export interface WebAclLoggingConfigurationRedactedFieldSingleHeader { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Name of the query header to redact. This setting must be provided in lowercase characters. */ name: string; } - export interface WebAclRuleStatementRegexMatchStatementFieldToMatchUriPath { + export interface WebAclLoggingConfigurationRedactedFieldUriPath { } - export interface WebAclRuleStatementRegexMatchStatementTextTransformation { + export interface WebAclRule { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Action that AWS WAF should take on a web request when it matches the rule's statement. This is used only for rules whose **statements do not reference a rule group**. 
See `action` for details. */ - priority: number; + action?: outputs.wafv2.WebAclRuleAction; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Specifies how AWS WAF should handle CAPTCHA evaluations. See `captchaConfig` below for details. */ - type: string; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatement { + captchaConfig?: outputs.wafv2.WebAclRuleCaptchaConfig; /** - * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. + * Friendly name of the rule. Note that the provider assumes that rules with names matching this pattern, `^ShieldMitigationRuleGroup___.*`, are AWS-added for [automatic application layer DDoS mitigation activities](https://docs.aws.amazon.com/waf/latest/developerguide/ddos-automatic-app-layer-response-rg.html). Such rules will be ignored by the provider unless you explicitly include them in your configuration (for example, by using the AWS CLI to discover their properties and creating matching configuration). However, since these rules are owned and managed by AWS, you may get permission errors. */ - arn: string; + name: string; /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * Override action to apply to the rules in a rule group. Used only for rule **statements that reference a rule group**, like `ruleGroupReferenceStatement` and `managedRuleGroupStatement`. See `overrideAction` below for details. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatch; + overrideAction?: outputs.wafv2.WebAclRuleOverrideAction; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. 
+ * If you define more than one Rule in a WebACL, AWS WAF evaluates each request against the `rules` in order based on the value of `priority`. AWS WAF processes rules with lower priority first. */ - textTransformations: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementTextTransformation[]; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatch { + priority: number; /** - * Inspect all query arguments. + * Labels to apply to web requests that match the rule match statement. See `ruleLabel` below for details. */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments; + ruleLabels?: outputs.wafv2.WebAclRuleRuleLabel[]; /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * The AWS WAF processing statement for the rule, for example `byteMatchStatement` or `geoMatchStatement`. See `statement` below for details. */ - body?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody; + statement: outputs.wafv2.WebAclRuleStatement; /** - * Inspect the cookies in the web request. See `cookies` below for details. + * Defines and enables Amazon CloudWatch metrics and web request sample collection. See `visibilityConfig` below for details. */ - cookies?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies; + visibilityConfig: outputs.wafv2.WebAclRuleVisibilityConfig; + } + + export interface WebAclRuleAction { /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * Instructs AWS WAF to allow the web request. See `allow` below for details. 
*/ - headerOrders?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder[]; + allow?: outputs.wafv2.WebAclRuleActionAllow; /** - * Inspect the request headers. See `headers` below for details. + * Instructs AWS WAF to block the web request. See `block` below for details. */ - headers?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader[]; + block?: outputs.wafv2.WebAclRuleActionBlock; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * Instructs AWS WAF to run a Captcha check against the web request. See `captcha` below for details. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint; + captcha?: outputs.wafv2.WebAclRuleActionCaptcha; /** - * Inspect the request body as JSON. See `jsonBody` for details. + * Instructs AWS WAF to run a check against the request to verify that the request is coming from a legitimate client session. See `challenge` below for details. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody; + challenge?: outputs.wafv2.WebAclRuleActionChallenge; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * Instructs AWS WAF to count the web request and allow it. See `count` below for details. */ - method?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod; + count?: outputs.wafv2.WebAclRuleActionCount; + } + + export interface WebAclRuleActionAllow { /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. + * Defines custom handling for the web request. See `customRequestHandling` below for details. 
*/ - queryString?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString; + customRequestHandling?: outputs.wafv2.WebAclRuleActionAllowCustomRequestHandling; + } + + export interface WebAclRuleActionAllowCustomRequestHandling { /** - * Inspect a single header. See `singleHeader` below for details. + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader; + insertHeaders: outputs.wafv2.WebAclRuleActionAllowCustomRequestHandlingInsertHeader[]; + } + + export interface WebAclRuleActionAllowCustomRequestHandlingInsertHeader { /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument; + name: string; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Value of the custom header. */ - uriPath?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchAllQueryArguments { + value: string; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchBody { + export interface WebAclRuleActionBlock { /** - * What WAF should do if the body is larger than WAF can inspect. 
WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Defines a custom response for the web request. See `customResponse` below for details. */ - oversizeHandling?: string; + customResponse?: outputs.wafv2.WebAclRuleActionBlockCustomResponse; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookies { + export interface WebAclRuleActionBlockCustomResponse { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. */ - matchPatterns: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern[]; + customResponseBodyKey?: string; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The HTTP status code to return to the client. */ - matchScope: string; + responseCode: number; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The `responseHeader` blocks used to define the HTTP response headers added to the response. 
See `responseHeader` below for details. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchCookiesMatchPatternAll { + responseHeaders?: outputs.wafv2.WebAclRuleActionBlockCustomResponseResponseHeader[]; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeader { + export interface WebAclRuleActionBlockCustomResponseResponseHeader { /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - matchPattern: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern; + name: string; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * Value of the custom header. */ - matchScope: string; + value: string; + } + + export interface WebAclRuleActionCaptcha { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. 
See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Defines custom handling for the web request. See `customRequestHandling` below for details. */ - oversizeHandling: string; + customRequestHandling?: outputs.wafv2.WebAclRuleActionCaptchaCustomRequestHandling; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPattern { + export interface WebAclRuleActionCaptchaCustomRequestHandling { /** - * An empty configuration block that is used for inspecting all headers. + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. */ - all?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll; + insertHeaders: outputs.wafv2.WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader[]; + } + + export interface WebAclRuleActionCaptchaCustomRequestHandlingInsertHeader { /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - excludedHeaders?: string[]; + name: string; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * Value of the custom header. */ - includedHeaders?: string[]; + value: string; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderMatchPatternAll { + export interface WebAclRuleActionChallenge { + /** + * Defines custom handling for the web request. See `customRequestHandling` below for details. 
+ */ + customRequestHandling?: outputs.wafv2.WebAclRuleActionChallengeCustomRequestHandling; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchHeaderOrder { + export interface WebAclRuleActionChallengeCustomRequestHandling { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. */ - oversizeHandling: string; + insertHeaders: outputs.wafv2.WebAclRuleActionChallengeCustomRequestHandlingInsertHeader[]; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJa3Fingerprint { + export interface WebAclRuleActionChallengeCustomRequestHandlingInsertHeader { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - fallbackBehavior: string; + name: string; + /** + * Value of the custom header. + */ + value: string; + } + + export interface WebAclRuleActionCount { + /** + * Defines custom handling for the web request. See `customRequestHandling` below for details. 
+ */ + customRequestHandling?: outputs.wafv2.WebAclRuleActionCountCustomRequestHandling; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBody { + export interface WebAclRuleActionCountCustomRequestHandling { /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. */ - invalidFallbackBehavior?: string; + insertHeaders: outputs.wafv2.WebAclRuleActionCountCustomRequestHandlingInsertHeader[]; + } + + export interface WebAclRuleActionCountCustomRequestHandlingInsertHeader { /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - matchPattern: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern; + name: string; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * Value of the custom header. */ - matchScope: string; + value: string; + } + + export interface WebAclRuleCaptchaConfig { /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Defines custom immunity time. See `immunityTimeProperty` below for details. 
*/ - oversizeHandling?: string; + immunityTimeProperty?: outputs.wafv2.WebAclRuleCaptchaConfigImmunityTimeProperty; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + export interface WebAclRuleCaptchaConfigImmunityTimeProperty { + /** + * The amount of time, in seconds, that a CAPTCHA or challenge timestamp is considered valid by AWS WAF. The default setting is 300. + */ + immunityTime?: number; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchJsonBodyMatchPatternAll { + export interface WebAclRuleOverrideAction { + /** + * Override the rule action setting to count (i.e., only count matches). Configured as an empty block `{}`. + */ + count?: outputs.wafv2.WebAclRuleOverrideActionCount; + /** + * Don't override the rule action setting. Configured as an empty block `{}`. + */ + none?: outputs.wafv2.WebAclRuleOverrideActionNone; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchMethod { + export interface WebAclRuleOverrideActionCount { } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchQueryString { + export interface WebAclRuleOverrideActionNone { } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleHeader { + export interface WebAclRuleRuleLabel { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Label string. */ name: string; } - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchSingleQueryArgument { + export interface WebAclRuleStatement { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Logical rule statement used to combine other rule statements with AND logic. 
See `andStatement` below for details. */ - name: string; - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementFieldToMatchUriPath { - } - - export interface WebAclRuleStatementRegexPatternSetReferenceStatementTextTransformation { + andStatement?: outputs.wafv2.WebAclRuleStatementAndStatement; /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * Rule statement that defines a string match search for AWS WAF to apply to web requests. See `byteMatchStatement` below for details. */ - priority: number; + byteMatchStatement?: outputs.wafv2.WebAclRuleStatementByteMatchStatement; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Rule statement used to identify web requests based on country of origin. See `geoMatchStatement` below for details. */ - type: string; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatement { + geoMatchStatement?: outputs.wafv2.WebAclRuleStatementGeoMatchStatement; /** - * The Amazon Resource Name (ARN) of the `aws.wafv2.RuleGroup` resource. + * Rule statement used to detect web requests coming from particular IP addresses or address ranges. See `ipSetReferenceStatement` below for details. */ - arn: string; + ipSetReferenceStatement?: outputs.wafv2.WebAclRuleStatementIpSetReferenceStatement; /** - * Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See `ruleActionOverride` below for details. + * Rule statement that defines a string match search against labels that have been added to the web request by rules that have already run in the web ACL. 
See `labelMatchStatement` below for details. */ - ruleActionOverrides?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverride[]; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverride { + labelMatchStatement?: outputs.wafv2.WebAclRuleStatementLabelMatchStatement; /** - * Override action to use, in place of the configured action of the rule in the rule group. See `action` for details. + * Rule statement used to run the rules that are defined in a managed rule group. This statement can not be nested. See `managedRuleGroupStatement` below for details. */ - actionToUse: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUse; + managedRuleGroupStatement?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatement; /** - * Name of the rule to override. See the [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) for a list of names in the appropriate rule group in use. + * Logical rule statement used to negate the results of another rule statement. See `notStatement` below for details. 
*/ - name: string; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUse { - allow?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllow; - block?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlock; - captcha?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptcha; - challenge?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallenge; - count?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCount; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllow { + notStatement?: outputs.wafv2.WebAclRuleStatementNotStatement; /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * Logical rule statement used to combine other rule statements with OR logic. See `orStatement` below for details. */ - customRequestHandling?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandling; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandling { + orStatement?: outputs.wafv2.WebAclRuleStatementOrStatement; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * Rate-based rule tracks the rate of requests for each originating `IP address`, and triggers the rule action when the rate exceeds a limit that you specify on the number of requests in any `5-minute` time span. This statement can not be nested. See `rateBasedStatement` below for details. 
*/ - insertHeaders: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader[]; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseAllowCustomRequestHandlingInsertHeader { + rateBasedStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatement; /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * Rule statement used to search web request components for a match against a single regular expression. See `regexMatchStatement` below for details. */ - name: string; + regexMatchStatement?: outputs.wafv2.WebAclRuleStatementRegexMatchStatement; /** - * Value of the custom header. + * Rule statement used to search web request components for matches with regular expressions. See `regexPatternSetReferenceStatement` below for details. */ - value: string; + regexPatternSetReferenceStatement?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatement; + /** + * Rule statement used to run the rules that are defined in an WAFv2 Rule Group. See `ruleGroupReferenceStatement` below for details. + */ + ruleGroupReferenceStatement?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatement; + /** + * Rule statement that compares a number of bytes against the size of a request component, using a comparison operator, such as greater than (>) or less than (<). See `sizeConstraintStatement` below for more details. + */ + sizeConstraintStatement?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatement; + /** + * An SQL injection match condition identifies the part of web requests, such as the URI or the query string, that you want AWS WAF to inspect. 
See `sqliMatchStatement` below for details. + */ + sqliMatchStatement?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatement; + /** + * Rule statement that defines a cross-site scripting (XSS) match search for AWS WAF to apply to web requests. See `xssMatchStatement` below for details. + */ + xssMatchStatement?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatement; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlock { + export interface WebAclRuleStatementAndStatement { /** - * Defines a custom response for the web request. See `customResponse` below for details. + * Statements to combine with `AND` logic. You can use any statements that can be nested. See `statement` above for details. */ - customResponse?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponse; + statements: outputs.wafv2.WebAclRuleStatement[]; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponse { + export interface WebAclRuleStatementByteMatchStatement { + /** + * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + */ + fieldToMatch?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatch; /** - * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. + * Area within the portion of a web request that you want AWS WAF to search for `searchString`. Valid values include the following: `EXACTLY`, `STARTS_WITH`, `ENDS_WITH`, `CONTAINS`, `CONTAINS_WORD`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_ByteMatchStatement.html) for more information. */ - customResponseBodyKey?: string; + positionalConstraint: string; /** - * The HTTP status code to return to the client. + * String value that you want AWS WAF to search for. 
AWS WAF searches only in the part of web requests that you designate for inspection in `fieldToMatch`. The maximum length of the value is 50 bytes. */ - responseCode: number; + searchString: string; /** - * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. */ - responseHeaders?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader[]; + textTransformations: outputs.wafv2.WebAclRuleStatementXssMatchStatementTextTransformation[]; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader { + export interface WebAclRuleStatementGeoMatchStatement { /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * Array of two-character country codes, for example, [ "US", "CN" ], from the alpha-2 country ISO codes of the `ISO 3166` international standard. See the [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_GeoMatchStatement.html) for valid values. */ - name: string; + countryCodes: string[]; /** - * Value of the custom header. + * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `forwardedIpConfig` below for details. 
*/ - value: string; + forwardedIpConfig?: outputs.wafv2.WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptcha { + export interface WebAclRuleStatementIpSetReferenceStatement { /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * The Amazon Resource Name (ARN) of the IP Set that this statement references. */ - customRequestHandling?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandling { + arn: string; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. See `ipSetForwardedIpConfig` below for more details. */ - insertHeaders: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader[]; + ipSetForwardedIpConfig?: outputs.wafv2.WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCaptchaCustomRequestHandlingInsertHeader { + export interface WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig { /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. 
+ * Match status to assign to the web request if the request doesn't have a valid IP address in the specified position. Valid values include: `MATCH` or `NO_MATCH`. */ - name: string; + fallbackBehavior: string; /** - * Value of the custom header. + * Name of the HTTP header to use for the IP address. */ - value: string; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallenge { + headerName: string; /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * Position in the header to search for the IP address. Valid values include: `FIRST`, `LAST`, or `ANY`. If `ANY` is specified and the header contains more than 10 IP addresses, AWS WAFv2 inspects the last 10. */ - customRequestHandling?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling; + position: string; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandling { + export interface WebAclRuleStatementLabelMatchStatement { /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * String to match against. + */ + key: string; + /** + * Specify whether you want to match using the label name or just the namespace. Valid values are `LABEL` or `NAMESPACE`. */ - insertHeaders: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader[]; + scope: string; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseChallengeCustomRequestHandlingInsertHeader { + export interface WebAclRuleStatementManagedRuleGroupStatement { /** - * Name of the custom header. 
For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * Additional information that's used by a managed rule group. Only one rule attribute is allowed in each config. See `managedRuleGroupConfigs` for more details + */ + managedRuleGroupConfigs?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig[]; + /** + * Name of the managed rule group. */ name: string; /** - * Value of the custom header. + * Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See `ruleActionOverride` below for details. */ - value: string; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCount { + ruleActionOverrides?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride[]; /** - * Defines custom handling for the web request. See `customRequestHandling` below for details. + * Narrows the scope of the statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See `statement` above for details. */ - customRequestHandling?: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandling; - } - - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandling { + scopeDownStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatement; /** - * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. + * Name of the managed rule group vendor. 
+ */ + vendorName: string; + /** + * Version of the managed rule group. You can set `Version_1.0` or `Version_1.1` etc. If you want to use the default version, do not set anything. */ - insertHeaders: outputs.wafv2.WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader[]; + version?: string; } - export interface WebAclRuleStatementRuleGroupReferenceStatementRuleActionOverrideActionToUseCountCustomRequestHandlingInsertHeader { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfig { /** - * Name of the custom header. For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. + * Additional configuration for using the Account Creation Fraud Prevention managed rule group. Use this to specify information such as the registration page of your application and the type of content to accept or reject from the client. */ - name: string; + awsManagedRulesAcfpRuleSet?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet; /** - * Value of the custom header. + * Additional configuration for using the Account Takeover Protection managed rule group. Use this to specify information such as the sign-in page of your application and the type of content to accept or reject from the client. */ - value: string; - } - - export interface WebAclRuleStatementSizeConstraintStatement { + awsManagedRulesAtpRuleSet?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet; /** - * Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. + * Additional configuration for using the Bot Control managed rule group. 
Use this to specify the inspection level that you want to use. See `awsManagedRulesBotControlRuleSet` for more details */ - comparisonOperator: string; + awsManagedRulesBotControlRuleSet?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet; /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * The path of the login endpoint for your application. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatch; + loginPath?: string; /** - * Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. + * Details about your login page password field. See `passwordField` for more details. */ - size: number; + passwordField?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField; /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * The payload type for your login endpoint, either JSON or form encoded. */ - textTransformations: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementTextTransformation[]; - } - - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatch { + payloadType?: string; /** - * Inspect all query arguments. + * Details about your login page username field. See `usernameField` for more details. 
*/ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments; + usernameField?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField; + } + + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSet { /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * The path of the account creation endpoint for your application. This is the page on your website that accepts the completed registration form for a new user. This page must accept POST requests. */ - body?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchBody; + creationPath: string; /** - * Inspect the cookies in the web request. See `cookies` below for details. + * Whether or not to allow the use of regular expressions in the login page path. */ - cookies?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchCookies; + enableRegexInPath: boolean; /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * The path of the account registration endpoint for your application. This is the page on your website that presents the registration form to new users. This page must accept GET text/html requests. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder[]; + registrationPagePath: string; /** - * Inspect the request headers. See `headers` below for details. + * The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `requestInspection` for more details. 
*/ - headers?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchHeader[]; + requestInspection: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection; /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. See `responseInspection` for more details. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint; + responseInspection?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection; + } + + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspection { /** - * Inspect the request body as JSON. See `jsonBody` for details. + * The names of the fields in the request payload that contain your customer's primary physical address. See `addressFields` for more details. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBody; + addressFields?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields; /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * The name of the field in the request payload that contains your customer's email. See `emailField` for more details. */ - method?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchMethod; + emailField?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField; /** - * Inspect the query string. 
This is the part of a URL that appears after a `?` character, if any. + * Details about your login page password field. See `passwordField` for more details. */ - queryString?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchQueryString; + passwordField?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField; /** - * Inspect a single header. See `singleHeader` below for details. + * The payload type for your login endpoint, either JSON or form encoded. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleHeader; + payloadType: string; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * The names of the fields in the request payload that contain your customer's primary phone number. See `phoneNumberFields` for more details. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument; + phoneNumberFields?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Details about your login page username field. See `usernameField` for more details. 
*/ - uriPath?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchUriPath; + usernameField?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchAllQueryArguments { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionAddressFields { + identifiers: string[]; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchBody { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAcfpRuleSetRequestInspectionEmailField { /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The name of the field in the request payload that contains your customer's email. */ - oversizeHandling?: string; + identifier: string; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchCookies { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSet { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * Whether or not to allow the use of regular expressions in the login page path. */ - matchPatterns: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern[]; + enableRegexInPath: boolean; /** - * The parts of the cookies to inspect with the rule inspection criteria. 
If you specify All, AWS WAF inspects both keys and values. Valid values: `ALL`, `KEY`, `VALUE` + * The path of the login endpoint for your application. */ - matchScope: string; + loginPath: string; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * The criteria for inspecting login requests, used by the ATP rule group to validate credentials usage. See `requestInspection` for more details. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchCookiesMatchPatternAll { + requestInspection?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection; + /** + * The criteria for inspecting responses to login requests, used by the ATP rule group to track login failure rates. Note that Response Inspection is available only on web ACLs that protect CloudFront distributions. See `responseInspection` for more details. + */ + responseInspection?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchHeader { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetRequestInspection { /** - * The filter to use to identify the subset of headers to inspect in a web request. 
The `matchPattern` block supports only one of the following arguments: + * Details about your login page password field. See `passwordField` for more details. */ - matchPattern: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern; + passwordField: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * The payload type for your login endpoint, either JSON or form encoded. */ - matchScope: string; + payloadType: string; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Details about your login page username field. See `usernameField` for more details. */ - oversizeHandling: string; + usernameField: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPattern { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspection { /** - * An empty configuration block that is used for inspecting all headers. + * Configures inspection of the response body. See `bodyContains` for more details. 
*/ - all?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll; + bodyContains?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * Configures inspection of the response header.See `header` for more details. */ - excludedHeaders?: string[]; + header?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * Configures inspection of the response JSON. See `json` for more details. */ - includedHeaders?: string[]; - } - - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchHeaderOrder { + json?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Configures inspection of the response status code.See `statusCode` for more details. 
*/ - oversizeHandling: string; + statusCode?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchJa3Fingerprint { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionBodyContains { /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * Strings in the body of the response that indicate a failed login attempt. */ - fallbackBehavior: string; - } - - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBody { + failureStrings: string[]; /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. + * Strings in the body of the response that indicate a successful login attempt. */ - invalidFallbackBehavior?: string; + successStrings: string[]; + } + + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionHeader { /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. + * Values in the response header with the specified name that indicate a failed login attempt. */ - matchPattern: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern; + failureValues: string[]; /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * The name of the header to use. */ - matchScope: string; + name: string; /** - * What to do if the body is larger than can be inspected. 
Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Values in the response header with the specified name that indicate a successful login attempt. */ - oversizeHandling?: string; + successValues: string[]; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionJson { + failureValues: string[]; + /** + * The identifier for the value to match against in the JSON. + */ + identifier: string; + successValues: string[]; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchJsonBodyMatchPatternAll { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesAtpRuleSetResponseInspectionStatusCode { + /** + * Status codes in the response that indicate a failed login attempt. + */ + failureCodes: number[]; + /** + * Status codes in the response that indicate a successful login attempt. + */ + successCodes: number[]; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchMethod { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigAwsManagedRulesBotControlRuleSet { + /** + * The inspection level to use for the Bot Control rule group. + */ + inspectionLevel: string; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchQueryString { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigPasswordField { + /** + * The name of the password field. + */ + identifier: string; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleHeader { + export interface WebAclRuleStatementManagedRuleGroupStatementManagedRuleGroupConfigUsernameField { /** - * Name of the query header to inspect. 
This setting must be provided as lower case characters. + * The name of the username field. */ - name: string; + identifier: string; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchSingleQueryArgument { + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * Override action to use, in place of the configured action of the rule in the rule group. See `action` for details. + */ + actionToUse: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse; + /** + * Name of the rule to override. See the [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/aws-managed-rule-groups-list.html) for a list of names in the appropriate rule group in use. */ name: string; } - export interface WebAclRuleStatementSizeConstraintStatementFieldToMatchUriPath { + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUse { + allow?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow; + block?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock; + captcha?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow; + challenge?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow; + count?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow; } - export interface WebAclRuleStatementSizeConstraintStatementTextTransformation { - /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. 
- */ - priority: number; + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllow { /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. + * Defines custom handling for the web request. See `customRequestHandling` below for details. */ - type: string; + customRequestHandling?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling; } - export interface WebAclRuleStatementSqliMatchStatement { + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseAllowCustomRequestHandling { /** - * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + * The `insertHeader` blocks used to define HTTP headers added to the request. See `insertHeader` below for details. */ - fieldToMatch?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatch; + insertHeaders: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader[]; + } + + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlock { /** - * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + * Defines a custom response for the web request. See `customResponse` below for details. 
*/ - textTransformations: outputs.wafv2.WebAclRuleStatementSqliMatchStatementTextTransformation[]; + customResponse?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatch { + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponse { /** - * Inspect all query arguments. + * References the response body that you want AWS WAF to return to the web request client. This must reference a `key` defined in a `customResponseBody` block of this resource. */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments; + customResponseBodyKey?: string; /** - * Inspect the request body, which immediately follows the request headers. See `body` below for details. + * The HTTP status code to return to the client. */ - body?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchBody; + responseCode: number; /** - * Inspect the cookies in the web request. See `cookies` below for details. + * The `responseHeader` blocks used to define the HTTP response headers added to the response. See `responseHeader` below for details. */ - cookies?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchCookies; + responseHeaders?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader[]; + } + + export interface WebAclRuleStatementManagedRuleGroupStatementRuleActionOverrideActionToUseBlockCustomResponseResponseHeader { /** - * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. + * Name of the custom header. 
For custom request header insertion, when AWS WAF inserts the header into the request, it prefixes this name `x-amzn-waf-`, to avoid confusion with the headers that are already in the request. For example, for the header name `sample`, AWS WAF inserts the header `x-amzn-waf-sample`. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderOrder[]; + name: string; /** - * Inspect the request headers. See `headers` below for details. + * Value of the custom header. */ - headers?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchHeader[]; + value: string; + } + + export interface WebAclRuleStatementNotStatement { /** - * Inspect the JA3 fingerprint. See `ja3Fingerprint` below for details. + * Statement to negate. You can use any statement that can be nested. See `statement` above for details. */ - ja3Fingerprint?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint; + statements: outputs.wafv2.WebAclRuleStatement[]; + } + + export interface WebAclRuleStatementOrStatement { /** - * Inspect the request body as JSON. See `jsonBody` for details. + * Statements to combine with `OR` logic. You can use any statements that can be nested. See `statement` above for details. */ - jsonBody?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBody; + statements: outputs.wafv2.WebAclRuleStatement[]; + } + + export interface WebAclRuleStatementRateBasedStatement { /** - * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. + * Setting that indicates how to aggregate the request counts. Valid values include: `CONSTANT`, `CUSTOM_KEYS`, `FORWARDED_IP`, or `IP`. Default: `IP`. */ - method?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchMethod; + aggregateKeyType?: string; /** - * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. 
+ * Aggregate the request counts using one or more web request components as the aggregate keys. See `customKey` below for details. */ - queryString?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchQueryString; + customKeys?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKey[]; /** - * Inspect a single header. See `singleHeader` below for details. + * The amount of time, in seconds, that AWS WAF should include in its request counts, looking back from the current time. Valid values are `60`, `120`, `300`, and `600`. Defaults to `300` (5 minutes). + * + * **NOTE:** This setting doesn't determine how often AWS WAF checks the rate, but how far back it looks each time it checks. AWS WAF checks the rate about every 10 seconds. */ - singleHeader?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchSingleHeader; + evaluationWindowSec?: number; /** - * Inspect a single query argument. See `singleQueryArgument` below for details. + * Configuration for inspecting IP addresses in an HTTP header that you specify, instead of using the IP address that's reported by the web request origin. If `aggregateKeyType` is set to `FORWARDED_IP`, this block is required. See `forwardedIpConfig` below for details. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument; + forwardedIpConfig?: outputs.wafv2.WebAclRuleStatementIpSetReferenceStatementIpSetForwardedIpConfig; /** - * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. + * Limit on requests per 5-minute period for a single originating IP address. 
*/ - uriPath?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchUriPath; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchAllQueryArguments { - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchBody { + limit: number; /** - * What WAF should do if the body is larger than WAF can inspect. WAF does not support inspecting the entire contents of the body of a web request when the body exceeds 8 KB (8192 bytes). Only the first 8 KB of the request body are forwarded to WAF by the underlying host service. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Optional nested statement that narrows the scope of the rate-based statement to matching web requests. This can be any nestable statement, and you can nest statements at any level below this scope-down statement. See `statement` above for details. If `aggregateKeyType` is set to `CONSTANT`, this block is required. */ - oversizeHandling?: string; + scopeDownStatement?: outputs.wafv2.WebAclRuleStatementRateBasedStatementScopeDownStatement; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchCookies { + export interface WebAclRuleStatementRateBasedStatementCustomKey { /** - * The filter to use to identify the subset of cookies to inspect in a web request. You must specify exactly one setting: either `all`, `includedCookies` or `excludedCookies`. More details: [CookieMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_CookieMatchPattern.html) + * Use the value of a cookie in the request as an aggregate key. See RateLimit `cookie` below for details. */ - matchPatterns: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern[]; + cookie?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyCookie; /** - * The parts of the cookies to inspect with the rule inspection criteria. If you specify All, AWS WAF inspects both keys and values. 
Valid values: `ALL`, `KEY`, `VALUE` + * Use the first IP address in an HTTP header as an aggregate key. See `forwardedIp` below for details. */ - matchScope: string; + forwardedIp?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyIp; /** - * What AWS WAF should do if the cookies of the request are larger than AWS WAF can inspect. AWS WAF does not support inspecting the entire contents of request cookies when they exceed 8 KB (8192 bytes) or 200 total cookies. The underlying host service forwards a maximum of 200 cookies and at most 8 KB of cookie contents to AWS WAF. Valid values: `CONTINUE`, `MATCH`, `NO_MATCH`. + * Use the value of a header in the request as an aggregate key. See RateLimit `header` below for details. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll; - excludedCookies?: string[]; - includedCookies?: string[]; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchCookiesMatchPatternAll { - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchHeader { + header?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyHeader; /** - * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: + * Use the request's HTTP method as an aggregate key. See RateLimit `httpMethod` below for details. */ - matchPattern: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern; + httpMethod?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyIp; /** - * The parts of the headers to inspect with the rule inspection criteria. If you specify `All`, AWS WAF inspects both keys and values. Valid values include the following: `ALL`, `Key`, `Value`. + * Use the request's originating IP address as an aggregate key. 
See `RateLimit ip` below for details. */ - matchScope: string; + ip?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyIp; /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * Use the specified label namespace as an aggregate key. See RateLimit `labelNamespace` below for details. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPattern { + labelNamespace?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace; /** - * An empty configuration block that is used for inspecting all headers. + * Use the specified query argument as an aggregate key. See RateLimit `queryArgument` below for details. */ - all?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll; + queryArgument?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument; /** - * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. + * Use the request's query string as an aggregate key. See RateLimit `queryString` below for details. */ - excludedHeaders?: string[]; + queryString?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyCookie; /** - * An array of strings that will be used for inspecting headers that have a key that matches one of the provided values. + * Use the request's URI path as an aggregate key. See RateLimit `uriPath` below for details. 
*/ - includedHeaders?: string[]; + uriPath?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyCookie; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchHeaderOrder { + export interface WebAclRuleStatementRateBasedStatementCustomKeyCookie { /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. + * The name of the cookie to use. */ - oversizeHandling: string; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchJa3Fingerprint { + name: string; /** - * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. */ - fallbackBehavior: string; + textTransformations: outputs.wafv2.WebAclRuleStatementXssMatchStatementTextTransformation[]; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBody { - /** - * What to do when JSON parsing fails. Defaults to evaluating up to the first parsing failure. Valid values are `EVALUATE_AS_STRING`, `MATCH` and `NO_MATCH`. - */ - invalidFallbackBehavior?: string; - /** - * The patterns to look for in the JSON body. You must specify exactly one setting: either `all` or `includedPaths`. 
See [JsonMatchPattern](https://docs.aws.amazon.com/waf/latest/APIReference/API_JsonMatchPattern.html) for details. - */ - matchPattern: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern; + export interface WebAclRuleStatementRateBasedStatementCustomKeyHeader { /** - * The parts of the JSON to match against using the `matchPattern`. Valid values are `ALL`, `KEY` and `VALUE`. + * The name of the header to use. */ - matchScope: string; + name: string; /** - * What to do if the body is larger than can be inspected. Valid values are `CONTINUE` (default), `MATCH` and `NO_MATCH`. + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. */ - oversizeHandling?: string; + textTransformations: outputs.wafv2.WebAclRuleStatementXssMatchStatementTextTransformation[]; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll; - includedPaths?: string[]; + export interface WebAclRuleStatementRateBasedStatementCustomKeyIp { } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchJsonBodyMatchPatternAll { + export interface WebAclRuleStatementRateBasedStatementCustomKeyLabelNamespace { + /** + * The namespace to use for aggregation + */ + namespace: string; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchMethod { + export interface WebAclRuleStatementRateBasedStatementCustomKeyQueryArgument { + /** + * The name of the query argument to use. + */ + name: string; + /** + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. 
They are used in rate-based rule statements, to transform request components before using them as custom aggregation keys. Atleast one transformation is required. See `textTransformation` above for details. + */ + textTransformations: outputs.wafv2.WebAclRuleStatementXssMatchStatementTextTransformation[]; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchQueryString { + export interface WebAclRuleStatementRateBasedStatementScopeDownStatement { + andStatement?: outputs.wafv2.WebAclRuleStatementAndStatement; + byteMatchStatement?: outputs.wafv2.WebAclRuleStatementByteMatchStatement; + geoMatchStatement?: outputs.wafv2.WebAclRuleStatementGeoMatchStatement; + ipSetReferenceStatement?: outputs.wafv2.WebAclRuleStatementIpSetReferenceStatement; + labelMatchStatement?: outputs.wafv2.WebAclRuleStatementLabelMatchStatement; + notStatement?: outputs.wafv2.WebAclRuleStatementNotStatement; + orStatement?: outputs.wafv2.WebAclRuleStatementOrStatement; + regexMatchStatement?: outputs.wafv2.WebAclRuleStatementRegexMatchStatement; + regexPatternSetReferenceStatement?: outputs.wafv2.WebAclRuleStatementRegexPatternSetReferenceStatement; + sizeConstraintStatement?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatement; + sqliMatchStatement?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatement; + xssMatchStatement?: outputs.wafv2.WebAclRuleStatementSizeConstraintStatement; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchSingleHeader { + export interface WebAclRuleStatementRegexMatchStatement { /** - * Name of the query header to inspect. This setting must be provided as lower case characters. + * The part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. */ - name: string; - } - - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchSingleQueryArgument { + fieldToMatch?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatch; /** - * Name of the query header to inspect. 
This setting must be provided as lower case characters. + * String representing the regular expression. Minimum of `1` and maximum of `512` characters. */ - name: string; + regexString: string; + /** + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + */ + textTransformations: outputs.wafv2.WebAclRuleStatementXssMatchStatementTextTransformation[]; } - export interface WebAclRuleStatementSqliMatchStatementFieldToMatchUriPath { + export interface WebAclRuleStatementRegexPatternSetReferenceStatement { + /** + * The Amazon Resource Name (ARN) of the Regex Pattern Set that this statement references. + */ + arn: string; + /** + * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. + */ + fieldToMatch?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatch; + /** + * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. + */ + textTransformations: outputs.wafv2.WebAclRuleStatementXssMatchStatementTextTransformation[]; } - export interface WebAclRuleStatementSqliMatchStatementTextTransformation { + export interface WebAclRuleStatementRuleGroupReferenceStatement { /** - * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content. + * The Amazon Resource Name (ARN) of the `aws.wafv2.RuleGroup` resource. */ - priority: number; + arn: string; /** - * Transformation to apply, please refer to the Text Transformation [documentation](https://docs.aws.amazon.com/waf/latest/APIReference/API_TextTransformation.html) for more details. 
+ * Action settings to use in the place of the rule actions that are configured inside the rule group. You specify one override for each rule whose action you want to change. See `ruleActionOverride` below for details. */ - type: string; + ruleActionOverrides?: outputs.wafv2.WebAclRuleStatementManagedRuleGroupStatementRuleActionOverride[]; } - export interface WebAclRuleStatementXssMatchStatement { + export interface WebAclRuleStatementSizeConstraintStatement { + /** + * Operator to use to compare the request part to the size setting. Valid values include: `EQ`, `NE`, `LE`, `LT`, `GE`, or `GT`. + */ + comparisonOperator: string; /** * Part of a web request that you want AWS WAF to inspect. See `fieldToMatch` below for details. */ fieldToMatch?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatch; + /** + * Size, in bytes, to compare to the request part, after any transformations. Valid values are integers between 0 and 21474836480, inclusive. + */ + size: number; /** * Text transformations eliminate some of the unusual formatting that attackers use in web requests in an effort to bypass detection. At least one transformation is required. See `textTransformation` below for details. */ @@ -85544,7 +78282,7 @@ export namespace wafv2 { /** * Inspect all query arguments. */ - allQueryArguments?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatchAllQueryArguments; + allQueryArguments?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyIp; /** * Inspect the request body, which immediately follows the request headers. See `body` below for details. */ 
@@ -85556,7 +78294,7 @@ export namespace wafv2 { /** * Inspect a string containing the list of the request's header names, ordered as they appear in the web request that AWS WAF receives for inspection. See `headerOrder` below for details. */ - headerOrders?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatchHeaderOrder[]; + headerOrders?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatchHeader[]; /** * Inspect the request headers. See `headers` below for details. */ @@ -85572,11 +78310,11 @@ export namespace wafv2 { /** * Inspect the HTTP method. The method indicates the type of operation that the request is asking the origin to perform. */ - method?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatchMethod; + method?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyIp; /** * Inspect the query string. This is the part of a URL that appears after a `?` character, if any. */ - queryString?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatchQueryString; + queryString?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyIp; /** * Inspect a single header. See `singleHeader` below for details. */ @@ -85584,14 +78322,11 @@ export namespace wafv2 { /** * Inspect a single query argument. See `singleQueryArgument` below for details. */ - singleQueryArgument?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument; + singleQueryArgument?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatchSingleHeader; /** * Inspect the request URI path. This is the part of a web request that identifies a resource, for example, `/images/daily-ad.jpg`. */ - uriPath?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatchUriPath; - } - - export interface WebAclRuleStatementXssMatchStatementFieldToMatchAllQueryArguments { + uriPath?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyIp; } export interface WebAclRuleStatementXssMatchStatementFieldToMatchBody { 
@@ -85617,14 +78352,11 @@ export namespace wafv2 { } export interface WebAclRuleStatementXssMatchStatementFieldToMatchCookiesMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll; + all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyIp; excludedCookies?: string[]; includedCookies?: string[]; } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchCookiesMatchPatternAll { - } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchHeader { /** * The filter to use to identify the subset of headers to inspect in a web request. The `matchPattern` block supports only one of the following arguments: @@ -85644,7 +78376,7 @@ export namespace wafv2 { /** * An empty configuration block that is used for inspecting all headers. */ - all?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll; + all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyIp; /** * An array of strings that will be used for inspecting headers that do not have a key that matches one of the provided values. */ 
@@ -85655,16 +78387,6 @@ export namespace wafv2 { includedHeaders?: string[]; } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchHeaderMatchPatternAll { - } - - export interface WebAclRuleStatementXssMatchStatementFieldToMatchHeaderOrder { - /** - * Oversize handling tells AWS WAF what to do with a web request when the request component that the rule inspects is over the limits. Valid values include the following: `CONTINUE`, `MATCH`, `NO_MATCH`. See the AWS [documentation](https://docs.aws.amazon.com/waf/latest/developerguide/waf-rule-statement-oversize-handling.html) for more information. - */ - oversizeHandling: string; - } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchJa3Fingerprint { /** * The match status to assign to the web request if the request doesn't have a JA3 fingerprint. Valid values include: `MATCH` or `NO_MATCH`. @@ -85692,19 +78414,10 @@ export namespace wafv2 { } export interface WebAclRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPattern { - all?: outputs.wafv2.WebAclRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll; + all?: outputs.wafv2.WebAclRuleStatementRateBasedStatementCustomKeyIp; includedPaths?: string[]; } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchJsonBodyMatchPatternAll { - } - - export interface WebAclRuleStatementXssMatchStatementFieldToMatchMethod { - } - - export interface WebAclRuleStatementXssMatchStatementFieldToMatchQueryString { - } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchSingleHeader { /** * Name of the query header to inspect. This setting must be provided as lower case characters. 
@@ -85712,16 +78425,6 @@ export namespace wafv2 { name: string; } - export interface WebAclRuleStatementXssMatchStatementFieldToMatchSingleQueryArgument { - /** - * Name of the query header to inspect. This setting must be provided as lower case characters. - */ - name: string; - } - - export interface WebAclRuleStatementXssMatchStatementFieldToMatchUriPath { - } - export interface WebAclRuleStatementXssMatchStatementTextTransformation { /** * Relative processing order for multiple transformations that are defined for a rule statement. AWS WAF processes all transformations, from lowest priority to highest, before inspecting the transformed content.