{
  "description": "Firewall is the Schema for the Firewalls API",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "description": "FirewallSpec defines the desired state of Firewall. \n The firewall defines the configuration settings for a Network Firewall firewall. These settings include the firewall policy, the subnets in your VPC to use for the firewall endpoints, and any tags that are attached to the firewall Amazon Web Services resource. \n The status of the firewall, for example whether it's ready to filter network traffic, is provided in the corresponding FirewallStatus. You can retrieve both objects by calling DescribeFirewall.",
      "properties": {
        "deleteProtection": {
          "description": "A flag indicating whether it is possible to delete the firewall. A setting of TRUE indicates that the firewall is protected against deletion. Use this setting to protect against accidentally deleting a firewall that is in use. When you create a firewall, the operation initializes this flag to TRUE.",
          "type": "boolean"
        },
        "description": {
          "description": "A description of the firewall.",
          "type": "string"
        },
        "encryptionConfiguration": {
          "description": "A complex type that contains settings for encryption of your firewall resources.",
          "properties": {
            "keyID": {
              "type": "string"
            },
            "type_": {
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "firewallName": {
          "description": "The descriptive name of the firewall. You can't change the name of a firewall after you create it.",
          "type": "string"
        },
        "firewallPolicyARN": {
          "description": "The Amazon Resource Name (ARN) of the FirewallPolicy that you want to use for the firewall.",
          "type": "string"
        },
        "firewallPolicyChangeProtection": {
          "description": "A setting indicating whether the firewall is protected against a change to the firewall policy association. Use this setting to protect against accidentally modifying the firewall policy for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.",
          "type": "boolean"
        },
        "subnetChangeProtection": {
          "description": "A setting indicating whether the firewall is protected against changes to the subnet associations. Use this setting to protect against accidentally modifying the subnet associations for a firewall that is in use. When you create a firewall, the operation initializes this setting to TRUE.",
          "type": "boolean"
        },
        "subnetMappings": {
          "description": "The public subnets to use for your Network Firewall firewalls. Each subnet must belong to a different Availability Zone in the VPC. Network Firewall creates a firewall endpoint in each subnet.",
          "items": {
            "description": "The ID for a subnet that you want to associate with the firewall. This is used with CreateFirewall and AssociateSubnets. Network Firewall creates an instance of the associated firewall in each subnet that you specify, to filter traffic in the subnet's Availability Zone.",
            "properties": {
              "subnetID": {
                "type": "string"
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "tags": {
          "description": "The key:value pairs to associate with the resource.",
          "items": {
            "description": "A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each Amazon Web Services resource.",
            "properties": {
              "key": {
                "type": "string"
              },
              "value": {
                "type": "string"
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "vpcID": {
          "description": "The unique identifier of the VPC where Network Firewall should create the firewall. \n You can't change this setting after you create the firewall.",
          "type": "string"
        }
      },
      "required": [
        "firewallName",
        "firewallPolicyARN",
        "subnetMappings",
        "vpcID"
      ],
      "type": "object",
      "additionalProperties": false
    },
    "status": {
      "description": "FirewallStatus defines the observed state of Firewall",
      "properties": {
        "ackResourceMetadata": {
          "description": "All CRs managed by ACK have a common `Status.ACKResourceMetadata` member that is used to contain resource sync state, account ownership, and the constructed ARN for the resource",
          "properties": {
            "arn": {
              "description": "ARN is the Amazon Resource Name for the resource. This is a globally-unique identifier and is set only by the ACK service controller once the controller has orchestrated the creation of the resource OR when it has verified that an \"adopted\" resource (a resource where the ARN annotation was set by the Kubernetes user on the CR) exists and matches the supplied CR's Spec field values. TODO(vijat@): Find a better strategy for resources that do not have ARN in CreateOutputResponse https://github.com/aws/aws-controllers-k8s/issues/270",
              "type": "string"
            },
            "ownerAccountID": {
              "description": "OwnerAccountID is the AWS Account ID of the account that owns the backend AWS service API resource.",
              "type": "string"
            },
            "region": {
              "description": "Region is the AWS region in which the resource exists or will exist.",
              "type": "string"
            }
          },
          "required": [
            "ownerAccountID",
            "region"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "conditions": {
          "description": "All CRs managed by ACK have a common `Status.Conditions` member that contains a collection of `ackv1alpha1.Condition` objects that describe the various terminal states of the CR and its backend AWS service API resource",
          "items": {
            "description": "Condition is the common struct used by all CRDs managed by ACK service controllers to indicate terminal states of the CR and its backend AWS service API resource",
            "properties": {
              "lastTransitionTime": {
                "description": "Last time the condition transitioned from one status to another.",
                "format": "date-time",
                "type": "string"
              },
              "message": {
                "description": "A human readable message indicating details about the transition.",
                "type": "string"
              },
              "reason": {
                "description": "The reason for the condition's last transition.",
                "type": "string"
              },
              "status": {
                "description": "Status of the condition, one of True, False, Unknown.",
                "type": "string"
              },
              "type": {
                "description": "Type is the type of the Condition",
                "type": "string"
              }
            },
            "required": [
              "status",
              "type"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "firewall": {
          "description": "The configuration settings for the firewall. These settings include the firewall policy and the subnets in your VPC to use for the firewall endpoints.",
          "properties": {
            "deleteProtection": {
              "type": "boolean"
            },
            "description": {
              "type": "string"
            },
            "encryptionConfiguration": {
              "description": "A complex type that contains optional Amazon Web Services Key Management Service (KMS) encryption settings for your Network Firewall resources. Your data is encrypted by default with an Amazon Web Services owned key that Amazon Web Services owns and manages for you. You can use either the Amazon Web Services owned key, or provide your own customer managed key. To learn more about KMS encryption of your Network Firewall resources, see Encryption at rest with Amazon Web Services Key Management Service (https://docs.aws.amazon.com/kms/latest/developerguide/kms-encryption-at-rest.html) in the Network Firewall Developer Guide.",
              "properties": {
                "keyID": {
                  "type": "string"
                },
                "type_": {
                  "type": "string"
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "firewallARN": {
              "type": "string"
            },
            "firewallID": {
              "type": "string"
            },
            "firewallName": {
              "type": "string"
            },
            "firewallPolicyARN": {
              "type": "string"
            },
            "firewallPolicyChangeProtection": {
              "type": "boolean"
            },
            "subnetChangeProtection": {
              "type": "boolean"
            },
            "subnetMappings": {
              "items": {
                "description": "The ID for a subnet that you want to associate with the firewall. This is used with CreateFirewall and AssociateSubnets. Network Firewall creates an instance of the associated firewall in each subnet that you specify, to filter traffic in the subnet's Availability Zone.",
                "properties": {
                  "subnetID": {
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "tags": {
              "items": {
                "description": "A key:value pair associated with an Amazon Web Services resource. The key:value pair can be anything you define. Typically, the tag key represents a category (such as \"environment\") and the tag value represents a specific value within that category (such as \"test,\" \"development,\" or \"production\"). You can add up to 50 tags to each Amazon Web Services resource.",
                "properties": {
                  "key": {
                    "type": "string"
                  },
                  "value": {
                    "type": "string"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "vpcID": {
              "type": "string"
            }
          },
          "type": "object",
          "additionalProperties": false
        },
        "firewallStatus": {
          "description": "Detailed information about the current status of a Firewall. You can retrieve this for a firewall by calling DescribeFirewall and providing the firewall name and ARN.",
          "properties": {
            "capacityUsageSummary": {
              "description": "The capacity usage summary of the resources used by the ReferenceSets in a firewall.",
              "properties": {
                "cidrs": {
                  "description": "Summarizes the CIDR blocks used by the IP set references in a firewall. Network Firewall calculates the number of CIDRs by taking an aggregated count of all CIDRs used by the IP sets you are referencing.",
                  "properties": {
                    "availableCIDRCount": {
                      "format": "int64",
                      "type": "integer"
                    },
                    "iPSetReferences": {
                      "additionalProperties": {
                        "description": "General information about the IP set.",
                        "properties": {
                          "resolvedCIDRCount": {
                            "format": "int64",
                            "type": "integer"
                          }
                        },
                        "type": "object",
                        "additionalProperties": false
                      },
                      "type": "object"
                    },
                    "utilizedCIDRCount": {
                      "format": "int64",
                      "type": "integer"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                }
              },
              "type": "object",
              "additionalProperties": false
            },
            "configurationSyncStateSummary": {
              "type": "string"
            },
            "status": {
              "type": "string"
            },
            "syncStates": {
              "additionalProperties": {
                "description": "The status of the firewall endpoint and firewall policy configuration for a single VPC subnet. \n For each VPC subnet that you associate with a firewall, Network Firewall does the following: \n - Instantiates a firewall endpoint in the subnet, ready to take traffic. \n - Configures the endpoint with the current firewall policy settings, to provide the filtering behavior for the endpoint. \n When you update a firewall, for example to add a subnet association or change a rule group in the firewall policy, the affected sync states reflect out-of-sync or not ready status until the changes are complete.",
                "properties": {
                  "attachment": {
                    "description": "The configuration and status for a single subnet that you've specified for use by the Network Firewall firewall. This is part of the FirewallStatus.",
                    "properties": {
                      "endpointID": {
                        "type": "string"
                      },
                      "status": {
                        "type": "string"
                      },
                      "subnetID": {
                        "type": "string"
                      }
                    },
                    "type": "object",
                    "additionalProperties": false
                  },
                  "config": {
                    "additionalProperties": {
                      "description": "Provides configuration status for a single policy or rule group that is used for a firewall endpoint. Network Firewall provides each endpoint with the rules that are configured in the firewall policy. Each time you add a subnet or modify the associated firewall policy, Network Firewall synchronizes the rules in the endpoint, so it can properly filter network traffic. This is part of a SyncState for a firewall.",
                      "properties": {
                        "syncStatus": {
                          "type": "string"
                        },
                        "updateToken": {
                          "type": "string"
                        }
                      },
                      "type": "object",
                      "additionalProperties": false
                    },
                    "type": "object"
                  }
                },
                "type": "object",
                "additionalProperties": false
              },
              "type": "object"
            }
          },
          "type": "object",
          "additionalProperties": false
        }
      },
      "type": "object",
      "additionalProperties": false
    }
  },
  "type": "object"
}
